
AE encryption is as secure as the ElGamal encryption

National Chengchi University

Besides, it is worth noting that the encryption can also take a ciphertext as input. Let $C_{1,2} \leftarrow Enc((pk_1, pk_2), m)$; this ciphertext can be further encrypted into $C_{1,2,3} \leftarrow Enc(pk_3, C_{1,2})$. It is also remarkable that the order of encryption and decryption among the different public keys and secret keys does not affect correctness. However, the ciphertext $C_{1,\dots,n}$ is composed of $n + 1$ elements $(U, V_1, \dots, V_n)$ whose order cannot be permuted, because correctness ties each $V_i$ to the key at position $i$.

Note that the ciphertext size grows linearly with the group size.

Security notion

A brief, high-level description of its security is as follows. For $n = 1$, the AE encryption is an ElGamal encryption, so its security is identical to that of ElGamal. For $n > 1$, each ciphertext can be reduced recursively as $C_{1,\dots,n} \leftarrow Enc(pk_n, C_{1,\dots,n-1})$, and the innermost ciphertext $C_1$ is secure based on ElGamal encryption. The repeated encryption does not increase the advantage in distinguishing the hidden message $m_b$, because the decryption oracle $\mathcal{O}_{Dec}$ does not help under IND-CCA security. This is an informal argument; the formal proof is given below.

Theorem 4: AE encryption is as secure as the ElGamal encryption

Proof. Assume that there is an adversary $\mathcal{A}$ with a non-negligible advantage in breaking the AE encryption; then a simulator $\mathcal{S}$ can use $\mathcal{A}$ to break the IND-CCA security of ElGamal. Let $\mathcal{O}_{Dec,ElGamal}(\cdot)$ be the decryption oracle of the IND-CCA experiment for ElGamal encryption before the challenge is received. The security reduction is illustrated in Figure 11. Because ElGamal has been rigorously proved IND-CCA secure, by contradiction AE encryption is IND-CCA secure.


[Figure 11, reconstructed from the page residue. Three columns: adversary $\mathcal{A}$, simulator $\mathcal{S}$, and the experiment $Exp^{IND\text{-}CCA}_{\mathcal{A},ElGamal}(\lambda)$.
Experiment: $pp \leftarrow Setup(1^\lambda)$; $(sk_1, pk_1) \leftarrow KGen(pp)$; $(pp, pk_1)$ is sent to $\mathcal{S}$.
Simulator: $\forall i \in [2, n]$: $(sk_i, pk_i) \leftarrow KGen(pp)$; $\mathbf{pk} \leftarrow (pk_1, \dots, pk_n)$; $\mathbf{pk}' \leftarrow (pk_2, \dots, pk_n)$; $\mathbf{sk}' \leftarrow (sk_2, \dots, sk_n)$; $(pp, \mathbf{pk})$ is sent to $\mathcal{A}$.
Adversary: $(m_0, m_1) \leftarrow \mathcal{A}^{\mathcal{O}_{Dec}(\cdot)}(pp, \mathbf{pk})$, forwarded by $\mathcal{S}$ to the experiment.
Experiment: $C_b \leftarrow Enc(pk_1, m_b)$. Simulator: $C \leftarrow Enc(\mathbf{pk}', C_b)$. Adversary: $b' \leftarrow \mathcal{A}(pp, \mathbf{pk}, C)$, forwarded by $\mathcal{S}$ as its own output.
Oracle $\mathcal{O}_{Dec}(C_{1,\dots,n})$: $C_1 \leftarrow Dec(\mathbf{sk}', C_{1,\dots,n})$; $m \leftarrow \mathcal{O}_{Dec,ElGamal}(C_1)$.]

Figure 11: The security reduction from AE encryption to ElGamal

In Figure 11, the simulator takes the public parameter $pp$ and the public key $pk_1$ from the IND-CCA game of ElGamal, and executes $\forall i \in [2, n]$: $(sk_i, pk_i) \leftarrow KGen(pp)$ to generate $\mathbf{pk}' \leftarrow (pk_2, \dots, pk_n)$ and $\mathbf{sk}' \leftarrow (sk_2, \dots, sk_n)$. Then $pp$ and $\mathbf{pk} \leftarrow (pk_1, \dots, pk_n)$ are transmitted to the adversary to initialize the IND-CCA game of the AE encryption. When the oracle $\mathcal{O}_{Dec}(C_{1,\dots,n})$ is queried, the simulator first strips its own layers, $C_1 \leftarrow Dec(\mathbf{sk}', C_{1,\dots,n})$, and delivers the decrypted message $m \leftarrow \mathcal{O}_{Dec,ElGamal}(C_1)$ to the adversary as the answer of $\mathcal{O}_{Dec}(C_{1,\dots,n})$. Next, the simulator forwards $(m_0, m_1)$ from the adversary to the IND-CCA game of ElGamal, and afterward forwards the challenge to the adversary.

Finally, the simulator outputs whatever the adversary outputs. If the adversary has a non-negligible advantage in breaking the AE encryption, the simulator has the same non-negligible advantage in breaking the IND-CCA security of ElGamal. By contradiction, AE encryption is IND-CCA secure.

Application of AE encryption

An intuitive application of commutative encryption is a secret sharing system. A sender picks some trusted users as receivers, encrypts messages with a commutative encryption scheme, and delivers the ciphertext to the chosen receivers, much as is done in Shamir secret sharing [40]. The encrypted message can be recovered only when all chosen receivers cooperate to decrypt. Naturally, one may ask whether another secret sharing scheme is needed at all when its efficiency is dramatically worse than Shamir's work [40]. Moreover, the AE encryption does not easily become a threshold secret sharing scheme. If efficiency is the top consideration, commutative encryption based secret sharing schemes might not be suitable. Efficiency aside, however, commutative encryption based secret sharing schemes have some advantages, such as high flexibility in the choice of receivers. For example, a "$t$-out-of-$n$" threshold Shamir secret sharing might not be able to become a "$(t + 1)$-out-of-$n$" threshold Shamir secret sharing unless the secret is reallocated, whereas this might be easy in commutative encryption based secret sharing schemes.

The second application of the commutative encryption is called the anonymous consensus system.

Imagine a scenario in which a nuclear bomb can be launched only when three engineers (or agencies) $E_1$, $E_2$ and $E_3$ cooperate, and these three engineers are individually known by three parties: the president knows engineer $E_1$, the CIA can find engineer $E_2$, and $E_3$ can only be contacted by the FBI.

This is a common multi-authentication system with several advantages. First, each engineer is

of engineers is leaked, it might be easy to find the spy in the corresponding party. Third, a nuclear launch is a serious matter that cannot be decided by a single party; on the contrary, it needs the consensus of all three parties. Two security requirements are regarded as important in this application.

• Anonymity. Throughout the whole process, the identities of the engineers should be kept secret.

• Indistinguishability. The decisions of each party should be secret.

Without loss of generality, let the engineers be regarded as openers who are responsible for opening the consensus, and let $n$ parties be involved. A commutative encryption based anonymous consensus system $\{Vote, Open\}$, shown in Figure 12, is a suitable solution in this case. Assume all openers adopt the same commutative encryption parameters and each has its own public / private key pair. The identities of the openers are known only to their respective parties. Let a designated timestamp that changes every 5 minutes (or some other interval) be the first message. Then, for each party: if it agrees with the launch, it encrypts the previous message and outputs the result to the next party; otherwise, it outputs a random value to the next party. Finally, the three openers cooperate to decrypt the commutatively encrypted message. The nuclear bomb is launched only if the decrypted timestamp matches, which can happen only when all parties voted to launch.

[Figure: algorithm $Vote$(Parties).]

Figure 12: Anonymous consensus system based on commutative encryption
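As an added example (not code from the thesis or the works it cites), the following Python module implements an ElGamal-style layered encryption with the properties stated above for the AE encryption, namely an $(n+1)$-element ciphertext $(U, V_1, \dots, V_n)$ that grows by one element per key, layers that can be stripped in any order, and $V$ slots that cannot be permuted, and then runs the $Vote$/$Open$ procedure of the anonymous consensus system on it. The layered construction ($U = m \prod_i y_i^{r_i}$, $V_i = g^{r_i}$) is an assumption chosen to match those properties, not the thesis's actual AE algorithms, which this excerpt does not reproduce; the modulus is toy-sized and the timestamp value is constructed.

```python
"""Layered ElGamal-style commutative encryption and the anonymous consensus
vote built on it. Assumed construction for illustration (see lead-in)."""
import secrets
from typing import List, Tuple, Union

# Toy-size modulus (the Mersenne prime 2^127 - 1) so the demo runs instantly;
# a deployment would use a standard prime-order group of adequate size.
P = 2**127 - 1
G = 3
Ciphertext = List[int]          # layout: [U, V_1, ..., V_n]


def kgen() -> Tuple[int, int]:
    """KGen(pp): secret key x, public key y = g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def enc(pk: int, inp: Union[int, Ciphertext]) -> Ciphertext:
    """Enc(pk, .): on a message this is plain ElGamal, [m*y^r, g^r];
    on a ciphertext it appends one layer: U is re-masked with y^r and a new
    V_{n+1} = g^r is appended, so the size grows by exactly one element."""
    r = secrets.randbelow(P - 2) + 1
    u, vs = (inp, []) if isinstance(inp, int) else (inp[0], list(inp[1:]))
    return [u * pow(pk, r, P) % P] + vs + [pow(G, r, P)]


def dec(sk: int, ct: Ciphertext, i: int) -> Ciphertext:
    """Dec(sk_i, C): strip layer i (1-based) with sk_i. U is divided by
    V_i^{x_i} = y_i^{r_i} and the used slot is set to the identity 1, so the
    remaining layers can be removed in any order. Applying sk_i to a slot
    j != i divides by g^{r_j x_i} instead, which is why the V's cannot be
    permuted."""
    u, vs = ct[0], list(ct[1:])
    mask = pow(vs[i - 1], sk, P)
    vs[i - 1] = 1
    return [u * pow(mask, -1, P) % P] + vs      # pow(., -1, p): Python 3.8+


def opened(ct: Ciphertext) -> bool:
    """True once every layer has been stripped; ct[0] is then the message."""
    return all(v == 1 for v in ct[1:])


def random_like(ct: Union[int, Ciphertext]) -> Ciphertext:
    """A uniformly random value of the shape an agreeing party would output,
    so a dissenting party's output reveals nothing by its form."""
    n = 2 if isinstance(ct, int) else len(ct) + 1
    return [secrets.randbelow(P - 1) + 1 for _ in range(n)]


def vote(openers_pk: List[int], agree: List[bool], timestamp: int) -> Ciphertext:
    """Vote(Parties): the first message is the agreed timestamp; party i either
    adds its opener's layer (agrees) or passes on random garbage (disagrees)."""
    running: Union[int, Ciphertext] = timestamp
    for pk, yes in zip(openers_pk, agree):
        running = enc(pk, running) if yes else random_like(running)
    return running


def open_vote(openers_sk: List[int], ct: Ciphertext,
              order: List[int], timestamp: int) -> bool:
    """Open: the openers strip their layers in the given order (1-based
    positions); the action is authorised only if the recovered value equals
    the timestamp, which happens exactly when every party agreed."""
    for i in order:
        ct = dec(openers_sk[i - 1], ct, i)
    return opened(ct) and ct[0] == timestamp


if __name__ == "__main__":
    keys = [kgen() for _ in range(3)]               # three openers E_1, E_2, E_3
    sks, pks = [k[0] for k in keys], [k[1] for k in keys]
    ts = 1_700_000_000 // 300                       # constructed 5-minute slot
    c = vote(pks, [True, True, True], ts)
    print(len(c) == 4, open_vote(sks, c, [2, 3, 1], ts))
    print(open_vote(sks, vote(pks, [True, False, True], ts), [1, 2, 3], ts))
```

Running the module shows that a unanimous vote opens to the timestamp whatever order the openers decrypt in, while a single dissent does not; swapping two $V$ slots of a valid ciphertext also fails to open, which is the non-permutability noted above.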


The correctness is straightforward and therefore omitted. Besides the functionality, the security notions, namely anonymity and indistinguishability, follow easily from the indistinguishability of the adopted commutative encryption scheme.

• Anonymity. The "message indistinguishability" of the AE encryption directly implies "key indistinguishability", which yields the anonymity of the identities.

• Indistinguishability. Even if $n - 1$ parties collude with each other, message indistinguishability still holds, based on the indistinguishability of the ElGamal encryption.

Apart from the nuclear launch system, other consensus-based systems, such as a panel of judges in court or even blockchain systems, might take advantage of commutative encryption schemes to reach a consensus anonymously (see Figure 13).

Figure 13: Voting flowchart of AE based anonymous consensus


3.4.2 One-time-commutative public key encryption

Another work, called "One-Time-Commutative Public Key Encryption" (OTC for short), is also worth mentioning. As its name suggests, OTC allows only a single commutative encryption. Assume $C \leftarrow Enc(pk, m)$ is a regular ciphertext of a public key encryption; it can be further encrypted under another public key $pk'$ as $C' \leftarrow ComEnc(pk', C)$. At a high level, OTC is a set of algorithms over a Type-I pairing, based on Ateniese et al.'s proxy re-encryption [29] and ElGamal re-encryption [10]. The algorithms are formalized as follows.

• $Setup(1^\kappa)$: The algorithm takes as input a security parameter $\kappa$ and outputs the parameters $pp \leftarrow \{e, \mathbb{G}_1, \mathbb{G}_2, q, g, g_2\}$, where $e: \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ denotes a Type-I pairing and $q = |\mathbb{G}_1| = |\mathbb{G}_2|$ is the order of the groups. The element $g$ is a generator of $\mathbb{G}_1$, and $g_2 \leftarrow e(g, g)$. The message space $\mathcal{M}$ is set to the group $\mathbb{G}_2$.

• $KGen(pp)$: On input the public parameters, a user randomly picks $x \xleftarrow{\$} \mathbb{Z}_q$ as its private key and publishes the public key $y \leftarrow g^x$.

• $Enc(pk, m)$: To encrypt a message $m$, the sender picks a random $r \xleftarrow{\$} \mathbb{Z}_q$ and computes $C \leftarrow (U, V)$, where $U \leftarrow y^r$ and $V \leftarrow m \cdot g_2^r$.

• $Dec(sk, C)$: The receiver decrypts the ciphertext $C$ to obtain the hidden message $m$ via $m \leftarrow V / e(U, g^{x^{-1}})$.

Correctness: Decryption is straightforward, as follows:

$$V / e(U, g^{x^{-1}}) = m\,g_2^r / e(g^{xr}, g^{x^{-1}}) = m\,g_2^r / g_2^{r} = m \qquad (34)$$

So far, this is an ordinary public key encryption. In addition, the ciphertext $C$ can be encrypted once more through the algorithm $C' \leftarrow ComEnc(pk', C)$, and the commutatively encrypted ciphertext $C'$ can be decrypted through the algorithm $m \leftarrow ComDec(sk, sk', C')$ with the cooperation of the two receivers.

• $ComEnc(pk', C)$: Let $(x', y')$ be another receiver's key pair. To commutatively encrypt a ciphertext $(U, V) \leftarrow C$, the sender outputs $C' \leftarrow (W, V)$, where $W \leftarrow e(U, y')$ and $V$ remains the same. Note that the sender of $Enc(pk, m)$ may differ from the sender of $ComEnc(pk', C)$.

• $ComDec(sk, sk', C')$: The receivers jointly decrypt the ciphertext $C'$ to obtain the hidden message $m$ via $m \leftarrow V / W^{(xx')^{-1}}$.

Correctness: The commutative decryption is straightforward, as follows:

$$V / W^{(xx')^{-1}} = m\,g_2^r / e(g^{xr}, g^{x'})^{(xx')^{-1}} = m\,g_2^r / g_2^{xx'r(xx')^{-1}} = m \qquad (35)$$

Comparisons

A comparison of the commutative encryption schemes is given in Table 2. Several features, including the limit on the number of commutative operations (com-op), the ciphertext size, the pairing requirement, the security notion and the hardness assumption, are listed as the differences between the two publications. In most cases, AE [69] performs better than OTC [70]; however, its ciphertext size increases with each extra commutative encryption executed.

Table 2: Comparison of commutative encryption schemes

Scheme    com-op    cipher size  pairing      security  assumption
AE [69]   infinite  increasing   non-pairing  IND-CCA   DDH
OTC [70]  one-time  fixed        pairing      IND-CPA   Ateniese's


Security notion

For the proposed OTC scheme, it is claimed that both the encrypted ciphertext $C$ and the commutatively encrypted ciphertext $C'$ are IND-CPA secure in the standard model, both based on the intractability of Ateniese's assumption. From a high-level viewpoint, if the ciphertext $C$ is IND-CPA secure, the commutatively encrypted ciphertext $C'$ is inherently IND-CPA secure as well. Owing to this, only the former has to be proved.