Public key encryption based on discrete logarithms - Mathematics of Public Key Cryptography

Cryptography Reference

In-Depth Information

Let κ be a security parameter. The scheme requires a symmetric encryption scheme, a

MAC scheme and a key derivation function. The symmetric encryption functions Enc and

Dec take an l 1 -bit key and encrypt messages of arbitrary length. The MAC function MAC

takes an l 2 -bit key and a message of arbitrary length and outputs an l 3 -bit binary string.

The key derivation function is a function kdf : G

l 1 + l 2 . The values l 1 , l 2 and l 3

depend on the security parameter. Note that it is important that the MAC is evaluated on

the ciphertext not the message, since a MAC is not required to have any confidentiality

properties. The DHIES encryption scheme is given in Box 23.1 .

→{

0 , 1

}

KeyGen ( κ ): Generate an algebraic group or algebraic group quotient G whose order is

divisible by a large prime r (so that the discrete logarithm problem in the subgroup of prime

order r requires at least 2 κ bit operations).

Choose a random g ∈ G of exact order r . Choose a random integer 0 <a<r and set

h = g a .

The public key is ( G,g,h ) and the private key is a . Alternatively, ( G,g ) are system

parameters that are fixed for all users and only h is the public key.

The message space is M κ ={ 0 , 1 } ∗ .

The ciphertext space is C κ = G ×{ 0 , 1 } ∗ ×{ 0 , 1 }

l 3 .

Encrypt ( m ,h ): ( m

∈{

0 , 1

} ∗ and h is the authentic public key of the receiver)

Choose a random 0 <k<r and set c 1 = g k .

kdf ( h k ) and parse K as K 1 K 2 where K 1 and K 2 are l 1 and l 2 bit binary strings

respectively.

Set K =

MAC K 2 ( c 2 ).

Transmit the ciphertext ( c 1 , c 2 , c 3 ).

Set c 2 =

Enc K 1 ( m )and c 3 =

Decrypt ( c 1 , c 2 , c 3 ,a ):

Check that c 1 ∈ G and that c 3 is an l 3 -bit string (if not then return ⊥ and halt).

Compute K = kdf ( c 1 ) and parse it as K 1 K 2 .

Check whether c 3 = MAC K 2 ( c 2 ) (if not then return ⊥ and halt).

Return m = Dec K 1 ( c 2 ).

Box 23.1 DHIES public key encryption

Exercise 23.1.1 Show that decryption does return the message when given a ciphertext

produced by the DHIES encryption algorithm.

A variant of DHIES is to compute the key derivation function on the pair of group (or

algebraic group quotient) elements ( g k ,h k ) rather than just h k . This case is presented in

Section 10 of Cramer and Shoup [ 149 ]. As explained in Section 10.7 of [ 149 ], this variant

can yield a tighter security reduction.

Mathematics of Public Key Cryptography

Search WWH ::

Custom Search

Home