Decryption speed up of ElGamal with composite modulus

Public key cryptosystems such as RSA, rebalanced RSA and ElGamal suffer from a serious asymmetry between encryption and decryption speed. We reduce the CRT (Chinese Remainder Theorem) exponents while keeping a full-sized private exponent in ElGamal with composite modulus (CRT-ElGamal), obtaining fast decryption as in rebalanced RSA. Unlike rebalanced RSA, the decryption speed-up is obtained without giving up fast encryption, which remains comparable to RSA with a small public exponent. As a result, a public key cryptosystem in which both encryption and decryption are fast can be proposed by reducing the asymmetry (fast encryption/slow decryption) of CRT-ElGamal.


Introduction
The security of ElGamal public key cryptosystem [1] depends on the intractability of the DL (Discrete Logarithm) problem. In other words, computational security of ElGamal depends on the CDH (Computational Diffie-Hellman) assumption [2] and semantic security under the passive attack depends on the DDH (Decision Diffie-Hellman) assumption [3] or HDH (Hashed Diffie-Hellman) assumption [4].
Under the DDH assumption, ElGamal is secure in the sense of indistinguishability against chosen plaintext attack (IND-CPA) and some variants of ElGamal such as Cramer-Shoup [5] are secure in the sense of indistinguishability against chosen ciphertext attack (IND-CCA).
If CDH assumption is broken then DDH and HDH assumptions will also be broken. However, CDH by itself is not sufficient to prove that ElGamal encryption is useful for practical cryptographic purpose, because it does not consider the partial exposure of plaintext. Hence, DDH assumption was proposed for the semantic security of ElGamal.
Meanwhile, using DH value itself to mask plaintext via multiplication is not recommended in practical ElGamal systems and it is recommended to hash DH value in order to obtain pseudorandom key (which is used as a one-time pad) of suitable length which can then be used to encrypt the plaintext under the semantically secure symmetric encryption (e.g., symmetric authenticated encryption).
If hash function is modeled as a random oracle, it is possible to obtain the pseudorandom key based on the CDH assumption in the non-DDH groups (i.e., the groups in which DDH assumption does not hold). In DDH-group (i.e., the group in which DDH assumption holds), from the property of DDH assumption, it is needless for the hash function to be modeled as a random oracle (i.e., there is no need to use the random oracle).
HDH assumption which is a weaker assumption than DDH was studied [4] to get the pseudorandom key without random oracle in the non-DDH groups.
Then, what is the basis of the CDH, DDH and HDH assumptions? As in all other public key systems, an assumption about a one-way function is the base assumption of security in ElGamal, too.
That is, cryptographers defined the one-way function
$F(x) = g^x$ for $x \in K$ (1)
in a finite group $G$ with generator $g$ and, on the basis of the assumption that $F$ is a one-way function, considered the CDH, DDH and HDH assumptions and designed ElGamal encryption protocols in various groups.
For the proof of the one-wayness of $F(x)$, the assumption that the DLP (Discrete Logarithm Problem) is hard (i.e., the DL assumption) has usually been used, but other assumptions (e.g., the DLSE (Discrete Logarithm with Short Exponents) assumption [4,6-8]) that are believed to be as hard as the DL assumption can also be used instead.
We propose a one-way function based on the RDL (Restricted DL with small CRT exponents) assumption, consider the corresponding RCDH, RDDH and RHDH assumptions (described later) and design fast ElGamal encryption protocols from them.
First, we consider CRT-ElGamal, which is known to be semantically secure under passive attack (i.e., known to be IND-CPA).
Let $G$ be the multiplicative subgroup of $\mathbb{Z}_n^*$ ($n = pq$) of order $\lambda = (p-1)(q-1)/2$, where $p$, $q$, $(p-1)/2$ and $(q-1)/2$ are prime numbers. Let $K = \mathbb{Z}_n$, $x_p = x \bmod (p-1)$, $x_q = x \bmod (q-1)$, and let $H: G^2 \to K_s$ be a hash function, where $K_s$ is the key space of the symmetric authenticated encryption $(E_s, D_s)$.
Then, referring to [3,4] and [9], the following four assumptions hold for the group G.

DL assumption
There is no probabilistic polynomial time algorithm A that computes $x$ from $(g, F(x))$ with non-negligible probability for $x \in \mathbb{Z}_n$. The DL assumption is based on Facts 3.78 and 3.79 of [9], and from the DL assumption $F(x)$ is a one-way function when $K = \mathbb{Z}_n$.

CDH assumption
There is no probabilistic polynomial time algorithm A such that $\Pr[A(g, F(x), F(y)) = F(xy) \mid x, y \in \mathbb{Z}_n] > \text{negligible}$. The CDH assumption is based on the assumption that $F(x)$ is a one-way function for $x \in \mathbb{Z}_n$.
For the assumptions mentioned above,

DL ⇐ CDH ⇐ HDH ⇐ DDH

is satisfied, where "X ⇐ Y" denotes that assumption X always holds if assumption Y holds. Under the assumptions above, practical CRT-ElGamal can be described as follows.

Algorithm 1.1: Key generation for CRT-ElGamal.
Each user creates a public key and the corresponding private key.
Step 1. Select a large composite number $n = pq$ ($p$, $q$, $(p-1)/2$ and $(q-1)/2$ are large primes) and a generator $g$ of the group $G$, where $G$ is the multiplicative subgroup of $\mathbb{Z}_n^*$ of order $\lambda = (p-1)(q-1)/2$. In detail:
Step 1.1. Select large primes $p$ and $q$ such that $(p-1)/2$ and $(q-1)/2$ are also prime, and compute $n = pq$ and $\lambda = (p-1)(q-1)/2$.
Step 1.2. Select a generator $g_p$ of $\mathbb{Z}_p^*$ and a generator $g_q$ of $\mathbb{Z}_q^*$, and compute by the CRT the $g$ that satisfies $g_p = g \bmod p$ and $g_q = g \bmod q$.
In this case $g$ is a generator of the subgroup $G$ of $\mathbb{Z}_n^*$ of order $\lambda$.
Step 2. Select a random integer $x$ ($1 \le x < \lambda$, $\gcd(x, \lambda) = 1$) and compute $k = g^x \bmod n$. In detail:
Step 2.1. Select random integers $x_p$ ($1 \le x_p < p-1$, $\gcd(x_p, p-1) = 1$) and $x_q$ ($1 \le x_q < q-1$, $\gcd(x_q, q-1) = 1$) and find $x$ such that $x = x_p \bmod (p-1)$ and $x = x_q \bmod (q-1)$.
Step 2.2. Compute $k_p = g^{x_p} \bmod p$ and $k_q = g^{x_q} \bmod q$ and combine them by the CRT into $k$. In this case $k = g^x \bmod n$, $x_p = x \bmod (p-1)$ and $x_q = x \bmod (q-1)$ are satisfied.
Step 3. The public key is $(g, k, n)$ and the private key is $x$. In detail:
Step 3.1. The public key is $(g, k, n)$ and the private key is $(x, x_p, x_q, p, q)$. For semantic security, encryption and decryption use a symmetric authenticated encryption $(E_s, D_s)$ defined over $(K_s, M_s, C_s)$ and a hash function $H: G^2 \to K_s$.

Algorithm 1.2: Encryption for CRT-ElGamal.
A user encrypts a message $m \in M_s$, where $M_s$ is the plaintext space of $(E_s, D_s)$.
Step 2. Select a random integer $y$ ($1 < y < n$) and compute $u = g^y \bmod n$, $v = k^y \bmod n$ and $k_s = H(u, v)$.
Step 3. Encrypt the message $m$ with the symmetric encryption $E_s$ under the key $k_s$: $c = E_s(k_s, m)$.
Step 4. Send the ciphertext $(u \in G, c \in C_s)$, where $C_s$ is the ciphertext space of $(E_s, D_s)$.

Algorithm 1.3: Decryption for CRT-ElGamal.
Step 1. Compute $v = u^x \bmod n$ and $k_s = H(u, v)$. In detail:
Step 1.1. Compute $u_p = u \bmod p$ and $u_q = u \bmod q$.
Step 1.2. Compute $v_p = u_p^{x_p} \bmod p$ and $v_q = u_q^{x_q} \bmod q$.
Step 1.3. Combine $v_p$ and $v_q$ by the CRT into $v = u^x \bmod n$.
Step 1.4. Compute $k_s = H(u, v)$.
Step 2. Recover the message $m$ with the symmetric decryption $D_s$ under the key $k_s$: $m = D_s(k_s, c)$.

As in CRT-RSA [10], CRT-ElGamal can speed up decryption by using the CRT. As mentioned above, the hash function $H: G^2 \to K_s$ is used to extract the pseudorandomness present in the DH value, and $H$ need not be modeled as a random oracle in CRT-ElGamal because the DDH assumption holds [3] in the group $G$.
Next, we considered the new one-way function based on the RDL assumption and considered the RCDH, RDDH and RHDH assumptions.
Let $I$ ($\subset \mathbb{Z}_n$) be the set of $x$ such that $\log_n x_p \approx \log_n x_q \approx \delta$ $(0 < \delta < 1/2)$, $\log_n x \approx 1$ and $\gcd(x, \lambda) = 1$.
If $\delta$ is large enough, the following RDL assumption holds. (The value of $\delta$ below which the RDL assumption breaks is expressed as the bit length $w$ of the CRT exponents in Propositions 1 and 2 of Section 3.2.)

RDL assumption
There is no probabilistic polynomial time algorithm A that computes $x$ from $(g, F(x))$ with non-negligible probability for $x \in I$. From the RDL assumption, $F(x)$ is a one-way function for $x \in I$; in other words, the one-wayness of $F(x)$ is not broken even if $K$ is changed from $\mathbb{Z}_n$ to $I$ in Eq (1).
Hence, RCDH (Restricted CDH) assumption can be considered as follows.

RCDH assumption
There is no probabilistic polynomial time algorithm A such that $\Pr[A(g, F(x), F(y)) = F(xy) \mid x \in I, y \in \mathbb{Z}_n] > \text{negligible}$. From the DL and RDL assumptions, the DDL (Decision DL) assumption can be considered (see Proposition 3 of Section 3.2 for more details), and the RHDH (Restricted HDH) assumption is obtained from HDH in the same way by restricting $x$ to $I$ (see Proposition 4 of Section 3.2 for more details).

RDDH assumption
There is no probabilistic polynomial time algorithm A such that
$\Pr\{\,|\Pr[A(g, F(x), F(y), F(xy)) = 1] - \Pr[A(g, F(x), F(y), F(z)) = 1]| > \text{negligible} \mid x \in I,\ y, z \in \mathbb{Z}_n\} > \text{negligible}$.
From the definitions above it can be seen that RDL, DL ⇐ RCDH and DDL ⇐ RHDH ⇐ RDDH. Lastly, on the basis of the RCDH, RDDH and RHDH assumptions, we describe the possibility of reducing the CRT private exponents in CRT-ElGamal key generation for fast decryption. Unlike rebalanced RSA, the encryption speed is not affected. (In practice, ElGamal encryption can be made fast [9, Section 8.4.1] by using a precomputed table of the main exponentiations of the generator and the public key together with random exponents of low Hamming weight.)
As a result, it is possible to make both encryption and decryption fast by reducing CRT exponents in CRT-ElGamal. This paper is organized as follows. In Section 2, we reviewed the rebalanced RSA briefly. In Section 3, we described the possibility of reducing CRT exponents in CRT-ElGamal. In Section 4, we presented the theoretical and experimental results. In Section 5, we mentioned the possibility of decryption speed up in the other variants of ElGamal such as twin ElGamal [11] and Cramer-Shoup scheme [5]. Finally we concluded this paper in Section 6.

RSA assumption and rebalanced RSA
The security of RSA [12] public key encryption depends on the intractability of the IFP (Integer Factorization Problem). More precisely, computational security of RSA depends on the RSA assumption. However, as in the other public key cryptosystems, the base assumption is the assumption for the one-way function in RSA, too.

RSA assumption
There is no probabilistic polynomial time algorithm A that recovers $x$ from $(n, e, x^e \bmod n)$ with non-negligible probability. However, the RSA assumption alone is not sufficient to prove that RSA is useful for practical cryptographic purposes, because it does not provide semantic security.
Hence, RSA is usually used with symmetric authenticated encryption or with a padding scheme (RSA-OAEP). In both cases RSA is believed to be semantically secure under the RSA assumption.
For convenience of comparison in Section 4, we consider RSA with symmetric authenticated encryption (simply called CRT-RSA later on) in detail as follows.

Algorithm 2.1: Key generation for CRT-RSA.
Step 4. The public key is $(n, e)$ and the private key is $(p, q, d, d_p, d_q)$. For semantic security, encryption and decryption use a symmetric authenticated encryption $(E_s, D_s)$ defined over $(K_s, M_s, C_s)$ and a hash function $H: \mathbb{Z}_n \to K_s$.

Algorithm 2.2: Encryption for CRT-RSA.
A user encrypts a message $m \in M_s$, where $M_s$ is the plaintext space of $(E_s, D_s)$.
Step 2. Choose a random integer $x \in \mathbb{Z}_n^*$ and compute $y = x^e \bmod n$ and $k_s = H(x)$.
Step 3. Encrypt the message $m$ with the symmetric encryption $E_s$ under the key $k_s$: $c = E_s(k_s, m)$.
Step 4. Send the ciphertext $(y \in \mathbb{Z}_n^*, c \in C_s)$, where $C_s$ is the ciphertext space of $(E_s, D_s)$.

Algorithm 2.3: Decryption for CRT-RSA.
Step 1. Compute $x = y^d \bmod n$ and $k_s = H(x)$. In detail:
Step 1.1. Compute $y_p = y \bmod p$ and $y_q = y \bmod q$.
Step 1.2. Compute $x_p = y_p^{d_p} \bmod p$ and $x_q = y_q^{d_q} \bmod q$.
Step 1.3. Combine $x_p$ and $x_q$ by the CRT into $x = y^d \bmod n$.
Step 2. Recover the message $m$ with the symmetric decryption $D_s$ under the key $k_s$: $m = D_s(k_s, c)$.
If $H$ is modeled as a random oracle, CRT-RSA is believed to be semantically secure under the RSA assumption.
When the key space $K$ is restricted to the set $J$ of keys with small CRT exponents, RSA is called rebalanced RSA [17]. That is, rebalanced RSA is a variant that changes the key generation of RSA for fast decryption (or signature generation).
The main point of rebalanced RSA is to reduce the private CRT exponents $d_p$ and $d_q$ while keeping the private exponent $d$ of the same bit size as the modulus $n$.
For the security proof of the proposed scheme, we consider the case in which $p$ and $q$ are safe primes (i.e., $(p-1)/2$ and $(q-1)/2$ are primes). Such a restriction does not compromise the security of RSA and rebalanced RSA (RSA and rebalanced RSA with modulus $n = (2p'+1)(2q'+1)$, where $p'$ and $q'$ are primes, are believed to be secure). In this case, the key generation of rebalanced RSA can be described as follows.

Algorithm 2.4: Key generation for rebalanced RSA using safe primes.
Step 1. Select a large composite number $n = pq$ ($p$, $q$, $(p-1)/2$ and $(q-1)/2$ are large primes) and compute $\lambda = \mathrm{lcm}(p-1, q-1)$.
Step 2. Select random CRT exponents $d_p$ ($\gcd(d_p, p-1) = 1$) and $d_q$ ($\gcd(d_q, q-1) = 1$) that are much shorter than $p-1$ and $q-1$.
Step 3. Find $d$ such that $d = d_p \bmod (p-1)$ and $d = d_q \bmod (q-1)$.
Step 4. Compute $e = d^{-1} \bmod \lambda$.
Step 5. The public key is $(n, e)$ and the private key is $(p, q, d, d_p, d_q)$.
In rebalanced RSA, d p and d q are small and so, decryption can be done faster than CRT-RSA.
However, e will increase to be of the same bit size as modulus n and it will cause encryption (or signature verification) speed to be further slowed down [17] compared to standard CRT-RSA that uses 3 or 65537 as public exponent e.
For example, rebalanced RSA with parameters RSA(250, 250, 2048) is $(t, \varepsilon)$ secure under the assumption that CRT-RSA(1024, 1024, 2048) is $(t, \varepsilon)$ secure, where the triple gives the bit lengths of the CRT exponents $d_p$, $d_q$ and of the modulus $n$.
Note. We say that RSA is (t,ε) secure if no t-time algorithm has advantage ε in finding plaintext from public key and ciphertext. This is the strict definition for the computational security of RSA and in this way, the computational security of other public key cryptosystems can be redefined more strictly.
Since the RSA assumption still holds in rebalanced RSA, both rebalanced RSA with symmetric authenticated encryption and rebalanced RSA with OAEP are semantically secure.
From the facts above, even though the CRT exponents are reduced, CRT-RSA remains semantically secure as long as its computational security is not broken.
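As an added example (not code from the paper), the following Python script implements Algorithm 2.4 together with CRT decryption (Algorithm 2.3) to make the size trade-off concrete: $d_p$ and $d_q$ are $w$ bits, while $d$ and the public exponent $e$ come out modulus-sized. The safe primes 1019 and 1187, the exponent size $w = 6$ and the RNG seed are toy values chosen for this example; real keys use 1024-bit primes and $w \approx 250$.

```python
# Added example (not from the paper): rebalanced RSA key generation with safe
# primes (Algorithm 2.4) and CRT decryption (Algorithm 2.3), in pure Python.
# The primes below are tiny constructed toys; a real key uses 1024-bit primes.
import random
from math import gcd

P_TOY, Q_TOY = 1019, 1187   # safe primes: 1019 = 2*509 + 1, 1187 = 2*593 + 1


def crt_exponent(x_p, x_q, p, q):
    """Find x with x = x_p (mod p-1) and x = x_q (mod q-1) for safe primes p, q.

    The two moduli share the factor 2, so a solution exists only when x_p and
    x_q have the same parity (both are odd here, being coprime to the even
    numbers p-1 and q-1).  The result lies below lam = lcm(p-1, q-1)."""
    p1, q1 = (p - 1) // 2, (q - 1) // 2          # p', q' are distinct odd primes
    if (x_p - x_q) % 2:
        raise ValueError("x_p and x_q must have the same parity")
    t = ((x_q - x_p) // 2 * pow(p1, -1, q1)) % q1
    return x_p + (p - 1) * t


def rebalanced_rsa_keygen(p, q, w, rng=random):
    """Algorithm 2.4: w-bit CRT exponents d_p, d_q; d and e are full size."""
    n, lam = p * q, (p - 1) * (q - 1) // 2       # lam = lcm(p-1, q-1) for safe primes
    while True:
        d_p = rng.randrange(1 << (w - 1), 1 << w) | 1   # odd, so gcd with p-1 can be 1
        d_q = rng.randrange(1 << (w - 1), 1 << w) | 1
        if gcd(d_p, p - 1) == 1 and gcd(d_q, q - 1) == 1:
            d = crt_exponent(d_p, d_q, p, q)     # Step 3
            if gcd(d, lam) == 1:
                break
    e = pow(d, -1, lam)                          # Step 4: e is about as long as n
    return (n, e), (p, q, d, d_p, d_q)


def rsa_encrypt(pub, x):
    """Algorithm 2.2, Step 2: one exponentiation with the full-size e."""
    n, e = pub
    return pow(x, e, n)


def crt_rsa_decrypt(priv, y):
    """Algorithm 2.3: two half-size exponentiations, then Garner recombination."""
    p, q, _d, d_p, d_q = priv
    x_p = pow(y % p, d_p, p)
    x_q = pow(y % q, d_q, q)
    h = ((x_q - x_p) * pow(p, -1, q)) % q
    return x_p + p * h


def exponent_bits(pub, priv):
    """Bit lengths of (e, d, d_p, d_q): e and d are modulus-sized, d_p, d_q are w bits."""
    (_n, e), (_p, _q, d, d_p, d_q) = pub, priv
    return e.bit_length(), d.bit_length(), d_p.bit_length(), d_q.bit_length()


if __name__ == "__main__":
    rng = random.Random(2024)
    pub, priv = rebalanced_rsa_keygen(P_TOY, Q_TOY, 6, rng)
    x = rng.randrange(2, pub[0])
    assert crt_rsa_decrypt(priv, rsa_encrypt(pub, x)) == x
    print("bits (e, d, d_p, d_q):", exponent_bits(pub, priv))
```

The cost picture the paper describes is visible in `exponent_bits`: decryption pays for two exponentiations with $w$-bit exponents modulo half-size primes, but encryption pays for one exponentiation with an $e$ as long as $\lambda$, which is what the proposed ElGamal variant avoids.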
Meanwhile, in the CRT-ElGamal, when the CRT exponents are reduced, many problems except for the computational security have to be considered, unlike the case of CRT-RSA. We considered about this in detail as follows.

Possibility of fast decryption in CRT-ElGamal
In RSA, the possibility of using a small private exponent instead of a full-length exponent has been studied together with small private exponent attacks [14-16, 22]. However, RSA with small private exponents is not usually used in practical applications. Similarly, the possibility of replacing the full-length exponent with a shorter exponent has been studied [4, Section 4; 6-8] under the DLSE assumption in ElGamal, but ElGamal with short exponents has also not been widely used in practice, just like RSA with small private exponents.
As a result, it is not recommended to use the small private exponent instead of full-length exponent for the practical cryptographic purpose in both RSA and ElGamal.
In practical RSA applications, the scheme that reduces the CRT exponents d p and d q instead of d (i.e., rebalanced RSA) has been used for the fast decryption. In practical ElGamal applications, secure groups with small order (e.g., prime order subgroup of Z � p ) have been used for the fast decryption.
As in rebalanced RSA, it would be possible to propose the fast ElGamal scheme by reducing the CRT exponents x p and x q instead of x in CRT-ElGamal. In this case, decryption can be done faster (mentioned in Section 4) than ElGamal in subgroup of Z � p , which is currently used. We described the possibility of reducing CRT exponents in CRT-ElGamal and set the reduction bound (noted as w in this section) of CRT exponents x p and x q .

Reducing the CRT exponents in CRT-ElGamal key generation
The key generation algorithm of the proposed scheme can be described similarly to Algorithm 1.1.
Compared to the key generation of CRT-ElGamal (Algorithm 1.1), only the selection range of $x_p$ ($x_q$) in Step 2.1 is reduced, from $p-1$ (or $q-1$) to $2^w$. The reduction bound $w$ ($< \frac{1}{2}\log_2 n$) is discussed later, so it is skipped here.
That is, the key generation algorithm of the proposed scheme is the same as that of CRT-ElGamal except for Step 2.1, which becomes:
Step 2.1. Select random integers $x_p$ ($1 \le x_p < 2^w$, $\gcd(x_p, p-1) = 1$) and $x_q$ ($1 \le x_q < 2^w$, $\gcd(x_q, q-1) = 1$) and find $x$ such that $x = x_p \bmod (p-1)$ and $x = x_q \bmod (q-1)$.
The key generation algorithm of the proposed scheme can also be described similarly to Algorithm 2.4 as follows.

Algorithm 3.1: Key generation for the proposed scheme.
Step 1. Select a large composite number $n = pq$ ($p$, $q$, $(p-1)/2$ and $(q-1)/2$ are large primes) and compute $\lambda = \mathrm{lcm}(p-1, q-1)$.
Step 2. Select random CRT exponents $x_p$ ($1 \le x_p < 2^w$, $\gcd(x_p, p-1) = 1$) and $x_q$ ($1 \le x_q < 2^w$, $\gcd(x_q, q-1) = 1$).
Step 3. Find $x$ such that $x = x_p \bmod (p-1)$ and $x = x_q \bmod (q-1)$.
Step 4. Select a generator $g$ of the group $G$ and compute $k = g^x \bmod n$, where $G$ is the multiplicative subgroup of $\mathbb{Z}_n^*$ of order $\lambda$.
Step 5. The public key is $(g, k, n)$ and the private key is $(p, q, x, x_p, x_q)$.
Compared to the key generation of rebalanced RSA (Algorithm 2.4), only Steps 4 and 5 differ in Algorithm 3.1. Unlike rebalanced RSA, the proposed scheme does not publish the modular inverse of the private key (i.e., $x^{-1} \bmod \lambda$); instead, the generator $g$ of $G$ and $k$ ($= g^x \bmod n$) are published.
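The following Python script is an added example, not code from the paper. It implements CRT-ElGamal as a KEM (Algorithms 1.1 to 1.3) with the CRT exponent bound $w$ of Algorithm 3.1 as a parameter, so the same code produces plain CRT-ElGamal keys ($w$ equal to the bit length of $p-1$) and keys of the proposed scheme (smaller $w$), and checks that CRT decryption with $(x_p, x_q)$ agrees with the plain $u^x \bmod n$. The toy safe primes 1019 and 1187, the use of SHA-256 in place of $H$, the RNG seed and the omission of the symmetric authenticated encryption $(E_s, D_s)$ are this example's own choices.

```python
# Added example (not from the paper): CRT-ElGamal as a KEM (Algorithms 1.1-1.3)
# with the CRT exponent bound w of Algorithm 3.1 as a parameter.  w equal to the
# bit length of p-1 gives plain CRT-ElGamal; a smaller w gives the proposed
# scheme.  The primes are tiny constructed toys (real ones are 1024 bits) and
# SHA-256 stands in for H: G^2 -> K_s; the symmetric AE (E_s, D_s) is not shown.
import hashlib
import random
from math import gcd

P_TOY, Q_TOY = 1019, 1187   # safe primes: 1019 = 2*509 + 1, 1187 = 2*593 + 1


def is_generator(g, p):
    """g generates Z_p^* for a safe prime p = 2p'+1 iff g^2 != 1 and g^p' != 1 (mod p)."""
    return g % p > 1 and pow(g, 2, p) != 1 and pow(g, (p - 1) // 2, p) != 1


def random_generator(p, rng):
    """About half of Z_p^* generates it when p is a safe prime, so rejection sampling is cheap."""
    while True:
        g = rng.randrange(2, p - 1)
        if is_generator(g, p):
            return g


def crt(a_p, a_q, p, q):
    """Combine residues modulo p and q into the residue modulo n = pq (Garner's form)."""
    return a_p + p * (((a_q - a_p) * pow(p, -1, q)) % q)


def random_unit(bound, modulus, rng):
    """Random x in [1, bound) with gcd(x, modulus) = 1 (bound is capped at modulus)."""
    while True:
        x = rng.randrange(1, min(bound, modulus))
        if gcd(x, modulus) == 1:
            return x


def keygen(p, q, w, rng=random):
    """Algorithm 1.1 with Step 2.1 of Algorithm 3.1: x_p, x_q are below 2^w."""
    n = p * q
    g_p, g_q = random_generator(p, rng), random_generator(q, rng)   # Step 1.2
    g = crt(g_p, g_q, p, q)                      # order lcm(p-1, q-1) = (p-1)(q-1)/2 = lam
    x_p = random_unit(1 << w, p - 1, rng)        # Step 2.1: both odd, so the CRT below works
    x_q = random_unit(1 << w, q - 1, rng)
    p1, q1 = (p - 1) // 2, (q - 1) // 2
    t = ((x_q - x_p) // 2 * pow(p1, -1, q1)) % q1
    x = x_p + (p - 1) * t                        # x = x_p mod (p-1) and x = x_q mod (q-1)
    k = crt(pow(g_p, x_p, p), pow(g_q, x_q, q), p, q)   # Step 2.2: equals g^x mod n
    return (g, k, n), (x, x_p, x_q, p, q)


def kdf(u, v, n):
    """H(u, v): SHA-256 over fixed-width encodings of u and v (a stand-in for H)."""
    size = (n.bit_length() + 7) // 8
    return hashlib.sha256(u.to_bytes(size, "big") + v.to_bytes(size, "big")).digest()


def encapsulate(pub, rng=random):
    """Algorithm 1.2, Step 2: two full-size exponentiations (u and v)."""
    g, k, n = pub
    y = rng.randrange(2, n)
    u, v = pow(g, y, n), pow(k, y, n)
    return u, kdf(u, v, n)


def decapsulate_crt(priv, u):
    """Algorithm 1.3: v = u^x mod n from two short exponentiations modulo p and q."""
    _x, x_p, x_q, p, q = priv
    v = crt(pow(u % p, x_p, p), pow(u % q, x_q, q), p, q)
    return kdf(u, v, p * q)


def decapsulate_plain(priv, u):
    """Reference decryption without the CRT: one full-size exponentiation u^x mod n."""
    x, _x_p, _x_q, p, q = priv
    n = p * q
    return kdf(u, pow(u, x, n), n)


if __name__ == "__main__":
    rng = random.Random(7)
    for w in (10, 6):        # 10 bits: plain CRT-ElGamal; 6 bits: reduced CRT exponents
        pub, priv = keygen(P_TOY, Q_TOY, w, rng)
        u, k_s = encapsulate(pub, rng)
        assert decapsulate_crt(priv, u) == decapsulate_plain(priv, u) == k_s
        print(f"w={w}: x has {priv[0].bit_length()} bits, x_p has {priv[1].bit_length()} bits")
```

Encapsulation is the same code path for both values of $w$, which is the point of Section 3: only the decapsulation exponents shrink. The full exponent $x$ is computed only so that the reference decryption can be checked against the CRT one; the decryptor never needs it.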

Security
In the proposed scheme, RCDH, RDDH and RHDH assumptions are used instead of CDH, DDH and HDH assumptions, respectively. In other words, computational security of proposed scheme is based on the RCDH assumption and semantic security of proposed scheme is based on the RDDH (RHDH) assumption.
In Section 1, we supposed that RDL assumption holds and considered the RCDH, RHDH and RDDH assumptions under the RDL assumption. That is, if the RDL assumption is broken, the one-wayness of F(x) of Eq (1) is also broken and so, proposed scheme becomes to be insecure.
We mainly considered the upper bound of x p and x q that break the RDL assumption in this section.
In the case of rebalanced RSA, only the small CRT exponent attacks have been considered because other attacks except for small CRT exponent attacks are not effective.
Similarly, we considered only the small CRT exponent attacks for the RDL assumption as follows.
Proposition 1: Let $n = pq$ where $p$, $q$, $(p-1)/2$ and $(q-1)/2$ are primes. If there is a polynomial time algorithm that finds the private key $(x, x_p, x_q, p, q)$ from the public key $(g, k, n)$ of the proposed scheme when $\log_2 x_p \approx \log_2 x_q \approx w$ for a suitable integer $w$ ($< \frac{1}{2}\log_2 n$), then it is possible to find the private key $(d, d_p, d_q, p, q)$ from the public key $(n, e)$ of rebalanced RSA with full-size exponent $e$ (i.e., $\log_n e \approx 1$) when $\log_2 d_p \approx \log_2 d_q \approx w$.
Proof. In rebalanced RSA, $\log_n e \approx 1$ is usually satisfied [17] for $e$ such that $ed \equiv 1 \pmod{\lambda}$, and similarly $\log_n e' \approx 1$ is satisfied for $e'$ such that $xe' \equiv 1 \pmod{\lambda}$ (i.e., $k^{e'} \bmod n = g$) in the proposed scheme. By the hypothesis of Proposition 1, there exists a polynomial time algorithm (Algorithm A) that finds the private key $(x, x_p, x_q, p, q)$ from the public key $(g, k, n)$ of the proposed scheme.
Hence, using Algorithm A, the following attack algorithm (Algorithm B) breaks rebalanced RSA with public key $(n, e)$ satisfying $\log_n e \approx 1$ and $\log_2 d_p \approx \log_2 d_q \approx w$.
Algorithm B: Attack on rebalanced RSA with keys generated by Algorithm 2.4.
Input: Public key $(n, e)$ of rebalanced RSA ($n = pq$, $\log_n e \approx 1$) such that $(p-1)/2$ and $(q-1)/2$ are primes.
Output: Private key $(d, d_p, d_q, p, q)$.
Step 1. Select a generator $m$ of $G$, the multiplicative subgroup of $\mathbb{Z}_n^*$ of order $\lambda$, and compute $c = m^e \bmod n$. Then $c$ is also a generator of $G$, because $\gcd(e, \lambda) = 1$ in rebalanced RSA.
Step 2. Set $g = c$ and $k = m$ and run Algorithm A to find the private key $(x, x_p, x_q, p, q)$ in polynomial time. Since $m = c^d \bmod n$, $d_p = d \bmod (p-1)$, $d_q = d \bmod (q-1)$ and $\log_2 d_p \approx \log_2 d_q \approx w$ hold by assumption, Algorithm A returns $x = d$, $x_p = d_p$ and $x_q = d_q$, and so the private key $(d, d_p, d_q, p, q)$ is found in polynomial time.
Of course, unlike in the proposed scheme, the generator of $G$ is not known in rebalanced RSA, so selecting $m$ as a generator in Step 1 of Algorithm B may seem difficult. However, the attacker can obtain a generator without difficulty by selecting a random element $m \in \mathbb{Z}_n^*$ in Step 1, because many elements of $\mathbb{Z}_n^*$ generate $G$. Let $p' = (p-1)/2$ and $q' = (q-1)/2$. From the properties of the Euler function, a random element $m \in \mathbb{Z}_n^*$ is a generator of $G$ with probability about $1/4$.
Hence, if Algorithm B is repeated a few times (about 4 on average), the attacker will have selected a generator $m$ in Step 1 and so finds the private key $(d, d_p, d_q, p, q)$.
From this, rebalanced RSA can be broken in polynomial time. (end of proof.) Proposition 1 gives only rough information about the upper bound on $w$ for which small CRT exponent attacks break the RDL assumption.
Note. We say that (t,ε) RDL assumption holds in G if no t-time algorithm has advantage ε in solving the RDL problem on G. This is the strict definition for the RDL assumption of Section 1 and in this way, the all assumptions of Section 1 and 2 can be redefined more strictly.
In fact, it is not easy to find $e'$ ($= x^{-1} \bmod \lambda$) such that $k^{e'} \bmod n = g$ from the public key $(g, k, n)$ of the proposed scheme, because $\log_n e' \approx 1$ usually holds and so finding $e'$ from $(g, k, n)$ is a discrete logarithm problem in $\mathbb{Z}_n^*$. (For composite $n$, the discrete logarithm problem in $\mathbb{Z}_n^*$ is known to be no easier [3,9,26] than factoring.) Hence the attacker cannot obtain $e'$, and as a result the lattice based and continued fraction methods [14-16, 18-25] cannot be applied to the proposed scheme.
In particular, the lattice based attack of TLP [23-25], which is the state-of-the-art attack on rebalanced RSA, cannot be applied to the proposed scheme, so against these attacks the proposed scheme is more secure than rebalanced RSA with full-size exponent $e$ ($\log_n e \approx 1$).
The practical attack to the proposed scheme can be described as follows.
Attacks on the proposed scheme (small private CRT exponent attacks). From $k_p = k \bmod p = g^{x_p} \bmod p$ we have $k \equiv g^{x_p} \pmod p$, i.e., $k - (g^{x_p} \bmod n) = jp$ for some integer $j$, and so $\gcd(k - g^{x_p} \bmod n,\ pq) = p$ (it equals $n$ only in the degenerate case $x_p = x_q$).
Hence, an attack on the proposed scheme reduces to finding an $i$ with $\gcd(k - g^i \bmod n,\ n) \ne 1$ among all candidate $i$, which is feasible because the CRT exponents are small. Thus, the attack of [17] on rebalanced RSA applies directly to the proposed scheme as follows.
Proposition 2: Let $n = pq$ where $p$, $q$, $(p-1)/2$ and $(q-1)/2$ are primes; let $x_p = x \bmod (p-1)$ and $x_q = x \bmod (q-1)$ with $x_p < x_q$ for a randomly selected $x \in \mathbb{Z}_n^*$. Then the modulus $n$ can be factored in time $O(x_p^{1/2} \log x_p)$ given a generator $g$ of the subgroup of $\mathbb{Z}_n^*$ of order $\lambda$ and $z = g^x \bmod n$.
(Proof): The proof is identical to the rebalanced RSA case, which is explained in detail in [17], and so is skipped here. (end of Proof).
Judging by the $O(x_p^{1/2} \log x_p)$ cost, the CRT exponents $x_p$ and $x_q$ should be at least 160 bits long for a 1024-bit modulus and at least 224 bits long for a 2048-bit modulus in order for this attack to cost at least as much as the currently estimated complexity of factoring a modulus of those sizes [17].
Unlike Proposition 1, Proposition 2 gives more exact information about the upper bound on $w$ for which small CRT exponent attacks break the RDL assumption. That is, Proposition 2 and its proof show that for $w = 224$ and a 2048-bit modulus the best known small CRT exponent attack is no cheaper than factoring the modulus, and on this basis the $(t, \varepsilon)$ RDL assumption is taken to hold for these parameters.
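As an added example (not code from the paper or from [17]), the following Python script carries out the attack above as a baby-step giant-step search: the unknown exponent is written as $i = aM + b$ with $M \approx 2^{w/2}$, the giant step $a$ at which $\gcd(P(g^{aM}) \bmod n,\ n)$ is non-trivial is found with one polynomial evaluation and one gcd per giant step, and then the baby step $b$ gives $i$ with $k \equiv g^i \pmod p$. The instance is constructed inside the script: 37-bit safe primes from a Miller-Rabin helper, a random $g$, a 16-bit $x_p$ and a full-size $x_q$. These sizes, the seed and the naive $O(M^2)$ polynomial arithmetic (instead of the fast multipoint evaluation of [17]) are this example's own choices.

```python
# Added example (not from the paper): the small private CRT exponent attack of
# Proposition 2, written as a square-root (baby-step giant-step) search on
# gcd(k - g^i mod n, n).  The instance is constructed here with 37-bit safe
# primes and a 16-bit x_p so that it runs in seconds; the exponent bound w,
# the random g and the Miller-Rabin helper are this example's own choices.
import random
from math import gcd, isqrt

MR_BASES = (2, 3, 5, 7, 11, 13)


def is_probable_prime(m):
    """Deterministic Miller-Rabin: the bases 2..13 are exact for m < 3.4e12."""
    if m < 2:
        return False
    for b in MR_BASES:
        if m % b == 0:
            return m == b
    d, s = m - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True


def safe_prime(bits, rng):
    """Return p = 2p' + 1 with p' a prime of the given bit length."""
    while True:
        p1 = rng.randrange(1 << (bits - 1), 1 << bits) | 1
        if is_probable_prime(p1) and is_probable_prime(2 * p1 + 1):
            return 2 * p1 + 1


def build_instance(w, rng):
    """Public key (g, k, n) whose CRT exponent x_p is below 2^w; x_q is full size."""
    p = safe_prime(36, rng)
    q = safe_prime(36, rng)
    while q == p:
        q = safe_prime(36, rng)
    n = p * q
    g = rng.randrange(2, n)                  # the attack does not need g to generate G
    while gcd(g, n) != 1:
        g = rng.randrange(2, n)
    x_p = rng.randrange(1, 1 << w) | 1       # small CRT exponent (odd: coprime to p-1)
    x_q = rng.randrange(1 << w, q - 1) | 1   # ordinary CRT exponent, at least 2^w
    k_p, k_q = pow(g, x_p, p), pow(g, x_q, q)
    k = k_p + p * (((k_q - k_p) * pow(p, -1, q)) % q)   # CRT: k = g^x mod n
    return (g, k, n), (p, q, x_p, x_q)


def small_crt_exponent_attack(pub, w):
    """Find a prime factor of n and the matching CRT exponent in about 2^(w/2) steps.

    Write the unknown exponent as a*M + b with M = ceil(sqrt(2^w)).  Then
    g^(aM) = k * g^(-b) (mod p), so P(X) = prod_b (X - k*g^(-b)), computed
    modulo n, vanishes modulo p at X = g^(aM) and gcd(P(g^(aM)) mod n, n) > 1.
    One Horner evaluation and one gcd per giant step a replaces M separate gcds;
    [17] speeds the evaluations up with multipoint evaluation, omitted here."""
    g, k, n = pub
    M = isqrt((1 << w) - 1) + 1
    g_inv = pow(g, -1, n)
    baby = [k * pow(g_inv, b, n) % n for b in range(M)]    # k * g^(-b), b = 0..M-1
    poly = [1]                                              # coefficients of P, low degree first
    for r in baby:                                          # multiply P by (X - r) modulo n
        nxt = [0] * (len(poly) + 1)
        for i, c in enumerate(poly):
            nxt[i + 1] = (nxt[i + 1] + c) % n
            nxt[i] = (nxt[i] - c * r) % n
        poly = nxt
    giant = pow(g, M, n)
    G = 1                                                   # g^(aM)
    for a in range(M):
        val = 0
        for c in reversed(poly):                            # Horner's rule modulo n
            val = (val * G + c) % n
        if gcd(val, n) > 1:
            for b in range(M):                              # locate the matching baby step
                d = gcd((G - baby[b]) % n, n)
                if d > 1:
                    # d == n only if x_p == x_q, in which case n is not split
                    return (d if d < n else None), a * M + b
        G = G * giant % n
    return None, None


if __name__ == "__main__":
    pub, (p, q, x_p, x_q) = build_instance(16, random.Random(11))
    factor, exp = small_crt_exponent_attack(pub, 16)
    print("factor found:", factor == p, " exponent found:", exp == x_p)
```

The search touches $M$ giant steps with $M = 2^{w/2}$, which is the $x_p^{1/2}$ in Proposition 2; the $\log x_p$ factor comes from doing the polynomial evaluations in batches rather than with the plain Horner loop used here. Note that the attack never needs $e'$, the modulus factorization or a lattice: only the public key and the promise that some CRT exponent is below $2^w$.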
There are two ways to break the RCDH assumption, on which the computational security of the proposed scheme rests: break the DL assumption or break the RDL assumption. RDL is the stronger of the two assumptions (DL ⇐ RDL, since an algorithm that solves DL for all exponents also solves it for $x \in I$), and DL is known to be hard [7-9], so breaking RDL is the best known way to break RCDH.
Hence, if $H: G^2 \to K_s$ is modeled as a random oracle, the proposed scheme is semantically secure under the RCDH assumption.
Next, we considered the RDDH and RHDH assumptions under the RCDH assumption in order to prove the semantic security of proposed scheme without random oracle.
Under the RDL and RCDH assumptions, we can simply prove that DDL, RHDH and RDDH assumptions hold in the similar way to [4], which described the DDH with short exponents under the DLSE assumption. That is, the following Proposition 3 (DDL) and Proposition 4 (RHDH) can be easily obtained by substituting RDL assumption for DLSE [4,Assumption4] in Proposition1 and Theorem5 of [4].
Proposition 3: Let $n = pq$ where $p$, $q$, $(p-1)/2$ and $(q-1)/2$ are primes, $\lambda = (p-1)(q-1)/2$ and $G$ is the subgroup of $\mathbb{Z}_n^*$ of order $\lambda$. If the RDL assumption holds, then the DDL assumption holds in $G$. (Proof): In [7], Patel and Sundaram introduced the concept of HB (Hardness of Bits) for one-way functions and first described HB under the s-DLSE (Discrete Logarithm with Short s-Bit Exponent) assumption. Building on [7], Gennaro [4,8] introduced the concept of SEI (Short-Exponent Indistinguishability) and proved the SEI assumption under the s-DLSE assumption. More precisely, the SEI assumption in $\mathbb{Z}_p^*$ ($p = 2q+1$, $p$ and $q$ primes) was proved in [8], and its generalization (the SEI assumption for a cyclic group $G$ whose order $\mathrm{ord}(G)$ is odd or such that $\mathrm{ord}(G)/2$ is odd) was given in Proposition 1 of [4]. From this, the SEI assumption holds under the DLSE assumption in our $G$, because its order $\lambda$ is even but $\lambda/2$ is odd.
Meanwhile, the DLSE and RDL assumptions are alike in that both rest on the intractability of the discrete logarithm when restricted exponents are used instead of full exponents. (In s-DLSE an s-bit exponent replaces the full exponent, and in w-RDL w-bit CRT exponents replace the full CRT exponents. The relation between s-DLSE and w-RDL is described in detail in the proof of Proposition 4.) Hence RDL can be used instead of DLSE in the proof of the SEI assumption in $G$, which yields the proof of DDL. That is, the proof of DDL is obtained by substituting RDL for DLSE in the proof of the SEI assumption [4, Proposition 1], described in detail in Appendix C of the e-print version of [4], and so it is skipped here. (end of Proof).
Proposition 4: Let $n = pq$ where $p$, $q$, $(p-1)/2$ and $(q-1)/2$ are primes, $\lambda = (p-1)(q-1)/2$ and $G$ is the subgroup of $\mathbb{Z}_n^*$ of order $\lambda$. If the RDL assumption holds, then the RHDH assumption also holds in $G$. (Proof): In [4], Gennaro proposed the t-DDH assumption as a relaxation of the DDH assumption and described how the DH value can be transformed into a secure key by a hash function in non-DDH groups.
Note. $0 \le t \le \log(\mathrm{ord})$ holds, and the DDH assumption is the special case $t = \log(\mathrm{ord})$ of the t-DDH assumption [4], where ord denotes the order of the group.
Besides, Gennaro proved that if s-DLSE and t-DDH assumptions hold, then hashed DH transform is as secure with full exponents as with s-bit exponents (i.e., HDH assumption with short exponents holds) in non-DDH group [4,Theorem5].
From the fact above, HDH assumption with short exponents holds under the DLSE assumption in G, because G is a DDH group [3] (i.e., log (ord)-DDH assumption holds in G).
Then, what is the relation between the DLSE and RDL assumptions in the group $G$? As in other groups, square-root attacks such as the Shanks and Pollard methods are the usual way to break the DLSE assumption in $G$. Unlike in other groups, small CRT exponent attacks can additionally be used to break DLSE in $G$. However, the best known small CRT exponent attack is also a square-root algorithm (Proposition 2), so the best known attack on DLSE in $G$ remains a square-root attack. That is, the 224-DLSE assumption still holds for a 2048-bit modulus in $G$ even when small CRT exponent attacks are taken into account.
From this, DLSE and RDL appear to offer the same security. However, the RDL assumption is strictly stronger than DLSE (i.e., DLSE ⇐ RDL) in the sense that, to break RDL, the Shanks and Pollard methods cannot be used and only small CRT exponent attacks apply.
From this, RDL can be used instead of DLSE in the proof of the HDH assumption with short exponents in $G$, which yields the proof of RHDH. The proof of RHDH is identical to that of HDH with short exponents [4, Theorem 5] except that RDL is used instead of DLSE, and so it is skipped here. (end of Proof).
Finally, let's consider the RDDH assumption. In [4], on the basis of Theorem5, Gennaro described that performing the DH transform with exponent of size s yields values which are indistinguishable from random element in DDH-group where s-DLSE assumption holds (i.e., described that DDH assumption with short exponents holds under the DLSE and DDH assumption).
As mentioned in the proof of Proposition 4, the DDH and DLSE assumptions hold in the subgroup $G$ of $\mathbb{Z}_n^*$ ($n = pq$) of order $\lambda = (p-1)(q-1)/2$, where $p$, $q$, $(p-1)/2$ and $(q-1)/2$ are primes (i.e., $G$ is a DDH group in which the DLSE assumption holds), and so the DDH assumption with short exponents also holds in $G$.
Similarly to Proposition3 and 4, DLSE can be replaced with RDL in the proof of DDH assumption with short exponents, too. As a result, following Proposition5 (i.e., the proof of RDDH in G) can be easily obtained.
Proposition 5: Let $n = pq$ where $p$, $q$, $(p-1)/2$ and $(q-1)/2$ are primes, $\lambda = (p-1)(q-1)/2$ and $G$ is the subgroup of $\mathbb{Z}_n^*$ of order $\lambda$. If the RDL assumption holds, then the RDDH assumption holds in $G$. From Propositions 4 and 5, the proposed scheme is semantically secure even if $H: G^2 \to K_s$ is not modeled as a random oracle.
From all the facts above, the proposed scheme (i.e., CRT-ElGamal (224, 224, 2048)) is semantically secure whether or not $H$ is modeled as a random oracle: under the RCDH assumption in the random oracle model, and under the RHDH and RDDH assumptions without it.

Performance comparison
We have used the hybrid encryption paradigm for the performance analysis. (See Algorithm 1.2, 1.3, 2.2 and 2.3.) In comparison, all public key schemes have been used as KEM (Key Encapsulation Mechanism) and the same symmetric authentication encryption (E s ,D s ) has been used as DEM (Data Encapsulation Mechanism) for all public key schemes.
In this case, delays by hash function and symmetric authenticated encryption can be ignored compared to modular exponentiation of big integers and so, we have considered only the encryption and decryption times of public key schemes in the comparison.

Theoretical results
The theoretical encryption and decryption times of CRT-RSA, rebalanced RSA, ElGamal in the subgroup of quadratic residues of $\mathbb{Z}_p^*$ ($p = 2p'+1$, $p$ and $p'$ primes; denoted ElGamal), ElGamal in the subgroup of $\mathbb{Z}_p^*$ ($p = aq+1$, $a > 2$) of prime order $q$ (denoted ElGamal in subgroup), CRT-ElGamal, ElGamal with short exponents (denoted SE-ElGamal) and the proposed scheme are summarized in Table 1.
Referring to [23] and [24], 224-bit and 250-bit CRT exponents were used in the decryption of the proposed scheme and of rebalanced RSA, respectively. And, referring to [4, Section 4], [6] and [9, Section 3.6], a 224-bit private exponent was used in the decryption of SE-ElGamal and ElGamal in subgroup to thwart the usual square-root attacks such as the Shanks and Pollard methods.
As shown in Table 1, proposed scheme is more advantageous than other systems because both encryption and decryption are fast. In theory, the total processing speed of proposed scheme is approximately 18.2 times faster than ElGamal (or rebalanced RSA), 4.54 times faster than CRT-RSA (or CRT-ElGamal) and 2 times faster than SE-ElGamal (or ElGamal in subgroup), respectively.

Experimental results
The experimental results for the schemes of Table 1 are listed in Table 2, which shows the relative comparison between the schemes, because the timings are approximate.
The prime generation module to find a prime p = 2p 0 +1 where p 0 is a prime number was used in all schemes of Table 2 (ElGamal in subgroup is an exception).
In fact, as shown in Table 2, the total processing speed of CRT-ElGamal is the same as the one of CRT-RSA, but there exists a message expansion by factor of 2 compared to CRT-RSA and so, CRT-ElGamal is of no practical use compared to CRT-RSA. However, in the case of reducing the CRT exponents, CRT-ElGamal is more advantageous than CRT-RSA in total processing speed, because encryption time of CRT-ElGamal is not affected by reducing CRT exponents unlike CRT-RSA. (Compare the rebalanced RSA with proposed scheme of Table 2).
For a 2048-bit modulus, the proposed scheme is about 4.37 times faster than CRT-RSA and 1.93 times faster than SE-ElGamal (or ElGamal in subgroup) in total processing time (encryption plus decryption).

Discussion
In Section 3.2, we proved that CRT-ElGamal (224, 224, 2048) is still one-way (i.e., RCDH assumption holds) under the RDL and CDH assumptions and is still IND-CPA (i.e., RHDH and RDDH assumption hold) under the RDL and DDH assumptions. In other words, Section 3 described that RDL assumption can be used for the CPA security.
However, RDL can also be used for the CCA security when it is used in CCA secure encryption schemes such as twin ElGamal and Cramer-Shoup scheme. That is, twin ElGamal and Cramer-Shoup scheme can be modified for the fast decryption in the similar way to Section 3. In this case, our variant of twin ElGamal becomes to be IND-CCA under the RCDH assumption in the random oracle model and our variant of Cramer-Shoup becomes to be IND-CCA under the RDDH assumption. The security proof can be easily obtained by substituting RCDH and RDDH for CDH and DDH, respectively, in the security proof of ordinary twin ElGamal and Cramer-Shoup scheme.
Finally, the DLSE assumption can be used for both DH and ElGamal protocol, but RDL assumption can be used for only the ElGamal protocol.

Conclusion
In this paper we did not suggest any new encryption protocol. We only described the possibility of reducing the CRT exponents in CRT-ElGamal, which is known to be semantically secure in combination with a hash function and symmetric authenticated encryption.
In other words, we considered the RCDH, RDDH and RHDH assumptions and showed that they can be substituted for the CDH, DDH and HDH assumptions, respectively, in protocols. By such substitutions, we achieved a decryption speed-up without losing fast encryption in CRT-ElGamal (with or without a random oracle).
The total processing speed of the proposed scheme is comparable to the decryption speed of rebalanced RSA. Hence, the proposed scheme is suited to applications that require both fast encryption and fast decryption.
Substitutions above give the possibility of speed up in some CCA secure ElGamal protocols, too. Especially, it would be possible to propose the fast variant of twin ElGamal which has the fast encryption and fast decryption by using RCDH assumption instead of CDH assumption.