CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 4
Elgamal. IND-CPA Security. Malleability
Helger Lipmaa
University of Tartu, Estonia
UP TO NOW
Assumptions, reductions
Basic assumptions in DL family:
DL, CDH, DDH
(DH)KE. Security of KE <=> assumptions
Owners of public keys can agree on joint secret key
REMINDER: KEY EXCHANGE
I want to send secret information to
Bob, but he is in Jamaica
Let us agree on a joint secret
key for further communication
SECURE COMPUTATION
I want to
know whether I have more hash than
Bob but I do not want to reveal how
much I have
Let us do secure
computation of
"≥"
Ditto
Millionaires' protocol
SECURE COMPUTATION
(pk, Encode (pk; a))
c = Encode (pk; f (a, b))
sk,pk,a
2 Compute f(a,b) on
"encoded"
inputs 1 Encode a
by using pk
3 Decode by using sk, obtain
f (a, b)
Million dollar
question: how
QUIZ: SECURITY OBJECTIVE
(pk, Encode (pk; a))
c = Encode (pk; f (a, b))
sk,pk,a
2 Compute f(a,b) on
"encoded"
inputs 1 Encode a
by using pk
3 Decode by using sk, obtaine f (a, b)
?
QUIZ: SECURITY OBJECTIVE
(pk, Encode (pk; a))
c = Encode (pk; f (a, b))
sk,pk,a
2 Compute f(a,b) on
"encoded"
inputs 3 Decode by
using sk, obtain f (a, b)
?
Answer: Alice and Bob should not trust each other. Here Alice may want to learn Bob's input, and Bob
may want to learn Alice's input.
Will formalize the next lecture 1 Encode a
by using pk
THIS LECTURE: MODULARIZATION
Assumption Primitive Protocol
DDH, ... Encrypt,
garble, ...
Millionaires', ...
We have a We find an goal
existing encoding that looks suitable Make the
necessary assumption
Top-down approach: good when
you already know the field, and there are enough primitives/assumptions
available
THIS LECTURE: MODULARIZATION
Assumption Primitive Protocol
DDH, ... Encrypt,
garble, ...
Millionaires', ...
We know assumption
We build some
encoding on top of it
We build the final protocol
on top of it
Bottom-up approach: good for
teaching, research (easier to start with basics)
and getting papers published
THIS LECTURE: MODULARIZATION
Assumption Primitive
DDH Encrypt
We know assumption
We build some
encoding on top of it
Bottom-up approach: good for
teaching, research (easier to start with basics) and getting papers published
Elgamal
(homomorphic encryption)
REMINDER: KEY EXCHANGE
h
f
s, h = gˢ t, f←gᵗ
sk=SK(s,f) = sk=SK(t,h)
sk
REMINDER: ONE-TIME PAD
c ← m ⊕ sk
sk, m sk
m←c⊕sk
(m⊕sk)⊕sk=m⊕(sk⊕sk)=m
HOW TO COMBINE
We have key-exchange Returns secret key sk1 ... and one-time pad
Returns ciphertext, given sk2
However, they work in different domains
sk1 is a group element, sk2 is a bit-string
ONE-TIME PAD IN A GROUP
c ← m · sk
sk, m∈G sk
m←c / sk m?
?
m*
SECURITY INTUITION
If sk is uniformly distributed in G, then m · sk is also uniformly distributed
For all m ∈ G*, c ∈ G:
Pr [m · sk = c] = Pr [sk = c / m] = 1 / q
Thus, an adversary who only sees c, has no
information about m
ELGAMAL ENCRYPTION
r, gʳ, m
public key h
s, h=gˢ
sk←SK(r,h)
sk←SK(s,gʳ) m ← c1 / sk
One-time keys
Long-time keys h
(c1, c2) ← (m · sk, gʳ )
ELGAMAL ENCRYPTION
r,h←gˆr
(c1, c2) ← (m · sk, h)
sk,pk
sk←SK(r,pk)
One-time keys
Long-time keys hb
Elgamal.Setup (κ):
1. Choose a group G of order q where breaking DDH has complexity 2^κ 2. Choose a generator g of G
3. Return gk ← desc (G) = (..., q, g)
Elgamal.Keygen (gk):
1. s ← ℤq
2. pk = h ← gˢ
3. Return (s, h) /* secret key, public key */
Elgamal.Enc (gk, h; m, r):
1. /* Assumes r ← R: randomized alg. */
2. (c1,c2)←(mhʳ, gʳ) 3. Return (c1,c2)
Elgamal.Dec (gk, s; c1, c2):
1. m ← c1 / c2ˢ 2. Return m
For the sake of simplicity, we assume that gk is a fixed system parameter, shared by all participants.
Will not mention gk unless explicitly needed
CORRECTNESS: FORMALLY
Key generation: h = gˢ
Encryption: (c1, c2) = Enc (h; m, r) = (mhʳ, gʳ) Decryption: c1 / c2ˢ = m gʳˢ / gʳˢ = m
Thus decryption is always successful
SECURITY: INTUITION
Elgamal = DHKE + one-time pad
DHKE is whatke-secure under X assumption one-time pad is unconditionally secure
=> Elgamal is whatenc-secure under X assumption
But how to formalize?
QUIZ: SECURITY
r,h←gʳ,m
pk
s,h=gˢ
m ← c1 / c2ˢ
h
?
(c1, c2) ← (mhʳ, gʳ )
ENCRYPTION SECURITY: ISSUES
Message recovery security:
Eve should not be able to compute m
Just difficulty of computing m is not good enough Like KR security was not enough in KE
Need indistinguishability again
QUIZ: SECURITY
r,h←gʳ,m
pk
s,h=gˢ
m ← c1 / c2ˢ
h
m*=m or garbage
?
(c1, c2) ← (mhʳ, gʳ )
m*
REAL-RANDOM / LEFT-RIGHT
Real-Random indistinguishability:
Adversary cannot distinguish the real plaintext m from a random plaintext
Even if she has chosen m herself Left-Right indistinguishability:
Adversary cannot distinguish a random ciphertext of m0 from a random ciphertext of m1
Even if she has chosen both m0 and m1 herself
Encrypt "I owe Eve 100$"or else
He encrypted
"start a battle"or "do not start a battle". Which
one?
QUIZ: WHICH NOTION IS STRONGER
Left Right
Random
Answer: equal
1 (RR =>LR) If can distinguish left from right, then one of them must
be distinguishable from random 2 (LR => RR) Assume we can distinguish real from random. This
means the ciphertext distribution of every fixed plaintext must be
different from the ciphertext distribution of a random plaintext.
Thus there must exist two plaintexts that have different
ciphertext distributions
Notions are equal, but RR => LR argumentation is easier.
Standard approach: assume RR security
QUIZ: IND-CPA SECURITY
r,h←gʳ e←{0,1}
pk
s,h=gˢ
mₑ ← c1 / c2ˢ
h
e* = e
?
(c1, c2) ← (mₑhʳ, gʳ ) e*
(m0 ,m1 )
Chosen-Plaintext Attack
IND-CPA SECURITY
Π = (Setup, Keygen, Enc, Dec)
Adv[IND] := | Pr[IND = 1] - 1 / 2 |
A ε -breaks IND-CPA security of Π iff Adv[IND] ≥ ε
Π is (τ,ε)-IND-CPA secure iff no PPT adversary ε -breaks IND-CPA security of Π in time ≤ τ
Π is IND-CPA secure iff it is
(poly(κ),negl(κ))-IND-CPA secure
Game IND(κ,Π,A)
gk ← Setup (κ)
(s, h) ← Keygen (κ) (m0, m1) ← A (h) e ← {0, 1}
r ← R
c ← Enc (h; mₑ, r) e* ← A (h, c)
Return e = e* ? 1 : 0
ELGAMAL IS IND-CPA SECURE
Theorem. If G is a (≈τ, ≈ε)-DDH group, then Elgamal is (τ,ε)-IND-CPA secure in G.
Proof idea. Reduction to absurd: we show that if Elgamal is not secure in G, then DDH must be easy in G.
Elgamal is not secure => there exists an adversary D that breaks Elgamal We show DDH is easy by constructing an adversary C that breaks DDH C can use help from adversary D , by sending inputs to D and receiving outputs
Simple, a home exercise
... TAUTOLOGY
Theorem. If Elgamal is (τ + small,ε)-IND-CPA
secure, then G is (τ,ε)-DDH group. (Thus, equivalent)
Proof idea. Reduction to absurd: we show that if DDH is not secure in G, then breaking Elgamal must be easy in G.
DDH is not secure => there exists an adversary D that breaks DDH
We show Elgamal is easy by constructing an adversary C that breaks Elgamal C can use help from adversary D , by sending inputs to D and receiving
outputs
REDUCTION: DDH <= ELGAMAL
(m0, m1) ← (1,random)
s← ℤq; h ← gˢ
/* some comp */
return e*
if e* = e return 1 else
return 0
(desc(G),h)
(desc(G),g,h,c2,c1)
e*
e*
Challenger C D
Correct distribution for DDH (?)
(m₀,m₁) e ← {0, 1}; r← ℤq;
(c1,c2) ← (mₑhʳ, gʳ )
/* just forward */
(c1,c2)
Need to construct
REDUCTION: DDH <= ELGAMAL
(m0, m1) ← (1,random)
s← ℤq; h ← gˢ
/* some comp */
return e*
if e* = e return 1 else
return 0
(desc(G),h)
(desc(G),g,h,c2,c1)
e*
e*
Challenger C D
Correct distribution for DDH (?)
(m₀,m₁) e ← {0, 1}; r← ℤq;
(c1,c2) ← (mₑhʳ, gʳ )
/* just forward */
(c1,c2)
Need to construct
Assume D works in time τ and is successful with prob. ε + 1 / 2
If D is successful then C is successful and takes time τ* =τ + small
If D is unsuccessful then C is
successful with prob. 0, and takes time τ*
Pr[C successful] = ε + 1 / 2
Thus, if Elgamal is (τ*, ε)-IND-CPA secure, then G is a (τ, ε)-DDH group
IND-CPA AND BEYOND
Actual security requirements even more stringent IND-CPA security only demonstrates basic
concepts
Bob must be sure c really came from Alice Authentication, non-malleability
In protocol design, malleability is very useful
MALLEABILITY
m f(m)
Modifying ciphertexts, without knowing the secret key, so that the plaintext
changes predictably
Essential for secure computation
MALLEABILITY OF ELGAMAL
Recall: Enc (h; m, r) = (c1, c2) = (mhʳ,gʳ)
Enc (h; m, r) · Enc (h; n, t) = Enc (h; m · n, r + t) (mhʳ, gʳ) (nhᵗ, gᵗ)= (mnhʳ ⁺ᵗ, gʳ ⁺ᵗ)
Componentwise multilication
HOMOMORPHIC ENCRYPTION
( M,M) M
( C,C) C
·
·
(Enc, Enc)
Enc
efficient
efficient
efficient
efficient
Similar to isomorphism, except randomized
SOME COROLLARIES
Recall: Enc (m, r) · Enc (n, t) = Enc (m · n, r + t) We omit h for brevity
1. Πᵢ Enc (mᵢ; rᵢ) = Enc (Πᵢ mᵢ; Σᵢ rᵢ)
2. Enc (m, r)ˢ = Enc (mˢ, sr) for public s ∈ ℤq
3. Πᵢ Enc (xⁱ; rᵢ)^fᵢ = Πᵢ Enc (fᵢxⁱ; fᵢrᵢ) = Enc (Πᵢ fᵢxⁱ; Σᵢ fᵢrᵢ) evaluating public "polynomial" at secret point
Polynomials have a sum
QUIZ: ENCRYPTING INTEGERS
Elgamal makes it possible to encrypt group elements Question: how to encrypt (short) integers?
Answer:
Lifted Elgamal: use exponentiation (isomorphism) Enc' (m, r) = Enc (gᵐ, r)
Dec' (c1, c2) = dlog
g(Dec (c1, c2))
SOME COROLLARIES
1. Πᵢ Enc' (mᵢ; rᵢ) = Enc' (Σᵢ mᵢ; Σᵢ rᵢ)
2. Enc' (m, r)ˢ = Enc' (sm, sr) for public s ∈ ℤq
3. Πᵢ Enc' (xⁱ; rᵢ)^fᵢ = Πᵢ Enc' (fᵢxⁱ; fᵢrᵢ) = Enc' (Σᵢ fᵢxⁱ; Σᵢ fᵢrᵢ)
evaluation of public polynomial at secret point
4. Πᵢ Enc' (xᵢ; rᵢ)^yᵢ Enc'(z; t) = Enc' (Σᵢ xᵢ yᵢ + z; Σᵢ yᵢrᵢ + t) -
arbitrary affine functions with public yᵢ, z
LIFTED ELGAMAL: MORE
Enc, Dec --- efficient
Enc' efficient, Dec' inefficient
Dec' can be computed in time Θ (√ L) when input is from {0, ..., L - 1}
Lifted Elgamal useful when L is small: L ≤ 2^40?
G₁
G Enc G2
Dec
efficient
efficient
ℤq dlog
exp
inefficient
efficient
SUMMARY
One can "compute" on Elgamal ciphertexts Plaintexts are group elements
More useful: lifted Elgamal
However, only efficient for small plaintexts Secret computation of arbitrary affine functions in ℤq that have small outputs
limited malleability
