CC BY 4.0 license. Open Access. Published by De Gruyter, March 21, 2023

A construction of encryption protocols over some semidirect products

  • Shuji Isobe and Eisuke Koizumi

Abstract

In CANDARW ’18, Isobe et al. proposed a secure encryption protocol on non-abelian groups based on the Anshel–Anshel–Goldfeld key exchange protocol. Two weak points remained: the protocol is indistinguishable against adaptive chosen ciphertext attack (IND-CCA) only in a slightly restricted sense, which they call IND-rCCA security, and the conditions imposed on the groups and hashing schemes are too strict for the protocol to be practical. In this article, we propose an IND-CCA secure protocol that resolves both problems. The key idea is to employ specific semidirect products as platform groups, so that exact IND-CCA security follows from concise conditions on the groups and hashing schemes. Our protocol does not depend on any computational assumption on abelian subgroups.

MSC 2010: 94A60; 68P25

1 Introduction

Non-abelian groups have attracted a lot of attention as a potential source of cryptographic primitives that resist quantum computers. This is partly because many cryptographically hard problems on abelian groups, such as the discrete logarithm problem, have been shown to be efficiently solvable by quantum computers, so that hardness assumptions on them can no longer ensure the security of protocols. Since non-abelian groups have a far greater variety of group structures than abelian groups, non-abelian cryptography is an intriguing research field not only for cryptographers but also for group theorists.

Many cryptographic schemes have been proposed on non-abelian groups such as braid groups [1–3], Thompson’s groups [4], Suzuki 2-groups [5,6], and inner automorphism groups [7,8]. Few of them, however, come with rigorous provable security. Vasco et al. [9] proposed a theoretical framework for constructing, on non-abelian groups, an encryption protocol that is indistinguishable against adaptive chosen ciphertext attacks (IND-CCA) in the standard model; however, no practical protocol has been instantiated from their framework so far. Gu et al. [10] and Hong et al. [11] constructed IND-CCA secure protocols in the random oracle model based on the factorization search problem. Li et al. [12] proposed the notion of index exchangeable families to construct an IND-CCA secure protocol. We note that these protocols use cyclic subgroups in an essential way, although their constructions assume non-abelian groups.

Toward establishing encryption protocols on non-abelian groups with rigorous provable security, Isobe et al. [13] proposed an encryption protocol on non-abelian groups without any computational assumption on abelian subgroups, including cyclic groups. The approach is inspired by Cramer and Shoup [14]. The Cramer–Shoup protocol employs the Diffie–Hellman key exchange protocol [15] over prime-order cyclic subgroups. Isobe et al. [13] instead involved the Anshel–Anshel–Goldfeld (AAG) key exchange protocol [16], which enables two parties to share a secret key over insecure channels by using non-abelian groups, to establish an encryption protocol on non-abelian groups with provable security. However, two weak points were left unresolved. One is the validity, or in other words the practicality, of the conditions imposed on groups and hashing schemes: the conditions are so strict that no groups and hashing schemes satisfying them have been found yet. The other is the security of the protocol. They proved that the protocol is “IND-rCCA (IND-restricted CCA)” secure, which is weaker than the standard IND-CCA security because, during the attack, the adversary is allowed to query only elements of some specified subset of strings to its oracles.

In this article, we propose a new, enhanced protocol that resolves the aforementioned problems. The main framework remains the same, that is, the protocol is based on the Cramer–Shoup approach and the AAG key exchange protocol. The key idea is to employ specific semidirect products as platform groups. This choice of platform groups enables an exact analysis of the security of the protocol and thereby eliminates the perplexing conditions on groups and hashing schemes. As a result, our scheme is proved to be IND-CCA secure in the standard model using only reasonable computational assumptions. Explicitly, our computational assumptions are a (target) collision resistance condition on the hash functions, the hardness of a factorization search problem on non-abelian groups, and the hardness of a variant of the decisional conjugacy problem.

This article is organized as follows: in Section 2, we give definitions of semidirect products and words. Our protocol and the main theorem are stated in Section 3. We prove the main theorem in Section 4 and compare our protocol with several protocols in Section 5. Some properties of semidirect products are widely used to construct our protocol and prove the main theorem. They are proved in Appendix A.

2 Preliminaries

Let $\mathbb{N}$ denote the set of positive integers. For $N \in \mathbb{N}$, $\mathbb{Z}_N$ and $\mathbb{Z}_N^{\times}$ denote the residue ring $\mathbb{Z}/N\mathbb{Z}$ and its group of units, respectively. $\mathbb{Z}_N$ is identified with the set $\{0, 1, \ldots, N-1\}$.

For a finite set $V$, $\#V$ is the number of elements of $V$. For a probability distribution $D$ over $V$, we write $a \leftarrow_D V$ (or $a \leftarrow_D$ if $V$ is understood) to denote that $a$ is chosen from $V$ according to the distribution $D$. In particular, $U$ denotes the uniform distribution on the specified set, and $a \leftarrow_U V$ denotes the uniform choice of $a$ from $V$. For any algorithm $A$, $A(a) \to b$ or $b \leftarrow A(a)$ denotes that $A$ outputs $b$ on input $a$. If $A$ is probabilistic, then $A(a)$ is a random variable on the input $a$, where the probability is taken over the random tape of $A$.

For a non-negative real-valued function $f : \mathbb{N} \to \mathbb{R}$, $f$ is negligible if for any real number $c > 0$ there exists $k_0 \in \mathbb{N}$ such that $f(k) < k^{-c}$ holds for all $k \geq k_0$. A probability function $p(k)$ is overwhelming if there exist a negligible function $\nu(k)$ and a number $k_0 \in \mathbb{N}$ such that $p(k) \geq 1 - \nu(k)$ holds for all $k \geq k_0$.

2.1 Semidirect product

For a group $G$, $\operatorname{ord}(G)$ denotes the order of $G$. The symbol $e$ is used for the identity element of groups. Let $G_1$ and $G_2$ be two subgroups of a group $G$. The group $G$ is called a semidirect product of $G_1$ by $G_2$ if the following three conditions hold:

  1. $G_1 \trianglelefteq G$,

  2. $G_1 \cap G_2 = \{e\}$, and

  3. $G = G_1 G_2$, that is, any element $h \in G$ can be written in the form $h = h_1 h_2$ for some $h_1 \in G_1$ and $h_2 \in G_2$.

We write $G = G_1 \rtimes G_2$ when $G$ is a semidirect product of $G_1$ by $G_2$.

As platform groups of our encryption protocol, we use a “semidirect product of a semidirect product,” that is, a group $G$ of the form $G = (G_1 \rtimes G_2) \rtimes G_3$ for some subgroups $G_1$, $G_2$, and $G_3$. In particular, we exclusively consider the case where $\operatorname{ord}(G_1) = p_1$ and $\operatorname{ord}(G_2) = \operatorname{ord}(G_3) = p_2$ for some distinct primes $p_1$ and $p_2$. Let $g_i$ be a generator of $G_i$ for each $i = 1, 2, 3$, and write $G = (\langle g_1 \rangle \rtimes \langle g_2 \rangle) \rtimes \langle g_3 \rangle$. The group $G$ has the following properties (S1)–(S3):

  (S1) $\langle g_1 \rangle \trianglelefteq \langle g_1 \rangle \langle g_2 \rangle$ and $\langle g_1 \rangle \langle g_2 \rangle \trianglelefteq G$;

  (S2) $\langle g_1 \rangle \cap \langle g_2 \rangle = \{e\}$ and $(\langle g_1 \rangle \langle g_2 \rangle) \cap \langle g_3 \rangle = \{e\}$; and

  (S3) $\langle g_1 \rangle \rtimes \langle g_2 \rangle = \langle g_1 \rangle \langle g_2 \rangle$ and $G = \langle g_1 \rangle \langle g_2 \rangle \langle g_3 \rangle$.

The following proposition exhibits the structure of the semidirect product G . We prove the proposition in Appendix A.1.

Proposition 2.1

There exist $\alpha, \beta \in \mathbb{Z}_{p_1}^{\times}$ and $\gamma \in \mathbb{Z}_{p_1}$ such that

(2.1) $\alpha^{p_2} \equiv \beta^{p_2} \equiv 1 \pmod{p_1}$, and

(2.2) $g_2 g_1 g_2^{-1} = g_1^{\alpha}$, $\quad g_3 g_1 g_3^{-1} = g_1^{\beta}$, $\quad g_3 g_2 g_3^{-1} = g_1^{\gamma} g_2$.

Equation (2.1) (which follows from (2.2) by conjugating $g_1$ by $g_2^{p_2} = e$ and by $g_3^{p_2} = e$) implies that the orders of $\alpha$ and $\beta$ in $\mathbb{Z}_{p_1}^{\times}$ are either $1$ or $p_2$. Hence, unless $p_2 \mid p_1 - 1$, we must have $\alpha = \beta = 1$, because $\mathbb{Z}_{p_1}^{\times}$ has order $p_1 - 1$ and then contains no element of order $p_2$; therefore $g_1 g_2 = g_2 g_1$ and $g_1 g_3 = g_3 g_1$ by equation (2.2). In this article, we assume that $p_2 \mid p_1 - 1$ and that $\alpha \neq 1$, $\beta \neq 1$, and $\gamma \neq 0$. This implies that the generators $g_1$, $g_2$, and $g_3$ do not mutually commute.

2.2 Word

Let $T = \{t_1, \ldots, t_n\}$ be a set of $n$ elements, called a set of formal letters. We consider new formal letters $t_1^{-1}, \ldots, t_n^{-1}$ and define the set of inverse letters by $T^{-1} = \{t_1^{-1}, \ldots, t_n^{-1}\}$, which is assumed to be disjoint from $T$. We define $(t_i^{-1})^{-1} = t_i$ for each letter $t_i$. A finite (possibly empty) sequence $w = t_{i_1}^{\varepsilon_1} \cdots t_{i_l}^{\varepsilon_l}$, where $t_{i_j} \in T$ and $\varepsilon_j \in \{1, -1\}$, is called a word in $T$. We often write $w(T)$ to denote that $w$ is a word in $T$. The empty sequence is called the empty word. For any words $w_1$ and $w_2$, $[w_1, w_2] = w_1 w_2 w_1^{-1} w_2^{-1}$ denotes their commutator.

Let $G$ be a group, and let $S = (s_1, \ldots, s_n) \in G^n$. For a word $w$ in a set $T = \{t_1, \ldots, t_n\}$ of formal letters, we substitute $t_i = s_i$ and $t_i^{-1} = s_i^{-1}$ into $w$ for each $i = 1, \ldots, n$, where $s_i^{-1}$ denotes the inverse of $s_i$ in $G$, to produce an element of $G$, denoted by $w(S)$. When $w$ is the empty word, we set $w(S) = e$. We define $g S g^{-1} = (g s_1 g^{-1}, \ldots, g s_n g^{-1})$ for any $g \in G$. The following proposition is easily obtained by direct calculation.

Proposition 2.2

Let $G$ be a group, and let $S = (s_1, \ldots, s_n) \in G^n$. Then, $w(g S g^{-1}) = g\, w(S)\, g^{-1}$ holds for any $g \in G$ and any word $w$ in $T$.

In this article, we use two “two-letter sets” $T = \{t_2, t_3\}$ and $\bar{T} = \{\bar{t}_2, \bar{t}_3\}$ and consider only words of the form $w(T) = [t_2, t_3]^{n_1} t_2^{n_2} t_3^{n_3}$ and $w(\bar{T}) = [\bar{t}_2, \bar{t}_3]^{n_1} \bar{t}_2^{\,n_2} \bar{t}_3^{\,n_3}$ for some $n_1 \in \mathbb{Z}_{p_1}$ and $n_2, n_3 \in \mathbb{Z}_{p_2}$, where $p_1$ and $p_2$ are distinct primes.

3 Statement of the result

3.1 Group generation and hashing scheme

We first define a group generation algorithm $\mathrm{GGen}$. It is a probabilistic polynomial-time (PPT) algorithm. Let $k$ denote the security parameter. On input $1^k$, the juxtaposition of $k$ copies of the letter $1$, $\mathrm{GGen}$ outputs a tuple $\mathcal{G} = (G, p_1, p_2, g_1, g_2, g_3, a_2, a_3, b_2, b_3)$, where

  1. $p_1 = \Omega(2^k)$ and $p_2 = \Omega(2^k)$ are distinct primes with $p_2 \mid p_1 - 1$;

  2. $G = (\langle g_1 \rangle \rtimes \langle g_2 \rangle) \rtimes \langle g_3 \rangle$ is a semidirect product generated by $g_1$, $g_2$, and $g_3$ with $\operatorname{ord}(g_1) = p_1$ and $\operatorname{ord}(g_2) = \operatorname{ord}(g_3) = p_2$;

  3. there exist $\alpha, \beta \in \mathbb{Z}_{p_1}^{\times}$ and $\gamma \in \mathbb{Z}_{p_1}$ such that

    (3.1) $\alpha \neq 1$, $\beta \neq 1$, $\gamma \neq 0$,

    (3.2) $\alpha^{p_2} \equiv \beta^{p_2} \equiv 1 \pmod{p_1}$,

    (3.3) $g_2 g_1 g_2^{-1} = g_1^{\alpha}$, $\quad g_3 g_1 g_3^{-1} = g_1^{\beta}$, $\quad g_3 g_2 g_3^{-1} = g_1^{\gamma} g_2$,

    so that $g_1$, $g_2$, and $g_3$ do not mutually commute (see Proposition 2.1), and

  4. $a_2$, $a_3$, $b_2$, and $b_3$ are uniformly and independently chosen from $\mathbb{Z}_{p_2}$ so that the following conditions are fulfilled:

    (3.4) $a_2 b_3 - a_3 b_2 \not\equiv 0 \pmod{p_2}$,

    (3.5) $[\,g_2^{a_2} g_3^{a_3},\ g_2^{b_2} g_3^{b_3}\,] \neq e$, and

    (3.6) $g_1 (g_2^{a_2} g_3^{a_3}) g_1^{-1} \neq g_2^{a_2} g_3^{a_3}$, $\quad g_1 (g_2^{b_2} g_3^{b_3}) g_1^{-1} \neq g_2^{b_2} g_3^{b_3}$.

Proposition 3.1 claims that there are overwhelmingly many tuples ( a 2 , a 3 , b 2 , b 3 ) in Z p 2 4 that satisfy equations (3.4)–(3.6). We prove the proposition in Appendix A.2.

Proposition 3.1

The following inequality holds:

$$\Pr\big[\,(a_2, a_3, b_2, b_3) \text{ satisfies the conditions (3.4)–(3.6)} \;\big|\; (a_2, a_3, b_2, b_3) \leftarrow_U \mathbb{Z}_{p_2}^4\,\big] \;\geq\; 1 - \frac{8}{p_2}.$$

Set $\mathcal{G}_0 = (G, p_1, p_2, g_1)$ and $S = (g_2, g_3)$, and write $\mathcal{G} = (\mathcal{G}_0, S, a_2, a_3, b_2, b_3)$ for ease of writing. As a computational foundation, we assume that any output $\mathcal{G} = (\mathcal{G}_0, S, a_2, a_3, b_2, b_3)$ of $\mathrm{GGen}(1^k)$ satisfies the following conditions (I) and (II). If a string $g$ represents an element of $G$, we identify the string $g$ with the represented element of $G$; this causes no confusion.

  • (I)  The following three polynomial-time deterministic algorithms, $\mathrm{Mem}$, $\mathrm{Comp}$, and $\mathrm{Inv}$, are assigned to the group $G$:

    • Membership: for any given string $g$, $\mathrm{Mem}$ determines whether or not $g \in G$;

    • Composition: for any given elements $g, g' \in G$, $\mathrm{Comp}$ computes the product $g g' \in G$; and

    • Inversion: for any given element $g \in G$, $\mathrm{Inv}$ computes the inverse $g^{-1} \in G$.

  • (II) For any PPT algorithm $A$, the probability

    $$\Pr\left[\, g = g_2^{n_2'} g_3^{n_3'} \;\middle|\; \mathcal{G} \leftarrow \mathrm{GGen}(1^k),\ (n_2, n_3) \leftarrow_U \mathbb{Z}_{p_2}^2,\ g = g_2^{n_2} g_3^{n_3},\ (n_2', n_3') \leftarrow A(1^k, \mathcal{G}, g) \,\right]$$

    is negligible in $k$.

Condition (I) is a purely computational requirement: it says that the elementary group operations can be performed efficiently, and it ensures that encryption and decryption can be executed efficiently. Condition (II) says that the factorization search problem on the subset $\langle g_2 \rangle \langle g_3 \rangle$ is infeasible: given a uniformly random $g = g_2^{n_2} g_3^{n_3}$, no PPT algorithm recovers the exponents $(n_2, n_3)$ except with negligible probability.

We assign a PPT algorithm $\mathrm{GGen}'$ to $\mathrm{GGen}$: on input $1^k$, $\mathrm{GGen}'$ works as follows:

  1. Execute $\mathrm{GGen}(1^k)$, and obtain a tuple $\mathcal{G} = (\mathcal{G}_0, S, a_2, a_3, b_2, b_3)$.

  2. Set $\bar{S} = (a, b) = (g_2^{a_2} g_3^{a_3}, g_2^{b_2} g_3^{b_3})$, and output a tuple $\mathcal{G}' = (\mathcal{G}_0, S, \bar{S})$.

The algorithm $\mathrm{GGen}'$ outputs $\bar{S}$ instead of the tuple $(a_2, a_3, b_2, b_3)$. By Condition (II), it is infeasible to extract the tuple $(a_2, a_3, b_2, b_3)$ from $\bar{S} = (g_2^{a_2} g_3^{a_3}, g_2^{b_2} g_3^{b_3})$.

For any $k \in \mathbb{N}$, with $\mathcal{G} = (\mathcal{G}_0, S, a_2, a_3, b_2, b_3)$ ranging over the outputs of $\mathrm{GGen}(1^k)$, we define

$$\mathfrak{G}_k = \{\, \mathcal{G} \mid \Pr[\mathcal{G} \leftarrow \mathrm{GGen}(1^k)] > 0 \,\}$$

and then define

$$\mathfrak{G} = \bigcup_{k \in \mathbb{N}} \mathfrak{G}_k .$$

We now define a hashing scheme $\mathrm{HF}$ associated with the family $\mathfrak{G}$. It specifies the following two items:

  1. A family $\mathrm{KS}_{k,\mathcal{G}}$ of non-empty finite key sets indexed by $k \in \mathbb{N}$ and $\mathcal{G} \in \mathfrak{G}_k$. We assume that there exists a PPT algorithm which, on input $1^k$ and $\mathcal{G}$, outputs a uniformly distributed element $hk$ of $\mathrm{KS}_{k,\mathcal{G}}$.

  2. A family of hash functions $\mathrm{HF}^{k,\mathcal{G}}_{hk} : G^5 \to \mathbb{Z}_{p_1}$ indexed by $k \in \mathbb{N}$, $\mathcal{G} \in \mathfrak{G}_k$, and $hk \in \mathrm{KS}_{k,\mathcal{G}}$. We assume that there exists a deterministic polynomial-time algorithm which, on input $1^k$, $\mathcal{G} \in \mathfrak{G}_k$, $hk \in \mathrm{KS}_{k,\mathcal{G}}$, and $(h_1, h_2, h_3, h_4, h_5) \in G^5$, outputs the element $\mathrm{HF}^{k,\mathcal{G}}_{hk}(h_1, h_2, h_3, h_4, h_5) \in \mathbb{Z}_{p_1}$.

We assume that $\mathrm{HF}$ satisfies the following target collision resistance condition (H):

  (H) For any PPT algorithm $A$, the function

    $$\mathrm{Adv}^{\mathrm{TCR}}_{A}(k) = \Pr\left[\begin{array}{l} h_5' \in \langle g_1 \rangle \ \wedge\ \exists\, (u_2', u_3', \bar{u}_2', \bar{u}_3') \in G^4 \text{ s.t. } U' = (u_2' g_2 u_2'^{-1},\ u_3' g_3 u_3'^{-1}),\ \bar{U}' = (\bar{u}_2' a \bar{u}_2'^{-1},\ \bar{u}_3' b \bar{u}_3'^{-1}) \\ \wedge\ (U', \bar{U}', h_5') \neq (U, \bar{U}, h_5) \ \wedge\ \mathrm{HF}^{k,\mathcal{G}'}_{hk}(U', \bar{U}', h_5') = \mathrm{HF}^{k,\mathcal{G}'}_{hk}(U, \bar{U}, h_5) \end{array} \;\middle|\; \begin{array}{l} \mathcal{G} \leftarrow \mathrm{GGen}(1^k),\ hk \leftarrow_U \mathrm{KS}_{k,\mathcal{G}'},\ (u_2, u_3, \bar{u}_2, \bar{u}_3) \leftarrow_U G^4,\ h_5 \leftarrow_U \langle g_1 \rangle, \\ U = (u_2 g_2 u_2^{-1},\ u_3 g_3 u_3^{-1}),\ \bar{U} = (\bar{u}_2 a \bar{u}_2^{-1},\ \bar{u}_3 b \bar{u}_3^{-1}),\ (U', \bar{U}', h_5') \leftarrow A(1^k, \mathcal{G}', hk, U, \bar{U}, h_5) \end{array}\right]$$

    is negligible in $k$, where $\mathcal{G}' = (\mathcal{G}_0, S, \bar{S})$ with $\mathcal{G}_0 = (G, p_1, p_2, g_1)$, $S = (g_2, g_3)$, and $\bar{S} = (a, b) = (g_2^{a_2} g_3^{a_3}, g_2^{b_2} g_3^{b_3})$.

3.2 Description of our protocol

We now propose our protocol $\Sigma = (\mathrm{KGen}, \mathrm{Enc}, \mathrm{Dec})$.

The key generation algorithm $\mathrm{KGen}$. On input $1^k$, execute the following steps:

  K1. Execute $\mathrm{GGen}(1^k)$, and obtain a tuple $\mathcal{G} = (\mathcal{G}_0, S, a_2, a_3, b_2, b_3)$, where $\mathcal{G}_0 = (G, p_1, p_2, g_1)$ and $S = (g_2, g_3)$.

  K2. Independently and uniformly choose tuples $(x_{i1}, x_{i2}, x_{i3}),\ (y_{i1}, y_{i2}, y_{i3}),\ (z_{i1}, z_{i2}, z_{i3}) \in \mathbb{Z}_{p_1} \times \mathbb{Z}_{p_2}^2$ for $i = 1, 2$, and set

    $$\begin{array}{lll} w_{x_1}(T) = [t_2, t_3]^{x_{11}} t_2^{x_{12}} t_3^{x_{13}}, & w_{y_1}(T) = [t_2, t_3]^{y_{11}} t_2^{y_{12}} t_3^{y_{13}}, & w_{z_1}(T) = [t_2, t_3]^{z_{11}} t_2^{z_{12}} t_3^{z_{13}}, \\ w_{x_2}(\bar{T}) = [\bar{t}_2, \bar{t}_3]^{x_{21}} \bar{t}_2^{\,x_{22}} \bar{t}_3^{\,x_{23}}, & w_{y_2}(\bar{T}) = [\bar{t}_2, \bar{t}_3]^{y_{21}} \bar{t}_2^{\,y_{22}} \bar{t}_3^{\,y_{23}}, & w_{z_2}(\bar{T}) = [\bar{t}_2, \bar{t}_3]^{z_{21}} \bar{t}_2^{\,z_{22}} \bar{t}_3^{\,z_{23}}. \end{array}$$

  K3. Compute $\bar{S} = (a, b) = (g_2^{a_2} g_3^{a_3}, g_2^{b_2} g_3^{b_3})$.

  K4. Compute $x_1 = w_{x_1}(S)$, $y_1 = w_{y_1}(S)$, $z_1 = w_{z_1}(S)$, $x_2 = w_{x_2}(\bar{S})$, $y_2 = w_{y_2}(\bar{S})$, and $z_2 = w_{z_2}(\bar{S})$, and set $X = x_1 x_2 S x_2^{-1} x_1^{-1}$, $Y = y_1 y_2 S y_2^{-1} y_1^{-1}$, and $Z = z_1 z_2 S z_2^{-1} z_1^{-1}$. Explicitly,

    $$x_1 = [g_2, g_3]^{x_{11}} g_2^{x_{12}} g_3^{x_{13}}, \quad x_2 = [g_2^{a_2} g_3^{a_3}, g_2^{b_2} g_3^{b_3}]^{x_{21}} (g_2^{a_2} g_3^{a_3})^{x_{22}} (g_2^{b_2} g_3^{b_3})^{x_{23}}, \quad X = (x_1 x_2 g_2 x_2^{-1} x_1^{-1},\ x_1 x_2 g_3 x_2^{-1} x_1^{-1}),$$

    for instance.

  K5. Uniformly choose a key $hk \in \mathrm{KS}_{k,\mathcal{G}'}$, where $\mathcal{G}' = (\mathcal{G}_0, S, \bar{S})$.

  K6. Output $pk = (1^k, \mathcal{G}_0, S, \bar{S}, X, Y, Z, hk)$ as a public key and

    $$sk = (x_1, x_2, y_1, y_2, z_1, z_2, w_{x_1}, w_{x_2}, w_{y_1}, w_{y_2}, w_{z_1}, w_{z_2})$$

    as a secret key.

The encryption algorithm $\mathrm{Enc}$. Given a message $m \in \langle g_1 \rangle$ and a public key $pk$, execute the following steps:

  E1. Independently and uniformly choose a tuple $(r_{01}, r_{02}, r_{03}) \in \mathbb{Z}_{p_1} \times \mathbb{Z}_{p_2}^2$, and set

    $$w_{r_0}(T) = [t_2, t_3]^{r_{01}} t_2^{r_{02}} t_3^{r_{03}}.$$

  E2. Compute $r_0 = w_{r_0}(S)$, and set $R = r_0 S r_0^{-1}$ and $\bar{R} = r_0 \bar{S} r_0^{-1}$.

  E3. Compute $c = m\, r_0\, w_{r_0}(Z)^{-1}$.

  E4. Compute $v = \mathrm{HF}^{k,\mathcal{G}'}_{hk}(R, \bar{R}, c)$, where $\mathcal{G}' = (\mathcal{G}_0, S, \bar{S})$.

  E5. Compute $d_1 = r_0\, w_{r_0}(X)^{-1}$, $d_2 = r_0\, w_{r_0}(Y)^{-1}$, and $d = d_1 d_2^{\,v}$.

  E6. Output $C = (R, \bar{R}, c, d)$ as a ciphertext.

The decryption algorithm $\mathrm{Dec}$. Given a ciphertext $C$, the public key $pk$, and the secret key $sk$, execute the following steps:

  D1. Check whether or not $C$ satisfies the following conditions:

    (a) $C$ can be parsed as a tuple $C = (R, \bar{R}, c, d)$ belonging to $G^6$; and

    (b) $R = (r_{g_2}, r_{g_3}) = (r_2 g_2 r_2^{-1}, r_3 g_3 r_3^{-1})$ and $\bar{R} = (\bar{r}_a, \bar{r}_b) = (\bar{r}_2 a \bar{r}_2^{-1}, \bar{r}_3 b \bar{r}_3^{-1})$ hold for some $r_2, r_3, \bar{r}_2, \bar{r}_3 \in G$.

    If this is not the case, then output $\bot$ and abort.

  D2. Compute $v = \mathrm{HF}^{k,\mathcal{G}'}_{hk}(R, \bar{R}, c)$.

  D3. Compute $d_1' = w_{x_1}(R)\, w_{x_2}(\bar{R})\, x_2^{-1} x_1^{-1}$ and $d_2' = w_{y_1}(R)\, w_{y_2}(\bar{R})\, y_2^{-1} y_1^{-1}$.

  D4. Check whether or not $d = d_1' (d_2')^{v}$ holds. If this is not the case, then output $\bot$ and abort.

  D5. Compute $m = c\, z_1 z_2\, w_{z_2}(\bar{R})^{-1} w_{z_1}(R)^{-1}$, and output $m$.

We should make a few remarks on these algorithms. Proposition 3.2, proved in Appendix A.3, states that the elements $x_i$, $y_i$, $z_i$, and $r_0$ computed in the algorithms $\mathrm{KGen}$ and $\mathrm{Enc}$ are uniformly distributed over $G$.

Proposition 3.2

Let $\bar{S} = (a, b) = (g_2^{a_2} g_3^{a_3}, g_2^{b_2} g_3^{b_3})$ be the pair computed in Step K3 of $\mathrm{KGen}$. Then, the two probability distributions

$$\{\, [g_2, g_3]^{l_1} g_2^{l_2} g_3^{l_3} \mid l_1 \leftarrow_U \mathbb{Z}_{p_1},\ (l_2, l_3) \leftarrow_U \mathbb{Z}_{p_2}^2 \,\}$$

and

$$\{\, [a, b]^{l_1} a^{l_2} b^{l_3} \mid l_1 \leftarrow_U \mathbb{Z}_{p_1},\ (l_2, l_3) \leftarrow_U \mathbb{Z}_{p_2}^2 \,\}$$

are uniform over $G$.

For $g \in G$, let $\mathrm{Orb}(g) = \{\, h g h^{-1} \mid h \in G \,\}$ denote the conjugacy class of $g$. The proof of the following proposition is given in Appendix A.4.

Proposition 3.3

Assume that $g_1 (g_2^{l_2} g_3^{l_3}) g_1^{-1} \neq g_2^{l_2} g_3^{l_3}$. Then, one has

$$\mathrm{Orb}(g_2^{l_2} g_3^{l_3}) = \{\, g_1^{l_1} g_2^{l_2} g_3^{l_3} \mid l_1 \in \mathbb{Z}_{p_1} \,\}.$$

In particular, $g\, (g_2^{l_2} g_3^{l_3})^{-1} \in \langle g_1 \rangle$ holds for any $g \in \mathrm{Orb}(g_2^{l_2} g_3^{l_3})$.

It follows from Proposition 3.3, together with condition (3.6), that one can efficiently check condition (b) of Step D1 in the algorithm $\mathrm{Dec}$ by the following steps:

  1. Compute $r_{g_2} g_2^{-1}$, $r_{g_3} g_3^{-1}$, $\bar{r}_a a^{-1}$, and $\bar{r}_b b^{-1}$.

  2. Conclude that condition (b) holds if and only if $(r_{g_2} g_2^{-1})^{p_1} = (r_{g_3} g_3^{-1})^{p_1} = (\bar{r}_a a^{-1})^{p_1} = (\bar{r}_b b^{-1})^{p_1} = e$.

In the encryption algorithm $\mathrm{Enc}$, the message space is the cyclic subgroup $\langle g_1 \rangle$, not the entire group $G$. We explain the reason in the last paragraph of Section 3.4.

3.3 Cryptographic assumptions

In order to demonstrate the security of our protocol, we need a cryptographic assumption called the simultaneous decisional conjugacy (SDC) assumption, which is a variant of the decisional conjugacy assumption.

For $k \in \mathbb{N}$, we define two probability distributions: one is

$$\mathrm{SDC}_k = \{\, (1^k, \mathcal{G}', U, \bar{U}) \mid \mathcal{G} \leftarrow \mathrm{GGen}(1^k),\ u_0 \leftarrow_U G,\ U = u_0 S u_0^{-1},\ \bar{U} = u_0 \bar{S} u_0^{-1} \,\}$$

and the other is

$$\mathrm{SDC}'_k = \{\, (1^k, \mathcal{G}', U, \bar{U}) \mid \mathcal{G} \leftarrow \mathrm{GGen}(1^k),\ (u_2, u_3, \bar{u}_2, \bar{u}_3) \leftarrow_U G^4,\ U = (u_2 g_2 u_2^{-1},\ u_3 g_3 u_3^{-1}),\ \bar{U} = (\bar{u}_2 a \bar{u}_2^{-1},\ \bar{u}_3 b \bar{u}_3^{-1}) \,\},$$

where $\mathcal{G}' = (\mathcal{G}_0, S, \bar{S})$ with $\mathcal{G}_0 = (G, p_1, p_2, g_1)$, $S = (g_2, g_3)$, and $\bar{S} = (a, b) = (g_2^{a_2} g_3^{a_3}, g_2^{b_2} g_3^{b_3})$. For any probabilistic algorithm $A$, we set

$$\mathrm{Adv}^{\mathrm{SDC}}_{A}(k) = \Big|\, \Pr[\, 1 \leftarrow A(\eta_k) \mid \eta_k \leftarrow \mathrm{SDC}_k \,] - \Pr[\, 1 \leftarrow A(\eta_k) \mid \eta_k \leftarrow \mathrm{SDC}'_k \,] \,\Big| .$$

We say that the SDC assumption holds for $\mathrm{GGen}$ if the function $\mathrm{Adv}^{\mathrm{SDC}}_{A}(k)$ is negligible in $k$ for any PPT algorithm $A$.

3.4 Main theorem

We state our main theorem. Let us define the security notion through a hypothetical security game for the protocol. An adaptive chosen ciphertext attack (CCA) game for an encryption protocol $\Sigma$ is a hypothetical game between a probabilistic algorithm $A$ (with oracle tape), called an adversary, and a challenger $\mathcal{C}$, which is described as follows.

Initialization phase: The challenger $\mathcal{C}$ executes $\mathrm{KGen}$ on input $1^k$ and obtains a public key $pk$ and a secret key $sk$. Then, $\mathcal{C}$ sends $pk$ to $A$.

Query phase I (probing): The adversary $A$ is allowed to interact with a decryption oracle. Whenever $A$ sends a query $C$ to the decryption oracle, the oracle executes $\mathrm{Dec}(C, pk, sk)$ and returns the output $m$ to $A$. Note that the query $C$ need not be a legitimate ciphertext. If the execution of $\mathrm{Dec}(C, pk, sk)$ aborts with no output, the oracle returns the special symbol $\bot$.

Challenge phase: The adversary $A$ chooses two distinct messages $m_0$ and $m_1$ and sends them to $\mathcal{C}$. Then, $\mathcal{C}$ uniformly chooses $\mu \in \{0, 1\}$ and returns $C^* = \mathrm{Enc}(m_\mu, pk)$ to $A$ as the challenge ciphertext.

Query phase II (guessing): The adversary’s goal is to guess correctly the value $\mu$ that $\mathcal{C}$ has chosen. The adversary $A$ can still interact with the decryption oracle, except that $A$ is not allowed to query the challenge ciphertext $C^*$.

Guess phase: The adversary $A$ outputs a bit $\mu' \in \{0, 1\}$ and halts.

We define the advantage of the adversary $A$ against $\Sigma$ in indistinguishability by

$$\mathrm{Adv}^{\mathrm{CCA}}_{\Sigma, A}(k) = \Big|\, \Pr[\mu' = \mu] - \tfrac{1}{2} \,\Big| .$$

The protocol $\Sigma$ is said to be IND-CCA secure if $\mathrm{Adv}^{\mathrm{CCA}}_{\Sigma, A}(k)$ is negligible in $k$ for any PPT adversary $A$.

We are now ready to state our main result.

Theorem

If the SDC assumption holds for $\mathrm{GGen}$ and condition (H) holds for the hashing family $\mathrm{HF}$, then the proposed protocol $\Sigma$ is IND-CCA secure. Explicitly, for any PPT adversary $A$, there are PPT algorithms $\mathcal{B}_1$ and $\mathcal{B}_2$, together with negligible functions $\nu_1$ and $\nu_2$, such that

$$\mathrm{Adv}^{\mathrm{CCA}}_{\Sigma, A}(k) \;\leq\; \mathrm{Adv}^{\mathrm{SDC}}_{\mathcal{B}_1}(k) + 2\, \mathrm{Adv}^{\mathrm{TCR}}_{\mathcal{B}_2}(k) + \nu_1(k) + q_A(k)\, \nu_2(k),$$

where $q_A$ is a polynomial such that $A$ makes at most $q_A(k)$ oracle queries during the game.

It should be noted that the theorem would not hold if the message space of the proposed protocol $\Sigma$ were the entire group $G$. In fact, for any message pair $(m_0, m_1)$ with $m_0 m_1^{-1} \notin \langle g_1 \rangle$ and any challenge $C^* = \mathrm{Enc}(m_\mu, pk)$ on them, the adversary can guess $\mu$ correctly by applying the algorithm described just after Proposition 3.3 to the component $c$ of $C^*$: it checks which of $c\, m_0^{-1}$ and $c\, m_1^{-1}$ lies in $\langle g_1 \rangle$.
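As an added worked example that is not part of the paper, the following Python program instantiates the group $G = (\langle g_1 \rangle \rtimes \langle g_2 \rangle) \rtimes \langle g_3 \rangle$ of Section 2.1 with toy parameters ($p_1 = 31$, $p_2 = 5$, $\alpha = 2$, $\beta = 4$, $\gamma = 3$, which satisfy (3.1)–(3.3) but are far too small for security), evaluates the words of Section 2.2, runs $\mathrm{KGen}$, $\mathrm{Enc}$, and $\mathrm{Dec}$ of Section 3.2 including the membership check derived from Proposition 3.3, and carries out the distinguishing attack of the preceding paragraph when the message space is widened beyond $\langle g_1 \rangle$. The group law is derived from relations (2.2) alone. The hash family $\mathrm{HF}$, which the paper does not instantiate, is replaced by keyed SHA-256 reduced modulo $p_1$; that stand-in, the parameter values, and all function names are this example's own assumptions.

```python
import hashlib, secrets

# Toy parameters (assumed, far too small for security): p2 | p1 - 1, and
# alpha, beta of order p2 in Z_{p1}^x with gamma != 0, as in Proposition 2.1.
P1, P2, ALPHA, BETA, GAMMA = 31, 5, 2, 4, 3

def geom(x, n):
    """1 + x + ... + x^(n-1) mod p1; well defined for n mod p2 since x^p2 = 1."""
    return sum(pow(x, t, P1) for t in range(n)) % P1

class El(tuple):
    """Group element in normal form g1^i g2^j g3^k, stored as (i, j, k) with
    i mod p1 and j, k mod p2.  The product below is derived only from (2.2):
    g2 g1 g2^-1 = g1^alpha, g3 g1 g3^-1 = g1^beta, g3 g2 g3^-1 = g1^gamma g2."""
    def __new__(cls, i, j, k):
        return super().__new__(cls, (i % P1, j % P2, k % P2))
    def __mul__(self, o):
        i, j, k = self
        i2, j2, k2 = o
        ck = GAMMA * geom(BETA, k)                  # g3^k g2 g3^-k = g1^ck g2
        inner = (i2 * pow(BETA, k, P1) + ck * geom(ALPHA, j2)) % P1
        return El(i + pow(ALPHA, j, P1) * inner, j + j2, k + k2)
    def __pow__(self, n):
        r, b, n = E, self, n % (P1 * P2 * P2)       # g^|G| = e, so n < 0 is fine
        while n:
            if n & 1:
                r = r * b
            b, n = b * b, n >> 1
        return r
    def inv(self):
        return self ** -1

E, G1, G2, G3 = El(0, 0, 0), El(1, 0, 0), El(0, 1, 0), El(0, 0, 1)

def comm(a, b):
    return a * b * a.inv() * b.inv()

def conj(g, S):
    return tuple(g * s * g.inv() for s in S)      # g S g^-1 componentwise

def word(n, S):
    """w(S) = [s2, s3]^n1 s2^n2 s3^n3, the only word shape used (Section 2.2)."""
    return comm(*S) ** n[0] * S[0] ** n[1] * S[1] ** n[2]

def rand_word():
    return (secrets.randbelow(P1), secrets.randbelow(P2), secrets.randbelow(P2))

def in_g1(x):
    return x ** P1 == E                          # Prop. 3.3 test: x in <g1> iff x^p1 = e

def hf(hk, *elems):
    """HF_hk: G^5 -> Z_{p1}.  Keyed SHA-256 is an assumed stand-in for HF."""
    return int.from_bytes(hashlib.sha256(hk + repr(elems).encode()).digest(), "big") % P1

def ggen():
    """GGen': resample (a2, a3, b2, b3) until (3.4)-(3.6) hold; publish only Sbar."""
    while True:
        a2, a3, b2, b3 = (secrets.randbelow(P2) for _ in range(4))
        a, b = G2 ** a2 * G3 ** a3, G2 ** b2 * G3 ** b3
        if ((a2 * b3 - a3 * b2) % P2 and comm(a, b) != E
                and G1 * a * G1.inv() != a and G1 * b * G1.inv() != b):
            return (G2, G3), (a, b)

def kgen():
    S, Sbar = ggen()
    sk, pub = {}, {}
    for name in "xyz":                           # steps K2-K4 for x, y and z
        w1, w2 = rand_word(), rand_word()
        e1, e2 = word(w1, S), word(w2, Sbar)     # x1 = w_x1(S), x2 = w_x2(Sbar)
        sk[name] = (w1, w2, e1, e2)
        pub[name] = conj(e1 * e2, S)             # X = x1 x2 S x2^-1 x1^-1
    return (S, Sbar, pub, secrets.token_bytes(16)), sk

def enc(pk, m):
    S, Sbar, pub, hk = pk
    w = rand_word()
    r0 = word(w, S)
    R, Rbar = conj(r0, S), conj(r0, Sbar)
    c = m * r0 * word(w, pub["z"]).inv()
    v = hf(hk, *R, *Rbar, c)
    d1, d2 = r0 * word(w, pub["x"]).inv(), r0 * word(w, pub["y"]).inv()
    return R, Rbar, c, d1 * d2 ** v

def dec(pk, sk, C):
    S, Sbar, _, hk = pk
    R, Rbar, c, d = C
    if not all(in_g1(u * s.inv()) for u, s in zip(R + Rbar, S + Sbar)):
        return None                              # step D1(b) fails: reject
    v = hf(hk, *R, *Rbar, c)
    def dprime(name):                            # w_1(R) w_2(Rbar) e2^-1 e1^-1
        w1, w2, e1, e2 = sk[name]
        return word(w1, R) * word(w2, Rbar) * e2.inv() * e1.inv()
    if d != dprime("x") * dprime("y") ** v:
        return None                              # step D4 fails: reject
    w1, w2, z1, z2 = sk["z"]
    return c * z1 * z2 * word(w2, Rbar).inv() * word(w1, R).inv()

def guess_outside_g1(C, m0, m1):
    """Attack from the remark after the theorem: c = m [r0, z1 z2] and every
    commutator lies in <g1> (G/<g1> has order p2^2), so c<g1> = m<g1>.  If
    m0 m1^-1 is outside <g1>, the Prop. 3.3 test reveals mu with no key."""
    return 0 if in_g1(C[2] * m0.inv()) else 1
```

Because $G/\langle g_1 \rangle$ has order $p_2^2$ and is therefore abelian, every commutator of $G$ lies in $\langle g_1 \rangle$; the ciphertext component $c = m\,[r_0, z_1 z_2]$ thus leaks the coset $m\langle g_1 \rangle$. That is exactly why the message space is $\langle g_1 \rangle$: for $m_0, m_1 \in \langle g_1 \rangle$ the test in `guess_outside_g1` always succeeds and so reveals nothing, while a pair with $m_0 m_1^{-1} \notin \langle g_1 \rangle$ is distinguished without the secret key and without touching $d$.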

4 Proof of main theorem

In this section, we give the proof of the main theorem. Consider any PPT adversary $A$. Let $\mathbf{G}_0$ be the original CCA game for $\Sigma$ between $A$ and the challenger $\mathcal{C}$, and let $T_0$ denote the event that $\mu' = \mu$ holds in Game $\mathbf{G}_0$. Then, we see that

$$(4.1)\qquad \mathrm{Adv}^{\mathrm{CCA}}_{\Sigma, A}(k) = \Big|\, \Pr[T_0] - \tfrac{1}{2} \,\Big| .$$

We have to prove that this advantage $\mathrm{Adv}^{\mathrm{CCA}}_{\Sigma, A}(k)$ is negligible in $k$.

Let $\mathcal{G} = (\mathcal{G}_0, S, a_2, a_3, b_2, b_3)$ be obtained by executing $\mathrm{GGen}(1^k)$ in the Initialization phase of the game, where $\mathcal{G}_0 = (G, p_1, p_2, g_1)$ and $S = (g_2, g_3)$. We keep the notation used in the description of the algorithms $\mathrm{KGen}$, $\mathrm{Enc}$, and $\mathrm{Dec}$ in Section 3.2. We define a sequence $\mathbf{G}_1, \mathbf{G}_2, \mathbf{G}_2', \mathbf{G}_2'', \mathbf{G}_3, \mathbf{G}_4, \mathbf{G}_5$ of games, where each game is a slight modification of the previous one. We prove that the advantage $\mathrm{Adv}^{\mathrm{CCA}}_{\Sigma, A}(k)$ is negligible through several lemmas on those games. In order to show the lemmas, we need several propositions, whose proofs are given in Appendix A.

Let $T_i$ denote the event that $\mu' = \mu$ holds in Game $\mathbf{G}_i$.

Game $\mathbf{G}_1$. We replace Steps E3 and E5 of the encryption process in the Challenge phase, that is, Steps E3 and E5 of the encryption algorithm are replaced by the following Steps E3′ and E5′, respectively:

  E3′. Compute $c = m_\mu\, w_{z_1}(R)\, w_{z_2}(\bar{R})\, z_2^{-1} z_1^{-1}$ in place of computing $c = m_\mu\, r_0\, w_{r_0}(Z)^{-1}$.

  E5′. Compute $d_1 = w_{x_1}(R)\, w_{x_2}(\bar{R})\, x_2^{-1} x_1^{-1}$, $d_2 = w_{y_1}(R)\, w_{y_2}(\bar{R})\, y_2^{-1} y_1^{-1}$, and $d = d_1 d_2^{\,v}$, in place of computing $d_1 = r_0\, w_{r_0}(X)^{-1}$, $d_2 = r_0\, w_{r_0}(Y)^{-1}$, and $d = d_1 d_2^{\,v}$.

Namely, in Game $\mathbf{G}_1$, the challenger $\mathcal{C}$ uses the secret key, in place of the public key, to encrypt the message $m_\mu$. Since the message is correctly encrypted even in this situation, we have the following lemma:

Lemma 4.1

$\Pr[T_0] = \Pr[T_1]$.

Proof

It suffices to show that the values $c$, $d_1$, and $d_2$ computed in Game $\mathbf{G}_0$ are identical to those in Game $\mathbf{G}_1$, which means that the adversary’s view is identical in both games. In both Games $\mathbf{G}_0$ and $\mathbf{G}_1$, we have $z_1 = w_{z_1}(S)$, $z_2 = w_{z_2}(\bar{S})$, $Z = z_1 z_2 S z_2^{-1} z_1^{-1}$, and $r_0 = w_{r_0}(S)$. Furthermore, in both games, we have $w_{r_0}(T) = [t_2, t_3]^{r_{01}} t_2^{r_{02}} t_3^{r_{03}}$, $r_0 = w_{r_0}(S)$, $R = r_0 S r_0^{-1}$, and $\bar{R} = r_0 \bar{S} r_0^{-1}$. By Proposition 2.2, the value $c$ for the plaintext $m_\mu$ in Step E3′ of Game $\mathbf{G}_1$ is

$$\begin{aligned} m_\mu\, w_{z_1}(R)\, w_{z_2}(\bar{R})\, z_2^{-1} z_1^{-1} &= m_\mu\, r_0\, w_{z_1}(S)\, r_0^{-1}\, r_0\, w_{z_2}(\bar{S})\, r_0^{-1}\, z_2^{-1} z_1^{-1} \\ &= m_\mu\, r_0\, z_1 z_2\, r_0^{-1}\, z_2^{-1} z_1^{-1} \\ &= m_\mu\, r_0\, (z_1 z_2\, r_0\, z_2^{-1} z_1^{-1})^{-1} \\ &= m_\mu\, r_0\, (z_1 z_2\, w_{r_0}(S)\, z_2^{-1} z_1^{-1})^{-1} \\ &= m_\mu\, r_0\, w_{r_0}(Z)^{-1} \end{aligned}$$

and is identical to the value of $c$ for $m_\mu$ in Step E3 of Game $\mathbf{G}_0$. In a similar manner, one can observe that the values $d_1$ and $d_2$ in Step E5′ of Game $\mathbf{G}_1$ are $w_{x_1}(R)$