![Page 1: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/1.jpg)
Leakage Resilient ElGamal Encryption
Eike Kiltz and Krzysztof Pietrzak
Asiacrypt 2010, December 9th, Singapore
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 2: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/2.jpg)
Outline
1 Hybrid Encryption, the KEM/DEM framework
2 ElGamal KEM3 Leakage Resilient Crypto
Why?How?Other models?
4 Leakage Resilient ElGamal
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 3: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/3.jpg)
CCA1 secure KEM (Key Encapsulation Mechanism)
KEM = {KG, Enc, Dec} ≈ PKE for random messages.KEM + DEM ⇒ PKE
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 4: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/4.jpg)
CCA1 secure KEM (Key Encapsulation Mechanism)
KEM = {KG, Enc, Dec} ≈ PKE for random messages.KEM + DEM ⇒ PKE
Pr[Dec(sk ,C ) = K : (pk, sk)$← KG ; (K ,C )
$← Enc(pk)] = 1
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 5: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/5.jpg)
CCA1 secure KEM (Key Encapsulation Mechanism)
KEM = {KG, Enc, Dec} ≈ PKE for random messages.KEM + DEM ⇒ PKE
Pr[Dec(sk ,C ) = K : (pk, sk)$← KG ; (K ,C )
$← Enc(pk)] = 1
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 6: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/6.jpg)
CCA1 secure KEM (Key Encapsulation Mechanism)
KEM = {KG, Enc, Dec} ≈ PKE for random messages.KEM + DEM ⇒ PKE
Pr[Dec(sk ,C ) = K : (pk, sk)$← KG ; (K ,C )
$← Enc(pk)] = 1
KG
pk sk
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 7: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/7.jpg)
CCA1 secure KEM (Key Encapsulation Mechanism)
KEM = {KG, Enc, Dec} ≈ PKE for random messages.KEM + DEM ⇒ PKE
Pr[Dec(sk ,C ) = K : (pk, sk)$← KG ; (K ,C )
$← Enc(pk)] = 1
pk skC
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 8: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/8.jpg)
CCA1 secure KEM (Key Encapsulation Mechanism)
KEM = {KG, Enc, Dec} ≈ PKE for random messages.KEM + DEM ⇒ PKE
Pr[Dec(sk ,C ) = K : (pk, sk)$← KG ; (K ,C )
$← Enc(pk)] = 1
pk skDec(sk , C )
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 9: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/9.jpg)
CCA1 secure KEM (Key Encapsulation Mechanism)
KEM = {KG, Enc, Dec} ≈ PKE for random messages.KEM + DEM ⇒ PKE
Pr[Dec(sk ,C ) = K : (pk, sk)$← KG ; (K ,C )
$← Enc(pk)] = 1
Kb, C pk sk
(K0, C )← Enc(pk) , K1$← K , b ← {0, 1}
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 10: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/10.jpg)
CCA1 secure KEM (Key Encapsulation Mechanism)
KEM = {KG, Enc, Dec} ≈ PKE for random messages.KEM + DEM ⇒ PKE
Pr[Dec(sk ,C ) = K : (pk, sk)$← KG ; (K ,C )
$← Enc(pk)] = 1
Kb, C pk sk
(K0, C )← Enc(pk) , K1$← K , b ← {0, 1}
CCA1 security: ∀ : Pr[ guesses b]− 1/2 = negl
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 11: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/11.jpg)
ElGamal KEM
public parameter: Cyclic group G of prime order p, g = 〈G〉
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 12: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/12.jpg)
ElGamal KEM
public parameter: Cyclic group G of prime order p, g = 〈G〉
KG: sk = x , pk = g x where x$← Zp
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 13: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/13.jpg)
ElGamal KEM
public parameter: Cyclic group G of prime order p, g = 〈G〉
KG: sk = x , pk = g x where x$← Zp
Enc(pk): output (C := g r , K := g rx) where r$← Zp
Dec(sk, C ): output C x
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 14: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/14.jpg)
ElGamal KEM
public parameter: Cyclic group G of prime order p, g = 〈G〉
KG: sk = x , pk = g x where x$← Zp
Enc(pk): output (C := g r , K := g rx) where r$← Zp
Dec(sk, C ): output C x = g rx = K
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 15: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/15.jpg)
Side-Channel Attacks
pk sk
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 16: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/16.jpg)
Side-Channel Attacks
pk skC
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 17: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/17.jpg)
Side-Channel Attacks
pk skC x
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 18: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/18.jpg)
Side-Channel Attacks
pk skC x
Can e.g. measure time it takes to compute C x
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 19: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/19.jpg)
Side-Channel Attacks
pk skC x
Can e.g. measure time it takes to compute C x
Side-Channel Attack: Cryptanalytic attack exploringinformation leaked from a physical implementation of acryptosystem.
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 20: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/20.jpg)
More side-channel attacks
power analysis
radiation, sound, heat,. . .
probing attacks
cold-boot attacks
cache attacks
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 21: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/21.jpg)
More side-channel attacks
power analysis[Eisenbarth et al. CRYPTO’08]break wireless car keys
radiation, sound, heat,. . .
probing attacks
cold-boot attacks[Halderman et al. USENIX’08]break disc-encryption schemes
cache attacks[Ristenpart et al. CCS’09]break cloud computing
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 22: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/22.jpg)
Side-Channel Countermeasures
Usually Ad-hocImplement countermeasures to prevent known attacks.
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 23: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/23.jpg)
Side-Channel Countermeasures
Usually Ad-hocImplement countermeasures to prevent known attacks.
Timing Make computation time independent of inputs.
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 24: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/24.jpg)
Side-Channel Countermeasures
Usually Ad-hocImplement countermeasures to prevent known attacks.
Timing Make computation time independent of inputs.
Radiation Shield the chip.
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 25: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/25.jpg)
Side-Channel Countermeasures
Usually Ad-hocImplement countermeasures to prevent known attacks.
Timing Make computation time independent of inputs.
Radiation Shield the chip.
make physical device look more like a black-box
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 26: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/26.jpg)
Leakage-Resilient Cryptography [DP’08]
extend black-box model to incorporte leakage
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 27: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/27.jpg)
Leakage-Resilient Cryptography [DP’08]
extend black-box model to incorporte leakage
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 28: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/28.jpg)
Leakage-Resilient Cryptography [DP’08]
extend black-box model to incorporte leakage
Computation is split in steps.
Adversary has black-box access + get bounded amount ofarbitrary, adaptively chosen leakage of every step.
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 29: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/29.jpg)
Leakage-Resilient Cryptography [DP’08]
extend black-box model to incorporte leakage
Computation is split in steps.
Adversary has black-box access + get bounded amount ofarbitrary, adaptively chosen leakage of every step.(only computation leaks “axiom” [MR04].)
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 30: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/30.jpg)
Leakage Resilient Cryptography Cont.
LR primitives must be stateful.
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 31: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/31.jpg)
Leakage Resilient Cryptography Cont.
LR primitives must be stateful.
Key evolution:LR stream-cipher [DP’08,P09,YSPY’10]
LR (tree-based) signatures [FKPR’10]
Evolving PKE sk difficult: must decrypt for fixed pk.
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 32: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/32.jpg)
Leakage Resilient Cryptography Cont.
LR primitives must be stateful.
Key evolution:LR stream-cipher [DP’08,P09,YSPY’10]
LR (tree-based) signatures [FKPR’10]
Evolving PKE sk difficult: must decrypt for fixed pk.
We secret-share key (aka blinding.) Frequently re-share.
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 33: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/33.jpg)
Leakage Resilient Cryptography Cont.
LR primitives must be stateful.
Key evolution:LR stream-cipher [DP’08,P09,YSPY’10]
LR (tree-based) signatures [FKPR’10]
Evolving PKE sk difficult: must decrypt for fixed pk.
We secret-share key (aka blinding.) Frequently re-share.
Scheme is very efficient (≈ 2x basic ElGamal)
Security proofs are very limited (generic group.)
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 34: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/34.jpg)
Some Related Work
General Compilers [Goldwasser-Rothblum,Juma-VahlisCrypto’10]General but not practical (One Encryption get gate /Fully homomorphic encryption)
Non-Continuous leakage (BRM/memory-attacks, auxiliaryinput), next talk.
Continuous memory attacks [DHLW,BKKV FOCS’10],[LLW eprint 2010/562].
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 35: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/35.jpg)
ElGamal KEM with shared key
g x x ∈ Zp
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 36: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/36.jpg)
ElGamal KEM with shared key
g x x ∈ ZpC
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 37: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/37.jpg)
ElGamal KEM with shared key
g x x ∈ ZpC x
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 38: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/38.jpg)
ElGamal KEM with shared key
g x x ∈ ZpC , f (.)
Not Leakage-Resilient (learn x bit by bit.)
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 39: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/39.jpg)
ElGamal KEM with shared key
g x x ∈ ZpC x , f (x)
Not Leakage-Resilient (learn x bit by bit.)
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 40: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/40.jpg)
ElGamal KEM with shared key
g x x0
x ′
0
Not Leakage-Resilient (learn x bit by bit.)
Multiplicatively Secret-Share x = x0 · x′
0.
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 41: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/41.jpg)
ElGamal KEM with shared key
g x x0
x ′
0
C
Not Leakage-Resilient (learn x bit by bit.)
Multiplicatively Secret-Share x = x0 · x′
0.
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 42: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/42.jpg)
ElGamal KEM with shared key
g x x1 := x0 · r
x ′
0
C
C x0 , r
Not Leakage-Resilient (learn x bit by bit.)
Multiplicatively Secret-Share x = x0 · x′
0.
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 43: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/43.jpg)
ElGamal KEM with shared key
g x x1 := x0 · r
x ′
1 := x0/r
C
C x0 , r(C x0)x ′
0 = C x
Not Leakage-Resilient (learn x bit by bit.)
Multiplicatively Secret-Share x = x0 · x′
0.
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 44: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/44.jpg)
ElGamal KEM with shared key
g x x1 := x0 · r
x ′
1 := x0/r
C
C x0 , r(C x0)x ′
0 = C x
Not Leakage-Resilient (learn x bit by bit.)
Multiplicatively Secret-Share x = x0 · x′
0.
Re-Sharing: x i+1 ← x i · r , x ′
i+1 ← x ′
i/r .
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 45: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/45.jpg)
ElGamal KEM with shared key
g x x1 := x0 · r
x ′
1 := x0/r
C
C x0 , r(C x0)x ′
0 = C x
Not Leakage-Resilient (learn x bit by bit.)
Multiplicatively Secret-Share x = x0 · x′
0.
Re-Sharing: x i+1 ← x i · r , x ′
i+1 ← x ′
i/r .
i ’th query: adaptively chooses fi(.), f′
i (.).Gets leakage fi(x i , r), f ′
i (x′
i , r , Cx i ).
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 46: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/46.jpg)
Conjecture: ElGamal KEM (as on previous slide) isleakage-resilient if
the group order p is not smooth (i.e. p − 1 has largeprime factor.)
Range of leakage functions is bounded to, sayλ = 0.25 · log(p) bits.
1Howgrave-Graham, Nguyen, Shparlinski. Hidden number problemwith hidden multipliers, timed-release crypto, and noisy exponentiation.Math. Comput. 72(243): 1473-1485 (2003)
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 47: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/47.jpg)
Conjecture: ElGamal KEM (as on previous slide) isleakage-resilient if
the group order p is not smooth (i.e. p − 1 has largeprime factor.)
Range of leakage functions is bounded to, sayλ = 0.25 · log(p) bits.
Attack exits if we use additive secret sharing,i.e. x = x i + x ′
i mod p instead x = x i · x′
i mod p.
1Howgrave-Graham, Nguyen, Shparlinski. Hidden number problemwith hidden multipliers, timed-release crypto, and noisy exponentiation.Math. Comput. 72(243): 1473-1485 (2003)
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 48: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/48.jpg)
Conjecture: ElGamal KEM (as on previous slide) isleakage-resilient if
the group order p is not smooth (i.e. p − 1 has largeprime factor.)
Range of leakage functions is bounded to, sayλ = 0.25 · log(p) bits.
Attack exits if we use additive secret sharing,i.e. x = x i + x ′
i mod p instead x = x i · x′
i mod p.
Attack exists if p − 1 is smooth.
1Howgrave-Graham, Nguyen, Shparlinski. Hidden number problemwith hidden multipliers, timed-release crypto, and noisy exponentiation.Math. Comput. 72(243): 1473-1485 (2003)
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 49: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/49.jpg)
Conjecture: ElGamal KEM (as on previous slide) isleakage-resilient if
the group order p is not smooth (i.e. p − 1 has largeprime factor.)
Range of leakage functions is bounded to, sayλ = 0.25 · log(p) bits.
Attack exits if we use additive secret sharing,i.e. x = x i + x ′
i mod p instead x = x i · x′
i mod p.
Attack exists if p − 1 is smooth.
Attack exists if λ = 0.4 · log(p).1
1Howgrave-Graham, Nguyen, Shparlinski. Hidden number problemwith hidden multipliers, timed-release crypto, and noisy exponentiation.Math. Comput. 72(243): 1473-1485 (2003)
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 50: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/50.jpg)
Conjecture: ElGamal KEM (as on previous slide) isleakage-resilient if
the group order p is not smooth (i.e. p − 1 has largeprime factor.)
Range of leakage functions is bounded to, sayλ = 0.25 · log(p) bits.
Attack exits if we use additive secret sharing,i.e. x = x i + x ′
i mod p instead x = x i · x′
i mod p.
Attack exists if p − 1 is smooth.
Attack exists if λ = 0.4 · log(p).1
Scheme if “lifted” to bilinear groups is secure in genericgroup model (next slides.)
1Howgrave-Graham, Nguyen, Shparlinski. Hidden number problemwith hidden multipliers, timed-release crypto, and noisy exponentiation.Math. Comput. 72(243): 1473-1485 (2003)
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 51: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/51.jpg)
Bilinear Groups
1 G is a (multiplicative) cyclic group of prime order p.
2 g is a generator of G.3 e is a bilinear map e : G×G→ GT
1 ∀a, b ∈ Z, e(ga, gb) = e(g , g)ab
2 e(g , g)def= gT 6= 1.
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 52: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/52.jpg)
“lifted” ElGamal KEM
public parameter: G, GT of prime order p, e : G×G→ GT ,
g = 〈G〉, gTdef= e(g , g)
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 53: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/53.jpg)
“lifted” ElGamal KEM
public parameter: G, GT of prime order p, e : G×G→ GT ,
g = 〈G〉, gTdef= e(g , g)
KG: sk = g x , pk = g xT where x
$← Zp
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 54: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/54.jpg)
“lifted” ElGamal KEM
public parameter: G, GT of prime order p, e : G×G→ GT ,
g = 〈G〉, gTdef= e(g , g)
KG: sk = g x , pk = g xT where x
$← Zp
Enc(pk): output (C := g r , K := g rxT ) where r
$← Zp
Dec(sk, C ): output e(C , g x)
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 55: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/55.jpg)
“lifted” ElGamal KEM
public parameter: G, GT of prime order p, e : G×G→ GT ,
g = 〈G〉, gTdef= e(g , g)
KG: sk = g x , pk = g xT where x
$← Zp
Enc(pk): output (C := g r , K := g rxT ) where r
$← Zp
Dec(sk, C ): output e(C , g x) = g rxT = K
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 56: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/56.jpg)
“lifted” ElGamal KEM
public parameter: G, GT of prime order p, e : G×G→ GT ,
g = 〈G〉, gTdef= e(g , g)
KG: sk = gx , pk = g xT where x
$← Zp
Enc(pk): output (C := g r , K := g rxT ) where r
$← Zp
Dec(sk, C ): output e(C , g x) = g rxT = K
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 57: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/57.jpg)
“lifted” ElGamal KEM
public parameter: G, GT of prime order p, e : G×G→ GT ,
g = 〈G〉, gTdef= e(g , g)
KG: sk = gx , pk = g xT where x
$← Zp
Enc(pk): output (C := g r , K := g rxT ) where r
$← Zp
Dec(sk, C ): output e(C , g x) = g rxT = K
Like for standard ElGamal, can define shared-key versiong x = g x−r ◦ g r .
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 58: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/58.jpg)
“lifted” ElGamal KEM
public parameter: G, GT of prime order p, e : G×G→ GT ,
g = 〈G〉, gTdef= e(g , g)
KG: sk = gx , pk = g xT where x
$← Zp
Enc(pk): output (C := g r , K := g rxT ) where r
$← Zp
Dec(sk, C ): output e(C , g x) = g rxT = K
Like for standard ElGamal, can define shared-key versiong x = g x−r ◦ g r .
Theorem
In the bilinear generic group model the lifted, shared-keyElGamal KEM is Leakage-Resilient (CCA1).The leakage per invocation can be < .49| log(p)| bits.
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 59: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/59.jpg)
Questions?
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption
![Page 60: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)](https://reader034.vdocument.in/reader034/viewer/2022042210/5eaec5a56e04667e0d6305fa/html5/thumbnails/60.jpg)
Questions?
ICITS 2011, Amsterdam, The Netherlands, May 21 - 24, 20115th International Conference on Information Theoretic Security
Submission deadline: Dec 10, 2010Invited Speakers:
Benny Applebaum, Alexander Barg, Imre Csiszar, Ivan Damgaard,
Yuval Ishai, Renato Renner, Leonid Reyzin, Ronald de Wolf
Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption