Review of ElGamal-Like Cryptosystem

The ElGamal cryptosystem should employ the key generation algorithm K

sense. The security had been proven [83] is actually equivalent to theDDH problem.

Recall the ElGamal cryptosystem in Section 3.1. If the plaintext x is larger than modulus p, it should be divided into x₁, x₂,· · · , xn and the length of each xiis smaller than|p|. After dividing x, each xiis fed into the encryption algorithmE:

Epk(y1,i, y_3,i) = Epk(xi, r_i) = (y^ri mod p, x · Y^ri mod p).

Note that ri = rj(i = j), otherwise the cryptosystem is broken by the CPA. For example, the adversary chooses the plaintext x₁, and then she feds x₁ into the encryption algorithm E. With the knowledge of the plaintext-chiphertext (x₁, (y1,1, y_3,1)), she can obtain Y^r1 mod p by computing y3,1 · (x1)⁻¹ mod p without the secret key s. Then, she can easily reveal other plaintexts x₂,· · · , xn by computing xi = y3,i · (y_1,1^s )⁻¹ mod p, for i = 2 to n. In other words, if ri = rj(i = j), the cryptosystem is insecure in the OW-CPAsense.

For encrypting a large message with efficient, Hwang et al. [44] modified some parts in the ElGamal cryptosystem, called the ElGamal-like cryptosys-tem. However, in this section, we will show that even if the ElGamal-like cryptosystem are given the same repair in Section 3.2, it is still insecure in theIND-CPAsense.

Let Π
= (K, E
,D
) be the ElGamal-like cryptosystem.

- Key generation algorithm K : (pk, sk) ← K(1^k), pk = (p, g, Y ) and sk = (p, g, s), where Y = g^s mod p, |p| = k, s ∈ Z^∗p, and # < g >= p.

- Encryption algorithmE
:

(y1, y₂, y_3,i) = Epk
(xi, r₁, r₂) = (g^r1 mod p, g^r2 mod p, xi· (Y^r1 ⊕ (Y^r2)²ⁱ) mod p),

where message x ∈ {0, 1}^>k, x is divided into x₁, x₂,· · · , xn (|x₁| =

|x₂| = · · · = |xn−1|, n = |x|/k, |xn| = |x| mod k, and each xi < p) and r₁, r₂ ←R Zq. The notation⊕ denotes as the bit-wise exclusive-or operation.

- Decryption algorithmD
:

x_i = Dsk
(y1, y₂, y_3,i) = y3,i· (y₁^s⊕ (y₂^s)²ⁱ)⁻¹ mod p, x = x1x₂· · · xn.

This scheme is designed for encrypting large messages, which will more efficient than the ElGamal cryptosystem. Here, we consider the same situa-tion in the ElGamal cryptosytem where the message x < p is for encrypting as follows.

- Encryption algorithmE
:

(y1, y₂, y₃) = Epk
(x, r1, r₂) = (g^r1 mod p, g^r2 mod p, x · (Y^r1 ⊕ (Y^r2)²) mod p),

where message x ∈ {0, 1}^k, x < p, and r₁, r₂ ←R{0, 1}^k.

- Decryption algorithmD
:

x = Dsk
(y1, y₂, y₃) = y3· (y₁^s⊕ (y^s₂)²)⁻¹ mod p.

3.4 Security Analysis

In the following theorem, we prove that the ElGamal-like cryptosystem in Section 3.3 is insure in theCPA sense and has the probability to make that cryptosystem failed.

Theorem 2. Let Π
= (K, E
,D
) be the ElGamal-like cryptosystem described in Section 3.3. An adversary A
is a (t
, 
)-breaker for Π
(1^k) in IND-CPA if Adv^CPA_A
,Π
(k) ≥ 
with the eventFailit does not occur, andA
runs within at most running time t
, where


= 1 and t
≤ t₁+ 3 · tQR.

Proof. We give a simple example and then analyze the results as follows. In the key generation algorithm K, for p = 7, we select a generator g = 5 of Z^∗p and thus QRp = {1, 2, 4} and QNRp = {3, 5, 6}. By Lemma 1, (Y^r2)² mod p∈QRp. We consider the following situations.

SITUATION 1: Y^r1 mod p ∈QRp

The values of computing Y^r1 ⊕ (Y^r2)² mod p are in the set S1 = {1 ⊕ 1 mod 7, 1⊕2 mod 7, 1⊕4 mod 7, 2⊕1 mod 7, 2⊕2 mod 7, 2⊕4 mod 7, 4⊕1 mod 7, 4⊕

2 mod 7, 4 ⊕ 4 mod 7} = {0, 3, 5, 3, 0, 6, 5, 6, 0}.

SITUATION 2: Y^r1 mod p ∈QNRp

The values of computing Y^r1 ⊕ (Y^r2)² mod p are in the set S2 = {1 ⊕ 3 mod 7, 1⊕5 mod 7, 1⊕6 mod 7, 2⊕3 mod 7, 2⊕5 mod 7, 2⊕6 mod 7, 4⊕3 mod 7, 4⊕

5 mod 7, 4 ⊕ 6 mod 7} = {2, 4, 0, 1, 0, 4, 0, 1, 2}.

We can see that the values of Y^r1 ⊕ (Y^r2)² mod p has the probability to be 0, no matter what plaintext x is input to encrypt algorithm E
, the value of

y₃ = x · (Y^r1⊕ (Y^r2)²) mod p is equal to 0. The encrypt algorithm E
is failed, together with the decrypt algorithm D
. We first analyze the probability of Π
= (K, E
,D
) crashed. LetFail, Y^r1 ⊕ (Y^r2)² mod p = 0, be the event that Π
= (K, E
,D
) crashed. By lemma 1, if the value Y^r1 = g^sr1 mod p ∈QRp, then s·r1is even; that either r₁or s are even, which happen with probability Pr[Y^r1 ∈ QRp] = 3/4 and the complement Pr[Y^r1 ∈ QNRp] = 1/4. We can obtain the probability ofFailas follows.

Pr[Fail] = Pr[Fail|Y^r1 ∈ QRp] · Pr[Y^r1 ∈ QRp]

Adversary: A
₂(x0, x₁, state, (y1, y₂, y₃)) occur. By the multiplicative property of Legendre symbol,

y₃ Section 3.2, the key generation algorithm K is replaced as K, and then the cryptosystem becomes Π

= ( K, E
,D
). The following theorem will show

Proof. We also give an example for the key generation algorithm K, where q = 3, p = 2q + 1 = 7, h = 5, g = h² mod p = 4. Obviously, g ∈QRp, therefore, the group is in QRp, where QRp = {1, 2, 4}. The value of Y^r1 ⊕ (Y^r2)² mod p are in the set S₁as the same as in SITUATION1 of Theorem 2. Π

= ( K, E
,D
) has the probability to fail as follows:

Pr[Fail] = Pr[Fail|Y^r1 ∈ QRp] · Pr[Y^r1 ∈ QRp]

= 3 9· 1

= 1 3.

A breaking algorithmA

=: (A

₁,A

₂) in theIND-CPAsense for Π

= ( K, E
,D
) is as follows:

Adversary: A

₁(pk)

Obtain{x0, x₁}, where x0 ∈QRpand x₁ ∈QNRp

Return (x₀, x₁, state) End.

Encryption oracle: OEN(x0, x₁, pk) r₁, r₂ ←RZq

b←R {0, 1}

(y1, y₂, y₃) = Epk
(xb, r₁, r₂)

= (g^r1 mod p, g^r2 mod p, x^b· (Y^r1 ⊕ (Y^r2)²) mod p) Return (y₁, y₂, y₃)

End.

Adversary: A

₂(x0, x₁, state, (y1, y₂, y₃))

CASE1: If y₃ ∈QRp, then outputs 1 CASE2: If y₃ ∈QNRp, then outputs 0 End.

Except the values when Y^r1 ⊕ (Y^r2)² mod p = 0, the Legendre symbol of

Y^r1 ⊕ (Y^r2)² mod p is

Y^r1 ⊕ (Y^r2)² p



= −1,

By the multiplicative property of Legendre symbol,

y₃ polynomial time in Theorem 2 and Theorem 3, respectively.

We can see that no matter what the ElGamal-like cryptosystem employsK or K, the scheme is insecure in theIND-CPA sense, even the cryptosystem will be failed to encrypt and/or decrypt. Though the probability of event Failwill decrease when we chose a large prime q or p (the security parameter k), for both cryptosystems Π
= (K, E
,D
) and Π

= ( K, E
,D
), the values after exclusive-or operation may not in the group Gp and Gq, respectively.

This results in their scheme is insecure in theIND-CPAsense.

The ElGamal cryptosystem has been proven to be secure in the IND-CPA sense in the standard model if the operation is in QRp [83]. The IND-CPA sense is considered as a basic requirement for most provably secure public public key cryptosystems. In many applications, plaintexts may informa-tion which can be guessed easily such as in a BUY/SELL instrucinforma-tion to a stock broker.

In this chapter, we precisely show that the ElGamal cryptosystem is insecure in the IND-CPAsense if the operation is in not QRp. For the ElGamal-like cryptosystem, we give two simple examples to prove it is insecure in the IND-CPA sense either operated in QRp or not (employ the key generation K or K). Besides, the cryptosystem has the probability to be crashed when Y^r1 ⊕ (Y^r2)² mod p = 0. Since the exclusive-or operation is not suitable for the group operation, the computed values cannot be expected in that group.

However, the motivation for encrypting large messages in public public key cryptosystem is practical, since they have bad compared to symmetric cryp-tosystems. Attempt to propose a public key cryptosystem for encrypting large messages and provenGOAL-ATKsecurity in theROor standard model is exhilaratingly.

In the next chapter, an efficient conversion from the semantically secure ElGamal encryption scheme against chosen-plaintext attacks to a seman-tically secure extension of the ElGamal encryption scheme against adaptive chosen-ciphertext attacks in the random oracle model is presented. In the encryption algorithm of the converted scheme, only two random numbers are generated for each encryption. The result of the converted version of the ElGamal encryption scheme not only provides a higher security level but also is more efficient than the ElGamal encryption scheme when encrypting a large plaintext. An analyses of the modified encryption scheme is given to demonstrate its enhanced security.

Chapter 4

An ElGamal-Extension Cryptosystem

4.1 ElGamal-Extension Cryptosystem

Here, we again briefly review the ElGamal encryption scheme (this is the same as in Section 3.1 but we change some parameters for easy-to-read) and show that how to extend the the ElGamal encryption scheme for encrypting a large plaintext.

ElGamal Encryption SchemeΠ = (K, E, D)

Let Π = (K, E, D) be the ElGamal encryption scheme, which is secure in the IND-CPAsense [83].

- Key generation algorithm K: (pk, sk) ← K(1^k0+2k1+l), pk = (p, q, g, Y ) and sk = (p, q, g, s), where Y = g^smod p, |p| = k = k0 + 2k1 + l, s∈ Z/qZ, q|p − 1, and # < g >= q.

- Encryption algorithmE:

(y1, y₃) = Epk(x, r) = (g^r mod p, x · Y^r mod p),

where the plaintext x∈ {0, 1}^k(the plaintext should be chosen from a subgroup [83], however, to simply the notation, we release this restric-tion.) and r ∈RZq.

- Decryption algorithmD:

x = Dsk(y1, y₃) = y3· (y^s₁)⁻¹ mod p.

If the plaintext x > p (|x| > k), it should be divided into several pieces, says x₁, . . . , xn, where xi < p (|xⁱ| < k). For each xi, the random number r should be chosen distinct in the encryption algorithm.

ElGamal-Extension Encryption SchemeΠ = (K, E, D)

Let Π = (K, E, D) be the ElGamal-Extension encryption scheme.

- Key generation algorithmK: (pk, sk) ← K(1^k) = K(1^k).

The key generation algorithmK is the same as in K.

- Hash functions H and J :

H : {0, 1}^k0+2k1 → {0, 1}^l,J : {0, 1}^k → {0, 1}^k.

- Encryption algorithmE:

A large plaintext x is divided into x₁, x₂,· · · , xnsubtexts.

(y₁
, y₂
, y_3,i
) = Epk(xi, r₁, r₂),

1. Concatenate Xi = xi||r1||r2, where xi ∈ {0, 1}^k0, r₁, r₂ ∈R {0, 1}^k1 ∈

2. Compute Ji = J (i · Y^r2 mod p).

3. Compute (y₁, y₃) = Epk(Xi||H(Xi), r1) = (g^r1 mod p, (Xi||H(Xi)) · Y^r1 mod p).

4. Compute (y₁
, y₂
, y_3,i
) = (y1, g^r2 mod p, y3· Ji mod p).

- Decryption algorithmD:

x_i = Dsk(y₁
, y
₂, y_3,i
),

1. Compute Ji = J (i · y₂
^s mod p).

2. Compute Wi = Dsk(y₁
, y_3,i
· J_i⁻¹ mod p).

3. Output

[Wⁱ]^k0, if H([Wⁱ]^k0+2k1) = [Wⁱ]^l null, otherwise

The notations of [Wi]^aand [Wi]b denote the first a-bit and the last b-bit of Wi, respectively

Finally, the whole plaintext x can be concatenated as x₁|| · · · ||xn.

To understand what the ElGamal-Extension encryption scheme can achieve consider the following. The ElGamal encryption scheme is long and in-volved and there is an additional random value Ji for each xi. Even if there are only two random numbers r₁ and r₂, the hash value Ji still makes the encryption scheme probabilistic. If the adversary can obtain the hash value J (i · Y^r2 mod p), she is still faced with the of breaking the ElGamal encryption scheme, i.e. Dsk(y₁
, y₃
· Ji⁻¹ mod p) = Wⁱ. It already knows the ElGamal encryption scheme isIND-CPAsecure [83] under theDDH as-sumption, in which the adversary cannot obtain any bit about the plaintext W_i = xi||r₁||r₂||H(Xi).

Furthermore, to compute the hash value J (i · Y^r2 mod p) with the knowl-edge of the public key Y and the value y₂
is equivalent to solve the Compu-tational Diffie-Hellman (CDH) assumption in Definition 5, which is weaker than the DDH assumption in the same group [71]. If the DDHassumption is held in the group, then theCDHassumption must be held in that group.

Therefore, the security of the proposed scheme can be solely based on the DDHassumption.

To reveal other plaintext xj’s, the adversary cannot compute Jj (∀j = i) un-der the assumption of hash function J (·), since the values of Ji and Jj are nonlinearly related. To meetIND-CCA2, the plaintext xi is protected under the hash function H(·) to ensure the data integrity and has a data integrity validating step in the decryption algorithm. Without this validating step, the adversary could trivially generate ciphertext for which the correspond-ing plaintext is unknown. To do this, she just outputs the random strcorrespond-ings.

In the next section, we give the analyses of the reduction for proving its securities.

4.2 Security Analysis

In this section, our first goal is to show that the ElGamal-Extension encryp-tion scheme is secure in theIND-CCA2sense via Proposition 2. Theorem 4 and Theorem 5 shows that there is a plaintext extractor in the ElGamal-Extension encryption and is secure in theIND-CPAsense, respectively. Here, we only consider that the plaintext x is smaller than p. The sequence num-ber i of xi presented in the ElGamal-Extension encryption scheme is

omit-ted. The sequence number is involved in the ElGamal-Extension encryption scheme to show how the security notation IND-CPAPAIR is achieved when using only two random numbers.

Theorem 4 (Plaintext extractorPE of Π). If there exists a (t, q_H, q_J)-adversary B, then there exists a constant c and a (t
, λ(k))-plaintext extractor PE such that

t
= t + qJq_H(tEpk+ c) and λ(k) = 1 − (qJ · 2^−k+ |Hs| · 2^−l).

t_Epk denotes the computational running time of the encryption algorithm Epk and

|Hs| denotes the number of pairs (h, Hv) in the set Hssuch that (y
₁, y₃
·(Y^[[hv]2k1]k1)⁻¹ mod p) = Epk(h||Hv, [[h]2k1]^k1) in the following specification of PE.

Proof. We construct a plaintext extractorPE as follows:

Extractor: PE(ΛH, ΛJ, C, (y₁
, y₂
, y₃
), pk) For u = 1, · · · , q_J do

For v = 1, · · · , q_Hdo

(y1, y₃) ← (y₁
, y₃
· Ju⁻¹ mod p) If (y1, y₃) == Epk(hv||Hv, [[hv]2k1]^k1)

If ju == Y^[[hv]2k1]k1 mod p then x← [hv]^k0 and break Else x← null

Return x End.

Let c be the computation time of comparing two strings is equal or not, and some overhead. From the specification ofPE, it runs within t+q_Jq_H(tEpk+c).

Since there exists an additional random oracle J (·), ΛJ = {(j1, J₁) , . . . , (jq_J, J_qJ))} denotes the set of all B’s queries and the corresponding an-swers ofJ (·). Intuitionally, the plaintext x together with the random num-bers r₁, r₂ are inputs to the random oracle H(·). Moreover, all the answers

to queries should be obtained by the random oracles in the random ora-cle model. Furthermore, those queries and the corresponding answers are recorded in the lists ΛHand ΛJ. Any generation of valid ciphertext should be obtained via that step. Hence, upon input of the valid ciphertext,PE can find out the corresponding plaintext by watching the lists Λ_Hand Λ_J.

Now the probability that PE correctly outputs the plaintext x, that is x = Dsk(y
₁, y₂
, y₃
). Consider the following events.

Con1∧Con2: the product of events Con1 and Con2, which is assigned to be true if there exists (j, J) in the list ΛJ and (h, H) in the list ΛH such that the conditions (y1, y₃) == Epk(hv||Hv, [[hv]2k1]^k1) and ju == Y^[[hv]2k1]k1 mod p in the specification of PE hold. Two conditions are separately denoted as Con1andCon2.

Fail: an event assigned to be true if x= Dsk(y
₁, y₂
, y
₃).

We now bound the failure probability as follows:

Pr[Fail] = Pr[Fail|Con1∧Con2] · Pr[Con1∧Con2] + Pr[Fail|Con1∧ ¬Con2] · Pr[Con1∧ ¬Con2] + Pr[Fail|¬Con1] · Pr[¬Con1]

≤ Pr[Fail|Con1∧Con2] + Pr[Con1∧ ¬Con2] Pr[Fail|¬Con1]

In the following, we upper bound Pr[Fail|Con1∧Con2], Pr[Con1∧ ¬Con2], and Pr[Fail|¬Con1], respectively.

The specification of PE is as follows. IfCon1∧Con2 is true thenPE never fails to guess the plaintext x and hence Pr[Fail|Con1∧Con2] = 0.

We further upper bound Pr[Con1∧ ¬Con2] as follows:

Pr[Con1∧ ¬Con2] ≤ Pr[Con1|¬Con2]

When ¬Con2 is true, there is a Ju in the list Λ_J such that (y₁
, y₃
· Ju⁻¹ mod p) == Epk(hv||Hv, [[hv]2k1]^k1). Under the random oracle model assumption in Definition 8, the probability of such Juis 2^−k. The conditional probability Pr[Con1|¬Con2] is qJ · 2^−k.

For Pr[Fail|¬Con1], ¬Con1is true and PE outputs null. That is, it guesses (y
₁, y₂
, y₃
) is a invalid ciphertext. Therefore,Failis true impliesB outputs the valid ciphertext (y
₁, y₂
, y
₃). For a fixed (y₁
, y₂
, y₃
) and J = J (Y^[[hv]2k1]k1 mod p), let Hsbe the set of (h, Hv) such that (y
₁, y₃
·J⁻¹ mod p) = Epk(h||Hv, [[h]2k1]^k1).

Then since (y₁
, y₂
, y₃
) ∈ C = {(y
₁, y₂
, y
₃)1,· · · , (y
₁, y₂
, y
₃)q_E} and hence Dsk((y
₁, y₃
· J⁻¹ mod p)i) = h||H(h) for every (y
₁, y₂
, y
₃)i ∈ C. For a fixed (y
₁, y₂
, y
₃) and a fixed h, sinceB doesn’t ask query h to oracle H(·),

Pr[Fail|¬Con1] = Pr

H←Ω[H(h) ∈ Hs] = |Hs| · 2^−l,

where|Hs| denotes the number of pairs in Hs. Obviously,|Hs| is small.

We conclude that Pr[Fail] ≤ qJ · 2^−k+ |Hs| · 2^−l. Hence, λ(k) = 1 − Pr[Fail] = 1 − (qJ · 2^−k+ |Hs| · 2^−l).

Theorem 5 (Π:IND-CPA). If there exists a (t, q_H, q_J, )-breaker A = (A1,A₂) for Π in theIND-CPAsense in the random oracle model, then there exists a constants c and a (t
, 0, 0, 
)-breaker A
= (A
₁,A
₂) for Π in the IND-CPA sense in the standard model, where

t
= t + qH· c + q_J · c and 
=  − qH· 2^−(2k1−2).

Proof. We construct a breaking algorithmA
= (A
₁,A
₂) in theIND-CPAand standard model setting by usingA = (A1,A2) as an oracle.

Firstly, A
initiates two lists ΛH and ΛJ, to empty. Basically, when A asks query h and j,A
simulates two random oraclesH(·) and J (·) as follows: If hhas not been asked in the list ΛH,A
provides a random string H of length l-bit, and adds an entry (h, H) to the list ΛH. Similarly, if j has not been asked in the list ΛJ,A
provides a random string J of length k-bit, and adds an entry (j, J) to the list ΛJ. When A1 halts and outputs (x0, x₁, state), A
₁

Then, outside of A
, the ciphertext (y1, y₃) = Epk(xb||γb||βb, R) is computed by the encryption oracleOEN, where b ∈ {0, 1} is a random bit and R ∈ Zq

is a random string. Finally, (x0, x₁, state, (y1, y₃)) is input to A2.

Encryption oracle: OEN(x0||γ₀||β₀, x₁||γ₁||β₁, pk) R←RZq

b←R {0, 1}

(y1, y₃) ← Epk(xb||γb||βb, R) Return (y₁, y₃)

End.

A
₂chooses a random string r₂ ∈ Zq and k-bit random string J^∗. Then it sets y₁
= y1, y₂
= g^r2 mod p, and y
₃ = y3·J^∗ mod p. Note that (y₁
, y₂
, y
₃) is treated as the ciphertext of xb.

Adversary: A
₂(x0||γ0||β0, x₁||γ1||β1, state, (y1, y₃))

The argument behind the proof is as follows: WhenA2 asks the query j = Y^r2 mod p, A
₂ answers J^∗ and Askj is set be true. Since the random string r₂ is chosen by A
₂, it has the ability to check whether the query j is equal to Y^r2 mod p or not. Once Askj is true and A2 asks a query h = xb||γb, it is almost equivalent toDsk(y1, y₃) = D^sk(y₁
, y
₃· (J^∗)⁻¹mod p), since A2has no clue to γ¯bwhere ¯b is the complement of bit b. The probability to ask h = x¯b||γ¯b

is 2^−(2k1) which is negligible. Under the condition Askj=true,A
₂ can expect that it will output a correct bit b ifA2 asks either h = x0||γ0or h = x1||γ1. If

from a correct ciphertext.

To analyze the success probability of A
= (A
₁,A
₂), we recall the defini-tions of success probabilities ofA
= (A
₁,A
₂) and A = (A1,A2) in Defini-tion 9. Consider the follows events to capture the success probabilities of A = (A1,A2) and A
= (A
₁,A
₂)

Askj: is true if aJ -query j = Y^r2 mod p was made by A2. Askb: is true if aH-query h = xb||γb was made byA2. Ask¯b: is true if a H-query h = x¯b||γ¯bwas made byA2.

The probability ofSucc^IND-CPA_A
,Π (k) can be obtained by considering the condi-tions of the product of eventsAskj∧Askband its complement. Then,

Pr[Succ^IND-CPA_A
,Π (k)] = Pr[Succ^IND-CPA_A
,Π (k)|Askj ∧Askb] · Pr[Askj ∧Askb] + Pr[Succ^IND-CPA_A
,Π (k)|¬Askj ∨ ¬Askb] · Pr[¬Askj∨ ¬Askb].

The probability of¬Askj ∨ ¬Askbcan be written as,

Pr[¬Askj∨ ¬Askb] = Pr[(¬Askj∨ ¬Askb) ∧Ask¯b] + Pr[(¬Askj∨ ¬Askb) ∧ ¬Ask¯b].

Then,

Pr[Succ^IND-CPA_A
,Π (k)] = Pr[Succ^IND-CPA_A
,Π (k)|Askj ∧Askb] · Pr[Askj ∧Askb] + Pr[Succ^IND-CPA_A
,Π (k)|(¬Askj ∨ ¬Askb) ∧Ask¯b] · Pr[(¬Askj ∨ ¬Askb) ∧Ask¯b] + Pr[Succ^IND-CPA_A
,Π (k)|(¬Askj ∨ ¬Askb) ∧ ¬Ask¯b] · Pr[(¬Askj∨ ¬Askb) ∧ ¬Ask¯b].(4.1)

Similarly,

Pr[Succ^IND-CPA_A,Π (k)] = Pr[Succ^IND-CPA_A,Π (k)|Askj ∧Askb] · Pr[Askj ∧Askb] + Pr[Succ^IND-CPA_A,Π (k)|(¬Askj ∨ ¬Askb) ∧Ask¯b] · Pr[(¬Askj ∨ ¬Askb) ∧Ask¯b] + Pr[Succ^IND-CPA_A,Π (k)|(¬Askj ∨ ¬Askb) ∧ ¬Ask¯b] · Pr[(¬Askj∨ ¬Askb) ∧ ¬Ask¯b].(4.2)

From the specification ofA
, we have the following equations,

Equation (4.1) and Equation (4.2) are computed as follows.

Pr[Succ^IND-CPA_A
,Π (k)] − Pr[Succ^IND-CPA_A,Π (k)]

Theorem 4 and Theorem 5 show that the encryption scheme is secure in thePAsense. Intuitively,PE can simulate the decryption oracle in the IND-CCA2 sense with an overwhelming probability. Via Proposition 1, we can

Theorem 6 (Π:IND-CCA2). If there exists a (t, qH, q_J, q_D, )-breaker A = (A1,A2) for Π in the sense ofIND-CCA2in the random oracle model, then there exist a con-stant c and a (t
, 0, 0, 0, 
)-breaker A
= (A
₁,A
₂) for Π in the sense ofIND-CPA in the standard model where

t
= t + qHq_J(TEpk+ c) + qHc + qJc and 
= ( − qH· 2^−(2k1−2)) · λ(k)^qD.

Proof. From the result of Theorem 6, it is found out that the encryption scheme Π is secure in the IND-CCA2. The proof is omitted since it is clear from the following specification of adversary A
combined with the proofs in Theorem 4 and Theorem 5.

Adversary: A
₁(pk)

Adversary: A
₂(x0||γ0||β0, x₁||γ1||β1, state, (y1, y₃))

Now, we have to consider whether the ElGamal-Extension encryption scheme Π is secure when using only two random numbers r1, r₂ for each piece xi. We first show that when using only one random number r in the ElGamal encryption scheme Π, what the advantage of the adversary A = (A₁,A2) is in theIND-CPAPAIR sense in Definition 12.

Basically,A1 with the input pk arbitrarily outputs three plaintexts x^∗, x₀, x₁ with the same length|x^∗| = |x0| = |x1|.

Adversary: A₁(pk)

Return (x^∗, x₀, x₁, state) End.

Then, the ciphertexts (y^∗₁, y₃^∗) = Epk(x^∗, r) and (y1, y₃) = Epk(xb, r) computed by the encryption oracleOEN, where b∈ {0, 1} is a random bit and r ∈ Zqis a random string.

Encryption oracle: OEN(x^∗, x₀, x₁, pk) r←RZq

(y₁^∗, y₃^∗) ← Epk(x^∗, r) b←R {0, 1}

(y1, y₃) ← Epk(xb, r)

Return (x^∗
(y₁^∗, y₃^∗), (y1, y₃)) End.

Finally, (x0, x₁, state, x^∗
(y₁^∗, y₃^∗), (y1, y₃)) are inputted to A2. The aim ofA2

is to output the correct b.

Adversary: A2(x0, x₁, state, x^∗
(y^∗₁, y₃^∗), (y1, y₃)) Y^r ← y₃^∗· (x^∗)⁻¹ mod p

If y₃· (Y^r)⁻¹ mod p == x0

Return 0 Else

Return 1 End.

From the specification of A2, since y₃^∗ = x^∗ · Y^r mod p and x^∗
(y^∗₁, y^∗₃),

∗ ∗ −1

y₃ = xb· Y^r mod p, A2can determine if y₃· (Y^r)⁻¹ mod p is equal to x0. If it is then outputs 0 otherwise output 1. Thus,A2always correctly outputs b, that is, Pr[Succ^IND-CPA_A,Π ^PAIR(k)] = 1 andAdv^IND-CPA_A,Π ^PAIR(k) = 2 · Pr[Succ^IND-CPA_A,Π ^PAIR(k)] − 1 = 1.

The pair of plaintext-ciphertext x^∗
(y₁^∗, y₃^∗) is the “cryptanalysis training”

for the adversary. Here, the reason for giving the pair x^∗
(y^∗₁, y^∗₃) from OEN not generated by the adversary herself is that the adversary cannot generate the pair x^∗
(y^∗₁, y^∗₃) using the same random number r. Hence, the training is provided byOEN.

Obviously, if the encryption oracle chooses a different r, this training does not give any help to the adversary and the scheme is secure in the IND-CPAPAIR sense. In the following theorem, we show only two random num-bers r₁, r₂in the ElGamal-Extension encryption scheme is secure in the IND-CPAPAIR sense.

Theorem 7 (Π:IND-CPAPAIR). If there exists a (t, q_H, q_J, )-breaker A = (A1,A2) for Π in the IND-CPA_PAIR sense in the random oracle model and the probability Pr[¬Succ^PAIR_A,Π(k)] is non-negligible, then there exists a constant c and a (t
, 0, 0, 
)-breaker A
= (A
₁,A
₂) for Π in the IND-CPA_PAIR sense in the standard model, where

t
= t + qH· c + q_J · c and 
= ( − q_H

2^2k1−2) · Pr[¬Succ^PAIR_A,Π(k)] − Pr[Succ^PAIR_A,Π(k)].

Proof. The event Succ^PAIR_A,Π(k) will be defined later. Basically, A
₁ calls A1

as a subroutine. The answers for H-query and J -query are the same as in Theorem 5. When A1 halts and outputs (x^∗, x₀, x₁, state), A
₁ outputs (x^∗||γ^∗||β^∗, x₀||γ0||β0, x₁||γ1||β1, state) where γ^∗, γ₀, γ₁ are (2k1)-bit random

strings and β^∗, β₀, β₁ are l-bit random strings. are computed by the encryption oracle OEN, where b ∈ {0, 1} is a random bit and R^∗, R₁ ∈ Zq are random strings.

The algorithm A
₂ is similar to Theorem 5. The difference is that it sets

From the specification ofA
₂, it simulates the encryption oracleOEN to gen-erate a pair x^∗
(y₁^∗, y₂^∗, y₃^∗) for the cryptanalysis training. If A2 detects that pair is not valid, the simulation fails. Thus, A
₂ cannot make full use of the A2’s ability to get non-negligible advantage. Let Succ^PAIR_A,Π(k) be the

event that A2 detects that pair is not valid. We can rewrite the probabil-ity of Succ^IND-CPA_A
,Π (k) in the inequality (4.3) as the conditional probability of Succ^IND-CPA_A
,Π (k) given ¬Succ^IND-CPA_A
,Π (k).

Pr[Succ^IND-CPA_A
,Π (k)|¬Succ^PAIR_A,Π(k)] ≥  + 1

2 − q_H

2^2k1−1. (4.4) By the law of total probability,

Pr[Succ^IND-CPA_A
,Π (k)] = Pr[Succ^IND-CPA_A
,Π (k)|Succ^PAIR_A,Π(k)] · Pr[Succ^PAIR_A,Π(k)] + Pr[Succ^IND-CPA_A
,Π (k)|¬Succ^PAIR_A,Π(k)] · Pr[¬Succ^PAIR_A,Π(k)].

From the specification ofA
, we know that

Pr[Succ^IND-CPA_A
,Π (k)|Succ^PAIR_A,Π(k)] = 0 (4.5)

Via Inequality (4.4) and Equation (4.5), we obtain

Pr[Succ^IND-CPA_A
,Π (k)] ≥ ( + 1

2 − q_H

2^2k1−1) · Pr[¬Succ^PAIR_A,Π(k)].

To calculate the advantage ofA
,

Adv^IND-CPA_A
,Π (k) = 2 · Pr[Succ^IND-CPA_A
,Π (k)] − 1

Finally, it should be determined if the probability Pr[¬Succ^PAIR_A,Π(k)] is negli-gible or not. Obviously, if Pr[¬Succ^PAIR_A,Π(k)] is non-negligible, then the proof is concluded. For the running time ofA
, it is similar to that in Theorem 5.

To show that Pr[¬Succ^PAIR(k)] is non-negligible consider the following.

We claim that the adversary can distinguish whether a pair of plaintext-ciphertext is at least as hard as the DDH problem. Here, we construct a game, called PAIR. PAIR is defined via the following game played by the adversaryA = (A₁,A₂).

First, the encryption scheme’s key generation algorithm is run, with a secu-rity parameter as input. Next, the adversary A₁ chooses a plaintext x^∗ and sends it to an encryption oracle. The encryption oracle encrypts x^∗ to obtain the ciphertext c₀ and chooses a random string c₁ with the same length as c₀ (|c0| = |c1|). The encryption oracle chooses a bit b at random and give a pair x^∗
cbto the adversaryA2.

After receiving the pair from the encryption oracle, the adversaryA2

After receiving the pair from the encryption oracle, the adversaryA2

在文檔中 可證明安全的公開金鑰密碼系統與通行碼驗證金鑰交換 (頁 53-83)