DOCSLIB.ORG

Linear Generalized Elgamal Encryption Scheme

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Linear Generalized ElGamal Encryption Scheme Demba Sow1,Leo´ Robert2, and Pascal Lafourcade2 1LACGAA, Universite´ Cheikh Anta Diop de Dakar, Sen´ egal´ , [email protected] 2LIMOS, Universite´ Clermont Auvergne, France, [email protected] , [email protected] Keywords: Cryptography, Partial homomorphic encryption, Linear Assumption, ElGamal encryption scheme. Abstract: ElGamal public key encryption scheme has been designed in the 80’s. It is one of the first partial homomorphic encryption and one of the first IND-CPA probabilistic public key encryption scheme. A linear version has been recently proposed by Boneh et al. In this paper, we present a linear encryption based on a generalized version of ElGamal encryption scheme. We prove that our scheme is IND-CPA secure under the linear assumption. We design a also generalized ElGamal scheme from the generalized linear. We also run an evaluation of performances of our scheme. We show that the decryption algorithm is faster than the existing versions. 1 Introduction Contributions. We propose the following results: In 2009 in his thesis (Gentry, 2009), G. Gren- • Most of today’s public key cryptosystems are re- try proposed the first fully homomorphic encryption sistant to various types of attacks and are effec- scheme. It was a revolution and it solves an open tive. Their main role is the protection of commu- problem already stated by Rivest Shamir and Adel- nications so they guarantee the security of the data man when they invented RSA in (Rivest et al., 1978). exchanged or stored. Thus, it will always be inter- Many advances have been done and nowadays we esting to find a new encryption scheme or to im- have some efficient implementations like for instance prove a known one. It is in this context that we SEAL developed by Microsoft (SEAL, 2019). How- propose a linear Generalized ElGamal encryption ever for some applications like the inversion of a large scheme. The modifications are about the key gen- matrix or multiplications of large matrices fully ho- eration which lead to a different encryption and momorphic encryption schemes can be very slow or decryption algorithms. Like linear ElGamal en- produce large ciphertext or even be inexact. It is why cryption, the linear Generalized ElGamal encryp- all partial homomorphic encryptions like RSA (Rivest tion scheme is IND-CPA secure under (DLA). et al., 1978), GM (Goldwasser and Micali, 1982), • We also propose the ElGamal and the Generalized ElGamal (Elgamal, 1985), Benaloh (Benaloh, 1999; ElGamal schemes from the generalized linear. Fousse et al., 2011), Naccache-Stern (Naccache and • We implement the algorithms and compare their Stern, 1998), Okamoto-Uchiyama (Okamoto and performances with the original algorithms. Our Uchiyama, 1998), Paillier (Paillier, 1999) or Gal- performance evaluations show that the decryption braith (Galbraith, 2002), are still widely used. They algorithm is faster. We also demonstrate that our can be used to solve such problems in reasonable key generation algorithm is slower, but this is not among of time like in (Ciucanu et al., 2019). a problem since this operation is usually done Many cryptosystems rely on the Diffie-Hellman only once. decision problem (DDH) (Boneh, 1998; Joux and • In general, if we work in a cyclic subgroup of size Guyen, 2006) assumption, notably the ElGamal en- d (with d a large prime), we can keep d secret and cryption scheme and the Cramer-Shoup encryption we can also use a secret exponent r for decryp- scheme (Cramer and Shoup, 1998). In (D. Boneh and jdj tion of size ,( where n0 is some integer which Shacham, 2004b), Boneh et al. introduced the Deci- n0 sional Linear Assumption (DLA) and a variation of divides jdj, the size of d). For example, it is possi- ElGamal encryption scheme. Our aim it to improve ble, for different security levels, to use a small key this linear version of ElGamal encryption scheme us- for decryption. Therefore, our scheme is faster ing the same approach proposed in (Sow and Sow, than the classical ElGamal one’s for the decryp- 2011). tion process. Related works. In 1985, Taher ElGamal (Elgamal, 2.1 The ElGamal Encryption Scheme 1985) proposed an encryption and signature scheme called ElGamal scheme. Given a computational group scheme G, the ElGamal In (Hanoymak, 2013), Turgut Hanoymak proves public-key encryption is defined as following (Elga- the security of ElGamal encryption scheme which mal, 1985): is based on the hardness to solve the Computa- tional Diffie-Hellman (CDH) and Decisional Diffie- Hellman (DDH) problems. Key Generation Algorithm. To create a pub- In (D. Boneh and Shacham, 2004b), Boneh et al. lic/secret key, Bob should do the following: proposed a linear encryption scheme based on the El- 1. Select a finite cyclic group G of order q with gen- Gamal encryption scheme. The linear ElGamal en- erator g. cryption scheme is IND-CPA secure under the (DLA). 2. Select a random integer a such that 2 < a < q. a In (Sow and Sow, 2011), a modified variant of 3. Compute h = g in G. the ElGamal scheme is presented, and it is called 4. The public key is pk = (G;q;g;h) and the secret Generalized ElGamal. As ElGamal’s scheme, the key is sk = a. Generalized ElGamal scheme is based on Decisional Diffie-Hellman Problem (DDH). In the Generalized Encryption Algorithm. To encrypt a message m ElGamal scheme, the decryption key size is smaller for Bob, Alice should do the following: than those of ElGamal scheme. Hence the General- 1. Take pk = ( ;q;g;h), the Bob’s public key; ized ElGamal scheme is more efficient than ElGamal G 2. Select a random integer r such that 1 < r < q = scheme; since the decryption process is faster. The # ; encryption mechanism has the same efficiency than G 3. Compute c = gr and c = m · hr in ; ElGamal encryption mechanism. But, the key gener- 1 2 G 4. The ciphertext is c = (c ;c ). ation algorithm is slower than the key generation al- 1 2 gorithm of ElGamal scheme. However, this is not a problem since the key generation is done only once. Decryption Algorithm. To decrypt a ciphertext c, Bob should do the following: Outline of paper. In Section 2, we show the origi- 1. Take sk = a the secret key. c2 2. Compute m = a , we note that m 2 . nal ElGamal encryption scheme and the Generalized (c1) G ElGamal encryption scheme. In Section 3, we present 3. The plaintext is m. the Linear assumption, the linear ElGamal encryp- tion scheme and the ElGamal encryption scheme from Security proof of ElGamal encryption. We recall the generalized linear. In Section 4, we propose the some theorems presented in (Farshim, 2011), which linear Generalized ElGamal encryption scheme and show the security of ElGamal encryption scheme un- the Generalized ElGamal encryption scheme from the der the CDH and DDH assumptions. Let GP an al- generalized linear. In Section 5, we propose a com- gorithm which takes 1k and returns the public key plexity analysis of our scheme. In Section 6.1, we pk = ( ;q;g;h) of the ElGamal encryption scheme. present the curves showing the average time of the G One-wayness under the CDH Assumption. If key generation, encryption and decryption algorithms I the CDH assumption holds with respect to , of the ElGamal encryption scheme and the General- GP then the ElGamal encryption scheme is one-way. ized ElGamal encryption scheme. In Section 6.2, we Theorem 2.1. Let be a probabilistic also present the curves showing the average time of A polynomial-time algorithm against the El- the key generation, encryption and decryption algo- Gamal encryption scheme (Elgamal, 1985) in rithms of the Linear ElGamal encryption scheme and the OW-CPA sense. Then there is a probabilistic the Linear Generalized ElGamal encryption scheme. polynomial-time algorithm B against GP solving the CDH problem such that: AdvCDH (k) = AdvOW−CPA(k): 2 ElGamal and Generalized GP ;B P;A ElGamal Encryption Schemes I Indistinguishability under the DDH Assump- tion. If the DDH assumption holds with respect We recall the ElGamal encryption scheme (Elga- to GP , then the ElGamal encryption scheme is mal, 1985) and the Generalized ElGamal encryption indistinguishable under chosen-plaintext attacks, scheme (Sow and Sow, 2011). i.e., it is IND-CPA secure. Theorem 2.2. ((Farshim, 2011)) Let A be a prob- Decryption algorithm. To decrypt a ciphertext abilistic polynomial-time against the ElGamal en- (c1;c2) encrypted with the public key ((g;d);d;G) cryption scheme in the IND-CPA sense. Then and knowing the associate secret key (r;G), we just r there is a probabilistic polynomial-time algorithm need to compute c1c2. B against GP solving the DDH problem such that: Provable security of the Generalized ElGamal En- 1 cryption Scheme. AdvDDH (k) = · AdvIND−CPA(k): GP ;B 2 P;A I One-wayness under the CDH Assumption. Theorem 2.4. Under the CDH Assumption, the Semantic security. In (J. Katz, 2008), Katz and I Generalized ElGamal encryption scheme is One- al. prove the semantic security of the ElGamal Way secure under Chosen Plaintext Attack (OW- encryption scheme. CPA). That is, for a security parameter k, if there Theorem 2.3. Under the DDH assumption, El- is an attacker that inverse the Generalized El- Gamal encryption scheme is semantically secure. A Gamal encryption then we can build an algorithm B that solves CDH, it means that 2.2 Generalized ElGamal Encryption CDH (k) = OW−CPA(k): Scheme AdvGP ;B AdvP;A I Indistinguishability under the DDH Assump- We give a key generation mechanism and a public key tion. encryption algorithm (Sow and Sow, 2011), which Theorem 2.5.
Recommended publications
  • The Twin Diffie-Hellman Problem and Applications

    The Twin Diffie-Hellman Problem and Applications

    The Twin Diffie-Hellman Problem and Applications David Cash1 Eike Kiltz2 Victor Shoup3 February 10, 2009 Abstract We propose a new computational problem called the twin Diffie-Hellman problem. This problem is closely related to the usual (computational) Diffie-Hellman problem and can be used in many of the same cryptographic constructions that are based on the Diffie-Hellman problem. Moreover, the twin Diffie-Hellman problem is at least as hard as the ordinary Diffie-Hellman problem. However, we are able to show that the twin Diffie-Hellman problem remains hard, even in the presence of a decision oracle that recognizes solutions to the problem — this is a feature not enjoyed by the Diffie-Hellman problem in general. Specifically, we show how to build a certain “trapdoor test” that allows us to effectively answer decision oracle queries for the twin Diffie-Hellman problem without knowing any of the corresponding discrete logarithms. Our new techniques have many applications. As one such application, we present a new variant of ElGamal encryption with very short ciphertexts, and with a very simple and tight security proof, in the random oracle model, under the assumption that the ordinary Diffie-Hellman problem is hard. We present several other applications as well, including: a new variant of Diffie and Hellman’s non-interactive key exchange protocol; a new variant of Cramer-Shoup encryption, with a very simple proof in the standard model; a new variant of Boneh-Franklin identity-based encryption, with very short ciphertexts; a more robust version of a password-authenticated key exchange protocol of Abdalla and Pointcheval.
  • Blind Schnorr Signatures in the Algebraic Group Model

    Blind Schnorr Signatures in the Algebraic Group Model

    An extended abstract of this work appears in EUROCRYPT’20. This is the full version. Blind Schnorr Signatures and Signed ElGamal Encryption in the Algebraic Group Model Georg Fuchsbauer1, Antoine Plouviez2, and Yannick Seurin3 1 TU Wien, Austria 2 Inria, ENS, CNRS, PSL, Paris, France 3 ANSSI, Paris, France first.last@{tuwien.ac.at,ens.fr,m4x.org} January 16, 2021 Abstract. The Schnorr blind signing protocol allows blind issuing of Schnorr signatures, one of the most widely used signatures. Despite its practical relevance, its security analysis is unsatisfactory. The only known security proof is rather informal and in the combination of the generic group model (GGM) and the random oracle model (ROM) assuming that the “ROS problem” is hard. The situation is similar for (Schnorr-)signed ElGamal encryption, a simple CCA2-secure variant of ElGamal. We analyze the security of these schemes in the algebraic group model (AGM), an idealized model closer to the standard model than the GGM. We first prove tight security of Schnorr signatures from the discrete logarithm assumption (DL) in the AGM+ROM. We then give a rigorous proof for blind Schnorr signatures in the AGM+ROM assuming hardness of the one-more discrete logarithm problem and ROS. As ROS can be solved in sub-exponential time using Wagner’s algorithm, we propose a simple modification of the signing protocol, which leaves the signatures unchanged. It is therefore compatible with systems that already use Schnorr signatures, such as blockchain protocols. We show that the security of our modified scheme relies on the hardness of a problem related to ROS that appears much harder.
  • Implementation and Performance Evaluation of XTR Over Wireless Network

    Implementation and Performance Evaluation of XTR Over Wireless Network

    Implementation and Performance Evaluation of XTR over Wireless Network By Basem Shihada [email protected] Dept. of Computer Science 200 University Avenue West Waterloo, Ontario, Canada (519) 888-4567 ext. 6238 CS 887 Final Project 19th of April 2002 Implementation and Performance Evaluation of XTR over Wireless Network 1. Abstract Wireless systems require reliable data transmission, large bandwidth and maximum data security. Most current implementations of wireless security algorithms perform lots of operations on the wireless device. This result in a large number of computation overhead, thus reducing the device performance. Furthermore, many current implementations do not provide a fast level of security measures such as client authentication, authorization, data validation and data encryption. XTR is an abbreviation of Efficient and Compact Subgroup Trace Representation (ECSTR). Developed by Arjen Lenstra & Eric Verheul and considered a new public key cryptographic security system that merges high level of security GF(p6) with less number of computation GF(p2). The claim here is that XTR has less communication requirements, and significant computation advantages, which indicate that XTR is suitable for the small computing devices such as, wireless devices, wireless internet, and general wireless applications. The hoping result is a more flexible and powerful secure wireless network that can be easily used for application deployment. This project presents an implementation and performance evaluation to XTR public key cryptographic system over wireless network. The goal of this project is to develop an efficient and portable secure wireless network, which perform a variety of wireless applications in a secure manner. The project literately surveys XTR mathematical and theoretical background as well as system implementation and deployment over wireless network.
  • On Notions of Security for Deterministic Encryption, and Efficient Constructions Without Random Oracles

    On Notions of Security for Deterministic Encryption, and Efficient Constructions Without Random Oracles

    A preliminary version of this paper appears in Advances in Cryptology - CRYPTO 2008, 28th Annual International Cryptology Conference, D. Wagner ed., LNCS, Springer, 2008. This is the full version. On Notions of Security for Deterministic Encryption, and Efficient Constructions without Random Oracles Alexandra Boldyreva∗ Serge Fehr† Adam O’Neill∗ Abstract The study of deterministic public-key encryption was initiated by Bellare et al. (CRYPTO ’07), who provided the “strongest possible” notion of security for this primitive (called PRIV) and con- structions in the random oracle (RO) model. We focus on constructing efficient deterministic encryption schemes without random oracles. To do so, we propose a slightly weaker notion of security, saying that no partial information about encrypted messages should be leaked as long as each message is a-priori hard-to-guess given the others (while PRIV did not have the latter restriction). Nevertheless, we argue that this version seems adequate for certain practical applica- tions. We show equivalence of this definition to single-message and indistinguishability-based ones, which are easier to work with. Then we give general constructions of both chosen-plaintext (CPA) and chosen-ciphertext-attack (CCA) secure deterministic encryption schemes, as well as efficient instantiations of them under standard number-theoretic assumptions. Our constructions build on the recently-introduced framework of Peikert and Waters (STOC ’08) for constructing CCA-secure probabilistic encryption schemes, extending it to the deterministic-encryption setting and yielding some improvements to their original results as well. Keywords: Public-key encryption, deterministic encryption, lossy trapdoor functions, leftover hash lemma, standard model. ∗ College of Computing, Georgia Institute of Technology, 266 Ferst Drive, Atlanta, GA 30332, USA.
  • Lecture 14: Elgamal Encryption, Hash Functions from DL, Prgs from DDH 1 Topics Covered 2 Recall 3 Key Agreement from the Diffie

    Lecture 14: Elgamal Encryption, Hash Functions from DL, Prgs from DDH 1 Topics Covered 2 Recall 3 Key Agreement from the Diffie

    CS 7880 Graduate Cryptography October 29, 2015 Lecture 14: ElGamal Encryption, Hash Functions from DL, PRGs from DDH Lecturer: Daniel Wichs Scribe: Biswaroop Maiti 1 Topics Covered • Public Key Encryption • A Public Key Encryption from the DDH Assumption • El Gamal Encryption • CRHF from Discrete Log • PRG from DDH 2 Recall Recall the three number theoretic assumptions we saw last time. We will build Crypto- graphic schemes or protocols based on the hardness of these problems. Definition 1 (G; g; q) Groupgen(1n) } Assumption 1 DL Given g; gX , it is hard to find X. Assumption 2 Computational Diffie Hellman Given g; gX ; gY , it is hard to find gXY . Assumption 3 Decisional Diffie Hellman Given g; gX ; gY , it is hard to distinguish between gXY and gZ , where Z is chosen at random. (g; gX ; gY ; gXY ) ≈ (g; gX ; gY ; gZ ) 3 Key Agreement from the Diffie Helman scheme AB x Zq X hA = g −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−£ Y hB = g ¡−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− Y Zq X XY Y XY hB = g hA = g The keys agreed upon by A and B is gXY . Lecture 14, Page 1 It is interesting to note that in this scheme, A and B were able to agree upon a key without communicating about it. Each party generates a puzzle uniformly at random: A X Y generates hA = g , and B generates hB = g . Then, they send their puzzles to each other, and establish the key to be gXY . Proving this scheme is secure is equivalent to showing that the DDH assumption holds. 4 Public Key Encryption The general syntax of Public Key Encryption is the following.
  • Probabilistic Public-Key Encryption

    Probabilistic Public-Key Encryption

    PROBABILISTIC PUBLIC-KEY ENCRYPTION By Azymbek Beibyt Fundamentals Semantic Security A public-key cryptosystem is semantically secure if it’s computationally infeasible for opponent to derive any information about plaintext given only ciphertext and public key. Semantic Security = Cryptosystem Indistinguishability Fundamentals Semantic Security (Cont.) Semantic security are obtained using trapdoor (one- way) functions: - prime factorization in RSA - discrete logarithm problem in ElGamal Fundamentals Semantic Security (Cont.) Why not use trapdoor functions as before? ¨ The fact that f is a trapdoor function does not rule out the possibility of computing x from f (x) when x is of a special form. ¨ The fact that f is a trapdoor function does not rule out the possibility of easily computing some partial information about x (even every other bit of x) from f(x). Probabilistic Encryption New approach introduced by Shafi Goldwasser and Silvio Micali in 1983. ¨ Replace deterministic block encryption by probabilistic encryption of single bits. ¨ Proved to be hard to extract any information about plaintext under polynomially bounded computational resources, because is based on intractability of deciding Quadratic Residuosity modulo composite numbers whose factorization is unknown. Probabilistic Public -Key Cryptosystem General Idea (P, C, K, E, D, R), where R is a set of randomizers, encryption is public and decryption is secret and following properties should be satisfied: 1. , where b Є P, r Є R and if Probabilistic Public -Key Cryptosystem General Idea (Cont.) 2. Let ϵ be specified security parameter. Define probability distribution on C, which denotes the probability that y is the ciphertext given that K is the key and x is the plaintext .
  • Implementing Several Attacks on Plain Elgamal Encryption Bryce D

    Implementing Several Attacks on Plain Elgamal Encryption Bryce D

    Iowa State University Capstones, Theses and Graduate Theses and Dissertations Dissertations 2008 Implementing several attacks on plain ElGamal encryption Bryce D. Allen Iowa State University Follow this and additional works at: https://lib.dr.iastate.edu/etd Part of the Mathematics Commons Recommended Citation Allen, Bryce D., "Implementing several attacks on plain ElGamal encryption" (2008). Graduate Theses and Dissertations. 11535. https://lib.dr.iastate.edu/etd/11535 This Thesis is brought to you for free and open access by the Iowa State University Capstones, Theses and Dissertations at Iowa State University Digital Repository. It has been accepted for inclusion in Graduate Theses and Dissertations by an authorized administrator of Iowa State University Digital Repository. For more information, please contact [email protected]. Implementing several attacks on plain ElGamal encryption by Bryce Allen A thesis submitted to the graduate faculty in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE Major: Mathematics Program of Study Committee: Clifford Bergman, Major Professor Paul Sacks Sung-Yell Song Iowa State University Ames, Iowa 2008 Copyright c Bryce Allen, 2008. All rights reserved. ii Contents CHAPTER 1. OVERVIEW . 1 1.1 Introduction . .1 1.2 Hybrid Cryptosystems . .2 1.2.1 Symmetric key cryptosystems . .2 1.2.2 Public key cryptosystems . .3 1.2.3 Combining the two systems . .3 1.2.4 Short messages and public key systems . .4 1.3 Implementation . .4 1.4 Splitting Probabilities . .5 CHAPTER 2. THE ELGAMAL CRYPTOSYSTEM . 7 2.1 The Discrete Log Problem . .7 2.2 Encryption and Decryption . .8 2.3 Security . .9 2.4 Efficiency .
  • Power Analysis on NTRU Prime

    Power Analysis on NTRU Prime

    Power Analysis on NTRU Prime Wei-Lun Huang, Jiun-Peng Chen and Bo-Yin Yang Academia Sinica, Taiwan, [email protected], [email protected], [email protected] Abstract. This paper applies a variety of power analysis techniques to several imple- mentations of NTRU Prime, a Round 2 submission to the NIST PQC Standardization Project. The techniques include vertical correlation power analysis, horizontal in- depth correlation power analysis, online template attacks, and chosen-input simple power analysis. The implementations include the reference one, the one optimized using smladx, and three protected ones. Adversaries in this study can fully recover private keys with one single trace of short observation span, with few template traces from a fully controlled device similar to the target and no a priori power model, or sometimes even with the naked eye. The techniques target the constant-time generic polynomial multiplications in the product scanning method. Though in this work they focus on the decapsulation, they also work on the key generation and encapsulation of NTRU Prime. Moreover, they apply to the ideal-lattice-based cryptosystems where each private-key coefficient comes from a small set of possibilities. Keywords: Ideal Lattice Cryptography · Single-Trace Attack · Correlation Power Analysis · Template Attack · Simple Power Analysis · NTRU Prime 1 Introduction Due to Shor’s algorithm [Sho97], quantum computing is a potential threat to all public-key cryptosystems based on the hardness of integer factorization and discrete logarithms, in- cluding RSA [RSA78], Diffie-Hellman key agreement [DH76], ElGamal encryption [Gam85], and ECDSA [JMV01]. Recently, quantum computers have been estimated as arriving in 10 to 15 years [Sni16, WLYZ18], which identifies an urgent need for the examination and standardization of post-quantum cryptosystems.
  • A CCA2 Secure Public Key Encryption Scheme Based on the Mceliece Assumptions in the Standard Model

    A CCA2 Secure Public Key Encryption Scheme Based on the Mceliece Assumptions in the Standard Model

    A CCA2 Secure Public Key Encryption Scheme Based on the McEliece Assumptions in the Standard Model Rafael Dowsley1, J¨ornM¨uller-Quade2, Anderson C. A. Nascimento1 1 Department of Electrical Engineering, University of Brasilia. Campus Universit´arioDarcy Ribeiro,Brasilia, CEP: 70910-900, Brazil, Email:[email protected], [email protected] 2 Universit¨atKarlsruhe, Institut f¨urAlgorithmen und Kognitive Systeme. Am Fasanengarten 5, 76128 Karlsruhe, Germany. E-mail: [email protected] We show that a recently proposed construction by Rosen and Segev can be used for obtaining the first public key encryption scheme based on the McEliece assumptions which is secure against adaptive chosen ciphertext attacks in the standard model. 1 Introduction Indistinguishability of messages under adaptive chosen ciphertext attacks is the strongest known notion of security for public key encryption schemes (PKE). Many computational assumptions have been used in the literature for obtain- ing cryptosystems meeting such a strong security requirements. Given one-way trapdoor permutations, we know how to obtain CCA2 security from any seman- tically secure public key cryptosystem [14, 20, 12]. Efficient constructions are also known based on number-theoretic assumptions [6] or on identity based encryp- tion schemes [3]. Obtaining a CCA2 secure cryptosystem (even an inefficient one) based on the McEliece assumptions in the standard model has been an open problem in this area for quite a while. Recently, Rosen and Segev proposed an elegant and simple new computa- tional assumption for obtaining CCA2 secure PKEs: correlated products [19]. They provided constructions of correlated products based on the existence of certain lossy trapdoor functions [16] which in turn can be based on the deci- sional Diffie-Hellman problem and on Paillier's decisional residuosity problem [16].
  • Comparison of Two Public Key Cryptosystems

    Comparison of Two Public Key Cryptosystems

    Journal of Optoelectronical Nanostructures Summer 2018 / Vol. 3, No. 3 Islamic Azad University Comparison of two Public Key Cryptosystems 1 *,2 1 Mahnaz Mohammadi , Alireza Zolghadr , Mohammad Ali Purmina 1 Department of Electrical and Electronic Eng., Science and Research Branch, Islamic Azad University, Tehran, Iran 2 Faculty of Computer and Electrical Eng., Department of Communication and Electronics, Shiraz University, Shiraz, Iran (Received 10 Jun. 2018; Revised 11 Jul. 2018; Accepted 26 Aug. 2018; Published 15 Sep. 2018) Abstract: Since the time public-key cryptography was introduced by Diffie and Hellman in 1976, numerous public-key algorithms have been proposed. Some of these algorithms are insecure and the others that seem secure, many are impractical, either they have too large keys or the cipher text they produce is much longer than the plaintext. This paper focuses on efficient implementation and analysis of two most popular of these algorithms, RSA and ElGamal for key generation and the encryption scheme (encryption/decryption operation). RSA relies on the difficulty of prime factorization of a very large number, and the hardness of ElGamal algorithm is essentially equivalent to the hardness of finding discrete logarithm modulo a large prime. These two systems are compared to each other from different parameters points of view such as performance, security, speed and applications. To have a good comparison and also to have a good level of security correspond to users need the systems implemented are designed flexibly in terms of the key size. Keywords: Cryptography, Public Key Cryptosystems, RSA, ElGamal. 1. INTRODUCTION The security is a necessary for the network to do all the works related to ATM cards, computer passwords and electronic commerce.
  • Timing Attacks and the NTRU Public-Key Cryptosystem

    Timing Attacks and the NTRU Public-Key Cryptosystem

    Eindhoven University of Technology BACHELOR Timing attacks and the NTRU public-key cryptosystem Gunter, S.P. Award date: 2019 Link to publication Disclaimer This document contains a student thesis (bachelor's or master's), as authored by a student at Eindhoven University of Technology. Student theses are made available in the TU/e repository upon obtaining the required degree. The grade received is not published on the document as presented in the repository. The required complexity or quality of research of student theses may vary by program, and the required minimum study period may vary in duration. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain Timing Attacks and the NTRU Public-Key Cryptosystem by Stijn Gunter supervised by prof.dr. Tanja Lange ir. Leon Groot Bruinderink A thesis submitted in partial fulfilment of the requirements for the degree of Bachelor of Science July 2019 Abstract As we inch ever closer to a future in which quantum computers exist and are capable of break- ing many of the cryptographic algorithms that are in use today, more and more research is being done in the field of post-quantum cryptography.
  • Lecture 19: Public-Key Cryptography (Diffie-Hellman Key Exchange & Elgamal Encryption)

    Lecture 19: Public-Key Cryptography (Diffie-Hellman Key Exchange & Elgamal Encryption)

    Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access to the secret key sk For example, consider a private-key encryption scheme $ 1 The Alice and Bob generate sk Gen() ahead of time 2 Later, when Alice wants to encrypt and send a message to Bob, she computes the cipher-text c = Encsk(m) 3 The eavesdropping adversary see c but gains no additional information about the message m 4 Bob can decrypt the message me = Decsk(c) 5 Note that the knowledge of sk distinguishes Bob from the eavesdropping adversary Public-key Cryptography Perspective If jskj >jmj, then we can construct private-key encryption schemes (like, one-time pad) that is secure even against adversaries with unbounded computational power If jskj = O(jmj"), where " 2 (0; 1) is a constant, then we can construction private-key encryption schemes using pseudorandom generators (PRGs) What if, jskj = 0? That is, what if Alice and Bob never met? How is “Bob” any different from an “adversary”? Public-key Cryptography In this Lecture We shall introduce the Decisional Diffie-Hellmann (DDH) Assumption and the Diffie-Hellman key-exchange protocol, We shall introduce the El Gamal (public-key) Encryption Scheme, and Finally, abstract out the principal design principles learned. Public-key Cryptography Decisional Diffie-Hellman (DDH) Computational Hardness AssumptionI Let (G; ◦) be a group of size N that is generated by g.