Chapter 23 Public Key Encryption Based on Discrete Logarithms This is a chapter from version 2.0 of the book “Mathematics of Public Key Cryptography” by Steven Galbraith, available from http://www.math.auckland.ac.nz/˜sgal018/crypto- book/crypto-book.html The copyright for this chapter is held by Steven Galbraith. This book was published by Cambridge University Press in early 2012. This is the extended and corrected version. Some of the Theorem/Lemma/Exercise numbers may be different in the published version. Please send an email to [email protected] if youfind any mistakes. Historically, encryption has been considered the most important part of cryptography. So it is not surprising that there is a vast literature about public key encryption. It is important to note that, in practice, public key encryption is not usually used to encrypt documents. Instead, one uses public key encryption to securely send keys, and the data is encrypted using symmetric encryption. It is beyond the scope of this book to discuss all known results on public key encryption, or even to sketch all known approaches to designing public key encryption schemes. The goal of this chapter is very modest. We simply aim to give some definitions and to provide two efficient encryption schemes (one secure in the random oracle model and one secure in the standard model). The encryption schemes in this chapter are all based on Elgamal encryption, the “textbook” version of which has already been discussed in Sections 20.3 and 20.4. Finally, we emphasise that this Chapter only discusses confidentiality and not simul- taneous confidentiality and authentication. The reader is warned that naively combining signatures and encryption does not necessarily provide the expected security (see, for example, the discussion in Section 1.2.3 of Joux [317]). 23.1 CCA Secure Elgamal Encryption Recall that security notions for public key encryption were given in Section 1.3.1. As we have seen, the textbook Elgamal encryption scheme does not have OWE-CCA security, since one can easily construct a related ciphertext whose decryption yields the original message. A standard way to prevent such attacks is to add a message authentication code (MAC); see Section 3.3. 493 494 CHAPTER 23. ENCRYPTION FROM DISCRETE LOGARITHMS We have also seen (see Section 20.3) that Elgamal can be viewed as static Diffie- Hellman key exchange followed by a specific symmetric encryption. Hence, it is natural to generalise Elgamal encryption so that it works with any symmetric encryption scheme. The scheme we present in this section is known as DHIES and, when implemented with elliptic curves, is called ECIES. We refer to Abdalla, Bellare and Rogaway [1] or Chapter III of [65] for background and discussion. Letκ be a security parameter. The scheme requires a symmetric encryption scheme, a MAC scheme and a key derivation function. The symmetric encryption functions Enc and Dec take anl 1-bit key and encrypt messages of arbitrary length. The MAC function MAC takes anl 2-bit key and a message of arbitrary length and outputs anl 3-bit binary string. The key derivation function is a function kdf:G 0,1 l1+l2 . The valuesl , →{ } 1 l2 andl 3 depend on the security parameter. Note that it is important that the MAC is evaluated on the ciphertext not the message, since a MAC is not required to have any confidentiality properties. The DHIES encryption scheme is given in Figure 23.1. KeyGen(κ): Generate an algebraic group or algebraic group quotientG whose order is divisible by a large primer (so that the discrete logarithm problem in the subgroup of prime orderr requires at least 2 κ bit operations). Choose a randomg G of exact orderr. Choose a random integer 0<a<r and set h=g a. ∈ The public key is (G, g, h) and the private key isa. Alternatively, (G, g) are system parameters that arefixed for all users and onlyh is the public key. The message space isM κ = 0,1 ∗. { } l The ciphertext space isC =G 0,1 ∗ 0,1 3 . κ ×{ } × { } Encrypt(m, h): (m 0,1 ∗ andh is the authentic public key of the receiver) ∈{ } Choose a random 0<k<r and setc =g k. • 1 k SetK= kdf(h ) and parseK asK 1 K2 whereK 1 andK 2 arel 1 andl 2 bit binary • strings respectively. k Setc = Enc (m) andc = MAC (c ). • 2 K1 3 K2 2 Transmit the ciphertext (c ,c ,c ). • 1 2 3 Decrypt(c1,c 2,c 3, a): Check thatc G and thatc is anl -bit string (if not then return and halt). • 1 ∈ 3 3 ⊥ ComputeK= kdf(c a) and parse it asK K . • 1 1k 2 Check whetherc = MAC (c ) (if not then return and halt). • 3 K2 2 ⊥ Returnm= Dec (c ). • K1 2 Figure 23.1: DHIES Public Key Encryption. Exercise 23.1.1. Show that decryption does return the message when given a ciphertext produced by the DHIES encryption algorithm. A variant of DHIES is to compute the key derivation function on the pair of group (or algebraic group quotient) elements (gk, hk) rather than justh k. This case is presented in 23.1. CCA SECURE ELGAMAL ENCRYPTION 495 Section 10 of Cramer and Shoup [161]. As explained in Section 10.7 of [161], this variant can yield a tighter security reduction. 23.1.1 The KEM/DEM Paradigm Shoup introduced a formalism for public key encryption that has proved to be useful. The idea is to separate the “public key” part of the system (i.e., the valuec 1 in Fig- ure 23.1) from the “symmetric” part (i.e., (c2,c 3) in Figure 23.1). A key encapsulation mechanism (or KEM) outputs a public key encryption of a random symmetric key (this functionality is very similar to key transport; the difference being that a KEM gener- ates a fresh random key as part of the algorithm). A data encapsulation mechanism (or DEM) is the symmetric part. The name hybrid encryption is used to describe an encryption scheme obtained by combining a KEM with a DEM. More formally, a KEM is a triple of three algorithms (KeyGen, Encrypt and Decrypt)1 that depend on a security parameterκ. Instead of a message space, there is space κ of possible keys to be encapsulated. The randomised algorithm Encrypt takes as inputK a public key and outputs a ciphertextc and a symmetric keyK κ (whereκ is the security parameter). One says thatc encapsulatesK. The Decrypt∈K algorithm for a KEM takes as input a ciphertextc and the private key and outputs a symmetric keyK (or if the decryption fails). The Encrypt algorithm for a DEM takes as input a message and⊥ a symmetric keyK and outputs a ciphertext. The Decrypt algorithm of a DEM takes a ciphertext and a symmetric keyK and outputs either or a message. The simplest way to obtain a KEM from Elgamal is⊥ given in Figure 23.2. The DEM corresponding to the hybrid encryption scheme in Section 23.1 takes as inputm andK, parsesK asK K , computesc = Enc (m) andc = MAC (c ) and outputs (c ,c ). 1k 2 2 K1 3 K2 2 2 3 KeyGen(κ): This is the same as standard Elgamal; see Figure 23.1. Encrypt(h): Choose random 0 k<r and setc=g k andK= kdf(h k). Return the ciphertextc and the keyK. ≤ Decrypt(c, a): Return ifc g . Otherwise return kdf(c a). ⊥ 6∈h i Figure 23.2: Elgamal KEM. Shoup has defined an analogue of IND-CCA security for a KEM. We refer to Section 7 of Cramer and Shoup [161] for precise definitions for KEMs, DEMs and their security properties, but give an informal statement now. Definition 23.1.2. An IND-CCA adversary for a KEM is an algorithmA that plays the following game: The input toA is a public key. The algorithmA can also query a decryption oracle that will provide decryptions of any ciphertext of its choosing. At some point the adversary requests a challenge, which is a KEM ciphertextc ∗ together with a keyK ∗ . The challenger choosesK ∗ to be either the key corresponding to ∈K κ the ciphertextc ∗ or an independently chosen random element of κ (both cases with probability 1/2). The game continues with the adversary able toK query the decryption oracle with any ciphertextc=c ∗. Finally, the adversary outputs a guess for whether 6 K∗ is the key corresponding toc ∗, or a random key (this is the same as the “real or random” security notion for key exchange in Section 20.5). Denote by Pr(A) the success probability ofA in this game and define the advantage Adv(A) = Pr(A) 1/2 . The KEM is IND-CCA secure if every polynomial-time adversary has negligible| − advantage.| 1Sometimes the names Encap and Decap are used instead of Encrypt and Decrypt. 496 CHAPTER 23. ENCRYPTION FROM DISCRETE LOGARITHMS Theorem 5 of Section 7.3 of [161] shows that, if a KEM satisfies IND-CCA security and if a DEM satisfies an analogous security property, then the corresponding hybrid encryption scheme has IND-CCA security. Due to lack of space we do not present the details. 23.1.2 Proof of Security in the Random Oracle Model We now sketch a proof that the Elgamal KEM of Figure 23.2 has IND-CCA security. The proof is in the random oracle model. The result requires a strong assumption (namely, the Strong-Diffie-Hellman or gap-Diffie-Hellman assumption). Do not be misled by the use of the word “strong”! This computational problem is not harder than the Diffie-Hellman problem.