Re: How to construct such one-way key chain without hash function



laicko wrote:
In someway, I'd like the scheme could follow this condition:
E_{K_i+j}(M)= A_e( E_{K_i}{M}, j) for i,j >=0
E is the encryption algorithm, A is function, e is public known
parameter

Note that such a scheme cannot be IND-CPA secure (since it is possible for
anyone who knows the public key to detect when a message M is sent more than
once, thanks to the above equation).

If the encryption E is probabilistic, CPA secure could be hold.

No, it couldn't. I already explained why not. Consider an adversary
who requests the encryption of two plaintexts. First the adversary
requests the encryption of message M (this gets encrypted at time 1, so
it is encrypted with key K_1); then the adversary requests encryption of
the same message M (this gets encrypted with key K_2). Let C_1 and C_2
be the resulting two ciphertexts. The adversary can recognize whether
C_1 and C_2 decrypt to the same thing by checking the equation C_2 =?=
A_e(C_1, 1).
.