A Security-Mediated Encryption Scheme Based on ElGamal Variant

Abstract

Boneh et al. introduced mediated RSA (mRSA) in 2001 in an attempt to achieve faster key revocation for medium-sized organizations via the involvement of a security mediator (SEM) as a semi-trusted third party to provide partial ciphertext decryption for the receiver. In this paper, a pairing-free security mediated encryption scheme based on an ElGamal variant is proposed. The scheme features a similar setting as in the mediated RSA but with a different underlying primitive. We show that the proposed security mediated encryption scheme is secure indistinguishably against chosen-ciphertext attack (IND-CCA) in the random oracle via the hardness assumption of the computational Diffie-Hellman (CDH) problem.

1. Introduction

In 2001, Boneh et al. proposed a fast key revocation scheme—the mediated RSA (mRSA). This scheme features a new semi-trusted role, the security mediator (SEM), which takes part in the decryption process. The idea behind this mediated scheme is that the user’s secret key is effectively split into two parts, with one kept by SEM and the remaining one by the user. Whenever the user receives a ciphertext, he must relay it to SEM for partial decryption (token issuance) prior to recovering the full plaintext [1]. This property provides an advantage of instant revocation upon the certificate authority (CA) instructions. The SEM will stop assisting in the user’s partial ciphertext decryption, not only to decrypt ciphertext received in the future, but also to re-decrypt the ciphertext that has been received and decrypted previously.

The introduction of mRSA has initiated various security mediated schemes following this path such as the IB-mRSA/OAEP, a type of identity-based encryption (IBE) scheme proposed by Ding and Tsudik in 2003 based on mRSA [2]. The designed IB-mRSA/OAEP is proven to be secure indistinguishably against adaptive chosen-ciphertext attack (IND-CCA) in the random oracle model. To this end, the authors stated that the security proof in the standard model remains an open problem.

Chow et al. then introduced the notion of security mediated certificateless (SMC) cryptography in 2006 that provides the solution to the key escrow problem described in other security mediated schemes [3]. Besides generalizing the framework of SMC, they also provided a lightweight version of SMC cryptography that is fully adaptive chosen-ciphertext attack secure in the random oracle model via the intractability assumption of bilinear Diffie-Hellman (BDH) problem. In addition, Chow et al. claimed that their proposal is more efficient than Baek and Zheng’s ID-based mediated encryption scheme [4].

Following the trend of SMC cryptography by Chow et al., Yap et al. subsequently explored the notion of SMC signature. They proposed the very first concrete provable secure SMC signature scheme that is bilinear pairing-free. Based on the intractability assumption of the discrete logarithm problem (DLP), their scheme is proven to be existentially unforgeable under chosen message attack (EUF-CMA) in the random oracle mode [5]. In the same year, Yang et al. [6] and Lo et al. [7] came out with efficient certificateless pairing-free encryption schemes and mediated revocation-free encryption schemes respectively. Unfortunately, both the proposed schemes suffered from partial decryption attacks as demonstrated in [8]. Wan et al. also proposed a similar efficient pairing-free SMC signature scheme, but with proof of security in the random oracle model based on the hardness assumption of factoring [9].

While the majority of follow-ups focus on mediated IBE and signature schemes, Chin et al. in 2013 devised the first efficient security mediated identity-based identification (SM-IBI) scheme. Via the computational Diffie-Hellman (CDH) assumption, they provided the security proof against impersonation under passive, active and concurrent attacks in the random oracle model [10]. In the following year, Chin et al. further improved the efficiency of the SM-IBI scheme by proposing two pairing-free versions via the intractability of RSA and discrete logarithm assumptions, with security proofs against impersonation under passive, active and concurrent attacks both in the random oracle models [11].

In this paper, we propose a new security mediated encryption scheme based on an IND-CCA secure ElGamal variant. The motivation of our work is based on current existing non-certificateless mediated schemes by Boneh et al. [1]. We consider the IND-CCA-secure ElGamal encryption scheme designed by [12] and prove that our scheme is secure indistinguishably against chosen-ciphertext attack (IND-CCA) in the random oracle model via the hardness assumption of the computational Diffie-Hellman (CDH) problem.

The rest of the paper is organized as follows. Section 2 outlines necessary preliminaries, followed by a formal security model and definition of security mediated encryption scheme. In Section 3, the construction of a new security mediated encryption scheme based on an ElGamal variant is presented. Next, we provide the security proof of our designed scheme in Section 4. The analysis about the efficiency and performance proceedes in Section 5. Finally, we conclude our work in Section 6.

2. Preliminaries

We provide some mathematical and cryptographic backgrounds related to our work in this section, including mathematical hard problems, security mediated encryption scheme model, and corresponding security model. We note that the primary reference of our definitions in this section are due to [13], but similar definitions can be found in [14].

2.1. Computational Diffie-Hellman (CDH) Problem

Definition 1

(Computational Diffie-Hellman Problem [13]). Let g be a generator for ${\mathbb{G}}_p$ and let $h_1,h_2$ be non-zero elements of ${\mathbb{G}}_p$. Define ${\mathit{DH}}_g(h_1,h_2)=g^{{log}_g{h}_1·{log}_g{h}_2}$. That is, if $h_1=g^{x_1}$ and $h_2=g^{x_2}$, then

$${\mathit{DH}}_g(h_1,h_2)=g^{x_1·x_2}=h_1^{x_2}=h_2^{x_1}.$$

(1)

The CDH problem is to compute ${\mathit{DH}}_g(h_1,h_2)$ for uniform $h_1$ and $h_2$.

2.2. Security Mediated Encryption Scheme

A generic security mediated encryption scheme consists of three probabilistic polynomial-time algorithms:

• KeyGen. On input of security parameter $1^n$, generates system parameters $\left(\mathrm{Params}\right)$, user’s public key $\left(\mathrm{pk}\right)$, and user–SEM secret keys $\left(K_{\mathrm{user}},K_{\mathrm{sem}}\right)$.
• Encrypt. Sender takes in $\mathrm{Params}$, $\mathrm{pk}$ and message m, encrypts message into ciphertext c = Enc(Params, pk,m).
• Decrypt. Receiver firstly relay ciphertext c to SEM for partial decryption m₁ = Dec(c, K_sem) meanwhile computing his own part m₂ = Dec(c, K_user). Finally, receiver performs full decryption to recover message $m=m_1\ast m_2$, where ∗ represents necessary operation according to different scheme’s setting.

2.3. Security Model of Security Mediated Encryption Scheme

The following defines the IND-CCA security game corresponds to the security mediated encryption scheme above.

• Setup. On input of security parameter $1^n$, challenger $\mathcal{B}$ adapts and runs KeyGen of the encryption scheme to generate $\left\{\mathrm{Params},\mathrm{pk},K_{\mathrm{user}},K_{\mathrm{sem}}\right\}$. $\mathcal{B}$ provides adversary $\mathcal{A}$ with $\left\{\mathrm{Params},\mathrm{pk}\right\}$ and retains the $\left\{K_{\mathrm{user}},K_{\mathrm{sem}}\right\}$.
• Phase 1 (Decryption query). The following queries may be asked adaptively.

  (a)

  SEM-Decryption: $\mathcal{A}$ queries SEM-decryption for the ciphertext C of his choice. $\mathcal{B}$ responds with the corresponding SEM’s partial decryption to $\mathcal{A}$.

  (b)

  Full Decryption: $\mathcal{A}$ queries full decryption for the ciphertext C of his choice. $\mathcal{B}$ responds with decrypted plaintext m to $\mathcal{A}$.

• Challenge.$\mathcal{A}$ produces two messages $\left\{m_0,m_1\right\}$ of equal length to be challenged. $\mathcal{B}$ randomly picks $b\in \{0,1\}$ and outputs challenge ciphertext C^* = Enc(Params, pk,m_b) to $\mathcal{A}$.
• Phase 2.$\mathcal{A}$ may perform decryption queries for the ciphertext C of his choice as in Phase 1, except the challenge ciphertext $C^{*}$.
• Guess.$\mathcal{A}$ output a guess of $b^{\prime }$, ending the simulation. $\mathcal{A}$ wins if $b^{\prime }=b$.

Definition 2 (Indistinguishability against Chosen-Ciphertext Attack (IND-CCA) [13]). A public-key encryption scheme $\left(\mathrm{PKE}\right)$ is said to be IND-CCA secure if the guessing advantage of a probabilistic polynomial-time (PPT) $\mathcal{A}$, $\mathrm{Adv}\left[\mathcal{A}\right]$ is negligible. That is,

$$\mathrm{Adv}\left[\mathcal{A}\right]=\left|\mathrm{Pr}\left[{\mathrm{PKE}}_{\mathcal{A}}^{ind-cca}\left(n\right)=1\right]-\frac{1}{2}\right|\le \epsilon .$$

(2)

3. The Proposed Security Mediated ElGamal Encryption Scheme

We now describe the design of our security mediated encryption scheme based on the IND-CCA-secure ElGamal variant proposed by [12]. Our design involves some structural modifications in order to fit the concept of the security mediated cryptography. Hereafter, we use mediated ElGamal scheme (or abbreviated as $\mathrm{mEG}$) to denote the proposed security mediated encryption scheme. We point out some highlights of our proposed mediated ElGamal scheme below.

• The user’s public key (abbreviated as $\mathrm{mpk}$) X in the KeyGen Algorithm 1 is generated by CA using the user’s random master secret key (abbreviated as $\mathrm{msk}$) x which is unknown to anyone except CA itself.
• Next, the secret key x is split into two parts and sent securely to the user and SEM respectively as their decryption key.
• Any party who wishes to initiate communication shall obtain the user’s public key X from a public directory as part of the encryption procedure.

We now present the full mediated ElGamal scheme as follows. The Algorithm 1 of Key Generation describes the initial setting of system parameters including the public-private key pair, Algorithm 2 outlines the encryption procedures between sender and receiver, and Algorithm 3 shows the decryption of both SEM and receiver upon receiving the ciphertext.

Algorithm 1 Key Generation (KeyGen) of $\mathrm{mEG}$

Require: Security parameter $1^n$.

Ensure: System parameters $\{p,q,g,\widehat{e},{\mathbb{G}}_1,{\mathbb{G}}_2,H_1,H_2,H_3,H_4\}$, user’s public key X, user’s secret key x, user’s decryption key $x_{\mathrm{user}}$, and SEM’s decryption key $x_{\mathrm{sem}}$.

1: On input of security parameter $1^n$, generates two large primes $p,q$ with $\left|p\right|=\left|q\right|=n$, a generator g such that $\langle g\rangle ={\mathbb{Z}}_p^{*}$, and two groups ${\mathbb{G}}_1,{\mathbb{G}}_2$ of order q.

2: Generates the following pairing function $\widehat{e}$ and hash functions H such that:

(a)      $\widehat{e}:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$,

(b)      $H_1:{\{0,1\}}^n\times {\mathbb{Z}}_p^{*}\to {\mathbb{Z}}_p^{*}$,

(c)      $H_2:{\mathbb{Z}}_p^{*}\to {\{0,1\}}^n$,

(d)      $H_3:{\{0,1\}}^n\times {\{0,1\}}^n\to {\{0,1\}}^n$,

(e)      $H_4:{\mathbb{Z}}_p^{*}\times {\{0,1\}}^n\times {\mathbb{Z}}_p^{*}\to {\mathbb{Z}}_p^{*}$.

3: For each user i, computes $X_i\equiv g^{x_i}\left(\mathrm{mod}p\right)$ for a random integer $x_i\in {\mathbb{Z}}_p^{*}$.

4: Randomly selects $x_{{\mathrm{user}}_i}\in {\mathbb{Z}}_p^{*}$ and computes $x_{\mathrm{sem}}\equiv x_i-x_{{\mathrm{user}}_i}$ (mod $p-1$).

5: Publish system parameters $\{p,q,g,\widehat{e},{\mathbb{G}}_1,{\mathbb{G}}_2,H_1,H_2,H_3,H_4\}$ and user i’s $\mathrm{mpk}$$X_i$, sends user i’s decryption key $x_{{\mathrm{user}}_i}$ to user i and SEM’s decryption key $x_{\mathrm{sem}}$ to SEM.

6: The integer $x_i$ which is user i’s secret key, is kept secret.

Algorithm 2 Encryption (Encrypt) of $\mathrm{mEG}$

Require: System parameters $\{p,q,g,\widehat{e},{\mathbb{G}}_1,{\mathbb{G}}_2,H_1,H_2,H_3,H_4\}$, user’s public key X, user’s decryption key $x_{\mathrm{user}}$ and message m.

Ensure: Ciphertext $\{c_1,c_2,h_2,h_3,Y_i\}$.

1: User i who wishes to communicate will compute and publish his public key $Y_i\equiv g^{x_{{\mathrm{user}}_i}}\left(\mathrm{mod}p\right)$ using his decryption key $x_{{\mathrm{user}}_i}$.

2: Sender who wishes to send message m to user i obtains $X_i$ and perform following computations:

(a)        Selects a random string $\sigma \in {\{0,1\}}^n$ and computes $r=H_1\left(\sigma \Vert Y_i\right)$,

(b)        Computes $c_1\equiv g^r\left(\mathrm{mod}p\right)$ and next $h_1=H_2\left(X_i^r\right)$,

(c)        Set $M=\sigma \Vert m$, and compute $h_2=H_3\left(M\right)$,

(d)        Computes $c_2=M\oplus h_1$.

(e)        Computes $h_3=H_4{\left(c_1,c_2,Y_i\right)}^r$.

3: Sends ciphertext $C=\left\{c_1,c_2,h_2,h_3,Y_i\right\}$ to user i.

Algorithm 3 Decryption (Decrypt) of $\mathrm{mEG}$

Require: System parameters $\{p,q,g,\widehat{e},{\mathbb{G}}_1,{\mathbb{G}}_2,H_1,H_2,H_3,H_4\}$, user’s public key X, user’s public key Y, user’s decryption key $x_{\mathrm{user}}$, SEM’s decryption key $x_{\mathrm{sem}}$ and ciphertext $C=\{c_1,c_2,h_2,h_3,Y_i\}$.

Ensure: Message m.

SEM-Decryption:

1: User i upon receiving ciphertext $C=\{c_1,c_2,h_2,h_3,Y_i\}$, relays it to SEM.

2: SEM checks whether $\widehat{e}\left(g,h_3\right)=\widehat{e}\left(c_1,H_4\left(c_1,c_2,Y_i\right)\right)$. If it does, computes partial decryption $c_1^{x_{\mathrm{sem}}}$ and replies it to user i. Otherwise, it rejects ciphertext C.

User-Decryption:

1: User i receives partial decryption from SEM, and next compute the following series of computations to recover message m:

(a)      Checks whether $\widehat{e}\left(g,h_3\right)=\widehat{e}\left(c_1,H_4\left(c_1,c_2,Y_i\right)\right)$. If it does, then continue the decryption procedures. Otherwise, it rejects ciphertext C,

(b)      Computes $c_1^{x_{\mathrm{sem}}}·c_1^{x_{{\mathrm{user}}_i}}$, and next $h_1^{\prime }=H_2\left(c_1^{x_{\mathrm{sem}}}·c_1^{x_{{\mathrm{user}}_i}}\right)$,

(c)      Computes $M^{\prime }=c_2\oplus h_1^{\prime }$, and checks whether $h_2=H_3\left(M^{\prime }\right)$. If it does, then parse message m from $\sigma \Vert m$. Otherwise, it rejects ciphertext C.

2: Lastly, computes $r^{\prime }=H_1\left(\sigma \Vert Y_i\right)$, and verifies whether $c_1=g^{r^{\prime }}\left(\mathrm{mod}p\right)$.

Proof of correctness. The correctness of the proposed mediated ElGamal scheme begins with the ciphertext validation by SEM, that is

$$\begin{array}{ccc}\hfill \widehat{e}\left(g,h_3\right)& =& \widehat{e}\left(g,H_4{\left(c_1,c_2,Y_i\right)}^r\right)\hfill \\ & =& \widehat{e}\left(g^r,H_4\left(c_1,c_2,Y_i\right)\right)\hfill \\ & =& \widehat{e}\left(c_1,H_4\left(c_1,c_2,Y_i\right)\right).\hfill \end{array}$$

Next, one can easily verify the correctness of the combination of both the partial decryptions from SEM and user i respectively such that

$$\begin{array}{ccc}\hfill c_1^{x_{\mathrm{sem}}}·c_1^{x_{{\mathrm{user}}_i}}& =& c_1^{x_{\mathrm{sem}}+x_{{\mathrm{user}}_i}}\hfill \\ & =& c_1^{x_i}\hfill \\ & =& g^{r{x}_i}\hfill \\ & =& X_i^r\hfill \end{array}$$

so that $h_1=H_2\left(X_i^r\right)$. Then, one can proceed with the decryption of $M=c_2\oplus h_1$, followed by the verification of $h_2=H_3\left(M\right)$. This next enables the extraction of $\sigma$ and message m from the string of $\sigma \Vert m$ and finally checks whether $c_1=g^{H_1\left(\sigma \Vert Y_i\right)}$.  ☐

Remark 1.

As $\sigma \Vert m$ is the concatenation of σ and message m, while σ is of n-bit, it is possible for a user to extract σ and m efficiently from it for the next ciphertext $c_1$ integrity check.

4. Security Proof of the Proposed Mediated ElGamal Scheme

We put forward in this section the indistinguishability against chosen-ciphertext attack (IND-CCA) security proof of our proposed mediated ElGamal scheme. Our proof is constructed based on the hardness assumption of solving the CDH problem.

Theorem 1.

Let $\mathrm{mEG}$ be the proposed mediated ElGamal scheme as described in Section 3, and $\mathcal{A}$ be a probabilistic polynomial-time (PPT) adversary that has access tomEG. Then the proposed mediated ElGamal scheme is secure indistinguishably against chosen-ciphertext attack (IND-CCA) in the random oracle model via assumption that solving the computational Diffie-Hellman (CDH) problem is hard. That is,

$$\mathrm{Pr}\left[{mEG}_{\mathcal{A}}^{ind-cca}\left(n\right)=1\right]\le \frac{1}{2}+\frac{\epsilon }{q_{H_2}}+\frac{q_{H_1}}{p}+\frac{q_{H_3}}{2^{n-1}},$$

where ε denotes the negligible function, and $q_{H_1},q_{H_2}$ and $q_{H_3}$ represent the number of $H_1,H_2$ and $H_3$ queries, respectively.

Proof. 

Suppose there exists an adversary $\mathcal{A}$ who can break the mediated ElGamal scheme, then we can construct a challenger $\mathcal{B}$ to solve the CDH problem. $\mathcal{B}$ is given the CDH instances of $\left(g,g^a,g^b\right)$ of cyclic group $\left\{{\mathbb{Z}}_p^{*},p,g\right\}$, and modeled all $H_1,H_2,H_3,H_4$ as random oracles. We now describe the interaction between the challenger $\mathcal{B}$ and adversary $\mathcal{A}$ in the following game.

• Setup: Challenger $\mathcal{B}$ initially takes on security parameter $1^n$ as input and runs KeyGen to output system parameters $\{p,q,g,\widehat{e},{\mathbb{G}}_1,{\mathbb{G}}_2,H_1,H_2,H_3,H_4\}$ and sets public key as $X=g^a$ where $a=x$. These system parameters and public key are sent to $\mathcal{A}$. Note that $\mathcal{B}$ does not know the secret integer x.
• H-query:$\mathcal{B}$ prepares four different hash lists to record and store all the hash queries and responses. The lists are initially empty.

  (a)

  $H_1$-query: For any $w_i$ query made, $\mathcal{B}$ checks if such query exist. If it does, it responds with the corresponding $W_i$. Otherwise, it randomly samples $W_i\leftarrow {\mathbb{Z}}_p^{*}$ and returns $H_1\left(w_i\right)=W_i$. Lastly, it adds $\left(w_i,W_i\right)$ to the $H_1$-list.

  (b)

  $H_2$-query: For any $u_i$ query made, $\mathcal{B}$ checks if such query exist. If it does, it responds with the corresponding $U_i$. Otherwise, it randomly chooses $U_i\leftarrow {\left\{0,1\right\}}^n$ and returns $H_2\left(u_i\right)=U_i$. Lastly, it updates $\left(u_i,U_i\right)$ to the $H_2$-list.

  (c)

  $H_3$-query: For any $v_i$ query made, $\mathcal{B}$ checks if such query exist. If it does, it responds with the corresponding $V_i$. Otherwise, it randomly chooses $V_i\leftarrow {\left\{0,1\right\}}^n$ and returns $H_3\left(v_i\right)=V_i$. Lastly, it adds $\left(v_i,V_i\right)$ to the $H_3$-list.

  (d)

  $H_4$-query: For any $z_i$ query made, $\mathcal{B}$ checks if such query exist. If it does, it responds with the corresponding $Z_i$. Otherwise, it randomly samples $Z_i\leftarrow {\mathbb{Z}}_p^{*}$ and returns $H_4\left(z_i\right)=Z_i$. Lastly, it updates $\left(z_i,Z_i\right)$ to the $H_4$-list.

• Phase 1 (Decryption query):

  (a)

  SEM-Decryption query: $\mathcal{A}$ queries the SEM-decryption of the ciphertext $C=\{c_1,c_2,h_2,h_3,Y_i\}$ of his choice. $\mathcal{B}$ firstly search through the $H_1$ and $H_4$-lists whether there exists the pairs of $\left(w_i,W_i\right)$ and $\left(z_i,Z_i\right)$ such that $c_1=g^W$ and $\widehat{e}\left(g,h_3\right)=\widehat{e}\left(c_1,Z\right)$ are valid. If it does, it computes ${\displaystyle {\left(\frac{X}{Y_i}\right)}^W}$ as SEM’s partial decryption and returns the SEM-Decryption result to $\mathcal{A}$. Otherwise, it returns ⊥. Observe that

  $$\begin{array}{ccc}\hfill X& =& g^x\hfill \\ & =& g^{x_{\mathrm{sem}}+x_{{\mathrm{user}}_i}}\hfill \\ & =& g^{x_{\mathrm{sem}}}·g^{x_{{\mathrm{user}}_i}}\hfill \\ & =& g^{x_{\mathrm{sem}}}·Y_i.\hfill \end{array}$$

  Then, ${\displaystyle g^{x_{\mathrm{sem}}}=\frac{X}{Y_i}}$ and

  $${\left(\frac{X}{Y_i}\right)}^W={\left(g^{x_{\mathrm{sem}}}\right)}^W={\left(g^W\right)}^{x_{\mathrm{sem}}}=c_1^{x_{\mathrm{sem}}}$$

  is a valid SEM’s partial decryption in the simulation.

  (b)

  Full-Decryption query: $\mathcal{A}$ queries the full decryption of the ciphertext $C=\{c_1,c_2,h_2,h_3,Y_i\}$ of his choice. $\mathcal{B}$ firstly search through all the H-lists whether there exists the pairs of $\left(w_i,W_i\right),\left(u_i,U_i\right),\left(v_i,V_i\right),\left(z_i,Z_i\right)$ such that

  $$\begin{array}{ccc}\hfill w& =& \sigma \Vert Y_i\hfill \\ \hfill u& =& X^W\hfill \\ \hfill v& =& \sigma \Vert m\hfill \\ \hfill c_1& =& g^W\hfill \\ \hfill c_2& =& v\oplus U\hfill \\ \hfill \widehat{e}\left(g,h_3\right)& =& \widehat{e}\left(c_1,Z\right).\hfill \end{array}$$

  We consider the following possible scenarios:

  • Case 1: If all the above queries exists, it outputs and returns the corresponding m as decryption result.
  • Case 2: Only $\left(w_i,W_i\right)$, $\left(v_i,V_i\right)$ and $\left(z_i,Z_i\right)$ exist. Then $c_1=g^W$ and $\widehat{e}\left(g,h_3\right)=\widehat{e}\left(c_1,Z\right)$ are valid. Also, by the knowledge of $Y_i$ from C, $\mathcal{B}$ can extract $\sigma$ from w and next to extract m from v. It can then compute $u=X^W$ and adds the new $\left(u,U\right)$ query to the $H_2$-list. Note that it is easy to verify the validity of such additional query since by $\left(v,V\right)$, $\mathcal{B}$ can invert $U=c_2\oplus v$ to obtain U. If every query is valid, it returns m as decryption result, otherwise it returns ⊥.
  • Case 3: Only $\left(w_i,W_i\right)$ and $\left(z_i,Z_i\right)$ exist. Then $c_1=g^W$ and $\widehat{e}\left(g,h_3\right)=\widehat{e}\left(c_1,Z\right)$ are valid. Also, by the knowledge of $Y_i$ from C, $\mathcal{B}$ can extract $\sigma$ from w. It can next compute $u=X^W$ and samples a random U to updates both the new $\left(u,U\right)$ and $\left(v,V\right)$ queries to the H-lists. Note that it is easy to verify the validity of all such additional queries since by $\left(u,U\right)$, $\mathcal{B}$ can invert $v=c_2\oplus U$ to obtain v and sample a random V. In addition, the inverted v enables the extraction of m. If every query is valid, it returns m as decryption result, otherwise it returns ⊥.
  • Case 4: Only $\left(w_i,W_i\right)$ exists. Then $c_1=g^W$ is valid. Also, by the knowledge of $Y_i$ from C, $\mathcal{B}$ can extract $\sigma$ from w. It can next compute $u=X^W$ and samples a random U to updates all the new $\left(u,U\right)$ and $\left(v,V\right)$ and $\left(z,Z\right)$ queries to the H-lists. Again, it is easy to decide the validity of all such additional queries since by $\left(u,U\right)$, $\mathcal{B}$ can invert $v=c_2\oplus U$ to obtain v and sample a random V. In addition, the inverted v enables the extraction of m. As for the query of $\left(z,Z\right)$, $\mathcal{B}$ reverts $Z=h_3^{-W}$ and then samples z randomly, this is indistinguishable from the $\mathcal{A}$’s point of view. If every query is valid, it returns m as decryption result, otherwise it returns ⊥.
  • Case 5: If none of the queries satisfy the ciphertext structures, it returns ⊥.

• Challenge: When $\mathcal{A}$ is ready to perform the attack, he sends two distinct messages of equal length $m_0,m_1\in {\left\{0,1\right\}}^n$. $\mathcal{B}$ randomly selects bit $l\in \{0,1\}$, ${\sigma }^{*},R_1,R_2\in {\left\{0,1\right\}}^n$ and $Y^{*}\in {\mathbb{Z}}_p^{*}$. Next, it outputs challenge ciphertext $C^{*}$ as

  $$C^{*}=\left(g^b,R_1,h_2^{*},R_2,Y^{*}\right),$$

  (3)

  where $g^b$ is taken from the CDH instance. Observe that the challenge ciphertext could be treated as the encryption of message $m_l\in \{m_0,m_1\}$ using the random chosen string ${\sigma }^{*}\in {\{0,1\}}^n$ such that

  (a)

  $b=H_1\left({\sigma }^{*}\Vert Y^{*}\right)$,

  (b)

  $R_1=M\oplus H_2\left(X^b\right)$,

  (c)

  $h_2^{*}=H_3\left({\sigma }^{*}\Vert m_l\right)$,

  (d)

  $R_2=H_4{\left(g^b,R_1,Y^{*}\right)}^b$.

  Hence, the challenge ciphertext $C^{*}$ is a correct and valid ciphertext in the $\mathcal{A}$’s point of view if it does not query the following to random oracle:

  $$\begin{array}{ccc}\hfill u& =& X^b\hfill \\ \hfill w& =& {\sigma }^{*}\Vert Y^{*}\hfill \\ \hfill v& =& {\sigma }^{*}\Vert m_l\hfill \\ \hfill z& =& \left(g^b,R_1,Y^{*}\right).\hfill \end{array}$$
• Phase 2: $\mathcal{A}$ is allowed to continue querying decryption of the ciphertext C of his choice, except the challenge ciphertext $C^{*}$.
• Guess:$\mathcal{A}$ finally output his guess of $l^{\prime }$, ending the IND-CCA game. $\mathcal{A}$ wins the game if $l^{\prime }=l$. Note that the challenge hash query is the Diffie-Hellman shared value $X^b=g^{ab}$ which is a query to the random oracle $H_2$. $\mathcal{B}$ randomly selects one of the queries $\left(\left(u_1,U_1\right),\dots ,\left(u_{q_{H_2}},U_{q_{H_2}}\right)\right)$ in $H_2$-list as the challenge hash query, and output the solution to the CDH problem.

It remains now to evaluate the advantage of the simulated game described above. We discuss the following two possible cases that could happen:

• Scenario 1. If $\mathcal{A}$ does not query the challenge hash query $X^b=g^{ab}$, then the only alternative way that it could break the challenge ciphertext is to search for the existence of the following queries:

  $$\begin{array}{ccc}& H_3\left({\sigma }^{*}\Vert m_0\right)=h_2& \\ & \mathrm{or}& \hfill \end{array}$$

  (4)

  $$\begin{array}{cc}& H_3\left({\sigma }^{*}\Vert m_1\right)=h_2\end{array}$$

  (5)

  from the $H_3$-list; or

  $$\begin{array}{ccc}\hfill b& =& H_1\left({\sigma }^{*}\Vert Y^{*}\right)\hfill \end{array}$$

  (6)

  from $H_1$-list, which has the total negligible probability of ${\displaystyle \left(\frac{q_{H_1}}{p}+\frac{2q_{H_3}}{2^n}\right)}$, where $q_{H_1},q_{H_3}$ represents the total number of $H_1$ and $H_3$ queries, respectively.
• Scenario 2. If $\mathcal{A}$ does query the challenge hash query $X^b=g^{ab}$, then it can gain advantage in guessing the encrypted message $m_l$ correctly. Otherwise, it can only guess it with negligible advantage. As $\mathcal{A}$ has the advantage of $\epsilon$ in outputting the correct bit $l\in \{0,1\}$ following the hardness assumption of breaking the CDH problem, such event could only occur if and only if the challenge hash query $X^b=g^{ab}$ exists in the $H_2$ list. Let $q_{H_2}$ be the total number of $H_2$ queries in the simulated game, following the IND-CCA model, we have:

  $$\mathrm{Adv}\left[\mathcal{A}\right]=\left|\mathrm{Pr}\left[{\mathrm{mEG}}_{\mathcal{A}}^{\mathrm{ind}-\mathrm{cca}}\left(n\right)=1\right]-\frac{1}{2}\right|\le \frac{\epsilon }{q_{H_2}}.$$

Putting both the above cases together, hence

$$\mathrm{Pr}\left[{\mathrm{mEG}}_{\mathcal{A}}^{\mathrm{ind}-\mathrm{cca}}\left(n\right)=1\right]\le \frac{1}{2}+\frac{\epsilon }{q_{H_2}}+\frac{q_{H_1}}{p}+\frac{q_{H_3}}{2^{n-1}}.$$

This completes the proof of security of the proposed mediated ElGamal scheme.  ☐

5. Efficiency and Performance Analysis

We discuss the efficiency and performance about the proposed mediated ElGamal encryption scheme in Section 3. We emphasize a few important points based on our proposal as follows:

• Key escrow. Our proposed mediated ElGamal scheme currently does not consider the issue of key escrow. In other words, our scheme suffered from key escrow problem, in which the CA has absolute control of the user’s secret key. Therefore, we assume that CA is not compromise-able and is wholly trusted. We will address this issue in the subsequent work.
• Non-certificateless. Our proposed mediated ElGamal scheme is not certificateless as in the SMC by [3]. In other words, users’ public keys will need to be submitted to CA for authentication.
• Integrity. As we apply the Fujisaki-Okamoto transformation in our design, the proposed mediated ElGamal scheme does provide ciphertext integrity checks either on the SEM side, or on the receiver side on top of ensuring confidentiality of the encrypted message.
• Pairing-free. Unlike some other mediated encryption schemes, our mediated ElGamal scheme is pairing-free in the sense that we do not involve pairing computations in the encryption and decryption. One can observe easily that the pairing function in our scheme only serves to provide ciphertext validity check by SEM and the receiver. Hence, our scheme does not suffer from major efficiency and cost-computation drawbacks.
• Novelty. Current security mediated cryptography focuses on ID-based, signature schemes, or is mostly designed based on pairing functions. Our proposed mediated ElGamal scheme on the other hand, utilized the ElGamal variant as our primitive and is also pairing-free in the encryption and decryption.

The overall computational efficiency of our proposed mediated ElGamal scheme is presented in

Table 1. Computational Efficiency of The Proposed Mediated ElGamal Encryption Scheme.

Operation	X-OR	Subtraction/ Multiplication	Exponentiation	Hashing	Pairing
Key Generation	0	1	1	0	0
Encryption	1	0	4	4	0
SEM-Decryption	0	0	1	1	2
User-Decryption	1	1	2	4	2

below.

Next, we summarize the performances of the current existing mediated encryption schemes, including both the traditional and IBE types in the following

Table 2. Computation Performance of Security Mediated Encryption Schemes.

Scheme	Type	Encrypt	SEM- Decrypt	User- Decrypt	Pairing- Free	Certificate- Less	Escrow Freeness
mRSA [1]	Enc	$1\mathrm{Exp}$	$1\mathrm{Exp}$	$1\mathrm{Exp},$ $1\mathrm{Mul}$	Yes	No	No
Our Scheme	Enc	$4\mathrm{Exp},$ $1\oplus ,4\mathrm{H}$	$1\mathrm{Exp}$	$2\mathrm{Exp},$ $1\mathrm{Mul},$ $1\oplus ,3\mathrm{H}$	Yes	No	No
SMC [3]	IBE	$3\mathrm{Exp},$ $1\mathrm{P},1\mathrm{H}$	$3\mathrm{P},1\mathrm{H}$	$2\mathrm{Mul},$ $1\oplus ,2\mathrm{H}$	No	Yes	Yes
MCL-PKE [6]	IBE	$3\mathrm{Exp},$ $1\mathrm{Mul},$ $3\oplus ,4\mathrm{H}$	$1\mathrm{Exp},$ $1\mathrm{H}$	$2\mathrm{Exp},$ $3\oplus ,3\mathrm{H}$	Yes	Yes	Yes
mRFPKE [7]	IBE	$1\mathrm{Exp},$ $1\mathrm{Mul},$ $2\oplus ,4\mathrm{H},$ $2\mathrm{P}$	$1\mathrm{P}$	$2\mathrm{Mul},$ $2\oplus ,3\mathrm{H},$ $1\mathrm{P}$	No	Yes	Yes

. We excluded the ciphertext validity check upon receiving the ciphertext tuple by either SEM or user in this summary, as some mediated schemes (i.e., in [6,7]) do not provide such computations in their original proposal.

In this Table 2, ‘$\mathrm{Exp}$’ denotes exponentiation, ‘$\mathrm{Mul}$’ indicates multiplication, ‘⊕’ represents exclusive-OR, ‘$\mathrm{H}$’ denotes hash, and ‘$\mathrm{P}$’ means pairing.

Algebraically, our proposed mediated ElGamal scheme utilizes different primitive and at a glance, the performance is somewhat undesirable compared to mRSA [1]. Such occurrence is due to the Fujisaki-Okamoto transformation in the IND-CCA ElGamal variant, which is not required in mRSA.

Observe that the SEM that operates on the central server has the most extensive operational overhead upon deployment. This is because it caters to all the communication interactions. On the other hand, encryption and user-decryption occur at individual sites and occurs once in a while. One can assume long intervals of inactivity when compared to the server site.

In the context of cryptographic deployment, the current recommended key length required by RSA to achieve 128-bit security is 2048 bits and 1024 bits for discrete logarithm based cryptographic schemes. Hence, our scheme is notably better suited for high volume communication than the pairing-free scheme mRSA.The high volume of operations at the server site is much more efficient via our scheme than mRSA.

For the security mediated IBE schemes, although MCL-PKE [6] gives better efficiency as it is pairing-free, only SMC [3] withstands various cryptanalysis and remain secure among the three. Both MCL-PKE [6] and mRFPKE [7] were broken under a partial decryption attack. Nonetheless, all these three mediated IBE schemes achieved certificateless property and are key-escrow free. On a non-apple-to-apple comparison between our pairing-free with pairing-based schemes, it is evident that our scheme performs better than the discrete logarithm scheme MCL-PKE. Our design has significantly fewer operations in each process. Moreover, further research on our scheme would strive towards certificateless and escrow freeness properties as in MCL-PKE [6].

6. Conclusions

In this paper, a new mediated encryption scheme based on the ElGamal variant is proposed and proved to be IND-CCA secure via the hardness assumption of the computational Diffie-Hellman problem. As this is our first attempt to utilize another well-known primitive in proposing a mediated encryption scheme, it exhibits the key-escrow problem and lack of certificateless property. Our next objective is to provide an overall mediated encryption scheme, resolving all the weaknesses addressed above. Our scheme can easily be transformed into an elliptic curve and pairing-based settings via the hardness assumption of the elliptic curve Diffie-Hellman (ECDH) and bilinear Diffie-Hellman (BDH) problems, respectively. Finally, we expect various schemes to be designed in the future based on the ElGamal variant, such as mediated IBE, signature, IBI, and certificateless-type schemes like those in the existing literature.