
Simple and Efficient Threshold Cryptosystem from the Gap Diffie-Hellman Group

Joonsang Baek and Yuliang Zheng

Abstract

In this paper, we construct a new threshold cryptosystem from the Gap Diffie-Hellman (GDH) group. The proposed scheme enjoys all the most important properties that a robust and practical threshold cryptosystem should possess: it is non-interactive, computationally efficient and provably secure against adaptive chosen ciphertext attacks. In addition, thanks to the elegant structure of the GDH group, the proposed threshold cryptosystem has shorter decryption shares as well as shorter ciphertexts than other schemes proposed in the literature.
1 Introduction

1.1 Threshold Cryptosystems

It is sometimes dangerous to give one person all the power of signing or decrypting in the use of public key cryptography. A natural way of mitigating this kind of risk is to share a secret among a group of users so that the power of signing or decrypting is distributed; this motivated the introduction of threshold cryptography. Over the past decade, threshold cryptography has been realized by various concrete schemes, both for digital signatures and for public key encryption. In this work, we focus on the latter and, where no confusion arises, simply refer to it as a threshold cryptosystem.

Although there had been several proposals, it was not until Shoup and Gennaro's work [34] that the security notion for threshold cryptosystems, namely security against adaptive chosen ciphertext attack, was fully formalized and robust threshold cryptosystems were proposed. Since their work, there have been a number of advancements in the research into threshold cryptosystems. However, many of the proposed solutions are complex and inefficient in terms of computation and communication overheads. As a result, it remains a challenge to design a simple yet efficient threshold cryptosystem that is provably secure against adaptive chosen ciphertext attack.

In this paper, we take up the challenge with the aim of further advancing this line of research. We achieve our goal, namely to design a simple, secure and efficient threshold cryptosystem, by taking advantage of an emerging technique that uses a group of points on certain elliptic curves with a special property.
1.2 Related work

A concrete construction of a threshold cryptosystem based on ElGamal encryption [15] goes back to Desmedt and Frankel's work [14] in 1989. Later, De Santis et al. [13] proposed a threshold cryptosystem based on the RSA problem [29]. However, the problem with such schemes is that they appear to be secure against chosen plaintext attack but are not known to be secure against adaptive chosen ciphertext attack.

In 1993, Lim and Lee [22] made an important observation on the security of threshold cryptosystems: they observed that it is difficult to build a threshold cryptosystem withstanding chosen ciphertext attack without making it publicly checkable. We discuss Lim and Lee's observation further in Section 2.1.

As mentioned in the preceding section, Shoup and Gennaro [34] first formalized security notions for threshold cryptosystems, proposed two practical schemes and proved their schemes secure against adaptive chosen ciphertext attack in the random oracle model [6]. Their first intention might have been to add a non-interactive zero-knowledge proof of knowledge of a discrete logarithm, similar to the Schnorr signature, to construct a publicly checkable cryptosystem as Tsiounis and Yung did in [36]. But they realized that it is difficult to prove such schemes secure against adaptive chosen ciphertext attack even in the random oracle model, due to the exponential blow-up in running time caused by rewinding the attacker to extract the knowledge (for a more detailed explanation, readers are referred to [35]). They finally used a non-interactive zero-knowledge proof of membership to fix the problem, but this made the schemes somewhat less efficient computationally and expanded the ciphertext.

After Shoup and Gennaro's work, Canetti and Goldwasser [10] proposed a threshold encryption scheme derived from Cramer and Shoup's public key cryptosystem [12], which is provably secure against adaptive chosen ciphertext attack without depending on the random oracle model. Even though Cramer and Shoup's scheme [12] is not publicly checkable, they used the algebraic property of the scheme that the receiver can check the validity of a ciphertext using one part of the private key before decrypting the ciphertext using the second part of the private key. However, the problem with their approach is that the servers must keep a large number of pre-shared secrets.

More recently, Fouque and Pointcheval [16] proposed a generic method to convert any public key cryptosystem that is semantically secure [20] against chosen plaintext attack into a threshold scheme secure against adaptive chosen ciphertext attack in the random oracle model. They observed that Naor and Yung's twin-encryption technique [24] together with the random oracle can yield an efficient non-interactive zero-knowledge proof of membership, from which threshold cryptosystems can be constructed. The main advantage of Fouque and Pointcheval's scheme is its generic nature, which allows it to be applied to various computational primitives such as integer factorization, but it is still complex and less efficient in terms of computation and communication overheads.

Now we briefly review some related work concerning the use of the Gap Diffie-Hellman (GDH) group, which is discussed in more detail in the next section.

In [8], Boneh and Franklin mentioned that the Private Key Generator (PKG) in their identity-based encryption scheme can be distributed using the techniques of threshold cryptography. This only holds in the identity-based setting and hence differs from our scheme, which is for the normal public key setting. Another difference is that our scheme is publicly checkable whereas the schemes in [8] are not. Nevertheless, we remark that they did mention exploiting the ease of solving the Decisional Diffie-Hellman (DDH) problem in the group on which their identity-based encryption scheme is based, which plays a central role in our threshold cryptosystem too.

Other related works in this line of research include Boneh et al.'s short signature scheme [9], Lysyanskaya's unique signature scheme [23] and, more recently, Boldyreva's construction of various signature schemes based on Boneh et al.'s short signature scheme, all of which rely on the property of the GDH group. However, until the present work, a threshold cryptosystem on the GDH group had not yet emerged.
1.3 Gap Diffie-Hellman groups

Informally, the DDH problem is, given $(P, aP, bP, cP) \in \mathcal{G}^4$, where $\mathcal{G} = \langle P \rangle$ is a group of prime order $q$ and $a, b, c$ are chosen uniformly at random from $\mathbb{Z}_q^*$, to decide whether $c = ab$. The CDH problem, on the other hand, is to compute $abP$ given $(P, aP, bP)$. (Throughout this paper, the operation in $\mathcal{G}$ is written additively, as $+$.)

The group $\mathcal{G}$ is called a GDH group if there exists an efficient algorithm for solving the DDH problem but no polynomial-time (in $|q|$) algorithm for solving the CDH problem. The first example of such a group was given by Joux and Nguyen [21], who used the bilinear map on certain elliptic curves to construct such groups. We review this in more detail as follows.

First, we briefly review the bilinear map. Let $p$ be a prime and let $E$ be an elliptic curve over $\mathbb{F}_{p^n}$ for some positive integer $n$. Let $E[q]$ be the $q$-torsion subgroup of $E$, that is, $E[q] = \{P \in E \mid qP = O\}$, where $q$ is a prime. The Weil (or Tate) pairing is a map $e : E[q] \times E[q] \to \mathbb{F}^*_{p^{n\alpha}}$, where $\alpha$, called the multiplier, is the least positive integer such that $q \mid p^{n\alpha} - 1$, with the following properties.

- Identity: For all $R \in E[q]$, $e(R, R) = 1$.
- Bilinear: For all $R_1, R_2 \in E[q]$ and $a, b \in \mathbb{Z}$, $e(aR_1, bR_2) = e(R_1, R_2)^{ab}$.
- Non-degenerate: If $e(R, R') = 1$ for all $R' \in E[q]$, then $R = O$.
- Computable: For all $R_1, R_2 \in E[q]$, the pairing $e(R_1, R_2)$ is efficiently computable.

Suppose that $q$ divides $\#E(\mathbb{F}_{p^n})$ with a small cofactor. Suppose also that we have a non-$\mathbb{F}_{p^n}$-rational map $\phi : E \to E$. Then $\mathcal{G} \stackrel{\mathrm{def}}{=} E(\mathbb{F}_{p^n})[q]$ is a group on which a non-degenerate and efficiently computable bilinear map $\hat{e} : \mathcal{G} \times \mathcal{G} \to \mathbb{F}^*_{p^{n\alpha}}$ exists; it is called the modified Weil pairing [8]. Note that $\hat{e}$ is defined by $\hat{e}(P, Q) = e(P, \phi(Q))$. (The identity property above is exactly why $\phi$ is needed: on a cyclic group the unmodified pairing would satisfy $e(P, P) = 1$ and carry no information.)

The group $\mathcal{G}$ constructed above satisfies the property of a GDH group, namely the DDH problem is easy but the CDH problem is still hard. We briefly describe how the DDH problem is solved. Suppose we have a tuple $(P, aP, bP, cP)$, where $a, b, c \in \mathbb{Z}_q^*$. The pairing provides an efficient algorithm for determining whether $c = ab$: check whether
$$\hat{e}(P, cP) = \hat{e}(aP, bP).$$
By bilinearity this holds if and only if $\hat{e}(P, P)^{c} = \hat{e}(P, P)^{ab}$, that is, if and only if $c \equiv ab \pmod q$, since $\hat{e}(P, P) \neq 1$ has order $q$.

On the one hand, it was bad news that the DDH assumption, a widely accepted computational primitive used in the security proofs of many cryptographic schemes, is in fact very strong. On the other hand, a new opportunity was created, since this special group can yield cryptographic schemes of useful structure.

In fact, cryptographic schemes based on the GDH group are emerging. Such schemes include Boneh et al.'s short signature scheme [9], Lysyanskaya's unique signature scheme [23] and, more recently, Boldyreva's construction of various signature schemes based on Boneh et al.'s short signature scheme.
2 Publicly Checkable Encryption Scheme from the GDH Group

2.1 Discussion on Publicly Checkable Encryption

It is common practice, when designing public key cryptosystems secure against chosen ciphertext attacks, to include a validity check on ciphertexts. However, in many public key cryptosystems, e.g., [1, 5, 6, 12, 17, 26, 27, 37], the validity check can be performed only if the verifier (or receiver) knows the private key. Only a few schemes are known to be publicly checkable, e.g., [2, 24, 35, 36]. But, as observed by Lim and Lee [22], publicly checkable cryptosystems are particularly useful for designing threshold cryptosystems. The main reason is that in a threshold cryptosystem the attacker obtains decryption shares as additional information, as well as decryptions of chosen ciphertexts, as illustrated more precisely in the following.

Imagine that, in a non-publicly checkable cryptosystem, the attacker slightly modifies a target ciphertext, say by flipping its least significant bit. Note that the trapdoor permutation part of the scheme in [6], or the ElGamal encryption part of the schemes in [1, 26, 37], does not change under this modification. Although the modified target ciphertext is in fact invalid, its validity is not known until all the (necessary) decryption shares have been gathered and combined. Before that decision is made, there is a good chance that the attacker has already gathered enough decryption shares to invert the trapdoor permutation part or the ElGamal encryption part of the target ciphertext, which makes the validity test useless.

In the schemes in [2, 24, 35, 36], public checkability is provided by non-interactive zero-knowledge proofs (of language membership [35] or of knowledge [2, 24, 36]) attached to ciphertexts. However, these zero-knowledge proofs make the schemes complex and computationally inefficient and, importantly, cause ciphertext-length expansion. Our publicly checkable encryption scheme presented below needs no non-interactive zero-knowledge proof, thanks to the special property of the GDH group on which the scheme is defined.

2.2 Description of the Scheme $\mathcal{PCCG}$

We describe our publicly checkable cryptosystem based on the GDH group, $\mathcal{PCCG} = (K, E, D)$. The formal definition and the security notion for a generic public key cryptosystem are given in Appendices A.1 and A.2, respectively.

Assume that the GDH group $\mathcal{G}$ of order $q$ and its generator $P$ are shared among the parties. Throughout this paper, we denote the GDH group by $\mathcal{G}$ and its bilinear map by $\hat{e}$.

We need two hash functions $G$ and $H$, modelled as random oracles:
$$G : \mathcal{G} \to \{0,1\}^l \quad \text{and} \quad H : \mathcal{G} \times \{0,1\}^l \to \mathcal{G}.$$

Now we describe the key generation, encryption and decryption algorithms, denoted by $K$, $E$ and $D$ respectively, as follows.

$K(k)$: On input a security parameter $k$, this algorithm picks $x$ uniformly at random from $\mathbb{Z}_q^*$ and computes $Y = xP$. The public key $pk$ is $Y$ and the private key $sk$ is $x$.

$E_{pk}(m)$: Given a plaintext message $m \in \{0,1\}^l$ and a random value $r$ chosen uniformly from $\mathbb{Z}_q^*$, it computes
$$U = rP, \quad V = G(rY) \oplus m \quad \text{and} \quad W = rH(U, V)$$
and outputs the ciphertext $C = (U, V, W)$.

$D_{sk}(C)$: Given a ciphertext $C = (U, V, W)$, it computes $H = H(U, V)$. If $\hat{e}(P, W) = \hat{e}(U, H)$, then the algorithm computes $m = G(xU) \oplus V$ and returns $m$; otherwise it returns Reject.

Note that the validity test uses only public information, so anyone, not just the holder of $x$, can reject a malformed ciphertext. A ciphertext passes the test exactly when $(P, U, H, W)$ is a Diffie-Hellman tuple, that is, when $W$ was computed with the same $r$ that produced $U$; in particular, altering any of $U$, $V$ or $W$ changes either $H(U, V)$ or the relation between $U$ and $W$, and is caught before any decryption work is done.
2.3 Security Analysis for the Scheme $\mathcal{PCCG}$

In this section, we prove that the scheme $\mathcal{PCCG}$ described in the previous section is secure against adaptive chosen ciphertext attack in the random oracle model, relative to the CDH problem on the GDH group $\mathcal{G}$.

For completeness, we formally define the CDH problem on the group $\mathcal{G}$ as follows.

Definition 1 (CDH) Let $\mathcal{G}$ denote the GDH group of prime order $q$ as defined above, and let $P$ be a generator of $\mathcal{G}$. Consider a probabilistic polynomial-time attacker $A_{CDH}$ that tries to compute $abP$, given $(P, aP, bP) \in \mathcal{G}^3$ for $a, b \in \mathbb{Z}_q^*$. We define the success of the attacker $A_{CDH}$ by the probability
$$\mathrm{Succ}^{CDH}(A_{CDH}) = \Pr[A_{CDH} \text{ outputs } abP].$$
We denote by $\mathrm{Succ}^{CDH}(t_{CDH})$ the maximal success probability $\mathrm{Succ}^{CDH}(A_{CDH})$ over all attackers whose running time is bounded by $t_{CDH}$.

Now we state the result of the security analysis of the scheme $\mathcal{PCCG}$.

Theorem 1 The scheme $\mathcal{PCCG}$ is secure against adaptive chosen ciphertext attack in the random oracle model, relative to the CDH problem on the group $\mathcal{G}$. More precisely,
$$\frac{1}{2}\,\mathrm{Succ}^{\text{IND-CCA}}_{\mathcal{PCCG}}(t_{CCA}, q_G, q_H, q_D) \le \mathrm{Succ}^{CDH}(t_{CDH}) + \frac{q_D + q_H q_D}{2^k},$$
where
$$t_{CDH} = t_{CCA} + (q_G + q_H)\,O(k^3) + q_G q_H q_D\,O(k^3).$$
Here, $q_G$, $q_H$ and $q_D$ denote the numbers of queries made by $A_{CCA}$ to the random oracles $G$ and $H$ and to the decryption oracle, respectively.

The full proof is given in Appendix B; here we briefly explain how to construct a decryption oracle simulator for the scheme $\mathcal{PCCG}$, which can extract the Diffie-Hellman key of the ElGamal encryption part by exploiting the validity test (checking whether $\hat{e}(P, W) = \hat{e}(U, H)$) in the scheme.

Let $C = (U, V, W) = (rP,\ G(rY) \oplus m,\ rH(U, V))$ be a decryption query made by the attacker, and assume that $C$ is legitimate. Suppose that the simulator sets
$$H \stackrel{\mathrm{def}}{=} H(U, V) = tY$$
for $t$ picked uniformly at random from $\mathbb{Z}_q^*$ (this is possible under the assumption that $H$ is modelled as a random oracle). Since $C$ is legitimate, $(P, U, H, W)$ must be a Diffie-Hellman tuple, which is publicly checkable by testing whether $\hat{e}(P, W) = \hat{e}(U, H)$. More precisely, we have
$$(P, U, H, W) = (P,\ rP,\ tY,\ r(tY)) = (P,\ rP,\ txP,\ rtxP).$$
Since $r, t, x \in \mathbb{Z}_q^*$, this is clearly a Diffie-Hellman tuple.

Because the simulator knows $t$, it can compute $(1/t)W = (1/t)(trY) = rY$, which is exactly the Diffie-Hellman key $rY$ that the simulator wanted to find. Once $rY$ is extracted, decryption of $C$ is straightforward: $m = G(rY) \oplus V$.

Two points deserve emphasis. First, the simulator never learns $r$ or $x$; it recovers $rY$ only because it chose $H(U, V)$ as a known multiple of $Y$. Second, the simulator can afford to answer every query this way because the validity test is public: a query whose $W$ is not $r$ times the programmed $H(U, V)$ fails $\hat{e}(P, W) = \hat{e}(U, H)$ and is rejected exactly as the real decryption oracle would reject it.
3 Threshold Cryptosystem from the GDH Group

3.1 Security Notion for Threshold Cryptosystems

In this section we review the basic definition of a $(t, n)$-threshold cryptosystem and its security notion against chosen ciphertext attack. The definitions reviewed in this section can be found in [35].

Definition 2 (Threshold Cryptosystem) In a threshold cryptosystem, we assume the existence of a trusted dealer who runs a key generation algorithm to output a public key and a verification key, and who distributes a share of the private key to each decryption server.

Given the public key, a sender encrypts a plaintext by running an encryption algorithm. Given the ciphertext, a receiver requests the decryption servers to generate their decryption shares. The receiver can check the validity of the shares by running a decryption share verification algorithm. When the receiver has collected valid decryption shares from at least $t$ servers, the ciphertext can be decrypted by running a share combining algorithm.

Below, we describe the above-mentioned algorithms in detail.

- A randomized key generation algorithm $K(k, n, t)$ which, on input a security parameter $k$, the number $n$ of decryption servers and the threshold parameter $t$, generates $(pk, vk, sk)$, where $pk$ is the public key, $vk$ is the verification key and $sk = (sk_1, sk_2, \ldots, sk_n)$ is the list of private keys.
- A randomized encryption algorithm $E_{pk}(m)$ which, on input the public key $pk$ and a plaintext $m$, outputs a ciphertext $C$.
- A decryption share generation algorithm $D_{sk_i}(C)$ which, on input a private key $sk_i$ and a ciphertext $C$, outputs a decryption share $D_i$.
- A decryption share verification algorithm $V_{vk}(C, D_i)$ which, on input the verification key $vk$, a ciphertext $C$ and a decryption share $D_i$, outputs valid or invalid.
- A share combining algorithm $SC_{vk}(C, \{D_i\}_{i \in \Lambda})$ which, on input the verification key $vk$, a ciphertext $C$ and a set of decryption shares $\{D_i\}_{i \in \Lambda}$, outputs a plaintext $m$. Here, the cardinality of $\Lambda$ is at least $t$ (the threshold parameter). Note that the combining algorithm is allowed to output a symbol $?$, which is distinct from all possible plaintexts.

Definition 3 (THD-IND-CCA) Now we review the semantic security notion against adaptive chosen ciphertext attack for threshold cryptosystems, which we call THD-IND-CCA, given in [35]. Consider an attacker $A_{CCA}$ in the following game, which consists of several stages.

Corrupt: $A_{CCA}$ corrupts a fixed subset of $t - 1$ servers.

Setup: The key generation algorithm is run on input a security parameter $k$. The private keys of the corrupted servers, the public key and the verification key (all of which are output by the key generation algorithm) are given to $A_{CCA}$. However, the private keys of the uncorrupted servers are kept secret from $A_{CCA}$.

Phase 1: $A_{CCA}$ adaptively interacts with the uncorrupted decryption servers, submitting ciphertexts and obtaining decryption shares.

Challenge: $A_{CCA}$ chooses two plaintexts $(m_0, m_1)$ of equal length. These are given to the encryption oracle, which chooses $b \in \{0, 1\}$ at random and returns a target ciphertext $C^* = E_{pk}(m_b)$ to $A_{CCA}$.

Phase 2: $A_{CCA}$ adaptively interacts with the uncorrupted decryption servers, submitting ciphertexts and obtaining decryption shares. However, the target ciphertext $C^*$ may not be submitted to the decryption servers.

Guess: $A_{CCA}$ outputs a guess $b' \in \{0, 1\}$.

We define the success probability of the attacker $A_{CCA}$ by
$$\mathrm{Succ}^{\text{THD-IND-CCA}}(A_{CCA}) = 2 \Pr[b' = b] - 1.$$
The probability is over the random bits used by the experiment and by the attacker. We denote by $\mathrm{Succ}^{\text{THD-IND-CCA}}(t_{CCA}, q_D)$ the maximal success probability $\mathrm{Succ}^{\text{THD-IND-CCA}}(A_{CCA})$ over all attackers whose running time and number of queries to the decryption share generation oracles are bounded by $t_{CCA}$ and $q_D$, respectively.
3.2 Description of the Scheme $\mathcal{TCG}$

We describe our threshold cryptosystem from the GDH group, $\mathcal{TCG} = (K, E, D, V, SC)$.

3.2.1 Preliminary: Shamir's Secret Sharing Scheme

We use Shamir's $(t, n)$ threshold secret sharing scheme [31] to share a private key. More precisely, it can be described as follows.

Setup: Let $q$ be a prime and $1 \le t \le n < q$. Let $x \in \mathbb{Z}_q^*$ be the secret to share. A dealer picks $a_1, a_2, \ldots, a_{t-1}$ at random from $\mathbb{Z}_q^*$, sets $a_0 = x$ and defines the polynomial
$$\mathrm{Poly}(X) = \sum_{j=0}^{t-1} a_j X^j.$$
The dealer transfers the $i$th share $x_i = \mathrm{Poly}(i) \in \mathbb{Z}_q$, along with the public index $i$, to the $i$th member among the $n$ members. For notational convenience, we assume that the $0$th share is the secret itself, that is, $x = x_0 = a_0$.

Pooling of Shares: Any subset of $t$ or more members pool their shares. Their shares provide $t$ distinct points $(i, x_i)$, allowing computation of the coefficients $a_j$, $0 \le j \le t - 1$, of $\mathrm{Poly}(X)$ by Lagrange interpolation, given below.

For $\Lambda \subseteq \mathbb{Z}_q$ of cardinality at least $t$, any $i \in \mathbb{Z}_q$ and any $j \in \Lambda$, there exists an element $\lambda^{\Lambda}_{ij} \in \mathbb{Z}_q$ such that
$$\mathrm{Poly}(i) = \sum_{j \in \Lambda} \lambda^{\Lambda}_{ij}\, x_j,$$
namely the Lagrange coefficient
$$\lambda^{\Lambda}_{ij} = \prod_{l \in \Lambda,\ l \neq j} \frac{i - l}{j - l} \pmod q.$$
Note that the computation of $\lambda^{\Lambda}_{ij}$ is easy, namely it can be done in polynomial time. Note also that Shamir's scheme satisfies perfectness: given knowledge of $t - 1$ or fewer shares, all values $x \in \mathbb{Z}_q^*$ of the shared secret remain equally probable.

3.2.2 Threshold Cryptosystem from the GDH Group

Assume that the GDH group $\mathcal{G}$ of order $q$ and its generator $P$ are shared among the parties. We need two hash functions $G$ and $H$, modelled as random oracles:
$$G : \mathcal{G} \to \{0,1\}^l \quad \text{and} \quad H : \mathcal{G} \times \{0,1\}^l \to \mathcal{G}.$$

Now we describe each of the algorithms $K$, $E$, $D$, $V$ and $SC$ as follows.

$K(k, n, t)$: Given a security parameter $k$, the number $n$ of decryption servers and a threshold parameter $t$, this algorithm picks $a_0, a_1, \ldots, a_{t-1}$ uniformly at random from $\mathbb{Z}_q^*$ and defines the polynomial $\mathrm{Poly}(X) = \sum_{j=0}^{t-1} a_j X^j$. Then, for $0 \le i \le n$, it sets $x_i = \mathrm{Poly}(i) \in \mathbb{Z}_q$ and computes $Y_i = x_i P$. Without loss of generality, it sets $x \stackrel{\mathrm{def}}{=} a_0 = \mathrm{Poly}(0)$ and $Y \stackrel{\mathrm{def}}{=} Y_0 = xP$. Finally, it outputs the public key $pk = Y$, the verification key $vk = (pk, Y_1, Y_2, \ldots, Y_n)$ and the private keys $sk_i = (pk, i, x_i)$ for $1 \le i \le n$.

$E_{pk}(m)$: Given a plaintext message $m \in \{0,1\}^l$ and a random value $r$ chosen uniformly from $\mathbb{Z}_q^*$, it computes
$$U = rP, \quad V = G(rY) \oplus m \quad \text{and} \quad W = rH(U, V)$$
and outputs the ciphertext $C = (U, V, W)$.

$D_{sk_i}(C)$: Given a ciphertext $C = (U, V, W)$, it computes $H = H(U, V)$ and checks whether $\hat{e}(P, W) = \hat{e}(U, H)$. If this test holds, it computes $U_i = x_i U$ and outputs $D_i = (i, U_i)$. Otherwise, it returns $(i, ?)$.

$V_{vk}(C, D_i)$: It computes $H = H(U, V)$ and checks whether $\hat{e}(P, W) = \hat{e}(U, H)$. If this test holds, it does the following:
- If $D_i$ is of the form $(i, ?)$, output invalid.
- Else, parse $D_i$ as $(i, U_i)$ and check whether $\hat{e}(P, U_i) = \hat{e}(U, Y_i)$. If this test holds, output valid; else output invalid.
Otherwise (the ciphertext validity test fails), if $D_i$ is of the form $(i, ?)$, output valid; else output invalid.

$SC_{vk}(C, \{D_i\}_{i \in \Lambda})$, where $\Lambda$ has cardinality $t$: It computes $H = H(U, V)$. If $\hat{e}(P, W) = \hat{e}(U, H)$, it computes
$$m = G\Big(\sum_{i \in \Lambda} \lambda^{\Lambda}_{0i}\, U_i\Big) \oplus V$$
and outputs $m$. Otherwise, it outputs $?$ (in this case, all the decryption shares are of the form $(i, ?)$ because of the validity test on $C$ in the decryption share generation and verification algorithms run before).

The combining step works because $\sum_{i \in \Lambda} \lambda^{\Lambda}_{0i} U_i = \sum_{i \in \Lambda} \lambda^{\Lambda}_{0i} x_i\, rP = \mathrm{Poly}(0)\, rP = rxP = rY$, which is exactly the key hashed by $G$ during encryption. Note that the shares fed to $SC$ are assumed to have passed $V_{vk}$, as Definition 2 prescribes; a single share $U_i \neq x_i U$ from a misbehaving server would otherwise yield a wrong key and hence garbage rather than an error, since $G$ is applied to the combined point without any further check.
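As an added, runnable illustration (not code from the paper), the following Python puts Sections 3.2.1 and 3.2.2 together: Shamir sharing with explicit Lagrange coefficients, the five algorithms $K$, $E$, $D$, $V$, $SC$ with both pairing checks, the DDH test of Section 1.3, and the simulator's extraction of $rY$ from Section 2.3 together with its computation of the honest servers' shares from Game $\mathbf{G}_6$ of Section 3.3. Everything about the group is an assumption made so that the example runs offline: $\mathcal{G}$ is $(\mathbb{Z}_q, +)$ with $P = 1$, $q = 2^{61} - 1$, scalar multiplication $kA \bmod q$ and the bilinear map $e(A, B) = AB \bmod q$; this map is bilinear, so every DDH-style check of the scheme executes, but CDH is trivial in it, so the instantiation has no security whatsoever and only exercises the protocol logic. $G$ and $H$ are instantiated with SHA-256 (an assumption), $l = 256$, and `combine` accepts any $t$ or more verified shares rather than exactly $t$ as in the text. All function names are mine.

```python
"""Toy, runnable instance of TCG (Sections 3.2.1-3.2.2) plus the simulator trick of
Section 2.3 / Game G6.  ASSUMED group: (Z_q, +) with P = 1, k*A mod q as scalar
multiplication and e(A, B) = A*B mod q as the pairing.  That map is bilinear, so every
DDH-style check of the scheme runs, but CDH is trivial in it, so there is NO security
here: this exercises the protocol logic only, not the hardness the paper relies on."""
import hashlib
import secrets

Q = 2**61 - 1       # prime group order (toy choice)
P = 1               # generator of (Z_q, +)
L = 32              # G outputs l = 256 bits, so plaintexts are at most 32 bytes

# --- toy GDH group --------------------------------------------------------------
def mul(k, A): return (k * A) % Q                        # scalar multiplication kA
def add(A, B): return (A + B) % Q
def pair(A, B): return (A * B) % Q                       # pair(aP, bP) == pair(P, abP)
def inv(k): return pow(k, -1, Q)
def is_dh_tuple(P0, A, B, C): return pair(P0, C) == pair(A, B)   # DDH test of Section 1.3
def rand_scalar(): return 1 + secrets.randbelow(Q - 1)           # uniform in Z_q^*

# --- random oracles G and H instantiated with SHA-256 (assumption) ---------------
def hash_G(K):                                            # G: group -> {0,1}^l
    return hashlib.sha256(b"G|" + K.to_bytes(8, "big")).digest()
def hash_H(U, V):                                         # H: group x {0,1}^l -> group
    return int.from_bytes(hashlib.sha256(b"H|" + U.to_bytes(8, "big") + V).digest(), "big") % Q
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

# --- Shamir sharing and Lagrange coefficients (Section 3.2.1) --------------------
def share_secret(x, t, n):
    """Poly(X) = x + a_1 X + ... + a_{t-1} X^{t-1}; share i is Poly(i) for i = 1..n."""
    coeffs = [x] + [rand_scalar() for _ in range(t - 1)]
    poly = lambda X: sum(a * pow(X, j, Q) for j, a in enumerate(coeffs)) % Q
    return {i: poly(i) for i in range(1, n + 1)}

def lagrange(Lambda, i, j):
    """lambda^Lambda_{ij} = prod_{l in Lambda, l != j} (i - l) / (j - l) mod q."""
    num = den = 1
    for l in Lambda:
        if l != j:
            num, den = num * (i - l) % Q, den * (j - l) % Q
    return num * inv(den) % Q

# --- TCG = (K, E, D, V, SC) (Section 3.2.2) -------------------------------------
def keygen(n, t):
    x = rand_scalar()
    shares = share_secret(x, t, n)                        # x_i = Poly(i)
    pk = mul(x, P)                                        # Y = xP
    vk = {i: mul(xi, P) for i, xi in shares.items()}      # Y_i = x_i P
    sk = {i: (pk, i, xi) for i, xi in shares.items()}     # sk_i = (pk, i, x_i)
    return pk, vk, sk

def encrypt(pk, m, H=hash_H):          # H is a parameter only so the simulator can program it
    assert len(m) <= L
    r = rand_scalar()
    U = mul(r, P)
    V = xor(hash_G(mul(r, pk)), m)
    return (U, V, mul(r, H(U, V)))                        # W = r H(U, V)

def ciphertext_valid(C):               # public test: (P, U, H(U,V), W) is a DH tuple
    U, V, W = C
    return is_dh_tuple(P, U, hash_H(U, V), W)

def share_decrypt(sk_i, C):            # D_{sk_i}: (i, x_i U) on a valid C, else (i, ?)
    pk, i, xi = sk_i
    return (i, mul(xi, C[0])) if ciphertext_valid(C) else (i, None)

def share_valid(vk, C, D_i):           # V_vk, both branches of the text
    i, U_i = D_i
    if not ciphertext_valid(C):
        return U_i is None
    return U_i is not None and is_dh_tuple(P, C[0], vk[i], U_i)   # e(P,U_i) == e(U,Y_i)

def combine(vk, C, shares):
    """SC_vk on shares that passed share_valid; any >= t of them suffice."""
    U, V, W = C
    if not ciphertext_valid(C):
        return None                                       # the symbol ?
    Lambda = [i for i, _ in shares]
    K = 0                                                 # sum_i lambda_{0i} U_i = rY
    for i, U_i in shares:
        K = add(K, mul(lagrange(Lambda, 0, i), U_i))
    return xor(hash_G(K), V)

# --- the reduction's decryption simulator (Section 2.3, Game G6) ----------------
def simulator_extract(s, C):
    """With H(U,V) programmed as sY, (1/s)W = rY is recovered without r or x."""
    return mul(inv(s), C[2])

def simulator_shares(corrupt, s, C, honest):
    """Game G6: U_i = (lambda_{i0}/s) W + sum_j x_j lambda_{ij} U (= x_i U) for honest i."""
    U, V, W = C
    Lambda = [0] + sorted(corrupt)                        # corrupt = {j: x_j}, |corrupt| = t-1
    out = {}
    for i in honest:
        Ui = mul(lagrange(Lambda, i, 0) * inv(s) % Q, W)
        for j, xj in corrupt.items():
            Ui = add(Ui, mul(xj * lagrange(Lambda, i, j) % Q, U))
        out[i] = Ui
    return out
```

A typical run is `pk, vk, sk = keygen(3, 2)`, `C = encrypt(pk, m)`, then `combine(vk, C, [share_decrypt(sk[i], C) for i in (1, 3)])`, which returns `m`; flipping one byte of $V$ makes `ciphertext_valid` fail, every server answer $(i, ?)$, and `combine` return `None`, while a share that was altered by one group element fails `share_valid`. Replacing the three one-line group operations and `hash_H` with a pairing-friendly curve subgroup and a MapToGroup-style hash is the only change needed to move from the toy group to the setting of the paper.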
3.3 Security Analysis for the Scheme $\mathcal{TCG}$

In this section, we analyze the security of the threshold cryptosystem described in the previous section. Note that we use the proof methodology introduced by Shoup in [33] and refined in [18] for a more precise analysis.

Theorem 2 The $(t, n)$-threshold cryptosystem $\mathcal{TCG}$ is secure against adaptive chosen ciphertext attack in the random oracle model, relative to the CDH problem. More precisely,
$$\frac{1}{2}\,\mathrm{Succ}^{\text{THD-IND-CCA}}_{\mathcal{TCG}}(t_{CCA}, q_G, q_H, q_D) \le \mathrm{Succ}^{CDH}(t_{CDH}) + \frac{q_D + q_H q_D}{2^k},$$
where
$$t_{CDH} = t_{CCA} + (q_G + n)\,O(k^3) + q_H\,O(k^3) + q_G q_H q_D\,O(k^3).$$
Here, $q_G$, $q_H$ and $q_D$ denote the numbers of queries made by $A_{CCA}$ to the random oracles $G$ and $H$ and to the decryption oracles, respectively.
Proof. First, we define notation and conventions. Let $A_{CCA}$ be an attacker that defeats the semantic security of the scheme $\mathcal{TCG}$ against adaptive chosen ciphertext attack. We denote by $C = (U, V, W)$ a decryption query made by the attacker $A_{CCA}$ to the decryption oracle. In particular, we use $C^* = (U^*, V^*, W^*)$ to denote the target ciphertext.

The final goal of our proof is to reduce the intractability of the CDH problem in the group $\mathcal{G}$ to the semantic security of the scheme $\mathcal{TCG}$ against adaptive chosen ciphertext attack. We denote the attacker for the CDH problem by $A_{CDH}$ and its input parameters by $(\mathcal{G}, q, P, aP, bP)$, as in Definition 1.

As mentioned, we use the proof methodology introduced in [33]. More precisely, we define a sequence of games starting with game $\mathbf{G}_0$, the real attack game for $A_{CCA}$ as described in Section A.2. Then we modify this game to yield another game $\mathbf{G}_1$ and measure the difference between the two games. We repeat this modification until we have completely simulated all the oracles that $A_{CCA}$ has access to, and bound the success probability of $A_{CCA}$ by that of $A_{CDH}$.

Below, we denote by $s \leftarrow_R S$ an element $s$ chosen uniformly at random from the set $S$.
Game $\mathbf{G}_0$: This game is the same as the real attack game. We assume that the set of common parameters $(\mathcal{G}, P, q, G, H)$ is given to $A_{CCA}$. Note that $q \ge 2^k$.

First, the key generation algorithm is run, given a security parameter $k$, the number $n$ of decryption servers and a threshold parameter $t$. Then $a_0, a_1, \ldots, a_{t-1}$ are picked uniformly at random from $\mathbb{Z}_q^*$ and the polynomial $\mathrm{Poly}(X) = \sum_{j=0}^{t-1} a_j X^j$ is defined. Next, $x_i = \mathrm{Poly}(i) \in \mathbb{Z}_q$ is computed for $0 \le i \le n$, and so is $Y_i = x_i P$. Setting $x \stackrel{\mathrm{def}}{=} \mathrm{Poly}(0)$ and $Y \stackrel{\mathrm{def}}{=} Y_0 = xP$, the public key $pk = Y$, the verification key $vk = (pk, Y_1, Y_2, \ldots, Y_n)$ and the private keys $sk_i = (pk, i, x_i)$ for $1 \le i \le n$ are returned. The public key $pk$ and the verification key $vk$ are provided as input to $A_{CCA}$.

After $A_{CCA}$ submits a pair of plaintexts $(m_0, m_1)$, a target ciphertext $C^* = (U^*, V^*, W^*)$ is created as follows. For $b \leftarrow_R \{0, 1\}$,
$$U^* = r^* P, \quad V^* = G(K^*) \oplus m_b \quad \text{and} \quad W^* = r^* H^*,$$
where $K^* = r^* Y$ for $r^* \leftarrow_R \mathbb{Z}_q^*$ and $H^* = H(U^*, V^*)$.

On input $C^*$, $A_{CCA}$ outputs $b'$. We denote by $S_0$ the event $b' = b$, and use the similar notation $S_i$ for all games $\mathbf{G}_i$. Since game $\mathbf{G}_0$ is the same as the real attack game, we have
$$\Pr[S_0] = \frac{1}{2} + \frac{1}{2}\,\mathrm{Succ}^{\text{THD-IND-CCA}}(A_{CCA}).$$
Game $\mathbf{G}_1$: In this game, we assume without loss of generality that the servers $1, \ldots, t - 1$ have been corrupted. Let $\Lambda = \{0, 1, \ldots, t - 1\}$. Then we choose $x_1, x_2, \ldots, x_{t-1}$ uniformly at random from $\mathbb{Z}_q^*$ and compute
$$Y_i = \lambda^{\Lambda}_{i0}\, Y + \sum_{j=1}^{t-1} \big(x_j \lambda^{\Lambda}_{ij}\big) P \quad \text{for } t \le i \le n.$$
(These are the correct verification keys: by Lagrange interpolation over $\Lambda$, $x_i = \lambda^{\Lambda}_{i0} x + \sum_{j=1}^{t-1} \lambda^{\Lambda}_{ij} x_j$, so $Y_i = x_i P$ without $x$ ever being known.) Now we set $pk \stackrel{\mathrm{def}}{=} Y = bP$ and $U^* \stackrel{\mathrm{def}}{=} aP$. (Note that $aP$ and $bP$ are the parameters given to the attacker $A_{CDH}$.) Then we choose $K^+$ uniformly at random from $\mathcal{G}$ and set $K^* \stackrel{\mathrm{def}}{=} K^+$. We also choose $G^+$ uniformly at random from $\{0,1\}^l$ and set $G^+ \stackrel{\mathrm{def}}{=} G(K^*)$. Then we set $V^* \stackrel{\mathrm{def}}{=} G^+ \oplus m_b$. As a result, $K^*$ and $G(K^*)$ are independent of everything else. Next, we choose $s^+$ uniformly at random from $\mathbb{Z}_q^*$ and compute $s^+ P$. We set $H^* = H(U^*, V^*) \stackrel{\mathrm{def}}{=} s^+ P$. Also, we compute $s^+ U^*$ and set $W^* \stackrel{\mathrm{def}}{=} s^+ U^*$. We summarize the modifications as the following rules.

R1-1: $K^* = K^+$, $U^* = aP$, $Y = bP$, $V^* = G^+ \oplus m_b$, $W^* = s^+ U^*$ and $H^* = s^+ P$.

R1-2: Whenever the random oracle $G$ is queried at $K^+$, the answer is $G^+$.

R1-3: Whenever the random oracle $H$ is queried at $(U^*, V^*)$, the answer is $s^+ P$.

Note that since $G$ is a random oracle, $G(K^*)$ and $G^+$ have the same distribution. Since the output of the random oracle $H$ is uniformly distributed in $\mathcal{G}$, and so is $s^+ P$ for $s^+ \leftarrow_R \mathbb{Z}_q^*$, $H^*$ and $s^+ P$ are identically distributed. Similarly, $W^*$ and $s^+ U^*$ are identically distributed. Also, $(P, U^*, H^*, W^*)$ in this game is a legitimate Diffie-Hellman tuple, since $\hat{e}(P, W^*) = \hat{e}(P, s^+ aP) = \hat{e}(aP, s^+ P) = \hat{e}(U^*, H^*)$ by the construction of $H^*$ and $W^*$. Finally, since $aP$ and $bP$ are uniformly distributed in the group $\mathcal{G}$, the distribution of $Y$ and $C^* = (U^*, V^*, W^*)$ remains the same as in the previous game. Thus, we have
$$\Pr[S_1] = \Pr[S_0].$$
Game $\mathbf{G}_2$: In this game, we drop the rule R1-2 above but keep the rule R1-3 (hereafter, we always keep the rule R1-3). As a result, $G^+$ appears only in $V^*$. Thus, the distribution of the input to $A_{CCA}$ does not depend on $b$, and hence $\Pr[S_2] = 1/2$.

Note that games $\mathbf{G}_2$ and $\mathbf{G}_1$ may differ if the random oracle $G$ is queried at $K^*$. Let $\mathrm{AskG}_2$ denote the event that, in game $\mathbf{G}_2$, $G$ is queried at $K^*$ (excluding the query made by the encryption oracle itself when producing the target ciphertext). We use the same notation $\mathrm{AskG}_i$ to denote this event in all other games. Now we have
$$\big|\Pr[S_2] - \Pr[S_1]\big| \le \Pr[\mathrm{AskG}_2].$$
Game $\mathbf{G}_3$: In this game, we modify the random oracles $G$ and $H$ as follows. Note that we have already dealt with the simulation of $G$ and $H$ at the points that appear in the target ciphertext $C^*$; in the following, we deal with the rest of the simulation of $G$ and $H$.

Whenever $G$ is queried, we choose $G$ uniformly at random from $\{0,1\}^l$ and return it as the answer to $A_{CCA}$. We define GList as the list of query-answer entries for the random oracle $G$, of the form $\langle K, G \rangle$ where $G = G(K)$. On the other hand, whenever $H$ is queried at $(U, V)$, we choose $s$ uniformly at random from $\mathbb{Z}_q^*$, compute $H = sY$ and return $H$ as the answer to $A_{CCA}$. Similarly, let HList be the list of all query-answer entries for the random oracle $H$, that is, the entries $\langle (U, V), H, s \rangle$ where $H = H(U, V) = sY$ (the simulator records $s$ as well, since it is what makes the decryption simulation in game $\mathbf{G}_6$ possible). Note that all these lists grow as the attack of $A_{CCA}$ proceeds.

The above simulation of $G$ and $H$ is perfect, because the outputs of $G$ and $H$ are uniformly distributed. Then we have
$$\Pr[\mathrm{AskG}_3] = \Pr[\mathrm{AskG}_2].$$

Note that the decryption oracle has been regarded as perfect up to this game. The remaining games deal with the simulation of the decryption oracle.
Game $\mathbf{G}_4$: In this game, we make the decryption oracle reject all ciphertexts $C = (U, V, W)$ such that $H \stackrel{\mathrm{def}}{=} H(U, V)$ has not been queried. If $C$ is a valid ciphertext while $H(U, V)$ has not been queried, games $\mathbf{G}_4$ and $\mathbf{G}_3$ may differ. By the simulation of the random oracles $G$ and $H$, if $C$ is valid then $(P, U, H, W)$ is a legitimate Diffie-Hellman tuple, since
$$(P, U, H, W) = (P,\ rP,\ sY,\ rsY) = (P,\ rP,\ sxP,\ rsxP).$$
However, since we have assumed that $H$ has not been queried in this game, $H$ is not yet fixed when $W$ is submitted, and the above equality holds with probability at most $1/2^k$ per query, since the output of the (simulated) random oracle $H$ is uniformly distributed in $\mathcal{G}$ and $q \ge 2^k$. Summing over all decryption queries, we have
$$\big|\Pr[\mathrm{AskG}_4] - \Pr[\mathrm{AskG}_3]\big| \le \frac{q_D}{2^k}.$$

Game $\mathbf{G}_5$: In this game, we modify the decryption oracle to reject all ciphertexts $C$ such that the value $K = rY$ has not been queried to the random oracle $G$. If $C$ is a valid ciphertext and $(U, V)$ has been queried to the random oracle $H$ while $G(K)$ has not been queried, the rule of this game would cause a difference from game $\mathbf{G}_4$. Since $V = G(K) \oplus m$ and we have assumed that $G(K)$ has not been queried, $V$ is independent of the view of $A_{CCA}$. Furthermore, since we have assumed that $C$ is valid, $(U, V)$ must nevertheless have been queried to $H$, and this happens with probability at most $q_H / 2^k$. Summing over all decryption queries, we have
$$\big|\Pr[\mathrm{AskG}_5] - \Pr[\mathrm{AskG}_4]\big| \le \frac{q_D q_H}{2^k}.$$
Game $\mathbf{G}_6$: In this game, we modify the decryption oracle of the previous game to yield a decryption oracle simulator which decrypts a submitted decryption query $C = (U, V, W)$ without the private key. Note that the cases in which $H(U, V)$ or $G(K)$ has not been queried are excluded in this game, since they were already dealt with in the previous games. That is, we assume that $H(U, V)$ and $G(K)$ have been queried at some point.

Now we describe the complete specification of the decryption oracle simulator, which is given the input ciphertext $C = (U, V, W)$.

- Extract $\langle (U, V), H, s \rangle$ from HList.
- If $\hat{e}(P, W) = \hat{e}(U, H)$:
  - Compute $K = (1/s) W$. (Note that we have obtained the Diffie-Hellman key $rxP$ of $U$ and $Y$ without knowing $r$ or $x$, since $(1/s) W = (1/s)\, rsY = rY = rxP$.)
  - For $t \le i \le n$, compute
    $$U_i = \frac{\lambda^{\Lambda}_{i0}}{s}\, W + \sum_{j=1}^{t-1} x_j \lambda^{\Lambda}_{ij}\, U = r \lambda^{\Lambda}_{i0}\, Y + \sum_{j=1}^{t-1} r x_j \lambda^{\Lambda}_{ij}\, P = r \lambda^{\Lambda}_{i0}\, Y + \big(r Y_i - r \lambda^{\Lambda}_{i0}\, Y\big) = r Y_i .$$
  - Return $U_i$ as the decryption share of each uncorrupted server $P_i$.
- Else reject $C$.

Once $A_{CDH}$ has obtained $U_i = rY_i$, it can confirm that $(P, U, Y_i, U_i)$ is a Diffie-Hellman tuple by checking whether $\hat{e}(P, U_i) = \hat{e}(U, Y_i)$.

Note that the above decryption oracle simulator perfectly simulates the real decryption oracle, since $H(U, V)$ and $G(K)$ have been queried previously. Thus, we get
$$\Pr[\mathrm{AskG}_6] = \Pr[\mathrm{AskG}_5].$$

Finally, in game $\mathbf{G}_6$ the event $\mathrm{AskG}_6$ means that $K^* = r^* Y = abP$ appears in GList, and $A_{CDH}$ can recognize it among the at most $q_G$ entries by the DDH test $\hat{e}(P, K) = \hat{e}(aP, bP)$ and output it, so $\Pr[\mathrm{AskG}_6] \le \mathrm{Succ}^{CDH}(A_{CDH})$.

Now we put together all the bounds obtained in each game:
$$\frac{1}{2}\,\mathrm{Succ}^{\text{THD-IND-CCA}}(A_{CCA}) = \big|\Pr[S_0] - \Pr[S_2]\big| \le \Pr[\mathrm{AskG}_2] \le \Pr[\mathrm{AskG}_4] + \frac{q_D}{2^k} \le \frac{q_D}{2^k} + \frac{q_H q_D}{2^k} + \Pr[\mathrm{AskG}_6] \le \frac{q_D + q_H q_D}{2^k} + \mathrm{Succ}^{CDH}(A_{CDH}).$$

Considering the running time $t_{CDH}$ of $A_{CDH}$, we have
$$\frac{1}{2}\,\mathrm{Succ}^{\text{THD-IND-CCA}}(t_{CCA}, q_G, q_H, q_D) \le \mathrm{Succ}^{CDH}(t_{CDH}) + \frac{q_D + q_H q_D}{2^k},$$
where $t_{CDH} = t_{CCA} + (q_G + n)\,O(k^3) + q_H\,O(k^3) + q_G q_H q_D\,O(k^3)$. $\square$
4 Implementation Issues and Comparisons to Other Schemes
For the implementation of our threshold cryptosystem TGDH, the supersingular curves $y^2 = x^3 + 2x \pm 1$ over $F_{3^n}$ with security multiplier α = 6 might be the best choice in terms of computation and communication overheads. In this case, the Weil pairing maps the discrete logarithm in $E(F_{3^n})$ into $F^*_{3^{6n}}$. Note that these curves were used to construct Boneh et al.'s short signature [9], in which small values for n provide short signatures: e.g.^4, an elliptic curve group $E(F_{3^{97}})$ (whose size is 151 bits) provides a signature of length 154 bits with security comparable to the 923-bit discrete log security of the group $F^*_{3^{6 \cdot 97}}$. Accordingly, the size of a ciphertext and of a decryption share of TGDH is much smaller than those of, possibly, elliptic curve versions of the threshold cryptosystems in [35], [16] and [10].
Before discussing the computational efficiency of our scheme, we summarize in the following table the major computational overheads caused by the encryption, the decryption share generation/verification and the share combining algorithms. In the table, "Hash comp." represents computation of the hash function H only, which is more significant than that of the hash function G.

  Algorithm                        Point mul.   Pairing comp.   Hash comp.
  Encryption                            3             0              1
  Decryption share generation           1             2              1
  Decryption share verification         0             2              1
  Share combining                       1             2              1

Table 1: The number of cryptographic operations for TGDH
In TGDH, there are several validity checks of whether a given tuple is a Diffie-Hellman tuple or not, just as in the verification algorithm of Boneh et al.'s short signature scheme. To run this check, we need two pairing (bilinear map) computations and one computation of the hash function H, which maps an arbitrary string to a group element and is constructed like the algorithm MapToGroup described in [9].
It was known that pairing computation, even the Tate pairing computation which is more efficient than computation of the Weil pairing, is far more expensive than point multiplication. For example, it was reported that the verification time of Boneh et al.'s short signature scheme is 2900 ms when the group $E(F_{3^{97}})$ and the Tate pairing are used. However, a drastic improvement in pairing computation has been made quite recently by Barreto et al. [3]. Their result shows that when the Tate pairing is used, the verification time of the $E(F_{3^{97}})$ Boneh et al. short signature scheme has been improved to 53 ms, which is nearly 55 times faster than the previous result. Hence, even from the computational point of view, our scheme is expected to have performance comparable to the most efficient threshold scheme so far, the (elliptic curve version of) TDH1 or TDH2 in [35], which involves a number of point multiplications (e.g., rP) and double multiplications (e.g., rP + sQ) in the decryption share generation/verification stages due to heavy zero-knowledge proofs.
5 Conclusion
In this paper, we have constructed a threshold cryptosystem from the GDH group, in which the DDH problem is easy but the CDH problem is hard. Our scheme is not only simple, due to the elegant structure of the GDH group, but also enjoys the basic security requirements of a robust threshold cryptosystem: it is secure against adaptive chosen ciphertext attack, non-interactive and efficient in terms of computation and communication overheads.
References
[1] M. Abdalla, M. Bellare and P. Rogaway: The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES, Proceedings of Topics in Cryptology - CT-RSA 2001, Vol. 2020 of LNCS, Springer-Verlag 2001, pages 143-158. Full version available at http://www-cse.ucsd.edu/users/mihir/.
[2] M. Abe: Securing Encryption + Proof of Knowledge in the Random Oracle Model, Proceedings of Topics in Cryptology - CT-RSA 2002, Vol. 2271 of LNCS, Springer-Verlag 2002, pages 277-289.
Footnote 4: Note that to avoid the Weil-descent attacks [19], the values for n should be restricted to prime numbers.
[3] P. Barreto, H. Kim, B. Lynn and M. Scott: Efficient Algorithms for Pairing-Based Cryptosystems, Advances in Cryptology - Proceedings of CRYPTO 2002, Vol. 2442 of LNCS, Springer-Verlag 2002, pages 354-369.
[4] M. Bellare, A. Desai, D. Pointcheval and P. Rogaway: Relations Among Notions of Security for Public-Key Encryption Schemes, Advances in Cryptology - Proceedings of CRYPTO 98, Vol. 1462 of LNCS, Springer-Verlag 1998, pages 26-45.
[5] M. Bellare and P. Rogaway: Optimal Asymmetric Encryption, Advances in Cryptology - Proceedings of EUROCRYPT 94, Vol. 950 of LNCS, Springer-Verlag 1994, pages 92-111.
[6] M. Bellare and P. Rogaway: Random Oracles are Practical: A Paradigm for Designing Efficient Protocols, Proceedings of the First ACM Conference on Computer and Communications Security 1993, pages 62-73.
[7] A. Boldyreva: Efficient Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-group Signature Scheme, Proceedings of Public Key Cryptography 2003 (PKC 2003), Vol. 2567 of LNCS, Springer-Verlag 2003, pages 31-46.
[8] D. Boneh and M. Franklin: Identity-Based Encryption from the Weil Pairing, Advances in Cryptology - Proceedings of CRYPTO 2001, Vol. 2139 of LNCS, Springer-Verlag 2001, pages 213-229.
[9] D. Boneh, B. Lynn and H. Shacham: Short Signatures from the Weil Pairing, Advances in Cryptology - Proceedings of ASIACRYPT 2001, Vol. 2248 of LNCS, Springer-Verlag 2001, pages 566-582.
[10] R. Canetti and S. Goldwasser: An Efficient Threshold Public Key Cryptosystem Secure Against Adaptive Chosen Ciphertext Attack, Advances in Cryptology - Proceedings of EUROCRYPT 99, Vol. 1592 of LNCS, Springer-Verlag 1999, pages 90-106.
[11] D. Chaum and T. Pedersen: Wallet Databases with Observers, Advances in Cryptology - Proceedings of CRYPTO 92, Vol. 740 of LNCS, Springer-Verlag 1992, pages 89-105.
[12] R. Cramer and V. Shoup: A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack, Advances in Cryptology - Proceedings of CRYPTO 98, Vol. 1462 of LNCS, Springer-Verlag 1998, pages 13-25.
[13] A. De Santis, Y. Desmedt, Y. Frankel and M. Yung: How to Share a Function Securely, Proceedings of the 26th Annual ACM Symposium on the Theory of Computing (STOC), 1994, pages 522-533.
[14] Y. Desmedt and Y. Frankel: Threshold Cryptosystems, Advances in Cryptology - Proceedings of CRYPTO 89, Vol. 435 of LNCS, Springer-Verlag 1989, pages 307-315.
[15] T. ElGamal: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, IEEE Trans. Information Theory, 31, 1985, pages 469-472.
[16] P. Fouque and D. Pointcheval: Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks, Advances in Cryptology - Proceedings of ASIACRYPT 2001, Vol. 2248 of LNCS, Springer-Verlag 2001, pages 351-368.
[17] E. Fujisaki and T. Okamoto: How to Enhance the Security of Public-Key Encryption at Minimum Cost, Proceedings of Public Key Cryptography 99 (PKC 99), Vol. 1666 of LNCS, Springer-Verlag 1999, pages 53-68.
[18] E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern: RSA-OAEP is Secure under the RSA Assumption, Journal of Cryptology, 2002, to appear.
[19] S. Galbraith and N. P. Smart: A Cryptographic Application of Weil Descent, Proceedings of Cryptography and Coding, Vol. 1746 of LNCS, Springer-Verlag 1999, pages 191-200.
[20] S. Goldwasser and S. Micali: Probabilistic Encryption, Journal of Computer and System Sciences, Vol. 28, 1984, pages 270-299.
[21] A. Joux and K. Nguyen: Separating Decision Diffie-Hellman from Diffie-Hellman in Cryptographic Groups, Cryptology ePrint Archive, Report 2001/003, 2001, available at http://eprint.iacr.org.
[22] C. Lim and P. Lee: Another Method for Attaining Security Against Adaptively Chosen Ciphertext Attack, Advances in Cryptology - Proceedings of CRYPTO 93, Vol. 773 of LNCS, Springer-Verlag 1993, pages 410-434.
[23] A. Lysyanskaya: Unique Signatures and Verifiable Random Functions from the DH-DDH Separation, Advances in Cryptology - Proceedings of CRYPTO 2002, Vol. 2242 of LNCS, Springer-Verlag 2002, pages 597-612.
[24] M. Naor and M. Yung: Public-key Cryptosystems Provably Secure against Chosen Ciphertext Attacks, Proceedings of the 22nd Annual ACM Symposium on the Theory of Computing (STOC), 1990, pages 427-437.
[25] T. Okamoto and D. Pointcheval: The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes, Proceedings of Public Key Cryptography 2001 (PKC 2001), Vol. 1992 of LNCS, Springer-Verlag 2001, pages 104-118.
[26] T. Okamoto and D. Pointcheval: REACT: Rapid Enhanced-security Asymmetric Cryptosystem Transform, Proceedings of Topics in Cryptology - CT-RSA 2001, Vol. 2020 of LNCS, Springer-Verlag 2001, pages 159-174.
[27] D. Pointcheval: Chosen-Ciphertext Security for Any One-Way Cryptosystem, Proceedings of Public Key Cryptography 2000 (PKC 2000), Vol. 1751 of LNCS, Springer-Verlag 2000, pages 129-146.
[28] C. Rackoff and D. R. Simon: Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack, Advances in Cryptology - Proceedings of CRYPTO 91, Vol. 576 of LNCS, Springer-Verlag 1992, pages 434-444.
[29] R. Rivest, A. Shamir and L. Adleman: A Method for Obtaining Digital Signatures and Public Key Cryptosystems, Communications of the ACM, Vol. 21 (2), 1978, pages 120-126.
[30] C. P. Schnorr: Efficient Signature Generation for Smart Cards, Journal of Cryptology, Vol. 4, Springer-Verlag 1991, pages 239-252.
[31] A. Shamir: How to Share a Secret, Communications of the ACM, Vol. 22, 1979, pages 612-613.
[32] V. Shoup: A Proposal for an ISO Standard for Public Key Encryption (Version 1.1), ISO/IEC JTC 1/SC 27, 2001.
[33] V. Shoup: OAEP Reconsidered, Advances in Cryptology - Proceedings of CRYPTO 2001, Vol. 2139 of LNCS, Springer-Verlag 2001, pages 239-259.
[34] V. Shoup and R. Gennaro: Securing Threshold Cryptosystems against Chosen Ciphertext Attack, Advances in Cryptology - Proceedings of EUROCRYPT 98, Vol. 1403 of LNCS, Springer-Verlag 1998, pages 1-16.
[35] V. Shoup and R. Gennaro: Securing Threshold Cryptosystems against Chosen Ciphertext Attack, Journal of Cryptology, Vol. 15, Springer-Verlag 2002, pages 75-96.
[36] Y. Tsiounis and M. Yung: On the Security of ElGamal-Based Encryption, Proceedings of Public Key Cryptography 98 (PKC 98), Vol. 1431 of LNCS, Springer-Verlag 1998, pages 117-134.
[37] Y. Zheng and J. Seberry: Practical Approaches to Attaining Security against Adaptively Chosen Ciphertext Attacks, Advances in Cryptology - Proceedings of CRYPTO 1992, Vol. 742 of LNCS, Springer-Verlag 1993, pages 292-304.
A Preliminaries
A.1 Public Key Cryptosystem
A public key cryptosystem consists of the following algorithms.
- A randomized key generation algorithm K(k) which, on input a security parameter k, generates (pk, sk) where pk is the public key and sk is the private key.
- A randomized encryption algorithm E(pk, m) which, on input the public key pk and a plaintext m, outputs a ciphertext C.
- A deterministic decryption algorithm D(sk, C) which, on input a private key sk and a ciphertext C, outputs a plaintext m.
A.2 Security Notion for Public Key Cryptosystem
Now we review the security model for public key encryption schemes. Consider an attack algorithm (attacker) A_CCA in the following experiment (game). The experiment consists of several stages.
- Setup: The common parameter generation algorithm is run on input a security parameter k. Then the key generation algorithm is run on input the common parameters output by the common parameter generation algorithm. The public key output by the key generation algorithm and the common parameters are given to A_CCA.
- Phase 1: A_CCA interacts with the decryption oracle, submitting ciphertexts and obtaining decryptions. A_CCA's interaction with the decryption oracle can be adaptive.
- Challenge: A_CCA chooses two equal-length plaintexts (m_0, m_1). These are given to the encryption algorithm, which chooses $b \leftarrow_R \{0, 1\}$ at random and returns a target ciphertext $C^* = E(pk, m_b)$ to A_CCA.
- Phase 2: A_CCA interacts with the decryption oracle, submitting ciphertexts and obtaining decryptions. A_CCA's interaction with the decryption oracle can be adaptive.
- Guess: A_CCA outputs a guess $b' \in \{0, 1\}$.
We define the attacker A_CCA's success probability by
$$\mathrm{Succ}^{IND\text{-}CCA}(A_{CCA}) = 2\Pr[b' = b] - 1.$$
The probability is over the random bits used by the experiment and the attacker. We denote by $\mathrm{Succ}^{IND\text{-}CCA}(t_{CCA}, q_D)$ the maximal success probability $\mathrm{Succ}^{IND\text{-}CCA}(A_{CCA})$ over all attackers whose running time and number of queries to the decryption oracle are bounded by $t_{CCA}$ and $q_D$, respectively.
B Proof of Theorem 1
Proof. First, we define notations and conventions. Let A_CCA be an attacker that defeats the semantic security of the scheme T(c against adaptive chosen ciphertext attack. We denote by C = (U, V, W) a decryption query made by the attacker A_CCA to the decryption oracle. In particular, we use $C^* = (U^*, V^*, W^*)$ to denote a target ciphertext.
The final goal of our proof is to reduce the intractability of the CDH problem in group $\mathcal{G}$ to the semantic security of the scheme T(c against adaptive chosen ciphertext attack. We denote the attacker for the CDH problem by A_CDH and the input parameters for this attacker by $(\mathcal{G}, q, P, aP, bP)$ as defined in Definition 1.
As mentioned, we use the proof methodology introduced in [33]. More precisely, we define a sequence of games starting with game G_0, the real attack game for A_CCA as described in Section A.2. Then we modify this game to yield another game G_1 and measure the difference between those two games. We repeat this modification until we completely simulate all the oracles that A_CCA has access to, and bound the success probability of A_CCA by that of A_CDH. Below, we denote by $s \leftarrow_R S$ an element s chosen uniformly at random from the set S.
Game G_0: This game is actually the same as the real attack game. We assume that the set of common parameters $(\mathcal{G}, P, q, G, H)$ is given to A_CCA. Note that $q \ge 2^k$.
First, the key generation algorithm is run and the private/public key pair (sk, pk) = (x, y), where $y = g^x$, is generated. The public key pk is provided as input to A_CCA. After A_CCA submits a pair of plaintexts (m_0, m_1), a target ciphertext $C^* = (U^*, V^*, W^*)$ is created as follows. For $b \leftarrow_R \{0, 1\}$,
$$U^* = r^* P,\quad V^* = G(K^*) \oplus m_b,\quad \text{and}\quad W^* = r^* H^*,$$
where $K^* = r^* Y$ for $r^* \leftarrow_R \mathbb{Z}_q^*$ and $H^* = H(U^*, V^*)$.
On input C*, A_CCA outputs b'. We denote by S_0 the event b' = b and use the similar notation S_i for all G_i. Since game G_0 is the same as the real attack game, we have
$$\Pr[S_0] = \frac{1}{2} + \frac{1}{2}\mathrm{Succ}^{IND\text{-}CCA}(A_{CCA}).$$
Game G_1: In this game, we set $U^* := aP$ and $pk = Y = bP$. (Note that aP and bP are the parameters given to the attacker A_CDH.) Then, we choose K^+ uniformly at random from $\mathcal{G}$ and set $K^* := K^+$. We also choose G^+ uniformly at random from $\{0, 1\}^l$ and set $G^+ := G(K^*)$. Then, we set $V^* := G^+ \oplus m_b$. As a result, K* and G(K*) are independent from everything else. Next, we choose s^+ uniformly at random from $\mathbb{Z}_q^*$ and compute $s^+ P$. We set $H^* = H(U^*, V^*) := s^+ P$. Also, we compute $s^+ U^*$ and set $W^* := s^+ U^*$. We summarize the modifications as the following rules.
R1-1 $K^* = K^+$, $U^* = g^a$, $V^* = G^+ \oplus m_b$, $W^* = s^+ U^*$ and $H^* = s^+ P$.
R1-2 Whenever the random oracle G is queried at K^+, the answer is G^+.
R1-3 Whenever the random oracle H is queried at (U*, V*), the answer is $s^+ P$.
Note that since G is a random oracle, G(K*) and G^+ have the same distribution. Since the output of the random oracle H is uniformly distributed in $\mathcal{G}$, and so is $s^+ Y$ for $s^+ \leftarrow_R \mathbb{Z}_q^*$, H* and $s^+ Y$ are identically distributed. Similarly, W* and $s^+ U^*$ are also identically distributed. Also, (P, U*, H*, W*) in this game is a legitimate Diffie-Hellman tuple since
$$(P, U^*, H^*, W^*) = (P, aP, s^+ P, a s^+ P),$$
where $a, s^+ \leftarrow_R \mathbb{Z}_q^*$. Finally, since aP is uniformly distributed in group $\mathcal{G}$, the distribution of $C^* = (U^*, V^*, W^*)$ remains the same as in the previous game. Thus, we have
$$\Pr[S_1] = \Pr[S_0].$$
Game G_2: In this game, we drop the rule R1-2 above but keep the rule R1-3 (hereafter, we keep the rule R1-3). As a result, G^+ appears only in V*. Thus, the distribution of the input to A_CDH does not depend on b. Hence we get $\Pr[S_2] = 1/2$.
Note that games G_2 and G_1 may differ if G is queried at K*. Let AskG_2 denote the event that, in game G_2, G is queried at K*. (However, we exclude the case that K* is queried by the encryption oracle to produce the target ciphertext.) We will use the same notation AskG_i to denote such events in all other games. Now, we have
$$|\Pr[S_2] - \Pr[S_1]| \le \Pr[AskG_2].$$
Game G_3: In this game, we modify the random oracles G and H as follows. Note that we have already dealt with the simulation of the random oracles G and H as they appear in the target ciphertext C*. In the following, we deal with the rest of the simulation of G and H.
Whenever G is queried, we choose G uniformly at random from $\{0, 1\}^l$ and return G as the answer to A_CCA. We define GList as a list which consists of simple query-answer entries for the random oracle G of the form ⟨K, G⟩ where G = G(K). On the other hand, whenever H is queried at (U, V), we choose s uniformly at random from $\mathbb{Z}_q^*$, compute H = sY and return H as the answer to A_CCA. Similarly, let HList be the set of all query-answer pairs for the random oracle H. More specifically, HList consists of the pairs ⟨(U, V), H⟩ where H = H(U, V) = sY. Notice that all these lists grow as A_CCA's attack proceeds.
Note that the above simulation of G and H is perfect. Then, we have
$$\Pr[AskG_3] = \Pr[AskG_2].$$
Note that the decryption oracle has been regarded as perfect up to this game. The rest of the games will deal with the simulation of the decryption oracle.
Game G_4: In this game, we make the decryption oracle reject all ciphertexts C = (U, V, W) such that H := H(U, V) has not been queried. If C is a valid ciphertext while H(U, V) has not been queried, the games G_4 and G_3 may differ. By the simulation of the random oracles G and H, if C is valid then (P, U, H, W) is a legitimate Diffie-Hellman tuple since
$$(P, U, H, W) = (P, rP, sY, rsY) = (P, rP, sxP, rsxP).$$
However, since we have assumed that H has not been queried in this game, the above equality happens with probability at most $1/2^k$, since the output of the (simulated) random oracle H is uniformly distributed in $\mathcal{G}$. Summing up over all decryption queries, we have
$$|\Pr[AskG_4] - \Pr[AskG_3]| \le \frac{q_D}{2^k}.$$
Game G_5: In this game, we modify the decryption oracle to reject all ciphertexts C such that the value K has not been queried to the random oracle G. If C is a valid ciphertext and (U, V) has been queried to the random oracle H, while G(K) has not been queried, the rule of this game would cause a difference (from game G_4). Since $V = G(K) \oplus m$ and we have assumed that G(K) has not been queried, V is independent of the view of A_CCA. Furthermore, since we have assumed that C is valid, V has been queried to H, and this happens with probability at most $q_H/2^k$. Summing up over all decryption queries, we have
$$|\Pr[AskG_5] - \Pr[AskG_4]| \le \frac{q_D q_H}{2^k}.$$
Game G_6: In this game, we modify the decryption oracle in the previous game to yield a decryption oracle simulator which decrypts a submitted decryption query C = (U, V, W) without the private key. Note that the cases when H(U, V) and G(K) have not been queried are excluded in this game, since these cases were already dealt with in the previous games. That is, we assume that H(U, V) and G(K) have been queried at some point. Now we describe the complete specification of the decryption oracle simulator. Note in the following that the decryption oracle simulator is provided with an input ciphertext C = (U, V, W).
  Extract ⟨(U, V), H⟩ from HList.
  If e(P, W) = e(U, H)
    Compute K = (1/s)W. (Since W = rH = rsY, this gives rY = K.)
    Extract ⟨K, G⟩ from GList.
    Compute $m = V \oplus G$.
    Return m.
  Else reject C.
Note that the above decryption oracle simulator perfectly simulates the real decryption oracle since H(U, V) and G(K) have been previously queried. Thus, we get
$$\Pr[AskG_6] = \Pr[AskG_5].$$
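The oracle programming of game G_3 (GList, and HList with H = sY), the two rejection rules of games G_4 and G_5, and the private-key-free decryption of game G_6 can be put together in one runnable model. The following is an added example, not the paper's code. It replaces the GDH group by the order-q subgroup of Z_p^* with p = 2039, q = 1019 and generator g = 4 (constructed toy values), written multiplicatively so that pow(g, a, p) plays the role of aP. The simulator holds only the public key Y. Because this toy group has no pairing, the check e(P, W) = e(U, H) is replaced by ddh_check(), which brute-forces discrete logarithms over the 1019-element subgroup; that is purely a stand-in for the DDH oracle a gap group provides and is not something any party could do at real parameter sizes. The names Simulator, ddh_check, encrypt and demo are the example's own.

```python
"""Toy model of the decryption oracle simulator of games G_3 to G_6
(added example, not the paper's code).

The GDH group is replaced by the order-q subgroup of Z_p^* with p = 2039,
q = 1019 and generator g = 4, written multiplicatively. The pairing test
e(P, W) = e(U, H) is replaced by a brute-force discrete-log table, which is
only a stand-in for the DDH oracle of a gap group.
"""
import secrets

P_MOD, Q_ORD, GEN = 2039, 1019, 4    # constructed toy group parameters
L_BITS = 16                           # plaintext length l (toy value)

# Discrete-log table of the whole order-q subgroup (1019 entries); this is
# what makes the toy DDH check possible and is infeasible at real sizes.
DLOG = {pow(GEN, a, P_MOD): a for a in range(Q_ORD)}


def ddh_check(U, H, W):
    """(P, U, H, W) is a Diffie-Hellman tuple iff W = (log_P H) U."""
    return W == pow(U, DLOG[H], P_MOD)


class Simulator:
    """Programs the random oracles G and H and answers decryption queries
    without the private key, following the rules of games G_3 to G_6."""

    def __init__(self, Y):
        self.Y = Y            # public key Y = xP; x is never given to us
        self.GList = {}       # K -> G(K)
        self.HList = {}       # (U, V) -> (H, s) with H = H(U, V) = sY

    def G(self, K):
        if K not in self.GList:
            self.GList[K] = secrets.randbits(L_BITS)
        return self.GList[K]

    def H(self, U, V):
        if (U, V) not in self.HList:
            s = secrets.randbelow(Q_ORD - 1) + 1
            self.HList[(U, V)] = (pow(self.Y, s, P_MOD), s)
        return self.HList[(U, V)][0]

    def decrypt(self, C):
        """Returns the plaintext, or None when the ciphertext is rejected."""
        U, V, W = C
        if (U, V) not in self.HList:          # G_4: H(U, V) never queried
            return None
        H, s = self.HList[(U, V)]
        if not ddh_check(U, H, W):            # e(P, W) != e(U, H): invalid
            return None
        K = pow(W, pow(s, -1, Q_ORD), P_MOD)  # (1/s)W = rY, the DH key
        if K not in self.GList:               # G_5: G(K) never queried
            return None
        return V ^ self.GList[K]              # m = V xor G(K)


def encrypt(sim, Y, m):
    """Honest encryption through the simulated oracles: U = rP, K = rY,
    V = G(K) xor m, H = H(U, V), W = rH."""
    r = secrets.randbelow(Q_ORD - 1) + 1
    U, K = pow(GEN, r, P_MOD), pow(Y, r, P_MOD)
    V = sim.G(K) ^ m
    W = pow(sim.H(U, V), r, P_MOD)
    return (U, V, W)


def demo(m=0xBEEF):
    """Returns (decryption of an honest ciphertext, result for a tampered W,
    result for an unqueried (U, V)); the last two should be None."""
    x = secrets.randbelow(Q_ORD - 1) + 1      # used only to form the key pair
    Y = pow(GEN, x, P_MOD)
    sim = Simulator(Y)
    U, V, W = encrypt(sim, Y, m)
    good = sim.decrypt((U, V, W))
    bad_w = sim.decrypt((U, V, W * GEN % P_MOD))     # breaks the DH relation
    bad_uv = sim.decrypt((U, V ^ 1, W))              # H(U, V') never queried
    return good, bad_w, bad_uv


if __name__ == "__main__":
    print(demo())
```

The tampered-W query is rejected by the DDH check, and the query with a fresh (U, V) is rejected under the G_4 rule; an honest ciphertext decrypts correctly even though the simulator never learns x, which is exactly the property the games G_3 to G_6 establish.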
Now we put all the bounds we have obtained in each game together.
$$\frac{1}{2}\mathrm{Succ}^{IND\text{-}CCA}(A_{CCA}) = |\Pr[S_0] - \Pr[S_2]| \le \Pr[AskG_2] \le \Pr[AskG_4] + \frac{q_D}{2^k} \le \frac{q_D}{2^k} + \frac{q_H q_D}{2^k} + \Pr[AskG_6] \le \frac{q_D + q_H q_D}{2^k} + \mathrm{Succ}^{CDH}(A_{CDH}).$$
Considering the running time $t_{CDH}$ of A_CDH, we have
$$\frac{1}{2}\mathrm{Succ}^{IND\text{-}CCA}(t_{CCA}, q_G, q_H, q_D) \le \mathrm{Succ}^{CDH}(t_{CDH}) + \frac{q_D + q_H q_D}{2^k},$$
where $t_{CDH} = t_{CCA} + (q_G + q_H)\,O(k^3) + q_G q_H q_D\,O(k^3)$. □