Linear Generalized ElGamal Encryption Scheme Pascal Lafourcade, Léo Robert, Demba Sow To cite this version: Pascal Lafourcade, Léo Robert, Demba Sow. Linear Generalized ElGamal Encryption Scheme. In- ternational Conference on Security and Cryptography (SECRYPT), Jul 2020, Paris, France. hal- 02559556 HAL Id: hal-02559556 https://hal.archives-ouvertes.fr/hal-02559556 Submitted on 30 Apr 2020 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Linear Generalized ElGamal Encryption Scheme Pascal Lafourcade1,Leo´ Robert1, and Demba Sow2 1LIMOS, Universite´ Clermont Auvergne, France, [email protected] , [email protected] 2LACGAA, Universite´ Cheikh Anta Diop de Dakar, Sen´ egal´ , [email protected] Keywords: Cryptography, Partial homomorphic encryption, Linear Assumption, ElGamal encryption scheme. Abstract: ElGamal public key encryption scheme has been designed in the 80’s. It is one of the first partial homomorphic encryption and one of the first IND-CPA probabilistic public key encryption scheme. A linear version has been recently proposed by Boneh et al. In this paper, we present a linear encryption based on a generalized version of ElGamal encryption scheme. We prove that our scheme is IND-CPA secure under linear assumption. We design a generalized ElGamal scheme from the generalized linear. We also run an evaluation of performances of our scheme. We show that the decryption algorithm is slightly faster than the existing versions. 1 Introduction Contributions. We propose the following results: • Most of today’s public key cryptosystems are re- In 2009 in his thesis (Gentry, 2009), G. Gren- sistant to various types of attacks and are effec- try proposed the first fully homomorphic encryption tive. Their main role is the protection of commu- scheme. It was a revolution and it solves an open nications so they guarantee the security of the data problem already stated by Rivest Shamir and Adel- exchanged or stored. Thus, it will always be inter- man when they invented RSA in (Rivest et al., 1978). esting to find a new encryption scheme or to im- Many advances have been done and nowadays we prove a known one. It is in this context that we have some efficient implementations like for instance propose a linear Generalized ElGamal encryption SEAL developed by Microsoft (SEAL, 2019). How- scheme. The modifications are about the key gen- ever for some applications like the inversion of a large eration which lead to a different encryption and matrix or multiplications of large matrices fully ho- decryption algorithms. Like linear ElGamal en- momorphic encryption schemes can be very slow or cryption, the linear Generalized ElGamal encryp- produce large ciphertext or even be inexact. It is why tion scheme is IND-CPA secure under (DLA). all partial homomorphic encryptions like RSA (Rivest et al., 1978), GM (Goldwasser and Micali, 1982), • We also propose the ElGamal and the Generalized ElGamal (Elgamal, 1985), Benaloh (Benaloh, 1999; ElGamal schemes from the generalized linear. Fousse et al., 2011), Okamoto-Uchiyama (Okamoto • We implement the algorithms and compare their and Uchiyama, 1998), Naccache-Stern (Naccache performances with the original algorithms. Our and Stern, 1998), Paillier (Paillier, 1999) or Gal- performance evaluations show that the decryption braith (Galbraith, 2002), are still widely used. They algorithm is faster. We also demonstrate that our can be used to solve such problems in reasonable key generation algorithm is slower, but this is not among of time like in (Ciucanu et al., 2019). a problem since this operation is usually done Many cryptosystems rely on the Diffie-Hellman only once. decision problem (DDH) (Boneh, 1998; Joux and Guyen, 2006) assumption, notably the ElGamal en- cryption scheme and the Cramer-Shoup encryption Related works. In 1985, Taher ElGamal (Elgamal, scheme (Cramer and Shoup, 1998). In (D. Boneh and 1985) proposed an encryption and signature scheme Shacham, 2004b), Boneh et al. introduced the Deci- called ElGamal scheme. sional Linear Assumption (DLA) and a variation of In (Hanoymak, 2013), Turgut Hanoymak proves ElGamal encryption scheme. Our aim is to improve the security of ElGamal encryption scheme which this linear version of ElGamal encryption scheme us- is based on the hardness to solve the Computa- ing the same approach proposed in (Sow and Sow, tional Diffie-Hellman (CDH) and Decisional Diffie- 2011). Hellman (DDH) problems. In (D. Boneh and Shacham, 2004b), Boneh et al. Key Generation Algorithm. For the creation of a proposed a linear encryption scheme based on the El- public/secret key, Bob should do the following: Gamal encryption scheme. The linear ElGamal en- 1. Select a finite cyclic group G of order d with gen- cryption scheme is IND-CPA secure under the (DLA). erator g. In (Sow and Sow, 2011), a modified variant of 2. Select a random integer a such that 2 < a < d. a the ElGamal scheme is presented, and it is called 3. Compute h = g in G. Generalized ElGamal. As ElGamal’s scheme, the 4. The public key is pk = (G;d;g;h) and the secret Generalized ElGamal scheme is based on Decisional key is sk = a. Diffie-Hellman Problem (DDH). In the Generalized ElGamal scheme, the decryption key size is smaller Encryption Algorithm. To encrypt a message m than those of ElGamal scheme. Hence the General- for Bob, Alice should do the following: ized ElGamal scheme is more efficient than ElGamal 1. Take pk = (G;d;g;h), the Bob’s public key; scheme; since the decryption process is a bit faster. 2. Select a random integer r such that 1 < r < d = The encryption mechanism has the same efficiency #G; than ElGamal encryption mechanism. But, the key r r 3. Compute c1 = g and c2 = m · h in G; generation algorithm is slower than the key genera- 4. The ciphertext is c = (c1;c2). tion algorithm of ElGamal scheme. However, this is not a problem since the key generation is done only Decryption Algorithm. To decrypt a ciphertext c, once. Bob should do the following: 1. Take sk = a the secret key. Outline of paper. In Section 2, we present the orig- c2 2. Compute m = a , we note that m 2 G. inal ElGamal encryption scheme and the Generalized (c1) 3. The plaintext is m. ElGamal encryption scheme. In Section 3, we present the Linear assumption, the linear ElGamal encryp- tion scheme and the ElGamal encryption scheme from Security proof of ElGamal encryption. We recall the generalized linear. In Section 4, we propose the some theorems, which show the security of ElGamal linear Generalized ElGamal encryption scheme and encryption scheme under the CDH and DDH assump- k the Generalized ElGamal encryption scheme from the tions. Let GP an algorithm which takes 1 and re- generalized linear. In Section 5, we propose a com- turns the public key pk = (G;d;g;h) of the ElGamal plexity analysis of our scheme. In Section 6.1, we encryption scheme. present the curves showing the average time of the I One-wayness under the CDH Assumption. If key generation, encryption and decryption algorithms the CDH assumption holds with respect to GP , of the ElGamal encryption scheme and the General- then the ElGamal encryption scheme is one-way. ized ElGamal encryption scheme. In Section 6.2, we Theorem 2.1. Let adversary be a probabilis- also present the curves showing the average time of A tic polynomial-time algorithm against the ElGa- the key generation, encryption and decryption algo- mal encryption scheme (Elgamal, 1985) in the rithms of the Linear ElGamal encryption scheme and OW-CPA sense. Then there is a probabilistic the Linear Generalized ElGamal encryption scheme. polynomial-time algorithm against solving Note that a full version with the security proofs is B GP the CDH problem such that: available on (Lafourcade et al., 2020). CDH OW−CPA AdvGP ;B (k) = AdvP;A (k): 2 ElGamal and Generalized I Indistinguishability under the DDH Assump- tion. If the DDH assumption holds with respect ElGamal Encryption Schemes to GP , then the ElGamal encryption scheme is indistinguishable under chosen-plaintext attacks, We recall the ElGamal encryption scheme (Elga- i.e., it is IND-CPA secure. mal, 1985) and the Generalized ElGamal encryption scheme (Sow and Sow, 2011). Theorem 2.2. Let adversary A be a probabilis- tic polynomial-time against the ElGamal encryp- 2.1 The ElGamal Encryption Scheme tion scheme in the IND-CPA sense. Then there is a probabilistic polynomial-time algorithm B against solving the DDH problem such that: Given a computational group scheme G, the ElGamal GP public-key encryption is defined as following (Elga- 1 AdvDDH (k) = · AdvIND−CPA(k): mal, 1985): GP ;B 2 P;A I Semantic security. In (J. Katz, 2008), Katz and is an attacker A that inverse the Generalized El- al. prove the semantic security of the ElGamal Gamal encryption then we can build an algorithm encryption scheme. B that solves CDH, it means that Theorem 2.3. Under the DDH assumption, El- AdvCDH (k) = AdvOW−CPA(k): Gamal encryption scheme is semantically secure. GP ;B P;A I Indistinguishability under the DDH Assump- 2.2 Generalized ElGamal Encryption tion. Scheme Theorem 2.5. Under the DDH Assumption, the Generalized ElGamal encryption scheme is indis- We give a key generation mechanism and a public key tinguishable under Chosen Plaintext Attacks, i.e., encryption algorithm (Sow and Sow, 2011), which it is IND-CPA secure.