Let $\Gamma_\tau$ be a set of tuples $(G, K, H, g)$ such that $\mathrm{SP}(G,K,H)$ is a splitting problem, $g$ is a generator for $K$, and $|H|$ has no small prime divisors. Let $\Gamma = \{\Gamma_\tau\}$. We shall be interested in the derived subgroup membership problem $\mathrm{SM}_\Gamma$, or in the symmetric subgroup membership problem $\mathrm{SSM}_\Gamma$.
The basic idea is that we shall do as for the ElGamal cryptosystem, but that the Diffie-Hellman key exchange part should be done in K and the message should be either in G, or restricted to H. The exact construction of Π2 from Γ is described in Figure 5.3.
Proposition 5.6. The cryptosystem Π2 is a homomorphic public key system.
Proof. Clear.
Theorem 5.7. The public key cryptosystem Π2 is semantically secure for messages in H if the subgroup membership problem $\mathrm{SM}_\Gamma$ is hard, and semantically secure for messages in G if the symmetric subgroup membership problem $\mathrm{SSM}_\Gamma$ is hard.
Proof. We assume that $A = (A_1, A_2)$ is a chosen plaintext adversary against indistinguishability for Π2 with advantage $\mathrm{Adv}^{\mathrm{IND}}_A$.

Experiment 1. Input: $(G, K, H, g)$, $x \in G$.
  1. $k \leftarrow \{0, \ldots, |G| - 1\}$, $y \leftarrow g^k$.
  2. $(m_0, m_1, o) \leftarrow A_1(G, K, H, g, y)$.
  3. $b \leftarrow \{0, 1\}$.
  4. $e \leftarrow x^k m_b$.
  5. $b' \leftarrow A_2(m_0, m_1, x, e, o)$.
  6. If $b = b'$, output 1, otherwise output 0.
Output: 0 or 1.
Key generation. Input: $\Gamma$, $\tau$.
  1. $(G, K, H, g) \leftarrow \Gamma_\tau$.
  2. $k \overset{\approx}{\leftarrow} \{0, \ldots, |G| - 1\}$.
  3. $y \leftarrow g^k$.
  4. $pk \leftarrow (G, K, H, g, y)$.
  5. $sk \leftarrow (G, k)$.
  6. Output $(pk, sk)$.
Output: A public-private key pair $(pk, sk)$.

Encryption. Input: $pk = (G, K, H, g, y)$, $m \in G$.
  1. $w \overset{\approx}{\leftarrow} \{0, \ldots, |K| - 1\}$.
  2. $x \leftarrow g^w$, $z \leftarrow y^w$, $e \leftarrow zm$.
  3. Output $(x, e)$.
Output: A ciphertext $c \in G \times G$.

Decryption. Input: $sk = (G, k)$, $(x, e) \in G \times G$.
  1. $z \leftarrow x^k$.
  2. $m \leftarrow e z^{-1}$.
  3. Output $m$.
Output: A message $m \in G$.

Figure 5.3: The cryptosystem Π2 derived from a (symmetric) subgroup membership problem. The message is restricted to H if SM(G,H) is not hard.
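As an added worked example (not code from the thesis), the following Python instantiates Π2 of Figure 5.3 in a constructed toy group: the subgroup G of $\mathbb{Z}_P^*$ of order A·B for the prime P = 20807 = 2·101·103 + 1, with K and H the subgroups of the coprime orders A = 101 and B = 103. The parameters, the helper names (`element_of_order`, `in_H`, `encode`, `decode`) and the encoding of additive messages as powers of a generator of H are assumptions of this example, not the thesis's instantiations from Sections 4.5.4, 4.5.6 and 4.5.7. It shows the two exponentiations in K at encryption, the membership test that keeps messages inside H, and the homomorphic property of Proposition 5.6 (multiplying ciphertexts adds the encoded messages).

```python
import secrets

# Constructed toy parameters for illustration (not the thesis's instantiation): G is the
# subgroup of Z_P^* of order A*B, where P is prime and P - 1 = 2*A*B.  Since gcd(A, B) = 1,
# G = K x H with |K| = A and |H| = B, so SP(G, K, H) is a (toy) splitting problem.
P = 20807
A, B = 101, 103
assert (P - 1) == 2 * A * B and all(P % q for q in range(2, 145))  # 145^2 > P, so P is prime


def element_of_order(order):
    """Return an element of Z_P^* of the given prime order: any h^((P-1)/order) != 1 works."""
    for h in range(2, P):
        g = pow(h, (P - 1) // order, P)
        if g != 1:
            return g


g = element_of_order(A)      # the generator g of K from Figure 5.3
h = element_of_order(B)      # a generator of H, used here only to encode messages into H


def in_H(m):
    """Membership test for H: in a cyclic group of order A*B, m lies in H iff m^B = 1."""
    return pow(m, B, P) == 1


def keygen():
    """k <- {0, ..., |G|-1}, y <- g^k.  pk = (g, y), sk = k (the group itself is implicit)."""
    k = secrets.randbelow(A * B)
    return (g, pow(g, k, P)), k


def encrypt(pk, m):
    """w <- {0, ..., |K|-1}; x <- g^w, z <- y^w, e <- z*m.  Both exponentiations are in K."""
    if not in_H(m):
        raise ValueError("message must lie in H (SM(G,H) is easy in this toy group)")
    g_, y = pk
    w = secrets.randbelow(A)
    return pow(g_, w, P), (pow(y, w, P) * m) % P


def decrypt(sk, ct):
    """z <- x^k, m <- e * z^-1."""
    x, e = ct
    z = pow(x, sk, P)
    return (e * pow(z, -1, P)) % P


def encode(a):
    """Additive message a in Z_B -> h^a in H; products in H then add the exponents mod B."""
    return pow(h, a % B, P)


def decode(m):
    """Brute-force discrete log in H; fine for |H| = 103, and it is exactly why a real
    additively homomorphic instantiation needs a subgroup H where this step is easy."""
    return next(a for a in range(B) if pow(h, a, P) == m)


def homomorphic_demo(a, b):
    """Encrypt a and b, multiply the ciphertexts componentwise (Proposition 5.6),
    and decrypt the product: the result is a + b mod B."""
    pk, sk = keygen()
    (x1, e1), (x2, e2) = encrypt(pk, encode(a)), encrypt(pk, encode(b))
    product = ((x1 * x2) % P, (e1 * e2) % P)
    return decode(decrypt(sk, product))
```

`homomorphic_demo(17, 40)` returns 57: the product ciphertext is $(g^{w_1+w_2}, y^{w_1+w_2} h^{17+40})$, and decryption strips the K-component exactly as in Figure 5.3. Passing an element outside H (the generator of K, say) is rejected by `in_H`, which is the toy version of "the message is restricted to H when SM(G,H) is not hard".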
In a realisation of Experiment 1, we could perhaps not sample k uniformly at random, but δ-close to uniform (Lemma 2.3), where δ can be made arbitrarily small at little cost.
Note that Step 1 does exactly what the key generation algorithm $\mathcal{K}$ would do, and Step 4 does exactly what the encryption algorithm $\mathcal{E}$ would do if it had first sampled x. (They would of course not know k, but would have sampled x as $g^w$ and computed $y^w$.)
Let $T_0$ be the event that Experiment 1 outputs 1 when its input x is in K. We note that if $x \in K$, then Experiment 1 proceeds exactly as a real attack, so
\[ \mathrm{Adv}^{\mathrm{IND}}_A \le |\Pr[T_0] - 1/2|. \tag{5.1} \]
Let $T$ be the event that Experiment 1 outputs 1 when its input x is in $G \setminus K$. We note that we can obviously derive an algorithm $A'$ from Experiment 1 that distinguishes K from $G \setminus K$ such that
\[ |\Pr[T_0] - \Pr[T]| \le \mathrm{Adv}^{\mathrm{SM}(G,K)}_{A'} + \delta. \tag{5.2} \]
Now we modify Experiment 1 as follows to get Experiment 1': we replace Step 4 with the following step:
  4. $z \leftarrow H$, $e \leftarrow x^k m_b z$.
Let $T_1$ be the event that Experiment 1' outputs 1 when its input x is in $G \setminus K$. By Lemma 4.12, the distributions of $(x, y, x^k)$ and $(x, y, x^k z)$ are $(|H| - \varphi(|H|))/|H|$-close, and otherwise the two algorithms are identical, so
\[ |\Pr[T] - \Pr[T_1]| \le \frac{|H| - \varphi(|H|)}{|H|}. \tag{5.3} \]
It is clear that if the message space is H, then the input to $A_2$ is independent of the bit b chosen, so no matter what $A_2$ does, it guesses correctly with probability 1/2, and
\[ \Pr[T_1] = 1/2. \tag{5.4} \]
By combining (5.1)–(5.4), we immediately get that
\[ \mathrm{Adv}^{\mathrm{IND}}_A \le \mathrm{Adv}^{\mathrm{SM}(G,K)}_{A'} + \frac{|H| - \varphi(|H|)}{|H|} + \delta. \]
Under the assumption that SM(G,K) is hard, this proves the first claim. To prove the second claim, we first modify Experiment 1' to get Experiment 1'': we replace Step 4 with the following step:
  4. $z \leftarrow G \setminus H$, $e \leftarrow x^k m_b z$.
Let $T_2$ be the event that Experiment 1'' outputs 1 when its input x is in $G \setminus K$. It is clear that if z were sampled uniformly at random from G, then the input to $A_2$ would be independent of the bit b chosen, so no matter what $A_2$ does, it would guess correctly with probability 1/2. By Lemma 2.2, the uniform distribution on $G \setminus H$ is $2|H|/|G|$-close to the uniform distribution on G, so we have that
\[ |\Pr[T_2] - 1/2| \le \frac{2|H|}{|G|}. \tag{5.5} \]
To bound the difference in probability between $T_1$ and $T_2$, we introduce the following experiment.

Experiment 2. Input: $(G, K, H, g)$, $z \in G$.
  1. $k \leftarrow \{0, \ldots, |G| - 1\}$, $y \leftarrow g^k$.
  2. $(m_0, m_1, o) \leftarrow A_1(G, K, H, g, y)$.
  3. $b \leftarrow \{0, 1\}$.
  4. $x \leftarrow G \setminus K$, $e \leftarrow x^k m_b z$.
  5. $b' \leftarrow A_2(m_0, m_1, x, e, o)$.
  6. If $b = b'$, output 1, otherwise output 0.
Output: 0 or 1.
Let $R_0$ be the event that Experiment 2 outputs 1 when its input z is in H, and let $R$ be the corresponding event when the input z is in $G \setminus H$.
It is quite clear that if the input z to Experiment 2 is in H, then Experiment 2 behaves exactly as Experiment 1' behaves when its input x is in $G \setminus K$. Likewise, if $z \in G \setminus H$, then Experiment 2 behaves exactly as Experiment 1'' behaves when its input x is in $G \setminus K$. So we can derive an algorithm $A''$ from Experiment 2 such that
\[ |\Pr[T_1] - \Pr[T_2]| = |\Pr[R_0] - \Pr[R]| \le \mathrm{Adv}^{\mathrm{SM}(G,H)}_{A''} + \delta. \tag{5.6} \]
Combining (5.1)–(5.3), (5.5), and (5.6), we get that
\[ \mathrm{Adv}^{\mathrm{IND}}_A \le \mathrm{Adv}^{\mathrm{SM}(G,K)}_{A'} + \mathrm{Adv}^{\mathrm{SM}(G,H)}_{A''} + \frac{|H| - \varphi(|H|)}{|H|} + \frac{2|H|}{|G|} + 2\delta, \]
which proves the second claim.
Note that this cryptosystem does not require a trapdoor problem, unlike Π1 and Π1'. We shall see more of the advantages of this approach in Section 7.
This variant of ElGamal can usefully be instantiated with the Decision Composite Residuosity problem (Section 4.5.4) to get an additively homomorphic cryptosystem. Various technical benefits of such an approach were discussed in [13].
It can also be usefully instantiated with the symmetric subgroup membership problems discussed in Section 4.5.6 and Section 4.5.7.
Chapter 6
Key encapsulation methods
A key encapsulation method is a public key cryptosystem whose only job is to encapsulate keys for symmetric cryptosystems. The idea is that the weaker goal of transporting a random key could be easier to achieve than the more complicated task of transporting messages with an unknown distribution.

6.1 Security against passive attacks
Let SP(G,K,H) be a splitting problem. The basic idea is that we can sample elements uniformly from K and H to be the random key, and hide them by multiplying. We recover the random key with the splitting algorithm. The key encapsulation method is described in Figure 6.1.
It is quite clear that the key encapsulation method Λ1 is secure against key recovery if the splitting problem is hard. As we shall see, deciding if the correct key has been recovered is possible if either K can be distinguished from G\ K or if H can be distinguished from G\ H.
Theorem 6.1. Let $\mathrm{TSP}_\Gamma$ be a trapdoor splitting problem such that for every tuple $(G, K, H)$, the group order $|G|$ has no small prime factors. The key encapsulation method Λ1 is semantically secure if and only if the symmetric subgroup membership problem $\mathrm{SSM}_\Gamma$ is hard.
Proof. Given a key-ciphertext pair $((x, y), c) \in G \times G \times G$, it is quite clear that if $x \in K$ or $y \in H$, then $(x, y)$ is with overwhelming probability the correct key. Now we show that an algorithm for distinguishing the keys output by Λ1 from random keys must lead to an algorithm for distinguishing either K or H.
Suppose the sampling algorithm given by the symmetric subgroup membership problem samples elements δ-close to the uniform distribution. We note that by using the sampling algorithms of the symmetric subgroup membership problem, and by Lemma 2.3, even if we do not know $|G|$, we can implement modified experiments whose underlying probability spaces are $O(\delta + \delta')$-close to the original experiments. The extra work needed is $O(\log 1/\delta')$ exponentiations in G.
Key generation. Input: $\mathrm{TSP}_\Gamma$, $\tau$.
  1. $(G, K, H, \sigma) \leftarrow \Gamma_\tau$.
  2. $pk \leftarrow (G, K, H)$.
  3. $sk \leftarrow (G, \sigma)$.
  4. Output $(pk, sk)$.
Output: A public-private key pair $(pk, sk)$.

Encryption. Input: $pk = (G, K, H)$.
  1. $x \overset{\approx}{\leftarrow} K$, $y \overset{\approx}{\leftarrow} H$.
  2. Output $((x, y), xy)$.
Output: A key-ciphertext pair in $G \times G \times G$.

Decryption. Input: $sk = (G, \sigma)$, $c \in G$.
  1. $(x, y) \leftarrow \sigma(c)$.
  2. Output $(x, y)$.
Output: A key in $G \times G$.

Figure 6.1: The key encapsulation method Λ1.
Experiment 1. Input: $(G, K, H)$, $A$, $x \in G$.
  1. $x' \leftarrow K$.
  2. $r \leftarrow \{0, \ldots, |G| - 1\}$.
  3. $y \leftarrow H$.
  4. $b \leftarrow \{0, 1\}$.
  5. If $b = 1$, then $(c, c', c'') \leftarrow (x^r x', y, x^r x' y)$, otherwise $(c, c') \leftarrow G \times G$ and $c'' \leftarrow cc'$.
  6. $b' \leftarrow A((c, c'), c'')$.
  7. If $b = b'$, then output 1, otherwise output 0.
Output: 0 or 1.

Experiment 2. Input: $(G, K, H)$, $A$, $y \in G$.
  1. $x \leftarrow G$.
  2. $y' \leftarrow H$.
  3. $r \leftarrow \{0, \ldots, |G| - 1\}$.
  4. $b \leftarrow \{0, 1\}$.
  5. If $b = 1$, then $(c, c', c'') \leftarrow (x, y^r y', x y^r y')$, otherwise $(c, c') \leftarrow G \times G$ and $c'' \leftarrow cc'$.
  6. $b' \leftarrow A((c, c'), c'')$.
  7. If $b = b'$, then output 1, otherwise output 0.
Output: 0 or 1.
Let $T_1$ be the event that Experiment 1 returns 1 when the input x is in K. Let $T_1'$ be the event that Experiment 1 returns 1 when the input x is in $G \setminus K$. Let $T_2$ be the event that Experiment 2 returns 1 when the input y is in H. Let $T_2'$ be the event that Experiment 2 returns 1 when the input y is in $G \setminus H$. It is clear that if the input to Experiment 1 is in K, then the experiment proceeds exactly as an attack against the cryptosystem would do, except that in a real attack, x would not be sampled uniformly but δ-close to uniformly. In other words, the advantage of A is at most
\[ |\Pr[T_1] - 1/2| + \delta. \]
Next, we see that if the input to Experiment 1 is in $G \setminus K$, then when x is a generator for G, $x^r$ is uniformly distributed in G, so $(x^r x', y)$ is uniformly distributed in $G \times H$. By Lemma 2.5, the probability that x is a generator is larger than $\varphi(|G|)/|G|$.
If the input to Experiment 2 is in H, then no matter what r is, $(x, y^r y')$ is uniformly distributed in $G \times H$. This means that
\[ |\Pr[T_1'] - \Pr[T_2]| \le \frac{|G| - \varphi(|G|)}{|G|}. \]
Finally, suppose that the input y to Experiment 2 is in $G \setminus H$ and that it is a generator for G. Then $(x, y^r y')$ is distributed uniformly in $G \times G$. It is then clear that
\[ |\Pr[T_2'] - 1/2| \le \frac{|G| - \varphi(|G|)}{|G|}. \]
Putting it all together, we get that the advantage of A is at most
\[ \begin{aligned} & |\Pr[T_1] - \Pr[T_1'] + \Pr[T_1'] - \Pr[T_2] + \Pr[T_2] - \Pr[T_2'] + \Pr[T_2'] - 1/2| + \delta \\ & \le |\Pr[T_1] - \Pr[T_1']| + \frac{|G| - \varphi(|G|)}{|G|} + |\Pr[T_2] - \Pr[T_2']| + \frac{|G| - \varphi(|G|)}{|G|} + \delta. \end{aligned} \]
Since (up to $O(\delta')$) $|\Pr[T_1] - \Pr[T_1']|$ and $|\Pr[T_2] - \Pr[T_2']|$ are the advantages of some algorithms distinguishing K from $G \setminus K$ and H from $G \setminus H$, respectively, the assumption that the symmetric subgroup membership problem is hard means that the advantage of A must be negligible.
We can create a simple ElGamal-like cryptosystem using this key encapsulation method and the shift cipher in G. The symmetric cryptosystem has message space G, ciphertext space G and key space $G \times G$. The encryption algorithm is $SE((x, y), m) = xm$, and the decryption algorithm is $SD((x, y), c) = c x^{-1}$.
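As an added worked example (not code from the thesis), the following Python implements Λ1 of Figure 6.1 together with the shift cipher just described, in a constructed toy group: the subgroup G of $\mathbb{Z}_P^*$ of order A·B for the prime P = 20807 = 2·101·103 + 1, with K and H the subgroups of the coprime orders A = 101 and B = 103. In this toy the trapdoor σ is simply knowledge of the two subgroup orders, and `split` realises it by raising the ciphertext to exponents chosen by the Chinese remainder theorem; the parameters and the helper names (`element_of_order`, `sample`, `split`, `encap`, `decap`, `key_is_plausible`) are assumptions of this example, not the thesis's SOU$_n$ instantiation. The block also shows the observation that opens the proof of Theorem 6.1: a candidate key is confirmed as soon as one can decide membership in K or in H.

```python
import secrets

# Constructed toy parameters, not the thesis's SOU_n instantiation: G is the subgroup of
# Z_P^* of order A*B (P prime, P - 1 = 2*A*B), with K and H its subgroups of the coprime
# orders A and B, so every c in G splits uniquely as c = x*y with x in K and y in H.
# Here the trapdoor sigma is simply knowledge of A and B.
P = 20807
A, B = 101, 103


def element_of_order(order):
    """An element of Z_P^* of the given prime order."""
    for h in range(2, P):
        g = pow(h, (P - 1) // order, P)
        if g != 1:
            return g


g_K, g_H = element_of_order(A), element_of_order(B)


def sample(gen, order):
    """Uniform element of the subgroup generated by gen (the thesis's sampling algorithm)."""
    return pow(gen, secrets.randbelow(order), P)


def split(c):
    """The splitting algorithm sigma.  Raising c = x*y to an exponent u with u = 1 (mod A)
    and u = 0 (mod B) gives x^u * y^u = x, because x^A = y^B = 1; v does the same for y."""
    u = B * pow(B, -1, A)
    v = A * pow(A, -1, B)
    return pow(c, u, P), pow(c, v, P)


def encap():
    """Encryption of Lambda_1: x <- K, y <- H; the key is (x, y) and the ciphertext is xy.
    One exponentiation in K and one in H, as the comparison in the text states."""
    x, y = sample(g_K, A), sample(g_H, B)
    return (x, y), (x * y) % P


def decap(c):
    """Decryption of Lambda_1 is just the splitting algorithm."""
    return split(c)


def in_K(x):
    return pow(x, A, P) == 1


def in_H(y):
    return pow(y, B, P) == 1


def key_is_plausible(key):
    """Opening observation of the proof of Theorem 6.1: a candidate key whose first
    component lies in K (or whose second lies in H) is with overwhelming probability the
    real one, so anyone who can decide membership can tell recovered keys from random ones."""
    x, y = key
    return in_K(x) or in_H(y)


def shift_encrypt(key, m):
    """SE((x, y), m) = x*m: the shift cipher in G, keyed by the K-component only."""
    return (key[0] * m) % P


def shift_decrypt(key, c):
    """SD((x, y), c) = c * x^-1."""
    return (c * pow(key[0], -1, P)) % P


def elgamal_like_roundtrip(m):
    """KEM + shift cipher: the sender transmits (xy, x*m); the receiver splits xy to get x."""
    key, c = encap()
    ct = shift_encrypt(key, m)
    recovered = decap(c)
    return recovered == key and key_is_plausible(recovered) and shift_decrypt(recovered, ct) == m
```

The exponents u and v in `split` are what a real trapdoor must hide: with |K| and |H| public the splitting problem is trivial, and the whole point of Section 4.5.6's instantiation is a group where the orders are not known without the trapdoor. Note also that `key_is_plausible` needs only a membership test, which is why Theorem 6.1 ties semantic security of Λ1 to the symmetric subgroup membership problem rather than to the splitting problem alone.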
When this cryptosystem is instantiated with the symmetric subgroup membership problem $\mathrm{SSM}(G,K,H) = \mathrm{SOU}_n$ described in Section 4.5.6, we see that encryption requires one exponentiation in K and one in H, while decryption requires essentially the same work.
Compared to ElGamal over G, which requires two exponentiations in G for encryption and one for decryption, this is quite efficient. But Π2 in Section 5.3 requires two exponentiations in K for encryption, and only one exponentiation in K for decryption. This is rather more efficient than the above system, and just as secure.
We conclude that the key encapsulation method Λ1, while secure, is not very useful.