A Security-Mediated Encryption Scheme Based on ElGamal Variant
Abstract
1. Introduction
2. Preliminaries
2.1. Computational Diffie-Hellman (CDH) Problem
2.2. Security Mediated Encryption Scheme
- KeyGen. On input of security parameter , generates system parameters , the user's public key , and the user and SEM secret keys .
- Encrypt. Sender takes in , and message m, and encrypts the message into ciphertext c = Enc(Params, pk, m).
- Decrypt. Receiver first relays ciphertext c to SEM for partial decryption m1 = Dec(c, Ksem), meanwhile computing his own part m2 = Dec(c, Kuser). Finally, receiver performs full decryption to recover message , where ∗ represents the operation required by each scheme's setting.
2.3. Security Model of Security Mediated Encryption Scheme
- Setup. On input of security parameter , challenger adapts and runs KeyGen of the encryption scheme to generate . provides adversary with and retains the .
- Phase 1 (Decryption query). The following queries may be asked adaptively.
- (a) SEM-Decryption: queries SEM-decryption for a ciphertext C of his choice. responds with the corresponding SEM partial decryption to .
- (b) Full Decryption: queries full decryption for a ciphertext C of his choice. responds with the decrypted plaintext m to .
- Challenge. produces two messages of equal length to be challenged. randomly picks and outputs the challenge ciphertext C* = Enc(Params, pk, m_b) to .
- Phase 2. may perform decryption queries for ciphertexts C of his choice as in Phase 1, except for the challenge ciphertext .
- Guess. outputs a guess of , ending the simulation. wins if .
3. The Proposed Security Mediated ElGamal Encryption Scheme
- The user's public key (abbreviated as ) X in the KeyGen Algorithm 1 is generated by the CA using the user's random master secret key (abbreviated as ) x, which is unknown to anyone except the CA itself.
- Next, the secret key x is split into two parts, which are sent securely to the user and to the SEM respectively as their decryption keys.
- Any party who wishes to initiate communication shall obtain the user’s public key X from a public directory as part of the encryption procedure.
Algorithm 1 Key Generation (KeyGen) of
Require: Security parameter .
Ensure: System parameters , user's public key X, user's secret key x, user's decryption key , and SEM's decryption key .
1: On input of security parameter , generates two large primes with , a generator g such that , and two groups of order q.
2: Generates the following pairing function and hash functions H such that:
(a) ,
(b) ,
(c) ,
(d) ,
(e) .
3: For each user i, computes for a random integer .
4: Randomly selects and computes (mod ).
5: Publishes the system parameters and user i's , sends user i's decryption key to user i and SEM's decryption key to SEM.
6: The integer , which is user i's secret key, is kept secret.
Algorithm 2 Encryption (Encrypt) of
Require: System parameters , user's public key X, user's decryption key and message m.
Ensure: Ciphertext .
1: User i who wishes to communicate computes and publishes his public key using his decryption key .
2: Sender who wishes to send message m to user i obtains and performs the following computations:
(a) Selects a random string and computes ,
(b) Computes and next ,
(c) Sets , and computes ,
(d) Computes ,
(e) Computes .
3: Sends ciphertext to user i.
Algorithm 3 Decryption (Decrypt) of
Require: System parameters , user's public key X, user's public key Y, user's decryption key , SEM's decryption key and ciphertext .
Ensure: Message m.
SEM-Decryption:
1: User i, upon receiving ciphertext , relays it to SEM.
2: SEM checks whether . If it holds, SEM computes the partial decryption and returns it to user i. Otherwise, it rejects ciphertext C.
User-Decryption:
1: User i receives the partial decryption from SEM and next performs the following series of computations to recover message m:
(a) Checks whether . If it holds, continue with the decryption procedure. Otherwise, reject ciphertext C,
(b) Computes , and next ,
(c) Computes , and checks whether . If it holds, parse message m from . Otherwise, reject ciphertext C.
2: Lastly, computes , and verifies whether .
4. Security Proof of the Proposed Mediated ElGamal Scheme
- Setup: Challenger initially takes security parameter as input, runs KeyGen to output system parameters , and sets the public key as , where . These system parameters and the public key are sent to . Note that does not know the secret integer x.
- H-query: prepares four different hash lists to record and store all hash queries and responses. The lists are initially empty.
- (a) -query: For any query made, checks whether such a query exists. If it does, it responds with the corresponding . Otherwise, it randomly samples and returns . Lastly, it adds to the -list.
- (b) -query: For any query made, checks whether such a query exists. If it does, it responds with the corresponding . Otherwise, it randomly chooses and returns . Lastly, it adds to the -list.
- (c) -query: For any query made, checks whether such a query exists. If it does, it responds with the corresponding . Otherwise, it randomly chooses and returns . Lastly, it adds to the -list.
- (d) -query: For any query made, checks whether such a query exists. If it does, it responds with the corresponding . Otherwise, it randomly samples and returns . Lastly, it adds to the -list.
- Phase 1 (Decryption query):
- (a) SEM-Decryption query: queries the SEM-decryption of a ciphertext of his choice. first searches the and -lists for pairs and such that and are valid. If they exist, it computes as SEM's partial decryption and returns the SEM-Decryption result to . Otherwise, it returns ⊥. Observe that Then, and
- (b) Full-Decryption query: queries the full decryption of a ciphertext of his choice. first searches all the H-lists for pairs such that We consider the following possible scenarios:
- Case 1: If all the above queries exist, it outputs and returns the corresponding m as the decryption result.
- Case 2: Only , and exist. Then and are valid. Also, from the knowledge of from C, can extract from w and next extract m from v. It can then compute and add the new query to the -list. Note that it is easy to verify the validity of such an additional query since, by , can invert to obtain U. If every query is valid, it returns m as the decryption result; otherwise it returns ⊥.
- Case 3: Only and exist. Then and are valid. Also, from the knowledge of from C, can extract from w. It can next compute and sample a random U to add both the new and queries to the H-lists. Note that it is easy to verify the validity of all such additional queries since, by , can invert to obtain v and sample a random V. In addition, the inverted v enables the extraction of m. If every query is valid, it returns m as the decryption result; otherwise it returns ⊥.
- Case 4: Only exists. Then is valid. Also, from the knowledge of from C, can extract from w. It can next compute and sample a random U to add all the new , and queries to the H-lists. Again, it is easy to decide the validity of all such additional queries since, by , can invert to obtain v and sample a random V. In addition, the inverted v enables the extraction of m. As for the query of , reverts and then samples z randomly; this is indistinguishable from 's point of view. If every query is valid, it returns m as the decryption result; otherwise it returns ⊥.
- Case 5: If none of the queries satisfies the ciphertext structure, it returns ⊥.
- Challenge: When is ready to perform the attack, he sends two distinct messages of equal length . randomly selects a bit , and . Next, it outputs the challenge ciphertext as
- (a) ,
- (b) ,
- (c) ,
- (d) .
Hence, the challenge ciphertext is a correct and valid ciphertext from 's point of view if it does not query the following to the random oracle:
- Phase 2: is allowed to continue querying the decryption of ciphertexts C of his choice, except for the challenge ciphertext .
- Guess: finally outputs his guess of , ending the IND-CCA game. wins the game if . Note that the challenge hash query is the Diffie-Hellman shared value , which is a query to the random oracle . randomly selects one of the queries in the -list as the challenge hash query and outputs it as the solution to the CDH problem.
- Scenario 1. If does not query the challenge hash query , then the only alternative way it could break the challenge ciphertext is to search for the existence of the following queries:
- Scenario 2. If does query the challenge hash query , then it can gain an advantage in guessing the encrypted message correctly. Otherwise, it can only guess with negligible advantage. As has advantage in outputting the correct bit, by the hardness assumption of the CDH problem such an event can occur if and only if the challenge hash query exists in the list. Let be the total number of queries in the simulated game; following the IND-CCA model, we have:
5. Efficiency and Performance Analysis
- Key escrow. Our proposed mediated ElGamal scheme currently does not consider the issue of key escrow. In other words, our scheme suffers from the key escrow problem, in which the CA has absolute control of the user's secret key. Therefore, we assume that the CA cannot be compromised and is wholly trusted. We will address this issue in subsequent work.
- Non-certificateless. Our proposed mediated ElGamal scheme is not certificateless, unlike the SMC scheme of [3]. In other words, users' public keys need to be submitted to the CA for authentication.
- Integrity. As we apply the Fujisaki-Okamoto transformation in our design, the proposed mediated ElGamal scheme provides ciphertext integrity checks on the SEM side as well as on the receiver side, on top of ensuring confidentiality of the encrypted message.
- Pairing-free. Unlike some other mediated encryption schemes, our mediated ElGamal scheme is pairing-free in the sense that we do not involve pairing computations in the encryption and decryption themselves. One can easily observe that the pairing function in our scheme serves only to provide the ciphertext validity check by the SEM and the receiver. Hence, our scheme does not suffer from major efficiency and computation-cost drawbacks.
- Novelty. Current security mediated cryptography focuses on ID-based or signature schemes, or is mostly designed around pairing functions. Our proposed mediated ElGamal scheme, on the other hand, uses the ElGamal variant as its primitive and is pairing-free in encryption and decryption.
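The mediated workflow of Sections 2.2 and 3 and the integrity property claimed above, as an added Python example that is not code from the paper or its authors. It uses textbook ElGamal over a safe-prime group: the CA chooses x, publishes X = g^x and splits x additively into a user share and a SEM share, the SEM returns c1^{x_sem}, and the user combines it with c1^{x_user}; a Fujisaki-Okamoto-style re-encryption check (the exponent r is derived from the random string sigma and m, and g^r is compared with c1 after decryption) stands in for the paper's validity checks. The additive split, the hash functions H1/H2, the group generation, the fixed message length and all function names are assumptions of this example; the paper's specific ElGamal variant and its pairing-based checks are not reproduced.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Toy sizes for illustration only: a 64-bit q and 16-byte sigma are NOT secure choices.
SIGMA_BYTES = 16   # random string sigma folded into the FO-style encapsulation
MSG_BYTES = 16     # fixed message length (padding/parsing is out of scope here)
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
Params = Tuple[int, int, int]   # (p, q, g): p = 2q + 1, g generates the order-q subgroup

def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24, which covers our sizes."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits: int = 64) -> Params:
    """Constructed group: random safe prime p = 2q + 1; g = 4 is a square != 1, hence of order q."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def _hash_int(q: int, *parts: bytes) -> int:
    """Assumed H1: derive the encryption exponent r in Z_q from (sigma, m)."""
    return int.from_bytes(hashlib.sha256(b"\x01" + b"".join(parts)).digest(), "big") % q

def _hash_mask(k: int, n: int) -> bytes:
    """Assumed H2: derive an n-byte (n <= 32) one-time mask from the shared group element."""
    return hashlib.sha256(b"\x02" + k.to_bytes(16, "big")).digest()[:n]

def keygen(params: Params) -> Tuple[int, int, int]:
    """CA picks x (key escrow: only the CA knows it), publishes X = g^x and splits
    x = (x_user + x_sem) mod q; either share alone reveals nothing about x."""
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    x_sem = secrets.randbelow(q)
    return pow(g, x, p), (x - x_sem) % q, x_sem

def encrypt(params: Params, X: int, m: bytes) -> Tuple[int, bytes]:
    """FO-style: r = H1(sigma, m), c1 = g^r, c2 = (sigma||m) XOR H2(X^r).
    Deriving r from (sigma, m) is what lets the receiver re-encrypt and check c1."""
    p, q, g = params
    if len(m) != MSG_BYTES:
        raise ValueError("toy scheme expects fixed-length messages")
    sigma = secrets.token_bytes(SIGMA_BYTES)
    r = _hash_int(q, sigma, m)
    k = pow(X, r, p)                              # Diffie-Hellman shared value g^(x*r)
    payload = sigma + m
    c2 = bytes(a ^ b for a, b in zip(payload, _hash_mask(k, len(payload))))
    return pow(g, r, p), c2

def sem_partial_decrypt(params: Params, x_sem: int, c1: int, revoked: bool = False) -> Optional[int]:
    """SEM token c1^x_sem; revocation is immediate because a revoked user gets no token."""
    return None if revoked else pow(c1, x_sem, params[0])

def user_decrypt(params: Params, x_user: int, partial: Optional[int],
                 c1: int, c2: bytes) -> Optional[bytes]:
    """Combine c1^x_user with the SEM token to get c1^x = X^r, unmask sigma||m,
    then reject unless g^H1(sigma, m) == c1 (catches tampering with c1 or c2)."""
    p, q, g = params
    if partial is None:
        return None                               # no SEM cooperation, no decryption
    k = (pow(c1, x_user, p) * partial) % p
    payload = bytes(a ^ b for a, b in zip(c2, _hash_mask(k, len(c2))))
    sigma, m = payload[:SIGMA_BYTES], payload[SIGMA_BYTES:]
    return m if pow(g, _hash_int(q, sigma, m), p) == c1 else None

def demo() -> Tuple[Optional[bytes], Optional[bytes], Optional[bytes]]:
    """Honest decryption, decryption after revocation, and a flipped ciphertext bit."""
    params = safe_prime_group()
    X, x_user, x_sem = keygen(params)
    c1, c2 = encrypt(params, X, b"mediated ElGamal")
    token = sem_partial_decrypt(params, x_sem, c1)
    ok = user_decrypt(params, x_user, token, c1, c2)
    revoked = user_decrypt(params, x_user, sem_partial_decrypt(params, x_sem, c1, True), c1, c2)
    tampered = user_decrypt(params, x_user, token, c1, bytes([c2[0] ^ 1]) + c2[1:])
    return ok, revoked, tampered
```

`demo()` returns the honest result, the result after the SEM withholds its token (revocation), and the result for a ciphertext with one flipped bit; the last two are None, which is the behaviour of the reject steps in the Decrypt algorithm. The CA-side escrow is visible in `keygen`, where x exists in full only before it is split. A realistic deployment would use a standard 2048-bit group and a proper KEM/DEM encoding instead of the fixed-length toy payload.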
6. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Acknowledgments
Conflicts of Interest
Abbreviations
Abbreviation | Meaning |
---|---|
BDH | Bilinear Diffie-Hellman |
CA | Certificate Authority |
CDH | Computational Diffie-Hellman |
DLP | Discrete Logarithm Problem |
ECDH | Elliptic Curve Diffie-Hellman |
EUF-CMA | Existential Unforgeability under Chosen-Message Attack |
IBE | Identity-Based Encryption |
IB-mRSA/OAEP | Identity-Based Mediated Rivest-Shamir-Adleman/Optimal Asymmetric Encryption Padding |
IND-CCA | Indistinguishability against Chosen-Ciphertext Attack |
mEG | Mediated ElGamal |
mpk | User's Public Key |
mRSA | Mediated Rivest-Shamir-Adleman |
msk | Master Secret Key |
PKE | Public-Key Encryption |
PPT | Probabilistic Polynomial Time |
RSA | Rivest-Shamir-Adleman |
SEM | Security Mediator |
SMC | Security Mediated Certificateless |
SM-IBI | Security Mediated Identity-Based Identification |
X-OR | Exclusive-OR |
References
- Boneh, D.; Ding, X.; Tsudik, G.; Wong, C.M. A Method for Fast Revocation of Public Key Certificates and Security Capabilities. In Proceedings of the 10th USENIX Security Symposium, Washington, DC, USA, 13–17 August 2001.
- Ding, X.; Tsudik, G. Simple Identity-Based Cryptography with Mediated RSA. In Topics in Cryptology, CT-RSA 2003; Lecture Notes in Computer Science; Joye, M., Ed.; Springer: Berlin/Heidelberg, Germany, 2003; Volume 2612, pp. 193–210.
- Chow, S.S.M.; Boyd, C.; Nieto, J.M.G. Security-Mediated Certificateless Cryptography. In Public Key Cryptography, PKC 2006; Lecture Notes in Computer Science; Yung, M., Dodis, Y., Kiayias, A., Malkin, T., Eds.; Springer: Berlin/Heidelberg, Germany, 2006; Volume 3958, pp. 508–524.
- Baek, J.; Zheng, Y. Identity-Based Threshold Decryption. In Public Key Cryptography, PKC 2004; Lecture Notes in Computer Science; Bao, F., Deng, R., Zhou, J., Eds.; Springer: Berlin/Heidelberg, Germany, 2004; Volume 2947, pp. 262–276.
- Yap, W.S.; Chow, S.S.M.; Heng, S.H.; Goi, B.M. Security Mediated Certificateless Signatures. In Applied Cryptography and Network Security, ACNS 2007; Lecture Notes in Computer Science; Katz, J., Yung, M., Eds.; Springer: Berlin/Heidelberg, Germany, 2007; Volume 4521, pp. 459–477.
- Yang, C.; Wang, F.; Wang, X. Efficient Mediated Certificateless Public-Key Encryption Scheme without Pairings. In Proceedings of the 21st International Conference on Advanced Information Networking and Applications Workshops (AINAW'07), Niagara Falls, ON, Canada, 21–23 May 2007; pp. 109–112.
- Lo, C.M.; Hwang, T.; Li, C.M. Revocation-Free Public-Key Encryption Based on Security-Mediated Public-Key Infrastructure. IET Inf. Secur. 2007, 1, 134–141.
- Chow, S.S.M.; Yap, W.-S. Partial Decryption Attacks in Security-Mediated Certificateless Encryption. IET Inf. Secur. 2009, 3, 148–151.
- Wan, Z.; Weng, J.; Li, J. Security Mediated Certificateless Signatures without Pairing. J. Comput. 2010, 5, 1862–1869.
- Chin, J.J.; Behnia, R.; Heng, S.H.; Phan, R.C.W. An Efficient and Provable Secure Security-Mediated Identity-Based Identification Scheme. In Proceedings of the 2013 Eighth Asia Joint Conference on Information Security, Seoul, Korea, 25–26 July 2013; pp. 27–32.
- Chin, J.J.; Tan, S.Y.; Heng, S.H.; Phan, R.C. Efficient and Provable Secure Pairing-Free Security-Mediated Identity-Based Identification Schemes. Sci. World J. 2014, 2014, 170906.
- Asbullah, M.A.; Ariffin, M.R.K. A Proposed CCA-Secure Encryption on an ElGamal Variant. In Proceedings of the 2012 7th International Conference on Computing and Convergence Technology (ICCCT), Seoul, Korea, 3–5 December 2012; pp. 499–503.
- Katz, J.; Lindell, Y. Introduction to Modern Cryptography; CRC Press: Boca Raton, FL, USA, 2015.
- Lecture Notes: Introduction to Modern Cryptography. Available online: https://web.cs.ucdavis.edu/~rogaway/classes/227/spring05/book/main.pdf (accessed on 14 September 2021).
Operation | X-OR | Subtraction/Multiplication | Exponentiation | Hashing | Pairing |
---|---|---|---|---|---|
Key Generation | 0 | 1 | 1 | 0 | 0 |
Encryption | 1 | 0 | 4 | 4 | 0 |
SEM-Decryption | 0 | 0 | 1 | 1 | 2 |
User-Decryption | 1 | 1 | 2 | 4 | 2 |
© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Tea, B.C.; Kamel Ariffin, M.R.; Abd. Ghafar, A.H.; Asbullah, M.A. A Security-Mediated Encryption Scheme Based on ElGamal Variant. Mathematics 2021, 9, 2642. https://doi.org/10.3390/math9212642