5 Proposed PCAE-(II) Scheme
5.5 Variant with Message Linkages
In practice, the original message may be large, which makes direct encryption inconvenient. In this subsection, we propose a variant with message linkages that handles a large message by dividing it into many small message blocks. The phases of Setup and PCG are the same as those in Section 5.1. We describe the other two phases as follows:
– Authenticated-Ciphertext-Generation (ACG): For signing a large message $m$ on behalf of an original signer $U_o$, $U_p$ first divides the message $m$ into $n$ pieces, i.e., $m = m_1 \,\|\, m_2 \,\|\, \cdots \,\|\, m_n$ with each $m_i \in GF(p)$, and then chooses $r \in_R Z_q$ and sets $w_0 = 0$ to compute
$R = g^{r} h_3(m) \bmod p$, (5.5.1)
$K = y_v^{\sigma} \bmod p$, (5.5.2)
$s = r - x_p h_2(m, C, R) \bmod q$, (5.5.3)
$r_1 = s(K \bmod q) \bmod q$, (5.5.4)
$w_i = m_i \cdot h_4(w_{i-1} \oplus h_4(K)) \bmod p$, for $i = 1, 2, \ldots, n$, (5.5.5)
and then delivers the warrant $m_w$ and the authenticated ciphertext $\delta = (r_1, R, T, w_1, w_2, \ldots, w_n)$ to a designated recipient $U_v$.
– Signature-Recovery-and-Verification (SRV): Upon receiving $\delta$, $U_v$ first computes
$C = y_o^{h_1(m_w, T)} \bmod p$, (5.5.6)
$K = (T C^{-1})^{x_v} \bmod p$, (5.5.7)
$s = (K \bmod q)^{-1} r_1 \bmod q$, (5.5.8)
$m_i = w_i \cdot h_4(w_{i-1} \oplus h_4(K))^{-1} \bmod p$, for $i = 1, 2, \ldots, n$, (5.5.9)
and recovers the original message $m$ as $m_1 \,\|\, m_2 \,\|\, \cdots \,\|\, m_n$. $U_v$ can further verify the proxy signature by checking if
$R = g^{s} y_p^{h_2(m, C, R)} h_3(m) \bmod p$. (5.5.10)
When a later dispute over repudiation occurs, $U_v$ can reveal the converted proxy signature $\Omega = (R, s, T)$, the warrant $m_w$ and the original message $m$ to prove the proxy signer's dishonesty without any additional computation effort or communication overhead.
Thus, anyone can verify the converted proxy signature with the assistance of Eqs. (5.5.6) and (5.5.10).
We show that with the authenticated ciphertext $(r_1, R, T, w_1, w_2, \ldots, w_n)$ and the warrant $m_w$, a designated recipient $U_v$ can recover the message $m$ and check its validity with Eq. (5.5.9). From the right-hand side of Eq. (5.5.9), we have
$w_i \cdot h_4(w_{i-1} \oplus h_4(K))^{-1}$
$= m_i \cdot h_4(w_{i-1} \oplus h_4(K)) \cdot h_4(w_{i-1} \oplus h_4(K))^{-1}$ (by Eq. (5.5.5))
$= m_i \pmod p$,
which leads to the left-hand side of Eq. (5.5.9).
Since the variant with message linkages is based on our proposed PCAE-(II) scheme, similar approaches can be adopted to prove its security in the random oracle model.
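As an added example (not the dissertation's code), the following Python models only the block chaining of Eqs. (5.5.5) and (5.5.9). The shared value K is taken as given, because its derivation uses the Section 5.1 parameters that are not reproduced here; h4 is assumed to be SHA-256 reduced modulo a toy 61-bit prime p; and the block size, the sample K and the sample message are constructed for the example.

```python
import hashlib

P = 2**61 - 1        # prime p of the toy GF(p); a real deployment uses a far larger p
BLOCK_BYTES = 7      # 56-bit message blocks, so every m_i < p

def h4(x):
    """Assumed instantiation of h4: SHA-256 of the integer x, reduced mod p."""
    v = int.from_bytes(hashlib.sha256(x.to_bytes(64, "big")).digest(), "big") % P
    if v == 0:       # 0 has no inverse mod p (probability about 2^-61)
        raise ValueError("h4 output is 0 mod p; choose a different K")
    return v

def split_blocks(msg):
    """m = m_1 || m_2 || ... || m_n with every m_i in GF(p), as an integer."""
    return [int.from_bytes(msg[i:i + BLOCK_BYTES], "big")
            for i in range(0, len(msg), BLOCK_BYTES)]

def join_blocks(blocks, msg_len):
    """Inverse of split_blocks; returns None if a block cannot fit its slot."""
    out = bytearray()
    for i, b in enumerate(blocks):
        n = min(BLOCK_BYTES, msg_len - i * BLOCK_BYTES)
        if n <= 0 or b >= 256 ** n:   # a tampered or misplaced block usually shows up here
            return None
        out += b.to_bytes(n, "big")
    return bytes(out)

def link_encrypt(K, msg):
    """Eq. (5.5.5): w_i = m_i * h4(w_{i-1} XOR h4(K)) mod p, with w_0 = 0."""
    hk, w_prev, out = h4(K), 0, []
    for m_i in split_blocks(msg):
        w_i = (m_i * h4(w_prev ^ hk)) % P
        out.append(w_i)
        w_prev = w_i                  # each block is keyed by its predecessor
    return out

def link_decrypt(K, blocks, msg_len):
    """Eq. (5.5.9): m_i = w_i * h4(w_{i-1} XOR h4(K))^{-1} mod p."""
    hk, w_prev, out = h4(K), 0, []
    for w_i in blocks:
        out.append((w_i * pow(h4(w_prev ^ hk), -1, P)) % P)
        w_prev = w_i
    return join_blocks(out, msg_len)

# Constructed sample values, not taken from the dissertation.
SAMPLE_K = 0x1F2E3D4C5B6A79880123456789ABCDEF   # stands in for K of Eqs. (5.5.2)/(5.5.7)
SAMPLE_MSG = b"A large message split into GF(p) blocks and linked together."

def roundtrip_ok(K=SAMPLE_K, msg=SAMPLE_MSG):
    """Does SRV recover exactly the message ACG chained?"""
    return link_decrypt(K, link_encrypt(K, msg), len(msg)) == msg

def swapped_blocks_recover(K=SAMPLE_K, msg=SAMPLE_MSG):
    """Swap w_2 and w_3 in transit: does the chain still yield the original message?"""
    w = link_encrypt(K, msg)
    w[1], w[2] = w[2], w[1]
    return link_decrypt(K, w, len(msg)) == msg

if __name__ == "__main__":
    print("round trip:", roundtrip_ok())
    print("swapped blocks recover:", swapped_blocks_recover())
```

The chaining binds each block to its predecessor, so a reordered or altered $w_i$ changes the recovered $m_i$ (and normally $m_{i+1}$ as well); the range check in join_blocks only catches the obvious cases, and, as in the scheme, integrity of the recovered $m$ rests on the signature check of Eq. (5.5.10).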
6. PCAE-(III) Scheme
Since Wu and Hsu [WH02] proposed the first convertible authenticated encryption (CAE) scheme in 2002, many researchers have devoted themselves to the enhancement of CAE schemes. Recently, the so-called bilinear pairings cryptosystem from elliptic curves [Kob87, Men93, Mil85] has found various applications [BKL+02, BF01, BLS01, GS02, Sma02, ZK02] in cryptography. In this section, we demonstrate the proposed third proxy CAE (abbreviated to PCAE-(III)) scheme based on the BDHP.
6.1 Construction
– Setup: Taking as input $1^k$, the system authority (SA) selects two groups $(G_1, +)$ and $(G_2, \times)$ of the same prime order $q$, where $|q| = k$. Let $P$ be a generator of order $q$ over $G_1$, $e: G_1 \times G_1 \to G_2$ a bilinear pairing and $h_0: \{0, 1\}^* \to G_1$, $h_1: G_2 \times G_2 \to \{0, 1\}^k$, $h_2: G_1 \to G_1$ and $h_3: \{0, 1\}^k \times G_2 \times G_1 \to Z_q$ collision-resistant hash functions. The system publishes the public parameters $params = \{G_1, G_2, q, P, e, h_0, h_1, h_2, h_3\}$. Each user $U_i$ chooses his private key $x_i \in Z_q$ and computes the corresponding public key as $Y_i = x_i P$.
– Proxy-Credential-Generation (PCG): Let $U_o$ be an original signer delegating his signing power to a proxy signer $U_p$. $U_o$ computes
$D = x_o \cdot h_0(m_w)$, (6.1.1)
where $m_w$ is a warrant consisting of the identifiers of the original signer, the proxy signer and the designated recipient, the delegation duration and so on. $(D, m_w)$ is then sent to $U_p$. Upon receiving $(D, m_w)$, $U_p$ checks its validity by verifying whether
$e(Y_o, h_0(m_w)) = e(D, P)$. (6.1.2)
If it does not hold, $(D, m_w)$ is requested to be sent again.
– Authenticated-Ciphertext-Generation (ACG): For signing a message $m \in_R \{0, 1\}^k$ on behalf of an original signer $U_o$, $U_p$ chooses $r \in_R Z_q$ to compute
$R = rP + D$, (6.1.3)
$T = e(D, Y_v)$, (6.1.4)
$V = e(h_2(R), Y_v)^{x_p}$, (6.1.5)
$S = r(h_3(m, T, R) + x_p)^{-1} P$, (6.1.6)
$X = h_1(T, V) \oplus m$, (6.1.7)
and then delivers the warrant $m_w$ and the authenticated ciphertext $\delta = (R, S, X)$ to a designated recipient $U_v$.
– Signature-Recovery-and-Verification (SRV): Upon receiving it, $U_v$ first computes
$T = e(Y_o, h_0(m_w))^{x_v}$, (6.1.8)
$V = e(h_2(R), Y_p)^{x_v}$, (6.1.9)
to recover the message $m$ as
$m = h_1(T, V) \oplus X$ (6.1.10)
and checks the redundancy embedded in it. $U_v$ further verifies the proxy signature by checking whether
$e(Y_o, h_0(m_w))\, e(S, h_3(m, T, R)P + Y_p) = e(R, P)$. (6.1.11)
Since the converted proxy signature $\Omega = (R, S, T)$ is derived during the verification process, a designated recipient $U_v$ can easily announce it together with $(m, m_w)$ in case of a later dispute over repudiation. Accordingly, anyone can check Eq. (6.1.11) to establish the proxy signer's dishonesty.
6.2 Correctness
We first show that the verification of Eq. (6.1.2) works correctly. From the left-hand side of Eq. (6.1.2), we have
$e(Y_o, h_0(m_w)) = e(x_o P, h_0(m_w)) = e(x_o h_0(m_w), P)$
$= e(D, P)$ (by Eq. (6.1.1))
which leads to the right-hand side of Eq. (6.1.2).
Upon receiving $\delta = (R, S, X)$ with the warrant $m_w$, a designated recipient can correctly recover the message $m$ and check its validity with Eq. (6.1.10). From the right-hand side of Eq. (6.1.10), we have
$h_1(T, V) \oplus X$
$= h_1(e(Y_o, h_0(m_w))^{x_v}, e(h_2(R), Y_p)^{x_v}) \oplus X$ (by Eqs. (6.1.8) and (6.1.9))
$= h_1(e(D, P)^{x_v}, e(h_2(R), Y_v)^{x_p}) \oplus X$ (by Eq. (6.1.2))
$= m$ (by Eqs. (6.1.4), (6.1.5) and (6.1.7))
which leads to the left-hand side of Eq. (6.1.10).
If an authenticated ciphertext $(R, S, X)$ is correctly generated, it will pass the test of Eq. (6.1.11). From the left-hand side of Eq. (6.1.11), we have
$e(Y_o, h_0(m_w))\, e(S, h_3(m, T, R)P + Y_p)$
$= e(Y_o, h_0(m_w))\, e(r(h_3(m, T, R) + x_p)^{-1}P, h_3(m, T, R)P + Y_p)$ (by Eq. (6.1.6))
$= e(D, P)\, e(rP, P)$ (by Eq. (6.1.2))
$= e(D + rP, P)$
$= e(R, P)$ (by Eq. (6.1.3))
which leads to the right-hand side of Eq. (6.1.11).
6.3 Security Proofs
We prove that the proposed PCAE-(III) scheme achieves the IND-CCA2 and the EF-CMA security in random oracle models as Theorems 6.3.1 and 6.3.2, respectively.
Theorem 6.3.1. (Proof of Confidentiality) The proposed PCAE-(III) scheme is $(t, q_{h_0}, q_{h_1}, q_{h_2}, q_{h_3}, q_{PCG}, q_{ACG}, q_{SRV}, \varepsilon)$-secure against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) in the random oracle model if there is no probabilistic polynomial-time adversary that can $(t', \varepsilon')$-break the BDHP, where
$\varepsilon' \ge q_{h_1}^{-1}\left(2\varepsilon - q_{SRV}\,\frac{q_{h_1} + q_{h_3} + 1}{2^k}\right)$,
$t' \approx t + t_\lambda(2q_{ACG} + 3q_{SRV} + 1)$.
Here $t_\lambda$ is the time for performing one bilinear pairing computation.
Proof: Fig. 6.3.1 depicts the proof structure of this theorem. Suppose that a probabilistic polynomial-time adversary A can $(t, q_{h_0}, q_{h_1}, q_{h_2}, q_{h_3}, q_{PCG}, q_{ACG}, q_{SRV}, \varepsilon)$-break the proposed PCAE-(III) scheme with a non-negligible advantage $\varepsilon$ under adaptive chosen-ciphertext attacks after running in time at most $t$ and asking at most $q_{h_i}$ $h_i$ random oracle (for $i = 0$ to 3), $q_{PCG}$ PCG, $q_{ACG}$ ACG and $q_{SRV}$ SRV queries. Then we can construct another algorithm B that $(t', \varepsilon')$-breaks the BDHP by taking A as a subroutine. Let all involved parties and parameters be defined the same as those in Section 6.1. The objective of B is to obtain $e(P, P)^{x_o x_p x_v}$ by taking $(P, q, e, Y_o = x_o P, Y_p = x_p P, Y_v = x_v P)$ as inputs. In this proof, B simulates a challenger to A in the following game.
Setup: The challenger B runs the Setup($1^k$) algorithm and sends the system's public parameters params = {G1, G2, q, P, e, Yo, Yp, Yv} to the adversary A.
Fig. 6.3.1. The proof structure of confidentiality in Theorem 6.3.1
Phase 1: A issues the following queries adaptively:
– h0 oracle: When A asks an h0 oracle of h0(mw), B returns O-Sim(III)_h0(mw). The simulated random oracle O-Sim(III)_h0 operates as Fig. 6.3.2.
Fig. 6.3.2. Algorithm of the simulated random oracle O-Sim(III)_h0
oracle O-Sim(III)_h0(mw)   // Let Q_h0[qh0] and A_h0[qh0][2] be two arrays.
  for i = 0 to qh0 − 1
    if (Q_h0[i] = mw) then                   // It is an old query.
      exit for;
    else if (Q_h0[i] = null) then            // It is a new query.
      insert(Q_h0, mw); insert(A_h0, (σ ∈R Zq, V0 = σP));
      exit for;
    end if
  next i
  return A_h0[i][1];
[Fig. 6.3.1 (diagram content): B takes (P, q, e, Yo = xoP, Yp = xpP, Yv = xvP) as its input, gives A the public parameters {G1, G2, q, P, e, Yo, Yp, Yv} as input together with access to the random oracles and to the PCG, ACG and SRV oracles, receives A's output λ′, and finally outputs $e(P, P)^{x_o x_p x_v}$.]
– h1 oracle: When A asks an h1 oracle of h1(T, V), B returns O-Sim(III)_h1(T, V). The simulated random oracle O-Sim(III)_h1 operates as Fig. 6.3.3.
Fig. 6.3.3. Algorithm of the simulated random oracle O-Sim(III)_h1
oracle O-Sim(III)_h1(T, V)   // Let Q_h1[qh1][2] and A_h1[qh1] be two arrays.
  for i = 0 to qh1 − 1
    if (Q_h1[i][0] = T and Q_h1[i][1] = V) then   // It is an old query.
      exit for;
    else if (Q_h1[i][0] = null) then               // It is a new query.
      insert(Q_h1, (T, V)); insert(A_h1, v1 ∈R {0, 1}^k);
      exit for;
    end if
  next i
  return A_h1[i];
– h2 oracle: When A asks an h2 oracle of h2(R), B returns O-Sim(III)_h2(R). The simulated random oracle O-Sim(III)_h2 operates as Fig. 6.3.4.
Fig. 6.3.4. Algorithm of the simulated random oracle O-Sim(III)_h2
oracle O-Sim(III)_h2(R)   // Let Q_h2[qh2] and A_h2[qh2][2] be two arrays.
  for i = 0 to qh2 − 1
    if (Q_h2[i] = R) then                    // It is an old query.
      exit for;
    else if (Q_h2[i] = null) then            // It is a new query.
      insert(Q_h2, R); insert(A_h2, (v2 ∈R Zq, V2 = v2P));
      exit for;
    end if
  next i
  return A_h2[i][1];
– h3 oracle: When A asks an h3 oracle of h3(m, T, R), B returns O-Sim(III)_h3(m, T, R). The simulated random oracle O-Sim(III)_h3 operates as Fig. 6.3.5.
Fig. 6.3.5. Algorithm of the simulated random oracle O-Sim(III)_h3
oracle O-Sim(III)_h3(m, T, R)   // Let Q_h3[qh3][3] and A_h3[qh3] be two arrays.
  for i = 0 to qh3 − 1
    if (Q_h3[i][0] = m and Q_h3[i][1] = T and Q_h3[i][2] = R) then   // It is an old query.
      exit for;
    else if (Q_h3[i][0] = null) then         // It is a new query.
      insert(Q_h3, (m, T, R)); insert(A_h3, v3 ∈R Zq);
      exit for;
    end if
  next i
  return A_h3[i];
– PCG queries: When A makes a PCG query, B chooses a proper mw and then returns (mw, O-Sim(III)_PCG(mw)) as the result. The simulated PCG oracle O-Sim(III)_PCG operates as Fig. 6.3.6.
Fig. 6.3.6. Algorithm of the simulated PCG oracle O-Sim(III)_PCG
oracle O-Sim(III)_PCG(mw)
  V0 ← O-Sim(III)_h0(mw);
  for i = 0 to qh0 − 1
    if (A_h0[i][1] = V0) then
      σ ← A_h0[i][0];
      Compute D = σYo;
      return D;
    end if
  next i
– ACG queries: When A makes an ACG query for some message m, B returns O-Sim(III)_ACG(m) as the result. The simulated ACG oracle O-Sim(III)_ACG operates as Fig. 6.3.7.
Fig. 6.3.7. Algorithm of the simulated ACG oracle O-Sim(III)_ACG
oracle O-Sim(III)_ACG(m)
  Choose a proper mw; D = O-Sim(III)_PCG(mw);
  Choose s ∈R Zq to compute S = sP and T = e(D, Yv);
  do
    Choose v3 ∈R Zq; Compute R = sv3P + sYp + D;
  while (check(Q_h3, (m, T, R)) = true);
  insert(Q_h3, (m, T, R)); insert(A_h3, v3);   // define h3(m, T, R) = v3
  V2 = O-Sim(III)_h2(R); v2 = A_h2[i][0];      // Assume that A_h2[i][1] = V2.
  Compute V = e(Yp, Yv)^{v2}; X = O-Sim(III)_h1(T, V) ⊕ m;
  return δ = (R, S, X) along with mw;
– SRV queries: When A makes an SRV query for some authenticated ciphertext δ with a warrant mw, B returns O-Sim(III)_SRV(δ, mw) as the result. The simulated SRV oracle O-Sim(III)_SRV operates as Fig. 6.3.8.
Fig. 6.3.8. Algorithm of the simulated SRV oracle O-Sim(III)_SRV
oracle O-Sim(III)_SRV(δ, mw)   // δ = (R, S, X)
  if (check(Q_h3, (*, *, R)) = true) then       // h3(*, *, R) has been queried before.
    m = Q_h3[i][0]; T = Q_h3[i][1];             // Assume that Q_h3[i][2] = R.
    if (check(Q_h1, (T, *)) = true) then        // h1(T, *) has been queried before.
      V = Q_h1[i][1]; v1 = A_h1[i];             // Assume that Q_h1[i][0] = T.
      if (X = v1 ⊕ m) then
        if (e(Yo, h0(mw)) e(S, h3(m, T, R)P + Yp) = e(R, P)) then
          return (m, R, S, T, mw);
        else                                    // Signature verification fails.
          return ⊥;
        end if
      else                                      // Message recovery fails.
        return ⊥;
      end if
    else                                        // h1(T, *) has never been queried.
      return ⊥;
    end if
  else                                          // h3(*, *, R) has never been queried.
    return ⊥;
  end if
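The following Python is an added example, not the dissertation's or any library's code. It instantiates the PCAE-(III) equations of Section 6.1, exercises the three correctness derivations of Section 6.2, and also reproduces the ACG simulation of Fig. 6.3.7, in which B answers an ACG query without the proxy signer's private key by programming h3. The pairing is a toy: G1 is Z_q with P = 1 (a point aP is represented by the scalar a), G2 is the order-q subgroup of Z_r^*, and e(aP, bP) = g^{ab}. This map is bilinear but offers no security whatsoever (the BDHP is trivial in it), so it serves only to check the algebra. The SHA-256-based hash functions, the choice r = 2^127 − 1 and q = 77158673929, the redundancy rule (96-bit payload followed by a 32-bit tag) and the sample warrant are all assumptions of this example.

```python
import hashlib
import secrets

R_MOD = 2**127 - 1            # prime modulus of G2 (Mersenne prime M127)
Q = 77158673929               # prime q dividing R_MOD - 1; common order of G1 and G2
assert (R_MOD - 1) % Q == 0
G = next(g for g in (pow(h, (R_MOD - 1) // Q, R_MOD) for h in range(2, 64)) if g != 1)
K_BITS = 128                  # message length k
H3_TABLE = {}                 # programmable h3; plays the role of the Q_h3 / A_h3 arrays

def e(a, b):
    """Toy pairing e(aP, bP) = g^(ab) in G2 (bilinear, but insecure: aP is just a)."""
    return pow(G, (a * b) % Q, R_MOD)

def _h(tag, *parts):
    h = hashlib.sha256(tag.encode())
    for x in parts:
        h.update(str(x).encode() + b"|")
    return int.from_bytes(h.digest(), "big")

def h0(mw): return _h("h0", mw) % Q or 1               # {0,1}* -> G1 (nonzero)
def h1(T, V): return _h("h1", T, V) >> (256 - K_BITS)  # G2 x G2 -> {0,1}^k
def h2(Rp): return _h("h2", Rp) % Q or 1               # G1 -> G1 (nonzero)

def h3(m, T, Rp):                                       # {0,1}^k x G2 x G1 -> Z_q
    return H3_TABLE.setdefault((m, T, Rp), _h("h3", m, T, Rp) % Q)

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, x                                         # (x_i, Y_i = x_i P)

def embed_redundancy(payload):
    """Assumed redundancy rule: m = 96-bit payload || 32-bit tag of the payload."""
    return (payload << 32) | (_h("red", payload) >> 224)

def redundancy_ok(m):
    return (m & 0xFFFFFFFF) == (_h("red", m >> 32) >> 224)

def pcg(x_o, mw):                                       # Eq. (6.1.1)
    return (x_o * h0(mw)) % Q

def pcg_check(Y_o, D, mw):                              # Eq. (6.1.2)
    return e(Y_o, h0(mw)) == e(D, 1)

def acg(x_p, D, Y_v, m):                                # Eqs. (6.1.3)-(6.1.7)
    T = e(D, Y_v)
    while True:
        r = secrets.randbelow(Q - 1) + 1
        Rp = (r + D) % Q
        denom = (h3(m, T, Rp) + x_p) % Q
        if denom:                                       # h3(m,T,R) + x_p must be invertible
            break
    S = (r * pow(denom, -1, Q)) % Q
    V = pow(e(h2(Rp), Y_v), x_p, R_MOD)
    return Rp, S, h1(T, V) ^ m

def public_verify(Y_o, Y_p, mw, m, Rp, S, T):           # Eq. (6.1.11), public data only
    lhs = (e(Y_o, h0(mw)) * e(S, (h3(m, T, Rp) + Y_p) % Q)) % R_MOD
    return lhs == e(Rp, 1)

def srv(x_v, Y_o, Y_p, mw, delta):                      # Eqs. (6.1.8)-(6.1.11)
    Rp, S, X = delta
    T = pow(e(Y_o, h0(mw)), x_v, R_MOD)
    V = pow(e(h2(Rp), Y_p), x_v, R_MOD)
    m = h1(T, V) ^ X
    if not redundancy_ok(m) or not public_verify(Y_o, Y_p, mw, m, Rp, S, T):
        return None
    return m, (Rp, S, T)                                # message and converted Omega

def simulate_acg(D, Y_p, Y_v, m):
    """Fig. 6.3.7: B builds a valid delta without x_p by programming h3(m,T,R) := v3."""
    s = secrets.randbelow(Q - 1) + 1                    # S = sP
    T = e(D, Y_v)
    while True:
        v3 = secrets.randbelow(Q)
        Rp = (s * v3 + s * Y_p + D) % Q                 # R = s v3 P + s Y_p + D
        if (m, T, Rp) not in H3_TABLE:
            break
    H3_TABLE[(m, T, Rp)] = v3                           # define h3(m, T, R) = v3
    V = pow(e(Y_p, Y_v), h2(Rp), R_MOD)                 # = e(h2(R), Y_v)^x_p
    return Rp, s, h1(T, V) ^ m

if __name__ == "__main__":
    (x_o, Y_o), (x_p, Y_p), (x_v, Y_v) = keygen(), keygen(), keygen()
    mw = "orig=Uo;proxy=Up;recipient=Uv;valid=2009-06"   # constructed warrant
    D = pcg(x_o, mw)
    m = embed_redundancy(0x0123456789ABCDEF01234567)
    print("credential ok:", pcg_check(Y_o, D, mw))
    print("recovered ok:", srv(x_v, Y_o, Y_p, mw, acg(x_p, D, Y_v, m))[0] == m)
    print("simulated ok:", srv(x_v, Y_o, Y_p, mw, simulate_acg(D, Y_p, Y_v, m))[0] == m)
```

Two points worth noticing when running it: public_verify needs only the public keys, (m, mw) and the converted signature Ω = (R, S, T), which is what makes public arbitration of Eq. (6.1.11) possible; and simulate_acg passes that same check although it never touches x_p, which is why the proof can answer ACG queries while treating x_p as unknown.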
Challenge: A generates two messages, m0 and m1, of the same length. The challenger B flips a coin λ ← {0, 1} and produces an authenticated ciphertext δ* = (R*, S*, X*) for mλ by running the simulated Sim(III)_Challenge(mλ). The algorithm of Sim(III)_Challenge operates as Fig. 6.3.9.
Fig. 6.3.9. Algorithm of the simulated Sim(III)_Challenge
algorithm Sim(III)_Challenge(mλ)
  Choose a proper mw*; D* ← O-Sim(III)_PCG(mw*);
  Choose z, s ∈R Zq to compute S* = sP and T* = e(D*, Yv);
  do
    Choose v3 ∈R Zq; Compute R* = sv3P + sYp + D*;
  while (check(Q_h3, (mλ, T*, R*)) = true);
  insert(Q_h3, (mλ, T*, R*)); insert(A_h3, v3);   // define h3(mλ, T*, R*) = v3
  insert(Q_h2, R*); insert(A_h2, (∇, zYo)), where ∇ denotes the null symbol;   // define h2(R*) = zYo
  Choose v1 ∈R {0, 1}^k;
  Compute X* = v1 ⊕ mλ;   // Implicitly define v1 = h1(T*, V*) where V* = e(zYo, Yv)^{xp}.
  return δ* = (R*, S*, X*) and mw*;
Phase 2: A makes new queries as those stated in Phase 1 except an SRV query for the target ciphertext δ*.
Analysis of the game: Consider the simulations of PCG and ACG queries. It can be seen that the simulated proxy credential D and authenticated ciphertext δ are computationally indistinguishable from those generated by the real scheme. We therefore regard the simulations of PCG and ACG queries as perfect. Next we evaluate the simulation of SRV queries. From the algorithm of O-Sim(III)_SRV, one can observe that an SRV query on some valid δ = (R, S, X) returns the error symbol ⊥ if A is able to produce δ without asking the corresponding h3(m, T, R) or h1(T, V) random oracles in advance. Let SRV_ERR be the event that an SRV query returns the error symbol ⊥ for some valid δ during the entire game, AC-V the event that an authenticated ciphertext δ submitted by A is valid, and QH3 and QH1 separately the events that A has asked the corresponding h3 and h1 random oracles beforehand. Then we can express the error probability of any SRV query as
$\le \frac{q_{h_1}}{2^k} + \frac{q_{h_3}}{2^k} + \frac{1}{2^k}$.
Since A can make at most $q_{SRV}$ SRV queries, we can further express the probability of SRV_ERR as
$\Pr[\mathrm{SRV\_ERR}] \le q_{SRV}\,\frac{q_{h_1} + q_{h_3} + 1}{2^k}$. (6.3.1)
Additionally, in the challenge phase, B has returned a simulated authenticated ciphertext $\delta^* = (R^*, S^*, X^*)$ where $h_2(R^*) = zY_o$, which implies that the shared secret $V^*$ is implicitly defined as $V^* = e(zY_o, Y_v)^{x_p}$. Let GP be the event that the entire simulation game does not abort. Obviously, if the adversary A never makes an $h_1(T^*, V^*)$ query in Phase 2, the entire simulation game terminates normally. We denote by QH1* the event that A does ask such a query in Phase 2. When the entire simulation game does not abort, A gains no advantage in guessing λ, owing to the randomness of the random oracles' outputs, i.e.,
$\Pr[\lambda' = \lambda \mid \mathrm{GP}] = 1/2$. (6.3.2)
With inequalities (6.3.3) and (6.3.4), we know that
$|\Pr[\lambda' = \lambda] - 1/2| \le (1/2)\Pr[\neg \mathrm{GP}]$. (6.3.5)
Recall that in Definition 3.3.3, A's advantage is defined as $\mathrm{Adv}(A) = |\Pr[\lambda' = \lambda] - 1/2|$. By assumption, A has non-negligible probability $\varepsilon$ to break the proposed scheme. We therefore have
$\varepsilon = |\Pr[\lambda' = \lambda] - 1/2|$
$\le (1/2)\Pr[\neg \mathrm{GP}]$ (by Eq. (6.3.5))
$= (1/2)\Pr[\mathrm{QH1}^* \vee \mathrm{SRV\_ERR}] \le (1/2)(\Pr[\mathrm{QH1}^*] + \Pr[\mathrm{SRV\_ERR}])$.
Combining Eq. (6.3.1) and rewriting the above inequality, we get
$\Pr[\mathrm{QH1}^*] \ge 2\varepsilon - \Pr[\mathrm{SRV\_ERR}] \ge 2\varepsilon - q_{SRV}\,\frac{q_{h_1} + q_{h_3} + 1}{2^k}$.
If the event QH1* happens, we claim that $V^* = e(zY_o, Y_v)^{x_p}$ will be stored in some entry of the Q_h1 array. Consequently, B has non-negligible probability
$\varepsilon' \ge q_{h_1}^{-1}\left(2\varepsilon - q_{SRV}\,\frac{q_{h_1} + q_{h_3} + 1}{2^k}\right)$
to solve the BDHP by outputting $(V^*)^{z^{-1}}$. The computation time required for B is $t' \approx t + t_\lambda(2q_{ACG} + 3q_{SRV} + 1)$.
Q.E.D.
Theorem 6.3.2. (Proof of Unforgeability) The proposed PCAE-(III) scheme is $(t, q_{h_0}, q_{h_1}, q_{h_2}, q_{h_3}, q_{PCG}, q_{ACG}, \varepsilon)$-secure against existential forgery under adaptive chosen-message attacks (EF-CMA) in the random oracle model if there is no probabilistic polynomial-time adversary that can $(t', \varepsilon')$-break the BDHP, where
$\varepsilon' \ge (\varepsilon - 2^{-(k + |G_1|)})/(q_{h_1} q_{h_2})$,
$t' \approx t + t_\lambda(2q_{ACG})$.
Here $t_\lambda$ is the time for performing one bilinear pairing computation.
Fig. 6.3.10. The proof structure of unforgeability in Theorem 6.3.2
[Fig. 6.3.10 (diagram content): B takes (P, q, e, Yo = xoP, Yp = xpP, Yv = xvP) as its input, gives A the public parameters {G1, G2, q, P, e, Yo, Yp, Yv} as input together with access to the random oracle and to the PCG and ACG oracles, receives A's output δ = (R, S, X), and finally outputs $e(P, P)^{x_o x_p x_v}$.]
Proof: Fig. 6.3.10 depicts the proof structure of this theorem. Suppose that a probabilistic polynomial-time adversary A can $(t, q_{h_0}, q_{h_1}, q_{h_2}, q_{h_3}, q_{PCG}, q_{ACG}, \varepsilon)$-break the proposed PCAE-(III) scheme with a non-negligible advantage $\varepsilon$ under adaptive chosen-message attacks after running in time at most $t$ and asking at most $q_{h_i}$ $h_i$ random oracle (for $i = 0$ to 3), $q_{PCG}$ PCG and $q_{ACG}$ ACG queries. Then we can construct another algorithm B that $(t', \varepsilon')$-breaks the BDHP by taking A as a subroutine. Let all involved parties and parameters be defined the same as those in Section 6.1. The objective of B is to obtain $e(P, P)^{x_o x_p x_v}$ by taking $(P, q, e, Y_o = x_o P, Y_p = x_p P, Y_v = x_v P)$ as inputs. In this proof, B simulates a challenger to A in the following game.
Setup: The challenger B runs the Setup($1^k$) algorithm and sends the system's public parameters params = {G1, G2, q, P, e, Yo, Yp, Yv} to the adversary A.
Phase 1: A adaptively asks hi random oracle (for i = 0 to 3), PCG and ACG queries as those defined in Theorem 6.3.1. Note that in the j-th h2 random oracle, where j is a random positive integer less than or equal to qh2, B directly returns zYo for z ∈R Zq.
Forgery: Finally, A outputs an authenticated ciphertext δ* = (R*, S*, X*) and mw* for his arbitrarily chosen message m*. If the ciphertext is valid, A wins the game.
Analysis of the game: According to the analysis of Theorem 6.3.1, we know that the simulation of each PCG or ACG query terminates normally. Besides, B answers each $h_i$ random oracle with a computationally indistinguishable value without collision. Let AC-V and QH separately be the events that the output ciphertext $\delta^* = (R^*, S^*, X^*)$ is valid and that A has asked the corresponding $h_1(T^*, V^*)$ and $h_2(R^*)$ random oracles. The probability that A can guess the correct random values without asking the $h_1$ and $h_2$ random oracles is not greater than $2^{-(k + |G_1|)}$. Since A has a non-negligible advantage $\varepsilon$ to break the proposed scheme under adaptive chosen-message attacks, we have
$\varepsilon = \Pr[\text{AC-V}]$
$\le \Pr[\text{AC-V} \mid \mathrm{QH}] + \Pr[\text{AC-V} \mid \neg\mathrm{QH}]$
$\le \Pr[\text{AC-V} \mid \mathrm{QH}] + 2^{-(k + |G_1|)}$.
Rewriting the above inequality, we also obtain $\Pr[\text{AC-V} \mid \mathrm{QH}] \ge \varepsilon - 2^{-(k + |G_1|)}$.
Seeing that in the $j$-th $h_2$ random oracle query B directly returned $zY_o$ as the result, i.e., $\Pr[R^* = R_j] = q_{h_2}^{-1}$, we claim that when the event $(\text{AC-V} \mid \mathrm{QH}) \wedge (R^* = R_j)$ occurs, B has probability $q_{h_1}^{-1}$ of outputting
$(V^*)^{z^{-1}} = e(Y_o, Y_v)^{x_p}$
from some entry of the Q_h1 array. Therefore, we can express the probability of B solving the BDHP as
$\varepsilon' \ge (\varepsilon - 2^{-(k + |G_1|)})/(q_{h_1} q_{h_2})$.
The running time required for B is $t' \approx t + t_\lambda(2q_{ACG})$.
Q.E.D.
According to Theorem 6.3.2, the proposed PCAE-(III) scheme is secure against existential forgery attacks. That is, the delegated proxy signer cannot repudiate having generated his authenticated ciphertext. Hence, we obtain the following corollary.
Corollary 6.3.1. The proposed PCAE-(III) scheme satisfies the security requirement of non-repudiation.
7. Conclusions and Future Research
In this dissertation, the author proposed three PCAE schemes to solve the delegation problem for confidential transactions. The proposed schemes allow a proxy signer to produce an authenticated ciphertext on behalf of an original signer and only a designated recipient is capable of recovering the message and verifying its proxy signature for ensuring confidentiality.
It is unnecessary to establish a session key in advance between a proxy signer and a designated recipient. Without revealing the private key, a designated recipient can independently convert an authenticated ciphertext into an ordinary proxy signature for public arbitration in case of a later repudiation. Since a converted proxy signature is obtained during the message recovery and signature verification phase, the signature conversion process requires no extra computation efforts or communication overheads.
The author also presented a group-oriented PCAE variant allowing one proxy signer to generate a valid authenticated ciphertext on behalf of a signing group composed of n original signers. To benefit the encryption of large messages, the author addressed another variant with message linkages by dividing a large message into many small message blocks.
Furthermore, the proposed schemes are proved to achieve the security requirement of confidentiality against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) and that of unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA) in random oracle models. To the best of our knowledge, the proposed PCAE-(I) scheme is the first provably secure PCAE scheme based on RSA assumption. As compared with previous works, the proposed schemes not only have lower computation costs, but also provide better functionalities.
With more and more complicated business applications, the signing policy and the way of proxy delegation might vary depending on different needs. For example, one original signer can delegate his signing power to two or more proxy signers, such that all proxy signers must cooperatively generate a valid authenticated ciphertext on behalf of the original one. In some circumstances, an authenticated ciphertext intended for a designated group can only be decrypted if t-out-of-n verifiers are willing to cooperate, which is referred to as (t, n)-shared verification.
To mitigate the impact caused by key exposure, a key-insulated cryptosystem is a better alternative for designing cryptographic protocols. In such a system, each user stores a long-term private key in a physically secure but computation-limited device (called the base or helper). Another short-term private key is kept secret by the user and used to perform cryptographic protocols such as digital signature schemes. Integrating PCAE schemes with key-insulated systems will bring more benefits to realistic applicability. Therefore, in future research, the author will devote himself to the study of more flexible PCAE schemes with provable security to fulfill all kinds of practical requirements.
Bibliography
[AUI99] S. Araki, S. Uehara and K. Imamura, “The limited verifier signature and its application,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol. E82-A, No. 1, 1999, pp. 63-68.
[BD98] F. Bao and R. H. Deng, “A signcryption scheme with signature directly verifiable by public key,” Workshop on Public Key Cryptography, Springer-Verlag, 1998, pp. 55-59.
[BF01] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” Advances in Cryptology − CRYPTO 2001, Springer-Verlag, 2001, pp. 213-229.
[BJY97] M. Bellare, M. Jakobsson and M. Yung, “Round-optimal zero-knowledge arguments based on any one-way hash function,” Advances in Cryptology − EUROCRYPT’97, Springer-Verlag, 1997, pp. 280-305.
[BKL+02] P. S. L. M. Barreto, H. Y. Kim, B. Lynn and M. Scott, “Efficient algorithms for pairing-based cryptosystems,” Advances in Cryptology − CRYPTO 2002, Springer-Verlag, 2002, pp. 354-368.
[BLS01] D. Boneh, B. Lynn and H. Shacham, “Short signature from the Weil pairing,” Advances in Cryptology − ASIACRYPT 2001, Springer-Verlag, 2001, pp. 514-532.
[BLS03] P. S. L. M. Barreto, B. Lynn, and M. Scott, “On the selection of pairing-friendly groups,” Selected Areas in Cryptography (SAC 2003), Springer-Verlag, 2003.
[Boy03] X. Boyen, “Multipurpose identity-based signcryption: A Swiss army knife for identity-based cryptography,” Advances in Cryptology − CRYPTO’03, Springer-Verlag, 2003, pp. 383-399.
[BSZ02] J. Baek, R. Steinfeld and Y. Zheng, “Formal proofs for the security of signcryption,” Public Key Cryptography - PKC’02, Springer-Verlag, 2002, pp. 80-98.
[CA90] D. Chaum and H. van Antwerpen, “Undeniable signature,” Advances in Cryptology − CRYPTO’90, Springer-Verlag, 1990, pp. 212-216.
[CC06] F. Cao and Z. Cao, “Cryptanalysis on a proxy multi-signature scheme,” Proceedings of the 1st International Multi-Symposiums on Computer and Computational Sciences, 2006 (IMSCCS’06), Vol. 2, IEEE Press, Piscataway, USA, 2006, pp. 117-120.
[Cha08] T. Y. Chang, “A convertible multi-authenticated encryption scheme for group communications,” Information Sciences, Vol. 178, No. 17, 2008, pp. 3426-3434.
[Cha90] D. Chaum, “Zero-knowledge undeniable signatures,” Advances in Cryptology − EUROCRYPT’90, Springer-Verlag, 1990, pp. 458-464.
[Chi08] H. Y. Chien, “Selectively convertible authenticated encryption in the random oracle model,” The Computer Journal, Vol. 51, No. 4, 2008, pp. 419-434.
[DC06] S. Duan and Z. Cao, “Efficient and provably secure multi-receiver identity-based signcryption,” Information Security and Privacy, Springer-Verlag, 2006, pp. 195-206.
[DCZ05] S. Duan, Z. Cao and Y. Zhou, “Secure delegation-by-warrant ID-based proxy signcryption scheme” Proceedings of Computational Intelligence and Security Conference (CIS 2005), Springer-Verlag, 2005, pp. 445-450.
[DH76] W. Diffie and M. Hellman, “New directions in cryptography,” IEEE Transactions on Information Theory, Vol. IT-22, No. 6, 1976, pp. 644-654.
[DK02] H. Delfs and H. Knebl, Introduction to Cryptography: Principles and Applications, 2nd Ed., Springer-Verlag, 2002.
[DYD03] J. Z. Dai, X. H. Yang and J. X. Dong, “Designated-receiver proxy signature scheme for electronic commerce,” Proceedings of IEEE International Conference on Systems, Man and Cybernetics, Vol. 1, 2003, pp. 384-389.
[EA08] H. Elkamchouchi and Y. Abouelseoud, “A new proxy identity-based signcryption scheme for partial delegation of signing rights,” Cryptology ePrint Archive, Report 2008/041, 2008. http://eprint.iacr.org/2008/041
[EAM06] D. H. Elkamshoushy, A. K. AbouAlsoud and M. Madkour, “New proxy signcryption scheme with DSA verifier,” Proceedings of the 23rd National Radio Science Conference (NRSC 2006), 2006, pp. 1-8.
[ElG85] T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Transactions on Information Theory, Vol. IT-31, No. 4, 1985, pp. 469-472.
[Gir91] M. Girault, “Self-certified public keys,” Advances in Cryptology − EUROCRYPT’91, Springer-Verlag, 1991, pp. 491-497.
[GS02] C. Gentry and A. Silverberg, “Hierarchical id-based cryptography,” Advances in Cryptology − ASIACRYPT 2002, Springer-Verlag, 2002, pp. 548-566.
[HC01] S. J. Hwang and C. C. Chen, “A new multi-proxy multisignature scheme,” Proceedings of 2001 National Computer Symposium, 2001, pp. 19-26.
[HC03] H. F. Huang and C. C. Chang, “An efficient convertible authenticated encryption scheme and its variant,” Proceedings of the 5th International Conference on Information and Communications Security (ICICS2003), Springer-Verlag, 2003, pp. 382-392.
[Hen94] M. Hendry, Smart Card Security and Applications, Artech House, Inc., 1997.
[HLL00] M. S. Hwang, I. C. Lin. and J. L. Eric Lu, “A secure nonrepudiable threshold proxy signature scheme with known signers,” International Journal of Informatica, Vol. 11, No. 2, 2000, pp. 1-8.
[HLL+05] C. H. Huang, C. Y. Lee, C. H. Lin, C. C. Chang and K. L. Chen, “Authenticated encryption schemes with message linkage for threshold signatures,” Proceedings of the IEEE 19th International Conference on Advanced Information Networking and Applications, Vol. 2, 2005, pp. 261-264.