For the shake of convience, I will try to make the post independent.
So, in the proof of Theorem 8, the authors claim that a key pair indistinguishability if we use instead if g_2 the element g_1^a for some uniformly random a from \Bbb Z_q.
Let me be precise.
Let G=\langle g_1 \rangle =\langle g_2 \rangle be a cyclic group of prime order q and H be an universal OW hash function.
Consider the Cramer-Shoup scheme \Pi=(\sf KG,Enc,Dec), where we recall the key generation algorithm:
Algorithm \sf KG(1^\lambda)
- x_1,x_2,y_1,y_2,z\gets \Bbb Z_q
- c\gets g_1^{x_1}g_2^{x_2} \ ; \ d \gets g_1^{y_1}g_2^{y_2} \ ; \ h\gets g_1^z \ \in \ G
- Return ({\sf sk}:=(x_1,x_2,y_1,y_2,z),{\sf pk}:=(c,d,h))
So, my question is:
Question. if g_2 is not necessarily a generator, and instead it’s the element g_2:=g_1^a \in G for some uniformly sampled a from \Bbb Z_q. Then, would this alter the distribution?
My feeling is that since g_1^{x_1} is a random element, then regardless of what we multiply it with, it the product will still be a random element of G and thus c=g_1^{x_1}g_1^a\in G will still be random. Same for d.
Is that correct? And if yes, why we really need g_2 to be a generator?
Possible answer. From Group Theory we know that if we pick any non-zero a, then g_1^a is a generator of G. Thus, g_2 is a generator with high probability, and that’s from the above argument we don’t really care.
Any help please?
Thank you
PS: It is my first post here, so apologies for the question format, I hope its fine.