Linear Generalized Elgamal Encryption Scheme

Linear Generalized ElGamal Encryption Scheme

Pascal Lafourcade1 a,Leo´ Robert1 b and Demba Sow2 c 1Universite´ Clermont Auvergne, LIMOS CNRS (UMR 6158), Campus des Cezeaux,´ Aubiere,` France 2LACGAA, Universite´ Cheikh Anta Diop de Dakar, Senegal

Keywords: Cryptography, Partial Homomorphic Encryption, Linear Assumption, ElGamal Encryption Scheme.

Abstract: ElGamal public key encryption scheme has been designed in the 80’s. It is one of the ﬁrst partial homomorphic encryption and one of the ﬁrst IND-CPA probabilistic public key encryption scheme. A linear version has been recently proposed by Boneh et al. In this paper, we present a linear encryption based on a generalized version of ElGamal encryption scheme. We prove that our scheme is IND-CPA secure under linear assumption. We design a generalized ElGamal scheme from the generalized linear. We also run an evaluation of performances of our scheme. We show that the decryption algorithm is slightly faster than the existing versions.

1 INTRODUCTION sional Linear Assumption (DLA) and a variation of ElGamal encryption scheme. Our aim is to improve In 2009 in his thesis (Gentry, 2009), G. Grentry pro- this linear version of ElGamal encryption scheme us- posed the first fully homomorphic encryption scheme. ing the same approach proposed in (Sow and Sow, It was a revolution and it solves an open problem 2011). already stated by Rivest Shamir and Adelman when they invented RSA in (Rivest et al., 1978). Many ad- Contributions. We propose the following results: vances have been done and nowadays we have some • efficient implementations like for instance SEAL de- Most of today’s public key cryptosystems are re- veloped by Microsoft (SEAL, 2019). However for sistant to various types of attacks and are effec- some applications like the inversion of a large ma- tive. Their main role is the protection of commu- trix or multiplications of large matrices fully homo- nications so they guarantee the security of the data morphic encryption schemes can be very slow or pro- exchanged or stored. Thus, it will always be inter- duce large ciphertext or even be inexact. It is why esting to find a new encryption scheme or to im- all partial homomorphic encryptions like RSA (Rivest prove a known one. It is in this context that we et al., 1978), GM (Goldwasser and Micali, 1982), propose a linear Generalized ElGamal encryption ElGamal (Elgamal, 1985), Benaloh (Benaloh, 1999; scheme. The modifications are about the key gen- Fousse et al., 2011), Okamoto-Uchiyama (Okamoto eration which lead to a different encryption and and Uchiyama, 1998), Naccache-Stern (Naccache decryption algorithms. Like linear ElGamal en- and Stern, 1998), Paillier (Paillier, 1999) or Gal- cryption, the linear Generalized ElGamal encryp- braith (Galbraith, 2002), are still widely used. They tion scheme is IND-CPA secure under (DLA). can be used to solve such problems in reasonable • We also propose the ElGamal and the Generalized among of time like in (Ciucanu et al., 2019). ElGamal schemes from the generalized linear. Many cryptosystems rely on the Diffie-Hellman • We implement the algorithms and compare their decision problem (DDH) (Boneh, 1998; Joux and performances with the original algorithms. Our Guyen, 2006) assumption, notably the ElGamal en- performance evaluations show that the decryption cryption scheme and the Cramer-Shoup encryption algorithm is faster. We also demonstrate that our scheme (Cramer and Shoup, 1998). In (D. Boneh and key generation algorithm is slower, but this is not Shacham, 2004b), Boneh et al. introduced the Deci- a problem since this operation is usually done a https://orcid.org/0000-0002-4459-511X only once. b https://orcid.org/0000-0002-9638-3143 c https://orcid.org/0000-0002-1917-2051

372

Lafourcade, P., Robert, L. and Sow, D. Linear Generalized ElGamal Encryption Scheme. DOI: 10.5220/0009828703720379 In Proceedings of the 17th International Joint Conference on e-Business and Telecommunications (ICETE 2020) - SECRYPT, pages 372-379 ISBN: 978-989-758-446-6 Copyright c 2020 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved

Linear Generalized ElGamal Encryption Scheme

Related Works. In 1985, Taher ElGamal (Elgamal, 2 ElGamal AND GENERALIZED 1985) proposed an encryption and signature scheme ElGamal ENCRYPTION called ElGamal scheme. In (Hanoymak, 2013), Turgut Hanoymak proves SCHEMES the security of ElGamal encryption scheme which is based on the hardness to solve the Computa- We recall the ElGamal encryption scheme (Elga- tional Diffie-Hellman (CDH) and Decisional Diffie- mal, 1985) and the Generalized ElGamal encryption Hellman (DDH) problems. scheme (Sow and Sow, 2011). In (D. Boneh and Shacham, 2004b), Boneh et al. proposed a linear encryption scheme based on the El- 2.1 The ElGamal Encryption Scheme Gamal encryption scheme. The linear ElGamal encryption scheme is IND-CPA secure under the (DLA). Given a computational group scheme G, the ElGamal In (Sow and Sow, 2011), a modified variant of public-key encryption is defined as follow (Elgamal, the ElGamal scheme is presented, and it is called 1985): Generalized ElGamal. As ElGamal’s scheme, the Generalized ElGamal scheme is based on Decisional Key Generation Algorithm. For the creation of a Diffie-Hellman Problem (DDH). In the Generalized public/secret key, Bob should do the following: ElGamal scheme, the decryption key size is smaller 1. Select a finite cyclic group G of order d than those of ElGamal scheme. Hence the General- with generator g. ized ElGamal scheme is more efficient than ElGamal 2. Select a random integer a such that 2 < a < d. a scheme; since the decryption process is a bit faster. 3. Compute h = g in G. The encryption mechanism has the same efficiency 4. The public key is pk = (G,d,g,h) and the than ElGamal encryption mechanism. But, the key secret key is sk = a. generation algorithm is slower than the key generation algorithm of ElGamal scheme. However, this is Encryption Algorithm. To encrypt a message m not a problem since the key generation is done only for Bob, Alice should do the following: once. 1. Take pk = (G,d,g,h), the Bob’s public key; 2. Select a random integer r such that Outline of Paper. In Section 2, we present the orig- 1 < r < d = #G; r r inal ElGamal encryption scheme and the Generalized 3. Compute c1 = g and c2 = m · h in G; ElGamal encryption scheme. In Section 3, we present 4. The ciphertext is c = (c1,c2). the Linear assumption, the linear ElGamal encryption scheme and the ElGamal encryption scheme from Decryption Algorithm. To decrypt a ciphertext c, the generalized linear. In Section 4, we propose the Bob should do the following: linear Generalized ElGamal encryption scheme and 1. Take sk = a the secret key. the Generalized ElGamal encryption scheme from the c2 2. Compute m = a , we note that m ∈ G. generalized linear. In Section 5, we propose a com- (c1) 3. The plaintext is m. plexity analysis of our scheme. In Section 6.1, we present the curves showing the average time of the key generation, encryption and decryption algorithms Security Proof of ElGamal Encryption. We recall of the ElGamal encryption scheme and the General- some theorems, which show the security of ElGamal ized ElGamal encryption scheme. In Section 6.2, we encryption scheme under the CDH and DDH assump- k also present the curves showing the average time of tions. Let GP an algorithm which takes 1 and re- the key generation, encryption and decryption algo- turns the public key pk = (G,d,g,h) of the ElGamal rithms of the Linear ElGamal encryption scheme and encryption scheme. the Linear Generalized ElGamal encryption scheme. I One-wayness under the CDH Assumption. If Note that a full version with the security proofs is the CDH assumption holds with respect to GP , available on (Extended Version, ). then the ElGamal encryption scheme is one-way. Theorem 2.1. Let adversary A be a probabilistic polynomial-time algorithm against the ElGa- mal encryption scheme (Elgamal, 1985) in the OW-CPA sense. Then there is a probabilistic

373 SECRYPT 2020 - 17th International Conference on Security and Cryptography

polynomial-time algorithm B against GP solving 3. Transform the message m as an element of G and the CDH problem such that: compute c2 = λm in G. CDH OW−CPA The ciphertext is (c1,c2). AdvGP ,B (k) = AdvΠ,A (k). Decryption Algorithm. To decrypt a ciphertext of I Indistinguishability under the DDH Assump- tion. If the DDH assumption holds with respect the form (c1,c2) that is encrypted with the public to , then the ElGamal encryption scheme is key ((γ,δ),d,G) and knowing the associate secret key GP r indistinguishable under chosen-plaintext attacks, (r,G), we just need to compute c1c2. i.e., it is IND-CPA secure. Theorem 2.2. Let adversary A be a probabilis- Provable Security of the Generalized ElGamal En- tic polynomial-time against the ElGamal encryp- cryption Scheme. tion scheme in the IND-CPA sense. Then there I One-wayness under the CDH Assumption. is a probabilistic polynomial-time algorithm B Theorem 2.4. Under the CDH Assumption, the against GP solving the DDH problem such that: Generalized ElGamal encryption scheme is One- 1 Way secure under Chosen Plaintext Attack (OW- AdvDDH (k) = · AdvIND−CPA(k). GP ,B 2 Π,A CPA). That is, for a security parameter k, if there is an attacker A that inverse the Generalized El- I Semantic Security. In (J. Katz, 2008), Katz and Gamal encryption then we can build an algorithm al. prove the semantic security of the ElGamal B that solves CDH, it means that encryption scheme. AdvCDH (k) = AdvOW−CPA(k). Theorem 2.3. Under the DDH assumption, El- GP ,B Π,A Gamal encryption scheme is semantically secure. I Indistinguishability under the DDH Assump- tion. 2.2 Generalized ElGamal Encryption Theorem 2.5. Under the DDH Assumption, the Scheme Generalized ElGamal encryption scheme is indistinguishable under Chosen Plaintext Attacks, i.e., We give a key generation mechanism and a public key it is IND-CPA secure. So we have: encryption algorithm (Sow and Sow, 2011), which can be view as a slight modification of ElGamal’s DDH 1 IND−CPA AdvGP ,B (k) = · AdvΠ,A (k), schemes (Elgamal, 1985). 2 where A is an attacker of the Generalized ElGa- Key Generation Algorithm. To create a pair of mal encryption and k the security parameter. public and private key, we do the following: To justify the performance of Generalized ElGa- 1. Select a cyclic group G with sufficiently large or- mal encryption scheme described in (Sow and Sow, der d = #G such that G = hgi. 2011) with respect to ElGamal encryption scheme, 2. Select two random integers r and k sufficiently comparison curves in execution time of the key gen- large such that 2 < k < d and r of size half the eration, encryption and decryption algorithms are per- size of d with d = #G. Compute kd. formed (see Figure 1, Figure 2 and Figure 3). 3. Compute with euclidean division algorithm, the pair (s,t) such that kd = rs + t where t = kd mod s. 4. Compute γ = gs and δ = gt in G; Note that γ 6= 1 3 LINEAR ENCRYPTION and δ 6= 1. Then public key is ((γ,δ),G) and the private key is Boneh et al. (D. Boneh and Shacham, 2004b) in- (r,G). troduced a decisional assumption, called Linear, in- tended to take the place of DDH in groups - in partic- ular, bilinear groups (Joux and Nguyen, 2003) - where Encryption Algorithm. To encrypt a message with DDH is easy. For this setting, the Linear problem has the public key ((γ,δ),d,G), we do the following: desirable properties, as they have shown: it is hard if 1. Select a random integer 2 < α < d = #G such that DDH is hard, but, at least in generic groups (Shoup, α and #G are co-prime. 1997), it remains hard even if DDH is easy. Letting G 2. Compute c = γα and λ = δα in G, hence c 6= 1 1 1 be a cyclic multiplicative group of prime order p, and and λ 6= 1.

374 Linear Generalized ElGamal Encryption Scheme

letting g1,g2, and g3 be arbitrary generators of G, we Theorem 3.2. Under the Linear Assumption, ElGa- consider the following problem: mal Encryption Scheme is IND-CPA secure (D. Boneh a b c Linear Problem in G: Given g1,g2,g3,g1,g2, g3 ∈ G and Shacham, 2004b). as input, output yes if a+b = c and no otherwise. The advantage of an algorithm A in deciding the Linear 3.2 ElGamal from Generalized Linear linear problem in G is denoted by AdvA and it is equal to: We define three functions: the setup function, denoted a b a+b |Pr[A(g1,g2,g3,g1,g2,g3 ) = yes : LE.Gg(), the encryption function, denoted LE.Enc() R R and the decryption function, denoted LE.Dec(). g1,g2,g3 ← G,a,b ← Zp] a b We now describe how these functions works. −Pr[A(g1,g2,g3,g1,g2,η) = yes : R R λ $ g1,g2,g3,η ← G,a,b ← Zp]| LE.Gg(1 ) : Choose a random generator gn ← G with the probability taken over the uniform random $ 1/x1 and x1,x2,...,xn−1 ← Zp, and set: g1 ← gn , choice of the parameters to and over the coin tosses A g ← g1/x2 , ..., g ← g1/xn−1 . The public key of . We say that an algorithm (t,ε)-decides Linear 2 n n−1 n A A is pk = (g ,g ,...,g ) ∈ Gn; the secret key is in G if runs in time at most t, and Advlinear is at 1 2 n A A sk = (x ,x ,...,x ) ∈ n−1. least ε. 1 2 n−1 Zp LE.Enc(pk,M): To encrypt a message M ∈ G, parse Definition 3.1. We say that the (t,ε)-Decision Linear n pk = (g1,g2,...,gn) ∈ G , choose random ex- Assumption holds in G if no algorithm (t,ε)-decides $ the Decision Linear problem in G. ponents r1,r2,...,rn−1 ← Zp, and set: u1 ← r1 r2 r1+r2+...+rn−1 g1 , u2 ← g2 ,...un ← Mgn . the ci- The Linear problem is well defined in any group n where DDH is well defined. It is mainly used in phertext ct = (u1,u2,...,un) ∈ G . bilinear groups like in (Boneh and Franklin, 2003; LE.Dec(sk,ct): Parse the private key sk as (x1,x2, n−1 D. Boneh and Shacham, 2004a; Paterson, 2005). ...,xn−1) ∈ Zp and the ciphertext ct as (u1,u2, n n ...,un) ∈ G ) ∈ G and compute :

3.1 Linear ElGamal Encryption Scheme x1 x2 xn−1 M ← un/(u1 u2 ...un−1 ) Boneh et al proposed a linear encryption scheme based on the ElGamal encryption scheme. Given a computational group scheme G, the Linear ElGamal 4 LINEAR GENERALIZED encryption scheme is deﬁned as follows: ElGamal ENCRYPTION λ $ SCHEME LE.Gg(1 ): Choose a random generator g3 ← G and −1 −1 $ x1 x2 x1,x2 ← Zp, and set g1 ← g3 and g2 ← g3 . The We present the Linear Generalized ElGamal encryp- 3 public key is pk = (g1,g2,g3) ∈ G ; the secret key tion scheme, its security and the Generalized ElGamal 2 is sk = (x1,x2) ∈ Zp. encryption scheme from the generalized linear. LE.Enc(pk,M): To encrypt a message M ∈ G, parse 3 pk = (g1,g2,g3) ∈ G , choose random exponents 4.1 Algorithms $ r1 r2 r1,r2 ← Zp, and set: u1 ← g1 and u2 ← g2 and r1+r2 Given a computational group scheme G, the Lin- u3 ← Mg3 . The ciphertext ct = (u1,u2,u3) ∈ 3 ear Generalized ElGamal encryption scheme is com- G . posed of the following three functions: the setup func- LE.Dec(sk,ct): Parse the private key sk as (x1,x2) ∈ tion, denoted LGE.Gg(), the encryption function, de- 2 3 Zp and the ciphertext ct as (u1,u2,u3) ∈ G and noted LGE.Enc() and the decryption function, de- −x1 −x2 noted LGE.Dec(). compute M ← u3u u . 1 2 We now describe how these functions works. λ $ Correctness of Decryption Process. Since u1 = LGE.Gg(1 ): Choose a random generator g ← G r1 r2 r1+r2 g and u2 = g , u3 = Mg we have: $ $ 1 2 3 and k ← Zd, r ← Zd/2. x1 x2 r1+r2 r1 x1 r2 x2 2 kd u3/(u1 u2 ) = Mg3 /((g1 ) (g2 ) ) Compute (s,t) ∈ Zd such that s ← b r c and t ← r s t = (Mgr1+r2 )/(gr1 gr2 ) = M kd mod r and set g1 ← g , g2 ← g , and g3 ← g . 3 3 3 3 The public key is pk = (g1,g2,g3) ∈ G and the 2 secret key is sk = (r,s,t) ∈ Zd/2 × Zd.

375 SECRYPT 2020 - 17th International Conference on Security and Cryptography

LGE.Enc(pk,M): To encrypt a message M ∈ G, Table 1: Comparison of Linear ElGamal and Linear Gen- 3 parse pk = (g1,g2,g3) ∈ G , choose random ex- eralized ElGamal for each algorithm in terms of computa- $ tional cost. ponents α1,α2 ← Zd, and set Linear ElGamal Linear General- α1 α2 α1+α2 c1 ← g1 and c2 ← g2 and c3 ← Mg3 ; ized ElGamal 3 the ciphertext ct = (c1,c2,c3) ∈ G . Size Key secret key ∈ Zq, secret key ∈ Zd, q = o(G) d = o(G) LGE.Dec(sk,ct): Parse the private key sk as (r,s,t) ∈ Key Gen P = 2, M = 0, P = 3, M = 1, × 2 and the ciphertext ct as (c ,c ,c ) ∈ G3 Zd/2 Zd 1 2 3 nP = 3, nS = 2 nP = 3, nS = 3 and compute M ← cs cr c . 1 2 3 Encryption P = 3, M = 1 P = 3, M = 1 Before proving the security of our scheme in The- Decryption P = 2, M = 2, P = 2, M = 2, orem 4.1, we give its correctness. I = 2 I = 0

Correctness of Decryption Process. Since c1 = gα1 , c = gα2 and c = Mgα1+α2 , we have: 1 2 2 3 3 5 COMPLEXITY EVALUATION s r α1s α2r α1+α2 c1c2c3 = g1 g2 g3 M = Mgα1rsgα2srg(α1+α2)t We present a complexity comparison between the Linear ElGamal and the Linear Generalized ElGamal (rs+t)(α1+α2) = Mg schemes. We give in this section a theoretical com- = Mgkd(α1+α2) plexity where we study the number of computations = M needed in each algorithm (key generation, encryption and decryption). Let us set the following parameters: Theorem 4.1. The Linear Generalized ElGamal En- • P = power’s number (exponent), cryption Scheme is IND-CPA secure under the Deci- sional Linear Assumption (DLA). • M = multiplication’s number, • S = sum’s number, 4.2 Generalized ElGamal from • I = inverse’s number, Generalized Linear • nP = number of parameters of the public key, Given a computational group scheme G, the Gener- • nS = number of parameters of the private key. alized ElGamal encryption scheme from the general- To present the performance of the two encryp- ized linear is deﬁned as follows: tion schemes, we study the number of operations per- LGE.Gg(1λ): Choose a random generator g ←$ G formed (according to the parameters described) in the key generation, encryption and decryption processes. $ 2 and k,ri ← Zd × Zd/2, compute (si,ti) ∈ Zd such From the comparative Table 1, we can clearly see that s ← b kd c and t ← kd mod r , 1 ≤ i ≤ n and that Linear Generalized ElGamal encryption scheme i ri i i 3 n rk+1 is slower at generating keys but is faster for decryp- set for 0 ≤ k ≤ 3 − 1: g3k+1 ← g , g3k+2 ← s t g k+1 and g3k+3 ← g k+1 . The public key is pk = tion the exponent used in the decryption algorithm has n (g1,g2,g3,...,gn−2,gn−1,gn) ∈ G and the secret a size half of the order of the group. Moreover, we see 2 n that there is no inverse computed (even though this key is sk = (ri,si,ti) ∈ Zd/2 × Zd,1 ≤ i ≤ 3 . LGE.Enc(pk,M): . To encrypt a message M ∈ difference brings only a slight improvement). n G, parse pk = (g1,g2,g3,...,gn−2,gn−1,gn) ∈ G , $ choose random exponents α1,α2,...,αn−1 ← Zd, n α3k+1 6 PERFORMANCE and set 0 ≤ k ≤ 3 − 1 : c3k+1 ← g3k+1 , c3k+2 ← α3k+2 α3k+1+α3k+2 EVALUATIONS g3k+2 , c3k+3 ← Mg3k+3 . The ciphertext ct is (c ,c ,c ) ∈ G3. 3k+1 3k+2 3k+3 All our algorithms have been programmed with Sage- LGE.Dec(sk,ct): Parse the private key sk as (ri,si,ti) Math (The Sage Developers, 2020). The tests are per- 2 ∈ Zd/2 × Zd, 1 ≤ i ≤ n/3 and the ciphertext ct as formed with security parameters of size 32, 64, 128, n (c1,c2,...,cn) ∈ G and compute 512, 1024 bits. Some even go up to 2048 bits. We s n start by comparing ElGamal and Generalized ElGa- n sk+1 rk+1 M ← ∏c3k+1c3k+2c3k+3 . k=1

376 Linear Generalized ElGamal Encryption Scheme

Key Generation algorithm, 1000 trials Encryption algorithm, 1000 trials ·10−3 ·10−3 1.2 ElGamal ElGamal 1 Generalized ElGamal Generalized ElGamal 1 0.8

0.6

0.4 0.5 Time in seconds Time in seconds

0.2

0 0 25 26 27 28 29 25 26 27 28 29 Size of security parameter Size parameter Figure 1: Average time of key generation algorithm depend- Figure 2: Average time of encryption algorithm depending ing on the size of security parameter. on the size of security parameter. mal1 before comparing Linear ElGamal and Linear eralized ElGamal encryption is always faster that El- Generalized ElGamal. Gamal encryption. Indeed, we observe empirically that computations of γα and computations of δα for 6.1 ElGamal and Generalized ElGamal Generalized ElGamal have the same execution time than the term hr for the standard ElGamal. Yet, the We present the curves showing the execution time computations of the term gr is slower than the three of the key generation, encryption and decryption al- others. Thus, the overall execution time of encryption gorithms of the ElGamal encryption scheme and the algorithm for the Generalized scheme is less than the Generalized ElGamal encryption scheme. one for the standard ElGamal. The execution time of those two schemes is car- ried out under the same conditions in terms of gen- Decryption Algorithms. The curves given in Fig- eration of the values and sizes of the security param- ure 3 show the execution time of decryption algo- eters. Indeed, given a size of a security parameter, rithms of the ElGamal encryption scheme and Gen- there are 1000 trials where new parameters (such as eralized ElGamal encryption scheme. We can see that prime number and messages) are computed for each the Generalized ElGamal decryption is always signif- trial. icantly faster that ElGamal decryption. We give a detailed execution time for the key generation in Figure 1 and 4, the encryption algorithm in 6.2 Linear ElGamal and Linear Figure 2 and 5 and the decryption algorithm in Fig- Generalized ElGamal ure 3 and 6. We studied the performance of Linear Generalized El- Key Generation Algorithms. The curves of Fig- Gamal encryption scheme with respect to Linear El- ure 1 show the execution time of key generation al- Gamal encryption scheme. We present the execution gorithms for the ElGamal encryption scheme and for time evaluations of the key generation in Figure 4, en- Generalized ElGamal encryption scheme. We show cryption in Figure 5 and decryption in Figure 6. that the two algorithms are similar. When the key size increases then the Generalized ElGamal is a bit faster. Key Generation Algorithms. The curves given in Figure 4 show the execution time of key generation Encryption Algorithms. The curves of Figure 2 algorithms of the Linear ElGamal encryption scheme show the execution time of encryption algorithms of and Linear Generalized ElGamal encryption scheme. the ElGamal encryption scheme and Generalized El- We can see that our algorithm for key generation is Gamal encryption scheme. We observe that the Gen- clearly slower than the one proposed by Boneh et al. It 1Surprisingly this performance evaluation has not been is the price to pay in order to have a faster encryption done in (Sow and Sow, 2011). and decryption algorithms. It is not an issue because

377 SECRYPT 2020 - 17th International Conference on Security and Cryptography

Decryption algorithm, 1000 trials Encryption algorithm with 100 trials ·10−3 ·10−3 1 ElGamal Linear ElGamal Generalized ElGamal Linear Generalized ElGamal 0.8 2 0.6

0.4 1 Time in seconds Time in seconds 0.2

0 0 25 26 27 28 29 25 26 27 28 29 Size parameter Size of security parameter Figure 3: Average time of decryption algorithm depending Figure 5: Average time of encryption algorithm depending on the size of security parameter. on the size of security parameter.

Key Generation algorithm 100 trials Decryption algorithm, 100 trials ·10−3 ·10−3 Linear ElGamal Linear ElGamal 3 Linear Generalized ElGamal Linear Generalized ElGamal 2

1 Time in seconds Time in seconds 1

0 0 25 26 27 28 29 25 26 27 28 29 Size of security parameter Size of security parameter Figure 4: Average time of key generation algorithm depend- Figure 6: Average time of decryption algorithm depending ing on the size of security parameter. on the size of security parameter. the key generation is in general done only once while Generalized ElGamal encryption scheme. We clearly the encryption and decryption algorithms are more of- see that the decryption is faster using our scheme, ten used. which conﬁrms the complexity analysis of the previ- ous section. Encryption Algorithms. The curves of Figure 5 give the execution time of encryption algorithms of the Linear ElGamal encryption scheme and Linear 7 CONCLUSION Generalized ElGamal encryption scheme. Accord- ing to the complexity analysis the timings are similar We have proposed a faster Linear Generalized ElGa- since the number of exponentiations are similar. Em- mal encryption scheme based on the Generalized El- pirically, we observe that they are similar. Gamal encryption scheme. We prove that our linear scheme is IND-CPA secure under the Linear problem Decryption Algorithms. The curves of Figure 6 like the linear encryption scheme based on the ElGa- represent the execution time of decryption algorithms mal encryption scheme. It also has a faster encryption of the Linear ElGamal encryption scheme and Linear and decryption algorithms.

378 Linear Generalized ElGamal Encryption Scheme

In the future, we would like to see how our ap- Hanoymak, T. (2013). On provable security of crypto- proach can be applied to improved other schemes. graphic schemes. International Journal of Informa- tion Security Science, 2, No.2. J. Katz, Y. L. (2008). Introduction to modern cryptography. CRC PRESS. ACKNOWLEDGEMENT Joux, A. and Guyen, K. (2006). Separating decision diffe- hellman to diffe hellmann in cryptographie groups. This study was partially supported by the French Joux, A. and Nguyen, K. (Sept. 2003). Separating deci- ANR project ANR-18-CE39-0019 (MobiS5). sion diffie-hellman from computational diffie-hellman in cryptographic groups. J. Cryptology, 16(4):239–47. Naccache, D. and Stern, J. (1998). A new public key cryptosystem based on higher residues. In Proceedings of REFERENCES the 5th ACM Conference on Computer and Commu- nications Security, CCS ’98, page 59–66, New York, Benaloh, J. (1999). Dense probabilistic encryption. NY, USA. Association for Computing Machinery. Boneh, D. (1998). The decision diffie-hellman problem. Okamoto, T. and Uchiyama, S. (1998). A new public-key In In Proceedings of the Third Algorithmic Number cryptosystem as secure as factoring. In Nyberg, K., Theory Symposium, volume 1423, pages 48–63. editor, Advances in Cryptology — EUROCRYPT’98, Boneh, D. and Franklin, M. (2003). Identity-based en- pages 308–318, Berlin, Heidelberg. Springer Berlin cryption from the weil pairing. SIAM J. Computing, Heidelberg. 32(3):586–615. Paillier, P. (1999). Public-key cryptosystems based on com- Ciucanu, R., Giraud, M., Lafourcade, P., and Ye, L. (2019). posite degree residuosity classes. In Stern, J., editor, Secure strassen-winograd matrix multiplication with Advances in Cryptology — EUROCRYPT ’99, pages mapreduce. In Obaidat, M. S. and Samarati, P., 223–238, Berlin, Heidelberg. Springer Berlin Heidel- editors, Proceedings of the 16th International Joint berg. Conference on e-Business and Telecommunications, Paterson, K. (2005). Cryptography from pairings. Cam- ICETE 2019 - Volume 2: SECRYPT, 2019, pages 220– bridge University Press, 317 of London Mathematical 227. SciTePress. Society Lecture Notes:215–51. Cramer, R. and Shoup, V. (1998). A practical public key Rivest, R. L., Shamir, A., and Adleman, L. (1978). A cryptosystem provably secure against adaptive chosen method for obtaining digital signatures and public-key ciphertext attack. In Proc. of the 18th Annual Interna- cryptosystems. Commun. ACM, 21(2):120–126. tional Cryptology Conference on Advances in Cryp- SEAL (2019). Microsoft SEAL (release 3.4). https: tology, CRYPTO’98. //github.com/Microsoft/SEAL. Microsoft Research, D. Boneh, B. L. and Shacham, H. (Sept. 2004a). Short Redmond, WA. signatures from the weil pairing. J. Cryptology, Shoup, V. (May 1997). Lower bounds for discrete log- 17(4):297–319. arithms and related problems. In In W. Fumy, edi- D. Boneh, X. B. and Shacham, H. (Aug. 2004b). tor, Proceedings of Eurocrypt 1997, volume 1233 of Short group signatures. In In M. Franklin, edi- LNCS, pages 256–66. tor,Proceedings of Crypto 2004, volume 3152, pages Sow, D. and Sow, D. (2011). A new variant of el gamal’s en- 41–55. cryption and signatures schemes. Journal of Algebra, Elgamal, T. (1985). A public key cryptosystem and a sig- Number Theory and Applications, 20(1):21–39. nature scheme based on discrete logarithms. IEEE The Sage Developers (2020). SageMath, the Sage Transactions on Information Theory, 31(4):469–472. Mathematics Software System (Version 9.0). Extended Version. https://sancy.iut-clermont.uca.fr/ https://www.sagemath.org. ∼lafourcade/PAPERS/PDF/Secrypt-long2020.pdf. Fousse, L., Lafourcade, P., and Alnuaimi, M. (2011). Be- naloh’s Dense Probabilistic Encryption Revisited. In Progress in Cryptology - AFRICACRYPT 2011 - 4th Conference on the Theory and Application of Crypto- graphic Techniques in Africa, volume 6737 of Lecture Notes in Computer Science, pages 348–362. Springer. Galbraith, S. D. (2002). Elliptic curve paillier schemes. J. Cryptol., 15(2):129–138. Gentry, C. (2009). A Fully Homomorphic Encryption Scheme. PhD thesis, Stanford, CA, USA. Goldwasser, S. and Micali, S. (1982). Probabilistic encryption and how to play mental poker keeping secret all partial information. In Proceedings of the Fourteenth Annual ACM Symposium on Theory of Computing, STOC ’82.

379