$q$, to decide whether $c = ab$. Whereas, the CDH problem is to compute $abP$, given $(P, aP, bP)$.
The group $\mathcal{G}$ is called a GDH group if there exists an efficient algorithm for solving the DDH problem but there is no polynomial-time (in $|q|$) algorithm to solve the CDH problem. The first example of such a group was given by Joux and Nguyen [21], who used the bilinear map on certain elliptic curves to construct such groups. We review this in more detail as follows.
First, we briefly review the bilinear map. Let $p$ be a prime. Let $E$ be an elliptic curve over $\mathbb{F}_{p^n}$ for some positive integer $n$. Let $E[q]$ be the $q$-torsion subgroup of $E$, that is, $E[q] = \{P \in E \mid qP = O\}$ where $q$ is a prime. The Weil (or Tate) pairing is a map $e : E[q] \times E[q] \to \mathbb{F}_{p^{\alpha n}}^{*}$, where $\alpha$ is the least positive integer (called a multiplier) such that $q \mid p^{\alpha n} - 1$, with the following properties.
Identity: For all $R \in E[q]$, $e(R, R) = 1$.
Bilinear: For all $R_1, R_2 \in E[q]$ and $a, b \in \mathbb{Z}$, $e(aR_1, bR_2) = e(R_1, R_2)^{ab}$.
Non-degenerate: If for $R \in E[q]$, $e(R, R') = 1$ for all $R' \in E[q]$, then $R = O$.
Computable: For all $R_1, R_2 \in E[q]$, the pairing $e(R_1, R_2)$ is efficiently computable.
Suppose that $q$ divides $\#E(\mathbb{F}_{p^n})$ with a small cofactor. Suppose that we also have a non-$\mathbb{F}_{p^n}$-rational map $\phi : E \to E$. Then $\mathcal{G} \stackrel{\text{def}}{=} E(\mathbb{F}_{p^n})[q]$ is a group where a non-degenerate and efficiently computable bilinear map $\hat{e} : \mathcal{G} \times \mathcal{G} \to \mathbb{F}_{p^{\alpha n}}^{*}$ exists, which is called the modified Weil pairing [8]. Note that the bilinear map $\hat{e}$ is defined by $\hat{e}(P, Q) = e(P, \phi(Q))$.
The group $\mathcal{G}$ constructed above satisfies the property of the GDH group, namely, the DDH problem is easy but the CDH problem is still hard. We briefly describe how this can be done. Suppose we have a tuple $(P, aP, bP, cP)$, where $a, b, c \in \mathbb{Z}_q$. The pairing provides an efficient algorithm for determining whether $c = ab$ by checking whether $e(P, cP) = e(aP, bP)$.
On the one hand, it was bad news that the DDH assumption, a widely accepted computational primitive that can be applied to the security proofs of many cryptographic schemes, is indeed very strong. On the other hand, a new chance was created that this special group can yield cryptographic schemes of useful structure.
In fact, cryptographic schemes based on the GDH group are emerging these days. Such schemes include Boneh et al.'s short signature scheme [9], Lysyanskaya's unique signature scheme [23] and, more recently, Boldyreva's construction [7] of various signature schemes based on Boneh et al.'s short signature scheme.
Footnote 2: Throughout this paper, the operation in $\mathcal{G}$ is denoted by $+$ (addition).
2 Publicly Checkable Encryption Scheme From the GDH Group
2.1 Discussions on Publicly Checkable Encryption
It is a common practice in designing public key crytosystems secure against chosen ciphertext
attacks to include validity check of ciphertexts. However, in many public key cryptosystems,
e.g., [1, 5, 6, 12, 17, 26, 27, 37], validity check can be done only if the verier (or receiver) knows
the private key. Only a few schemes have known to be publicly checkable, e.g., [2, 24, 35, 36].
But, as observed by Lim and Lee [22], publicly checkable cryptosystems are particularly useful
for designing threshold cryptosystems. The main reason is that in the threshold cryptosystem
the attacker has decryption shares as additional information, as well as decryption of chosen
plaintexts, which will be illustrated more precisely in the following.
Imagine that in the non-publicly checkable cryptosystems, the attacker slightly modies
a target ciphertext, say, just changes the least signicant bit of it. Note that the trapdoor
permutation part of the scheme in [6] or the ElGamal encryption part of the schemes in
[1, 26, 37] do not change under this modication. Although the modied target ciphertext is
actually not valid, we dont know its validity until after all the (necessary) decryption shares
are gathered and combined. However, before the decision is made, there is a big chance that the
attacker might have gathered enough decryption shares to invert the trapdoor permutation
part or the ElGamal encryption part of target ciphertexts of such schemes, which makes the
validity test useless.
In the schemes in [2, 24, 35, 36], the public checkability is provided with non-interactive
zero-knowledge proofs (of language membership [35] or knowledge [2, 24, 36]) on ciphertexts.
However, these zero-knowledge proofs make the schemes complex, computationally inecient
and importantly, causes ciphertext-length expansion. But our publicly checkable encryption
scheme presented below does not have a non-interactive zero-knowledge proof due to the special
property of the GDH group on which the scheme is dened.
2.2 Description of the Scheme $\mathcal{PCCG}$
We describe our publicly checkable cryptosystem based on the GDH group, $\mathcal{PCCG} = (\mathsf{K}, \mathsf{E}, \mathsf{D})$. Note that the formal definition and security notion for a generic public key cryptosystem are given in Appendices A.1 and A.2, respectively.
Assume that the GDH group $\mathcal{G}$ with order $q$ and its generator $P$ are shared among the parties. Note that throughout this paper, we denote the GDH group by $\mathcal{G}$.
We need two hash functions $G$ and $H$ modelled as random oracles:
$$G : \mathcal{G} \to \{0, 1\}^{l} \quad \text{and} \quad H : \mathcal{G} \times \{0, 1\}^{l} \to \mathcal{G}.$$
Now we describe the key generation, encryption and decryption algorithms, denoted by $\mathsf{K}$, $\mathsf{E}$ and $\mathsf{D}$ respectively, as follows.
$\mathsf{K}(k)$: On input a security parameter $k$, this algorithm picks $x$ uniformly at random from $\mathbb{Z}_q$ and computes $Y = xP$. The public key $pk$ is $Y$ and the private key $sk$ is $x$.
$\mathsf{E}_{pk}(m)$: given a plaintext message $m \in \{0, 1\}^{l}$ and a random value $r$ uniformly chosen from $\mathbb{Z}_q$, it computes
$$U = rP, \quad V = G(rY) \oplus m \quad \text{and} \quad W = rH(U, V)$$
and outputs the ciphertext $C = (U, V, W)$.
$\mathsf{D}_{sk}(C)$: given a ciphertext $C$, it computes $H = H(U, V)$. If $e(P, W) = e(U, H)$ then the algorithm computes $m = G(xU) \oplus V$ and returns $m$; otherwise, it returns Reject.
2.3 Security Analysis for the Scheme $\mathcal{PCCG}$
In this section, we prove that the scheme $\mathcal{PCCG}$ described in the previous section is secure against adaptive chosen ciphertext attack in the random oracle model, relative to the CDH problem on the GDH group $\mathcal{G}$.
For completeness, we formally define the CDH problem on the group $\mathcal{G}$ as follows.
Definition 1 (CDH) Let $\mathcal{G}$ denote the GDH group of prime order $q$ as defined above. Let $P$ be a generator of $\mathcal{G}$. Now we consider a probabilistic polynomial time attacker $A_{CDH}$ that tries to compute $abP$, given $(P, aP, bP) \in \mathcal{G}$ for $a, b \in \mathbb{Z}_q$.
We define the attacker $A_{CDH}$'s success by the probability
$$\mathrm{Succ}^{CDH}(A_{CDH}) = \Pr[A_{CDH} \text{ outputs } abP].$$
We denote by $\mathrm{Succ}^{CDH}(t_{CDH})$ the maximal success probability $\mathrm{Succ}^{CDH}(A_{CDH})$ over all attackers whose running time is bounded by $t_{CDH}$.
Now we state a result of the security analysis on the scheme $\mathcal{PCCG}$.
Theorem 1 The scheme $\mathcal{PCCG}$ is secure against adaptive chosen ciphertext attack in the random oracle model, relative to the CDH problem on the group $\mathcal{G}$. More precisely,
$$\frac{1}{2}\mathrm{Succ}^{\mathrm{IND\text{-}CCA}}_{\mathcal{PCCG}}(t_{CCA}, q_G, q_H, q_D) \le \mathrm{Succ}^{CDH}(t_{CDH}) + \frac{q_D + q_H q_D}{2^{k}},$$
where $t_{CDH} = t_{CCA} + (q_G + q_H)\,O(k^{3}) + q_G q_H q_D\,O(k^{3})$. Here, $q_G$, $q_H$ and $q_D$ denote the number of queries made by $A_{CCA}$ to the random oracles $G$ and $H$ and the decryption oracle, respectively.
The full proof is given in Appendix B; however, we briefly explain here how to construct a decryption oracle simulator for the scheme $\mathcal{PCCG}$, which can actually extract a Diffie-Hellman key in the ElGamal encryption part by exploiting the validity test (checking whether $e(P, W) = e(U, H)$) in the scheme.
Let $C = (U, V, W) = (rP, G(rY) \oplus m, rH(U, V))$ be an attacker's decryption query. Assume that $C$ is legitimate. Suppose that the simulator sets $H \stackrel{\text{def}}{=} H(U, V) = tY$ for $t$ picked uniformly at random from $\mathbb{Z}_q$ (this is possible under the assumption that $H$ is modelled as a random oracle). Since $C$ is legitimate, $(P, U, H, W)$ should be a Diffie-Hellman tuple, which is publicly checkable by checking whether $e(P, W) = e(U, H)$. More precisely, we have
$$(P, U, H, W) = (P, rP, tY, r(tY)) = (P, rP, txP, rtxP).$$
Since $r, t, x \in \mathbb{Z}_q$, it is clear that the above tuple is a Diffie-Hellman one.
Because the simulator knows $t$, it can compute $(1/t)W$ $(= (1/t)(trY) = rY)$, and this is the Diffie-Hellman key $rY$ which the simulator wanted to find. Once $rY$ is extracted, decryption of $C$ is straightforward.
3 Threshold Cryptosystem From the GDH Group
3.1 Security Notion for Threshold Cryptosystem
In this section we review the basic definition of a $(t, n)$-threshold cryptosystem and its security notion against chosen ciphertext attack. The definitions reviewed in this section can be found in [35].
Definition 2 (Threshold Cryptosystem) In a threshold cryptosystem, we assume the existence of a trusted dealer who runs a key generation algorithm to output a public key and a verification key, and distributes a share of the private key to each decryption server.
Given the public key, a sender encrypts a plaintext by running an encryption algorithm. Given the ciphertext, a receiver requests the decryption servers to generate their decryption shares. The receiver can check the validity of the shares by running a decryption share verification algorithm. When the receiver collects valid decryption shares from at least $t$ servers, the ciphertext can be decrypted by running a share combining algorithm.
Below, we describe the above mentioned algorithms in detail.
- A randomized key generation algorithm $\mathsf{K}(k, n, t)$ which, on input a security parameter $k$, the number $n$ of decryption servers and the threshold parameter $t$, generates $(pk, vk, sk)$ where $pk$ is the public key, $vk$ is the verification key and $sk = (sk_1, sk_2, \ldots, sk_n)$ is the list of private keys.
- A randomized encryption algorithm $\mathsf{E}_{pk}(m)$ which, on input the public key $pk$ and a plaintext $m$, outputs a ciphertext $C$.
- A decryption share generation algorithm $\mathsf{D}_{sk_i}(C)$ which, on input a private key $sk_i$ and a ciphertext $C$, outputs a decryption share $D_i$.
- A decryption share verification algorithm $\mathsf{V}_{vk}(C, D_i)$ which, on input the verification key $vk$, a ciphertext $C$ and a decryption share $D_i$, outputs valid or invalid.
- A share combining algorithm $\mathsf{SC}_{vk}(C, \{D_i\}_{i \in \Phi})$ which, on input the verification key $vk$, a ciphertext $C$ and a set of decryption shares $\{D_i\}_{i \in \Phi}$, outputs a plaintext $m$. Here, the cardinality of $\Phi$ is at least $t$ (the threshold parameter). Note that the combining algorithm is allowed to output a symbol $\perp$, which is distinct from all possible plaintexts.
Definition 3 (THD-IND-CCA) Now we review the semantic security notion against adaptive chosen ciphertext attack for a threshold cryptosystem, which we call THD-IND-CCA, given in [35]. Consider an attacker $A_{CCA}$ in the following game. The game consists of several stages.
Corrupt: $A_{CCA}$ corrupts a fixed subset of $t - 1$ servers.
Setup: The key generation algorithm on input a security parameter $k$ is run. The private keys of the corrupted servers, the public key and the verification key (all of which are output by the key generation algorithm) are given to $A_{CCA}$. However, the private keys of the uncorrupted servers are kept secret from $A_{CCA}$.
Phase 1: $A_{CCA}$ adaptively interacts with the uncorrupted decryption servers, submitting ciphertexts and obtaining decryption shares.
Challenge: $A_{CCA}$ chooses two equal length plaintexts $(m_0, m_1)$. If these are given to the encryption algorithm then it chooses $b \in \{0, 1\}$ at random and returns a target ciphertext $C^{*} = \mathsf{E}_{pk}(m_b)$ to $A_{CCA}$.
Phase 2: $A_{CCA}$ adaptively interacts with the uncorrupted decryption servers, submitting ciphertexts and obtaining decryption shares. However, the target ciphertext $C^{*}$ is not allowed to be queried to the decryption servers.
Guess: $A_{CCA}$ outputs a guess $b' \in \{0, 1\}$.
We define the attacker $A_{CCA}$'s success probability by
$$\mathrm{Succ}^{\mathrm{THD\text{-}IND\text{-}CCA}}(A_{CCA}) = 2\Pr[b' = b] - 1.$$
The probability is over the random bits used by the experiment and the attacker. We denote by $\mathrm{Succ}^{\mathrm{THD\text{-}IND\text{-}CCA}}(t_{CCA}, q_D)$ the maximal success probability $\mathrm{Succ}^{\mathrm{THD\text{-}IND\text{-}CCA}}(A_{CCA})$ over all attackers whose running time and number of queries to the decryption share generation oracles are bounded by $t_{CCA}$ and $q_D$, respectively.
3.2 Description of the Scheme $\mathcal{TCG}$
We describe our threshold cryptosystem from the GDH group, $\mathcal{TCG} = (\mathsf{K}, \mathsf{E}, \mathsf{D}, \mathsf{V}, \mathsf{SC})$.
3.2.1 Preliminary: Shamir's Secret Sharing Scheme
We use Shamir's $(t, n)$ threshold secret sharing scheme [31] to share a private key. More precisely, it can be described as follows.
Setup: Let $q$ be a prime and $1 \le t \le n < q$. Let $x \in \mathbb{Z}_q$ be a secret to share. A dealer picks $a_1, a_2, \ldots, a_{t-1}$ at random from $\mathbb{Z}_q$, sets $a_0 = x$ and defines a polynomial $\mathrm{Poly}(X) = \sum_{j=0}^{t-1} a_j X^{j}$. The dealer transfers the $i$th share $x_i = \mathrm{Poly}(i) \in \mathbb{Z}_q$ along with the public index $i$ to the $i$th member among the $n$ members. For notational convenience, we assume that the $0$th share is the secret itself, that is, $x = x_0 = a_0$.
Pooling of Shares: Any subset of $t$ or more members pool their shares. Their shares provide $t$ distinct points $(i, x_i)$ allowing computation of the coefficients $a_j$, $1 \le j \le t - 1$, of $\mathrm{Poly}(X)$ by the Lagrange interpolation given below.
For $\Phi \subseteq \mathbb{Z}_q$ of cardinality $k$, any $i \in \mathbb{Z}_q$, and any $j \in \Phi$, there exists an element $\lambda^{\Phi}_{ij} \in \mathbb{Z}_q$ such that
$$\mathrm{Poly}(i) = \sum_{j \in \Phi} \lambda^{\Phi}_{ij} x_j.$$
Note that the computation of $\lambda^{\Phi}_{ij}$ is easy, namely, it can be done in polynomial time.
Note also that Shamir's scheme satisfies perfectness, meaning that given knowledge of $t - 1$ or fewer shares, all values $x \in \mathbb{Z}_q$ of the shared secret remain equally probable.
3.2.2 Threshold Cryptosystem from the GDH Group
Assume that the GDH group $\mathcal{G}$ with order $q$ and its generator $P$ are shared among the parties. We need two hash functions $G$ and $H$ modelled as random oracles:
$$G : \mathcal{G} \to \{0, 1\}^{l} \quad \text{and} \quad H : \mathcal{G} \times \{0, 1\}^{l} \to \mathcal{G}.$$
Now we describe each algorithm $\mathsf{K}, \mathsf{E}, \mathsf{D}, \mathsf{V}, \mathsf{SC}$ as follows.
$\mathsf{K}(k, n, t)$: Given a security parameter $k$, the number $n$ of decryption servers and a threshold parameter $t$, this algorithm picks $a_0, a_1, \ldots, a_{t-1}$ uniformly at random from $\mathbb{Z}_q$ and defines a polynomial $\mathrm{Poly}(X) = \sum_{j=0}^{t-1} a_j X^{j}$. Then, for $0 \le i \le n$, this algorithm sets $x_i = \mathrm{Poly}(i) \in \mathbb{Z}_q$ and computes $Y_i = x_i P$. Without loss of generality, it sets $x \stackrel{\text{def}}{=} a_0 = \mathrm{Poly}(0)$ and $Y \stackrel{\text{def}}{=} Y_0 = xP$. Finally, it outputs a public key $pk = Y$, a verification key $vk = (pk, Y_1, Y_2, \ldots, Y_n)$ and a private key $sk = \{sk_i = (pk, i, x_i)\}$ for $1 \le i \le n$.
$\mathsf{E}_{pk}(m)$: given a plaintext message $m \in \{0, 1\}^{l}$ and a random value $r$ uniformly chosen from $\mathbb{Z}_q$, it computes
$$U = rP, \quad V = G(rY) \oplus m \quad \text{and} \quad W = rH(U, V)$$
and outputs the ciphertext $C = (U, V, W)$.
$\mathsf{D}_{sk_i}(C)$: given a ciphertext $C$, it computes $H = H(U, V)$ and checks if $e(P, W) = e(U, H)$. If this test holds, it computes $U_i = x_i U$ and outputs $D_i = (i, U_i)$. Otherwise, it returns $(i, \perp)$.
$\mathsf{V}_{vk}(C, D_i)$: computes $H = H(U, V)$ and checks if $e(P, W) = e(U, H)$. If this test holds then this algorithm does the following:
    If $D_i$ is of the form $(i, \perp)$, output invalid.
    Else do the following:
        Parse $D_i$ as $(i, U_i)$.
        Check if $e(P, U_i) = e(U, Y_i)$.
        If the test above holds, output valid, else output invalid.
Otherwise, do the following:
    If $D_i$ is of the form $(i, \perp)$, output valid, else output invalid.
$\mathsf{SC}_{vk}(C, \{D_i\}_{i \in \Phi})$ where $\Phi$ has cardinality $t$: computes $H = H(U, V)$. If $e(P, W) = e(U, H)$ then it computes $m = G(\sum_{i \in \Phi} \lambda^{\Phi}_{0i} U_i) \oplus V$ and outputs $m$. Otherwise, it outputs $\perp$ (see Footnote 3).
Footnote 3: In this case, all the decryption shares are of the form $(i, \perp)$ due to the validity test of $C$ in the decryption share generation/verification algorithms run before.
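As an added illustration (this code is not from the paper), the following Python runs the algorithms $\mathsf{K}$, $\mathsf{E}$, $\mathsf{D}_{sk_i}$, $\mathsf{V}$ and $\mathsf{SC}$ of $\mathcal{TCG}$ end to end, including the Shamir sharing of Section 3.2.1 and the Lagrange combining in $\mathsf{SC}$. It assumes a constructed stand-in for the GDH group, the additive group $\mathbb{Z}_q$ with $P = 1$ and pairing $e(R_1, R_2) = R_1 R_2 \bmod q$, plus SHA-256-based stand-ins for $G$ and $H$, so it exercises the scheme's checks and algebra but has no security of its own.

```python
"""Toy run of the threshold scheme TCG of this section: Shamir sharing of x,
the public pairing check on ciphertexts, share generation/verification and
Lagrange combining.  Written for this page; not the paper's code."""
import hashlib
import secrets

# Constructed stand-in for the GDH group: the additive group Z_q with generator
# P = 1, so "aP" is a mod q.  The stand-in pairing e(R1, R2) = R1*R2 mod q is
# bilinear, which is all the scheme's checks rely on.  Discrete logs are trivial
# here, so this exercises the algebra and control flow only, not the security.
Q = 2**127 - 1          # prime group order q
P = 1                   # generator
L = 16                  # message length in bytes (l = 128 bits)

def mul(a, R):          # scalar multiplication aR
    return (a * R) % Q

def pairing(R1, R2):    # e(R1, R2), bilinear map into Z_q written additively
    return (R1 * R2) % Q

def G(K):               # G : group -> {0,1}^l, modelled as a random oracle
    return hashlib.sha256(b"G" + K.to_bytes(16, "big")).digest()[:L]

def H(U, V):            # H : group x {0,1}^l -> group (MapToGroup stand-in)
    d = hashlib.sha256(b"H" + U.to_bytes(16, "big") + V).digest()
    return int.from_bytes(d, "big") % Q

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def lagrange_at_zero(indices):
    """lambda_{0i} for i in Phi, so that Poly(0) = sum_i lambda_{0i} Poly(i)."""
    coeffs = {}
    for i in indices:
        num, den = 1, 1
        for j in indices:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        coeffs[i] = num * pow(den, -1, Q) % Q
    return coeffs

def keygen(n, t):
    """K(k, n, t): Shamir-share x = a_0 over n servers, publish Y_i = x_i P."""
    a = [secrets.randbelow(Q) for _ in range(t)]              # a_0 .. a_{t-1}
    poly = lambda X: sum(aj * pow(X, j, Q) for j, aj in enumerate(a)) % Q
    x = [poly(i) for i in range(n + 1)]                        # x_0 is the secret
    Y = [mul(xi, P) for xi in x]
    pk, vk = Y[0], (Y[0], Y[1:])
    sk = [(pk, i, x[i]) for i in range(1, n + 1)]
    return pk, vk, sk

def encrypt(pk, m):
    """E_pk(m): U = rP, V = G(rY) xor m, W = r H(U, V)."""
    r = secrets.randbelow(Q - 1) + 1
    U = mul(r, P)
    V = xor(G(mul(r, pk)), m)
    return (U, V, mul(r, H(U, V)))

def valid_ciphertext(C):
    """Public check: (P, U, H(U,V), W) must be a Diffie-Hellman tuple."""
    U, V, W = C
    return pairing(P, W) == pairing(U, H(U, V))

def decryption_share(sk_i, C):
    """D_{sk_i}(C): (i, x_i U) if C passes the check, else (i, None) for (i, bot)."""
    _, i, x_i = sk_i
    return (i, mul(x_i, C[0])) if valid_ciphertext(C) else (i, None)

def verify_share(vk, C, D_i):
    """V_vk(C, D_i): for valid C, e(P, U_i) = e(U, Y_i) holds iff U_i = x_i U."""
    _, Y = vk
    i, U_i = D_i
    if valid_ciphertext(C):
        return U_i is not None and pairing(P, U_i) == pairing(C[0], Y[i - 1])
    return U_i is None

def combine(vk, C, shares):
    """SC_vk(C, {D_i}): xU = sum lambda_{0i} U_i, then m = G(xU) xor V."""
    if not valid_ciphertext(C):
        return None
    lam = lagrange_at_zero([i for i, _ in shares])
    xU = sum(mul(lam[i], U_i) for i, U_i in shares) % Q
    return xor(G(xU), C[1])

def demo(n=5, t=3):
    """Round trip with t servers, plus a tampered ciphertext and a forged share."""
    pk, vk, sk = keygen(n, t)
    m = b"threshold-msg-01"
    C = encrypt(pk, m)
    servers = range(n - t + 1, n + 1)                   # any t servers will do
    shares = [decryption_share(sk[i - 1], C) for i in servers]
    all_valid = all(verify_share(vk, C, D) for D in shares)
    U, V, W = C
    tampered = (U, bytes([V[0] ^ 1]) + V[1:], W)        # flip one bit of V
    rejected = decryption_share(sk[0], tampered) == (1, None)
    forged_ok = verify_share(vk, C, (1, mul(7, U)))     # wrong share for server 1
    return combine(vk, C, shares) == m, all_valid, rejected, forged_ok
```

`demo()` returns `(True, True, True, False)`: the $t$ honest shares recover $m$, every share verifies, the tampered ciphertext is refused before any share is produced, and the forged share is flagged invalid.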
3.3 Security Analysis for the Scheme $\mathcal{TCG}$
In this section, we analyze the security of the threshold cryptosystem described in the previous section. Note that we use the new proof methodology introduced by Shoup in [33] and refined in [18] for a more precise analysis.
Theorem 2 The $(t, n)$-threshold cryptosystem $\mathcal{TCG}$ is secure against adaptive chosen ciphertext attack in the random oracle model, relative to the CDH problem. More precisely,
$$\frac{1}{2}\mathrm{Succ}^{\mathrm{THD\text{-}IND\text{-}CCA}}_{\mathcal{TCG}}(t_{CCA}, q_G, q_H, q_D) \le \mathrm{Succ}^{CDH}(t_{CDH}) + \frac{q_D + q_H q_D}{2^{k}},$$
where $t_{CDH} = t_{CCA} + (q_G + n)\,O(k^{3}) + q_H\,O(k^{3}) + q_G q_H q_D\,O(k^{3})$. Here, $q_G$, $q_H$ and $q_D$ denote the number of queries made by $A_{CCA}$ to the random oracles $G$ and $H$ and the decryption oracles, respectively.
Proof. First, we define notations and conventions. Let $A_{CCA}$ be an attacker that defeats the semantic security of the scheme $\mathcal{TCG}$ against adaptive chosen ciphertext attack. We denote by $C = (U, V, W)$ a decryption query made by the attacker $A_{CCA}$ to the decryption oracle. Especially, we use $C^{*} = (U^{*}, V^{*}, W^{*})$
$\mathbb{Z}_q$ and a polynomial $\mathrm{Poly}(X) = \sum_{j=0}^{t-1} a_j X^{j}$ is defined.
Next, $x_i = \mathrm{Poly}(i) \in \mathbb{Z}_q$ is computed for $0 \le i \le n$ and so is $Y_i = x_i P$. Being set as $x \stackrel{\text{def}}{=} \mathrm{Poly}(0)$ and $Y \stackrel{\text{def}}{=} Y_0 = xP$, a public key $pk = Y$, a verification key $vk = (pk, Y_1, Y_2, \ldots, Y_n)$ and a private key $sk = \{sk_i = (pk, i, x_i)\}$ for $1 \le i \le n$ are returned. The public key $pk$ and the verification key $vk$ are provided as input to $A_{CCA}$.
After $A_{CCA}$ submits a pair of plaintexts $(m_0, m_1)$, a target ciphertext $C^{*} = (U^{*}, V^{*}, W^{*})$ is created as follows. For $b \leftarrow_R \{0, 1\}$,
$$U^{*} = r^{*}P, \quad V^{*} = G(K^{*}) \oplus m_b, \quad \text{and} \quad W^{*} = r^{*}H^{*},$$
where $K^{*} = r^{*}Y$ for $r^{*} \leftarrow_R \mathbb{Z}_q$ and $H^{*} = H(U^{*}, V^{*})$.
On input $C^{*}$, $A_{CCA}$ outputs $b'$. We denote by $S_0$ the event $b' = b$
$\mathbb{Z}_q$ and compute $Y_i = \lambda_{i0} Y + \sum_{j=1}^{t-1} (x_j \lambda_{ij}) P$ for $t \le i \le n$.
Now we set $pk \stackrel{\text{def}}{=} Y = bP$ and $U^{*} \stackrel{\text{def}}{=} aP$. (Note that $aP$ and $bP$ are the parameters given to the attacker $A_{CDH}$.) Then, we choose $K^{+}$ uniformly at random from $\mathcal{G}$ and set $K^{*} \stackrel{\text{def}}{=} K^{+}$. We also choose $G^{+}$ uniformly at random from $\{0, 1\}^{l}$ and set $G^{+} \stackrel{\text{def}}{=} G(K^{*})$. Then, we set $V^{*} \stackrel{\text{def}}{=} G^{+} \oplus m_b$. As a result, $K^{*}$ and $G(K^{*})$
$\mathbb{Z}_q$ and compute $s^{+}P$. We set $H^{*} = H(U^{*}, V^{*}) \stackrel{\text{def}}{=} s^{+}P$. Also, we compute $s^{+}U^{*}$ and set $W^{*} \stackrel{\text{def}}{=} s^{+}U^{*}$. We summarize the modifications as the following rules.
R1-1 $K^{*} = K^{+}$, $U^{*} = aP$, $Y = bP$, $V^{*} = G^{+} \oplus m_b$, $W^{*} = s^{+}U^{*}$ and $H^{*} = s^{+}P$.
R1-2 Whenever the random oracle $G$ is queried at $K^{+}$, the answer is $G^{+}$.
R1-3 Whenever the random oracle $H$ is queried at $(U^{*}, V^{*})$, the answer is $s^{+}P$.
Note that since $G$ is a random oracle, $G(K^{*})$ and $G^{+}$ have the same distribution. Since the output of the random oracle $H$ is uniformly distributed in $\mathcal{G}$ and so is $s^{+}P$ for $s^{+} \leftarrow_R \mathbb{Z}_q$, $H^{*}$ and $s^{+}P$ are identically distributed. Similarly, $W^{*}$ and $s^{+}U^{*}$
$H^{*}, W^{*}) = e(U^{*}, H^{*})$ by the construction of $H^{*}$ and $W^{*}$
$C^{*} = (U^{*}, V^{*}, W^{*})$ remains the same as in the previous game. Thus, we have
$$\Pr[S_1] = \Pr[S_0].$$
Game $\mathbf{G}_2$: In this game, we drop the rule R1-2 above but hold the rule R1-3 (hereafter, we hold the rule R1-3). As a result, $G^{+}$ appears only in $V^{*}$. Let $\mathsf{AskG}_2$ denote the event that, in game $\mathbf{G}_2$, $G$ is queried at $K^{*}$. (However, we exclude the case that $K$
$\mathbb{Z}_q$ and
computes $H = sY$ and returns $H$ as the answer to $A_{CCA}$. Similarly, let $\mathsf{HList}$ be the set of all query-answer pairs for the random oracle $H$. More specifically, $\mathsf{HList}$ consists of the pairs $((U, V), H)$ where $H = H(U, V) = sY$. Notice that all these lists grow as $A_{CCA}$'s attack proceeds.
Note that the above simulation of $G$ and $H$ is perfect due to the randomness of the distributions of the outputs of $G$ and $H$. Then, we have
$$\Pr[\mathsf{AskG}_3] = \Pr[\mathsf{AskG}_2].$$
Note that the decryption oracle has been regarded as perfect up to this game. The rest of the games will deal with the simulation of the decryption oracle.
Game $\mathbf{G}_4$: In this game, we make the decryption oracle reject all ciphertexts $C = (U, V, W)$ such that $H \stackrel{\text{def}}{=} H(U, V)$ has not been queried. If $C$ is a valid ciphertext while $H(U, V)$ has not been queried, the games $\mathbf{G}_4$ and $\mathbf{G}_3$ may differ. By the simulation of the random oracles $G$ and $H$, if $C$ is valid then $(P, U, H, W)$ is a legitimate Diffie-Hellman tuple since
$$(P, U, H, W) = (P, rP, sY, rsY) = (P, rP, sxP, rsxP).$$
However, since we have assumed that $H$ has not been queried in this game, the above equality happens with probability at most $1/2^{k}$, since the output of the (simulated) random oracle $H$ is uniformly distributed in $\mathcal{G}$.
Summing up over all decryption queries, we have
$$|\Pr[\mathsf{AskG}_4] - \Pr[\mathsf{AskG}_3]| \le \frac{q_D}{2^{k}}.$$
Game $\mathbf{G}_5$: In this game, we modify the decryption oracle to reject all ciphertexts $C$ such that the value $K$ has not been queried to the random oracle $G$. If $C$ is a valid ciphertext and $(U, V)$ has been queried to the random oracle $H$, while $G(K)$ has not been queried, the rule of this game would cause a difference (from game $\mathbf{G}_4$). Since $V = G(K) \oplus m$ and we have assumed that $G(K)$ has not been queried, $V$ is independent of the view of $A_{CCA}$. Furthermore, since we have assumed that $C$ is valid, $V$ has been queried from $H$, and this happens with probability at most $q_H/2^{k}$.
Summing up over all decryption queries, we have
$$|\Pr[\mathsf{AskG}_5] - \Pr[\mathsf{AskG}_4]| \le \frac{q_D q_H}{2^{k}}.$$
Game $\mathbf{G}_6$: In this game, we modify the decryption oracle of the previous game to yield a decryption oracle simulator which decrypts a submitted decryption query $C = (U, V, W)$ without the private key. Note that the cases when $H(U, V)$ and $G(K)$ have not been queried are excluded in this game, since these cases were already dealt with in the previous games. That is, we assume that $H(U, V)$ and $G(K)$ have been queried at some point.
Now we describe the complete specification of the decryption oracle simulator. Note in the following that the decryption oracle simulator is provided with an input ciphertext $C = (U, V, W)$.
Extract (U, V ), H) from HList.
If e(P, W) = e(U, H)
Compute K = (1/s)W. (Note here that we have obtained the Die-Hellman
key rxP of U and Y without knowing r and x since (1/s)W = (1/s)rsY =
rY = rxP.)
For t i n, compute
U
i
= (
i0
/s)W +
t1
j=1
x
j
ij
U = r
i0
Y +
t1
j=1
rx
j
ij
P = r
i0
Y + (rY
i
r
i0
Y ) = rY
i
.
Return U
i
to each server P
i
.
Else reject C.
Once A
CDH
obtains U
i
= rY
i
, it can determine whether (P, U, Y
i
, U
i
) is a Die-Hellman
tuple by checking whether e(P, U
i
) = e(U, Y
i
) or not.
Note that the above decryption oracle simulator perfectly simulates the real decryption
oracle since H(U, V ) and G(K) have been previously queried. Thus, we get
Pr[AskG
6
] = Pr[AskG
5
].
Now we put all the bounds we have obtained in each game together.
$$\begin{aligned}
\frac{1}{2}\mathrm{Succ}^{\mathrm{THD\text{-}IND\text{-}CCA}}(A_{CCA}) &= |\Pr[S_0] - \Pr[S_2]| \le \Pr[\mathsf{AskG}_2] \le \Pr[\mathsf{AskG}_4] + \frac{q_D}{2^{k}} \\
&\le \frac{q_D}{2^{k}} + \frac{q_H q_D}{2^{k}} + \Pr[\mathsf{AskG}_6] \le \frac{q_D + q_H q_D}{2^{k}} + \mathrm{Succ}^{CDH}(A_{CDH}).
\end{aligned}$$
Considering the running time $t'$ of $A_{CDH}$, we have
$$\frac{1}{2}\mathrm{Succ}^{\mathrm{THD\text{-}IND\text{-}CCA}}(t, q_G, q_H, q_D) \le \mathrm{Succ}^{CDH}(t') + \frac{q_D + q_H q_D}{2^{k}},$$
where $t' = t + (q_G + q_H)\,O(k^{3}) + q_G q_H q_D\,O(k^{3})$. $\square$
4 Implementation Issues and Comparisons to Other Schemes
For the implementation of our threshold cryptosystem TGDH, the supersingular curves $y^{2} = x^{3} + 2x \pm 1$ over $\mathbb{F}_{3^n}$ with a multiplier $\alpha = 6$ might be the best choice in terms of computation and communication overheads. In this case, the Weil pairing maps the discrete logarithm in $E(\mathbb{F}_{3^n})$ into $\mathbb{F}_{3^{6n}}^{*}$. Note that these curves were used to construct Boneh et al.'s short signature [9], in which small values for $n$ provide short signatures: e.g. (see Footnote 4), an elliptic curve group $E(\mathbb{F}_{3^{97}})$ (whose size is 151 bits) provides a signature of length 154 bits with security comparable to the 923-bit discrete log security of the group $\mathbb{F}_{3^{6 \cdot 97}}^{*}$. Accordingly, the size of a ciphertext and a decryption share of TGDH is much smaller than those of, possibly, elliptic curve versions of the threshold cryptosystems in [35], [16] and [10].
Before discussing the computational efficiency of our scheme, we summarize the major computational overheads caused by the encryption, the decryption share generation/verification and the share combining algorithms. In the following table, "Hash comp." represents computation of the hash function $H$ only, which is more significant than that of the hash function $G$.
Table 1: The number of cryptographic operations for TGDH
Algorithm | Point mul. | Pairing comp. | Hash comp.
Encryption | 3 | 0 | 1
Decryption share generation | 1 | 2 | 1
Decryption share verification | 0 | 2 | 1
Share combining | 1 | 2 | 1
In TGDH, there are several validity checks of whether a given tuple is a Diffie-Hellman one or not, as the verification algorithm of Boneh et al.'s short signature scheme does. To run this check, we need two pairing (bilinear map) computations and a computation of the hash function $H$, which maps an arbitrary string to a group element and is constructed like the algorithm MapToGroup described in [9].
It was known that pairing computation, even the Tate pairing computation which is more efficient than computation of the Weil pairing, is far more expensive than point multiplication. For example, it was reported that the verification time of Boneh et al.'s short signature scheme is 2900 ms when the group $E(\mathbb{F}_{3^{97}})$ and the Tate pairing are used. However, a drastic improvement on pairing computation has been made quite recently by Barreto et al. [3]. Their result shows that when the Tate pairing is used, the verification time of the $E(\mathbb{F}_{3^{97}})$-Boneh et al.'s short signature scheme has been improved to 53 ms, which is nearly 55 times faster than the previous result. Hence, even from the computational point of view, our scheme is expected to have performance comparable to the most efficient threshold schemes so far, (elliptic curve versions of) TDH1 or TDH2 in [35], which involve a number of point multiplications (e.g., $rP$) and double multiplications (e.g., $rP + sQ$) in the decryption share generation/verification stages due to heavy zero-knowledge proofs.
5 Conclusion
In this paper, we have constructed a threshold cryptosystem from the GDH group, in which the DDH problem is easy but the CDH problem is hard. Our scheme is not only simple due to the elegant structure of the GDH group, but also enjoys the basic security requirements of a robust threshold cryptosystem: it is secure against adaptive chosen ciphertext attack, non-interactive and efficient in terms of computation and communication overheads.
References
[1] M. Abdala, M. Bellare and P. Rogaway: The Oracle Die-Hellman Assumptions and an Analysis
of DHIES, Proceedings of Topics in Cryptology - CT-RSA 2001, Vol. 2020 of LNCS, Springer-
Verlag 2001, pages 143158. Full version available at http : //www cse.ucsd.edu/users/mihir/.
[2] M. Abe: Securing Encryption + Proof of Knowledge in the Random Oracle Model, Proceedings
of Topics in Cryptology - CT-RSA 2002, Vol. 2271 of LNCS, Springer-Verlag 2002, pages 277289.
4
Note that to avoid the Weil-decent attacks [19], the values for n should be restricted to prime numbers.
13
[3] P. Barreto, H. Kim, B. Lynn and M. Scott: Ecient Algorithms for Pairing-Based Cryptosystems,
Advances in Cryptology - Proceedings of CRYPTO 2002, Vol. 2442 of LNCS, Springer-Verlag 2002,
pages 354369.
[4] M. Bellare, A. Desai, D. Pointcheval and P. Rogaway: Relations Among Notions of Security for
Public-Key Encryption Schemes, Advances in Cryptology - Proceedings of CRYPTO 98, Vol. 1462
of LNCS, Springer-Verlag 1998, pages 2645.
[5] M. Bellare and P. Rogaway: Optimal Asymmetric Encryption, Advances in Cryptology -
Proceedings of EUROCRYPT 94, Vol. 950 of LNCS, Springer-Verlag 1994, pages 92111.
[6] M. Bellare and P. Rogaway: Random Oracles are Practical: A Paradigm for Designing Ecient
Protocols, Proceedings of First ACM Conference on Computer and Communications Security 1993,
pages 6273.
[7] A. Boldyreva: Ecient Threshold Signatures, Multisignatures and Blind Signatures Based on the
Gap-Die-Hellman-group Signature Scheme, Proceedings of Public Key Cryptography 2003 (PKC
2003), Vol. 2567 of LNCS, Springer-Verlag 2003, pages 3146.
[8] D. Boneh and M. Franklin: Identity-Based Encryption from the Weil Pairing, Advances in Cryp-
tology - Proceedings of CRYPTO 2001, Vol. 2139 of LNCS, Springer-Verlag 2001, pages 213229.
[9] D. Boneh, B. Lynn and H. Shacham: Short Signatures from the Weil Pairing, Advances in Cryptol-
ogy - Proceedings of ASIACRYPT 2001, Vol. 2248 of LNCS, Springer-Verlag 2001, pages 566582.
[10] R. Canetti and S. Goldwasser: An Ecient Threshold Public Key Cryptosystem Secure Agaisnt
Adaptive Chosen Ciphertext Attack, Advances in Cryptology - Proceedings of EUROCRYPT 99,
Vol. 1592 of LNCS, Springer-Verlag 1999, pages 90106.
[11] D. Chaum and T. Perderson: Wallet Databases with Observers, Advances in Cryptology - Pro-
ceedings of CRYPTO 92, Vol. 740 of LNCS, Springer-Verlag 1992, pages 89105.
[12] R. Cramer and V. Shoup: A Practical Public Key Cryptosystem Provably Secure against Adaptive
Chosen Ciphertext Attack, Advances in Cryptology - Proceedings of CRYPTO 98, Vol. 1462 of
LNCS, Springer-Verlag 1998, pages 1325.
[13] A. De Santis, Y. Desmedt, Y. Frankel and M. Yung: How to Share a Function Securely, Proceedings
of the 26nd Annual ACM Symposiumm on the Theory of Computing STOC, 1994, pages 522533.
[14] Y. Desmedt and Y. Frankel: Threshold Cryptosystems, Advances in Cryptology - Proceedings of
CRYPTO 89, Vol. 435 of LNCS, Springer-Verlag 1989, pages 307315.
[15] T. ElGamal: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms,
IEEE Trans. Information Theory, 31, 1985, pages 469472.
[16] P. Fouque and D. Pointcheval: Threshold Cryptosystems Secure Chosen-Ciphertext Attacks, Ad-
vances in Cryptology - Proceedings of ASIACRYPT 2001, Vol. 2248 of LNCS, Springer-Verlag
2001, pages 351368.
[17] E. Fujisaki and T. Okamoto: How to Enhance the Security of Public-Key Encryption at Minimum
Cost, Proceedings of Public Key Cryptography 99 (PKC 99), Vol. 1666 of LNCS, Springer-Verlag
1999, pages 5368.
[18] E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern: RSA-OAEP is Secure under the RSA
Assumption, Journal of Cryptology, 2002, To appear.
[19] S. Galbraith and N. P. Smart: A Cryptographic Application of Weil Decent, Proceedings of Cryp-
tology and Coding, Vol. 1746 of LNCS, Springer-Verlag 1999, pages 191200.
[20] S. Goldwasser and S. Micali: Probabilistic Encryption, Journal of Computer and System Sciences,
Vol. 28, 1984, pages 270299.
14
[21] A. Joux and K. Nguyen: Separating Decision Die-Hellman from Die-Hellman in Cryptographic
Groups, Cryptology ePrint Archive, Report 2001/003, 2001, available at http : //eprint.iacr.org.
[22] C. Lim and P. Lee: Another Method for Attaining Security Against Adaptively Chosen Ciphertext
Attack, Advances in Cryptology - Proceedings of CRYPTO 93, Vol. 773 of LNCS, Springer-Verlag
1993, pages 410434.
[23] A. Lysyanskaya: Unique signatures and veriable random functions from the DH-DDH separation,
Advances in Cryptology - Proceedings of CRYPTO 2002, Vol. 2242 of LNCS, Springer-Verlag 2002,
pages 597612.
[24] M. Naor and M. Yung: Public-key Cryptosystems Provably Secure against Chosen Ciphertext At-
tacks, Proceedings of the 22nd Annual ACM Symposium on the Theory of Computing (STOC), 1990, pages 427-437.
[25] T. Okamoto and D. Pointcheval: The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes, Proceedings of Public Key Cryptography 2001 (PKC 2001), Vol. 1992 of LNCS, Springer-Verlag 2001, pages 104-118.
[26] T. Okamoto and D. Pointcheval: REACT: Rapid Enhanced-security Asymmetric Cryptosystem Transform, Proceedings of Topics in Cryptology - CT-RSA 2001, Vol. 2020 of LNCS, Springer-Verlag 2001, pages 159-174.
[27] D. Pointcheval: Chosen-Ciphertext Security for Any One-Way Cryptosystem, Proceedings of Public Key Cryptography 2000 (PKC 2000), Vol. 1751 of LNCS, Springer-Verlag 2000, pages 129-146.
[28] C. Rackoff and D. R. Simon: Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack, Advances in Cryptology - Proceedings of CRYPTO 91, Vol. 576 of LNCS, Springer-Verlag 1992, pages 434-444.
[29] R. Rivest, A. Shamir and L. Adleman: A Method for Obtaining Digital Signatures and Public Key Cryptosystems, Communications of the ACM, Vol. 21 (2), 1978, pages 120-126.
[30] C. P. Schnorr: Efficient Signature Generation by Smart Cards, Journal of Cryptology, Vol. 4, Springer-Verlag 1991, pages 239-252.
[31] A. Shamir: How to Share a Secret, Communications of the ACM, Vol. 22, 1979, pages 612-613.
[32] V. Shoup: A Proposal for an ISO Standard for Public Key Encryption (Version 1.1), ISO/IEC JTC 1/SC 27, 2001.
[33] V. Shoup: OAEP Reconsidered, Advances in Cryptology - Proceedings of CRYPTO 2001, Vol. 2139 of LNCS, Springer-Verlag 2001, pages 239-259.
[34] V. Shoup and R. Gennaro: Securing Threshold Cryptosystems against Chosen Ciphertext Attack, Advances in Cryptology - Proceedings of EUROCRYPT 98, Vol. 1403 of LNCS, Springer-Verlag 1998, pages 1-16.
[35] V. Shoup and R. Gennaro: Securing Threshold Cryptosystems against Chosen Ciphertext Attack, Journal of Cryptology, Vol. 15, Springer-Verlag 2002, pages 75-96.
[36] Y. Tsiounis and M. Yung: On the Security of ElGamal-Based Encryption, Proceedings of Public Key Cryptography 98 (PKC 98), Vol. 1431 of LNCS, Springer-Verlag 1998, pages 117-134.
[37] Y. Zheng and J. Seberry: Practical Approaches to Attaining Security against Adaptively Chosen Ciphertext Attacks, Advances in Cryptology - Proceedings of CRYPTO 1992, Vol. 742 of LNCS, Springer-Verlag 1993, pages 292-304.
A Preliminaries
A.1 Public Key Cryptosystem
A public key cryptosystem consists of the following algorithms.
A randomized key generation algorithm K(k) which, on input a security parameter k, generates (pk, sk), where pk is the public key and sk is the private key.
A randomized encryption algorithm E(pk, m) which, on input the public key pk and a plaintext m, outputs a ciphertext C.
A deterministic decryption algorithm D(sk, C) which, on input the private key sk and a ciphertext C, outputs a plaintext m or rejects C as invalid.
A.2 Security Notion for Public Key Cryptosystem
Now we review the security model for public key encryption schemes. Consider an attack algorithm (attacker) $A_{CCA}$ in the following experiment (game). The experiment consists of several stages.
Setup: The common parameter generation algorithm is run on input a security parameter k. Then the key generation algorithm is run on input the common parameters output by the common parameter generation algorithm. The public key output by the key generation algorithm and the common parameters are given to $A_{CCA}$.
Phase 1: $A_{CCA}$ interacts with the decryption oracle, submitting ciphertexts and obtaining decryptions. $A_{CCA}$'s interaction with the decryption oracle can be adaptive.
Challenge: $A_{CCA}$ chooses two equal-length plaintexts $(m_0, m_1)$. These are given to the encryption algorithm, which chooses $b \in \{0, 1\}$ at random and returns the target ciphertext $C^* = E(pk, m_b)$ to $A_{CCA}$.
Phase 2: As in Phase 1, $A_{CCA}$ adaptively submits ciphertexts to the decryption oracle and obtains decryptions, with the usual restriction that the target ciphertext $C^*$ itself may not be submitted.
Guess: $A_{CCA}$ outputs a guess $b' \in \{0, 1\}$.
We define the attacker $A_{CCA}$'s success probability by
$$\mathrm{Succ}^{IND\text{-}CCA}(A_{CCA}) = 2 \Pr[b' = b] - 1.$$
The probability is over the random bits used by the experiment and the attacker. We denote by $\mathrm{Succ}^{IND\text{-}CCA}(t_{CCA}, q_D)$ the maximal success probability $\mathrm{Succ}^{IND\text{-}CCA}(A_{CCA})$ over all attackers whose running time and number of queries to the decryption oracle are bounded by $t_{CCA}$ and $q_D$, respectively.
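The experiment above in runnable form, as an added example that is not part of the paper: a game harness whose decryption oracle enforces the budget $q_D$ and the rule that $C^*$ itself may not be queried, exercised against a constructed test scheme. The scheme, group and attacker are assumptions for the demonstration only: textbook ElGamal in the order-1019 subgroup of $\mathbb{Z}_{2039}^*$, which carries no tag W, so a Phase 2 attacker recovers $m_b$ by submitting a mauled copy of the target ciphertext. The validity check $e(P, W) = e(U, H)$ in the paper's scheme exists to refuse exactly this kind of query.

```python
"""
Runnable form of the IND-CCA experiment of Appendix A.2 (added example, not the
paper's code). The scheme is passed in as three callables and the attacker as
an object with phase1 / challenge / phase2 / guess methods.

Constructed test scheme, an assumption for the demonstration only: textbook
ElGamal in the order-q subgroup of Z_p^* with p = 2q + 1 = 2039 and generator 4,
with no integrity tag, so a Phase-2 attacker can maul the target ciphertext.
"""
import secrets

p, q, g = 2039, 1019, 4   # p and q prime, 4 = 2^2 generates the subgroup of order q


def ind_cca_experiment(keygen, encrypt, decrypt, attacker, q_D=10):
    """One run of the game; returns True iff the attacker's guess b' equals b.
    The decryption oracle enforces the query budget q_D and the standard rule
    that the target ciphertext C* itself may not be submitted in Phase 2."""
    pk, sk = keygen()
    state = {"target": None, "queries": 0}

    def dec_oracle(C):
        state["queries"] += 1
        if state["queries"] > q_D:
            raise RuntimeError("decryption-query budget q_D exhausted")
        if C == state["target"]:
            raise RuntimeError("the target ciphertext may not be queried")
        return decrypt(sk, C)

    attacker.phase1(pk, dec_oracle)                 # Phase 1: adaptive decryption queries
    m0, m1 = attacker.challenge()                   # Challenge: two plaintexts of equal length
    b = secrets.randbelow(2)
    state["target"] = encrypt(pk, (m0, m1)[b])      # C* = E(pk, m_b)
    attacker.phase2(state["target"], dec_oracle)    # Phase 2: more adaptive queries
    return attacker.guess() == b                    # Guess


def success(keygen, encrypt, decrypt, make_attacker, runs=100):
    """Empirical Succ^{IND-CCA} = 2 Pr[b' = b] - 1 over `runs` independent games."""
    wins = sum(ind_cca_experiment(keygen, encrypt, decrypt, make_attacker())
               for _ in range(runs))
    return 2 * wins / runs - 1


# Constructed test scheme: textbook ElGamal, plaintexts are subgroup elements.
def eg_keygen():
    x = secrets.randbelow(q - 1) + 1
    return pow(g, x, p), x                          # pk = Y = xP, sk = x


def eg_encrypt(Y, m):
    r = secrets.randbelow(q - 1) + 1
    return pow(g, r, p), m * pow(Y, r, p) % p       # (U, V) = (rP, m + rY), no tag W


def eg_decrypt(x, C):
    U, V = C
    return V * pow(pow(U, x, p), -1, p) % p         # m = V - xU


class MallingAttacker:
    """Adaptive CCA attacker: multiplies the target's second component by g,
    has the oracle decrypt that (different) ciphertext, and divides g back out."""
    def phase1(self, pk, dec):
        self.pk = pk

    def challenge(self):
        self.m0, self.m1 = pow(g, 2, p), pow(g, 3, p)
        return self.m0, self.m1

    def phase2(self, target, dec):
        U, V = target
        self.recovered = dec((U, V * g % p)) * pow(g, -1, p) % p

    def guess(self):
        return 0 if self.recovered == self.m0 else 1


if __name__ == "__main__":
    print("Succ =", success(eg_keygen, eg_encrypt, eg_decrypt, MallingAttacker))
```

The harness is scheme-agnostic: plugging in a scheme that rejects mauled ciphertexts makes `MallingAttacker.phase2` receive a rejection instead of $m_b \cdot g$, and the measured success drops to the noise around zero.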
B Proof of Theorem 1
Proof. First, we define notations and conventions. Let $A_{CCA}$ be an attacker that defeats the semantic security of the scheme of Theorem 1 against adaptive chosen ciphertext attack.
We denote by $C = (U, V, W)$ a decryption query made by the attacker $A_{CCA}$ to the decryption oracle. In particular, we write $C^* = (U^*, V^*, W^*)$ for the target ciphertext, which is created as follows. For $b \leftarrow_R \{0, 1\}$,
$$U^* = r^*P, \quad V^* = G(K^*) \oplus m_b, \quad W^* = r^*H^*,$$
where $K^* = r^*Y$ for $r^* \leftarrow_R \mathbb{Z}_q$ and $H^* = H(U^*, V^*)$.
On input $C^*$, $A_{CCA}$ outputs $b'$. We denote by $S_0$ the event $b' = b$, and by $S_i$ the same event in game $G_i$ below.
Game $G_1$: We set $U^* := aP$ and $pk = Y := bP$. (Note that $aP$ and $bP$ are the parameters given to the attacker $A_{CDH}$.)
Game $G_2$: We choose $K^+$ uniformly at random from $\mathcal{G}$ and set $K^* := K^+$. We also choose $G^+$ uniformly at random from $\{0, 1\}^l$ and set $G(K^*) := G^+$. Then we set $V^* := G^+ \oplus m_b$. As a result, $K^*$ and $G(K^*)$ are replaced by the independent uniform values $K^+$ and $G^+$. We choose $s^+ \leftarrow_R \mathbb{Z}_q$ and compute $s^+P$. We set $H^* = H(U^*, V^*) := s^+P$. Also, we compute $s^+U^*$ and set $W^* := s^+U^*$. The simulation of the target ciphertext is summarized by the following rules.
R1-1 The target ciphertext is formed with $K^* = K^+$, $U^* = aP$, $V^* = G^+ \oplus m_b$, $W^* = s^+U^*$ and $H^* = s^+P$.
R1-2 Whenever the random oracle G is queried at $K^+$, the answer is $G^+$.
R1-3 Whenever the random oracle H is queried at $(U^*, V^*)$, the answer is $s^+P$.
Note that since G is a random oracle, $G(K^*)$ and $G^+$ have the same distribution. Since the output of the random oracle H is uniformly distributed in $\mathcal{G}$, and so is $s^+P$ for $s^+ \leftarrow_R \mathbb{Z}_q$, $H^*$ and $s^+P$ are identically distributed. Similarly, $W^*$ and $s^+U^*$ are identically distributed, since in both cases $(P, U^*, H^*, W^*)$ is a Diffie-Hellman tuple:
$$(P, U^*, H^*, W^*) = (P, aP, s^+P, as^+P), \quad a, s^+ \leftarrow_R \mathbb{Z}_q.$$
Finally, since $aP$ is uniformly distributed in the group $\mathcal{G}$, the distribution of $C^* = (U^*, V^*, W^*)$ is the same as in the previous game. Let $\mathrm{AskG}_2$ denote the event that, in game $G_2$, G is queried at $K^*$ by the attacker $A_{CCA}$. (Note that G is queried at $K^*$ by the encryption oracle to produce the target ciphertext.) We will use the same notation $\mathrm{AskG}_i$ to denote such events in all other games.
Now, we have
$$|\Pr[S_2] - \Pr[S_1]| \le \Pr[\mathrm{AskG}_2].$$
Game $G_3$: In this game, we modify the random oracles G and H as follows. Note that we have already dealt with the simulation of the random oracles G and H as they appear in the target ciphertext $C^*$; the rules below apply to all other queries. Let GList be the set of all query-answer pairs $(K, G(K))$ for the random oracle G; a new query K is answered with a fresh uniformly random string $G(K) \in \{0, 1\}^l$. For a new query $(U, V)$ to H, the simulator chooses $s \leftarrow_R \mathbb{Z}_q$, computes $H = sY$ and returns H as the answer to $A_{CCA}$. Similarly, let HList be the set of all query-answer pairs for the random oracle H. More specifically, HList consists of the pairs $((U, V), H)$ where $H = H(U, V) = sY$; the exponent s is retained with each entry, since the decryption oracle simulator below needs it. Notice that all these lists grow as $A_{CCA}$'s attack proceeds.
Note that the above simulation of G and H is perfect. Then, we have
$$\Pr[\mathrm{AskG}_3] = \Pr[\mathrm{AskG}_2].$$
Note that the decryption oracle has been regarded as perfect up to this game. The rest of the games will deal with the simulation of the decryption oracle.
Game $G_4$: In this game, we make the decryption oracle reject all ciphertexts $C = (U, V, W)$ such that $H := H(U, V)$ has not been queried. If C is a valid ciphertext while $H(U, V)$ has not been queried, games $G_4$ and $G_3$ may differ. By the simulation of the random oracles G and H, if C is valid then $(P, U, H, W)$ is a legitimate Diffie-Hellman tuple, since
$$(P, U, H, W) = (P, rP, sY, rsY) = (P, rP, sxP, rsxP).$$
However, since we have assumed that H has not been queried at $(U, V)$ in this game, the above equality holds with probability at most $1/2^k$, since the output of the (simulated) random oracle H is uniformly distributed in $\mathcal{G}$.
Summing up over all decryption queries, we have
$$|\Pr[\mathrm{AskG}_4] - \Pr[\mathrm{AskG}_3]| \le \frac{q_D}{2^k}.$$
Game $G_5$: In this game, we modify the decryption oracle to reject all ciphertexts C such that the value K has not been queried to the random oracle G. If C is a valid ciphertext and $(U, V)$ has been queried to the random oracle H while $G(K)$ has not been queried, the rule of this game would cause a difference from game $G_4$. Since $V = G(K) \oplus m$ and we have assumed that $G(K)$ has not been queried, V is independent of the view of $A_{CCA}$. Furthermore, since we have assumed that C is valid, $(U, V)$ has been queried to H, and this happens with probability at most $q_H/2^k$.
Summing up over all decryption queries, we have
$$|\Pr[\mathrm{AskG}_5] - \Pr[\mathrm{AskG}_4]| \le \frac{q_D\, q_H}{2^k}.$$
Game $G_6$: In this game, we modify the decryption oracle of the previous game to yield a decryption oracle simulator which decrypts a submitted decryption query $C = (U, V, W)$ without the private key. Note that the cases in which $H(U, V)$ or $G(K)$ has not been queried are excluded in this game, since these cases were already dealt with in the previous games. That is, we assume that $H(U, V)$ and $G(K)$ have been queried at some point.
Now we describe the complete specification of the decryption oracle simulator. Note in the following that the decryption oracle simulator is provided with an input ciphertext $C = (U, V, W)$.
    Extract $((U, V), H)$, together with its exponent s, from HList.
    If $e(P, W) = e(U, H)$:
        Compute $K = (1/s)W$ (since $W = rH = rsY$ and $K = rY$, we have $K = s^{-1}W$).
        Extract $(K, G)$ from GList.
        Compute $m = V \oplus G$.
        Return m.
    Else reject C.
Note that the above decryption oracle simulator perfectly simulates the real decryption oracle, since $H(U, V)$ and $G(K)$ have been previously queried. Thus, we get
$$\Pr[\mathrm{AskG}_6] = \Pr[\mathrm{AskG}_5].$$
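A toy model of the scheme's encryption and decryption together with the decryption oracle simulator of game $G_6$, driven by the programmed random oracle H of game $G_3$ ($H(U, V) = sY$ with s kept in HList). This is an added example, not the paper's code. Its assumptions are not from the paper: the GDH group is replaced by the order-1019 subgroup of $\mathbb{Z}_{2039}^*$, written multiplicatively, and the pairing test $e(P, W) = e(U, H)$ is replaced by a brute-force DDH check that only the tiny group makes affordable. It shows the simulator recovering $K = (1/s)W$ and decrypting an honest ciphertext without the private key, and rejecting a ciphertext whose W has been mauled.

```python
"""
Toy model of the scheme of Appendix B and of the decryption-oracle simulator of
game G_6 (added example, not the paper's code). Assumptions, none from the
paper: the GDH group is the order-q subgroup of Z_p^*, p = 2q + 1 = 2039,
written multiplicatively, so the paper's P, aP and rY read g, g^a and Y^r here;
the pairing test e(P, W) = e(U, H) is a brute-force DDH check that only the tiny
group makes affordable; G and H are lazily sampled tables (GList and HList).
"""
import secrets

p, q, g = 2039, 1019, 4   # p and q prime, 4 = 2^2 generates the subgroup of order q
L = 16                    # G returns L bytes (the paper's l bits); plaintexts are L bytes

def rand_exp():
    """Uniform exponent, the paper's x, r, s <-_R Z_q."""
    return secrets.randbelow(q - 1) + 1

def xor(a, b):
    assert len(a) == len(b) == L
    return bytes(x ^ y for x, y in zip(a, b))

def ddh(U, H, W):
    """Stand-in for e(P, W) == e(U, H): true iff U = g^r and W = H^r for the same r.
    Brute force over r is fine for q = 1019; a real GDH group uses the pairing."""
    for r in range(q):
        if pow(g, r, p) == U:
            return pow(H, r, p) == W
    return False

class OracleG:
    """Random oracle G: group element -> L-byte mask; .table is GList."""
    def __init__(self):
        self.table = {}
    def __call__(self, K):
        if K not in self.table:
            self.table[K] = secrets.token_bytes(L)
        return self.table[K]

class SimulatedH:
    """Game G_3 simulation of H: answer sY for a fresh s <-_R Z_q and keep s (HList)."""
    def __init__(self, Y):
        self.Y, self.table = Y, {}
    def __call__(self, uv):
        if uv not in self.table:
            s = rand_exp()
            self.table[uv] = (s, pow(self.Y, s, p))
        return self.table[uv][1]

def keygen():
    x = rand_exp()
    return pow(g, x, p), x                  # pk = Y = xP, sk = x

def encrypt(Y, m, G, H):
    r = rand_exp()
    U = pow(g, r, p)                        # U = rP
    K = pow(Y, r, p)                        # K = rY
    V = xor(G(K), m)                        # V = G(K) xor m
    W = pow(H((U, V)), r, p)                # W = rH, H = H(U, V)
    return U, V, W

def decrypt(x, C, G, H):
    """Real decryption with the private key x."""
    U, V, W = C
    if not ddh(U, H((U, V)), W):            # validity test e(P, W) = e(U, H)
        return None                         # reject
    return xor(G(pow(U, x, p)), V)          # K = xU = rY

def simulated_decrypt(C, G, Hsim):
    """Game G_6 decryption-oracle simulator: no private key, only GList and HList."""
    U, V, W = C
    if (U, V) not in Hsim.table:            # game G_4 rule: H(U, V) never queried
        return None
    s, Hval = Hsim.table[(U, V)]
    if not ddh(U, Hval, W):                 # e(P, W) = e(U, H)
        return None
    K = pow(W, pow(s, -1, q), p)            # W = rH = rsY, so K = rY = (1/s) W
    if K not in G.table:                    # game G_5 rule: G(K) never queried
        return None
    return xor(G.table[K], V)

def demo(m=b"sixteen byte msg"):
    """Returns (real decryption, simulated decryption, simulator's answer on a mauled W)."""
    Y, x = keygen()
    G, Hsim = OracleG(), SimulatedH(Y)
    C = encrypt(Y, m, G, Hsim)              # the attacker encrypts through the simulated oracles
    U, V, W = C
    mauled = (U, V, W * g % p)              # W no longer equals rH
    return decrypt(x, C, G, Hsim), simulated_decrypt(C, G, Hsim), simulated_decrypt(mauled, G, Hsim)

if __name__ == "__main__":
    print(demo())
```

The real decryption with x and the simulated one agree on every honest ciphertext because the programmed H is distributed exactly like a random oracle, which is what makes the simulation of game $G_3$ perfect; the only thing the simulator cannot do is decrypt a query whose $(U, V)$ or K never passed through the lists, which is exactly what games $G_4$ and $G_5$ charge to the $q_D/2^k$ and $q_D q_H/2^k$ terms.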
Now we put all the bounds we have obtained in each game together:
$$\begin{aligned}
\tfrac{1}{2}\,\mathrm{Succ}^{IND\text{-}CCA}(A_{CCA})
 &= |\Pr[S_0] - \Pr[S_2]| \le \Pr[\mathrm{AskG}_2] = \Pr[\mathrm{AskG}_3] \\
 &\le \Pr[\mathrm{AskG}_4] + \frac{q_D}{2^k}
  \le \Pr[\mathrm{AskG}_5] + \frac{q_D}{2^k} + \frac{q_H\, q_D}{2^k} \\
 &= \Pr[\mathrm{AskG}_6] + \frac{q_D + q_H\, q_D}{2^k}
  \le \mathrm{Succ}^{CDH}(A_{CDH}) + \frac{q_D + q_H\, q_D}{2^k},
\end{aligned}$$
where $\Pr[S_1] = \Pr[S_0]$ since game $G_1$ only renames $U^*$ and Y, and the last inequality holds because, when $\mathrm{AskG}_6$ occurs, $K^* = abP$ appears in GList and $A_{CDH}$ can pick it out with the DDH test $e(P, K) = e(aP, bP)$.
Considering the running time $t_{CCA}$ of $A_{CCA}$ and the running time $t_{CDH}$ of $A_{CDH}$, we obtain
$$\tfrac{1}{2}\,\mathrm{Succ}^{IND\text{-}CCA}(t_{CCA}, q_G, q_H, q_D) \le \mathrm{Succ}^{CDH}(t_{CDH}) + \frac{q_D + q_H\, q_D}{2^k},$$
where
$$t_{CDH} = t_{CCA} + (q_G + q_H)\, O(k^3) + q_G\, q_H\, q_D\, O(k^3).$$