On the Hardness of Proving CCA-Security of Signed ElGamal

The well-known Signed ElGamal scheme consists of ElGamal encryption combined with a non-interactive Schnorr proof of knowledge. While this scheme should intuitively be secure against chosen-ciphertext attacks in the random oracle model, its security has so far been neither proven nor disproven without relying on further non-standard assumptions such as the generic group model. Currently, the best known positive result is that Signed ElGamal is non-malleable under chosen-plaintext attacks. In this paper we provide some evidence that proving Signed ElGamal to be CCA secure in the random oracle model is hard. That is, building on previous work of Shoup and Gennaro (Eurocrypt '98), Seurin and Treger (CT-RSA 2013), and Bernhard et al. (PKC 2015), we exclude a large class of potential reductions that could be used to establish CCA security of the scheme.
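As an added illustration, not code from the paper, the following toy Python implementation shows the scheme the abstract describes: ElGamal encryption in a small prime-order group together with a Fiat-Shamir Schnorr proof of knowledge of the encryption randomness, where decryption rejects any ciphertext whose proof fails to verify. The group parameters (p = 2039, q = 1019, g = 4) and the SHA-256 instantiation of the random oracle are constructed for illustration only; the challenge hashes the public key and both ciphertext components (the "strong" form of the Fiat-Shamir transform), so a ciphertext altered after the proof was made no longer verifies.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration only (far too small to be secure):
# p = 2q + 1 is a safe prime and g = 4 generates the order-q subgroup of squares.
P, Q, G = 2039, 1019, 4

def keygen():
    """Secret key x in Z_q^*, public key h = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def challenge(h, c1, c2, a):
    """Random oracle H, instantiated with SHA-256 and reduced mod q.
    Binding the public key and BOTH ciphertext components ties the proof
    to this exact ciphertext (strong Fiat-Shamir)."""
    data = ",".join(str(v) for v in (h, c1, c2, a)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def encrypt(h, m):
    """ElGamal encryption of a group element m, plus a Schnorr proof of
    knowledge of the randomness r with c1 = g^r. Returns (c1, c2, e, s)."""
    r = secrets.randbelow(Q)
    c1, c2 = pow(G, r, P), (m * pow(h, r, P)) % P
    k = secrets.randbelow(Q)                 # Schnorr commitment nonce
    a = pow(G, k, P)
    e = challenge(h, c1, c2, a)
    s = (k + e * r) % Q
    return c1, c2, e, s

def verify(h, ct):
    """Recompute the commitment a = g^s * c1^(-e) and check the challenge."""
    c1, c2, e, s = ct
    if not (0 < c1 < P and 0 < c2 < P and pow(c1, Q, P) == 1):
        return False                         # c1 must lie in the order-q subgroup
    a = (pow(G, s, P) * pow(c1, (-e) % Q, P)) % P
    return e == challenge(h, c1, c2, a)

def decrypt(x, h, ct):
    """Reject any ciphertext whose proof does not verify; only then strip h^r."""
    if not verify(h, ct):
        return None
    c1, c2, _, _ = ct
    return (c2 * pow(c1, (-x) % Q, P)) % P
```

Multiplying c2 by a group element (re-randomising the plaintext) leaves the proof stale, so `decrypt` returns `None` for the modified ciphertext instead of a related plaintext.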

[1] Markus Jakobsson et al. Security of Signed ElGamal Encryption. ASIACRYPT, 2000.

[2] Claus-Peter Schnorr et al. Efficient Signature Generation by Smart Cards. Journal of Cryptology, 2004.

[3] Marc Fischlin et al. Communication-Efficient Non-interactive Proofs of Knowledge with Online Extractors. CRYPTO, 2005.

[4] Mihir Bellare et al. Relations among Notions of Security for Public-Key Encryption Schemes. IACR Cryptology ePrint Archive, 1998.

[5] Jacques Stern et al. Security Arguments for Digital Signatures and Blind Signatures. Journal of Cryptology, 2015.

[6] Amos Fiat et al. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. CRYPTO, 1986.

[7] Ronald Cramer et al. A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack. CRYPTO, 1998.

[8] Marc Fischlin et al. Adaptive Proofs of Knowledge in the Random Oracle Model. IET Information Security, 2015.

[9] Ben Adida et al. Helios: Web-based Open-Audit Voting. USENIX Security Symposium, 2008.

[10] Moni Naor et al. Nonmalleable Cryptography. SIAM Review, 2000.

[11] Douglas Wikström et al. Simplified Submission of Inputs to Protocols. SCN, 2008.

[12] Mihir Bellare et al. Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. CCS '93, 1993.

[13] Moni Naor et al. Non-malleable Cryptography. STOC '91, 1991.

[14] Victor Shoup et al. A Proposal for an ISO Standard for Public Key Encryption. IACR Cryptology ePrint Archive, 2001.

[15] Fabrice Benhamouda et al. Security of the J-PAKE Password-Authenticated Key Exchange Protocol. 2015 IEEE Symposium on Security and Privacy, 2015.

[16] Rosario Gennaro et al. Securing Threshold Cryptosystems against Chosen Ciphertext Attack. Journal of Cryptology, 1998.

[17] Yannick Seurin et al. A Robust and Plaintext-Aware Variant of Signed ElGamal Encryption. CT-RSA, 2013.

[18] Bogdan Warinschi et al. How Not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios. ASIACRYPT, 2012.

[19] Tibor Jager et al. On Tight Security Proofs for Schnorr Signatures. ASIACRYPT, 2014.

[20] Marc Fischlin et al. Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures. IACR Cryptology ePrint Archive, 2013.

[21] Yiannis Tsiounis et al. On the Security of ElGamal Based Encryption. Public Key Cryptography, 1998.