Linear Generalized Elgamal Encryption Scheme Pascal Lafourcade, Léo Robert, Demba Sow

Linear Generalized ElGamal Encryption Scheme Pascal Lafourcade, Léo Robert, Demba Sow

To cite this version:

Pascal Lafourcade, Léo Robert, Demba Sow. Linear Generalized ElGamal Encryption Scheme. In- ternational Conference on Security and Cryptography (SECRYPT), Jul 2020, Paris, France. hal- 02559556

HAL Id: hal-02559556 https://hal.archives-ouvertes.fr/hal-02559556 Submitted on 30 Apr 2020

HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Linear Generalized ElGamal Encryption Scheme

Pascal Lafourcade1,Leo´ Robert1, and Demba Sow2

1LIMOS, Universite´ Clermont Auvergne, France, [email protected] , [email protected] 2LACGAA, Universite´ Cheikh Anta Diop de Dakar, Sen´ egal´ , [email protected]

Keywords: Cryptography, Partial homomorphic encryption, Linear Assumption, ElGamal encryption scheme.

Abstract: ElGamal public key encryption scheme has been designed in the 80’s. It is one of the ﬁrst partial homomorphic encryption and one of the ﬁrst IND-CPA probabilistic public key encryption scheme. A linear version has been recently proposed by Boneh et al. In this paper, we present a linear encryption based on a generalized version of ElGamal encryption scheme. We prove that our scheme is IND-CPA secure under linear assumption. We design a generalized ElGamal scheme from the generalized linear. We also run an evaluation of performances of our scheme. We show that the decryption algorithm is slightly faster than the existing versions.

1 Introduction Contributions. We propose the following results: • Most of today’s public key cryptosystems are re- In 2009 in his thesis (Gentry, 2009), G. Gren- sistant to various types of attacks and are effec- try proposed the first fully homomorphic encryption tive. Their main role is the protection of commu- scheme. It was a revolution and it solves an open nications so they guarantee the security of the data problem already stated by Rivest Shamir and Adel- exchanged or stored. Thus, it will always be inter- man when they invented RSA in (Rivest et al., 1978). esting to find a new encryption scheme or to im- Many advances have been done and nowadays we prove a known one. It is in this context that we have some efficient implementations like for instance propose a linear Generalized ElGamal encryption SEAL developed by Microsoft (SEAL, 2019). How- scheme. The modifications are about the key gen- ever for some applications like the inversion of a large eration which lead to a different encryption and matrix or multiplications of large matrices fully ho- decryption algorithms. Like linear ElGamal en- momorphic encryption schemes can be very slow or cryption, the linear Generalized ElGamal encryp- produce large ciphertext or even be inexact. It is why tion scheme is IND-CPA secure under (DLA). all partial homomorphic encryptions like RSA (Rivest et al., 1978), GM (Goldwasser and Micali, 1982), • We also propose the ElGamal and the Generalized ElGamal (Elgamal, 1985), Benaloh (Benaloh, 1999; ElGamal schemes from the generalized linear. Fousse et al., 2011), Okamoto-Uchiyama (Okamoto • We implement the algorithms and compare their and Uchiyama, 1998), Naccache-Stern (Naccache performances with the original algorithms. Our and Stern, 1998), Paillier (Paillier, 1999) or Gal- performance evaluations show that the decryption braith (Galbraith, 2002), are still widely used. They algorithm is faster. We also demonstrate that our can be used to solve such problems in reasonable key generation algorithm is slower, but this is not among of time like in (Ciucanu et al., 2019). a problem since this operation is usually done Many cryptosystems rely on the Diffie-Hellman only once. decision problem (DDH) (Boneh, 1998; Joux and Guyen, 2006) assumption, notably the ElGamal encryption scheme and the Cramer-Shoup encryption Related works. In 1985, Taher ElGamal (Elgamal, scheme (Cramer and Shoup, 1998). In (D. Boneh and 1985) proposed an encryption and signature scheme Shacham, 2004b), Boneh et al. introduced the Deci- called ElGamal scheme. sional Linear Assumption (DLA) and a variation of In (Hanoymak, 2013), Turgut Hanoymak proves ElGamal encryption scheme. Our aim is to improve the security of ElGamal encryption scheme which this linear version of ElGamal encryption scheme us- is based on the hardness to solve the Computa- ing the same approach proposed in (Sow and Sow, tional Diffie-Hellman (CDH) and Decisional Diffie- 2011). Hellman (DDH) problems. In (D. Boneh and Shacham, 2004b), Boneh et al. Key Generation Algorithm. For the creation of a proposed a linear encryption scheme based on the El- public/secret key, Bob should do the following: Gamal encryption scheme. The linear ElGamal en- 1. Select a finite cyclic group G of order d with gen- cryption scheme is IND-CPA secure under the (DLA). erator g. In (Sow and Sow, 2011), a modified variant of 2. Select a random integer a such that 2 < a < d. a the ElGamal scheme is presented, and it is called 3. Compute h = g in G. Generalized ElGamal. As ElGamal’s scheme, the 4. The public key is pk = (G,d,g,h) and the secret Generalized ElGamal scheme is based on Decisional key is sk = a. Diffie-Hellman Problem (DDH). In the Generalized ElGamal scheme, the decryption key size is smaller Encryption Algorithm. To encrypt a message m than those of ElGamal scheme. Hence the General- for Bob, Alice should do the following: ized ElGamal scheme is more efficient than ElGamal 1. Take pk = (G,d,g,h), the Bob’s public key; scheme; since the decryption process is a bit faster. 2. Select a random integer r such that 1 < r < d = The encryption mechanism has the same efficiency #G; than ElGamal encryption mechanism. But, the key r r 3. Compute c1 = g and c2 = m · h in G; generation algorithm is slower than the key genera- 4. The ciphertext is c = (c1,c2). tion algorithm of ElGamal scheme. However, this is not a problem since the key generation is done only Decryption Algorithm. To decrypt a ciphertext c, once. Bob should do the following: 1. Take sk = a the secret key. Outline of paper. In Section 2, we present the orig- c2 2. Compute m = a , we note that m ∈ G. inal ElGamal encryption scheme and the Generalized (c1) 3. The plaintext is m. ElGamal encryption scheme. In Section 3, we present the Linear assumption, the linear ElGamal encryption scheme and the ElGamal encryption scheme from Security proof of ElGamal encryption. We recall the generalized linear. In Section 4, we propose the some theorems, which show the security of ElGamal linear Generalized ElGamal encryption scheme and encryption scheme under the CDH and DDH assump- k the Generalized ElGamal encryption scheme from the tions. Let GP an algorithm which takes 1 and re- generalized linear. In Section 5, we propose a com- turns the public key pk = (G,d,g,h) of the ElGamal plexity analysis of our scheme. In Section 6.1, we encryption scheme. present the curves showing the average time of the I One-wayness under the CDH Assumption. If key generation, encryption and decryption algorithms the CDH assumption holds with respect to GP , of the ElGamal encryption scheme and the General- then the ElGamal encryption scheme is one-way. ized ElGamal encryption scheme. In Section 6.2, we Theorem 2.1. Let adversary be a probabilis- also present the curves showing the average time of A tic polynomial-time algorithm against the ElGa- the key generation, encryption and decryption algo- mal encryption scheme (Elgamal, 1985) in the rithms of the Linear ElGamal encryption scheme and OW-CPA sense. Then there is a probabilistic the Linear Generalized ElGamal encryption scheme. polynomial-time algorithm against solving Note that a full version with the security proofs is B GP the CDH problem such that: available on (Lafourcade et al., 2020). CDH OW−CPA AdvGP ,B (k) = AdvΠ,A (k). 2 ElGamal and Generalized I Indistinguishability under the DDH Assump- tion. If the DDH assumption holds with respect ElGamal Encryption Schemes to GP , then the ElGamal encryption scheme is indistinguishable under chosen-plaintext attacks, We recall the ElGamal encryption scheme (Elga- i.e., it is IND-CPA secure. mal, 1985) and the Generalized ElGamal encryption scheme (Sow and Sow, 2011). Theorem 2.2. Let adversary A be a probabilistic polynomial-time against the ElGamal encryp- 2.1 The ElGamal Encryption Scheme tion scheme in the IND-CPA sense. Then there is a probabilistic polynomial-time algorithm B against solving the DDH problem such that: Given a computational group scheme G, the ElGamal GP public-key encryption is defined as following (Elga- 1 AdvDDH (k) = · AdvIND−CPA(k). mal, 1985): GP ,B 2 Π,A I Semantic security. In (J. Katz, 2008), Katz and is an attacker A that inverse the Generalized El- al. prove the semantic security of the ElGamal Gamal encryption then we can build an algorithm encryption scheme. B that solves CDH, it means that Theorem 2.3. Under the DDH assumption, El- AdvCDH (k) = AdvOW−CPA(k). Gamal encryption scheme is semantically secure. GP ,B Π,A I Indistinguishability under the DDH Assump- 2.2 Generalized ElGamal Encryption tion. Scheme Theorem 2.5. Under the DDH Assumption, the Generalized ElGamal encryption scheme is indis- We give a key generation mechanism and a public key tinguishable under Chosen Plaintext Attacks, i.e., encryption algorithm (Sow and Sow, 2011), which it is IND-CPA secure. So we have: can be view as a slight modification of ElGamal’s 1 schemes (Elgamal, 1985). AdvDDH (k) = · AdvIND−CPA(k), GP ,B 2 Π,A Key generation algorithm. To create a pair of pub- where A is an attacker of the Generalized ElGa- lic and private key, we do the following: mal encryption and k the security parameter. 1. Select a cyclic group G with sufficiently large or- To justify the performance of Generalized ElGa- der d = #G such that G = hgi. mal encryption scheme described in (Sow and Sow, 2. Select two random integers r and k sufficiently 2011) with respect to ElGamal encryption scheme, large such that 2 < k < d and r of size half the comparison curves in execution time of the key gen- size of d with d = #G. Compute kd. eration, encryption and decryption algorithms are per- 3. Compute with euclidean division algorithm, the formed (see Figure 1, Figure 2 and Figure 3). pair (s,t) such that kd = rs + t where t = kd mod s. 4. Compute γ = gs and δ = gt in G; Note that γ 6= 1 and δ 6= 1. 3 Linear Encryption Then public key is ((γ,δ),G) and the private key is (r,G). Boneh et al. (D. Boneh and Shacham, 2004b) introduced a decisional assumption, called Linear, in- tended to take the place of DDH in groups - in partic- Encryption algorithm. To encrypt a message with ular, bilinear groups (Joux and Nguyen, 2003) - where the public key ((γ,δ),d,G), we do the following: DDH is easy. For this setting, the Linear problem has 1. Select a random integer 2 < α < d = #G such that desirable properties, as they have shown: it is hard if α and #G are co-prime. DDH is hard, but, at least in generic groups (Shoup, 2. Compute c = γα and λ = δα in G, hence c 6= 1 1 1 1997), it remains hard even if DDH is easy. Letting G and λ 6= 1. be a cyclic multiplicative group of prime order p, and 3. Transform the message m as an element of G and letting g ,g , and g be arbitrary generators of G, we compute c = λm in G. 1 2 3 2 consider the following problem: The ciphertext is (c1,c2). a b Linear Problem in G: Given g1,g2,g3,g1,g2, c g3 ∈ G as input, output yes if a + b = c and no oth- Decryption algorithm. To decrypt a ciphertext of erwise. The advantage of an algorithm A in deciding the form (c ,c ) that is encrypted with the public linear 1 2 the Linear problem in G is denoted by AdvA and it key ((γ,δ),d,G) and knowing the associate secret key is equal to: (r,G), we just need to compute cr c . a b a+b 1 2 |Pr[A(g1,g2,g3,g1,g2,g3 ) = yes : R R g1,g2,g3 ← G,a,b ← Zp] Provable security of the Generalized ElGamal En- a b −Pr[A(g1,g2,g3,g1,g2,η) = yes : cryption Scheme. R R g1,g2,g3,η ← G,a,b ← Zp]| I One-wayness under the CDH Assumption. with the probability taken over the uniform random Theorem 2.4. Under the CDH Assumption, the choice of the parameters to A and over the coin tosses Generalized ElGamal encryption scheme is One- of A. We say that an algorithm A(t,ε)-decides Linear linear Way secure under Chosen Plaintext Attack (OW- in G if A runs in time at most t, and AdvA is at CPA). That is, for a security parameter k, if there least ε. Definition 3.1. We say that the (t,ε)-Decision Linear LE.Enc(pk,M): To encrypt a message M ∈ G, parse n Assumption holds in G if no algorithm (t,ε)-decides pk = (g1,g2,...,gn) ∈ G , choose random ex- the Decision Linear problem in G. $ ponents r1,r2,...,rn−1 ← Zp, and set: u1 ← r1 r2 r1+r2+...+rn−1 The Linear problem is well defined in any group g1 , u2 ← g2 ,...un ← Mgn . the ci- n where DDH is well defined. It is mainly used in phertext ct = (u1,u2,...,un) ∈ G . bilinear groups like in (Boneh and Franklin, 2003; D. Boneh and Shacham, 2004a; Paterson, 2005). LE.Dec(sk,ct): Parse the private key sk as (x1,x2, n−1 ...,xn−1) ∈ Zp and the ciphertext ct as (u1,u2, n n 3.1 Linear ElGamal Encryption Scheme ...,un) ∈ G ) ∈ G and compute : x1 x2 xn−1 M ← un/(u1 u2 ...un−1 ) Boneh et al proposed a linear encryption scheme based on the ElGamal encryption scheme. Given a computational group scheme G, the Linear ElGamal encryption scheme is defined as follows: 4 Linear Generalized ElGamal

λ $ Encryption Scheme LE.Gg(1 ): Choose a random generator g3 ← G and x−1 x−1 x ,x ←$ , and set g ← g 1 and g ← g 2 . The 1 2 Zp 1 3 2 3 We present the Linear Generalized ElGamal en- public key is pk = (g ,g ,g ) ∈ G3; the secret key 1 2 3 cryption scheme, its security and the Generalized El- is sk = (x ,x ) ∈ 2 . 1 2 Zp Gamal encryption scheme from the generalized linear. LE.Enc(pk,M): To encrypt a message M ∈ G, parse pk = (g ,g ,g ) ∈ G3, choose random exponents 1 2 3 4.1 Algorithms $ r1 r2 r1,r2 ← Zp, and set: u1 ← g1 and u2 ← g2 and u ← Mgr1+r2 . The ciphertext ct = (u ,u ,u ) ∈ 3 3 1 2 3 Given a computational group scheme G, the Lin- G3. ear Generalized ElGamal encryption scheme is com- LE.Dec(sk,ct): Parse the private key sk as (x1,x2) ∈ posed of the following three functions: the setup func- 2 3 Zp and the ciphertext ct as (u1,u2,u3) ∈ G and tion, denoted LGE.Gg(), the encryption function, de- −x1 −x2 noted LGE.Enc() and the decryption function, de- compute M ← u3u1 u2 . noted LGE.Dec().

r1 We now describe how these functions works. Correctness of decryption process. Since u1 = g1 r r +r 2 1 2 λ $ and u2 = g2 , u3 = Mg3 we have: LGE.Gg(1 ): Choose a random generator g ← G $ $ x x r +r r r 1 2 1 2 1 x1 2 x2 and k ← d, r ← d/2. u3/(u1 u2 ) = Mg3 /((g1 ) (g2 ) ) Z Z r1+r2 r1 r2 2 kd = (Mg )/(g g ) = M Compute (s,t) ∈ Zd such that s ← b r c and t ← 3 3 3 r s t kd mod r and set g1 ← g , g2 ← g , and g3 ← g . Theorem 3.2. Under the Linear Assumption, ElGa- 3 The public key is pk = (g1,g2,g3) ∈ G and the mal Encryption Scheme is IND-CPA secure (D. Boneh secret key is sk = (r,s,t) ∈ × 2. and Shacham, 2004b). Zd/2 Zd LGE.Enc(pk,M): To encrypt a message M ∈ G, 3 3.2 ElGamal from Generalized Linear parse pk = (g1,g2,g3) ∈ G , choose random ex- $ ponents α1,α2 ← Zd, and set We deﬁne three functions: the setup function, denoted α1 α2 α1+α2 LE.Gg(), the encryption function, denoted LE.Enc() c1 ← g1 and c2 ← g2 and c3 ← Mg3 ; and the decryption function, denoted LE.Dec(). 3 We now describe how these functions works. the ciphertext ct = (c1,c2,c3) ∈ G .

λ $ LE.Gg(1 ) : Choose a random generator gn ← G LGE.Dec(sk,ct): Parse the private key sk as (r,s,t) ∈ 2 3 $ 1/x1 Zd/2 ×Zd and the ciphertext ct as (c1,c2,c3) ∈ G and x1,x2,...,xn−1 ← Zp, and set: g1 ← gn , s r and compute M ← c c c3. 1/x2 1/xn−1 1 2 g2 ← gn , ..., gn−1 ← gn . The public key n is pk = (g1,g2,...,gn) ∈ G ; the secret key is Before proving the security of our scheme in The- n−1 sk = (x1,x2,...,xn−1) ∈ Zp . orem 4.1, we give its correctness. Correctness of decryption process. Since c1 = Linear ElGamal Linear General- α1 α2 α1+α2 ized ElGamal g1 , c2 = g2 and c3 = Mg3 , we have: Size Key secret key ∈ Zq, secret key ∈ Zd, s r α1s α2r α1+α2 c1c2c3 = g1 g2 g3 M q = o(G) d = o(G) = Mgα1rsgα2srg(α1+α2)t Key Gen P = 2, M = 0, P = 3, M = 1, nP = 3, nS = 2 nP = 3, nS = 3 (rs+t)(α1+α2) = Mg Encryption P = 3, M = 1 P = 3, M = 1 = Mgkd(α1+α2) Decryption P = 2, M = 2, P = 2, M = 2, = M I = 2 I = 0 Table 1: Comparison of Linear ElGamal and Linear Gen- Theorem 4.1. The Linear Generalized ElGamal En- eralized ElGamal for each algorithm in terms of computa- cryption Scheme is IND-CPA secure under the Deci- tional cost. sional Linear Assumption (DLA). • M = multiplication’s number, 4.2 Generalized ElGamal from • S = sum’s number, Generalized Linear • I = inverse’s number,

Given a computational group scheme G, the Gener- • nP = number of parameters of the public key, alized ElGamal encryption scheme from the general- • nS = number of parameters of the private key. ized linear is deﬁned as follows: To present the performance of the two encryp- LGE.Gg(1λ): Choose a random generator g ←$ G tion schemes, we study the number of operations performed (according to the parameters described) in the k,r ←$ × (s ,t ) ∈ 2 and i Zd Zd/2, compute i i Zd such key generation, encryption and decryption processes. that s ← b kd c and t ← kd mod r , 1 ≤ i ≤ n and i ri i i 3 From the comparative Table 1, we can clearly see n rk+1 set for 0 ≤ k ≤ 3 − 1: g3k+1 ← g , g3k+2 ← that Linear Generalized ElGamal encryption scheme s t g k+1 and g3k+3 ← g k+1 . The public key is pk = is slower at generating keys but is faster for decryp- n (g1,g2,g3,...,gn−2,gn−1,gn) ∈ G and the secret tion the exponent used in the decryption algorithm has 2 n key is sk = (ri,si,ti) ∈ Zd/2 × Zd,1 ≤ i ≤ 3 . a size half of the order of the group. Moreover, we see LGE.Enc(pk,M): . To encrypt a message M ∈ that there is no inverse computed (even though this n difference brings only a slight improvement). G, parse pk = (g1,g2,g3,...,gn−2,gn−1,gn) ∈ G , $ choose random exponents α1,α2,...,αn−1 ← Zd, n α3k+1 and set 0 ≤ k ≤ 3 − 1 : c3k+1 ← g3k+1 , c3k+2 ← α3k+2 α3k+1+α3k+2 6 Performance Evaluations g3k+2 , c3k+3 ← Mg3k+3 . The ciphertext ct is (c ,c ,c ) ∈ G3. 3k+1 3k+2 3k+3 All our algorithms have been programmed with LGE.Dec(sk,ct): Parse the private key sk as (ri,si,ti) SageMath (The Sage Developers, 2020). The tests 2 ∈ Zd/2 × Zd, 1 ≤ i ≤ n/3 and the ciphertext ct as are performed with security parameters of size 32, 64, n (c1,c2,...,cn) ∈ G and compute 128, 512, 1024 bits. Some even go up to 2048 bits. s We start by comparing ElGamal and Generalized El- n 1 n sk+1 rk+1 Gamal before comparing Linear ElGamal and Linear M ← ∏c3k+1c3k+2c3k+3 . k=1 Generalized ElGamal. 6.1 ElGamal and Generalized ElGamal 5 Complexity Evaluation We present the curves showing the execution time We present a complexity comparison between the of the key generation, encryption and decryption al- Linear ElGamal and the Linear Generalized ElGamal gorithms of the ElGamal encryption scheme and the schemes. We give in this section a theoretical com- Generalized ElGamal encryption scheme. plexity where we study the number of computations The execution time of those two schemes is car- needed in each algorithm (key generation, encryption ried out under the same conditions in terms of gen- and decryption). Let us set the following parameters: 1Surprisingly this performance evaluation has not been • P = power’s number (exponent), done in (Sow and Sow, 2011). Key Generation algorithm, 1000 trials Encryption algorithm, 1000 trials ·10−3 ·10−3 1.2 ElGamal ElGamal 1 Generalized ElGamal Generalized ElGamal 1 0.8

0.6

0.4 0.5 Time in seconds Time in seconds

0.2

0 0 25 26 27 28 29 25 26 27 28 29 Size of security parameter Size parameter

Figure 1: Average time of key generation algorithm depend- Figure 2: Average time of encryption algorithm depending ing on the size of security parameter. on the size of security parameter. eration of the values and sizes of the security param- Decryption algorithm, 1000 trials ·10−3 eters. Indeed, given a size of a security parameter, 1 there are 1000 trials where new parameters (such as ElGamal prime number and messages) are computed for each Generalized ElGamal trial. 0.8 We give a detailed execution time for the key generation in Figure 1 and 4, the encryption algorithm in 0.6 Figure 2 and 5 and the decryption algorithm in Fig- ure 3 and 6. 0.4 Time in seconds Key Generation Algorithms. The curves of Fig- 0.2 ure 1 show the execution time of key generation algorithms for the ElGamal encryption scheme and for 0 Generalized ElGamal encryption scheme. We show that the two algorithms are similar. When the key size 25 26 27 28 29 increases then the Generalized ElGamal is a bit faster. Size parameter

Figure 3: Average time of decryption algorithm depending Encryption Algorithms. The curves of Figure 2 on the size of security parameter. show the execution time of encryption algorithms of the ElGamal encryption scheme and Generalized El- eralized ElGamal encryption scheme. We can see that Gamal encryption scheme. We observe that the Gen- the Generalized ElGamal decryption is always signif- eralized ElGamal encryption is always faster that El- icantly faster that ElGamal decryption. Gamal encryption. Indeed, we observe empirically that computations of γα and computations of δα for 6.2 Linear ElGamal and Linear Generalized ElGamal have the same execution time Generalized ElGamal than the term hr for the standard ElGamal. Yet, the r computations of the term g is slower than the three We studied the performance of Linear Generalized El- others. Thus, the overall execution time of encryption Gamal encryption scheme with respect to Linear El- algorithm for the Generalized scheme is less than the Gamal encryption scheme. We present the execution one for the standard ElGamal. time evaluations of the key generation in Figure 4, encryption in Figure 5 and decryption in Figure 6. Decryption Algorithms. The curves given in Fig- ure 3 show the execution time of decryption algo- Key Generation Algorithms. The curves given in rithms of the ElGamal encryption scheme and Gen- Figure 4 show the execution time of key generation Key Generation algorithm 100 trials Encryption algorithm with 100 trials ·10−3 ·10−3 Linear ElGamal Linear ElGamal Linear Generalized ElGamal Linear Generalized ElGamal

2 2

1 1 Time in seconds Time in seconds

0 0 25 26 27 28 29 25 26 27 28 29 Size of security parameter Size of security parameter

Figure 4: Average time of key generation algorithm depend- Figure 5: Average time of encryption algorithm depending ing on the size of security parameter. on the size of security parameter. algorithms of the Linear ElGamal encryption scheme Decryption algorithm, 100 trials and Linear Generalized ElGamal encryption scheme. ·10−3 We can see that our algorithm for key generation is Linear ElGamal clearly slower than the one proposed by Boneh et al. It 3 Linear Generalized ElGamal is the price to pay in order to have a faster encryption and decryption algorithms. It is not an issue because the key generation is in general done only once while 2 the encryption and decryption algorithms are more of- ten used.

Time in seconds 1 Encryption Algorithms. The curves of Figure 5 give the execution time of encryption algorithms of the Linear ElGamal encryption scheme and Linear 0 Generalized ElGamal encryption scheme. Accord- 5 6 7 8 9 ing to the complexity analysis the timings are similar 2 2 2 2 2 since the number of exponentiations are similar. Em- Size of security parameter pirically, we observe that they are similar. Figure 6: Average time of decryption algorithm depending on the size of security parameter.

Decryption Algorithms. The curves of Figure 6 like the linear encryption scheme based on the ElGa- represent the execution time of decryption algorithms mal encryption scheme. It also has a faster encryption of the Linear ElGamal encryption scheme and Linear and decryption algorithms. Generalized ElGamal encryption scheme. We clearly see that the decryption is faster using our scheme, In the future, we would like to see how our ap- which conﬁrms the complexity analysis of the previ- proach can be applied to improved other schemes. ous section.

Conclusion Acknowledgement

We have proposed a faster Linear Generalized El- Gamal encryption scheme based on the Generalized ElGamal encryption scheme. We prove that our linear This study was partially supported by the French scheme is IND-CPA secure under the Linear problem ANR project ANR-18-CE39-0019 (MobiS5). REFERENCES Hanoymak, T. (2013). On provable security of cryptographic schemes. International Journal of In- Benaloh, J. (1999). Dense probabilistic encryption. formation Security Science, 2, No.2. Boneh, D. (1998). The decision diffie-hellman prob- J. Katz, Y. L. (2008). Introduction to modern cryp- lem. In In Proceedings of the Third Algorithmic tography. CRC PRESS. Number Theory Symposium, volume 1423, pages Joux, A. and Guyen, K. (2006). Separating decision 48–63. diffe-hellman to diffe hellmann in cryptographie Boneh, D. and Franklin, M. (2003). Identity-based groups. encryption from the weil pairing. SIAM J. Com- Joux, A. and Nguyen, K. (Sept. 2003). Separating de- puting, 32(3):586–615. cision diffie-hellman from computational diffie- Ciucanu, R., Giraud, M., Lafourcade, P., and Ye, L. hellman in cryptographic groups. J. Cryptology, (2019). Secure strassen-winograd matrix multi- 16(4):239–47. plication with mapreduce. In Obaidat, M. S. and Lafourcade, P., Robert, L., and Sow, D. (2020). Samarati, P., editors, Proceedings of the 16th In- https://sancy.iut-clermont.uca.fr/∼lafourcade/ ternational Joint Conference on e-Business and PAPERS/PDF/Secrypt-long2020.pdf. Telecommunications, ICETE 2019 - Volume 2: Naccache, D. and Stern, J. (1998). A new public key SECRYPT, 2019, pages 220–227. SciTePress. cryptosystem based on higher residues. In Pro- Cramer, R. and Shoup, V. (1998). A practical public ceedings of the 5th ACM Conference on Com- key cryptosystem provably secure against adap- puter and Communications Security, CCS ’98, tive chosen ciphertext attack. In Proc. of the 18th page 59–66, New York, NY, USA. Association Annual International Cryptology Conference on for Computing Machinery. Advances in Cryptology, CRYPTO’98. Okamoto, T. and Uchiyama, S. (1998). A new public- D. Boneh, B. L. and Shacham, H. (Sept. 2004a). Short key cryptosystem as secure as factoring. In Ny- signatures from the weil pairing. J. Cryptology, berg, K., editor, Advances in Cryptology — EU- 17(4):297–319. ROCRYPT’98, pages 308–318, Berlin, Heidel- D. Boneh, X. B. and Shacham, H. (Aug. 2004b). berg. Springer Berlin Heidelberg. Short group signatures. In In M. Franklin, ed- Paillier, P. (1999). Public-key cryptosystems based on itor,Proceedings of Crypto 2004, volume 3152, composite degree residuosity classes. In Stern, pages 41–55. J., editor, Advances in Cryptology — EURO- Elgamal, T. (1985). A public key cryptosystem CRYPT ’99, pages 223–238, Berlin, Heidelberg. and a signature scheme based on discrete loga- Springer Berlin Heidelberg. rithms. IEEE Transactions on Information The- Paterson, K. (2005). Cryptography from pairings. ory, 31(4):469–472. Cambridge University Press, 317 of London Fousse, L., Lafourcade, P., and Alnuaimi, M. Mathematical Society Lecture Notes:215–51. (2011). Benaloh’s Dense Probabilistic Encryp- Rivest, R. L., Shamir, A., and Adleman, L. (1978). tion Revisited. In Progress in Cryptology - A Method for Obtaining Digital signatures and AFRICACRYPT 2011 - 4th Conference on the Public-Key Cryptosystems. Communications of Theory and Application of Cryptographic Tech- the ACM, 21(2):120–126. niques in Africa, volume 6737 of Lecture Notes SEAL (2019). Microsoft SEAL (release 3.4). https: in Computer Science, pages 348–362. Springer. //github.com/Microsoft/SEAL. Microsoft Re- Galbraith, S. D. (2002). Elliptic Curve Paillier Sche- search, Redmond, WA. mes. J. Cryptol., 15(2):129–138. Shoup, V. (May 1997). Lower bounds for discrete Gentry, C. (2009). A Fully Homomorphic Encryption logarithms and related problems. In In W. Fumy, Scheme. PhD thesis, Stanford, CA, USA. editor, Proceedings of Eurocrypt 1997, volume Goldwasser, S. and Micali, S. (1982). Probabilistic 1233 of LNCS, pages 256–66. encryption and how to play mental poker keep- Sow, D. and Sow, D. (2011). A new variant of ing secret all partial information. In Proceed- el gamal’s encryption and signatures schemes. ings of the Fourteenth Annual ACM Symposium Journal of Algebra, Number Theory and Appli- on Theory of Computing, STOC ’82. cations, 20(1):21–39. Goldwasser, S. and Micali, S. (1984). Probabilistic The Sage Developers (2020). SageMath, the Sage encryption. Journal of Computer and System Mathematics Software System (V 9.0). https: Sciences, 28:270–299. //www.sagemath.org. ow A Cryptographic Recalls Game 1: The One Wayness Game: PubKA,Π 1: Gen is run to obtain the keys (pk,sk) We recall some notions about public key encryp- 2: m is chosen at random from message space tion schemes: success probability of an adversary, se- 3: The challenge ciphertext c = Encpk(m) curity models in terms of the adversarial goals and the 4: Adversary A is given pk and c to produce m0 = adversarial capabilities (see (Hanoymak, 2013)). We A(pk,c) also recall some notions on security models. 5: The output of the game is defined to be 1 if m0 = m and ⊥ otherwise. A.1 Public Key Encryption Schemes Definition A.2. A public key encryption scheme Π = (Gen,Enc,Dec) is one-way secure against chosen Definition A.1. A public key encryption scheme is a plaintext attacks (OW-CPA) if the advantage of any tuple of probabilistic polynomial time algorithms Π = probabilistic polynomial-time algorithm A defined by (Gen,Enc,Dec) such that: h i Advow−cpa(k) = Pr Expow (k) ⇒ true 1. The key generation algorithm Gen takes as input Π,A Π,A ow the security parameter and outputs a pair of pub- is negligible as a function k, where ExpΠ,A (k) is the lic and secret keys (pk,sk). experiment. 2. The encryption algorithm Enc takes as input a public key pk and a message m from some under- Indistinguishability. Here, the goal of the adver- lying plaintext message space. It outputs a cipher- sary is to find out which of the plaintexts have been text c, i.e., c = Encpk(m). selected by the challenger. 3. The decryption algorithm Dec takes as input (sk,c) and outputs a message m or ⊥. We denote Game 2 IND-CPA Game: PubKind−cpa the decryption algorithm by m = Decsk(c). A,Π 1: Gen is run to obtain public and secret keys We note that Enc may be probabilistic but Dec (pk,sk). must be deterministic and the following equation 2: Adversary A is given pk, outputs a pair of mes- should hold for any message: sages (m0,m1) of equal length. 3: A random bit b ∈ {0,1} is chosen, the challenge Decsk(Encpk(m)) = m ciphertext c = Encpk(mb) is computed and given to A. 0 A.2 Security Notions 4: A outputs a bit b . 5: The output of the game is defined to be 1 if b0 = b and 0 otherwise. In this subsection, we recall some security notions: Definition A.3. A public key encryption scheme Π = (Gen,Enc,Dec) is indistinguishable secure against Chosen Plaintext Attack (CPA). A chosen- chosen plaintext attacks (IND-CPA) if for all proba- plaintext attack (CPA) is an attack model for bilistic polynomial time adversaries A, there exists a cryptanalysis which presumes that the attacker can negligible function such that obtain the ciphertexts for arbitrary plaintexts. The h i 1 Pr PubKind−cpa = 1 ≤ + negl. goal of the attack is to gain information that reduces A,Π 2 the security of the encryption scheme. + where a negligible function µ : N → R is function Modern ciphers aim to provide semantic security, such that for every positive polynomial p(·) there ex- also known as ciphertext indistinguishability under ists Np ∈ N such that for all integers x > Np, we have chosen-plaintext attack, and are therefore by design µ(x) < 1 . generally immune to chosen-plaintext attacks if cor- p(x) rectly implemented. A.3 Semantic security:

This definition comes from (Goldwasser and Micali, One-Wayness. This goal is defined via a game be- 1984), where is called polynomial indistinguishabil- tween the adversary and the challenger as follows: ity, and semantic security is actually the name of a syntactically different, but equivalent, characteriza- same encryption mechanism than these schemes but tion. This is formally defined via a game between an with some parameters then it is also a homomorphic adversary and a challenger. encryption. • The challenger computes: (pk,sk) ←$ KeyGen(), and gives pk to the adversary. B Security Proof • The adversary chooses two messages m0,m1 ∈ M, and gives these to the challenger. Theorem 4.1. The Linear Generalized ElGamal En- • The challenger computes cryption Scheme is IND-CPA secure under the Deci-

$ $ sional Linear Assumption (DLA). b ← {0,1}, ψ ← E(pk,mb) Proof. Let G be a group and g be a random generator r s t and gives the ”target ciphertext” ψ to the adver- of G. Let a random instance (g1 = g ,g2 = g ,g3 = g ) sary. of the Decisional Linear problem that one wants to • The adversary outputs b ∈ {0,1}. solve, considering the adversary A against the Linear Generalized ElGamal encryption in time t. We write We deﬁne the SS-advantage of the adversary to be: Game 0 the adversary’s scenarios and we modify it 1 gradually to the Decisional Linear problem. We note |Pr[b = b] − | 2 C the challenger and D a distinguisher and compare each output when a random is generated or when DH Semantic security means that any efﬁcient adversary’s is computed. SS-advantage is negligible.

A.4 Homomorphic encryption Game 0: challenger C, adversary A $ $ 1: g ← G and k,r ← Zd × Zd/2, compute (s,t) Homomorphic encryption is a form of encryption that such that kd = rs + t and output (g1,g2,g3) = allows specific types of computations to be executed (gr,gs,gt ): C on ciphertexts and obtain an encrypted result that is 2: (m0,m1) ←− A(g1,g2,g3) the ciphertext of the result of operations performed 3: (c1,c2,c3) ←− E((g1,g2,g3),mσ,α1,α2) where on the plain text. A homomorphic encryption allows a $ $ user to manipulate without needing to decrypt it first. σ ← {0,1} and α1,α2 ← G : C 0 An example of homomorphic encryption is the RSA 4: {0,1} 3 σ ←− A(c1,c2,c3) algorithm. Other examples of homomorphic encryption schemes are the ECC encryption, the ElGamal Here, we have modeled the adversary A as a de- cryptosystem (Elgamal, 1985), and the Pailler cryp- terministic algorithm that takes as input a random el- tosystem. ement sampled uniformly from some set. It should be Typically, secure data aggregation mechanisms re- evident that this algorithm faithfully represents the at- quire nodes to perform the following operations: 0 tack game. If we define S0 to be the event that σ = σ , 1 • at the transmitting node, prior to transmission, then the adversary’s advantage is |Pr[S0] − 2 |. data are encrypted with some cryptographic func- Game 1. (This is a transition based on indistin- tion E; guishability). We now make one small change to the • at the receiving node, all received data packets are above game. Namely, instead of computing c3 as α1+α2 z1+z2 decrypted with the inverse cryptographic function g3 , we compute it as g for randomly cho- D = E −1 to retrieve the original data; sen z1,z2 ∈ Zd. We can describe the resulting game algorithmically as follows: • data are aggregated with an aggregation function; • prior to re-transmission, aggregated data are en- Game 1: challenger C and adversary A crypted through E and relayed to the next hop. $ $ 1: g ← G and k,r ← × , compute (s,t) such Lemma A.4. Linear Generalized ElGamal Encryp- Zd Zd/2 kd = rs +t tion Scheme is a homomorphic encryption. that : C 2: (m0,m1) ←− A(g1,g2,g3) t(z +z ) Proof. The ElGamal encryption scheme, Linear El- 3: (c1,c2,c3) ←− E((g1,g2,g 1 2 ),mσ,α1,α2) Gamal encryption and Generalized ElGamal Encryp- $ $ where σ ← {0,1} and α1,α2 ← G : C tion scheme are homomorphic encryptions. Our Lin- 0 4: {0,1} 3 σ ←− A(c1,c2,c3) ear Generalized ElGamal Encryption scheme has the 0 rα sα t(z +z ) Let S1 be the event that σ = σ in Game 1. If the input to D is of the form (g 1 ,g 2 ,g 1 2 ), then computation proceeds just as in Game 1, and 1 Claim B.1. We prove that: Pr[S1] = 2 . therefore

$ rα1 sα2 t(z1+z2) This follows from the fact that in Game 1, Pr[α1,α2 ←− Zd : D(g ,g ,g ) = 1] = Pr[S1] gt(z1+z2) is effectively a one-time pad, and as such, From this, it follows that the DLA-advantage of is the adversary’s output σ0 is independent of the hid- D equal to |Pr[S ] − Pr[S ]|. That completes the proof den bit σ. To prove this more rigorously, it suf- 0 1 of Claim B.2. fices to show that σ,α ,α ,g ,g ,g ,c ,c ,c are 1 2 1 2 3 1 2 3 Combining Claim B.1 and Claim B.2, we see that mutually independent, since from this, it follows 1 0 |Pr[S0] − | = εdla, and this is negligible. That com- that σ and σ = A(α1,α2,g1,g2,g3,c1,c2,c3) are 2 pletes the proof of security of Linear Generalized El- independent. First observe that by construction, z +z Gamal encryption. σ,α1,α2,g1,g2,g3,c1,c2,g 1 2 are mutually independent. It suffices to show that conditioned on any fixed values of σ,α1,α2,g1,g2,g3,c1,c2, the conditional distribution of c3 is the uniform distribution over G. Now, if σ,α1,α2,g1,g2,g3,c1,c2 are fixed, then so are m0, m1, since they are determined by α1,α2,g1,g2,g3; moreover, by independence, the conditional distribution of gz1+z2 is the uniform distribution on G, and hence from this, one sees that t(z +z ) the conditional distribution of c3 = g 1 2 ·mσ is the uniform distribution on G.

Claim B.2. We prove that |Pr[S0] − Pr[S1]| = εdla where εdla is the DLA-advantage of some efﬁcient algorithm (and hence negligible under the DLA (Deci- sional Linear Assumption).

The proof of this is essentially the observation that in Game 0, the triple (grα1 ,gsα2 ,gt(z1+z2)) is of the form (grα1 ,gsα2 ,gt(α1+α2)), while in Game 1, it is of the form (grα1 ,gsα2 ,gt(z1+z2)), and so the adversary should not notice the difference, under the DLA assumption. To be more precise, our distinguishing algorithm D works as follows:

Algorithm: D(grα1 ,gsα2 ,gt(z1+z2))

D • (m0,m1) ←− A (g1,g2,g3) • (c1,c2,λ · mσ) ← E((g1,g2,g3),mσ,α1,α2) t(z +z ) $ $ where λ = g 1 2 , σ ← {0,1}; α1,α2 ← G : C 0 D •{ 0,1} 3 σ ←− A (c1,c2,c3) • If σ = σ0 – then output 1 – else output 0

Algorithm D effectively ”interpolates” between Games 0 and 1. If the input to D is of the form (grα1 ,gsα2 ,gt(α1+α2)), then computation proceeds just as in Game 0, and therefore

$ rα1 sα2 t(α1+α2) Pr[α1,α2 ←− Zd : D(g ,g ,g ) = 1] = Pr[S0].