A Security-Mediated Encryption Scheme Based on ElGamal Variant

Abstract: Boneh et al. introduced mediated RSA (mRSA) in 2001 in an attempt to achieve faster key revocation for medium-sized organizations via the involvement of a security mediator (SEM) as a semi-trusted third party that provides partial ciphertext decryption for the receiver. In this paper, a pairing-free security mediated encryption scheme based on an ElGamal variant is proposed. The scheme features a similar setting to mediated RSA but with a different underlying primitive. We show that the proposed security mediated encryption scheme is indistinguishably secure against chosen-ciphertext attack (IND-CCA) in the random oracle model via the hardness assumption of the computational Diffie-Hellman (CDH) problem.


Introduction
In 2001, Boneh et al. proposed a fast key revocation scheme, the mediated RSA (mRSA). This scheme features a new semi-trusted role, the security mediator (SEM), which takes part in the decryption process. The idea behind this mediated scheme is that the user's secret key is effectively split into two parts, with one kept by SEM and the other by the user. Whenever the user receives a ciphertext, he must relay it to SEM for partial decryption (token issuance) prior to recovering the full plaintext [1]. This property provides the advantage of instant revocation upon the certificate authority's (CA) instruction: the SEM stops assisting with the user's partial ciphertext decryption, so the user can neither decrypt ciphertexts received in the future nor re-decrypt ciphertexts that were received and decrypted previously.
The introduction of mRSA has initiated various security mediated schemes following this path such as the IB-mRSA/OAEP, a type of identity-based encryption (IBE) scheme proposed by Ding and Tsudik in 2003 based on mRSA [2]. The designed IB-mRSA/OAEP is proven to be secure indistinguishably against adaptive chosen-ciphertext attack (IND-CCA) in the random oracle model. To this end, the authors stated that the security proof in the standard model remains an open problem.
Chow et al. then introduced the notion of security mediated certificateless (SMC) cryptography in 2006, which provides a solution to the key escrow problem present in other security mediated schemes [3]. Besides generalizing the framework of SMC, they also provided a lightweight version of SMC cryptography that is fully adaptive chosen-ciphertext attack secure in the random oracle model via the intractability assumption of the bilinear Diffie-Hellman (BDH) problem. In addition, Chow et al. claimed that their proposal is more efficient than Baek and Zheng's ID-based mediated encryption scheme [4].
Following the trend of SMC cryptography by Chow et al., Yap et al. subsequently explored the notion of SMC signatures. They proposed the very first concrete provably secure SMC signature scheme that is bilinear pairing-free. Based on the intractability assumption of the discrete logarithm problem (DLP), their scheme is proven to be existentially unforgeable under chosen message attack (EUF-CMA) in the random oracle model [5]. In the same year, Yang et al. [6] and Lo et al. [7] came out with efficient certificateless pairing-free encryption schemes and mediated revocation-free encryption schemes respectively. Unfortunately, both proposed schemes suffer from partial decryption attacks, as demonstrated in [8]. Wan et al. also proposed a similar efficient pairing-free SMC signature scheme, but with a proof of security in the random oracle model based on the hardness assumption of factoring [9].
While the majority of follow-ups focus on mediated IBE and signature schemes, Chin et al. in 2013 devised the first efficient security mediated identity-based identification (SM-IBI) scheme. Via the computational Diffie-Hellman (CDH) assumption, they provided the security proof against impersonation under passive, active and concurrent attacks in the random oracle model [10]. In the following year, Chin et al. further improved the efficiency of the SM-IBI scheme by proposing two pairing-free versions via the intractability of RSA and discrete logarithm assumptions, with security proofs against impersonation under passive, active and concurrent attacks both in the random oracle models [11].
In this paper, we propose a new security mediated encryption scheme based on an IND-CCA secure ElGamal variant. The motivation of our work is the currently existing non-certificateless mediated scheme by Boneh et al. [1]. We consider the IND-CCA-secure ElGamal encryption scheme designed by [12] and prove that our scheme is indistinguishably secure against chosen-ciphertext attack (IND-CCA) in the random oracle model via the hardness assumption of the computational Diffie-Hellman (CDH) problem.
The rest of the paper is organized as follows. Section 2 outlines the necessary preliminaries, followed by the formal security model and definition of a security mediated encryption scheme. In Section 3, the construction of the new security mediated encryption scheme based on an ElGamal variant is presented. Next, we provide the security proof of our designed scheme in Section 4. The analysis of efficiency and performance follows in Section 5. Finally, we conclude our work in Section 6.

Preliminaries
We provide some mathematical and cryptographic background related to our work in this section, including mathematical hard problems, the security mediated encryption scheme model, and the corresponding security model. We note that the primary reference for our definitions in this section is [13], but similar definitions can be found in [14].

Computational Diffie-Hellman (CDH) Problem
Definition 1 (Computational Diffie-Hellman Problem [13]). Let g be a generator for G_p and let h_1, h_2 be non-zero elements of G_p. Define $DH_g(h_1, h_2) = g^{\log_g h_1 \cdot \log_g h_2}$. That is, if $h_1 = g^{x_1}$ and $h_2 = g^{x_2}$, then $DH_g(h_1, h_2) = g^{x_1 x_2}$. The CDH problem is to compute $DH_g(h_1, h_2)$ for uniform h_1 and h_2.

Security Mediated Encryption Scheme
A generic security mediated encryption scheme consists of three probabilistic polynomial-time algorithms:

1. KEYGEN. On input of security parameter 1^n, generates the system parameters (Params), the user's public key (pk), and the user-SEM secret keys (K_user, K_sem).

3. DECRYPT. The receiver first relays ciphertext c to SEM for partial decryption m_1 = DEC(c, K_sem) while computing his own part m_2 = DEC(c, K_user). Finally, the receiver performs the full decryption to recover message m = m_1 * m_2, where * represents the combining operation required by the particular scheme's setting.

Security Model of Security Mediated Encryption Scheme
The following defines the IND-CCA security game corresponding to the security mediated encryption scheme above.

1. Setup. On input of security parameter 1^n, challenger B adapts and runs KEYGEN of the encryption scheme to generate {Params, pk, K_user, K_sem}. B provides adversary A with {Params, pk} and retains {K_user, K_sem}.

The Proposed Security Mediated ElGamal Encryption Scheme
We now describe the design of our security mediated encryption scheme based on the IND-CCA-secure ElGamal variant proposed by [12]. Our design involves some structural modifications in order to fit the concept of the security mediated cryptography. Hereafter, we use mediated ElGamal scheme (or abbreviated as mEG) to denote the proposed security mediated encryption scheme. We point out some highlights of our proposed mediated ElGamal scheme below.

1. The user's public key (abbreviated as mpk) X in the KEYGEN algorithm (Algorithm 1) is generated by the CA using the user's random master secret key (abbreviated as msk) x, which is unknown to anyone except the CA itself.

2. Next, the secret key x is split into two parts which are sent securely to the user and to SEM respectively as their decryption keys.

3. Any party who wishes to initiate communication obtains the user's public key X from a public directory as part of the encryption procedure.

We now present the full mediated ElGamal scheme. Algorithm 1 (Key Generation) describes the initial setting of the system parameters including the public-private key pair, Algorithm 2 outlines the encryption procedure between sender and receiver, and Algorithm 3 shows the decryption performed by both SEM and receiver upon receiving the ciphertext.

Algorithm 1 Key Generation (KEYGEN) of mEG
Require: Security parameter 1^n.
Ensure: System parameters {p, q, g, ê, G_1, G_2, H_1, H_2, H_3, H_4}, user's public key X, user's secret key x, user's decryption key x_user, and SEM's decryption key x_sem.
1: On input of security parameter 1^n, generate two large primes p, q with |p| = |q| = n, a generator g such that ⟨g⟩ = Z_p^*, and two groups G_1, G_2 of order q.
2: Generate the following pairing function ê and hash functions H such that:
(a) ê :
to user i and SEM's decryption key x_sem to SEM.
6: The integer x_i, which is user i's secret key, is kept secret.

Algorithm 2 Encryption of mEG
1: User i who wishes to communicate computes and publishes his public key Y_i ≡ g^{x_{user_i}} (mod p) using his decryption key x_{user_i}.
2: A sender who wishes to send message m to user i obtains X_i and performs the following computations:
(a) Selects a random string σ ∈ {0, 1}^n and computes r =

Algorithm 3 Decryption of mEG
SEM-Decryption:
If it does, SEM computes the partial decryption c_1^{x_sem} and replies with it to user i. Otherwise, it rejects ciphertext C.

User-Decryption:
1: User i receives the partial decryption from SEM, and next performs the following series of computations to recover message m:
2: Lastly, computes r = H_1(σ‖Y_i), and verifies whether c_1 = g^r (mod p).

Proof of correctness.
The correctness of the proposed mediated ElGamal scheme begins with the ciphertext validation by SEM, that is
Next, one can easily verify the correctness of combining the two partial decryptions from SEM and user i respectively, such that
Then one proceeds with the decryption M = c_2 ⊕ h_1, followed by the verification h_2 = H_3(M). This enables the extraction of σ and message m from the string σ‖m, and finally one checks whether c_1 = g^{H_1(σ‖Y_i)}.

Remark 1.
As σ‖m is the concatenation of σ and message m, and σ is n bits long, the user can efficiently extract σ and m from it for the subsequent integrity check on the ciphertext component c_1.
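To make the split-key mechanics concrete, the following is an added toy implementation (not the authors' code) of the mEG flow reconstructed from the correctness section: the CA's secret x is split between user and SEM, the SEM returns c_1^{x_sem}, and the user combines it with c_1^{x_user} before running the Fujisaki-Okamoto checks on σ‖m. The additive split x = x_user + x_sem (mod q), the use of a prime-order-q subgroup of Z_p^*, SHA-256 in place of H_1, H_2, H_3, and the tiny parameters are assumptions of this example; the pairing-based validity check by SEM is omitted since its definition is not reproduced above.

```python
import hashlib
import secrets

# Constructed toy parameters (far too small for real use): safe prime p = 2q + 1
# and a generator g of the prime-order-q subgroup of Z_p^*.
P, Q, G = 1019, 509, 4
N = 8            # byte length of the random string sigma (the paper's n-bit sigma)

def H(tag, *parts):
    """Random-oracle stand-in: domain-separated SHA-256 over the concatenated parts."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(part if isinstance(part, bytes) else str(part).encode())
    return h.digest()

def H1(sigma, Y): return int.from_bytes(H(b"H1", sigma, Y), "big") % Q  # r = H1(sigma||Y)
def H2(shared):   return H(b"H2", shared)                               # h1, the XOR pad
def H3(M):        return H(b"H3", M)                                    # h2, integrity tag

def keygen():
    """CA picks master secret x and (assumed) splits it additively: x = x_user + x_sem mod q."""
    x = secrets.randbelow(Q - 1) + 1
    x_sem = secrets.randbelow(Q - 1) + 1
    x_user = (x - x_sem) % Q
    return pow(G, x, P), x_user, x_sem          # X = g^x, user share, SEM share

def encrypt(X, Y, m):
    """FO-style encryption reconstructed from the correctness section: r is derived from sigma."""
    assert N + len(m) <= 32                     # sigma || m must fit the 32-byte SHA-256 pad
    while True:
        sigma = secrets.token_bytes(N)
        r = H1(sigma, Y)
        if r:                                   # r = 0 would give the degenerate c1 = 1
            break
    M = sigma + m
    c1 = pow(G, r, P)
    c2 = bytes(a ^ b for a, b in zip(M, H2(pow(X, r, P))))   # M xor H2(X^r)
    return c1, c2, H3(M)

def sem_partial(c1, x_sem):
    """SEM's token: c1^{x_sem}. A revoked user simply no longer receives this."""
    return pow(c1, x_sem, P)

def user_decrypt(ct, partial, x_user, Y):
    """Combine both shares: c1^{x_sem} * c1^{x_user} = c1^x = X^r, then run the FO checks."""
    c1, c2, h2 = ct
    shared = partial * pow(c1, x_user, P) % P
    M = bytes(a ^ b for a, b in zip(c2, H2(shared)))
    if H3(M) != h2:                             # integrity check on M = sigma || m
        return None
    sigma, m = M[:N], M[N:]
    if pow(G, H1(sigma, Y), P) != c1:           # re-derive r and check c1 = g^r
        return None
    return m
```

Because r is re-derived from σ and Y_i at the receiver, any change to c_1 or c_2 is caught by either the H_3 check or the c_1 = g^r check, and a user without a fresh SEM token cannot reconstruct X^r from his own share alone.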

Security Proof of the Proposed Mediated ElGamal Scheme
We put forward in this section the indistinguishability against chosen-ciphertext attack (IND-CCA) security proof of our proposed mediated ElGamal scheme. Our proof is constructed on the hardness assumption of solving the CDH problem.

Theorem 1. Let mEG be the proposed mediated ElGamal scheme as described in Section 3, and let A be a probabilistic polynomial-time (PPT) adversary that has access to mEG. Then the proposed mediated ElGamal scheme is indistinguishably secure against chosen-ciphertext attack (IND-CCA) in the random oracle model under the assumption that solving the computational Diffie-Hellman (CDH) problem is hard. That is,
where ε denotes the negligible function, and q_{H_1}, q_{H_2} and q_{H_3} represent the number of H_1, H_2 and H_3 queries, respectively.

Proof. Suppose there exists an adversary A who can break the mediated ElGamal scheme; then we can construct a challenger B that solves the CDH problem. B is given the CDH instance (g, g^a, g^b) of the cyclic group Z_p^* with parameters (p, g), and models all of H_1, H_2, H_3, H_4 as random oracles. We now describe the interaction between the challenger B and the adversary A in the following game.

1. Setup: Challenger B takes security parameter 1^n as input and runs KEYGEN to output the system parameters {p, q, g, ê, G_1, G_2, H_1, H_2, H_3, H_4}, and sets the public key as X = g^a where a = x. These system parameters and the public key are sent to A. Note that B does not know the secret integer x.

2. H-query: B prepares four different hash lists to record and store all hash queries and responses. The lists are initially empty. We consider the following possible scenarios:

4. Challenge: When A is ready to perform the attack, he sends two distinct messages of equal length m_0, m_1 ∈ {0, 1}^n. B randomly selects a bit l ∈ {0, 1}, σ*, R_1, R_2 ∈ {0, 1}^n and Y* ∈ Z_p^*. Next, it outputs the challenge ciphertext C* as
where g^b is taken from the CDH instance. Observe that the challenge ciphertext can be treated as the encryption of message m_l ∈ {m_0, m_1} using the randomly chosen string σ* ∈ {0, 1}^n such that
Hence, the challenge ciphertext C* is a correct and valid ciphertext from A's point of view if he does not query the following to the random oracles:

5. Phase 2: A is allowed to continue querying decryption of ciphertexts C of his choice, except the challenge ciphertext C*.

6. Guess: A finally outputs his guess l′, ending the IND-CCA game. A wins the game if l′ = l. Note that the challenge hash query is the Diffie-Hellman shared value X^b = g^{ab}, which is a query to the random oracle H_2. B randomly selects one of the queries (u_1, U_1), ..., (u_{q_{H_2}}, U_{q_{H_2}}) in the H_2-list as the challenge hash query, and outputs it as the solution to the CDH problem.

It remains to evaluate the advantage of A in the simulated game described above. We discuss the two possible cases:

1. Scenario 1. If A does not query the challenge hash query X^b = g^{ab}, then the only alternative way he could break the challenge ciphertext is to search for the existence of the following queries:
or from the H_3-list; or
from the H_1-list, which has total negligible probability $\frac{q_{H_1}}{p} + \frac{2 q_{H_3}}{2^n}$, where q_{H_1}, q_{H_3} represent the total number of H_1 and H_3 queries, respectively.

2. Scenario 2. If A does query the challenge hash query X^b = g^{ab}, then he can gain an advantage in guessing the encrypted message m_l correctly. Otherwise, he can only guess with negligible advantage. As A has advantage ε in outputting the correct bit l ∈ {0, 1}, by the hardness assumption of the CDH problem such an event can occur only if the challenge hash query X^b = g^{ab} exists in the H_2-list. Let q_{H_2} be the total number of H_2 queries in the simulated game; following the IND-CCA model, we have:

Putting both cases together yields the claimed bound on Pr^{ind-cca}_{mEG}. This completes the proof of security of the proposed mediated ElGamal scheme.

Efficiency and Performance Analysis
We discuss the efficiency and performance of the proposed mediated ElGamal encryption scheme of Section 3. We emphasize a few important points about our proposal as follows:

1. Key escrow. Our proposed mediated ElGamal scheme currently does not address the issue of key escrow. In other words, our scheme suffers from the key escrow problem, in which the CA has absolute control of the user's secret key. Therefore, we assume that the CA cannot be compromised and is wholly trusted. We will address this issue in subsequent work.

2. Non-certificateless. Our proposed mediated ElGamal scheme is not certificateless as in the SMC of [3]. In other words, users' public keys need to be submitted to the CA for authentication.

3. Integrity. As we apply the Fujisaki-Okamoto transformation in our design, the proposed mediated ElGamal scheme provides ciphertext integrity checks on both the SEM side and the receiver side, on top of ensuring confidentiality of the encrypted message.

4. Pairing-free. Unlike some other mediated encryption schemes, our mediated ElGamal scheme is pairing-free in the sense that no pairing computations are involved in encryption and decryption. One can easily observe that the pairing function in our scheme only serves to provide the ciphertext validity check by SEM and the receiver. Hence, our scheme does not suffer from the major efficiency and computational cost drawbacks of pairing-based designs.

5. Novelty. Current security mediated cryptography focuses on ID-based or signature schemes, or is mostly designed on top of pairing functions. Our proposed mediated ElGamal scheme, on the other hand, utilizes the ElGamal variant as its primitive and is pairing-free in encryption and decryption.
The overall computational efficiency of our proposed mediated ElGamal scheme is presented in Table 1 below. Next, we summarize the performance of the currently existing mediated encryption schemes, including both the traditional and IBE types, in Table 2. We exclude the ciphertext validity check upon receiving the ciphertext tuple by either SEM or user from this summary, as some mediated schemes (i.e., those in [6,7]) do not provide such computations in their original proposal.
In Table 2, 'Exp' denotes exponentiation, 'Mul' indicates multiplication, '⊕' represents exclusive-OR, 'H' denotes hash, and 'P' means pairing. Algebraically, our proposed mediated ElGamal scheme utilizes a different primitive and, at a glance, its performance appears somewhat undesirable compared to mRSA [1]. This is due to the Fujisaki-Okamoto transformation in the IND-CCA ElGamal variant, which is not required in mRSA.
Observe that the SEM, which operates on the central server, has the most extensive operational overhead upon deployment, because it caters to all communication interactions. On the other hand, encryption and user-decryption occur at individual sites and only occasionally; one can assume long intervals of inactivity compared to the server site.
In the context of cryptographic deployment, the currently recommended key length required by RSA to achieve 128-bit security is 2048 bits, versus 1024 bits for discrete logarithm based cryptographic schemes. Hence, our scheme is notably better suited to high volume communication than the pairing-free scheme mRSA: the high volume of operations at the server site is handled much more efficiently by our scheme than by mRSA.
For the security mediated IBE schemes, although MCL-PKE [6] gives better efficiency as it is pairing-free, only SMC [3] withstands the various cryptanalyses and remains secure among the three. Both MCL-PKE [6] and mRFPKE [7] were broken under a partial decryption attack. Nonetheless, all three mediated IBE schemes achieve the certificateless property and are key-escrow free. In a non-apples-to-apples comparison between our pairing-free scheme and the pairing-based schemes, it is evident that our scheme performs better than the discrete logarithm scheme MCL-PKE, as our design has significantly fewer operations in each process. Moreover, further research on our scheme would strive towards the certificateless and escrow-freeness properties found in MCL-PKE [6].

Conclusions
In this paper, a new mediated encryption scheme based on the ElGamal variant is proposed and proved to be IND-CCA secure via the hardness assumption of the computational Diffie-Hellman problem. As this is our first attempt to utilize another well-known primitive in proposing a mediated encryption scheme, it exhibits the key-escrow problem and lacks the certificateless property. Our next objective is to provide an overall mediated encryption scheme resolving all the weaknesses addressed above. Our scheme can easily be transformed into elliptic curve and pairing-based settings via the hardness assumptions of the elliptic curve Diffie-Hellman (ECDH) and bilinear Diffie-Hellman (BDH) problems, respectively. Finally, we expect various schemes to be designed in the future based on the ElGamal variant, such as mediated IBE, signature, IBI, and certificateless-type schemes like those in the existing literature.

Conflicts of Interest:
The authors declare no conflict of interest.

Abbreviations
The following abbreviations are used in this manuscript: