[{"month":"05","_id":"7966","volume":12107,"date_published":"2020-05-01T00:00:00Z","type":"conference","quality_controlled":"1","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Auerbach, Benedikt, et al. “Everybody’s a Target: Scalability in Public-Key Encryption.” *Advances in Cryptology – EUROCRYPT 2020*, vol. 12107, Springer Nature, 2020, pp. 475–506, doi:10.1007/978-3-030-45727-3_16.","ieee":"B. Auerbach, F. Giacon, and E. Kiltz, “Everybody’s a target: Scalability in public-key encryption,” in *Advances in Cryptology – EUROCRYPT 2020*, 2020, vol. 12107, pp. 475–506.","apa":"Auerbach, B., Giacon, F., & Kiltz, E. (2020). Everybody’s a target: Scalability in public-key encryption. In *Advances in Cryptology – EUROCRYPT 2020* (Vol. 12107, pp. 475–506). Springer Nature. https://doi.org/10.1007/978-3-030-45727-3_16","ama":"Auerbach B, Giacon F, Kiltz E. Everybody’s a target: Scalability in public-key encryption. In: *Advances in Cryptology – EUROCRYPT 2020*. Vol 12107. Springer Nature; 2020:475-506. doi:10.1007/978-3-030-45727-3_16","short":"B. Auerbach, F. Giacon, E. Kiltz, in:, Advances in Cryptology – EUROCRYPT 2020, Springer Nature, 2020, pp. 475–506.","chicago":"Auerbach, Benedikt, Federico Giacon, and Eike Kiltz. “Everybody’s a Target: Scalability in Public-Key Encryption.” In *Advances in Cryptology – EUROCRYPT 2020*, 12107:475–506. Springer Nature, 2020. https://doi.org/10.1007/978-3-030-45727-3_16.","ista":"Auerbach B, Giacon F, Kiltz E. 2020. Everybody’s a target: Scalability in public-key encryption. Advances in Cryptology – EUROCRYPT 2020. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 12107. 475–506."},"oa_version":"Submitted Version","oa":1,"publisher":"Springer Nature","publication":"Advances in Cryptology – EUROCRYPT 2020","language":[{"iso":"eng"}],"author":[{"full_name":"Auerbach, Benedikt","last_name":"Auerbach","orcid":"0000-0002-7553-6606","first_name":"Benedikt","id":"D33D2B18-E445-11E9-ABB7-15F4E5697425"},{"first_name":"Federico","last_name":"Giacon","full_name":"Giacon, Federico"},{"last_name":"Kiltz","full_name":"Kiltz, Eike","first_name":"Eike"}],"department":[{"_id":"KrPi"}],"main_file_link":[{"url":"https://eprint.iacr.org/2019/364","open_access":"1"}],"conference":{"start_date":"2020-05-11","end_date":"2020-05-15","name":"EUROCRYPT: Theory and Applications of Cryptographic Techniques"},"status":"public","date_created":"2020-06-15T07:13:37Z","alternative_title":["LNCS"],"title":"Everybody’s a target: Scalability in public-key encryption","article_processing_charge":"No","page":"475-506","date_updated":"2020-06-17T11:35:02Z","doi":"10.1007/978-3-030-45727-3_16","day":"01","intvolume":" 12107","publication_identifier":{"isbn":["9783030457266","9783030457273"],"issn":["0302-9743","1611-3349"]},"year":"2020","publication_status":"published","project":[{"grant_number":"682815","name":"Teaching Old Crypto New Tricks","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"abstract":[{"lang":"eng","text":"For 1≤m≤n, we consider a natural m-out-of-n multi-instance scenario for a public-key encryption (PKE) scheme. An adversary, given n independent instances of PKE, wins if he breaks at least m out of the n instances. In this work, we are interested in the scaling factor of PKE schemes, SF, which measures how well the difficulty of breaking m out of the n instances scales in m. That is, a scaling factor SF=ℓ indicates that breaking m out of n instances is at least ℓ times more difficult than breaking one single instance. A PKE scheme with small scaling factor hence provides an ideal target for mass surveillance. In fact, the Logjam attack (CCS 2015) implicitly exploited, among other things, an almost constant scaling factor of ElGamal over finite fields (with shared group parameters).\r\n\r\nFor Hashed ElGamal over elliptic curves, we use the generic group model to argue that the scaling factor depends on the scheme's granularity. In low granularity, meaning each public key contains its independent group parameter, the scheme has optimal scaling factor SF=m; In medium and high granularity, meaning all public keys share the same group parameter, the scheme still has a reasonable scaling factor SF=√m. Our findings underline that instantiating ElGamal over elliptic curves should be preferred to finite fields in a multi-instance scenario.\r\n\r\nAs our main technical contribution, we derive new generic-group lower bounds of Ω(√(mp)) on the difficulty of solving both the m-out-of-n Gap Discrete Logarithm and the m-out-of-n Gap Computational Diffie-Hellman problem over groups of prime order p, extending a recent result by Yun (EUROCRYPT 2015). We establish the lower bound by studying the hardness of a related computational problem which we call the search-by-hypersurface problem."}]}]