Linear Generalized Elgamal Encryption Scheme

Linear Generalized Elgamal Encryption Scheme

Linear Generalized ElGamal Encryption Scheme Demba Sow1,Leo´ Robert2, and Pascal Lafourcade2 1LACGAA, Universite´ Cheikh Anta Diop de Dakar, Sen´ egal´ , [email protected] 2LIMOS, Universite´ Clermont Auvergne, France, [email protected] , [email protected] Keywords: Cryptography, Partial homomorphic encryption, Linear Assumption, ElGamal encryption scheme. Abstract: ElGamal public key encryption scheme has been designed in the 80’s. It is one of the first partial homomorphic encryption and one of the first IND-CPA probabilistic public key encryption scheme. A linear version has been recently proposed by Boneh et al. In this paper, we present a linear encryption based on a generalized version of ElGamal encryption scheme. We prove that our scheme is IND-CPA secure under the linear assumption. We design a also generalized ElGamal scheme from the generalized linear. We also run an evaluation of performances of our scheme. We show that the decryption algorithm is faster than the existing versions. 1 Introduction Contributions. We propose the following results: In 2009 in his thesis (Gentry, 2009), G. Gren- • Most of today’s public key cryptosystems are re- try proposed the first fully homomorphic encryption sistant to various types of attacks and are effec- scheme. It was a revolution and it solves an open tive. Their main role is the protection of commu- problem already stated by Rivest Shamir and Adel- nications so they guarantee the security of the data man when they invented RSA in (Rivest et al., 1978). exchanged or stored. Thus, it will always be inter- Many advances have been done and nowadays we esting to find a new encryption scheme or to im- have some efficient implementations like for instance prove a known one. It is in this context that we SEAL developed by Microsoft (SEAL, 2019). How- propose a linear Generalized ElGamal encryption ever for some applications like the inversion of a large scheme. The modifications are about the key gen- matrix or multiplications of large matrices fully ho- eration which lead to a different encryption and momorphic encryption schemes can be very slow or decryption algorithms. Like linear ElGamal en- produce large ciphertext or even be inexact. It is why cryption, the linear Generalized ElGamal encryp- all partial homomorphic encryptions like RSA (Rivest tion scheme is IND-CPA secure under (DLA). et al., 1978), GM (Goldwasser and Micali, 1982), • We also propose the ElGamal and the Generalized ElGamal (Elgamal, 1985), Benaloh (Benaloh, 1999; ElGamal schemes from the generalized linear. Fousse et al., 2011), Naccache-Stern (Naccache and • We implement the algorithms and compare their Stern, 1998), Okamoto-Uchiyama (Okamoto and performances with the original algorithms. Our Uchiyama, 1998), Paillier (Paillier, 1999) or Gal- performance evaluations show that the decryption braith (Galbraith, 2002), are still widely used. They algorithm is faster. We also demonstrate that our can be used to solve such problems in reasonable key generation algorithm is slower, but this is not among of time like in (Ciucanu et al., 2019). a problem since this operation is usually done Many cryptosystems rely on the Diffie-Hellman only once. decision problem (DDH) (Boneh, 1998; Joux and • In general, if we work in a cyclic subgroup of size Guyen, 2006) assumption, notably the ElGamal en- d (with d a large prime), we can keep d secret and cryption scheme and the Cramer-Shoup encryption we can also use a secret exponent r for decryp- scheme (Cramer and Shoup, 1998). In (D. Boneh and jdj tion of size ,( where n0 is some integer which Shacham, 2004b), Boneh et al. introduced the Deci- n0 sional Linear Assumption (DLA) and a variation of divides jdj, the size of d). For example, it is possi- ElGamal encryption scheme. Our aim it to improve ble, for different security levels, to use a small key this linear version of ElGamal encryption scheme us- for decryption. Therefore, our scheme is faster ing the same approach proposed in (Sow and Sow, than the classical ElGamal one’s for the decryp- 2011). tion process. Related works. In 1985, Taher ElGamal (Elgamal, 2.1 The ElGamal Encryption Scheme 1985) proposed an encryption and signature scheme called ElGamal scheme. Given a computational group scheme G, the ElGamal In (Hanoymak, 2013), Turgut Hanoymak proves public-key encryption is defined as following (Elga- the security of ElGamal encryption scheme which mal, 1985): is based on the hardness to solve the Computa- tional Diffie-Hellman (CDH) and Decisional Diffie- Hellman (DDH) problems. Key Generation Algorithm. To create a pub- In (D. Boneh and Shacham, 2004b), Boneh et al. lic/secret key, Bob should do the following: proposed a linear encryption scheme based on the El- 1. Select a finite cyclic group G of order q with gen- Gamal encryption scheme. The linear ElGamal en- erator g. cryption scheme is IND-CPA secure under the (DLA). 2. Select a random integer a such that 2 < a < q. a In (Sow and Sow, 2011), a modified variant of 3. Compute h = g in G. the ElGamal scheme is presented, and it is called 4. The public key is pk = (G;q;g;h) and the secret Generalized ElGamal. As ElGamal’s scheme, the key is sk = a. Generalized ElGamal scheme is based on Decisional Diffie-Hellman Problem (DDH). In the Generalized Encryption Algorithm. To encrypt a message m ElGamal scheme, the decryption key size is smaller for Bob, Alice should do the following: than those of ElGamal scheme. Hence the General- 1. Take pk = ( ;q;g;h), the Bob’s public key; ized ElGamal scheme is more efficient than ElGamal G 2. Select a random integer r such that 1 < r < q = scheme; since the decryption process is faster. The # ; encryption mechanism has the same efficiency than G 3. Compute c = gr and c = m · hr in ; ElGamal encryption mechanism. But, the key gener- 1 2 G 4. The ciphertext is c = (c ;c ). ation algorithm is slower than the key generation al- 1 2 gorithm of ElGamal scheme. However, this is not a problem since the key generation is done only once. Decryption Algorithm. To decrypt a ciphertext c, Bob should do the following: Outline of paper. In Section 2, we show the origi- 1. Take sk = a the secret key. c2 2. Compute m = a , we note that m 2 . nal ElGamal encryption scheme and the Generalized (c1) G ElGamal encryption scheme. In Section 3, we present 3. The plaintext is m. the Linear assumption, the linear ElGamal encryp- tion scheme and the ElGamal encryption scheme from Security proof of ElGamal encryption. We recall the generalized linear. In Section 4, we propose the some theorems presented in (Farshim, 2011), which linear Generalized ElGamal encryption scheme and show the security of ElGamal encryption scheme un- the Generalized ElGamal encryption scheme from the der the CDH and DDH assumptions. Let GP an al- generalized linear. In Section 5, we propose a com- gorithm which takes 1k and returns the public key plexity analysis of our scheme. In Section 6.1, we pk = ( ;q;g;h) of the ElGamal encryption scheme. present the curves showing the average time of the G One-wayness under the CDH Assumption. If key generation, encryption and decryption algorithms I the CDH assumption holds with respect to , of the ElGamal encryption scheme and the General- GP then the ElGamal encryption scheme is one-way. ized ElGamal encryption scheme. In Section 6.2, we Theorem 2.1. Let be a probabilistic also present the curves showing the average time of A polynomial-time algorithm against the El- the key generation, encryption and decryption algo- Gamal encryption scheme (Elgamal, 1985) in rithms of the Linear ElGamal encryption scheme and the OW-CPA sense. Then there is a probabilistic the Linear Generalized ElGamal encryption scheme. polynomial-time algorithm B against GP solving the CDH problem such that: AdvCDH (k) = AdvOW−CPA(k): 2 ElGamal and Generalized GP ;B P;A ElGamal Encryption Schemes I Indistinguishability under the DDH Assump- tion. If the DDH assumption holds with respect We recall the ElGamal encryption scheme (Elga- to GP , then the ElGamal encryption scheme is mal, 1985) and the Generalized ElGamal encryption indistinguishable under chosen-plaintext attacks, scheme (Sow and Sow, 2011). i.e., it is IND-CPA secure. Theorem 2.2. ((Farshim, 2011)) Let A be a prob- Decryption algorithm. To decrypt a ciphertext abilistic polynomial-time against the ElGamal en- (c1;c2) encrypted with the public key ((g;d);d;G) cryption scheme in the IND-CPA sense. Then and knowing the associate secret key (r;G), we just r there is a probabilistic polynomial-time algorithm need to compute c1c2. B against GP solving the DDH problem such that: Provable security of the Generalized ElGamal En- 1 cryption Scheme. AdvDDH (k) = · AdvIND−CPA(k): GP ;B 2 P;A I One-wayness under the CDH Assumption. Theorem 2.4. Under the CDH Assumption, the Semantic security. In (J. Katz, 2008), Katz and I Generalized ElGamal encryption scheme is One- al. prove the semantic security of the ElGamal Way secure under Chosen Plaintext Attack (OW- encryption scheme. CPA). That is, for a security parameter k, if there Theorem 2.3. Under the DDH assumption, El- is an attacker that inverse the Generalized El- Gamal encryption scheme is semantically secure. A Gamal encryption then we can build an algorithm B that solves CDH, it means that 2.2 Generalized ElGamal Encryption CDH (k) = OW−CPA(k): Scheme AdvGP ;B AdvP;A I Indistinguishability under the DDH Assump- We give a key generation mechanism and a public key tion. encryption algorithm (Sow and Sow, 2011), which Theorem 2.5.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    11 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us