Linear Generalized ElGamal Scheme

Demba Sow1,Leo´ Robert2, and Pascal Lafourcade2

1LACGAA, Universite´ Cheikh Anta Diop de Dakar, Sen´ egal´ , [email protected] 2LIMOS, Universite´ Clermont Auvergne, France, [email protected] , [email protected]

Keywords: , Partial , Linear Assumption, ElGamal encryption scheme.

Abstract: ElGamal public encryption scheme has been designed in the 80’s. It is one of the first partial homomorphic encryption and one of the first IND-CPA probabilistic public key encryption scheme. A linear version has been recently proposed by Boneh et al. In this paper, we present a linear encryption based on a generalized version of ElGamal encryption scheme. We prove that our scheme is IND-CPA secure under the linear assumption. We design a also generalized ElGamal scheme from the generalized linear. We also run an evaluation of performances of our scheme. We show that the decryption algorithm is faster than the existing versions.

1 Introduction Contributions. We propose the following results:

In 2009 in his thesis (Gentry, 2009), G. Gren- • Most of today’s public key are re- try proposed the first fully homomorphic encryption sistant to various types of attacks and are effec- scheme. It was a revolution and it solves an open tive. Their main role is the protection of commu- problem already stated by Rivest Shamir and Adel- nications so they guarantee the security of the data man when they invented RSA in (Rivest et al., 1978). exchanged or stored. Thus, it will always be inter- Many advances have been done and nowadays we esting to find a new encryption scheme or to im- have some efficient implementations like for instance prove a known one. It is in this context that we SEAL developed by Microsoft (SEAL, 2019). How- propose a linear Generalized ElGamal encryption ever for some applications like the inversion of a large scheme. The modifications are about the key gen- matrix or multiplications of large matrices fully ho- eration which lead to a different encryption and momorphic encryption schemes can be very slow or decryption algorithms. Like linear ElGamal en- produce large or even be inexact. It is why cryption, the linear Generalized ElGamal encryp- all partial homomorphic like RSA (Rivest tion scheme is IND-CPA secure under (DLA). et al., 1978), GM (Goldwasser and Micali, 1982), • We also propose the ElGamal and the Generalized ElGamal (Elgamal, 1985), Benaloh (Benaloh, 1999; ElGamal schemes from the generalized linear. Fousse et al., 2011), Naccache-Stern (Naccache and • We implement the algorithms and compare their Stern, 1998), Okamoto-Uchiyama (Okamoto and performances with the original algorithms. Our Uchiyama, 1998), Paillier (Paillier, 1999) or Gal- performance evaluations show that the decryption braith (Galbraith, 2002), are still widely used. They algorithm is faster. We also demonstrate that our can be used to solve such problems in reasonable key generation algorithm is slower, but this is not among of time like in (Ciucanu et al., 2019). a problem since this operation is usually done Many cryptosystems rely on the Diffie-Hellman only once. decision problem (DDH) (Boneh, 1998; Joux and • In general, if we work in a cyclic subgroup of size Guyen, 2006) assumption, notably the ElGamal en- d (with d a large prime), we can keep d secret and cryption scheme and the Cramer-Shoup encryption we can also use a secret exponent r for decryp- scheme (Cramer and Shoup, 1998). In (D. Boneh and |d| tion of size ,( where n0 is some integer which Shacham, 2004b), Boneh et al. introduced the Deci- n0 sional Linear Assumption (DLA) and a variation of divides |d|, the size of d). For example, it is possi- ElGamal encryption scheme. Our aim it to improve ble, for different security levels, to use a small key this linear version of ElGamal encryption scheme us- for decryption. Therefore, our scheme is faster ing the same approach proposed in (Sow and Sow, than the classical ElGamal one’s for the decryp- 2011). tion process. Related works. In 1985, (Elgamal, 2.1 The ElGamal Encryption Scheme 1985) proposed an encryption and signature scheme called ElGamal scheme. Given a computational group scheme G, the ElGamal In (Hanoymak, 2013), Turgut Hanoymak proves public-key encryption is defined as following (Elga- the security of ElGamal encryption scheme which mal, 1985): is based on the hardness to solve the Computa- tional Diffie-Hellman (CDH) and Decisional Diffie- Hellman (DDH) problems. Key Generation Algorithm. To create a pub- In (D. Boneh and Shacham, 2004b), Boneh et al. lic/secret key, Bob should do the following: proposed a linear encryption scheme based on the El- 1. Select a finite cyclic group G of order q with gen- Gamal encryption scheme. The linear ElGamal en- erator g. cryption scheme is IND-CPA secure under the (DLA). 2. Select a random integer a such that 2 < a < q. a In (Sow and Sow, 2011), a modified variant of 3. Compute h = g in G. the ElGamal scheme is presented, and it is called 4. The public key is pk = (G,q,g,h) and the secret Generalized ElGamal. As ElGamal’s scheme, the key is sk = a. Generalized ElGamal scheme is based on Decisional Diffie-Hellman Problem (DDH). In the Generalized Encryption Algorithm. To encrypt a message m ElGamal scheme, the decryption is smaller for Bob, Alice should do the following: than those of ElGamal scheme. Hence the General- 1. Take pk = ( ,q,g,h), the Bob’s public key; ized ElGamal scheme is more efficient than ElGamal G 2. Select a random integer r such that 1 < r < q = scheme; since the decryption process is faster. The # ; encryption mechanism has the same efficiency than G 3. Compute c = gr and c = m · hr in ; ElGamal encryption mechanism. But, the key gener- 1 2 G 4. The ciphertext is c = (c ,c ). ation algorithm is slower than the key generation al- 1 2 gorithm of ElGamal scheme. However, this is not a problem since the key generation is done only once. Decryption Algorithm. To decrypt a ciphertext c, Bob should do the following: Outline of paper. In Section 2, we show the origi- 1. Take sk = a the secret key. c2 2. Compute m = a , we note that m ∈ . nal ElGamal encryption scheme and the Generalized (c1) G ElGamal encryption scheme. In Section 3, we present 3. The plaintext is m. the Linear assumption, the linear ElGamal encryp- tion scheme and the ElGamal encryption scheme from Security proof of ElGamal encryption. We recall the generalized linear. In Section 4, we propose the some theorems presented in (Farshim, 2011), which linear Generalized ElGamal encryption scheme and show the security of ElGamal encryption scheme un- the Generalized ElGamal encryption scheme from the der the CDH and DDH assumptions. Let GP an al- generalized linear. In Section 5, we propose a com- gorithm which takes 1k and returns the public key plexity analysis of our scheme. In Section 6.1, we pk = ( ,q,g,h) of the ElGamal encryption scheme. present the curves showing the average time of the G One-wayness under the CDH Assumption. If key generation, encryption and decryption algorithms I the CDH assumption holds with respect to , of the ElGamal encryption scheme and the General- GP then the ElGamal encryption scheme is one-way. ized ElGamal encryption scheme. In Section 6.2, we Theorem 2.1. Let be a probabilistic also present the curves showing the average time of A polynomial-time algorithm against the El- the key generation, encryption and decryption algo- Gamal encryption scheme (Elgamal, 1985) in rithms of the Linear ElGamal encryption scheme and the OW-CPA sense. Then there is a probabilistic the Linear Generalized ElGamal encryption scheme. polynomial-time algorithm B against GP solving the CDH problem such that:

AdvCDH (k) = AdvOW−CPA(k). 2 ElGamal and Generalized GP ,B Π,A ElGamal Encryption Schemes I Indistinguishability under the DDH Assump- tion. If the DDH assumption holds with respect We recall the ElGamal encryption scheme (Elga- to GP , then the ElGamal encryption scheme is mal, 1985) and the Generalized ElGamal encryption indistinguishable under chosen-plaintext attacks, scheme (Sow and Sow, 2011). i.e., it is IND-CPA secure. Theorem 2.2. ((Farshim, 2011)) Let A be a prob- Decryption algorithm. To decrypt a ciphertext abilistic polynomial-time against the ElGamal en- (c1,c2) encrypted with the public key ((γ,δ),d,G) cryption scheme in the IND-CPA sense. Then and knowing the associate secret key (r,G), we just r there is a probabilistic polynomial-time algorithm need to compute c1c2. B against GP solving the DDH problem such that: Provable security of the Generalized ElGamal En- 1 cryption Scheme. AdvDDH (k) = · AdvIND−CPA(k). GP ,B 2 Π,A I One-wayness under the CDH Assumption. Theorem 2.4. Under the CDH Assumption, the . In (J. Katz, 2008), Katz and I Generalized ElGamal encryption scheme is One- al. prove the semantic security of the ElGamal Way secure under Chosen Plaintext Attack (OW- encryption scheme. CPA). That is, for a security parameter k, if there Theorem 2.3. Under the DDH assumption, El- is an attacker that inverse the Generalized El- Gamal encryption scheme is semantically secure. A Gamal encryption then we can build an algorithm B that solves CDH, it means that 2.2 Generalized ElGamal Encryption CDH (k) = OW−CPA(k). Scheme AdvGP ,B AdvΠ,A I Indistinguishability under the DDH Assump- We give a key generation mechanism and a public key tion. encryption algorithm (Sow and Sow, 2011), which Theorem 2.5. Under the DDH Assumption, the can be view as a slight modification of ElGamal’s Generalized ElGamal encryption scheme is indis- schemes (Elgamal, 1985). tinguishable under Chosen Plaintext Attacks, i.e., it is IND-CPA secure. So we have: Key generation algorithm. To create a pub- 1 lic/private key, we do the following: AdvDDH (k) = · AdvIND−CPA(k), GP ,B 2 Π,A 1. Select a cyclic group G with sufficiently large or- der d = #G such that G = hg0i. where A is an attacker of the Generalized ElGa- 2. Select a random element β < o(g0) = #G such that mal encryption and k the security parameter. gcd(β,d) = 1, i.e., β is invertible modulo d and To justify the performance of Generalized ElGa- compute g = g0β ∈ G. mal encryption scheme described in (Sow and Sow, 3. Select two random integers s and k sufficiently 2011) with respect to ElGamal encryption scheme, large such that 2 < k < s < d with d = #G and comparison curves in execution time of the key gen- compute kd. eration, encryption and decryption algorithms are per- 4. Compute with euclidean division algorithm, the formed (see Figure 1, Figure 2 and Figure 3). pair (r,t) such that kd = rs + t where t = kd kd  kd  mod s and r = < d. Note that r = , s s 3 Linear Encryption jsk , d −r, and t must be sufficiently large, if not, t Boneh et al. (D. Boneh and Shacham, 2004b) in- return to step 3. s t troduced a decisional assumption, called Linear, in- 5. Compute γ = g and δ = g in G; Note that γ 6= 1 tended to take the place of DDH in groups - in partic- and δ 6= 1. ular, bilinear groups (Joux and Nguyen, 2003) - where Then public key is ((γ,δ),G) and the private key is DDH is easy. For this setting, the Linear problem has (r,G). desirable properties, as they have shown: it is hard if DDH is hard, but, at least in generic groups (Shoup, Encryption algorithm. To encrypt a message with 1997), it remains hard even if DDH is easy. Letting G the public key ((γ,δ),d,G), we do the following: be a cyclic multiplicative group of prime order p, and 1. Select a random integer 2 < α < d = #G such that letting g1,g2, and g3 be arbitrary generators of G, we α and #G are co-prime. consider the following problem: α α a b 2. Compute c1 = γ and λ = δ in G, hence c1 6= 1 Linear Problem in G: Given g1,g2,g3,g1,g2, c and λ 6= 1. g3 ∈ G as input, output yes if a + b = c and no oth- 3. Transform the message m as an element of G and erwise. The advantage of an algorithm A in deciding linear compute c2 = λm in G. the Linear problem in G is denoted by AdvA and it The ciphertext is (c1,c2). is equal to: a b a+b |Pr[A(g1,g2,g3,g1,g2,g3 ) = yes : We now describe how these functions works. R R λ $ g1,g2,g3 ← G,a,b ← Zp] LE.Gg(1 ) : Choose a random generator gn ← G a b −Pr[ (g ,g ,g ,g ,g ,η) = yes : $ 1/x1 A 1 2 3 1 2 and x1,x2,...,xn−1 ← Zp, and set: g1 ← gn , R R g ,g ,g , ← G,a,b ← ]| 1/x2 1/xn−1 1 2 3 η Zp g2 ← gn , ..., gn−1 ← gn . The public key n with the probability taken over the uniform random is pk = (g1,g2,...,gn) ∈ G ; the secret key is choice of the parameters to and over the coin tosses n−1 A sk = (x1,x2,...,xn−1) ∈ Zp . of . We say that an algorithm (t,ε)-decides Linear A A LE.Enc(pk,M): To encrypt a message M ∈ G, parse G t linear in if A runs in time at most , and AdvA is at pk = (g ,g ,...,g ) ∈ Gn, choose random ex- least ε. 1 2 n ponents r ,r ,...,r ←$ , and set: u ← Definition 3.1. We say that the (t,ε)-Decision Linear 1 2 n−1 Zp 1 r1 r2 r1+r2+...+rn−1 Assumption holds in G if no algorithm (t, )-decides g1 , u2 ← g2 ,...un ← Mgn . the ci- ε n the Decision Linear problem in G. phertext ct = (u1,u2,...,un) ∈ G . The Linear problem is well defined in any group LE.Dec(sk,ct): Parse the private key sk as n−1 where DDH is well defined. It is mainly used in (x1,x2,...,xn−1) ∈ Zp and the ciphertext n n bilinear groups like in (Boneh and Franklin, 2003; ct as (u1,u2,...,un) ∈ G ) ∈ G and compute : x1 x2 xn−1 D. Boneh and Shacham, 2004a; Paterson, 2005). M ← un/(u1 u2 ...un−1 ) 3.1 Linear ElGamal Encryption Scheme 4 Linear Generalized ElGamal Boneh et al proposed a linear encryption scheme based on the ElGamal encryption scheme. Given a Encryption Scheme computational group scheme G, the Linear ElGamal We present the Linear Generalized ElGamal en- encryption scheme is defined as follows: cryption scheme, its security and the Generalized El- λ $ LE.Gg(1 ): Choose a random generator g3 ← G and Gamal encryption scheme from the generalized linear. −1 −1 $ x1 x2 x1,x2 ← Zp, and set g1 ← g3 and g2 ← g3 . The 3 4.1 Algorithms public key is pk = (g1,g2,g3) ∈ G ; the secret key 2 is sk = (x1,x2) ∈ Zp. Given a computational group scheme G, the Lin- LE.Enc(pk,M): To encrypt a message M ∈ G, parse ear Generalized ElGamal encryption scheme is com- 3 pk = (g1,g2,g3) ∈ G , choose random exponents posed of the following three functions: the setup func- $ r1 r2 tion, denoted LGE.Gg(), the encryption function, de- r1,r2 ← Zp, and set: u1 ← g1 and u2 ← g2 and r1+r2 noted LGE.Enc() and the decryption function, de- u3 ← Mg3 . The ciphertext ct = (u1,u2,u3) ∈ 3 noted LGE.Dec(). G . We now describe how these functions works. LE.Dec(sk,ct): Parse the private key sk as (x1,x2) ∈ λ $ 2 3 LGE.Gg(1 ): Choose a random generator g ← G Zp and the ciphertext ct as (u1,u2,u3) ∈ G and $ $ −x1 −x2 and k ← Zd, r ← Zd/2. compute M ← u3u1 u2 . 2 kd Compute (s,t) ∈ Zd such that s ← b r c and t ← r s t r1 kd mod r and set g ← g , g ← g , and g ← g . Correctness of decryption process. Since u1 = g 1 2 3 1 3 u = gr2 u = Mgr1+r2 The public key is pk = (g1,g2,g3) ∈ G and the and 2 2 , 3 3 we have: 2 secret key is sk = (r,s,t) ∈ Zd/2 × Zd. u /(ux1 ux2 ) = Mgr1+r2 /((gr1 )x1 (gr2 )x2 ) 3 1 2 3 1 2 LGE.Enc(pk,M): To encrypt a message M ∈ G, r1+r2 r1 r2 3 = (Mg3 )/(g3 g3 ) = M parse pk = (g1,g2,g3) ∈ G , choose random ex- $ Theorem 3.2. Under the Linear Assumption, ponents α1,α2 ← Zd, and set the ElGamal Encryption Scheme is IND-CPA α1 α2 α1+α2 c1 ← g1 and c2 ← g2 and c3 ← Mg3 ; secure (D. Boneh and Shacham, 2004b). 3 the ciphertext ct = (c1,c2,c3) ∈ G . 3.2 ElGamal from Generalized Linear LGE.Dec(sk,ct): Parse the private key sk as (r,s,t) ∈ 2 3 Zd/2 ×Zd and the ciphertext ct as (c1,c2,c3) ∈ G s r We define three functions: the setup function, denoted and compute M ← c1c2c3. LE.Gg(), the encryption function, denoted LE.Enc() Before proving the security of our scheme in The- and the decryption function, denoted LE.Dec(). orem 4.1, we give its correctness. Correctness of decryption process. Since c1 = Linear ElGamal Linear General- α1 α2 α1+α2 ized ElGamal g1 , c2 = g2 and c3 = Mg3 , we have: Size Key secret key ∈ Zq, secret key ∈ Zd, s r α1s α2r α1+α2 α1rs α2sr (α1+α2)t c1c2c3 = g1 g2 g3 M = Mg g g q = o(G) d = o(G) = Mg(rs+t)(α1+α2) = Mgkd(α1+α2) = M Key Gen P = 2, M = 0, P = 3, M = 1, nP = 3, nS = 2 nP = 3, nS = 3 Theorem 4.1. The Linear Generalized ElGamal En- Encryption P = 3, M = 1 P = 3, M = 1 cryption Scheme is IND-CPA secure under the Deci- Decryption P = 2, M = 2, P = 2, M = 2, sional Linear Assumption (DLA). I = 2 I = 0 The proof is given in Appendix. Table 1: Comparison of Linear ElGamal and Linear Gen- eralized ElGamal for each algorithm in terms of computa- 4.2 Generalized ElGamal from tional cost. Generalized Linear • nS = number of parameters of the private key. To present the performance of the two encryp- Given a computational group scheme G, the Gener- tion schemes, we study the number of operations per- alized ElGamal encryption scheme from the general- formed (according to the parameters described) in the ized linear is defined as follows: key generation, encryption and decryption processes. $ LGE.Gg(1λ): Choose a random generator g ← G From the comparative Table 1, we can clearly see $ 2 that Linear Generalized ElGamal encryption scheme and k,ri ← Zd × Zd/2, compute (si,ti) ∈ Zd such kd n is slower at generating keys but is faster for decryp- that si ← b c and ti ← kd mod ri, 1 ≤ i ≤ and ri 3 tion since no inversion is calculated. n rk+1 set for 0 ≤ k ≤ 3 − 1: g3k+1 ← g , g3k+2 ← s t g k+1 and g3k+3 ← g k+1 . The public key is pk = n (g1,g2,g3,...,gn−2,gn−1,gn) ∈ G and the secret 2 n 6 Performance Evaluations key is sk = (ri,si,ti) ∈ Zd/2 × Zd,1 ≤ i ≤ 3 . LGE.Enc(pk,M): . To encrypt a message M ∈ n All our algorithms have been programmed with G, parse pk = (g1,g2,g3,...,gn−2,gn−1,gn) ∈ G , $ SageMath (The Sage Developers, 2020). The tests choose random exponents α1,α2,...,αn−1 ← Zd, are performed with security parameters of size 32, 64, n α3k+1 and set 0 ≤ k ≤ 3 − 1 : c3k+1 ← g3k+1 , c3k+2 ← 128, 512, 1024 bits. Some even go up to 2048 bits. α3k+2 α3k+1+α3k+2 g3k+2 , c3k+3 ← Mg3k+3 . The ciphertext ct We start by comparing ElGamal and Generalized El- 3 1 is (c3k+1,c3k+2,c3k+3) ∈ G . Gamal before comparing Linear ElGamal and Linear Generalized ElGamal. LGE.Dec(sk,ct): Parse the private key sk as 2 (ri,si,ti) ∈ Zd/2 × Zd, 1 ≤ i ≤ n/3 and the n 6.1 ElGamal and Generalized ElGamal ciphertext ct as (c1,c2,...,cn) ∈ G and compute

s n s r We present the curves showing the execution time M ← n c k+1 c k+1 c . ∏ 3k+1 3k+2 3k+3 of the key generation, encryption and decryption al- k=1 gorithms of the ElGamal encryption scheme and the Generalized ElGamal encryption scheme. 5 Complexity Evaluation The execution time of those two schemes is car- ried out under the same conditions in terms of gen- eration of the values and sizes of the security param- We present a complexity comparison between the eters. Indeed, given a size of a security parameter, Linear ElGamal and the Linear Generalized ElGamal there are 1000 trials where new parameters (such as schemes. We give in this section a theoretical com- prime number and messages) are computed for each plexity where we study the number of computations trial. needed in each algorithm (key generation, encryption We give a detailed execution time for the key gen- and decryption). Let us set the following parameters: eration in Figure 1 and 4, the encryption algorithm in • P = power’s number (exponent), Figure 2 and 5 and the decryption algorithm in Fig- • M = multiplication’s number, ure 3 and 6. • S = sum’s number, • I = inverse’s number, 1Surprisingly this performance evaluation has not been • nP = number of parameters of the public key, done in (Sow and Sow, 2011). Key Generation algorithm, 1000 trials Encryption algorithm, 1000 trials ·10−3 ·10−3 ElGamal ElGamal Generalized ElGamal Generalized ElGamal 1.5 2

1.5 1 1

Time in seconds 0.5 Time in seconds 0.5

0 0 25 26 27 28 29 25 26 27 28 29 Size of security parameter Size parameter

Figure 1: Average time of key generation algorithm depend- Figure 2: Average time of encryption algorithm depending ing on the size of security parameter. The standard ElGamal on the size of security parameter. The standard ElGamal scheme is in blue and circle points. The proposed scheme is scheme is in blue and circle points. The proposed scheme is depicted in red and square points. Each security parameter depicted in red and square points. Each security parameter size is tested with 1000 trials. size is tested with 1000 trials.

Key Generation Algorithms. The curves of Fig- Decryption algorithm, 1000 trials ure 1 show the execution time of key generation al- ·10−3 gorithms for the ElGamal encryption scheme and for ElGamal Generalized ElGamal encryption scheme. we show Generalized ElGamal that the two algorithms are similar. When the key size 2 increases then the Generalized ElGamal is a bit faster. 1.5

Encryption Algorithms. The curves of Figure 2 1 show the execution time of encryption algorithms of the ElGamal encryption scheme and Generalized El- Time in seconds Gamal encryption scheme. We observe that the Gen- 0.5 eralized ElGamal encryption is always faster that El- Gamal encryption. 0 25 26 27 28 29 Decryption Algorithms. The curves given in Fig- Size parameter ure 3 show the execution time of decryption algo- Figure 3: Average time of decryption algorithm depending rithms of the ElGamal encryption scheme and Gen- on the size of security parameter. The standard ElGamal eralized ElGamal encryption scheme. We can see that scheme is in blue and circle points. The proposed scheme is the Generalized ElGamal decryption is always signif- depicted in red and square points. Each security parameter icantly faster that ElGamal decryption. size is tested with 1000 trials. Key Generation Algorithms. The curves given in 6.2 Linear ElGamal and Linear Figure 4 show the execution time of key generation Generalized ElGamal algorithms of the Linear ElGamal encryption scheme and Linear Generalized ElGamal encryption scheme. We also studied the performance of Linear General- We can see that our algorithm for key generation is ized ElGamal encryption scheme with respect to Lin- clearly slower than the one proposed by Boneh et al. It ear ElGamal encryption scheme. We present the exe- is the price to pay in order to have a faster encryption cution time evaluations of the key generation in Fig- and decryption algorithms. It is not an issue because ure 4, encryption algorithms in Figure 5 and decryp- the key generation is in general done only once while tion algorithms in Figure 6. the encryption and decryption algorithms are more of- Key Generation algorithm 100 trials Decryption algorithm, 100 trials ·10−3 ·10−3 Linear ElGamal Linear ElGamal Linear Generalized ElGamal 3 Linear Generalized ElGamal 2

2

1 Time in seconds Time in seconds 1

0 0 25 26 27 28 29 25 26 27 28 29 Size of security parameter Size of security parameter

Figure 4: Average time of key generation algorithm depend- Figure 6: Average time of decryption algorithm depending ing on the size of security parameter. The standard Linear on the size of security parameter. The standard Linear El- ElGamal scheme is in blue and circle points; the proposed Gamal scheme is in blue and circle points. The proposed scheme is depicted in red and square points. Each security scheme is depicted in red and square points. Each security parameter size is tested with 100 trials. parameter size is tested with 100 trials.

Encryption algorithm with 100 trials Decryption Algorithms. The curves of Figure 6 ·10−3 represent the execution time of decryption algorithms Linear ElGamal of the Linear ElGamal encryption scheme and Linear Linear Generalized ElGamal Generalized ElGamal encryption scheme. We clearly see that the decryption is faster using our scheme, 2 which confirms the complexity analysis of the previ- ous section.

1

Time in seconds Conclusion

We have proposed a faster Linear Generalized El- 0 Gamal encryption scheme based on the Generalized ElGamal encryption scheme. We prove that our linear 5 6 7 8 9 2 2 2 2 2 scheme is IND-CPA secure under the Linear problem Size of security parameter like the linear encryption scheme based on the ElGa- mal encryption scheme. It also has a faster encryption Figure 5: Average time of encryption algorithm depending on the size of security parameter. The standard Linear El- and decryption algorithms. Gamal scheme is in blue and circle points. The proposed In the future, we would like to see how our ap- scheme is depicted in red and square points. Each security proach can be applied to improved other schemes. parameter size is tested with 100 trials. ten used. Acknowledgement

This study was partially supported by the French Encryption Algorithms. The curves of Figure 5 ANR project ANR-18-CE39-0019 (MobiS5). give the execution time of encryption algorithms of the Linear ElGamal encryption scheme and Linear Generalized ElGamal encryption scheme. Accord- ing to the complexity analysis the timings are similar REFERENCES since the number of exponentiations are similar. Em- pirically, we observe that they are similar. Benaloh, J. (1999). Dense . Boneh, D. (1998). The decision diffie-hellman prob- Hanoymak, T. (2013). On provable security of cryp- lem. In In Proceedings of the Third Algorithmic tographic schemes. International Journal of In- Number Theory Symposium, volume 1423, pages formation Security Science, 2, No.2. 48–63. J. Katz, Y. L. (2008). Introduction to modern cryp- Boneh, D. and Franklin, M. (2003). Identity-based tography. CRC PRESS. encryption from the weil pairing. SIAM J. Com- puting, 32(3):586–615. Joux, A. and Guyen, K. (2006). Separating decision diffe-hellman to diffe hellmann in cryptographie Ciucanu, R., Giraud, M., Lafourcade, P., and Ye, L. groups. (2019). Secure strassen-winograd matrix multi- plication with mapreduce. In Obaidat, M. S. and Joux, A. and Nguyen, K. (Sept. 2003). Separating de- Samarati, P., editors, Proceedings of the 16th In- cision diffie-hellman from computational diffie- ternational Joint Conference on e-Business and hellman in cryptographic groups. J. Cryptology, Telecommunications, ICETE 2019 - Volume 2: 16(4):239–47. SECRYPT, 2019, pages 220–227. SciTePress. Naccache, D. and Stern, J. (1998). A new public key Cramer, R. and Shoup, V. (1998). A practical public based on higher residues. In Pro- key cryptosystem provably secure against adap- ceedings of the 5th ACM Conference on Com- tive chosen ciphertext attack. In Proc. of the 18th puter and Communications Security, CCS 98, Annual International Cryptology Conference on page 5966, New York, NY, USA. Association for Advances in Cryptology, CRYPTO’98. Computing Machinery. D. Boneh, B. L. and Shacham, H. (Sept. 2004a). Short Okamoto, T. and Uchiyama, S. (1998). A new public- signatures from the weil pairing. J. Cryptology, key cryptosystem as secure as factoring. In Ny- 17(4):297–319. berg, K., editor, Advances in Cryptology — EU- D. Boneh, X. B. and Shacham, H. (Aug. 2004b). ROCRYPT’98, pages 308–318, Berlin, Heidel- Short group signatures. In In M. Franklin, ed- berg. Springer Berlin Heidelberg. itor,Proceedings of Crypto 2004, volume 3152, pages 41–55. Paillier, P. (1999). Public-key cryptosystems based on composite degree residuosity classes. In Stern, Elgamal, T. (1985). A public key cryptosystem J., editor, Advances in Cryptology — EURO- and a signature scheme based on discrete loga- CRYPT ’99, pages 223–238, Berlin, Heidelberg. rithms. IEEE Transactions on Information The- Springer Berlin Heidelberg. ory, 31(4):469–472. Farshim, P. (2011). Provable-Security Paterson, K. (2005). Cryptography from pairings. of Public-Key Encryption Schemes. Cambridge University Press, 317 of London farshim.files.wordpress.com/2011/09/lectures.pdf. Mathematical Society Lecture Notes:215–51. Fousse, L., Lafourcade, P., and Alnuaimi, M. Rivest, R. L., Shamir, A., and Adleman, L. (1978). (2011). Benaloh’s Dense Probabilistic Encryp- A method for obtaining digital signatures and tion Revisited. In Progress in Cryptology - public-key cryptosystems. Commun. ACM, AFRICACRYPT 2011 - 4th Conference on the 21(2):120126. Theory and Application of Cryptographic Tech- SEAL (2019). Microsoft SEAL (release 3.4). https: niques in Africa, volume 6737 of Lecture Notes //github.com/Microsoft/SEAL. Microsoft Re- in Computer Science, pages 348–362. Springer. search, Redmond, WA. Galbraith, S. D. (2002). Elliptic curve paillier schemes. J. Cryptol., 15(2):129138. Shoup, V. (May 1997). Lower bounds for discrete logarithms and related problems. In In W. Fumy, Gentry, C. (2009). A Fully Homomorphic Encryption editor, Proceedings of Eurocrypt 1997, volume Scheme. PhD thesis, Stanford, CA, USA. 1233 of LNCS, pages 256–66. Goldwasser, S. and Micali, S. (1982). Probabilistic encryption and how to play mental poker keep- Sow, D. and Sow, D. (2011). A new variant of ing secret all partial information. In Proceed- el gamal’s encryption and signatures schemes. ings of the Fourteenth Annual ACM Symposium Journal of Algebra, Number Theory and Appli- on Theory of Computing, STOC 82. cations, 20(1):21–39. Goldwasser, S. and Micali, S. (1984). Probabilistic The Sage Developers (2020). SageMath, the Sage encryption. Journal of Computer and System Mathematics Software System (Version 9.0). Sciences, 28:270–299. https://www.sagemath.org. ow A Cryptographic Recalls Game 1: The One Wayness Game: PubKA,Π 1: Gen is run to obtain the keys (pk,sk) We recall some notions about public key encryp- 2: m is chosen at random from message space tion schemes: success probability of an adversary, se- 3: The challenge ciphertext c = Encpk(m) curity models in terms of the adversarial goals and the 4: Adversary A is given pk and c to produce m0 = adversarial capabilities (see (Hanoymak, 2013)). We A(pk,c) also recall some notions on security models. 5: The output of the game is defined to be 1 if m0 = m and ⊥ otherwise. A.1 Public Key Encryption Schemes Definition A.2. A public key encryption scheme Π = (Gen,Enc,Dec) is one-way secure against chosen Definition A.1. A public key encryption scheme is a plaintext attacks (OW-CPA) if the advantage of any tuple of probabilistic polynomial time algorithms Π = probabilistic polynomial-time algorithm A defined by (Gen,Enc,Dec) such that: h i Advow−cpa(k) = Pr Expow (k) ⇒ true 1. The key generation algorithm Gen takes as input Π,A Π,A ow the security parameter and outputs a pair of pub- is negligible as a function k, where ExpΠ,A (k) is the lic and secret keys (pk,sk). experiment. 2. The encryption algorithm Enc takes as input a public key pk and a message m from some under- Indistinguishability. Here, the goal of the adver- lying plaintext message space. It outputs a cipher- sary is to find out which of the plaintexts have been text c, i.e., c = Encpk(m). selected by the challenger. 3. The decryption algorithm Dec takes as input (sk,c) and outputs a message m or ⊥. We denote Game 2 IND-CPA Game: PubKind−cpa the decryption algorithm by m = Decsk(c). A,Π 1: Gen is run to obtain public and secret keys We note that Enc may be probabilistic but Dec (pk,sk). must be deterministic and the following equation 2: Adversary A is given pk, outputs a pair of mes- should hold for any message: sages (m0,m1) of equal length. 3: A random bit b ∈ {0,1} is chosen, the challenge Decsk(Encpk(m)) = m ciphertext c = Encpk(mb) is computed and given to A. 0 A.2 Security Notions 4: A outputs a bit b . 5: The output of the game is defined to be 1 if b0 = b and 0 otherwise. In this subsection, we recall some security notions: Definition A.3. A public key encryption scheme Π = (Gen,Enc,Dec) is indistinguishable secure against Chosen Plaintext Attack (CPA). A chosen- chosen plaintext attacks (IND-CPA) if for all proba- plaintext attack (CPA) is an attack model for bilistic polynomial time adversaries A, there exists a which presumes that the attacker can negligible function such that obtain the for arbitrary plaintexts. The h i 1 Pr PubKind−cpa = 1 ≤ + negl. goal of the attack is to gain information that reduces A,Π 2 the security of the encryption scheme. + where a negligible function µ : N → R is function Modern ciphers aim to provide semantic security, such that for every positive polynomial p(·) there ex- also known as ciphertext indistinguishability under ists Np ∈ N such that for all integers x > Np, we have chosen-plaintext attack, and are therefore by design µ(x) < 1 . generally immune to chosen-plaintext attacks if cor- p(x) rectly implemented. A.3 Semantic security:

This definition comes from (Goldwasser and Micali, One-Wayness. This goal is defined via a game be- 1984), where is called polynomial indistinguishabil- tween the adversary and the challenger as follows: ity, and semantic security is actually the name of a syntactically different, but equivalent, characteriza- B Security Proof tion. This is formally defined via a game between an adversary and a challenger. Theorem 4.1. The Linear Generalized ElGamal En- • The challenger computes: (pk,sk) ←$ KeyGen(), cryption Scheme is IND-CPA secure under the Deci- and gives pk to the adversary. sional Linear Assumption (DLA). • The adversary chooses two messages m0,m1 ∈ M, and gives these to the challenger. Proof. Let G be a group and g be a random generator • The challenger computes r s t of G. Let a random instance (g1 = g ,g2 = g ,g3 = g ) of the Decisional Linear problem that one wants to b ←$ { , }, ←$ E(pk,m ) 0 1 ψ b solve, considering the adversary A against the Linear and gives the ”target ciphertext” ψ to the adver- Generalized ElGamal encryption in time t. We write sary. Game 0 the adversary’s scenarios and we modify it • The adversary outputs b ∈ {0,1}. gradually to the Decisional Linear problem. We note We define the SS-advantage of the adversary to be: C the challenger and D a distinguisher and compare each output when a random is generated or when DH 1 |Pr[b = b] − | is computed. 2 Semantic security means that any efficient adversary’s Game 0: challenger C, adversary A SS-advantage is negligible. $ $ 1: g ← G and k,r ← Zd × Zd/2, compute (s,t) A.4 Homomorphic encryption such that kd = rs + t and output (g1,g2,g3) = (gr,gs,gt ): C Homomorphic encryption is a form of encryption that 2: (m0,m1) ←− A(g1,g2,g3) allows specific types of computations to be executed 3: (c1,c2,c3) ←− E((g1,g2,g3),mσ,α1,α2) where $ $ on ciphertexts and obtain an encrypted result that is σ ← {0,1} and α1,α2 ← G : C 0 the ciphertext of the result of operations performed 4: {0,1} 3 σ ←− A(c1,c2,c3) on the plain text. A homomorphic encryption allows a user to manipulate without needing to decrypt it first. An example of homomorphic encryption is the RSA Here, we have modeled the adversary A as a de- algorithm. Other examples of homomorphic encryp- terministic algorithm that takes as input a random el- tion schemes are the ECC encryption, the ElGamal ement sampled uniformly from some set. It should be evident that this algorithm faithfully represents the at- cryptosystem (Elgamal, 1985), and the Pailler cryp- 0 tack game. If we define S0 to be the event that σ = σ , tosystem. 1 Typically, secure data aggregation mechanisms re- then the adversary’s advantage is |Pr[S0] − 2 |. quire nodes to perform the following operations: Game 1. (This is a transition based on indistin- • at the transmitting node, prior to transmission, guishability). We now make one small change to the data are encrypted with some cryptographic func- above game. Namely, instead of computing c3 as α1+α2 z1+z2 tion E; g3 , we compute it as g for randomly cho- • at the receiving node, all received data packets are sen z1,z2 ∈ Zd. We can describe the resulting game decrypted with the inverse cryptographic function algorithmically as follows: D = E −1 to retrieve the original data; • data are aggregated with an aggregation function; Game 1: challenger C and adversary A • prior to re-transmission, aggregated data are en- $ $ crypted through E and relayed to the next hop. 1: g ← G and k,r ← Zd × Zd/2, compute (s,t) such that kd = rs +t: C Lemma A.4. Linear Generalized ElGamal Encryp- 2: (m0,m1) ←− A(g1,g2,g3) tion Scheme is a homomorphic encryption. t(z +z ) 3: (c1,c2,c3) ←− E((g1,g2,g 1 2 ),mσ,α1,α2) Proof. $ $ The ElGamal encryption scheme, Linear El- where σ ← {0,1} and α1,α2 ← G : C 0 Gamal encryption and Generalized ElGamal Encryp- 4: {0,1} 3 σ ←− A(c1,c2,c3) tion scheme are homomorphic encryptions. Our Lin- ear Generalized ElGamal Encryption scheme has the 0 same encryption mechanism than these schemes but Let S1 be the event that σ = σ in Game 1. with some parameters then it is also a homomorphic 1 encryption. Claim B.1. We prove that: Pr[S1] = 2 . This follows from the fact that in Game 1, Combining Claim B.1 and Claim B.2, we see that t(z1+z2) 1 g is effectively a one-time pad, and as such, |Pr[S0] − 2 | = εdla, and this is negligible. That com- the adversary’s output σ0 is independent of the hid- pletes the proof of security of Linear Generalized El- den bit σ. To prove this more rigorously, it suf- Gamal encryption. fices to show that σ,α1,α2,g1,g2,g3,c1,c2,c3 are mutually independent, since from this, it follows 0 that σ and σ = A(α1,α2,g1,g2,g3,c1,c2,c3) are independent. First observe that by construction, z +z σ,α1,α2,g1,g2,g3,c1,c2,g 1 2 are mutually inde- pendent. It suffices to show that conditioned on any fixed values of σ,α1,α2,g1,g2,g3,c1,c2, the con- ditional distribution of c3 is the uniform distribu- tion over G. Now, if σ,α1,α2,g1,g2,g3,c1,c2 are fixed, then so are m0, m1, since they are determined by α1,α2,g1,g2,g3; moreover, by independence, the conditional distribution of gz1+z2 is the uniform dis- tribution on G, and hence from this, one sees that t(z +z ) the conditional distribution of c3 = g 1 2 ·mσ is the uniform distribution on G.

Claim B.2. We prove that |Pr[S0] − Pr[S1]| = εdla where εdla is the DLA-advantage of some efficient al- gorithm (and hence negligible under the DLA (Deci- sional Linear Assumption). The proof of this is essentially the observation that in Game 0, the triple (grα1 ,gsα2 ,gt(z1+z2)) is of the form (grα1 ,gsα2 ,gt(α1+α2)), while in Game 1, it is of the form (grα1 ,gsα2 ,gt(z1+z2)), and so the adversary should not notice the difference, under the DLA assumption. To be more precise, our distinguishing algorithm D works as follows:

Algorithm: D(grα1 ,gsα2 ,gt(z1+z2)) D • (m0,m1) ←− A (g1,g2,g3) • (c1,c2,λ · mσ) ← E((g1,g2,g3),mσ,α1,α2) t(z +z ) $ $ where λ = g 1 2 , σ ← {0,1}; α1,α2 ← G : C 0 D •{ 0,1} 3 σ ←− A (c1,c2,c3) • If σ = σ0 – then output 1 – else output 0 Algorithm D effectively ”interpolates” between Games 0 and 1. If the input to D is of the form (grα1 ,gsα2 ,gt(α1+α2)), then computation proceeds just as in Game 0, and therefore

$ rα1 sα2 t(α1+α2) Pr[α1,α2 ←− Zd : D(g ,g ,g ) = 1] = Pr[S0]. If the input to D is of the form (grα1 ,gsα2 ,gt(z1+z2)), then computation proceeds just as in Game 1, and therefore

$ rα1 sα2 t(z1+z2) Pr[α1,α2 ←− Zd : D(g ,g ,g ) = 1] = Pr[S1] From this, it follows that the DLA-advantage of D is equal to |Pr[S0] − Pr[S1]|. That completes the proof of Claim B.2.