A construction of encryption protocols over some semidirect products

2.1 Semidirect product

For a group G , ord ( G ) denotes the order of G . The symbol e is used for the identity element of groups. Let G 1 and G 2 be two subgroups of a group G . The group G is called a semidirect product of G 1 by G 2 if the following three conditions hold:

1. G 1 ⊲ G ,

2. G 1 ∩ G 2 = { e } , and

3. G = G 1 G 2 , that is, any element h ∈ G can be written in the form h = h 1 h 2 for some h 1 ∈ G 1 and h 2 ∈ G 2 .

As platform groups of our encryption protocol, we use a “semidirect product of a semidirect product,” that is, a group G of the form G = ( G 1 ⋊ G 2 ) ⋊ G 3 for some subgroups G 1 , G 2 , and G 3 . In particular, we exclusively consider the case where ord ( G 1 ) = p 1 and ord ( G 2 ) = ord ( G 3 ) = p 2 for some distinct primes p 1 and p 2 . Let g i be a generator of G i for each i = 1 , 2 , 3 , and we write G = ( ⟨ g 1 ⟩ ⋊ ⟨ g 2 ⟩ ) ⋊ ⟨ g 3 ⟩ . The group G has the following properties (S1)–(S3):

1. ⟨ g 1 ⟩ ⊲ ⟨ g 1 ⟩ ⋊ ⟨ g 2 ⟩ and ⟨ g 1 ⟩ ⋊ ⟨ g 2 ⟩ ⊲ G ;

2. ⟨ g 1 ⟩ ∩ ⟨ g 2 ⟩ = { e } and ( ⟨ g 1 ⟩ ⋊ ⟨ g 2 ⟩ ) ∩ ⟨ g 3 ⟩ = { e } ; and

3. ⟨ g 1 ⟩ ⋊ ⟨ g 2 ⟩ = ⟨ g 1 ⟩ ⟨ g 2 ⟩ and G = ⟨ g 1 ⟩ ⟨ g 2 ⟩ ⟨ g 3 ⟩ .

Equation (2.1) implies that the orders of α and β in Z p 1 × are either 1 or p 2 . Hence, unless p 2 ∣ p 1 − 1 , we must have α = β = 1 because they cannot have order p 2 in Z p 1 × , and therefore, g 1 g 2 = g 2 g 1 and g 1 g 3 = g 3 g 1 by equation (2.2). In this article, we assume that p 2 ∣ p 1 − 1 and that α ≠ 1 , β ≠ 1 , and γ ≠ 0 . This implies that the generators g 1 , g 2 , and g 3 do not mutually commute.

2.2 Word

Let T = { t 1 , … , t n } be a set of n elements, called a set of formal letters. We consider new formal letters t 1 − 1 , … , t n − 1 and define the set of inverse letters by T − 1 = { t 1 − 1 , … , t n − 1 } , which is assumed to be disjoint from T . We define ( t i − 1 ) − 1 = t i for each letter t i . A finite (possibly empty) sequence w = t i 1 ε 1 ⋯ t i l ε l , where t i j ∈ T and ε j ∈ { 1 , − 1 } , is called a word in T . We often write w ( T ) to denote that w is a word in T . The empty sequence is called the empty word. For any words w 1 and w 2 , [ w 1 , w 2 ] = w 1 w 2 w 1 − 1 w 2 − 1 denotes the commutator of them.

Let G be a group, and let S = ( s 1 , … , s n ) ∈ G n . For a word w in a set T = { t 1 , … , t n } of formal letters, we substitute t i = s i and t i − 1 = s i − 1 into w for each i = 1 , … , n , where s i − 1 denotes the inverse of s i in G , to produce an element, denoted by w ( S ) , of G . When w is the empty word, we set w ( S ) = e . We define g S g − 1 = ( g s 1 g − 1 , … , g s n g − 1 ) for any g ∈ G . The following proposition is easily obtained by direct calculation.

In this article, we use two “two-letter sets” T = { t 2 , t 3 } and T ¯ = { t ¯ 2 , t ¯ 3 } and consider only words of the form w ( T ) = [ t 2 , t 3 ] n 1 t 2 n 2 t 3 n 3 and w ( T ¯ ) = [ t ¯ 2 , t ¯ 3 ] n 1 t ¯ 2 n 2 t ¯ 3 n 3 for some n 1 ∈ Z p 1 and n 2 , n 3 ∈ Z p 2 , where p 1 and p 2 are distinct primes.

3.1 Group generation and hashing scheme

We first define a group generation algorithm GGen . It is a probabilistic polynomial-time (PPT) algorithm. Let k denote the security parameter. On input 1 k , the juxtaposition of k copies of the letter 1, GGen outputs a tuple G = ( G , p 1 , p 2 , g 1 , g 2 , g 3 , a 2 , a 3 , b 2 , b 3 ) , where

1. p 1 = Ω ( 2 k ) and p 2 = Ω ( 2 k ) are distinct primes with p 2 ∣ p 1 − 1 ;

2. G = ( ⟨ g 1 ⟩ ⋊ ⟨ g 2 ⟩ ) ⋊ ⟨ g 3 ⟩ is a semidirect product generated by g 1 , g 2 , and g 3 with ord ( g 1 ) = p 1 and ord ( g 2 ) = ord ( g 3 ) = p 2 ;

3. there exist α , β ∈ Z p 1 × , and γ ∈ Z p 1 such that

   (3.1) α ≠ 1 , β ≠ 1 , γ ≠ 0 ,

   (3.2) α p 2 = β p 2 = 1 ( mod p 1 ) ,

   (3.3) g 2 g 1 g 2 − 1 = g 1 α , g 3 g 1 g 3 − 1 = g 1 β , g 3 g 2 g 3 − 1 = g 1 γ g 2

   so that g 1 , g 2 , and g 3 do not mutually commute (see Proposition 2.1), and

4. a 2 , a 3 , b 2 , and b 3 are uniformly and independently chosen from Z p 2 so that the following conditions are fulfilled:

   (3.4) a 2 b 3 − a 3 b 2 ≠ 0 ( mod p 2 ) ,

   (3.5) [ g 2 a 2 g 3 a 3 , g 2 b 2 g 3 b 3 ] ≠ e , and

   (3.6) g 1 ( g 2 a 2 g 3 a 3 ) g 1 − 1 ≠ g 2 a 2 g 3 a 3 , g 1 ( g 2 b 2 g 3 b 3 ) g 1 − 1 ≠ g 2 b 2 g 3 b 3 .

Set G 0 = ( G , p 1 , p 2 , g 1 ) and S = ( g 2 , g 3 ) , and write G = ( G 0 , S , a 2 , a 3 , b 2 , b 3 ) for ease of writing. As a computational foundation, we should assume that any output G = ( G 0 , S , a 2 , a 3 , b 2 , b 3 ) of GGen ( 1 k ) satisfies the following conditions (I) and (II). If a string g represents an element of G , we identify the string g with the represented element of G , causing no confusion.

• (I)  The following three polynomial-time deterministic algorithms, Mem , Comp , and Inv , are assigned to the group G :

  • – Membership: for any given string g , Mem determines whether or not g ∈ G ;

  • – Composition: for any given elements g , g ′ ∈ G , Comp computes the product g g ′ ∈ G ; and

  • – Inversion: for any given element g ∈ G , Inv computes the inverse g − 1 ∈ G .

• (II) For any PPT algorithm A , the probability

  Pr g = g 2 n 2 ′ g 3 n 3 ′ G ← GGen ( 1 k ) , ( n 2 , n 3 ) ← U Z p 2 2 , g = g 2 n 2 g 3 n 3 , ( n 2 ′ , n 3 ′ ) ← A ( 1 k , G , g )

  is negligible in k .

Condition (I) is entirely a computational requirement, which means that the elementary group operations can be efficiently done and ensures that the encryption and decryption operations can be efficiently executed. Condition (II) means that the factorization search problem on the subset ⟨ g 2 ⟩ ⟨ g 3 ⟩ is infeasible.

We assign a PPT algorithm GGen † to GGen : on input 1 k , GGen † works as follows:

1. Execute GGen ( 1 k ) , and obtain a tuple G = ( G 0 , S , a 2 , a 3 , b 2 , b 3 ) .

2. Set S ¯ = ( a , b ) = ( g 2 a 2 g 3 a 3 , g 2 b 2 g 3 b 3 ) , and output a tuple G † = ( G 0 , S , S ¯ ) .

For any k ∈ N and any output G = ( G 0 , S , a 2 , a 3 , b 2 , b 3 ) of GGen ( 1 k ) , we define

and then define

We now define a hashing scheme HF associated with the family G † . It specifies the following two items:

1. A family KS k , G † of non-empty finite key sets indexed by k ∈ N and G † ∈ G k † . We assume that there exists a PPT algorithm, which, on input 1 k and G † , uniformly outputs an element hk of KS k , G † .

2. A family of hash functions HF hk k , G † : G 5 → Z p 1 indexed by k ∈ N , G † ∈ G k † and hk ∈ KS k , G † . We assume that there exists a deterministic polynomial-time algorithm, which, on input 1 k , G † ∈ G k † , hk ∈ KS k , G † , and ( h 1 , h 2 , h 3 , h 4 , h 5 ) ∈ G 5 , outputs the element HF hk k , G † ( h 1 , h 2 , h 3 , h 4 , h 5 ) ∈ Z p 1 .

1. For any PPT algorithm A , the function

   Adv A TCR ( k ) = Pr h 5 ∗ ∈ ⟨ g 1 ⟩ ∧ ∃ ( u 2 ∗ , u 3 ∗ , u ¯ 2 ∗ , u ¯ 3 ∗ ) ∈ G 4 s.t. U ∗ = ( u 2 ∗ g 2 u 2 ∗ − 1 , u 3 ∗ g 3 u 3 ∗ − 1 ) ∧ U ¯ ∗ = ( u ¯ 2 ∗ a u ¯ 2 ∗ − 1 , u ¯ 3 ∗ b u ¯ 3 ∗ − 1 ) ∧ ( U ∗ , U ¯ ∗ , h 5 ∗ ) ≠ ( U , U ¯ , h 5 ) ∧ HF hk k , G † ( U ∗ , U ¯ ∗ , h 5 ∗ ) = HF hk k , G † ( U , U ¯ , h 5 ) G † ← GGen † ( 1 k ) , hk ← U KS k , G † , ( u 2 , u 3 , u ¯ 2 , u ¯ 3 ) ← U G 4 , h 5 ← U ⟨ g 1 ⟩ U = ( u 2 g 2 u 2 − 1 , u 3 g 3 u 3 − 1 ) , U ¯ = ( u ¯ 2 a u ¯ 2 − 1 , u ¯ 3 b u ¯ 3 − 1 ) , ( U ∗ , U ¯ ∗ , h 5 ∗ ) ← A ( 1 k , G † , hk , U , U ¯ , h 5 )

   is negligible in k , where G † = ( G 0 , S , S ¯ ) with G 0 = ( G , p 1 , p 2 , g 1 ) , S = ( g 2 , g 3 ) , and S ¯ = ( a , b ) = ( g 2 a 2 g 3 a 3 , g 2 b 2 g 3 b 3 ) .

3.2 Description of our protocol

We now propose our protocol Σ = ( KGen , Enc , Dec ) .

The key generation algorithm KGen . On input 1 k , execute the following steps:

1. Execute GGen ( 1 k ) , and obtain a tuple G = ( G 0 , S , a 2 , a 3 , b 2 , b 3 ) , where G 0 = ( G , p 1 , p 2 , g 1 ) and S = ( g 2 , g 3 ) .

2. Independently and uniformly choose tuples ( x i 1 , x i 2 , x i 3 ) , ( y i 1 , y i 2 , y i 3 ) , ( z i 1 , z i 2 , z i 3 ) ∈ Z p 1 × Z p 2 2 for i = 1 , 2 , and set

   w x 1 ( T ) = [ t 2 , t 3 ] x 11 t 2 x 12 t 3 x 13 , w y 1 ( T ) = [ t 2 , t 3 ] y 11 t 2 y 12 t 3 y 13 , w z 1 ( T ) = [ t 2 , t 3 ] z 11 t 2 z 12 t 3 z 13 , w x 2 ( T ¯ ) = [ t ¯ 2 , t ¯ 3 ] x 21 t ¯ 2 x 22 t ¯ 3 x 23 , w y 2 ( T ¯ ) = [ t ¯ 2 , t ¯ 3 ] y 21 t ¯ 2 y 22 t ¯ 3 y 23 , w z 2 ( T ¯ ) = [ t ¯ 2 , t ¯ 3 ] z 21 t ¯ 2 z 22 t ¯ 3 z 23 .

3. Compute S ¯ = ( a , b ) = ( g 2 a 2 g 3 a 3 , g 2 b 2 g 3 b 3 ) .

4. Compute x 1 = w x 1 ( S ) , y 1 = w y 1 ( S ) , z 1 = w z 1 ( S ) , x 2 = w x 2 ( S ¯ ) , y 2 = w y 2 ( S ¯ ) , and z 2 = w z 2 ( S ¯ ) , and set X = x 1 x 2 S x 2 − 1 x 1 − 1 , Y = y 1 y 2 S y 2 − 1 y 1 − 1 , and Z = z 1 z 2 S z 2 − 1 z 1 − 1 . Explicitly,

   x 1 = [ g 2 , g 3 ] x 11 g 2 x 12 g 3 x 13 , x 2 = [ g 2 a 2 g 3 a 3 , g 2 b 2 g 3 b 3 ] x 21 ( g 2 a 2 g 3 a 3 ) x 22 ( g 2 b 2 g 3 b 3 ) x 23 , X = ( x 1 x 2 g 2 x 2 − 1 x 1 − 1 , x 1 x 2 g 3 x 2 − 1 x 1 − 1 ) ,

   for instance.

5. Uniformly choose a key hk ∈ KS k , G † , where G † = ( G 0 , S , S ¯ ) .

6. Output pk = ( 1 k , G 0 , S , S ¯ , X , Y , Z , hk ) as a public key and

   sk = ( x 1 , x 2 , y 1 , y 2 , z 1 , z 2 , w x 1 , w x 2 , w y 1 , w y 2 , w z 1 , w z 2 )

   as a secret key.

The encryption algorithm Enc . Given a message m ∈ ⟨ g 1 ⟩ and a public key pk , execute the following steps:

1. Independently and uniformly choose a tuple ( r 01 , r 02 , r 03 ) ∈ Z p 1 × Z p 2 2 , and set

   w r 0 ( T ) = [ t 2 , t 3 ] r 01 t 2 r 02 t 3 r 03 .

2. Compute r 0 = w r 0 ( S ) , and set R = r 0 S r 0 − 1 and R ¯ = r 0 S ¯ r 0 − 1 .

3. Compute c = m r 0 w r 0 ( Z ) − 1 .

4. Compute v = HF hk k , G † ( R , R ¯ , c ) , where G † = ( G 0 , S , S ¯ ) .

5. Compute d 1 = r 0 w r 0 ( X ) − 1 , d 2 = r 0 w r 0 ( Y ) − 1 , and d = d 1 d 2 v .

6. Output C = ( R , R ¯ , c , d ) as a ciphertext.

The decryption algorithm Dec . Given a ciphertext C ∗ , the public key pk , and the secret key sk , execute the following steps:

1. Check whether or not C ∗ satisfies the following conditions:

   1. C ∗ can be parsed as a tuple C ∗ = ( R ∗ , R ¯ ∗ , c ∗ , d ∗ ) belonging to G 6 ; and

   2. R ∗ = ( r g 2 ∗ , r g 3 ∗ ) = ( r 2 ∗ g 2 r 2 ∗ − 1 , r 3 ∗ g 3 r 3 ∗ − 1 ) and R ¯ ∗ = ( r ¯ a ∗ , r ¯ b ∗ ) = ( r ¯ 2 ∗ a r ¯ 2 ∗ − 1 , r ¯ 3 ∗ b r ¯ 3 ∗ − 1 ) hold for some r 2 ∗ , r 3 ∗ , r ¯ 2 ∗ , r ¯ 3 ∗ ∈ G .

   If this is not the case, then output ⊥ and abort.

2. Compute v ∗ = HF hk k , G † ( R ∗ , R ¯ ∗ , c ∗ ) .

3. Compute d 1 ∗ = w x 1 ( R ∗ ) w x 2 ( R ¯ ∗ ) x 2 − 1 x 1 − 1 and d 2 ∗ = w y 1 ( R ∗ ) w y 2 ( R ¯ ∗ ) y 2 − 1 y 1 − 1 .

4. Check whether or not d ∗ = d 1 ∗ ( d 2 ∗ ) v ∗ holds. If this is not the case, then output ⊥ and abort.

5. Compute m ∗ = c ∗ z 1 z 2 w z 2 ( R ¯ ∗ ) − 1 w z 1 ( R ∗ ) − 1 , and output m ∗ .

We should make a few remarks on those algorithms. Proposition 3.2 is proved in Appendix A.3, which claims that the elements x i , y i , z i , and r 0 computed in the algorithms KGen and Enc are uniformly distributed over G .