Abstract
To prove the CCA (Chosen Ciphertext Attack) security of ElGamal in the random oracle model, a group in which the ICDH (Interactive Computational Diffie Hellman) assumption holds is required. Until now, only bilinear groups, which have a complex algebraic structure, have been known to be ICDH groups. In this paper, we introduce an ICDH group with a simple algebraic structure: we prove that the ICDH assumption holds in the integer group with composite modulus. On this basis, we propose a CCA secure hashed ElGamal and a fast variant of it that speeds up decryption by parallel processing. Our parallel scheme has the fastest decryption among all CCA secure PKE (Public Key Encryption) schemes implemented in an integer group, and it suggests that the ElGamal protocol can remain practical when large moduli are used to resist quantum attacks.
Citation: Kim GC, Ji HA, Jong YB, Kim GH, Kim HS (2023) Possibility of decryption speed-up by parallel processing in CCA secure hashed ElGamal. PLoS ONE 18(11): e0294840. https://doi.org/10.1371/journal.pone.0294840
Editor: Vincent Omollo Nyangaresi, Jaramogi Oginga Odinga University of Science and Technology, KENYA
Received: July 21, 2023; Accepted: November 9, 2023; Published: November 30, 2023
Copyright: © 2023 Kim et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Data Availability: All relevant data are within the paper and its Supporting Information files.
Funding: The author(s) received no financial support for the research, authorship, and/or publication of this article.
Competing interests: The authors have declared that no competing interests exist.
1. Introduction
After the discovery of the DH (Diffie Hellman) key exchange protocol [1], many PKE schemes [2–8] based on the CDH (Computational Diffie Hellman) problem were developed and are widely used. In modern ElGamal systems, using the DH value itself to mask the plaintext via multiplication is not recommended; instead, the DH value is used to derive a symmetric key, and the plaintext is encrypted with a semantically secure symmetric encryption scheme under that key. To prove CCA security, the CDH, DDH (Decisional Diffie Hellman) [9] and ICDH [10] assumptions are the ones basically used. CCA security is a strong and very useful notion of security for PKE schemes [11–13].
In the random oracle model [14], hashed ElGamal is proved to be CCA secure (i.e., semantically secure against Chosen Ciphertext Attack) under the ICDH assumption, and twin ElGamal is proved to be CCA secure under the CDH assumption [6, 7, 10]. Without the random oracle model [3], the Cramer-Shoup scheme is proved to be CCA secure under the DDH assumption. Table 1 compares hashed ElGamal, twin ElGamal and the Cramer-Shoup scheme.
Note. The ICDH assumption is called the Strong DH assumption in [4, 7, 15–21]. However, in some papers [22–28], the name Strong DH assumption refers to a different assumption defined over bilinear maps. Hence, to avoid the conflict, the Strong DH assumption is called the ICDH assumption in [10] and in this paper.
As shown in Table 1, among the above CCA secure protocols, hashed ElGamal is advantageous in terms of optimal ciphertext overhead (the difference between ciphertext and plaintext lengths) [7] and of encryption/decryption efficiency. However, hashed ElGamal is CCA secure only when implemented in an ICDH group. At present, only bilinear groups, in which the ICDH assumption is known to be equivalent to the CDH assumption [15], have been known to be ICDH groups.
However, bilinear groups need special elliptic curves with a more complex structure, and so CCA secure ElGamal systems are most commonly implemented as twin ElGamal or the Cramer-Shoup scheme in simple groups where the CDH or DDH assumption holds. In other words, twin ElGamal or the Cramer-Shoup scheme is commonly used instead of hashed ElGamal in practice.
To the best of our knowledge, there are no results in the literature introducing an ICDH group with a simple algebraic structure.
In this paper, we present a simple ICDH group and propose the CCA secure hashed ElGamal which has the possibility of fast decryption by parallel processing.
We highlight the following key results of our study:
- We prove that ICDH assumption holds in the integer group with composite modulus.
- In the integer group with composite modulus, we propose the hashed ElGamal and prove the CCA security.
- We modify the logical structure of hashed ElGamal to speed up decryption by parallel processing.
This paper is organized as follows. In Section 2, we describe the relevant preliminaries, including PKE and reasonable assumptions. In Section 3, we analyze the CCA security of hashed ElGamal in G and propose a fast variant of hashed ElGamal whose decryption can be sped up by parallel processing. In Section 4, we show some theoretical and experimental results of our implementation. In Section 5, we discuss the possibility of further reducing decryption time. Finally, we conclude in Section 6.
2. Preliminaries
A PKE scheme is a triple of algorithms (K, E, D) such that
- Key generation algorithm K is a probabilistic algorithm that generates a pair of public and private keys (pk, sk).
- Encryption algorithm E is a probabilistic algorithm that produces a ciphertext c←E(pk, m) for a given message m and public key pk.
- Decryption algorithm D is a deterministic algorithm that outputs a message m←D(sk, c) or the special reject value ⊥ for a given ciphertext c and private key sk.
For each key pair (pk, sk) generated by algorithm K, and for every message .
The security of a PKE scheme is usually proved under a reasonable assumption. A typical one is a computational assumption, stated as the intractability of an inverting problem such as factoring a composite number, solving the RSA problem, computing discrete logarithms (the DL problem), or solving the CDH problem. Here an inverting problem is: given y and a relation f, find a solution x satisfying f(x, y) = 1.
Another type of reasonable assumption is stated as the intractability of a decision problem such as the DDH problem, which is usually used to prove the CPA (Chosen Plaintext Attack) security of PKE. A decision problem is: given (x, y) and f, decide whether the pair (x, y) satisfies f(x, y) = 1 or not.
Let, be prime numbers and n = pq. Let G be the multiplicative subgroup of
with generator g of order
. Then, above problems are described as follows.
Factoring problem: given a composite integer n = pq where the p and q are the safe primes, find p and q.
RSA problem: given y, find an integer x such that .
DL problem: given a pair , find the x.
CDH problem: given a triple , find the element Y = gxy.
DDH problem: given a quadruple of elements , decide whether z = xy mod λ or not.
To prove CCA security, a stronger type of reasonable assumption is usually used, such as the Gap DH (Gap Diffie Hellman) assumption [17, 29–35] or the ICDH assumption. These state the intractability of solving an inverting problem given access to an oracle for a related decision problem: given y and f, find x such that f(x, y) = 1, with access to an oracle that, on a query (x1, y1), answers whether f(x1, y1) = 1 or not. The Gap DH and ICDH assumptions in G are described in the following section.
3. System model
We considered the integer group with composite modulus, which is known to be a DDH group, and proved that the ICDH assumption holds in this group. In other words, we proved that breaking the generalized ICDH assumption modulo a composite leads to breaking the RSA assumption [36], and on this basis we proposed a CCA secure hashed ElGamal in G.
In the group G, CDH and DDH have been believed to be intractable [9, 37, 38]. Let (n, e) be the RSA public key and d the RSA private key such that ed≡1 mod λ. Assume that an adversary can obtain the generator g of G and gd (∈G). (In RSA this is possible by randomly selecting a generator u and setting g = ue mod n; g is then also a generator and u = gd mod n holds.) Let r be an element of G.
Then r = gx holds for some x (∈Zn), and if the CDH assumption is broken in G, the adversary can obtain rd (= gxd) from r (= gx) and gd.
From this, it can be seen that breaking the CDH assumption in G gives the possibility of breaking the RSA assumption.
Note. Of course, the CDH assumption has already been known to be intractable in G [37, 38]. In this paper, we reconsider it in relation to the RSA assumption.
Similarly, we proved that the ICDH assumption holds in G under the RSA assumption, as follows.
In the ICDH problem, access to a “DH-decision oracle” is added to the CDH problem. Assume that the CDH assumption is not broken but the ICDH assumption is broken in G. Then the adversary can directly break the RSA assumption by using the public key e, as follows.
In RSA, the adversary can briefly test whether any triple he likes is a DH-triple (i.e.,
for the triple
) by using the given public key e (i.e., by checking that
), without knowledge of any secret key material and so, he never needs to issue queries to the challenger. In other words, the adversary can access the “DH-decision oracle” that recognizes DH-triples of the form (gd,∙,∙) offline on his own.
Note that in hashed ElGamal, the adversary has to access the “DH-decision oracle” online (more precisely, the adversary has to issue decryption queries to the challenger to realize the “DH-decision oracle”) [7, 10].
Consequently, the adversary can obtain rd (= gxd) from r (= gx) and gd by using his own “DH-decision oracle”, and so breaking the ICDH assumption in G also gives the possibility of breaking the RSA assumption. See the proof of Theorem 2 for more details.
When the modulus n is large enough (2048 bits), the RSA assumption is not broken. Hence, in G, the ICDH assumption holds and hashed ElGamal is CCA secure for large moduli.
Next, we modified hashed ElGamal slightly to speed up decryption by parallel processing. We converted the large private key into a group of small private keys and modified the encryption process so that the small private keys are used in decryption, which makes it possible to speed up decryption by parallel processing. The results of this modification are encouraging and show that hashed ElGamal can still be practical even when a large modulus is used to resist quantum computing attacks.
3.1 CCA secure hashed ElGamal in integer group with composite modulus
The most important security guarantee needed for PKE is semantic security, which is classified into CPA security (semantic security against chosen-plaintext attacks) and CCA security (semantic security against adaptive chosen-ciphertext attacks), described as follows.
Algorithm 3.1: Chosen plaintext attack game, played between a challenger and adversary A.
Step1. The challenger generates a public key/private key pair (pk, sk), and sends the public key pk to A.
Step2. A makes one challenge query, which is a pair of messages (m0, m1) and sends them to the challenger.
Step3. The challenger chooses b∈{0, 1} at random, encrypts mb, and sends the ciphertext to A.
Step4. A outputs .
The advantage of adversary A is defined as . The scheme PKE is secure against chosen plaintext attack if for all efficient adversaries A, the advantage Advcpa is negligible.
Algorithm 3.2: Chosen ciphertext attack game, played between a challenger and adversary A.
Step1. The challenger generates a public key/private key pair (pk, sk), and sends the public key pk to A.
Step2. A makes a number of decryption queries to the challenger; each query is a ciphertext c; the challenger decrypts c, and sends the result m←D(sk, c) to A.
Step3. A makes one challenge query, which is a pair of messages (m0, m1) and sends them to the challenger.
Step4. The challenger chooses b∈{0, 1} at random, encrypts mb, and sends the ciphertext c*←E(pk, mb) to A.
Step5. A makes more decryption queries, just as in Step 2, but with the restriction that c≠c*.
Step6. A outputs .
The advantage of adversary is defined as . The scheme PKE is secure against chosen ciphertext attack if for all efficient adversaries A, the advantage Advcca is negligible.
Note. A function ε(k) is said to be negligible if for every i>0 there exists k0 satisfying for all k>k0.
If the security of PKE is proved in the random oracle model, hash functions are replaced by random oracle queries, and both challenger and adversary are allowed to access the random oracle in the above attack games.
In G, we propose a CCA secure ElGamal whose ciphertext overhead is a single group element, as follows.
Algorithm 3.3: Key generation for hashed ElGamal in G.
Each user creates the public key and the corresponding private key.
Step1. Select a multiplicative cyclic group G of order , with generator g where p, q,
and
are large primes.
In this case, G becomes a subgroup of . This can be described in detail as follows.
Step1.1. Select the large primes p, q, p′ and q′ such that p = 2p′+1 and q = 2q′+1 and calculate and qinv = q−1mod p.
Step1.2. Select the generator gp of and generator gq of
and calculate
that satisfies gp = g mod p and gq = g mod q as follows.
In this case, g becomes a generator of G.
Step2. Select a random integer and compute the group element u←gx.
This can be described in detail as follows.
Step2.1. Select random integers and
such that
and
. In this case,
is satisfied.
In this case, and
are satisfied.
Step3. Public key is (g, u, n) and private key is x.
This can be described in detail as follows.
Step3.1. Public key is (g, u, n) and private key is (x, xp, xq, p, q).
Encryption and decryption use the symmetric encryption (Es, Ds) defined over (Ks, Ms, Cs) and hash function H(G2→Ks).
Algorithm 3.4: Encryption for hashed ElGamal in G.
User encrypts a message m∈Ms, where Ms is a message space of (Es, Ds).
Step1. Obtain authentic public key (g, u, n).
Step2. Select a random integer y(1<y<n) and compute group elements v←gy, w←uy and hash value ks←H(v, w).
Step3. Encrypt the message m by using symmetric encryption Es and key ks.
Step4. Send the ciphertext (v∈G, c∈Cs), where Cs is the ciphertext space of (Es, Ds).
Algorithm 3.5: Decryption for hashed ElGamal in G.
User recovers message m from (v, c).
Step1. Compute the group element w←vx and hash value ks←H(v,w).
w can be computed quickly by using the CRT (Chinese Remainder Theorem) exponents xp and xq, as in CRT-RSA [39].
Step1.1. Calculate and
.
Step1.3. Calculate w as follows.
Step1.4. Calculate ks←H(v, w).
Step2. Recover the message m by using symmetric decryption Ds and key ks.
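Algorithms 3.3–3.5 as an added, runnable example (not the paper's code). Toy-size safe primes are found by sieving, the random oracle H is stood in by SHA-256 over fixed-width encodings of (v, w), and the symmetric scheme (Es, Ds) is a constructed encrypt-then-MAC stand-in whose reject value is None; all three are assumptions of this example, not choices made by the paper.

```python
import hashlib
import hmac
import secrets

def _small_primes(limit):
    """Sieve of Eratosthenes; only sensible for the toy parameter sizes used here."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytes(len(range(i * i, limit + 1, i)))
    return [i for i in range(limit + 1) if sieve[i]]

def safe_primes(bits):
    """Safe primes p = 2p'+1 (p' prime) with exactly `bits` bits."""
    primes = set(_small_primes(1 << bits))
    return sorted(p for p in primes if p.bit_length() == bits and (p - 1) // 2 in primes)

def generator_mod_prime(p):
    """Generator of Z_p^* for a safe prime p: order 2p' means g^2 != 1 and g^p' != 1 (mod p)."""
    pp = (p - 1) // 2
    while True:
        g = secrets.randbelow(p - 2) + 2
        if pow(g, 2, p) != 1 and pow(g, pp, p) != 1:
            return g

def crt(ap, aq, p, q):
    """Combine residues mod p and mod q into the residue mod n = pq, using qinv = q^-1 mod p (Step 1.1)."""
    qinv = pow(q, -1, p)
    return (aq + q * (((ap - aq) * qinv) % p)) % (p * q)

def keygen(bits=16):
    """Algorithm 3.3: G = <g> is the subgroup of Z_n^* of order lambda = 2p'q'."""
    cands = safe_primes(bits)
    p = secrets.choice(cands)
    q = secrets.choice([c for c in cands if c != p])
    n = p * q
    lam = 2 * ((p - 1) // 2) * ((q - 1) // 2)
    # Step 1.2: g = CRT(gp, gq) has order lcm(p-1, q-1) = lambda
    g = crt(generator_mod_prime(p), generator_mod_prime(q), p, q)
    x = secrets.randbelow(lam - 2) + 2                    # Step 2
    u = pow(g, x, n)
    # Step 3.1: keep the CRT exponents x mod (p-1), x mod (q-1) as in CRT-RSA
    sk = {"x": x, "xp": x % (p - 1), "xq": x % (q - 1), "p": p, "q": q}
    return (g, u, n), sk

def H(v, w, n):
    """Stand-in for the random oracle H: G^2 -> Ks (SHA-256 over fixed-width encodings)."""
    size = (n.bit_length() + 7) // 8
    return hashlib.sha256(v.to_bytes(size, "big") + w.to_bytes(size, "big")).digest()

def _keystream(k_enc, length):
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(k_enc + i.to_bytes(4, "big")).digest() for i in range(blocks))

def Es(ks, m):
    """Constructed symmetric scheme: SHA-256 keystream XOR, then an HMAC tag (encrypt-then-MAC)."""
    k_enc, k_mac = hashlib.sha256(b"enc" + ks).digest(), hashlib.sha256(b"mac" + ks).digest()
    body = bytes(a ^ b for a, b in zip(m, _keystream(k_enc, len(m))))
    return body + hmac.new(k_mac, body, hashlib.sha256).digest()

def Ds(ks, c):
    """Returns m, or None (the reject value) when the tag does not verify."""
    k_enc, k_mac = hashlib.sha256(b"enc" + ks).digest(), hashlib.sha256(b"mac" + ks).digest()
    body, tag = c[:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, body, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(k_enc, len(body))))

def encrypt(pk, m):
    """Algorithm 3.4: v = g^y, w = u^y, ks = H(v, w); the ciphertext overhead is the single element v."""
    g, u, n = pk
    y = secrets.randbelow(n - 2) + 2
    v, w = pow(g, y, n), pow(u, y, n)
    return v, Es(H(v, w, n), m)

def decrypt(sk, pk, ct):
    """Algorithm 3.5: w = v^x via the CRT exponents (Steps 1.1, 1.3), then ks = H(v, w) (Step 1.4)."""
    v, c = ct
    wp = pow(v, sk["xp"], sk["p"])
    wq = pow(v, sk["xq"], sk["q"])
    w = crt(wp, wq, sk["p"], sk["q"])
    return Ds(H(v, w, pk[2]), c)
```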
Because the CDH and DDH assumptions hold in G [9], the following Theorem 1 can be obtained by following [10].
Theorem 1. If is modeled as a random oracle and symmetric encryption (Es, Ds) is CPA secure (i.e., is semantically secure against Chosen Plaintext Attack), then hashed ElGamal in G is CPA secure.
Proof. Assume that there exists an IND(Indistinguishability)-CPA adversary A which makes at most Q queries to the random oracle and has advantage εEG in hashed ElGamal. Then, we present CDH adversary Bcdh which has advantage εcdh in group G and IND-CPA adversary Bs which has advantage εs in symmetric encryption (Es, Ds) such that
(1)
We define Game1 as a modified version of Game0, which is the actual attack game to hashed ElGamal in G. In each game, b denotes the random bit chosen by the challenger, while denotes the bit output by A. For j = 0, 1, we define Wj to be the event that
in Game j.
Game 0. Challenger selects x, y randomly so that and calculates
.
The random oracle is implemented by using an array . Challenger selects k∈K randomly and sets Map[v, w] = k. And challenger sends the public key u to adversary A. Then, adversary A outputs a pair of messages (m0, m1) and challenger produces the ciphertext (v, c = Es(k, mb)) by flipping a coin b.
- When random oracle is queried at , challenger acts as follows.
If then select k∈K randomly and set
.
The answer corresponding to random oracle query at is
.
Game 1. We modify Game0 by setting Map[v, w] = ∅ instead of Map[v, w] = k.
Let Z be the event that the adversary queries the random oracle at (v, w) in Game 1.
If event Z happens, then one of the adversary’s random oracle queries is (v, w), where w = vx.
Also, challenger uses x and y only to compute u and v in Game1.
Hence, we can use adversary A to build adversary Bcdh to break the CDH assumption. Bcdh chooses one of the A’s random oracle queries at random, and the probability that such
will be chosen from random selection is at least Pr[Z]/Q. In other words,
(4)
Meanwhile, in Game 1, the key k is used only to encrypt the challenge plaintext.
Hence, we can also use adversary A to build IND-CPA adversary Bs in symmetric encryption (Es, Ds).
From the definition of IND-CPA adversary,
(5)
By combining (2), (3), (4) and (5), we can obtain (1). (end of proof)
Theorem1 shows only the CPA security of hashed ElGamal in G. For the CCA security, a stronger assumption is needed.
Assume that the adversary selects arbitrary elements and
, and computes
and
for some arbitrary message
. Further, assume the adversary gives the ciphertext
to a “decryption oracle” and obtains the decryption
. Now, it is very likely that
if and only if
. See [7] and [10] for more details.
Note. Decryption algorithm does not verify that (Of course, such a verification can be easily done, but it requires additional calculation. Furthermore, it could present a more attractive target for the adversary because it gives an oracle to check whether or not
? for an arbitrary element
) for given ciphertext
(See Algorithm3.5) and so,
and
can be used instead of
and
, respectively, in the CCA scenario (more precisely, in the definition of DH-triple
).
For , define the predicate dh(U, V)≔Vx and for
, define the predicate
. (These are little different from the definition of [7, Section1.1] and [10, Section11.4] because
are used instead of
. As mentioned above, factorization of n is unknown and so, adversary cannot distinguish between G and
.) Then, in the CCA scenario, the adversary can use the decryption oracle to answer questions (i.e.,
?) of the form
for elements
and
of the adversary’s choosing.
The adversary cannot efficiently answer such questions on his own (if he could, the DDH assumption would be broken in G), and so the decryption oracle leaks some information about the secret key x which could potentially be used to break the encryption scheme.
From the facts above, the ICDH assumption used in the CCA security proof of hashed ElGamal over G can be defined as follows.
ICDH assumption: It is difficult to compute dh(U, V), given random U∈G and V∈G, along with access to decision oracle for the predicate dhp(U,∙,∙), which on input , returns
.
Note. Gap DH assumption where an adversary gets access to a full DH decision oracle for the predicate dhp(∙,∙,∙), which on input , returns
is different (and stronger) than ICDH assumption where an adversary gets access to a restricted DH decision oracle for the predicate dhp(U,∙,∙), which on input
, returns
. In other words, ICDH assumption (where the first element of the triplets submitted to the DH decision oracle is fixed) is implied by the Gap DH assumption (where the first element can be freely chosen) [7, 17, 40, 41].
The following Theorem 2 shows that if the ICDH assumption is broken in G, then it is possible to break the RSA assumption.
Theorem 2: Assume ICDH assumption is (t, qdh, ε)-broken in group G, where qdh is the number of queries to “DH-decision oracle” and ε is the probability to break the assumption in time t. Then, RSA assumption is (t, qdh, ε/8)-broken when safe primes are used.
Proof. Let B be an attacker which (t, qdh, ε)-breaks ICDH assumption in group G. We present an adversary A which (t, qdh, ε/8)-breaks RSA assumption when modulus n is the product of two safe primes. Let e be the public exponent and d be the private exponent. Adversary A is given as input (n, e, r) where r was chosen at random from and is trying to find rd mod n.
In RSA, anyone can obtain the pair of elements (h, hd), where h is an element of , by selecting arbitrary element
and setting h = uemod n(i.e., u = hdmod n). Besides, anyone can obtain the arbitrary element
by multiplying eth power of arbitrary element
and r (i.e., v = ser mod n).
Assume that h is a generator of G and v is an element of G(i.e., v = ha).
Then, the ICDH attacker B can obtain vd = had from elements u = hd and v = ha with success probability ε and running time t, making qdh queries to “DH-decision oracle” that recognizes DH-triples of form .
In this case, the “DH-decision oracle” differs from the one in hashed ElGamal.
First, in order to determine whether or not any triple is DH-triple(i.e.,
?), the ICDH attacker B checks that
using RSA public exponent e on his own without making queries to the challenger, because modular inverse of private key (i.e., e = d−1mod λ) is published in RSA, unlike hashed ElGamal. In other words, “DH-decision oracle” can be done off line(This creates more favorable conditions to B than in hashed ElGamal’s DH-decision oracle) by B and so, A need not simulate “DH-decision oracle” to answer B’s query.
Second, the computational cost per “DH-decision oracle” query is comparable to that of hashed ElGamal.
In RSA, small public exponents are commonly used (i.e., RSA assumption still holds for small public exponents such as 3 and 65537) and so, for given , calculation of
for the test (
) is much faster(This also creates favorable conditions to B) than the calculation of “DH-decision oracle” of hashed ElGamal in G (i.e., calculation of
and
for the test (
)) because lognx≈1. Even though full sized public exponent e(logne≈1) is used [42] in RSA, computation of
is comparable to the computation of
of decryption oracle in hashed ElGamal.
Of course, the generator and elements of G are unknown to B. Hence, adversary A must select h (= ue) and v (= ser mod n) as a generator and an element of G, respectively, and run the ICDH attacker B on input (u (= hd), v) in order to get vd.
Meanwhile, many elements of can become the generator or element of G. Hence, when adversary A selects h and v as random elements of
(this is accomplished by anyone in RSA as mentioned above), h becomes a generator and v becomes an element of G with high probability.
Let and
. From Algorithm 3.3, the order of G is λ = 2p′q′, and so the probability that a random element v∈Zn lies in G is as follows.
A group of order λ has ϕ(λ) generators, where ϕ is Euler's phi function. Hence, the probability that a random element h∈Zn is a generator of G is as follows.
From Eqs (6) and (7), the probability that h is a generator of G and v lies in G, for arbitrarily selected h and v, is as follows.
Hence, with probability at least 1/8, A selects h and v as a generator and an element of G, respectively, and gives B the challenge instance (u = hd, v = ha). If and when B outputs vd mod n, A outputs rd mod n = vds−1 mod n.
From all the facts above, if the ICDH assumption is (t, qdh, ε)-broken in G, then it is possible to (t, qdh, ε/8)-break the RSA assumption. (end of proof)
Even when safe primes p and q are used, the RSA assumption has been believed to be unbroken (regardless of whether the public exponent e is small or large), and so the ICDH assumption holds in G by Theorem 2.
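The two ingredients of the Theorem 2 reduction as an added example (not the paper's code), with a constructed toy modulus n = 23·47 (safe primes) and public exponent e = 3: the DH-decision predicate for triples of the form (hd, v, z), evaluated offline from e alone, and adversary A's conversion of an RSA challenge r into the ICDH instance v = ser and of B's answer vd back into rd = vds−1. The ICDH attacker B is hypothetical, so it is passed in as a callable; the test stands one in that cheats with d.

```python
import secrets
from math import gcd

N, E = 23 * 47, 3        # constructed toy RSA modulus (safe primes 23, 47) and public exponent
LAM = 2 * 11 * 23        # lambda(n) = 2 p' q', the order of G
D = pow(E, -1, LAM)      # private exponent: used only by the test's stand-in for B

def _random_unit(n):
    """Random element of Z_n^*; anyone can sample one without knowing the factors of n."""
    while True:
        s = secrets.randbelow(n - 2) + 2
        if gcd(s, n) == 1:
            return s

def dh_decision_offline(n, e, v, z):
    """dhp(u, v, z) for u = h^d: (h^d, v, z) is a DH triple iff z = v^d mod n.
    Since ed = 1 mod lambda this is equivalent to z^e = v mod n, a check anyone can run
    with the public key alone, so B never has to query a challenger."""
    return pow(z, e, n) == v % n

def rsa_inversion_via_icdh(n, e, r, icdh_attacker):
    """Adversary A of Theorem 2: given (n, e, r) it outputs r^d mod n using an ICDH attacker B.
    icdh_attacker(n, h, u, v, dhp) receives the generator h, u = h^d, v and the offline
    decision predicate, and is expected to return v^d mod n."""
    u = _random_unit(n)
    h = pow(u, e, n)                       # h = u^e, hence u = h^d without knowing d
    s = _random_unit(n)
    v = (pow(s, e, n) * r) % n             # v = s^e * r
    vd = icdh_attacker(n, h, u, v, lambda v1, z: dh_decision_offline(n, e, v1, z))
    # v^d = s^(ed) * r^d = s * r^d, so r^d = v^d * s^(-1)
    return (vd * pow(s, -1, n)) % n
```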
From the above, referring to [10], the following Theorem 3 can be obtained.
Theorem 3. If is modeled as a random oracle and symmetric encryption (Es, Ds) is CCA secure(i.e., is semantically secure against Chosen Ciphertext Attack), then hashed ElGamal in G is CCA secure.
Proof. Assume that there exists an IND-CCA adversary A which has advantage εEG in hashed ElGamal. Then, we present ICDH adversary Bicdh which has advantage εicdh in group G and IND-CCA adversary Bs which has advantage εS in symmetric encryption (Es, Ds) such that
(9)
We define Game1 as a modified version of Game0, which is the actual attack game to hashed ElGamal in G. In each game, b denotes the random bit chosen by the challenger, while denotes the bit output by A. For j = 0, 1, we define Wj to be the event that
in Game j.
Game 0. Challenger selects x, y randomly so that and calculates
. The random oracle is implemented by using array
and
. Challenger selects k∈K randomly and sets
. And challenger sends the public key u to adversary A. Then, adversary A outputs a pair of messages (m0, m1) and challenger produces the ciphertext (v, c = Es(k, mb)) by flipping a coin b.
- When decryption oracle is queried at where
, challenger acts as follows.
If then
.
Else
If then select k∈K randomly and set
.
is the answer corresponding to decryption oracle query at
.
- When random oracle is queried at , challenger acts as follows.
If then
If then
If then select k∈K randomly and set
.
Else
Select k∈K randomly and set .
The answer corresponding to random oracle query at is
.
Game 1. We modify Game0 by setting instead of
.
Let Z be the event that the adversary queries the random oracle at (v, w) in Game 1.
If event Z happens, then Sol[v] = w. Moreover, in Game1, challenger uses x only to compute u and to evaluate dhp function. Meanwhile, from the assumption, Bicdh can use the DH-decision oracle(i.e., can evaluate dhp function without x).
Hence, we can use adversary A to build an adversary Bicdh to break the ICDH assumption and Bicdh outputs w = Sol[v] with probability Pr[Z].
Meanwhile, in Game1, the key k is used only to encrypt the challenge plaintext, and to process decryption queries of the form , where
.
Hence, we can also use adversary A to build IND-CCA adversary Bs in symmetric encryption (Es, Ds). From the definition of IND-CCA adversary,
(13)
By combining (10), (11), (12) and (13), we can obtain (9). (end of proof)
Since a composite number is used as the modulus, CRT can be used to speed up decryption of hashed ElGamal in G. However, decryption of this scheme is still not fast because large primes are used (1024-bit and 7680-bit primes are needed to be secure against current attacks and quantum computing attacks, respectively). To increase decryption speed by parallel processing, we modified the logical structure of hashed ElGamal as follows.
3.2 Parallel scheme
Let Td denote the decryption time of a single ciphertext block whose bit length equals that of the modulus, and N the number of processors. Then it is trivial that N ciphertext blocks can be decrypted by N processors in time Td by parallel processing. However, this does not mean that a single ciphertext block can be decrypted in time Td/N; in other words, no message is recovered in time Td/N even with parallel processing in hashed ElGamal. To decrypt a single ciphertext block in time Td/N by parallel processing, we modify the logical structure of hashed ElGamal as follows.
Key generation is the same as in hashed ElGamal in G, so we describe only the encryption and decryption algorithms.
Encryption and decryption use the CCA secure symmetric encryption (Es, Ds) defined over (Ks, Ms, Cs) and hash function H(G2→Ks).
Algorithm 3.6: Encryption for parallel scheme.
User encrypts a message m∈Ms, where Ms is a message space of (Es, Ds).
Step1. Obtain authentic public key (g, u, n) and set h←2⌈r/2⌉ and g1←gh, where n is 2r-bit number.
Step2. Select a random integer y(1<y<n) and compute group elements and hash value ks←H(v,w). In this case,
.
Step3. Encrypt the message m by using symmetric encryption Es and key ks.
Step4. Send the cipher text . Cs is a cipher text space of (Es, Ds).
Algorithm 3.7: Decryption for parallel scheme.
User recovers message m from (v, v1, c).
Step1. Compute the group element w←vx and hash value ks←H(v, w).
Calculation of w can be done fast by using r-bit CRT exponents and
, where h = 2⌈r/2⌉ and
.
Step1.1. Calculate and
.
Step1.3. Calculate w as follows.
Step1.4. Calculate ks←H(v,w).
Step2. Recover the message m by using symmetric decryption Ds and key ks.
In the Step1.2 of Algorithm3.7, and
can be calculated in parallel and so, it seems that private key length is reduced to 1/2 in hashed ElGamal. (Of course, without parallel processing, the calculation of
and
can be done fast by simultaneous multiple exponentiation algorithm [37]).
In terms of security, the parallel scheme is identical to hashed ElGamal in G.
In the parallel scheme, h (= 2⌈r/2⌉) provides no information except the bit size of the private key, which is known to be approximately equal to the modulus bit length (i.e., 2r). In other words, part of the calculation needed in decryption (vd mod n) has merely been pre-computed at the encryption stage.
This can be seen from the following Theorem 4.
Theorem4. Assume that parallel scheme is (t, ε)-broken, where ε is the probability to break the encryption scheme in time t. Then, hashed ElGamal in G is also (t, ε)-broken.
Proof. Assume that B is an adversary which (t, ε)-breaks the one-wayness of the parallel scheme. Then we present an adversary A which (t, ε)-breaks the one-wayness of hashed ElGamal in G. Let (g, u, n) be the public key and x the private key of hashed ElGamal. Adversary A is given as input (g, u, n, c, v), where (c, v) is the ciphertext, and tries to find the plaintext m. In hashed ElGamal, anyone knows the bit size of the modulus (i.e., 2r) and can obtain h = 2⌈r/2⌉.
Hence, A can obtain h (= 2⌈r/2⌉) and give B the challenge instance (g, u, n, c, v, vh). From the assumption, B is given as input (g, u, n, c, v, vh) and outputs . If and when B outputs m, A outputs m.
In the same way, we can construct an IND-CPA (or IND-CCA) adversary A against hashed ElGamal in G from an IND-CPA (or IND-CCA) adversary B against the parallel scheme.
From all the facts above, if the parallel scheme is (t, ε)-broken, then it is possible to (t, ε)-break hashed ElGamal in G. (end of proof)
Similarly, it is possible to reduce the decryption time by setting h = 2⌈r/3⌉. In this case, ciphertext can be decrypted in parallel by using private key
instead of
and
, where (X2X1X0)h is the base h representation of X. In other words,
and
In this way, it is possible to propose fast ElGamal variants that are t (t = 2, 3, 4, …) times faster than ordinary hashed ElGamal in G. Of course, this causes message expansion by a factor of t. However, considering current network throughput and the fact that PKE is used only to establish a session key, the drawback of message expansion can be ignored compared to the benefit gained by the speed-up.
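The exponent split behind Algorithms 3.6–3.7 as an added example (not the paper's code), written for general t as described above: the sender pre-computes v, vh, …, v^(h^(t-1)) with h = 2⌈r/t⌉, and the receiver evaluates the 2t partial powers given by the base-h digits of xp and xq as independent jobs before combining them with CRT. The small constructed safe primes, the thread pool and the choice r = ⌈bitlen(n)/2⌉ are assumptions of the example.

```python
from concurrent.futures import ThreadPoolExecutor
from math import ceil, prod

def _is_prime(m):
    return m > 1 and all(m % d for d in range(2, int(m ** 0.5) + 1))

P, Q = 1019, 1187        # constructed toy safe primes: 1019 = 2*509 + 1, 1187 = 2*593 + 1
assert all(_is_prime(v) and _is_prime((v - 1) // 2) for v in (P, Q))
N = P * Q

def expansion_base(n, t):
    """h = 2^ceil(r/t) for a 2r-bit modulus n; the paper's h = 2^ceil(r/2) is the case t = 2."""
    r = ceil(n.bit_length() / 2)
    return 1 << ceil(r / t)

def encrypt_side(v, n, t):
    """Algorithm 3.6, Step 1: besides v = g^y the sender also computes v^h, v^(h^2), ..., v^(h^(t-1)).
    Only public data (n, h) is used, so this pre-computation reveals nothing about x."""
    h = expansion_base(n, t)
    vs = [v]
    for _ in range(t - 1):
        vs.append(pow(vs[-1], h, n))
    return vs

def base_h_digits(x, h, t):
    """Digits of x = x_0 + x_1*h + ... + x_{t-1}*h^(t-1), the (X_{t-1} ... X_1 X_0)_h form of the text."""
    digits = []
    for _ in range(t):
        x, d = divmod(x, h)
        digits.append(d)
    if x:
        raise ValueError("exponent does not fit in t base-h digits")
    return digits

def crt(ap, aq, p, q):
    return (aq + q * (((ap - aq) * pow(q, -1, p)) % p)) % (p * q)

def decrypt_w_parallel(vs, x, p, q, t):
    """Algorithm 3.7, Step 1 for general t: w = v^x mod n from the CRT exponents xp, xq.
    v^xp = prod_i (v^(h^i))^(x_{i,p}) mod p, so the 2t partial powers are independent jobs,
    each with an exponent of only ceil(r/t) bits (the paper's 2t-processor setting)."""
    n = p * q
    h = expansion_base(n, t)
    dp = base_h_digits(x % (p - 1), h, t)
    dq = base_h_digits(x % (q - 1), h, t)
    with ThreadPoolExecutor(max_workers=2 * t) as pool:
        jobs_p = [pool.submit(pow, vs[i], dp[i], p) for i in range(t)]
        jobs_q = [pool.submit(pow, vs[i], dq[i], q) for i in range(t)]
        wp = prod(j.result() for j in jobs_p) % p
        wq = prod(j.result() for j in jobs_q) % q
    return crt(wp, wq, p, q)

def check_parallel_scheme(v, x, t):
    """True when the split-and-multiply result equals the ordinary v^x mod n of Algorithm 3.5."""
    return decrypt_w_parallel(encrypt_side(v, N, t), x, P, Q, t) == pow(v, x, N)
```

With CPython the thread pool only shows the job structure, since big-integer pow holds the GIL; a process pool or a native big-integer library is needed for an actual wall-clock speed-up.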
Note. Unlike the parallel scheme, the scheme of [43] compromises the security of hashed ElGamal because the CRT exponents xp and xq are reduced.
4. Performance analysis
Let t denote the number of processors participating in parallel processing. When a 2r-bit modulus is used, the expected decryption speed-up factor β can be expressed as follows.
Note. Let TM denote the time of a modular multiplication of two r-bit numbers. Then t numbers can be multiplied in time ⌈log2t⌉ TM by parallel processing with μ (≥⌈t/2⌉) processors.
Table 2 shows the theoretical decryption time comparison of CRT-RSA, hashed ElGamal in G and parallel scheme.
As shown in Table 2, β≈t usually holds when r is much larger than t. However, the Hamming weight (the number of ones in the binary representation) of an r-bit number is not always exactly r/2, and so the exact decryption speed-up factor can be expressed as
(15)
, where V, W, Vi and Wi denote the Hamming weights of xp, xq, xip and xiq, respectively. In Eq (15), we used max{Vi|1≤i≤t} (or max{Wi|1≤i≤t}) instead of
(or
) considering the delay associated with synchronizing parallel processes.
If wp and wq are calculated simultaneously by parallel processing (in this case, 2t processors are needed), then
(16)
Fig 1 shows the relation between β and in different t values. In order to obtain an average value of
, we ran the key generation algorithm 1000 times, each of which included 100 different x values. When common multicore CPUs from Intel or AMD are used in parallel processing, t is usually small (i.e., t < 16). If many-core NVIDIA GPUs or multi-CPU systems are used in parallel processing, then t is not small. However, it is not practical to set t too large (i.e., t > 256) because of message expansion. As shown in Fig 1,
is slightly smaller than β because V and W are close to r×0.5, but max{Vi|1≤i≤t} and max{Wi|1≤i≤t} are usually larger than
(see S1 to S4 Tables). Meanwhile, the effectiveness (β/t or
) decreases as the number of processors increases and increases with the size of the modulus.
Relation between β and in different t. (a): 2048-bit modulus. (b): 15768-bit modulus.
Consequently, our scheme gives the possibility of proposing a fast public key cryptosystem that is approximately times faster than CRT-RSA (typical RSA) and hashed ElGamal in G.
Table 3 shows the practical execution time comparison between the parallel scheme and CRT-RSA.
Timings were made on a 3.6 GHz Core i7-7700 desktop using OpenSSL and should be treated as a relative guideline. We ran the decryption algorithm 1000 times with varying keys, each of which included 100 different messages, and took the averages. In all measurements, the mod p and mod q exponentiations were done serially, and the delays of the hash function and symmetric encryption were ignored because they are very small compared to modular exponentiation of big integers. As shown in Table 3, our parallel schemes are about 1.86 (t = 2) and 3.56 (t = 4) times faster than CRT-RSA in decryption, respectively, but their ciphertext overhead increases in proportion to the number of processors.
Overall, the results presented above show that our scheme is suitable for encrypting and decrypting short messages such as session keys, credit card information and PIN (Personal Identification Number) codes at high speed on multi-core and many-core platforms.
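The parallel decryption described above and the speed-up model of Section 4, as an added Python example that is not the paper's implementation: the primes, exponents and the key derivation H(g^y, X^y) are constructed assumptions, and the CRT split of the private key into xp and xq is left out.

```python
# Added example (not the paper's code): hashed ElGamal over Z_N*, N = pq, whose
# private exponent x is written in base h = 2^ceil(r/t) so that decryption is
# t independent exponentiations, as in the parallel scheme above. Toy, constructed
# parameters; the CRT split into xp/xq and the CCA proof details are omitted.
import hashlib
from math import ceil, log2

def split_exponent(x, r, t):
    """Return h and digits [x_0, ..., x_{t-1}] with x = sum x_i * h^i."""
    h = 1 << ceil(r / t)
    digits = []
    for _ in range(t):
        digits.append(x % h)
        x //= h
    return h, digits

def precompute_bases(g, h, t, N):
    """g_i = g^(h^i) mod N; computed once per system, so encryption cost is unchanged."""
    gs = [g % N]
    for _ in range(1, t):
        gs.append(pow(gs[-1], h, N))
    return gs

def encrypt(pk, gs, N, y, msg):
    """Ciphertext (g_0^y, ..., g_{t-1}^y, body): t group elements instead of one,
    i.e. message expansion by a factor of t. Key = H(g^y, X^y); body = msg XOR key."""
    cs = [pow(gi, y, N) for gi in gs]
    key = hashlib.sha256(f"{cs[0]}|{pow(pk, y, N)}".encode()).digest()
    return cs, bytes(m ^ k for m, k in zip(msg, key))   # msg at most 32 bytes

def parallel_shared_secret(cs, digits, N):
    """Each c_i^{x_i} depends only on digit x_i, so the t factors can be computed
    on t processors; their product is g^{y * sum x_i h^i} = (g^y)^x."""
    z = 1
    for ci, xi in zip(cs, digits):
        z = z * pow(ci, xi, N) % N
    return z

def decrypt(digits, N, ct):
    cs, body = ct
    z = parallel_shared_secret(cs, digits, N)
    key = hashlib.sha256(f"{cs[0]}|{z}".encode()).digest()
    return bytes(b ^ k for b, k in zip(body, key))

def cost_model(x, r, t):
    """Square-and-multiply cost in modular multiplications (cf. Section 4):
    serial r + HW(x); parallel ceil(r/t) + max_i HW(x_i) + ceil(log2 t) to combine."""
    _, digits = split_exponent(x, r, t)
    serial = r + bin(x).count("1")
    par = ceil(r / t) + max(bin(d).count("1") for d in digits) + ceil(log2(t))
    return serial, par, serial / par
```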
5. Discussion
The purpose of converting a large private key into a group of small private keys is to reduce the secret exponentiation time by parallel processing. Our technique does not affect the security of the original hashed ElGamal, because the r-bit private key xp (xq) is simply divided into two -bit halves x0p and x1p (x0q and x1q) by h = 2^⌈r/2⌉.
However, one could reduce the secret exponentiation time further by choosing so that x0p, x1p, x0q and x1q are extremely small (i.e.,
and r′<r/2). In this case, for the security problem,
must be satisfied for x0 and x1 such that
,
and
. Of course, the time required for encryption is not affected by the selection of h because g1 = g^h is calculated only once in the system. It is an open problem whether there is an attack on the parallel scheme when x0p, x1p, x0q and x1q are small.
6. Conclusion
The ICDH assumption was known to hold only in bilinear groups with complex structure. We first proved that the ICDH assumption holds in the simple integer group and proposed a CCA secure hashed ElGamal encryption, the security of which is proved in the random oracle model. Our scheme is superior in ciphertext overhead and exponentiation cost to other CCA secure ElGamal variants based on the integer group, such as the Cramer Shoup scheme and twin ElGamal, because it maintains the concise style of plain ElGamal. We also sped up decryption of CCA secure hashed ElGamal by parallel processing. Our parallelization scheme does not affect the security, since some operations for decryption are only pre-calculated at the encryption stage and the private key itself is not reduced compared to hashed ElGamal. By using the parallel scheme, it would be possible to use ElGamal in the integer group when big modulus numbers (15360 bit) are used in order to resist quantum computing attacks. We expect our finding to be widely applied to platforms equipped with multicore CPUs or many-core GPUs.
Supporting information
S1 Table. Relationship between parameters of Eqs (14) and (15) (r = 1024, t = 2).
https://doi.org/10.1371/journal.pone.0294840.s001
(DOCX)
S2 Table. Relationship between parameters of Eqs (14) and (15) (r = 1024, t = 4).
https://doi.org/10.1371/journal.pone.0294840.s002
(DOCX)
S3 Table. Relationship between parameters of Eqs (14) and (15) (r = 1024, t = 8).
https://doi.org/10.1371/journal.pone.0294840.s003
(DOCX)
S4 Table. Relationship between parameters of Eqs (14) and (15) (r = 1024, t = 16).
https://doi.org/10.1371/journal.pone.0294840.s004
(DOCX)
Acknowledgments
The authors would like to thank the editor and the anonymous reviewers for their valuable comments and suggestions.
References
- 1. Diffie W. and Hellman M. E., “New directions in cryptography”, IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644–654, 1976.
- 2. ElGamal T., “A public key cryptosystem and signature scheme based on discrete logarithms”, IEEE Transactions on Information Theory, vol. 31, pp. 469–472, 1985.
- 3. Cramer R. and Shoup V., “A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack”, CRYPTO 1998, LNCS, vol. 1462, 1998, pp. 13–25.
- 4. Abdalla M., Bellare M., and Rogaway P., “The oracle diffie-hellman assumptions and an analysis of DHIES”, CT-RSA 2001, LNCS, vol. 2020, 2001, pp. 143–158.
- 5. Cramer R. and Shoup V., “Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack”, SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.
- 6. Gennaro R., Krawczyk H., and Rabin T., “Secure Hashed Diffie–Hellman over Non–DDH Groups”, EUROCRYPT 2004, LNCS, vol. 3027, 2004, pp. 361–381.
- 7. Cash D., Kiltz E., and Shoup V., “The Twin Diffie-Hellman Problem and Applications”, Journal of Cryptology, vol. 22, no. 4, pp. 470–504, 2009.
- 8. Abe M., Kiltz E. and Okamoto T., “Compact CCA-secure encryption for messages of arbitrary length”, PKC 2009, LNCS, vol. 5443, 2009, pp. 377–392.
- 9. Boneh D., “The decision Diffie–Hellman problem”, ANTSIII, LNCS, vol. 1423, 1998, pp. 48–63.
- 10. Boneh D. and Shoup V., “A Graduate Course in Applied Cryptography”, 2023, version 0.6, Stanford University, https://crypto.stanford.edu/~dabo/cryptobook/
- 11. Rackoff C. and Simon D., “Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack”, CRYPTO 1991, LNCS, vol. 576, 1992, pp. 433–444.
- 12. Bellare M., Desai A., Pointcheval D., and Rogaway P., “Relations among Notions of Security for Public-Key Encryption Schemes”, CRYPTO 1998, LNCS, vol. 1462, 1998, pp. 26–45.
- 13. Dolev D., Dwork C., and Naor M. “Non-Malleable Cryptography”, SIAM J. Computing, vol. 30, no. 2, pp. 391–437, 2000.
- 14. Bellare M. and Rogaway P., “Random oracles are practical: a paradigm for designing efficient protocols”, In Proceedings of the First ACM Conference on Computer and Communications Security, 1993, pp. 62–73.
- 15. Wee H., “Efficient Chosen-Ciphertext Security via Extractable Hash Proofs”, CRYPTO 2010, LNCS, vol. 6223, 2010, pp. 314–332.
- 16. Baecher P. and Fischlin M., “Random Oracle Reducibility”, CRYPTO 2011, LNCS, vol. 6841, 2011, pp. 21–38.
- 17. Brendel J., Fischlin M., Gunther F. and Janson C., “PRF-ODH: Relations, Instantiations, and Impossibility Results”, CRYPTO 2017, LNCS, vol. 10403, 2017, pp. 651–681.
- 18. Fuchsbauer G., Kiltz E. and Loss J., “The Algebraic Group Model and its Applications”, CRYPTO 2018, LNCS, vol. 10992, 2018, pp. 33–62.
- 19. Davis H. and Gunther F., “Tighter proofs for the sigma and tls 1.3 key exchange protocols”, International Conference on Applied Cryptography and Network Security, Springer, 2021, pp. 448–479.
- 20. Diemert D. and Jager T., “On the tight security of tls1.3: Theoretically sound cryptographic parameters for real-world deployments”, Journal of Cryptology, vol. 34, no. 3, pp. 1–57, 2021.
- 21. Dumittan L. H. and Vaudenay S., “On IND-qCCA Security in the ROM and Its Applications”, EUROCRYPT 2022, LNCS, vol. 13277, 2022, pp. 613–642.
- 22. Boneh D. and Boyen X., “Short Signatures without Random Oracles”, EUROCRYPT 2004, LNCS, vol. 3027, 2004, pp. 56–73.
- 23. Boneh D. and Boyen X., “Efficient selective-ID secure identity-based encryption without random Oracles”, EUROCRYPT 2004, LNCS, vol. 3027, 2004, pp. 223–238.
- 24. Boneh D. and Boyen X., “Short signatures without random oracles and the SDH assumption in bilinear groups”, Journal of Cryptology, vol. 21, no. 2, pp. 149–177, 2008.
- 25. Jao D. and Yoshida K., “Boneh-Boyen signatures and the strong Diffie-Hellman problem”, Pairing 2009, LNCS, vol. 5671, 2009, pp. 1–16.
- 26. Ghadafi E. and Groth J., “Towards a Classification of Non-interactive Computational Assumptions in Cyclic Groups”, ASIACRYPT 2017, LNCS, vol. 10625, 2017, pp. 66–96.
- 27. Jason H. M. and Kunihiro N., “Bounds in Various Generalized Settings of the Discrete Logarithm Problem”, ACNS 2017, LNCS, vol. 10355, 2017, pp. 498–517.
- 28. Bauer B. and Fuchsbauer G., “A Classification of Computational Assumptions in the Algebraic Group Model”, CRYPTO 2020, LNCS, vol. 12171, 2020, pp. 121–151.
- 29. Okamoto T. and Pointcheval D., “The Gap Problems: A New Class of Problems for the Security of Cryptographic Schemes”, PKC 2001, LNCS, vol. 1992, 2001, pp. 104–118.
- 30. Boldyreva A., “Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme”, PKC 2003, LNCS, vol. 2567, 2003, pp. 31–46.
- 31. Krawczyk H., “HMQV: a high-performance secure Diffie-Hellman protocol”, CRYPTO 2005, LNCS, vol. 3621, 2005, pp. 546–566.
- 32. LaMacchia B., Lauter K., and Mityagin A., “Stronger Security of Authenticated Key Exchange”, ProvSec 2007, LNCS, vol. 4784, 2007, pp. 1–16.
- 33. Kiltz E., “Chosen-Ciphertext Secure Key-Encapsulation Based on Gap Hashed Diffie-Hellman”, PKC 2007, LNCS, vol. 4450, 2007, pp. 282–297.
- 34. Yanqi G., Stanislaw J., Hugo K., “KHAPE:Asymmetric PAKE from Key-Hiding Key Exchange”, CRYPTO 2021, LNCS, vol. 12828, 2021, pp. 701–730.
- 35. Alwen J., Blanchet B., Hauck E., Kiltz E., “Analysing the HPKE Standard”, EUROCRYPT 2021, LNCS, vol. 12696, 2021, pp. 87–116.
- 36. Rivest R.L., Shamir A., and Adleman L., “A method for obtaining digital signatures and public–key cryptosystems”, Communications of ACM, vol. 21, no. 2, pp. 120–126, 1978.
- 37. Menezes A., van Oorschot P., and Vanstone S., “Handbook of Applied Cryptography”, CRC Press, 1996, pp. 287, 617–618.
- 38. Biham E., Boneh D., and Reingold O., “Breaking generalized Diffie–Hellman modulo a composite is no easier than factoring”, Information Processing Letters, vol. 70, pp. 83–87, 1998.
- 39. Quisquater J. J. and Couvreur C., “Fast Decipherment Algorithm for RSA Public-Key Cryptosystem”, IEEE Electronics Letters, vol. 18, pp. 905–907, 1982.
- 40. Baek J., Ghu C. K. and Zhou J., “On Shortening Ciphertexts: New Constructions for Compact Public Key and Stateful Encryption Scheme”, CT-RSA 2011, LNCS, vol. 6558, 2011, pp. 302–318.
- 41. Seurin Y. and Treger J., “A Robust and Plaintext-Aware Variant of Signed ElGamal Encryption”, CT-RSA 2013, LNCS, vol. 7779, 2013, pp. 68–83.
- 42. Boneh D. and Shacham H., “Fast variants of RSA”, CryptoBytes, vol. 5, no. 1, pp. 1–9, 2002.
- 43. Kim G. C. and Li S. C., “Decryption speed up of ElGamal with composite modulus”, PLoS ONE, October 5, 2020, pp. 1–16, pmid:33017837.