A new CCA-secure Encryption based on the Gap

A new CCA-secure Encryption based on the Gap Hashed Diffie-

Hellman Problem 1

Muhammad Asyraf Asbullah, 2Muhammad Rezal Kamel Ariffin

1,2

Al-Kindi Cryptography Research Labarotary, Institute for Mathematical Research 1 [email protected], [email protected]

Abstract This paper proposes a variant of the ElGamal public key encryption which is secure against chosen ciphertext attack. Our proof of security is based on the intractability of the Gap Hashed Diffie-Hellman assumption in the standard model. The proposed scheme is practical to send encrypted short messages such as credit card information, PIN code, password etc. This scheme also preserves the computational performance of the hash ElGamal encryption scheme (i.e. its simplistic algebraic construction, less exponentiation cost).

Keywords: Chosen Ciphertext Security, ElGamal Encryption Scheme, Gap Hashed DiffieHellman Problem.

1. Introduction More than 30 years ago, the world witnessed a remarkable breakthrough event in cryptography. Through the work of Whitfield Diffie and Martin Hellman in [6], a brilliant idea to resolve the key distribution problem revolutionized the field of cryptography – to be known as public key cryptography. Inspired by the Diffie-Hellman protocol, Elgamal developed a new public key cryptosystem [5]. The ElGamal cryptosystem is one of the fundamental public key cryptosystem and is widely used apart to RSA cryptosystem, and remains amongst the most attractive cryptographic public key constructions until today. Suppose Bob wants to sends a message to Alice using the Elgamal encryption scheme. We begin by describing the Elgamal encryption scheme as follows. Let ॳ be a group of large prime order ‫ ݍ‬and ݃ be its generator (i.e an element that generates all the other elements in the group). We assume that the value of ॳ, ‫ ݍ‬and ݃ are placed in public domain. Then the scheme works as follows. Alice picks a random integer‫ ∈ ݔ‬ℤ௤ as her private key and set a value ‫ ݃ = ݕ‬௫ to be her public key. In order for Bob to send a message݉ (encoded into an element ofॳ), Bob chooses a random integer ‫ ∈ ݎ‬ℤ௤ and computes ‫݃ = ݑ‬௥ , ‫ ݕ‬௥ andܿ = ݉ ∙ ‫ ݕ‬௥ . Then he sets his ciphertext as (‫ݑ‬, ܿ) and sends to Alice. Upon ௖ receiving the ciphertext, Alice computes ‫ ݑ‬௫ and then performs ೣ to obtain the message݉. ௨ Interestingly, this scheme comes with simple design, their computation requires roughly two exponentiations, and most importantly the encryption algorithm is probabilistic [9], which is necessary feature for any public key construction. Furthermore, this scheme also proven to be semantically secure against chosen plaintext attack (CPA). Despite all of these advantages, the original Elgamal scheme actually faces some deficiencies. As stated in [1, 4, 9] the disadvantage of the scheme is based on the fact that the message space is somewhat limited, since the message needs to be encoded into an element of the groupॳ. In addition in the literature mentioned above, if the order of the group ॳ is not prime, then the scheme loses its CPA security. Nevertheless, it is easy to make the order to be prime. The problem of group encoding could be solved via manipulating any appropriate hash function onto the ElGamal scheme, which in these days referred as the hash ElGamal cryptosystem. As mentioned in [4, 9], instead of multiplication operation (i.e.ܿ = ݉ ∙ ‫ ݕ‬௥ ) from the original Elgamal, the encryption algorithm for hash Elgamal computes the ciphertext as ܿ = ݉⨁‫ܪ‬ሺ‫ ݕ‬௥ ሻ where ‫ )∙(ܪ‬is modeled as a random oracle function. Throughout the years, many cryptosystems are found out to be broken and the crypto-community needs a much stronger security assurance. Nowadays, any public key scheme would be required more than just to be proven secure against chosen plaintext attacks. It is also demanded that for such systems

to withstand a stronger attacks known as the chosen ciphertext attack (CCA). As shown in [5], the original Elgamal is completely insecure against the CCA. This is also true for the hash ElGamal version, as mentioned in [2]. Attempts are made to produce a scheme that achieves chosen ciphertext security. We give some examples of existing schemes related to ElGamal variants that are proven to be CCA-secure such as the DHIES [1], the Compact Elgamal Encryption [2], the Twin Elgamal Encryption [3], the Cramer-Shoup scheme [5]and also a variant presented in [12].

1.1. Related work We now restate the idea of [11] for protecting the original ElGamal scheme against chosen ciphertext attacker. Firstly, let us consider the original Elgamal scheme and suppose we have a collision resistance hash function‫)∙(ܪ‬. Let ℎ = ‫ )݉(ܪ‬be the hash value of the corresponding message ݉. Next we append this value ℎ along with the ciphertext before we send it receiver. Now the ciphertext is in the form(‫ݑ‬, ܿ, ℎ). Upon receiving the ciphertext(‫ݑ‬, ܿ, ℎ), the decryption algorithm will decrypt as usual and obtain the message݉′. Finally decryption algorithm will compute the hash value ‫݉(ܪ‬′) and compare it with the appended valueℎ. Since whoever is sending this ciphertext must able to generate exactly the same hash value as the appendedℎ, therefore if we have‫݉(ܪ‬′) ≠ ℎ, then we immediately declare the ciphertext is invalid. This approach, however, has shortcomings when the encrypted message is known to be small (i.e. yes or no, PIN numbers, password). The adversary only need to check the hash value for the entire message space (it is easy since the message space is known from a small set) until the value ℎ appears.

1.2. Our contributions We design an encryption scheme based on the hash Elgamal which is secure against chosen ciphertext attack. The security of our scheme stands in the standard model; avoid the need of the random oracle assumption. In term of performance, our scheme replicates the same algebraic structure as the hash Elgamal. Furthermore, the message that is to be encrypted does not require to be encoded to be a group element before encryption. On the other hand, the valuable information can be very short, for example credit card numbers, PIN code etc. Such data are often being transmitted in digitally (e.g. online transactions). Most existing schemes however do not guarantee the security if a short message is encrypted, or require extra redundancy to offer such security [2]. Interestingly, our scheme can be very useful to provide a secure and efficient mechanism for encryption of short messages.

1.3. Paper organization The paper is organized as follows. Section 2 reviews the definitions for public key encryption, the chosen ciphertext security, the computational hardness and brief explanation on the collision resistance hash function. In section 3, we describe our proposed scheme, and accompany it with a numerical example in section 4. We then proceed to give the security proof in section 5. Conclusions appear in the final section.

2. Preliminaries In this section, we give a bit of background regarding the definition of the public key cryptosystem, description of our security goal namely chosen ciphertext security. Then we continue to introduce the computational intractibility assumption, and finally we specify a particular type of hash function.

2.1. Public key encryption scheme A public key encryption scheme is a triple of algorithm(‫ܭ‬, ‫ܧ‬, ‫ )ܦ‬such that:  Key generation algorithm ‫ܭ‬: is a probabilistic algorithm that will generate a pair of public and private keys,݁ and ݀ respectively.

Encryption algorithm‫ܧ‬: is a probabilistic algorithm that takes a message ݉ and the public key݁, to produce its corresponding ciphertext as a function‫ܧ‬ሺ݁, ݉ሻ.  Decryption algorithm‫ܦ‬: is a deterministic algorithm which is given the private key݀ and the ciphertext ‫ܧ‬ሺ݁, ݉ሻ, will output ݉ or returns ⊥ if the ciphertext was invalid. (Correctness): For each pairs of key(݁, ݀) output by the algorithm‫ܭ‬, and for every message݉ then‫ܦ‬൫݀, ‫ܧ‬ሺ݁, ݉ሻ൯ = ݉. This mathematical statement says that for any legitimate ciphertext, given the private key݀ then the decryption algorithm ‫ܦ‬always produce its corresponding message݉. 

2.2. Chosen ciphertext security Suppose we have a challengerࣝ and an adversaryࣛ. We describe the chosen ciphertext attack (CCA) via the following game played by the challengerࣝ and adversaryࣛ. 1. The challengerࣝ generates(݁, ݀) and sends ݁ to the adversaryࣛ. 2. The adversary ࣛ makes decryption queries for any ciphertext of his choice to the challengerࣝ, which decrypts as usual or rejects if it is invalid ciphertext. 3. The adversaryࣛ outputs the two messages ݉଴ and ݉ଵ and send to the challengerࣝ. During this stage, the challengerࣝ chooses ܾ ∈ {0,1}at random and set‫ܧ‬ሺ݁, ݉௕ ሻ as the challenge ciphertext. 4. The adversary ࣛ is allowed to submit decryption queries for any ciphertext ‫ܧ‬′ሺ݁, ݉ሻ ≠ ‫ܧ‬ሺ݁, ݉௕ ሻ to the challengerࣝ. 5. The adversaryࣛ outputs the value ofܾ′ and wins the game ifܾ ′ = ܾ. The adversary’s goal is to answer whether the challenge ciphertext‫ܧ‬ሺ݁, ݉௕ ሻis the encryption of ଵ ݉଴ or݉ଵ . Thus the adversary’s advantage to win the game is defined to be|Pr[ܾ ′ = ܾ] − |. The ଶ encryption scheme is said to be CCA-secure if for all efficient adversaries, the advantage is negligible. This has been shown to ensure that the adversaries cannot acquire any useful information about a message from its ciphertext.

2.3. Computational intractability In general, there are more formulations on the computational hard problem based on the DiffieHellman family [8]. However, for the purpose of this research we begin with two well known standard assumptions in this class namely the Computational Diffie-Hellman, the Decisional Diffie-Hellman and then the nonstandard Gap Hashed Diffie-Hellman assumptions, which we shall use for our scheme. 2.3.1. Computational Diffie-Hellman Assumption. The Computational Diffie–Hellman (CDH assumption) is the assumption that a certain computational problem within a cyclic group is hard. Consider a cyclic group ॳ of order‫ݍ‬. The CDH assumption states that, given ሺ݃, ݃௔ , ݃௕ ሻfor a randomly chosen generator g and random ܽ, ܾ ∈ ℤ௤ it is computationally intractable to compute the value݃௔௕ . 2.3.2. Decisional Diffie-Hellman Assumption. The Decisional Diffie–Hellman (DDH) assumption states that given the distributions(݃, ݃௔ , ݃௕ , ݃௖ ) ∈ ℤ௤ it is hard to decide whether݃௖ is actually ݃௔௕ or not. In another words, it is computationally indistinguishable when ܽ, ܾ, ܿ ∈ ℤ௤ are chosen randomly. The best known algorithm to solve DDH in general is to solve discrete logarithms problem. The DDH assumption is stronger as compare to the CDH assumption. 2.3.2. Gap Hashed Diffie-Hellman Assumption[10].

Let ॳ be a particular group of order‫ ݍ‬and assume that we have a suitable hash function ‫ )∙(ܪ‬that maps an element in ॳ into a value ℎ of certain binary strings of fixed length ݇ (i.e.ሼ0,1ሽ௞ ). Basically, if we choose random exponents ܽ, ܾ ∈ ℤ௤ and a randomܴ ∈ ሼ0,1ሽ௞ , then the Gap Hashed Diffie-Hellman (GHDH) assumption states that the following distribution of (݃, ݃௔ , ݃௕ , ‫݃(ܪ‬௔௕ )) and (݃, ݃௔ , ݃௕ , ܴ) are computationally indistinguishable.

2.4. Collision resistance hash function Basically, a cryptographic hash function ‫ )∙(ܪ‬is a function that takes arbitrary-length strings of input and generates a fixed size and much shorter strings, denotes byℎ. Suppose we apply the hash function ‫ )∙(ܪ‬onto two distinct messages ݉଴ and݉ଵ and both end up with the same outputℎ. We say that a collision for ‫ )∙(ܪ‬has occurred since the different inputs produce the same hash valueℎ. Instantly, we define that the function ‫ )∙(ܪ‬is collision resistance if it is hard to find such collisions for this function; that is infeasible to find any ݉଴ ≠ ݉ଵ such that‫ܪ‬ሺ݉଴ ሻ = ‫݉(ܪ‬ଵ ).

3. The scheme In this section we present our construction on the CCA-secure scheme which its security lays on the intractability of GHDH assumption. We suppose that we have a group ॳ of order large prime ‫ ݍ‬and an element ݃ ∈ ॳ ≠ 1 which is a generator ofॳ. We also require a collision resistance hash function ‫)∙(ܪ‬ that takes arbitrary large inputs and produce a fixed size output values.

3.1. Key generation algorithm Let ॳ be an abelian group of large prime order ‫ ݍ‬and ݃ ∈ ॳ ≠ 1 is generator ofॳ, and then the key generation algorithm will run as follows. 1. Choose a random element‫ ∈ ݔ‬ℤ௤ . 2. Set‫ ݃ = ݕ‬௫ . 3. Set (݃, ‫ )ݕ‬as the public key. 4. Set‫ ݔ‬as the private key.

3.2. Encryption algorithm To encrypt a message݉ ∈ ॳ using the public key(݃, ‫)ݕ‬, the encryption algorithm will run as follows. 1. Choose a random integer‫ ∈ ݎ‬ℤ௤ . 2. Compute ‫݃ = ݑ‬௥ . 3. Compute ‫ ݕ‬௥ 4. Compute ℎଵ = ‫ܪ‬ሺ‫ ݕ‬௥ ሻ. 5. Choose a random integer ݈ ∈ ℤ௤ . 6. Set ‫݉ ∥ ݈ = ܯ‬ 7. Computeℎଶ = ‫)݉ ∥ ݈(ܪ‬. 8. Calculate ܿ = ‫⨁ܯ‬ℎଵ . 9. The ciphertext is the tuple(‫ݑ‬, ܿ, ℎଶ ).

3.3. Decryption algorithm To decrypt the ciphertext(‫ݑ‬, ܿ, ℎଶ ), the decryption algorithm will run as follows.

1. 2. 3. 4. 5. 6.

Compute‫ ݑ‬௫ and ‫ ݑ(ܪ‬௫ ). Compute ‫ ܯ‬′ = ܿ⨁‫ ݑ(ܪ‬௫ ) Evaluate ‫ܪ‬ሺ‫ ܯ‬′ ሻ. Test whether ‫ܪ‬ሺ‫ ܯ‬′ሻ⨁ℎଶ = 0. If the answer in the step 3 is no, then the decryption algorithm will reject the ciphertext (i.e. returns⊥). If the answer in the step 3 is yes, then the decryption algorithm will output the message m.

3.4. Proof of correctness We now proceed to prove the correctness of the scheme as follows. 3.4.1. Proposition 1. If the ciphertext tuple(u, c, hଶ ) is valid, then the decryption algorithm will always output the correct m. Proof: Given the ciphertext(‫ݑ‬, ܿ, ℎଶ ), the decryption algorithm will compute‫ ݑ‬௫ and‫ ݑ(ܪ‬௫ ). Observe that ‫ ݑ‬௫ = (݃௥ ) ௫ = (݃ ௫ )௥ = ‫ ݕ‬௥ therefore we have ‫ܪ‬ሺ‫ ݑ‬௫ ሻ = ℎଵ = ‫ܪ‬ሺ‫ ݕ‬௥ ሻ Suppose that the ciphertext is valid, and then we will obtained ‫ ܯ‬by computing ܿ⨁‫ܪ‬ሺ‫ ݑ‬௫ ሻ = ‫ܪ⨁ܯ‬ሺ‫ ݕ‬௥ ሻ⨁‫ܪ‬ሺ‫ ݑ‬௫ ሻ = ‫⨁ܯ‬ℎଵ ⨁ℎଵ = ‫ܯ‬. Afterwards, it is trivial to extract݉ from its concatenation, thus the decryption algorithm is correct. 3.4.2. Remark We note that, during decryption process, the algorithm will check the validity of the given ciphertext before returning the message ݉ . This is made possible with the help of the collision resistance hash function ‫ )∙(ܪ‬as a checking mechanism for this process.

4. Numerical example We will now provide a clear illustration of the scheme. Suppose Bob decides to send Alice the message݉ = 432. First of all, Alice selects the prime ‫ = ݍ‬249863 and the primitive root݃ = 2. Let ॳ be an abelian group of large prime order ‫ ݍ‬and ݃ ∈ ॳ ≠ 1 is generator ofॳ, and then the key generation algorithm will run as follows. 1. Choose‫ = ݔ‬267 2. Set‫ = ݕ‬2ଶ଺଻ = 43756(݉‫݀݋‬249863) 3. Publicize the valueሺ‫ݍ‬, ݃, ‫ݕ‬ሻ = (249863, 2, 43756) In the mean time, Bob will choose an ephemeral key ‫ = ݎ‬173at random, and run the encryption algorithm as follows. 1. Compute‫݃ = ݑ‬௥ = 2ଵ଻ଷ = 162031(݉‫݀݋‬249863) 2. Compute ‫ ݕ‬௥ = 206984ሺ݉‫݀݋‬249863ሻ 3. Computesℎଵ = ‫ܪ‬ሺ‫ ݕ‬௥ ሻ = ‫ܪ‬ሺ206984ሻ = 241633 4. Choose a random integer݈ = 257. 5. Set ‫ = ݉ ∥ ݈ = ܯ‬257 ∥ 432 = 257432 6. Computesℎଶ = ‫ܪ‬ሺ257 ∥ 432ሻ = 442 7. Computes ܿ = ‫⨁ܯ‬ℎଵ = 257432⨁241633 = 17017 8. Sends the tupleሺ‫ݑ‬, ܿ, ℎଶ ሻ = (162031,17017,442) Upon receivingሺ162031,17017,442ሻ, Alice will run the decryption algorithm as follows. 1. Computes‫ ݑ‬௫ = 206984 and ‫ܪ‬ሺ‫ ݑ‬௫ ሻ = ‫ܪ‬ሺ206984ሻ = 241633. 2. Computes ‫ ܯ‬ᇱ = ܿ⨁‫ܪ‬ሺ‫ ݑ‬௫ ሻ = 17017⨁241633 = 257432 3. Checks ‫ܪ‬ሺ‫ ܯ‬ᇱ ሻ = ‫ܪ‬ሺ257432ሻ = 442. 4. Test ‫ܪ‬ሺ‫ ܯ‬ᇱ ሻ⨁ℎଶ gives 0.

5.

The answer in the above step is 0 thus the decryption algorithm will output the message ݉ = 432.

5. Security proof In this section we provide the following proposition for our proof of security.

5.1. Proposition 2. The above scheme is secure against chosen ciphertext attack assuming that the GHDH problem is intractable in the groupॳ and the hash functionH(∙) is a collision resistance hash function. Proof: The proof of the above proposition follows from the following lemmas. 5.1.1. Lemma 1. If there exists an adversary that is able to break the scheme, then we could use such adversary to solve the GHDH problem. Suppose we are given GHDH problem; to decide whetherܴ = ‫݃(ܪ‬௔௕ ) or whether it is just a random number from the distribution of(݃, ݃௔ , ݃௕ , ܴ). First of all, we assume that there exists an adversary ࣛ that could break our scheme with nonnegligible probability. Recall that during the CCA game, the adversary makes an arbitrary amount of decryption queries and is given a challenge ciphertext for distinguishability test. If the adversaryࣛ could break the scheme then it is capable to distinguish whether the challenge ciphertext is an encryption of ݉଴ or ݉ଵ . If such adversary exists, then we can solve the GHDH problem by constructing a simulator ࣭ and treat the adversary ࣛ as our black box. We illustrate the simulation as follows. Note that the simulation is pictured as a CCA game played by the simulator࣭ and the adversaryࣛ. From here on, we will only denote ࣭ for the simulator andࣛ as the adversary. At the beginning of the game, ࣭ setups his public key(݃, ‫)ݕ‬and sends it toࣛ. Next, ࣛ is allowed to request the decryption of any ciphertext ሺ‫ݑ‬′ , ܿ ′ , ℎ′ ሻ of his choices from࣭. As a result, ࣛ receives ݉′ or just ⊥ as his query results. During the challenge stage, ࣛ chooses a pair of distinct messages ݉଴ and ݉ଵ and sends the messages to ࣭ . Let ‫݉ ∥ ݈ = ܯ‬௕ where ܾ ∈ {0,1} is chosen randomly, then ࣭ computes the value ܿ = ‫ ܴ⨁ܯ‬where ܴ is obtained from the earlier distribution of(݃, ݃௔ , ݃௕ , ܴ) and the hash valueℎ = ‫ܪ‬ሺ‫ܯ‬ሻ. Next, ࣭ sets the challenge ciphertext as the tuple of(‫ݑ‬, ܿ, ℎ) and submits the tuple toࣛ. Since we assume thatࣛ could break our scheme, if the value ofܴ is actually‫݃(ܪ‬௔௕ ), then ࣛ will always give the answer ofܾ correctly, with nonnegligible probability. Else, we are certain that ܴ is just a random value in the groupॳ . This is sufficient to prove the lemma 1. Next, we need to prove that any decryption queries of any invalid ciphertexts will certainly be rejected. 5.1.2. Lemma 2. Decryption oracle will reject all invalid ciphertext. Suppose that the adversary submits an invalid ciphertext (‫ݑ‬′, ܿ′, ℎଶ ′) ≠ (‫ݑ‬, ܿ, ℎଶ ). Hence we are considering the following three cases. Case 1: Supposeሺ‫ݑ‬ᇱ , ܿ ᇱ , ℎ′ሻ = (‫ݑ‬ᇱ , ܿ, ℎଶ ). For the first case, upon receiving the ciphertext (‫ݑ‬ᇱ , ܿ, ℎଶ ), the decryption algorithm will proceed withܿ⨁‫ݑ(ܪ‬′௫ ). It is obvious that one can notice the value of ‫ݑ(ܪ‬′௫ ) is not equal to ‫ ݑ(ܪ‬௫ ), since we assume our hash function is collision resistant. As a result, the decryption algorithm will obtain ‫ ܯ‬′ from ܿ⨁‫ݑ(ܪ‬′ ௫ )and proceed to compare with the hash value ‫ܪ‬ሺ‫ ܯ‬′ሻ. Once again, if our assumption on the hash function holds, then ‫ܪ‬ሺ‫ ܯ‬′ ሻ ≠ ℎଶ . Thus with high probability, the ciphertext will be rejected by decryption oracle. We observe that the only option for the adversary to avoid rejection is appending the same value‫ݑ‬ᇱ = ‫ݑ‬. Case 2: Letሺ‫ݑ‬′ , ܿ ′ , ℎ′ ሻ = (‫ݑ‬, ܿ′, ℎଶ ).

For the second case, we utilize to the same value ‫݅(ݑ‬. ݁. ‫ݑ‬ᇱ = ‫ )ݑ‬with some modification done on the element ܿ. There are various ways we can modifyܿ. Let ܿ′ denote the modification of ܿ. Recall tha‫⨁ܯ = ܿݐ‬ℎଵ , and we proceed to alter as follows: 1. Let ‫ ܯ‬ᇱ in the form of ݈ ᇱ ∥ 0. Then we compute ܿ ᇱ = ‫ ܯ‬ᇱ ۩ ܿand submit it as (‫ݑ‬, ܿ ᇱ , ℎଶ )to the decryption oracle. Note that the decryption of ܿ ᇱ will result in the value‫ ܯ‬ᇱ ⨁‫݈ = ܯ‬′⨁݈ ∥ ݉. In this case the hash value ‫ܪ‬ሺ݈′⨁݈ ∥ ݉ሻ ≠ ℎଶ implies that the decryption algorithm certainly returns⊥. 2. Let ‫ ܯ‬ᇱ be in the form of 0 ∥ ݉′. By computing ܿ ᇱ = ‫ ܯ‬ᇱ ۩ ܿand submitting it as (‫ݑ‬, ܿ ᇱ , ℎଶ )to the decryption oracle, its output is‫ ܯ‬ᇱ ⨁‫݉ ∥ ݈ = ܯ‬′⨁݉. Since‫ܪ‬ሺ݈ ∥ ݉′⨁݉ሻ ≠ ℎଶ thus such ciphertext certainly will be rejected by the decryption algorithm. 3. Suppose the adversary submits ሺ‫ݑ‬, ܿ ′ , ℎଶ ሻ where‫ ܯ‬ᇱ = ݈ ᇱ ∥ ݉ᇱ andܿ ᇱ = ‫ܯ‬′⨁ܿ. The ciphertext will also will be rejected because the value‫ܪ‬ሺ݈′⨁݈ ∥ ݉′⨁݉ሻ ≠ ℎଶ . Case 3: We assumeሺ‫ݑ‬ᇱ , ܿ ᇱ , ℎᇱ ሻ = (‫ݑ‬, ܿ ᇱ , ℎᇱ ) and the adversary has already modifiedܿ ᇱ . Furthermore we assume that our adversary is able to generate his own hash value ℎᇱ ≠ ℎଶ . That is, the adversary has knowledge of the preimage of ℎᇱ upon submission. However this situation contradicts with our assumption upon the hash function, (i.e. it is infeasible to find ‫ܯ‬such that‫ܪ‬ሺ‫ܯ‬ሻ = ℎ). Therefore, for this case, the decryption algorithm will return⊥. The proof is now complete.

6. Conclusion In this paper, we have proposed a new variant of the ElGamal encryption scheme. Our scheme is proven secure against the chosen ciphertext attacks based on the assumption that the Gap Hashed Diffie-Hellman problem is hard and the hash function is collision resistance. Our system maintains the simple algebraic structure of the hash Elgamal and preserves its computational performance for encryption and decryption. Finally, the scheme is suitable to encrypt small messages securely. .

7. References [1] M. Abdalla, M. Bellare, and P. Rogaway, “The oracle Diffie-Hellman assumptions and an analysis of DHIES,” In Topics in cryptology—CT-RSA 2001 David Naccache (ed), SpringerVerlag, 2020, pp. 143–158, 2001. [2] M. Abe, E. Kiltz and T.Okamoto, “Compact CCA-secure encryption for messages of arbitrary length,” In Proceedings of the 12th International Conference on Practice and Theory in Public Key Cryptography: PKC '09 (Irvine), Springer-Verlag, Berlin, Heidelberg, pp. 377-392, 2009. [3] D. Cash, E. Kiltz, V. Shoup, “The Twin Diffie-Hellman Problem and Applications,” Journal of Cryptology, 22(4), pp. 470-504, 2009. [4] B. Chevallier-Mames, P. Paillier, and D. Pointcheval, “Encoding-free ElGamal encryption without random oracles,” In Proceedings of the 9th international conference on Theory and Practice of Public-Key Cryptography (PKC'06), Moti Yung, Yevgeniy Dodis, Aggelos Kiayias, and Tal Malkin (Eds.). Springer-Verlag, Berlin, Heidelberg, pp. 91-104, 2006. [5] R. Cramer and V. Shoup, “Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack,” SIAM Journal on Computing, 33(1), pp. 167-226, 2003. [6] W. Diffie and M.E. Hellman, “New Directions in Cryptography”, IEEE Transactions on Information Theory, 22(6), pp. 644-654, 1976. [7] T. Elgamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Transactions on Information Theory, 31(4), pp. 469-472, 1985. [8] European Network of Excellence in Cryptology II (ECRYPT II), “Main Computational Assumptions in Cryptography”, [Available Online]. [Last accessed on January 16, 2013]. [9] R. Gennaro, H. Krawczyk, and T. Rabin. Secure Hashed Diffie-Hellman over NonDDH Groups. In Eurocrypt '04, LNCS 3027, Springer-Verlag, Berlin, pp. 361-381. 2004. [10] E. Kiltz, “Chosen Ciphertext Secure Key-Encapsulation Based On Gap Hashed Diffie-Hellman,” In Proceedings of the 10th international conference on Practice and theory in public-key

cryptography (PKC'07), Tatsuaki Okamoto and Xiaoyun Wang (Eds.). Springer-Verlag, Berlin, Heidelberg, pp. 282-297, 2007. [11] N. Koblitz and A. J. Menezes, “Another look at provable security,” Journal of Cryptology, 20(1), pp. 3 – 37, 2007. [12] N. Koblitz and A. J. Menezes, “Intractable assumptions in cryptography,” In Proceedings of 9th International Conferences Finite Fields and Their Applications, Contemporary Mathematics, 518, pp. 279-300, 2010.