On the Security of a Variant of ElGamal Scheme

Fang-Yu Rao

Abstract—Recently, based on the Paillier cryptosystem [1], Yi et al. [2] proposed a distributed ElGamal cryptosystem which allows for both a much simpler distributed key generation procedure and distributed decryption of messages from a large plaintext domain. In this paper, we analyze the security of their proposed variant of the ElGamal encryption scheme and demonstrate that their construction is not secure as claimed.

Index Terms—ElGamal cryptosystem, distributed

1 INTRODUCTION

NOWADAYS, huge amounts of personal data are generated and collected everywhere due to the rapid advancement of technologies. The use of machine learning techniques makes it possible to extract useful knowledge from these data. However, because of their sensitivity, it is critical that such data be strongly protected by using encryption not only for the data at rest but also when performing analytics on the data. Recent cryptosystems with homomorphic properties have made it possible to perform computations over encrypted data. Two very well-known public-key cryptosystems with homomorphic properties are the ElGamal [3] and Paillier's cryptosystems [1]. Both are considered partially homomorphic cryptosystems since, given any two ciphertexts, they support the generation of a ciphertext associated with either the addition or the multiplication of the two underlying plaintexts, but not both. Hence, to enable practical privacy-preserving analyses of the data encrypted by a public-key scheme, current solutions usually involve the distribution of the private key into multiple shares among the participating parties so as to guarantee that only the designated results of analysis are revealed. For example, Hazay et al. [4] propose comparatively more efficient protocols for distributed key generation and distributed decryption for the Paillier's cryptosystem than previous approaches. They have rigorously proved the security of their protocols using simulation-based proofs based on appropriate assumptions. Their approach for distributed key generation is fairly complex, and the cost of distributed decryption is still at least three times higher than that of centralized decryption, in that the shares of the private key have to be long enough to properly hide the private key from those participants. The ElGamal cryptosystem, on the other hand, allows for much easier distributed key generation as well as more efficient distributed decryption. However, it is well known that the ElGamal cryptosystem cannot support the addition on ciphertexts if the underlying plaintexts are from a larger domain, which in many applications is considered an important building block. In this regard, Yi et al. [2] proposed a variant of the ElGamal encryption scheme supporting efficient distributed key generation and distributed decryption. Their construction, based on the underlying groups specified in the Paillier's cryptosystem, although being more efficient than the construction by Hazay et al. [4], is not secure as claimed. In this paper, we analyze their proposed variant of the ElGamal encryption scheme and show a feasible attack allowing an attacker to derive the private key given the prime order of the underlying group.

The rest of the paper is organized as follows. Background knowledge on the ElGamal and Paillier's cryptosystems is introduced in Section 2. In Section 3 we review the construction of the variant of ElGamal cryptosystem proposed by Yi et al., which is followed by our proposed attack in Section 4. Conclusions are then drawn in Section 5.

2 PRELIMINARIES

In this section, we briefly introduce the ElGamal cryptosystem and the Paillier cryptosystem.

2.1 ElGamal Public-Key Cryptosystem

The ElGamal encryption scheme [3] is a public-key cryptosystem with homomorphic properties. It is composed of three algorithms for key generation, encryption, and decryption, respectively. We describe how each algorithm works below in more detail.

2.1.1 Key Generation

The key generation algorithm works as follows.

• A cyclic group $G$ of large prime order $q$ with generator $g$ is generated.
• A random number $x$ in $\{1, \ldots, q-1\}$ is selected and $y$ is computed as
  $$y = g^x. \quad (1)$$

The public key $pk$ is then $(G, q, g, y)$, and the private key $sk$ is $x$.

Fang-Yu Rao is with the Department of Computer Science, West Lafayette, Indiana, IN, 47907. E-mail: [email protected]
Manuscript received May 1, 2017; revised August 26, 2017.

JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2015

2.1.2 Encryption

To encrypt a message $m$ in $G$,

• A random number $r \in \{1, \ldots, q-1\}$ is selected.
• The ciphertext $c = (A, B)$ is computed as
  $$A = g^r, \quad (2)$$
  $$B = m \cdot y^r. \quad (3)$$

2.1.3 Decryption

Given a ciphertext $c$ in $G$ encrypted by $pk = (G, q, g, y)$, the plaintext could be recovered by
$$m = B / A^x. \quad (4)$$
This is because
$$B / A^x = m \cdot y^r / (g^r)^x = m \cdot (g^x)^r / (g^r)^x = m.$$

2.1.4 Homomorphic Properties

The ElGamal encryption scheme enjoys multiplicative homomorphic properties. More precisely, given two ciphertexts $(A_1, B_1) = (g^{r_1}, m_1 y^{r_1})$ and $(A_2, B_2) = (g^{r_2}, m_2 y^{r_2})$, where $r_1, r_2$ are chosen at random from $\{1, \ldots, q-1\}$ and $m_1, m_2 \in G$, we have
$$(A_1 A_2, B_1 B_2) = (g^{r_1} g^{r_2}, (m_1 y^{r_1})(m_2 y^{r_2})) = (g^{r_1 + r_2}, (m_1 m_2) y^{r_1 + r_2}),$$
which corresponds to an encryption of $m_1 m_2$. We note that if the plaintext space is not large, then messages $m_1$ and $m_2$ could instead be encoded as $g^{m_1}$ and $g^{m_2}$, respectively, and in this way $(A_1 A_2, B_1 B_2)$ could also be considered as a ciphertext of $m_1 + m_2 \pmod q$ encoded by $g^{m_1 + m_2}$. However, the decoding of a large message $m$ from $g^m \in G$ would be difficult as long as the discrete logarithm problem is hard in $G$.

2.2 Paillier Public-Key Cryptosystem

The Paillier cryptosystem [1] is another public-key cryptosystem with homomorphic properties. It consists of three algorithms for key generation, encryption, and decryption, respectively. In the following, we describe how each algorithm works in more detail.

2.2.1 Key Generation

The key generation algorithm works as follows.

• Two large prime numbers $p$ and $q$ are randomly chosen such that $\gcd(pq, (p-1)(q-1)) = 1$.
• $N$ and $\lambda$ are computed as $N = pq$ and $\lambda = \mathrm{lcm}(p-1, q-1)$, where $\mathrm{lcm}$ denotes the least common multiple of its two given inputs.
• A random integer $g$ in $\mathbb{Z}^*_{N^2}$ of order divisible by $N$ is chosen. The property of divisibility could be ensured by checking the existence of the following multiplicative inverse modulo $N$:
  $$\mu = \big(L(g^\lambda \bmod N^2)\big)^{-1} \pmod N,$$
  where
  $$L(u) = \frac{u - 1}{N}.$$
  Notice that the division in the computation of $L$ takes place in $\mathbb{Z}$.

The public key $pk$ is then $(N, g)$, and the private key $sk$ is $(\lambda, \mu)$. A simpler variant of the above key generation would be to set
$$g = 1 + N, \quad \mu = \lambda^{-1} \pmod N,$$
where $N = pq$ and $\lambda = \mathrm{lcm}(p-1, q-1)$.

2.2.2 Encryption

To encrypt a message $m$ in $\mathbb{Z}_N$,

• A random number $r$ in $\mathbb{Z}^*_N$ is chosen.
• The ciphertext $c$ is computed as
  $$c = E(m, pk) = g^m \cdot r^N \pmod{N^2}. \quad (5)$$

2.2.3 Decryption

Given a ciphertext $c$ in $\mathbb{Z}^*_{N^2}$ encrypted by $pk = (N, g)$, the plaintext could be recovered by
$$m = D(c, sk) = L(c^\lambda \bmod N^2) \cdot \mu \pmod N. \quad (6)$$

2.2.4 Homomorphic Properties

The cryptosystem is homomorphic in that an encryption of $m_1 + m_2$ can be calculated given encryptions of $m_1$ and $m_2$. Specifically, given two ciphertexts $c_1$ and $c_2$,
$$c_1 = E(m_1, pk) = g^{m_1} r_1^N \pmod{N^2},$$
$$c_2 = E(m_2, pk) = g^{m_2} r_2^N \pmod{N^2},$$
where $r_1, r_2$ are randomly chosen from $\mathbb{Z}^*_N$, we have
$$D(E(m_1, pk) \cdot E(m_2, pk) \bmod N^2, sk) = m_1 + m_2 \pmod N.$$
Furthermore, an encryption of $m_1 k$ can be derived by raising an encryption of $m_1$ to the power of $k$ in the clear. To be more precise,
$$D(E(m_1, pk)^k \bmod N^2, sk) = m_1 k \pmod N.$$

2.2.5 Other Properties

We note that the encryption function $E(m, pk) = (1 + N)^m r^N \pmod{N^2}$ can also be seen as a mapping from $\mathbb{Z}_N \times \mathbb{Z}^*_N$ to $\mathbb{Z}^*_{N^2}$, where $\mathbb{Z}_N$ corresponds to the plaintext space, which is the exponent part of the term $(1 + N)$, and $\mathbb{Z}^*_N$ is the set from which the random number $r$ is selected to produce the random mask $r^N \pmod{N^2}$. The ciphertext space for the Paillier encryption scheme is $\mathbb{Z}^*_{N^2}$, which consists of $N \cdot \phi(N) = pq(p-1)(q-1)$ ciphertexts. Each plaintext message in $\mathbb{Z}_N$ has exactly $|\mathbb{Z}^*_N| = (p-1)(q-1)$ corresponding ciphertexts, and thus in total we have $pq(p-1)(q-1)$ ciphertexts in the ciphertext space $\mathbb{Z}^*_{N^2}$. In fact, there is a one-to-one correspondence (bijection) between the elements in $\mathbb{Z}_N \times \mathbb{Z}^*_N$ and the elements in $\mathbb{Z}^*_{N^2}$ [1], [5]. Given a randomly chosen element $a \in \mathbb{Z}^*_{N^2}$, there must exist a message $\ell$ and a random number $r$ such that $E(\ell, pk) = a$. To be more precise, $a$ can be written in the form $a = (1 + N)^\ell r^N \bmod N^2$.

Another property of the elements in $\mathbb{Z}^*_{N^2}$ is that given any element $w \in \mathbb{Z}^*_{N^2}$, $w^{N\phi(N)} = w^{pq(p-1)(q-1)} = 1 \pmod{N^2}$. This is due to Carmichael's theorem, which says that for any $w \in \mathbb{Z}^*_{N^2}$, $w^{N\lambda} = 1 \pmod{N^2}$ [1], where $\lambda = \mathrm{lcm}(p-1, q-1)$.

3 A VARIANT OF ELGAMAL ENCRYPTION SCHEME

Based on the Paillier's cryptosystem, Yi et al. [2] have proposed a distributed ElGamal cryptosystem where the secret key $sk$ is shared among 4 parties. A ciphertext $(A, B)$ encrypted under the public key $pk$ can be recovered if those 4 parties collaboratively decrypt it using their respective secret keys. We describe how their algorithms work in what follows.

3.1 Key Generation

Let $N = pq$ be the RSA modulus used as in the Paillier's cryptosystem. Unlike in the Paillier's cryptosystem, here $p$ and $q$ are publicly known to each participating party. Their key generation algorithm works as follows.

• A generator $g$ is chosen by those participating parties as
  $$g = a^{p(p-1)(q-1)} \pmod{N^2}, \quad (7)$$
  where $a \neq 1$ is a random integer in $\mathbb{Z}^*_{N^2}$.
• Another generator $g_1$ is computed as
  $$g_1 = (1 + N)^p \pmod{N^2}. \quad (8)$$

The public key $pk$ is computed as
$$pk = \prod_{i=1}^{4} pk_i \pmod{N^2}, \quad (9)$$
where $pk_i = g^{sk_i} \pmod{N^2}$, and $sk_i$ is the private key chosen by the $i$-th participating party, which is not known to other parties. It can be seen from above that $pk = g^{sk} \pmod{N^2}$, where $sk = \sum_{i=1}^{4} sk_i \pmod q$.

3.2 Encryption

To encrypt a message $m \in \mathbb{Z}_q$,

• A random number $r \in \{1, \ldots, q-1\}$ is selected.
• The ciphertext $(A, B)$ is computed as
  $$A = g^r \pmod{N^2}, \quad (10)$$
  $$B = g_1^m \, pk^r \pmod{N^2}. \quad (11)$$

where $sk = \sum_{i=1}^{4} sk_i \pmod q$, that is, the sum of the private key shares of those 4 participating parties.

• Recovery of the message $m$ by
  $$m = \frac{L(g_1^m \bmod N^2)}{p} \quad (15)$$
  $$= \frac{(1 + N)^{pm} \bmod N^2 - 1}{Np}. \quad (16)$$

4 AN ATTACK ON THE VARIANT OF ELGAMAL ENCRYPTION SCHEME

In this section, we demonstrate that the above construction by Yi et al. [2] is not secure. To be more specific, we show that knowing the factorization of $N$, i.e., $p$ and $q$, enables one to find out the secret key $sk$ without the collaboration of all participating parties. Recall that in the key generation algorithm described above, to select a random generator $g$, a random element $a \in \mathbb{Z}^*_{N^2}$ is chosen, and thus $a = (1 + N)^\ell r^N \pmod{N^2}$ for some $\ell \in \mathbb{Z}_N$ and $r \in \mathbb{Z}^*_N$. The generator $g$ is then computed as
$$g = a^{p(p-1)(q-1)} \pmod{N^2} \quad (17)$$
$$= [(1 + N)^\ell r^N]^{p(p-1)(q-1)} \pmod{N^2} \quad (18)$$
$$= [(1 + N)^\ell]^{p(p-1)(q-1)} \cdot [r^N]^{p(p-1)(q-1)} \pmod{N^2} \quad (19)$$
$$= (1 + N)^{\ell(p-1)(q-1)p} \cdot [r^{N(p-1)(q-1)}]^p \pmod{N^2} \quad (20)$$
$$= (1 + N)^{\ell(p-1)(q-1)p} \cdot 1 \pmod{N^2}. \quad (21)$$
Our main observation is that if we raise $a$ to the power of $p(p-1)(q-1)$ modulo $N^2$, the random mask $r^N$ previously used to guarantee the indistinguishability of the ciphertext would be canceled out, which leaves the plaintext message unprotected. More precisely, the generator $g$ above could be seen as an (unprotected) ciphertext of $\ell(p-1)(q-1)p$ modulo $N$, which could be represented as $\ell' p = \ell(p-1)(q-1)p \pmod N$. Thus, it is not hard to see that
$$pk = g^{\sum_{i=1}^{4} sk_i} \pmod{N^2} \quad (22)$$
$$= g^{sk} \pmod{N^2} \quad (23)$$
$$= [(1 + N)^{\ell' p}]^{sk} \pmod{N^2} \quad (24)$$
$$= 1 + N(\ell' p)\,sk \pmod{N^2}. \quad (25)$$
So $g^{sk}$ could be written as $1 + N(\ell' p)\,sk - hN^2$ for some quotient $h$ such that $1 \le g^{sk} = 1 + N(\ell' p)\,sk - hN^2$

The first congruence relation above always holds no matter what $sk$ is, since $(\ell' p)$ is a multiple of $p$. However, the second congruence relation allows us to solve $sk$ modulo $q$ since $p$ and $q$ are relatively prime and $\ell' p$
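The key recovery described in this section, as an added worked example that is not part of the paper: the key generation and encryption of Section 3 are re-implemented with small constructed primes, the generator's exponent is read off as $L(g)$ since the mask $r^N$ is cancelled, and $sk \bmod q$ is then $L(pk) \cdot L(g)^{-1} \bmod q$. The helper names are the example's own.

```python
# Added example (not the paper's code): toy-scale demonstration of the key
# recovery in Section 4; the primes are tiny, constructed values for the demo.
import random
from math import gcd

def L(u, N):
    """Paillier's L function, (u - 1) / N as an exact integer division."""
    return (u - 1) // N

def keygen(p, q, num_parties=4, rng=random):
    """Key generation of the variant reviewed in Section 3, Eqs. (7)-(9)."""
    N = p * q
    N2 = N * N
    assert gcd(N, (p - 1) * (q - 1)) == 1          # Paillier requirement
    while True:
        a = rng.randrange(2, N2)
        g = pow(a, p * (p - 1) * (q - 1), N2)      # Eq. (7)
        if gcd(a, N2) == 1 and g != 1:             # g spans the order-q subgroup
            break
    g1 = pow(1 + N, p, N2)                         # Eq. (8)
    shares = [rng.randrange(1, q) for _ in range(num_parties)]
    pk = 1
    for s in shares:                               # Eq. (9): pk = prod g^{sk_i}
        pk = pk * pow(g, s, N2) % N2
    return (N, g, g1, pk), sum(shares) % q

def encrypt(pub, q, m, rng=random):
    """Eqs. (10)-(11): (A, B) = (g^r, g1^m * pk^r) mod N^2."""
    N, g, g1, pk = pub
    r = rng.randrange(1, q)
    return pow(g, r, N * N), pow(g1, m, N * N) * pow(pk, r, N * N) % (N * N)

def recover_sk(pub, p, q):
    """Section 4: the exponent p(p-1)(q-1) cancels the mask r^N, so
    g = (1+N)^e mod N^2 with e = L(g), hence pk = g^sk = 1 + N*e*sk mod N^2.
    e is a multiple of p and nonzero mod q, so sk = L(pk) * e^-1 (mod q)."""
    N, g, _, pk = pub
    e = L(g, N) % q
    return L(pk, N) * pow(e, -1, q) % q

def decrypt_with(pub, p, sk, ct):
    """Decryption by a single party holding the recovered sk:
    B / A^sk = g1^m = (1+N)^{pm}, and m = L(g1^m) / p as in Eqs. (15)-(16)."""
    N, _, _, _ = pub
    A, B = ct
    g1m = B * pow(pow(A, sk, N * N), -1, N * N) % (N * N)
    return L(g1m, N) // p
```

With p and q public, as the scheme requires, `recover_sk` needs only the published `g` and `pk`, so no share holder has to participate.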

5 CONCLUSION

In this paper, a feasible attack against a variant of the ElGamal encryption scheme recently proposed [2] has been shown. Any adversary having access to the prime order of the underlying group in the ElGamal encryption scheme would be able to mount such an attack, which results in the total exposure of the secret key in the distributed cryptosystem.

ACKNOWLEDGMENTS

The work reported in this paper has been partially supported by the National Science Foundation under grant CNS-1111512.

REFERENCES

[1] P. Paillier, "Public-key cryptosystems based on composite degree residuosity classes," in EUROCRYPT, 1999, pp. 223–238.
[2] X. Yi, A. Bouguettaya, D. Georgakopoulos, A. Song, and J. Willemson, "Privacy protection for wireless medical sensor data," IEEE Trans. Dependable Sec. Comput., vol. 13, no. 3, pp. 369–380, 2016. [Online]. Available: http://dx.doi.org/10.1109/TDSC.2015.2406699
[3] T. E. Gamal, "A public key cryptosystem and a signature scheme based on discrete logarithms," IEEE Trans. Information Theory, vol. 31, no. 4, pp. 469–472, 1985. [Online]. Available: http://dx.doi.org/10.1109/TIT.1985.1057074