On the Hardness of Proving CCA-Security of Signed ElGamal

Bernhard, David; Fischlin, Marc; Warinschi, Bogdan

doi:10.1007/978-3-662-49384-7_3

Cited by 12 publications

(8 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Our notion of adaptive proofs captures the kind of proofs we would like to have in such scenarios (and which are achievable via the Fischlin transformation). Since the publication of the first version of this work [24], the chain-of-proofs technique has been developed further to prove that CCA security of Signed ElGamal cannot be reduced to IND-CPA of plain ElGamal [10] (unless Schnorr proofs leak the witness, in which case any use of Signed ElGamal is questionable). This does not follow directly from the theorems of this work here which do not exclude an extractor tailored specifically to Signed ElGamal that uses the ElGamal ciphertext as well as the attacked PoK.…”

Section: Resultsmentioning

confidence: 99%

See 1 more Smart Citation

Adaptive proofs of knowledge in the random oracle model

Bernhard

Fischlin²,

Warinschi

2016

IET Information Security

Self Cite

View full text Add to dashboard Cite

We define a notion of adaptive proofs of knowledge (PoKs) in the Random Oracle Model (ROM). These are proofs where the malicious prover can adaptively issue multiple statements and proofs, and where the extractor is supposed to extract a witness for each statement. We begin by studying the traditional notion of zero-knowledge PoKs in the ROM and then show how to extend it to the case of adaptive adversaries and to simulation soundness, where the adversary can also learn simulated proofs. Our first main result is negative. Under common assumptions we can show that the well-known Fiat-Shamir-Schnorr proof system is not adaptively secure. As for the second result we prove that an existing construction due to Fischlin (Crypto 2005) yields adaptively secure simulation-sound PoKs in the ROM. Since the purpose of this work is to motivate and introduce adaptive proofs, we only briefly discuss some applications to other areas, for example that adaptive proofs seem to be exactly what one requires to construct CCA-secure public-key encryption from IND-CPA secure schemes.

show abstract

Section: Resultsmentioning

confidence: 99%

“…The focus of this paper is on the notion of adaptive proofs for which we provide a detailed treatment. In particular, we spell out the proof of insecurity of the Fiat-Shamir-Schnorr transform which has led to follow-up work on Signed ElGamal [10].…”

Section: Related Workmentioning

confidence: 99%

Adaptive proofs of knowledge in the random oracle model

Bernhard

Fischlin²,

Warinschi

2016

IET Information Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…Sedangkan Algoritma ElGamal merupakan salah satu algoritma kriptografi kunci publik yang sudah familiar digunakan, khususnya pada program pertukaran data yang sangat terkenal yaitu PGP (Pretty Good Privacy), dan penerapannya pada tanda-tangan digital (Digital Signature) [6]. Kekuatan dari algoritma ElGamal terletak pada sulitnya menghitung logaritma diskrit [7].…”

Section: Pendahuluanunclassified

Analisis Kompleksitas Waktu Algoritma Kriptografi Elgamal Dan Data Encryption Standard

Kabetta¹

2020

Preprint

View full text Add to dashboard Cite

ElGamal as an asymmetric key cryptographysystem and Data Encryption Standard (DES) as a symmetrickey cryptography system, both of algorithms will becompared using the time complexity analysis and computersimulation. The result of time analysis shows a dif erentcomplexity for both algorithms, there is quadraticcomplexity for ElGamal Algorithm and Linear Complexityfor DES algorithm. Input that is used by ElGamal algorithmis the private key, while for DES algorithm is the plaintext’ssize. Based on result of simulation using a computer program, it shows a significant timing dif erences, ElGamal’s time execution is longer than DES. This iscaused by dif erences of arithmetic operations that is usedby each algorithms.

show abstract

“…Note that Theorem 18 implies that every generic algorithm A, which wins Σ−one-wayness with high probability, must perform at least Ω(α |X |) group operations, where α = 1 − |ker(φ)|/|W|. In particular, if W is large then we get the lower bound Ω( |X |) for IES (described in [6]) by choosing φ(w) = g w .…”

Section: Limitations Of the Fiat-shamir Transformationmentioning

confidence: 99%

Adaptive Proofs Have Straightline Extractors (in the Random Oracle Model)

Bernhard

Nguyen

Warinschi

2017

Applied Cryptography and Network Security

Self Cite

View full text Add to dashboard Cite

The concept of adaptive security for proofs of knowledge was recently studied by Bernhard et al. They formalised adaptive security in the ROM and showed that the non-interactive version of the Schnorr protocol obtained using the Fiat-Shamir transformation is not adaptively secure unless the one-more discrete logarithm problem is easy. Their only construction for adaptively secure protocols used the Fischlin transformation [11] which yields protocols with straight-line extractors. In this paper we provide two further key insights. Our main result shows that any adaptively secure protocol must have a straight-line extractor: even the most clever rewinding strategies cannot offer any benefits against adaptive provers. Then, we show that any Fiat-Shamir transformed Σprotocol is not adaptively secure unless a related problem which we call the Σ-one-wayness problem is easy. This assumption concerns not just Schnorr but applies to a whole class of Σ-protocols including e.g. Chaum-Pedersen and representation proofs. We also prove that Σ-one-wayness is hard in an extension of the generic group model which, on its own is a contribution of independent interest. Taken together, these results suggest that the highly efficient proofs based on the popular Fiat-Shamir transformed Σ-protocols should be used with care in settings where adaptive security of such proofs is important.

show abstract

On the Hardness of Proving CCA-Security of Signed ElGamal

Cited by 12 publications

References 18 publications

Adaptive proofs of knowledge in the random oracle model

Adaptive proofs of knowledge in the random oracle model

Analisis Kompleksitas Waktu Algoritma Kriptografi Elgamal Dan Data Encryption Standard

Adaptive Proofs Have Straightline Extractors (in the Random Oracle Model)

Contact Info

Product

Resources

About