Fast Short and Fast Linear Cramer-Shoup

. A linear Cramer-Shoup encryption scheme version was proposed by Shacham in 2007. Short Cramer-Shoup encryption scheme was designed by Abdalla et al. in 2014. This scheme is a variant of the Cramer-Shoup encryption scheme that has a smaller size. They proved that it is an IND-PCA secure encryption under DDH and the collision-resistance assumptions. We design a faster version of Short Cramer-Shoup encryption scheme denoted Fast Short Cramer-Shoup encryption. We also, proposed a faster version of linear Cramer-Shoup encryption called Fast Linear Cramer-Shoup . We prove that the Fast Short Cramer-Shoup is IND-PCA secure under DDH and the collision-resistance assumptions. We also, show that our linear encryption is CCA secure under the Linear assumption. Finally we run an evaluation of performances of our schemes.


Introduction
Cramer-Shoup cryptosystem was introduced in 1998 by Cramer et al. in [?].It is an encryption scheme based on ElGamal encryption that is IND-CCA secure.In [?], a linear version of Cramer-Shoup scheme was proposed.A short Cramer-Shoup scheme was also proposed in [?].This scheme improves the performance of Cramer-Shoup scheme by reducing the number of generators in G and the number of parameters of the keys.This scheme is also IND-PCA secure which is lower security notion than IND-CCA and stronger than IND-CPA.But applied to small messages, IND-PCA implies IND-CCA.Contributions.Our main aim is to improve the efficiency of Short and Linear Cramer-Shoup public key schemes.Our contributions are as follows: -We design a cryptographic encryption scheme, called Fast Short Cramer-Shoup, based on the Generalized ElGamal encryption scheme [?].We follow the spirit of Short Cramer-Shoup versions introduced in [?].We modify the key generation and the decryption algorithm to be faster.We prove its security against Plaintext-Checking Attack (IND-PCA) under the Decisional Diffie-Hellman (DDH) and the collision-resistance assumptions.
-We also design a Fast Linear Short Cramer-Shoup scheme.We prove that our linear scheme is secure in the CCA sense if HF a secure UOWHF family and the Linear assumption hold in a group G. -Finally, we implement all these schemes with GMP [?] to demonstrate that Fast Short Cramer-Shoup and Fast Linear Cramer-Shoup are significantly faster than Short Cramer-Shoup and Linear Cramer-Shoup respectively.Related works.ElGamal cryptosystem was proposed in 1984 by T. ElGamal in [?].It was one of the first cryptosystems whose security was based on the problem of the discrete logarithm (DLP).ElGamal The linear ElGamal scheme is IND-CPA secure under the (DLin).In [?], Linear Cramer-Shoup scheme is presented.As Original Cramer-Shoup scheme, the Linear Cramer-Shoup scheme is IND-CCA secure under DDH.We improve both Short and Linear Cramer-Shoup schemes.Outline.In Section 2, we recall public key encryption and the existing Cramer-Shoup schemes.In Section 3, we present our Fast Short Cramer-Shoup encryption scheme.In Section 4, we also propose a Fast Linear version of Cramer-Shoup.In Section 5, we show the results of our performance evaluations.The security proofs of our proposed schemes are available in [?].

Boneh et al.
[?] introduced a Decisional assumption, called Linear, intended to take the place of DDH in groups -in particular, bilinear groups [?] -where DDH is easy.For this setting, the Linear problem has desirable properties, as they have shown: it is hard if DDH is hard, but, at least in generic groups [?], it remains hard even if DDH is easy.Let G be a cyclic multiplicative group of prime order p, and let g 1 , g 2 , and g 3 be arbitrary generators of G, we consider the following problem: Linear Problem in G: Given g 1 , g 2 , g 3 , g a 1 , g b 2 , g c 3 ∈ G as input, output yes if a + b = c and no otherwise.The advantage of an algorithm A in deciding the Linear problem in G is denoted by Adv linear A and it is equal to: | with the probability taken over the uniform random choice of the parameters to A and over the coin tosses of A. We say that an algorithm A(t, )-decides Linear in G if A runs in time at most t, and Adv linear A is at least .Definition 1.We say that the (t, )-Decision Linear Assumption holds in G if no algorithm (t, )-decides the Decision Linear problem in G.
The Linear problem is well defined in any group where DDH is well defined.It is mainly used in bilinear groups like in [?,?,?].

Original Cramer-Shoup Scheme
We recall the original Cramer-Shoup encryption scheme presented in the eprint version [?].It is composed of a key generation algorithm, an encryption and a decryption algorithm.The decryption algorithm consists into two algorithms one for recovering from the ciphertext the plaintext and one to check the nonmalleability of the ciphertext in order to ensure IND-CCA2 security.We define three functions: the setup function, denoted CS.KG(), the encryption function, denoted CS.Enc() and the decryption function, denoted CS.Dec().CS.KG(1 λ ): Select a group G of prime order q.Choose eight random elements: Choose a hash function H that hashes messages to elements of Z q .Return (pk, sk) where pk = (g 1 , g 2 , c, d, h, H) and sk = (x 1 , x 2 , y 1 , y 2 , z 1 , z 2 ).CS.Enc(pk, M ): To encrypt message m with pk = (g 1 , g 2 , c, d, h, H), choose a random element r ∈ Z q .Compute u if the condition holds, otherwise output "reject".Correctness: Verification: Since u 1 = g r 1 and u 2 = g r 2 , we have:
LCS.KG(1 λ ): Choose random generators g 1 , g 2 , g 3 $ ← G and exponents = v holds.If it does not, output "reject".Otherwise, compute and output M ← e/(u z1 1 u z2 2 u z3 3 ).Correctness: If the keys and encryption are generated according to the algorithms above, the test in LCS.Dec is satisfied, since we have Next, decryption algorithm computes M as follows, e/(u z1 1 u z2 2 u z3 3 ) = e/(g r1z1 Security proof of Linear Cramer-Shoup (LCS).Theorem 1. [?].LCS scheme is IND-CCA secure if HF is a secure UOWHF family and if the Linear assumption holds in G.

Short Cramer-Shoup Scheme
The Short Cramer-Shoup (SCS) encryption scheme [?] is a variant of the above Cramer-Shoup encryption scheme [?], but with one less element.It is defined as follows, in a cyclic group G of prime order p, with a generator g, together with a hash function H randomly drawn from a collision-resistant hash function family HF [?] from the set {0, 1} * ×G 2 to the set G\{1}.We define three functions: the setup function, denoted SCS.KG(), the encryption function, denoted SCS.Enc() and the decryption function, denoted SCS.Dec().We now describe how these functions work.Then compute m = eu −s and check v = u a+a α (em −1 ) b+b α .Output m if the condition holds, otherwise output "reject".Correctness.Decryption: eu −s = g sr mg −sr = m, since u = g r , e = h r m and h = g s .Verification: u a+a α (em −1 ) b+b α = (g r ) a+a α (g sr , where q p is the number of queries to the OPCA oracle.

Fast Short Cramer-Shoup
We define three functions: the setup function FSCS.KG(), the encryption function FSCS.Enc() and the decryption function FSCS.Dec().FSCS.KG(1 λ ): Select a cyclic group G of prime order p and a generator g.
Pick two random elements k, q ∈ Z p such that the size of q is half of the size of p, i.e., log 2 (q) = log2(p)

2
. Compute s , t ∈ Z p such that kp = qs + t and s ≡ s (mod p).Note that the size of t is smaller or equal to the size of q, i.e., log 2 (t) ≤ log 2 (q).Pick four random elements a, b, a , b ∈ Z p .Compute Choose a hash function H that hashes messages to elements of G.Return (pk, sk), where pk = (g 1 , h, c, d, H) and sk = (q, a, b, a , b ).Output m if the condition holds, otherwise output "reject".Correctness.Decryption: eu q = g tr mg srq = mg r(sq+t) = mg rkp = m, since u = g sr , e = h r m and h = g t .
The full proof is given in [?] and follows the proof of [?].
FLCS.KG(1 λ ): Choose a random generator g $ ← G of order p and random el- and the secret key is sk = (q 1 , q 2 , q 3 , x 1 , x 2 , x 3 , y 1 , y 2 , y 3 ).= v.If not, output "reject".Otherwise, compute and output M ← e(u q1 1 u q2 2 u q3 3 ).Correctness.If the keys and encryption are generated according to the algorithms above, the test in FLCS.Dec is satisfied, since we then have Next, decryption algorithm recovers the correct M , Security proof of Fast Linear Cramer-Shoup (FLCS).We now show that the the FLCS scheme is CCA secure.
Theorem 4. The FLCS scheme is secure in the CCA sense if HF a secure UOWHF family and the Linear assumption hold in G.
The full proof is given in [?] and follows the proof of [?].

Performances Evaluation
We compare efficiency between our proposed schemes and existing ones.We first study the complexity and the performance of the short Cramer-Shoup variant, namely Fast Short Cramer-Shoup encryption scheme (Section 3) and Short Cramer-Shoup encryption scheme (Section 2.3).Next, we study the complexity and the performance of the linear construction, namely Fast Linear Cramer-Shoup encryption scheme (Section 4) with Linear Cramer-Shoup encryption scheme (Section 2.2).
In both cases (short and linear variants), we chose to compare them algorithm by algorithm.Hence, we study key generation, encryption and decryption algorithms apart.Note that the decryption algorithm is composed of two steps: a verification and the actual decryption (for retrieving the initial message).Thus, the full decryption algorithm is divided in two, each part corresponding to those specific phases (verification and actual decryption).
For all algorithms, we split the study in two approaches to conduct such comparison.The first one is relative to the theoretical complexity; we look the number of operations needed for each algorithm.The second one is an experimental study.For this, we have implemented the schemes using the C-library GMP [?] for computing the average execution time of algorithms.In all schemes, there are 1000 execution trials where new security parameters and messages are randomly generated for each execution.For a complete comparison though, the security parameters (such as prime number) and messages are the same for the schemes.The curves shown are the average execution time for a given size of security parameter (from 2 9 = 512 to 2 12 = 4096 bits).Our proposed schemes are always represented by (black) circle points whereas standard schemes (Linear CS and Short CS) are represented by (blue) square points.

Short and Fast Short Cramer-Shoup
Key Generation Algorithms.We look for the differences between the key generation algorithm of Fast Short CS (Section 3) and Short CS protocol (Section 2.3).Table 1 shows that our scheme has the same number of parameters in the public and secret keys.Table 2 gives the number of parameters needed in this phase.The most noticeable difference lies in the number of modular exponentiations.Indeed, the short version uses only 5 of them while our uses 6.
The additional exponent comes from the term g 1 = g s ; our construction implies to use this element instead of a simple generator (as in the standard version).This computation's difference can be observed in Fig. 1, as expected.We conclude that key generation is slightly slower for our proposed scheme.However,  this inconvenient will be greatly rewarded during the decryption algorithm.Note that the key generation algorithm is ran only once per party thus the balance is in favour of the Fast Short Cramer-Shoup if several messages are sent/received with the same pair of key (i.e., the practical case).Encryption Algorithms.We now study the encryption algorithm.Since both schemes use the same encryption algorithm, we have the same number of operations, as it is shown in Table 3.This matches with the average execution time given in Fig. 2. Decryption Algorithms.Our contribution lies on a faster decryption algorithm.The average execution time is given in Fig. 3.The decryption algorithms are composed of two distinct phases: a verification to check integrity of the message sent, and the actual decryption where the message is decrypted.Note that the full decryption algorithm from the short   Actual Decryption.Our construction is dedicated to improve the actual decryption.There are two explanations for understanding the improvement of the average execution time (Fig. 4) during this phase.Firstly, The number of multiplication and modular exponentiation are the same, but the number of operations is reduced for the Fast Short CS.As depicted in Table 4, there is no inverse computation while the Short CS needs one.The second explanation lies on the modular exponentiation itself (from a purely computational point of view).
Indeed, despite the fact that both algorithms have the same computation there is a major difference, namely the size of the exponent.In the Fast Short CS, the exponent q has its size half of the security parameter leading to a faster modular exponentiation.
Verification phase.Both schemes have the same verification computations thus we have the same average execution time as shown in Fig. 5. Table 5.Comparison of Short and Fast Short Cramer-Shoup for verification.

Linear and Fast Linear Cramer-Shoup
We study the complexity and average execution time of the algorithms of Linear CS and Fast Linear CS.We compare the key generation algorithms of Linear CS and Fast Linear CS.From Table 6, we can see that there is one less modular exponentiation in the standard scheme.However, the fast version has two exponentiations: h 1 = g t1+t3 and h 1 = g t2+t3 , where elements t i are computed as the rest of the euclidean division (recall that the equations are : k i p = q i s i + t i for i = 1, 2, 3).We have t i ≤ q i where the size of q i is the half of the size of p. Thus elements t i have in average a size half of the size of q i leading to smaller exponentiation of h 1 and h 2 in the fast version.In addition, the fast variant has two less multiplications than the standard scheme.The results of our experiences, Fig. 6.Key Generation comparison of Linear and Fast Linear Cramer-Shoup.
presented in Fig. 6, confirm this slight improvement.As shown in Table 7 both schemes have the same number of key parameters.Encryption Algorithms.Both schemes use the same encryption algorithm thus the number of operations (Table 8) is the same so as the average execution time (Fig. 7).Decryption Algorithms.We observe in Fig. 8 that our proposed scheme has a faster decryption algorithm.Verification phase.The verification is identical in both schemes.Hence they have same execution time.The results given in Table 9 and Fig. 9 corroborate it.
Actual Decryption.The construction of the Fast Linear CS aims at reducing the execution time of this phase.In Table 10, we observe that the number of multiplication and modular exponentiation are the same.However, there is no inverse computation in the fast version unlike the standard scheme.This is the first ex- Table 10.Comparison of Linear and Fast Linear Cramer-Shoup for decryption.planation for the result given in Fig. 10.This cannot be the only reason yet since the Fast Linear CS decryption is about twice as fast as the Linear CS.Indeed, the second explanation for such result concerns the modular explanation itself.
Recall the decryption computations of the schemes: LCS: M = e/(u z1 1 u z2 2 u z3 3 ) and Fast LCS: M = e(u q1 1 u q2 2 u q3 3 ).The exponents z 1 , z 2 , z 3 of standard scheme are drawn from Z p while the exponents q 1 , q 2 , q 3 of fast version have their size equal to the half of the security parameter.Hence, in average, the modular exponentiation costs less from the latter elements.This conclude the study of the actual decryption where our proposed scheme needs only half of the execution time of the standard scheme.Yet, this important gain is relative to the full decryption algorithm where verification phase constitutes the majority of the execution time.
's scheme is IND-CPA secure under the Decisional Diffie-Hellman (DDH) hypothesis.Cramer-Shoup is a cryptosystem proposed by Cramer et al. in [?].It is based on ElGamal's scheme and it is IND-CCA2 secure under the DDH assumption.Many versions based on Original Cramer-Shoup scheme [?] have been introduced.The original Cramer-Shoup's scheme presented in the eprint version [?], then the standard Cramer-Shoup's version published in CRYPTO'98 [?], the efficient Cramer-Shoup's version also proposed in [?] and finally Short Cramer-Shoup's version proposed in [?].The main difference of Original and Standard Cramer-Shoup schemes is that the Standard scheme uses only one exponent z to compute the public parameter h instead of two exponents z 1 and z 2 in the Original scheme.In Section 4 of [?], the efficient variant of the Cramer-Shoup scheme is presented.Note that Original and Efficient Cramer-Shoup encryption algorithms are exactly the same.But theirs key generation and decryption algorithms are slightly different.In Efficient Cramer-Shoup, the key generation uses less elements and then less exponentiations.Short Cramer-Shoup scheme [?] is a variant of the above Cramer-Shoup scheme [?].In Short Cramer-Shoup, key generation algorithm uses less generator and less elements in public and secret keys.Original, Standard and Efficient Cramer-Shoup schemes are IND-CCA secure under DDH but Short Cramer-Shoup scheme is IND-PCA secure under the DDH and the collision-resistance assumptions.In [?], Boneh et al. introduced the Decisional Linear Assumption (DLin) and proposed a linear scheme based on ElGamal.
Security Proof of Fast Short Cramer-Shoup Scheme.We use the same notions and follows the same proof technique as in [?,?].Theorem 3. The Fast Short Cramer-Shoup (FSCS) is IND-PCA under the DDH and the collision-resistance assumptions:

Fig. 4 .
Fig. 4. Comparison of Short and Fast Cramer-Shoup for the actual decryption.

Table 1 .
Comparison of Short and Fast Short Cramer-Shoup for key parameters.

Table 2 .
Comparison of Short and Fast Short Cramer-Shoup.We emphasize the minimum for each row with bold.

Table 3 .
Comparison of Short and Fast Short Cramer-Shoup for encryption.

Table 4 .
Comparison of Short and Fast Short Cramer-Shoup for decryption.

Table 6 .
Key Generation comparison of Linear and Fast Linear Cramer-Shoup.

Table 7 .
Key Parameters comparison of Linear and Fast Linear Cramer-Shoup.

Table 8 .
Encryption comparison of Linear and Fast Linear Cramer-Shoup.Comparison of Linear and Fast Linear Cramer-Shoup for encryption.Full Decryption comparison of Linear and Fast Linear Cramer-Shoup.

Table 9 .
Verification comparison of Linear and Fast Linear Cramer-Shoup.