CEILIDH

Template:Short description Template:About

CEILIDH is a public key cryptosystem based on the discrete logarithm problem in algebraic torus. This idea was first introduced by Alice Silverberg and Karl Rubin in 2003; Silverberg named CEILIDH after her cat.^[1][2] The main advantage of the system is the reduced size of the keys for the same security over basic schemes.Template:Which

• Let ${\displaystyle q}$ be a prime power.
• An integer ${\displaystyle n}$ is chosen such that :
  • The torus ${\displaystyle T_n}$ has an explicit rational parametrization.
  • ${\displaystyle {\mathrm{\Phi }}_n(q)}$ is divisible by a big prime ${\displaystyle l}$ where ${\displaystyle {\mathrm{\Phi }}_n}$ is the ${\displaystyle n^{th}}$ Cyclotomic polynomial.
• Let ${\displaystyle m=\varphi (n)}$ where ${\displaystyle \varphi }$ is the Euler function.
• Let ${\displaystyle \rho :T_n({𝔽}_q)\to {{𝔽}_q}^m}$ a birational map and its inverse ${\displaystyle \psi }$.
• Choose ${\displaystyle \alpha \in T_n}$ of order ${\displaystyle l}$ and let ${\displaystyle g=\rho (\alpha )}$.

This Scheme is based on the Diffie-Hellman key agreement.

• Alice chooses a random number ${\displaystyle a(\mathrm{mod}{\mathrm{\Phi }}_n(q))}$.
• She computes ${\displaystyle P_A=\rho (\psi (g{)}^a)\in {𝔽}_q^m}$ and sends it to Bob.
• Bob chooses a random number ${\displaystyle b(\mathrm{mod}{\mathrm{\Phi }}_n(q))}$.
• He computes ${\displaystyle P_B=\rho (\psi (g{)}^b)\in {𝔽}_q^m}$ and sends it to Alice.
• Alice computes ${\displaystyle \rho (\psi (P_B){)}^a)\in {𝔽}_q^m}$
• Bob computes ${\displaystyle \rho (\psi (P_A){)}^b)\in {𝔽}_q^m}$

${\displaystyle \psi \circ \rho }$ is the identity, thus we have : ${\displaystyle \rho (\psi (P_B){)}^a)=\rho (\psi (P_A){)}^b)=\rho (\psi (g{)}^{ab})}$ which is the shared secret of Alice and Bob.

This scheme is based on the ElGamal encryption.

• Key Generation
  • Alice chooses a random number ${\displaystyle a(\mathrm{mod}{\mathrm{\Phi }}_n(q))}$ as her private key.
  • The resulting public key is ${\displaystyle P_A=\rho (\psi (g{)}^a)\in {𝔽}_q^m}$.
• Encryption
  • The message ${\displaystyle M}$ is an element of ${\displaystyle {𝔽}_q^m}$.
  • Bob chooses a random integer ${\displaystyle k}$ in the range ${\displaystyle 1\le k\le l-1}$.
  • Bob computes ${\displaystyle \gamma =\rho (\psi (g{)}^k)\in {𝔽}_q^m}$ and ${\displaystyle \delta =\rho (\psi (M)\psi (P_A{)}^k)\in {𝔽}_q^m}$.
  • Bob sends the ciphertext ${\displaystyle (\gamma ,\delta )}$ to Alice.
• Decryption
  • Alice computes ${\displaystyle M=\rho (\psi (\delta )\psi (\gamma {)}^{-a})}$.

The CEILIDH scheme is based on the ElGamal scheme and thus has similar security properties.

If the computational Diffie-Hellman assumption holds the underlying cyclic group ${\displaystyle G}$, then the encryption function is one-way.^[3] If the decisional Diffie-Hellman assumption (DDH) holds in ${\displaystyle G}$, then CEILIDH achieves semantic security.^[3] Semantic security is not implied by the computational Diffie-Hellman assumption alone.^[4] See decisional Diffie-Hellman assumption for a discussion of groups where the assumption is believed to hold.

CEILIDH encryption is unconditionally malleable, and therefore is not secure under chosen ciphertext attack. For example, given an encryption ${\displaystyle (c_1,c_2)}$ of some (possibly unknown) message ${\displaystyle m}$, one can easily construct a valid encryption ${\displaystyle (c_1,2c_2)}$ of the message ${\displaystyle 2m}$.

• Template:Cite book

• Torus-Based Cryptography: the paper introducing the concept (in PDF from Silverberg's university web page).

Template:Cryptography navbox