## Security of Signed ElGamal Encryption (2000)

Venue: | In Asiacrypt ’2000, LNCS 1976 |

Citations: | 41 - 3 self |

### BibTeX

@INPROCEEDINGS{Schnorr00securityof,
    author = {Claus Peter Schnorr and Markus Jakobsson},
    title = {Security of Signed ElGamal Encryption},
    booktitle = {In Asiacrypt ’2000, LNCS 1976},
    year = {2000},
    pages = {73--89},
    publisher = {Springer-Verlag}
}

### Abstract

Assuming a cryptographically strong cyclic group G of prime order q and a random hash function H, we show that ElGamal encryption with an added Schnorr signature is secure against the adaptive chosen ciphertext attack, in which an attacker can freely use a decryption oracle except for the target ciphertext. We also prove security against the novel one-more-decryption attack. Our security proofs are in a new model, corresponding to a combination of two previously introduced models, the Random Oracle model and the Generic model. The security extends to the distributed threshold version of the scheme. Moreover, we propose a very practical scheme for private information retrieval that is based on blind decryption of ElGamal ciphertexts.

1 Introduction and Summary

We analyse a very practical public key cryptosystem in terms of its security against the strong adaptive chosen ciphertext attack (CCA) of [RS92], in which an attacker can access a decryption oracle on arbitrary ciphertexts (ex...

### Citations

2466 | Handbook of Applied Cryptography - Menezes, Oorschot, et al. - 1996 |

1334 | Random oracles are practical: A paradigm for designing efficient protocols - Bellare, Rogaway - 1993 |

Citation Context: ...are provably secure in a reasonable, new security model, the random oracle and generic model (ROM+GM). The ROM goes back to Fiat and Shamir [FS86] and has been further enhanced by Bellare and Rogaway [BR93], while the generic model (GM) goes back to Nechaev [Ne94] and Shoup [Sh97]. We introduce the combination of these two models, the result of which seems to cover all practical attacks at hand. Namely,...

1178 | Probabilistic encryption - Goldwasser, Micali - 1984 |

Citation Context: ... rise to many cryptographic schemes, for example ElGamal encryption [E85]. An ElGamal ciphertext of message $m \in G$ is a pair $(g^r, mh^r) \in G^2$ for random $r \in \mathbb{Z}_q$. ElGamal encryption is indistinguishable [GM84] — it is secure against a passive, merely eavesdropping adversary. Formally, an attacker, given distinct messages $m_0, m_1$ and a corresponding target ciphertext $\mathrm{cip}_b$ for random $b \in \{0, 1\}$, cannot guess $b$...

1114 | A public-key cryptosystem and a signature scheme based on discrete logarithms - ElGamal - 1985 |

Citation Context: ... Diffie-Hellman key pair consists of a random secret key $x \in \mathbb{Z}_q$ and the corresponding public key $h = g^x \in G$. Diffie-Hellman keys give rise to many cryptographic schemes, for example ElGamal encryption [E85]. An ElGamal ciphertext of message $m \in G$ is a pair $(g^r, mh^r) \in G^2$ for random $r \in \mathbb{Z}_q$. ElGamal encryption is indistinguishable [GM84] — it is secure against a passive, merely eavesdropping adversary. F...

583 | Efficient Signature Generation by Smart Cards - Schnorr - 1991 |

Citation Context: ...gned extension of ElGamal encryption, which was independently proposed by Tsiounis and Yung [TY98] and Jakobsson [J98]. Herein, an ElGamal ciphertext $(g^r, mh^r)$ is completed by a Schnorr signature [Sc91] providing a proof of knowledge of the plaintext $m$ and of the secret $r$ — the public signature key $g^r$ is given by the ciphertext. CCA-security of this signed ElGamal encryption has been shown in [TY98]...

461 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack - Cramer, Shoup - 1998 |

Citation Context: ...ting way to the target ciphertext. Non-malleability and CCA-security have been shown to be equivalent [DDN98]. Previous work. The public key encryption schemes of Shoup, Gennaro [SG98], Cramer, Shoup [CS98], Abdalla, Bellare, Rogaway [ABR98], Fujisaki, Okamoto [FO99], Shoup [Sh00] and Zheng, Seberry [ZS92] all extend variants of ElGamal encryption by an added signature or tag. This idea first appears in...

395 | Fast probabilistic algorithms for verification of polynomial identities - Schwartz - 1980 |

Citation Context: ... trivial collisions do not depend on $b$. As $1 \le d \le 2$, the probability that $f_i(r, x) = f_j(r, x)$ for random $r, x$ is at most $2/q$, thus proving the claim. Here we use a Lemma attributed to Schwartz [Sch80] □ The leakage of secret information through the absence of collisions. Here we pay attention to the fact that $b, r, x$ are not perfectly random if $CO_t = \emptyset$. By Lemma 1 a $2\binom{t}{2}/q$-fraction of th...

310 | Zero-knowledge Proof of Identity - Feige, Fiat, et al. - 1988 |

238 | Optimal asymmetric encryption - Bellare, Rogaway - 1994 |

Citation Context: ... by the adaptive chosen ciphertext attack, as the latter relates to a single target ciphertext. Interestingly, security against the one-more attack follows from plaintext awareness (PA) as defined in [BR94]. Proving PA is the core of the proof of Theorem 1 and 2. For motivation of the one-more decryption attack, we propose a practical scheme for private information retrieval. It is based on blind decr...

221 | Lower bounds for discrete logarithms and related problems - Shoup - 1997 |

Citation Context: ...and generic model (ROM+GM). The ROM goes back to Fiat and Shamir [FS86] and has been further enhanced by Bellare and Rogaway [BR93], while the generic model (GM) goes back to Nechaev [Ne94] and Shoup [Sh97]. We introduce the combination of these two models, the result of which seems to cover all practical attacks at hand. Namely, security in ROM+GM allows a separation of potential weaknesses of the grou...

172 | Secure Integration of Asymmetric and Symmetric Encryption Schemes - Fujisaki, Okamoto - 1999 |

Citation Context: ...ecurity have been shown to be equivalent [DDN98]. Previous work. The public key encryption schemes of Shoup, Gennaro [SG98], Cramer, Shoup [CS98], Abdalla, Bellare, Rogaway [ABR98], Fujisaki, Okamoto [FO99], Shoup [Sh00] and Zheng, Seberry [ZS92] all extend variants of ElGamal encryption by an added signature or tag. This idea first appears in [ZS92] without a security proof. CCA-security has been prove...

115 | Non-malleable cryptography - Dolev, Dwork, Naor - 2000 |

Citation Context: ...he CCA-attack of Rackoff and Simon [RS92]. CCA-security means indistinguishability against an adversary that can freely use a decryption oracle except for the target ciphertext. Dolev, Dwork and Naor [DDN91] propose another notion of security against active attacks, called non-malleability. Here the adversary — which is given a decryption oracle — tries to create another ciphertext that is related in an ...

109 | Securing Threshold Cryptosystems against Chosen Ciphertext Attack - Shoup, Gennaro - 2002 |

Citation Context: ... related in an interesting way to the target ciphertext. Non-malleability and CCA-security have been shown to be equivalent [DDN98]. Previous work. The public key encryption schemes of Shoup, Gennaro [SG98], Cramer, Shoup [CS98], Abdalla, Bellare, Rogaway [ABR98], Fujisaki, Okamoto [FO99], Shoup [Sh00] and Zheng, Seberry [ZS92] all extend variants of ElGamal encryption by an added signature or tag. This...

74 | Algorithms for black-box fields and their application to cryptography (extended abstract) - Boneh, Lipton - 1996 |

71 | A practical mix - Jakobsson |

Citation Context: ...oblem, the tag in [ABR98] uses symmetric encryption. We consider the very practical, signed extension of ElGamal encryption, which was independently proposed by Tsiounis and Yung [TY98] and Jakobsson [J98]. Herein, an ElGamal ciphertext $(g^r, mh^r)$ is completed by a Schnorr signature [Sc91] providing a proof of knowledge of the plaintext $m$ and of the secret $r$ — the public signature key $g^r$ is given by...

67 | Using Hash functions as a hedge against chosen ciphertext attack - Shoup - 2000 |

Citation Context: ...tion and the number of on-line exp. per enc. (exponentiations not depending on the message).

| | exp./enc. | on-line/enc. | exp./dec. |
|---|---|---|---|
| Signed ElGamal enc. | 3 | 0 | 2 |
| [FO99] El Gamal | 2 | 2 | 2 |
| [ABR 98] | 2 | 0 | 1 |
| [CS98], [Sh00] | 4 | 1 | 2 |
| [SG98], TDH1, TDH2 | 5 | 2 | 5 |

The relative efficiency of [FO99], [ABR98] is due to the usage of further cryptographic primitives. [FO99] uses private encryption, [ABR98] uses private encryption and ...

66 | Complexity of a Determinate Algorithm for the Discrete Logarithm - Nechaev - 1994 |

Citation Context: ...he random oracle and generic model (ROM+GM). The ROM goes back to Fiat and Shamir [FS86] and has been further enhanced by Bellare and Rogaway [BR93], while the generic model (GM) goes back to Nechaev [Ne94] and Shoup [Sh97]. We introduce the combination of these two models, the result of which seems to cover all practical attacks at hand. Namely, security in ROM+GM allows a separation of potential weakn...

47 | On the security of ElGamal based encryption - Tsiounis, Yung |

Citation Context: ...the Diffie-Hellman problem, the tag in [ABR98] uses symmetric encryption. We consider the very practical, signed extension of ElGamal encryption, which was independently proposed by Tsiounis and Yung [TY98] and Jakobsson [J98]. Herein, an ElGamal ciphertext $(g^r, mh^r)$ is completed by a Schnorr signature [Sc91] providing a proof of knowledge of the plaintext $m$ and of the secret $r$ — the public signatur...

26 | Probabilistic algorithms for verification of polynomial identities - Schwartz - 1980 |

23 | Practical Approaches to Attaining Security Against Adaptively Chosen Ciphertext Attacks - Zheng, Seberry - 1992 |

Citation Context: ... [DDN98]. Previous work. The public key encryption schemes of Shoup, Gennaro [SG98], Cramer, Shoup [CS98], Abdalla, Bellare, Rogaway [ABR98], Fujisaki, Okamoto [FO99], Shoup [Sh00] and Zheng, Seberry [ZS92] all extend variants of ElGamal encryption by an added signature or tag. This idea first appears in [ZS92] without a security proof. CCA-security has been proved in [SG98, CS98, ABR98, FO99, Sh00]. Th...

22 | How to Prove Yourself - Fiat, Shamir - 1987 |

11 | Security of Discrete Log Cryptosystems in the Random Oracle and Generic Model - Schnorr, Jakobsson |

Citation Context: ...nteractive attacks. In this paper we merely consider encryption. For security in ROM+GM of Schnorr signatures — in particular security of blind signatures against the one-more signature forgery — see [SJ99]. Recently, it has been shown [Sc00] that the generation of secret DL-keys from short random seeds through a strong hash function is secure in GM. Notions of security. Let G be a cyclic group of prime...

8 | Small Generic Hardcore Subsets for the Discrete Logarithm: Short Secret DL-Keys - Schnorr - 2001 |

Citation Context: ... merely consider encryption. For security in ROM+GM of Schnorr signatures — in particular security of blind signatures against the one-more signature forgery — see [SJ99]. Recently, it has been shown [Sc00] that the generation of secret DL-keys from short random seeds through a strong hash function is secure in GM. Notions of security. Let G be a cyclic group of prime order q with generator g, and let Z...

4 | Non-Interactive Zero-Knowledge - Rackoff, Simon - 1992 |

Citation Context: ...ecryption of ElGamal ciphertexts. 1 Introduction and Summary We analyse a very practical public key cryptosystem in terms of its security against the strong adaptive chosen ciphertext attack (CCA) of [RS92], in which an attacker can access a decryption oracle on arbitrary ciphertexts (except for the target ciphertext.) Let a signed ElGamal encryption of a message be an ElGamal ciphertext together with a...

3 | Non-Malleable Cryptography. Manuscript (updated, full length version of STOC paper) - Dolev, Dwork, Naor - 1998 |

Citation Context: ...ch is given a decryption oracle — tries to create another ciphertext that is related in an interesting way to the target ciphertext. Non-malleability and CCA-security have been shown to be equivalent [DDN98]. Previous work. The public key encryption schemes of Shoup, Gennaro [SG98], Cramer, Shoup [CS98], Abdalla, Bellare, Rogaway [ABR98], Fujisaki, Okamoto [FO99], Shoup [Sh00] and Zheng, Seberry [ZS92] a...

2 | DHES: An Encryption Scheme Based on the Diffie-Hellman Problem. Contributions to P1363, ftp://stdgbbs.ieee.org/pub/p1363/contributions/aes-uhf.ps - Abdalla, Bellare, Rogaway |

Citation Context: ... Non-malleability and CCA-security have been shown to be equivalent [DDN98]. Previous work. The public key encryption schemes of Shoup, Gennaro [SG98], Cramer, Shoup [CS98], Abdalla, Bellare, Rogaway [ABR98], Fujisaki, Okamoto [FO99], Shoup [Sh00] and Zheng, Seberry [ZS92] all extend variants of ElGamal encryption by an added signature or tag. This idea first appears in [ZS92] without a security proof. C...

1 | Algorithms for black-box fields and their application - Boneh, Lipton - 1996 |