Page 1: Leakage Resilient ElGamal Encryption · Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if the group order p is not smooth (i.e. p −1 has large prime factor.)

Leakage Resilient ElGamal Encryption

Eike Kiltz and Krzysztof Pietrzak

Asiacrypt 2010, December 9th, Singapore

Eike Kiltz and Krzysztof Pietrzak Leakage Resilient ElGamal Encryption

1 Hybrid Encryption, the KEM/DEM framework

2 ElGamal KEM

3 Leakage Resilient Crypto

Why? How? Other models?

4 Leakage Resilient ElGamal

CCA1 secure KEM (Key Encapsulation Mechanism)

KEM = {KG, Enc, Dec} ≈ PKE for random messages. KEM + DEM ⇒ PKE

$\Pr[\mathrm{Dec}(sk, C) = K : (pk, sk) \stackrel{\$}{\leftarrow} \mathrm{KG};\ (K, C) \stackrel{\$}{\leftarrow} \mathrm{Enc}(pk)] = 1$

[Figure: the adversary is given $pk$ and sends decryption queries $C$ to an oracle holding $sk$, which answers $\mathrm{Dec}(sk, C)$; it then receives the challenge $(K_b, C)$.]

$(K_0, C) \leftarrow \mathrm{Enc}(pk)$, $K_1 \stackrel{\$}{\leftarrow} \mathcal{K}$, $b \leftarrow \{0, 1\}$

CCA1 security: ∀ adversaries: Pr[adversary guesses b] − 1/2 = negl

ElGamal KEM

public parameter: Cyclic group $G$ of prime order $p$, $g = \langle G \rangle$

KG: $sk = x$, $pk = g^x$ where $x \stackrel{\$}{\leftarrow} \mathbb{Z}_p$

Enc(pk): output $(C := g^r, K := g^{rx})$ where $r \stackrel{\$}{\leftarrow} \mathbb{Z}_p$

Dec(sk, C): output $C^x = g^{rx} = K$

Side-Channel Attacks

[Figure: the adversary, given $pk$, sends $C$ to the device holding $sk$ and receives $C^x$.]

Can e.g. measure the time it takes to compute $C^x$

Side-Channel Attack: Cryptanalytic attack exploiting information leaked from a physical implementation of a cryptosystem.

More side-channel attacks

power analysis [Eisenbarth et al. CRYPTO’08]: break wireless car keys

radiation, sound, heat, ...

probing attacks

cold-boot attacks [Halderman et al. USENIX’08]: break disc-encryption schemes

cache attacks [Ristenpart et al. CCS’09]: break cloud computing

Side-Channel Countermeasures

Usually ad hoc: implement countermeasures to prevent known attacks.

Timing: Make computation time independent of inputs.

Radiation: Shield the chip.

Make the physical device look more like a black box.

Leakage-Resilient Cryptography [DP’08]

Extend the black-box model to incorporate leakage.

Computation is split into steps.

Adversary has black-box access + gets a bounded amount of arbitrary, adaptively chosen leakage from every step. (“Only computation leaks” axiom [MR04].)

Leakage Resilient Cryptography Cont.

LR primitives must be stateful.

Key evolution:

LR stream-cipher [DP’08, P09, YSPY’10]

LR (tree-based) signatures [FKPR’10]

Evolving PKE sk difficult: must decrypt for fixed pk.

We secret-share the key (aka blinding). Frequently re-share.

Scheme is very efficient (≈ 2x basic ElGamal)

Security proofs are very limited (generic group).

Some Related Work

General Compilers [Goldwasser-Rothblum, Juma-Vahlis Crypto’10]: General but not practical (one encryption per gate / fully homomorphic encryption)

Non-continuous leakage (BRM/memory-attacks, auxiliary input), next talk.

Continuous memory attacks [DHLW, BKKV FOCS’10], [LLW eprint 2010/562].

ElGamal KEM with shared key

[Figure: the adversary sees $g^x$; the device holds $x \in \mathbb{Z}_p$. Query: $C, f(\cdot)$. Answer: $C^x, f(x)$.]

Not Leakage-Resilient (learn x bit by bit.)

Multiplicatively Secret-Share $x = x_0 \cdot x'_0$

[Figure: the key is held as two shares $x_0$ and $x'_0$. The first part computes $C^{x_0}$ and sets $x_1 := x_0 \cdot r$; it passes $C^{x_0}, r$ to the second part, which outputs $(C^{x_0})^{x'_0} = C^x$ and sets $x'_1 := x'_0 / r$.]

Re-Sharing: $x_{i+1} \leftarrow x_i \cdot r$, $x'_{i+1} \leftarrow x'_i / r$.

i’th query: adversary adaptively chooses $f_i(\cdot), f'_i(\cdot)$. Gets leakage $f_i(x_i, r)$, $f'_i(x'_i, r, C^{x_i})$.
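The shared-key decryption and re-sharing steps above, written out as an added Python example; it is not code from the talk or the paper. The toy group (P = 2039, p = 1019, g = 4), the 2-bit leakage window and all function names are assumptions of this sketch, and shares are drawn from Z_p^* so they can be inverted. It also contrasts "learn x bit by bit" on an unshared key with the same windowing strategy aimed at a re-shared key, which shows only that this one strategy stops working, not that the scheme is secure.

```python
import secrets

# Constructed toy group, far too small for real use: P = 2p + 1 is a safe prime,
# so g = 4 generates the subgroup of squares mod P, which has prime order p.
# Here p - 1 = 2 * 509, so p - 1 has a prime factor that is large relative to p.
P, p, g = 2039, 1019, 4
LAMBDA = 2  # leakage bits per invocation (the slides' 0.25 * log(p) is ~2.5 bits here)


def rand_unit():
    """Uniform element of Z_p^*. Assumption of this sketch: the slides sample
    from Z_p, but multiplicative shares must be invertible, so 0 is excluded."""
    return secrets.randbelow(p - 1) + 1


def keygen():
    """Return (pk, shares): pk = g^x, shares = [x_0, x'_0] with x = x_0 * x'_0 mod p."""
    x, x0 = rand_unit(), rand_unit()
    return pow(g, x, P), [x0, x * pow(x0, -1, p) % p]


def enc(pk):
    """Return (C, K) = (g^r, pk^r)."""
    r = rand_unit()
    return pow(g, r, P), pow(pk, r, P)


def dec(shares, C):
    """Decrypt in two steps and re-share the key in place.

    Step 1 touches only (x_i, r) and step 2 only (x'_i, r, C^{x_i}): the
    inputs of the leakage functions f_i and f'_i on the slide.
    """
    r = rand_unit()
    Y = pow(C, shares[0], P)                    # C^{x_i}
    shares[0] = shares[0] * r % p               # x_{i+1} = x_i * r
    K = pow(Y, shares[1], P)                    # (C^{x_i})^{x'_i} = C^x
    shares[1] = shares[1] * pow(r, -1, p) % p   # x'_{i+1} = x'_i / r
    return K


def window(value, i):
    """Leakage function with a LAMBDA-bit range: bits [i*LAMBDA, (i+1)*LAMBDA)."""
    return (value >> (i * LAMBDA)) & ((1 << LAMBDA) - 1)


def leak_static_key(x, queries):
    """Unshared key: every invocation uses the same x, so the i-th window
    leaked in the i-th invocation reassembles x bit by bit."""
    return sum(window(x, i) << (i * LAMBDA) for i in range(queries))


def leak_one_share(shares, C, queries):
    """Same windowing strategy aimed at share x_i of the re-sharing scheme;
    each window is taken from a different, re-randomised share value."""
    guess = 0
    for i in range(queries):
        guess |= window(shares[0], i) << (i * LAMBDA)
        dec(shares, C)                          # invocation i re-shares the key
    return guess


def hits_against_resharing(trials, queries=5):
    """Count trials in which the reassembled windows happen to equal x."""
    hits = 0
    for _ in range(trials):
        pk, shares = keygen()
        x = shares[0] * shares[1] % p           # ground truth, for scoring only
        C, _K = enc(pk)
        hits += leak_one_share(shares, C, queries) == x
    return hits


if __name__ == "__main__":
    pk, shares = keygen()
    C, K = enc(pk)
    print("decryption stays correct:", all(dec(shares, C) == K for _ in range(20)))
    print("static key recovered:", leak_static_key(777, 5) == 777)
    print("chance hits against re-shared key:", hits_against_resharing(500))
```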

Conjecture: ElGamal KEM (as on previous slide) is leakage-resilient if

the group order p is not smooth (i.e. p − 1 has a large prime factor).

Range of leakage functions is bounded to, say, λ = 0.25 · log(p) bits.

Attack exists if we use additive secret sharing, i.e. $x = x_i + x'_i \bmod p$ instead of $x = x_i \cdot x'_i \bmod p$.

Attack exists if p − 1 is smooth.

Attack exists if λ = 0.4 · log(p).¹

Scheme, if “lifted” to bilinear groups, is secure in the generic group model (next slides).

¹ Howgrave-Graham, Nguyen, Shparlinski. Hidden number problem with hidden multipliers, timed-release crypto, and noisy exponentiation. Math. Comput. 72(243): 1473-1485 (2003)
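A parameter check for the first condition of the conjecture, as an added Python example that is not part of the talk: it strips small prime factors from p − 1 and reports whether a large prime factor can be certified. The trial-division bound, the `min_ratio` threshold for "large" and all function names are assumptions of this sketch; the slides give no numeric threshold.

```python
def is_probable_prime(n):
    """Miller-Rabin with fixed bases: exact for n < 3.3e24, probabilistic above."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for q in bases:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        y = pow(a, d, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = y * y % n
            if y == n - 1:
                break
        else:
            return False          # a is a witness that n is composite
    return True


def strip_small_factors(p, bound=1 << 16):
    """Trial-divide p - 1 by every prime <= bound.

    Returns (small, cofactor): small maps prime -> exponent, and cofactor is
    what is left of p - 1 (1, a prime > bound, or a product of primes > bound).
    """
    if p < 3:
        raise ValueError("group order must be an odd prime")
    m, small, q = p - 1, {}, 2
    while q <= bound and q * q <= m:
        while m % q == 0:
            small[q] = small.get(q, 0) + 1
            m //= q
        q += 1 if q == 2 else 2
    if 1 < m <= bound:            # leftover is a prime below the bound
        small[m] = small.get(m, 0) + 1
        m = 1
    return small, m


def largest_certified_prime_factor(p, bound=1 << 16):
    """Largest prime factor of p - 1 this check can certify, or None when the
    cofactor is composite and would need a real factoring algorithm."""
    small, cofactor = strip_small_factors(p, bound)
    if cofactor == 1:
        return max(small)
    return cofactor if is_probable_prime(cofactor) else None


def order_is_not_smooth(p, min_ratio=0.5, bound=1 << 16):
    """True if p - 1 has a certified prime factor of at least
    min_ratio * bitlen(p) bits. Conservative: an uncertified (composite)
    cofactor counts as a failed check."""
    q = largest_certified_prime_factor(p, bound)
    return q is not None and q.bit_length() >= min_ratio * p.bit_length()


if __name__ == "__main__":
    # Constructed sample orders: 1019 (p - 1 = 2 * 509) passes, while
    # 65537 (p - 1 = 2^16) and 2^61 - 1 (p - 1 is 1321-smooth) fail.
    for order in (1019, 65537, 2**61 - 1):
        print(order, strip_small_factors(order), order_is_not_smooth(order))
```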

Bilinear Groups

1 $G$ is a (multiplicative) cyclic group of prime order $p$.

2 $g$ is a generator of $G$.

3 $e$ is a bilinear map $e : G \times G \to G_T$

  1 $\forall a, b \in \mathbb{Z},\ e(g^a, g^b) = e(g, g)^{ab}$

  2 $e(g, g) \stackrel{\text{def}}{=} g_T \neq 1$.

“lifted” ElGamal KEM

public parameter: $G$, $G_T$ of prime order $p$, $e : G \times G \to G_T$, $g = \langle G \rangle$, $g_T \stackrel{\text{def}}{=} e(g, g)$

KG: $sk = g^x$, $pk = g_T^x$ where $x \stackrel{\$}{\leftarrow} \mathbb{Z}_p$

Enc(pk): output $(C := g^r, K := g_T^{rx})$ where $r \stackrel{\$}{\leftarrow} \mathbb{Z}_p$

Dec(sk, C): output $e(C, g^x) = g_T^{rx} = K$

Like for standard ElGamal, can define shared-key version $g^x = g^{x-r} \circ g^r$.

In the bilinear generic group model the lifted, shared-key ElGamal KEM is Leakage-Resilient (CCA1). The leakage per invocation can be $< 0.49\,|\log(p)|$ bits.

ICITS 2011, Amsterdam, The Netherlands, May 21 - 24, 2011

5th International Conference on Information Theoretic Security

Submission deadline: Dec 10, 2010

Invited Speakers: Benny Applebaum, Alexander Barg, Imre Csiszar, Ivan Damgaard, Yuval Ishai, Renato Renner, Leonid Reyzin, Ronald de Wolf
