Cryptography Reference
23 Public key encryption based on discrete logarithms
Historically, encryption has been considered the most important part of cryptography. So
it is not surprising that there is a vast literature about public key encryption. It is important
to note that, in practice, public key encryption is not usually used to encrypt documents.
Instead, one uses public key encryption to securely send keys, and the data is encrypted
using symmetric encryption.
It is beyond the scope of this topic to discuss all known results on public key encryption,
or even to sketch all known approaches to designing public key encryption schemes. The
goal of this chapter is very modest. We simply aim to give some definitions and to provide
two efficient encryption schemes (one secure in the random oracle model and one secure
in the standard model). The encryption schemes in this chapter are all based on Elgamal
encryption, the “textbook” version of which has already been discussed in Sections 20.3
and 20.4.
Finally, we emphasise that this chapter only discusses confidentiality and not
simultaneous confidentiality and authentication. The reader is warned that naively combining
signatures and encryption does not necessarily provide the expected security (see, for
example, the discussion in Section 1.2.3 of Joux [283]).
23.1 CCA secure Elgamal encryption
Recall that security notions for public key encryption were given in Section 1.3.1. As we
have seen, the textbook Elgamal encryption scheme does not have OWE-CCA security,
since one can easily construct a related ciphertext whose decryption yields the original
message. A standard way to prevent such attacks is to add a message authentication code
(MAC); see Section 3.3.
We have also seen (see Section 20.3) that Elgamal can be viewed as static Diffie-Hellman
key exchange followed by a specific symmetric encryption. Hence, it is natural to generalise
Elgamal encryption so that it works with any symmetric encryption scheme. The scheme
we present in this section is known as DHIES and, when implemented with elliptic curves,
is called ECIES. We refer to Abdalla, Bellare and Rogaway [1] or Chapter III of [61] for
background and discussion.
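The following added example (not taken from the book) contrasts textbook Elgamal, where a modified ciphertext still decrypts to a related message, with a simplified hybrid in the shape described above: Diffie-Hellman, then symmetric encryption, then a MAC that is checked before decryption. The toy group, the SHA-256 keystream standing in for the symmetric cipher, the key derivation and all function names are assumptions made for illustration; this is not the DHIES specification of [1].

```python
import hashlib, hmac, secrets
# Toy parameters (assumption): P = 2^255 - 19 is prime and G = 2. Chosen only so
# the arithmetic runs; this is not a vetted Diffie-Hellman group.
P, G = 2**255 - 19, 2

def keygen():
    x = secrets.randbelow(P - 2) + 1             # private key x
    return x, pow(G, x, P)                       # public key h = g^x

def textbook_encrypt(h, m):
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), (m * pow(h, k, P)) % P  # (c1, c2) = (g^k, m*h^k)

def textbook_decrypt(x, c1, c2):
    return (c2 * pow(c1, P - 1 - x, P)) % P      # c2 * c1^(-x)

def _kdf(c1, shared):
    # Independent encryption and MAC keys derived from (g^k, g^(xk)).
    seed = c1.to_bytes(32, "big") + shared.to_bytes(32, "big")
    return hashlib.sha256(b"enc" + seed).digest(), hashlib.sha256(b"mac" + seed).digest()

def _xor_stream(key, data):
    # Stand-in symmetric cipher: SHA-256 in counter mode used as a keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def hybrid_encrypt(h, msg):
    k = secrets.randbelow(P - 2) + 1
    c1 = pow(G, k, P)
    k_enc, k_mac = _kdf(c1, pow(h, k, P))
    body = _xor_stream(k_enc, msg)
    return c1, body, hmac.new(k_mac, body, hashlib.sha256).digest()

def hybrid_decrypt(x, c1, body, tag):
    k_enc, k_mac = _kdf(c1, pow(c1, x, P))
    if not hmac.compare_digest(tag, hmac.new(k_mac, body, hashlib.sha256).digest()):
        return None                              # reject: MAC check failed
    return _xor_stream(k_enc, body)

def demo():
    x, h = keygen()
    c1, c2 = textbook_encrypt(h, 1234)
    related = textbook_decrypt(x, c1, (2 * c2) % P)  # altered c2 is still accepted
    c1, body, tag = hybrid_encrypt(h, b"session key")
    altered = bytes([body[0] ^ 1]) + body[1:]
    return related, hybrid_decrypt(x, c1, body, tag), hybrid_decrypt(x, c1, altered, tag)
```

`demo()` returns the decryption of the altered textbook ciphertext (twice the original message), the correctly decrypted hybrid message, and `None` for the altered hybrid ciphertext.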