Convertible multi-authenticated encryption scheme with one-way hash function
Jia-Lun Tsai
*Department of E-Learning, National Chiao Tung University, No. 1001, Ta Hsueh Road, Hsinchu 300, Taiwan, ROC
Article history:
Received 15 August 2008; Accepted 12 December 2008; Available online 24 December 2008
Keywords:
Multi-authenticated encryption scheme; One-way hash function; Discrete logarithms
Abstract
To send a message to a recipient securely, authenticated encryption schemes were proposed. In 2008, Wu et al. [T.S. Wu, C.L. Hsu, K.Y. Tsai, H.Y. Lin, T.C. Wu, Convertible multi-authenticated encryption scheme, Information Sciences 178 (1) 256–263] first proposed a convertible multi-authenticated encryption scheme based on discrete logarithms. However, the author finds that the computational complexity of this scheme is rather high and that message redundancy is used. To improve the computational efficiency and remove the message redundancy, the author proposes a new convertible multi-authenticated encryption scheme based on the intractability of one-way hash functions and discrete logarithms. As for efficiency, the computation cost of the proposed scheme is smaller than that of Wu et al.'s scheme.
© 2008 Elsevier B.V. All rights reserved.
1. Introduction
Authenticated encryption is an important issue in network security. It ensures that a message is sent to a specified recipient securely over an insecure network. In general, it must achieve the confidentiality, authenticity and non-repudiation properties [1–7]. In 1994, Horster et al. [1] proposed an authenticated encryption scheme using a one-way hash function, which modified Nyberg and Ruppel's message recovery signature [2]. Since then, some similar schemes have been proposed [8–21].
In 1999, Araki et al. [8] proposed a convertible limited verifier scheme that enables the recipient to convert the message and verify the signature. However, this scheme might be unworkable if the signer is unwilling to cooperate. In 2002, Wu et al. [18] found this weakness and then proposed a convertible authenticated encryption scheme. The scheme has the following advantages: (1) the recipient can easily prove the ordinary signature without the cooperation of the signer; (2) if the signer wants to repudiate his signature, he can reveal the converted signature and then any verifier can prove the dishonesty of the signer. Unfortunately, in 2003, Huang and Chang [12] found that Wu et al.'s scheme has a weakness: if an adversary knows the message, then he can easily convert a signature into an ordinary one. To overcome this weakness, they also proposed a new convertible authenticated encryption scheme. Later, Chien [10] also proposed a new convertible authenticated encryption scheme. Unfortunately, in 2005, Zhang and Wang [20] found that Chien's scheme does not provide unforgeability and non-repudiation. Then, they also proposed an improvement of Chien's scheme.
These convertible authenticated encryption schemes share a weakness: they cannot work when there is more than one signer. To overcome this weakness, in 2008, Wu et al. [22] proposed a convertible multi-authenticated encryption scheme. Their scheme is used to deliver a message that is chosen and signed by multiple signers. The generated authenticated message is independent of the total number of participating signers, so it is very suitable for multiple signers.
In this paper, the author finds that the computational complexity of Wu et al.'s scheme [22] is rather high and that message redundancy is used. To improve the computational efficiency and remove the message redundancy, the author integrates convertible authenticated encryption schemes and multisignature schemes [23,24] into a new convertible multi-authenticated encryption scheme with a one-way hash function. The security of the proposed multi-authenticated encryption scheme is based on the one-way hash function and discrete logarithms, and message redundancy is not used in the proposed scheme. In addition, the total computational cost of the proposed scheme is lower than that of Wu et al.'s scheme. Hence, the proposed scheme is better than Wu et al.'s scheme.
The rest of this paper is organized as follows. Section 2 reviews Wu et al.'s multi-authenticated encryption scheme. In the subsequent two sections, we describe and evaluate the proposed scheme, respectively. Finally, conclusions are given in Section 5.

* Tel.: +886 3 3685557; fax: +886 3 3654872.
Computer Communications 32 (2009) 783–786. doi:10.1016/j.comcom.2008.12.009

2. Review of Wu et al.'s scheme

The scheme of Wu et al., operating over GF(p), can be divided into three phases: the signature-encryption, the message-recovery and the signature-conversion phases. Before reviewing Wu et al.'s scheme, all necessary parameters are described as follows:
$p, q$: large primes, such that $q \mid (p - 1)$
$g$: a generator of order $q$ over GF(p)
$U_i$: denotes a user
Each $U_i$ owns a private key $x_i \in Z_q$ and a corresponding public key $y_i = g^{x_i} \bmod p$ which is publicly accessible. Each phase of Wu et al.'s scheme is described as follows.
2.1. The signature-encryption phase
Without loss of generality, let $SG = \{U_1, U_2, \ldots, U_n\}$ be the signing group. For signing the message $M$ (with redundancy embedded), each $U_i \in SG$ performs the following steps:

Step 1: $U_i$ first chooses $w_i \in Z_q$ to compute
$$r_i = g^{w_i} \bmod p \qquad (1)$$
and then broadcasts $r_i$ to $U_j \in SG \setminus \{U_i\}$.

Step 2: $U_i$ computes
$$R = M \Big(\prod_{U_j \in SG} r_j^{\,r_j}\Big) \bmod p \qquad (2)$$
$$s_i = w_i r_i + x_i R \bmod q \qquad (3)$$
and sends $s_i$ to $U_j \in SG \setminus \{U_i\}$.

Step 3: $U_k$ verifies
$$g^{s_j} = r_j^{\,r_j}\, y_j^{\,R} \pmod p \qquad (4)$$
If the above equality holds, proceed to the next step; else, $s_j$ is requested to be sent again.

Step 4: When all $(r_j, s_j)$'s are collected and verified, the clerk $U_k$, who can be any signer in $SG$, randomly chooses $d \in Z_q$ to compute
$$S = \sum_{U_j \in SG} s_j \bmod q \qquad (5)$$
$$C_1 = g^{d} \bmod p \qquad (6)$$
$$C_2 = R \oplus (y_v^{\,d} \bmod p) \qquad (7)$$
Note that $y_v$ is the public key of the designated recipient $U_v$.

Step 5: The clerk $U_k$ sends $(C_1, C_2, S)$ to the recipient $U_v$.
2.2. The message-recovery phase
Upon receiving $(C_1, C_2, S)$, the recipient $U_v$ performs the following two steps:

Step 1: Compute
$$R = C_2 \oplus (C_1^{\,x_v} \bmod p) \qquad (8)$$

Step 2: Recover the message $M$ by computing
$$M = R \Big(g^{S} \Big(\prod_{U_j \in SG} y_j\Big)^{-R}\Big)^{-1} \bmod p \qquad (9)$$
If the redundancy embedded in the message $M$ is correct, $U_v$ accepts the signature; otherwise $U_v$ rejects it.
2.3. The signature-conversion phase
In case of a later dispute on repudiation, $U_v$ can just release $(R, S)$ for the message $M$, such that anyone can validate the signature with Eq. (9).
3. The proposed scheme
In this section, the author shows the proposed multi-authenticated encryption scheme. It can be divided into three phases: the signature-encryption phase, the message-recovery phase and the signature-conversion phase. Let $h()$ be a public one-way hash function, and let every $U_i$ have a private key $x_i$ and a public key $y_i = g^{x_i} \bmod p$ which is publicly accessible. Before executing the signature-encryption phase, a clerk $U_k$ has to be determined in advance; the clerk is randomly chosen among all the signers of the group. Each phase of the proposed multi-authenticated encryption scheme is described as follows.

3.1. The signature-encryption phase

Without loss of generality, assume that the signers $U_i \in SG$ want to send $U_v$ a message $M$, where $1 \le M \le p - 1$. Let $SG = \{U_1, U_2, \ldots, U_n\}$ be the signing group. For signing the message $M$ (with redundancy embedded), each $U_i \in SG$ performs the following steps:
Step 1: $U_i$ first chooses a random number $w_i \in Z_q$ to compute
$$r_i = g^{w_i} \bmod p \qquad (10)$$
and then broadcasts $r_i$ to $U_j \in SG \setminus \{U_i\}$.

Step 2: Upon receiving $r_j$ from $U_j \in SG \setminus \{U_i\}$, $U_i$ computes
$$R = M \Big(\prod_{U_j \in SG} r_j\Big) \bmod p \qquad (11)$$
$$K = h(R, M) \bmod p \qquad (12)$$
$$s_i = x_i K + w_i \bmod q \qquad (13)$$
and sends $s_i$ to the clerk $U_k$, who can be any signer $U_k \in SG$.

Step 3: After receiving $(r_j, s_j)$ from $U_j \in SG \setminus \{U_k\}$, the clerk $U_k$ verifies
$$g^{s_j} \overset{?}{=} (y_j)^{K}\, r_j \bmod p \qquad (14)$$
If they are equal, proceed to the next step; else, $s_j$ is requested to be sent again.

Step 4: When all $(r_j, s_j)$ are collected, the clerk $U_k$ chooses a random number $d \in Z_q$ to compute
$$S = \sum_{U_j \in SG} s_j \bmod q \qquad (15)$$
$$C_1 = g^{d} \bmod p \qquad (16)$$
$$C_2 = R\,(y_v^{\,d} \bmod p) \qquad (17)$$
Note that $y_v$ is the public key of the designated recipient.

Step 5: Then, the clerk $U_k$ sends $(C_1, C_2, S, K)$ to the recipient $U_v$.
3.2. The message-recovery phase
Upon receiving $(C_1, C_2, S, K)$ from the clerk $U_k$, the recipient $U_v$ performs the following steps:

Step 1: The recipient $U_v$ computes
$$R = C_2\,(C_1^{\,x_v})^{-1} \bmod p \qquad (18)$$

Step 2: Recover the message $M$ by computing
$$M = R\,(g^{S})^{-1} \Big(\prod_{U_i \in SG} y_i\Big)^{K} \bmod p \qquad (19)$$

Step 3: Use the public keys $y_j$ of $U_j \in SG$, $M$, $K$ and $S$ to compute and verify
$$K \overset{?}{=} h(R, M) \qquad (20)$$
Theorem 1. $U_j \in SG \setminus \{U_i\}$ verifies $s_i$ by Eq. (14).

Proof. $g^{s_i} = g^{x_i K + w_i \bmod q}$; since $g^{x_i} = y_i$ and $g^{w_i} = r_i$, this equals $(y_i)^{K}\, r_i \bmod p$. □

Theorem 2. The recipient $U_v$ uses the public keys $y_j$ of $U_j \in SG$, $K$ and $S$ to compute and verify by Eq. (21).

Proof. Using $R = M (\prod_{U_j \in SG} r_j) \bmod p$ and $s_i = x_i K + w_i \bmod q$,
$$R\,(g^{S})^{-1}\Big(\prod_{U_i \in SG} y_i\Big)^{K} = M\Big(\prod_{U_i \in SG} r_i\Big)\, g^{-\sum_{U_i \in SG}(x_i K + w_i)}\Big(\prod_{U_i \in SG} y_i\Big)^{K} = M.\ \Box$$
3.3. The signature-conversion phase
In case of a dispute on repudiation, the recipient $U_v$ can release $(S, K)$ for the message $M$. Anyone can then confirm its validity by computing
$$K \overset{?}{=} h\Big(M\Big((g^{S})^{-1}\Big(\prod_{U_i \in SG} y_i\Big)^{K}\Big)^{-1} \bmod p,\; M\Big) \qquad (21)$$
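The three phases of Sections 3.1–3.3 run end to end on a constructed toy group, as an added example that is not the paper's code. Assumptions not fixed by the paper: SHA-256 over 8-byte big-endian encodings stands in for $h()$, the parameters $p = 2q + 1$, $g = 4$ are searched at import time around $2^{31}$ (far too small for real use), and `secrets` supplies $w_i$ and $d$.

```python
import hashlib
import secrets
from functools import reduce

def is_prime(n):
    """Trial division; adequate for the ~32-bit toy parameters below."""
    if n < 2 or n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True

def toy_params(start=2**31):
    """Constructed toy group (assumption): q and p = 2q + 1 prime, so q | p - 1;
    g = 4 is a quadratic residue other than 1 and therefore has order q in GF(p)*."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = toy_params()

def h(R, M):
    """Public one-way hash h(R, M) mod p, Eq. (12). SHA-256 over fixed-width
    encodings is this example's choice; the paper fixes no concrete hash."""
    data = R.to_bytes(8, "big") + M.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def keygen():
    x = secrets.randbelow(Q - 1) + 1           # private key x in Z_q
    return x, pow(G, x, P)                     # public key y = g^x mod p

def prod_pub(pub_keys):
    return reduce(lambda acc, y: acc * y % P, pub_keys, 1)

def sign_encrypt(M, priv_keys, pub_keys, y_v):
    """Signature-encryption phase for all signers plus the clerk, Eqs. (10)-(17)."""
    w = [secrets.randbelow(Q - 1) + 1 for _ in priv_keys]
    r = [pow(G, wi, P) for wi in w]                           # (10), broadcast r_i
    R = M * reduce(lambda acc, rj: acc * rj % P, r, 1) % P    # (11)
    K = h(R, M)                                               # (12)
    s = [(xi * K + wi) % Q for xi, wi in zip(priv_keys, w)]   # (13)
    for yj, rj, sj in zip(pub_keys, r, s):                    # clerk checks (14)
        if pow(G, sj, P) != pow(yj, K, P) * rj % P:
            raise ValueError("partial signature rejected; request s_j again")
    S = sum(s) % Q                                            # (15)
    d = secrets.randbelow(Q - 1) + 1
    return pow(G, d, P), R * pow(y_v, d, P) % P, S, K         # (16), (17)

def recover(C1, C2, S, K, x_v, pub_keys):
    """Message-recovery phase, Eqs. (18)-(20); returns M, or None if K does not check."""
    R = C2 * pow(pow(C1, x_v, P), -1, P) % P                  # (18)
    M = R * pow(pow(G, S, P), -1, P) * pow(prod_pub(pub_keys), K, P) % P  # (19)
    return M if h(R, M) == K else None                        # (20)

def verify_converted(M, S, K, pub_keys):
    """Signature-conversion phase: anyone checks the released (S, K) against M, Eq. (21)."""
    R = M * pow(G, S, P) * pow(pow(prod_pub(pub_keys), K, P), -1, P) % P
    return h(R, M) == K
```

Because $K$ is reduced modulo the toy $p$, a forged or altered message passes Eq. (21) with probability about $1/p$; with the paper's large $p$ that term is negligible.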
4. Security analysis and performance of proposed encryption scheme
4.1. Security analysis
Suppose that all communication is under the control of the adversary: the adversary can read the messages produced by the parties and modify them before they reach their destination. The security of the proposed scheme is based on the one-way hash function and on the discrete logarithm problem, which are believed infeasible to solve in polynomial time. They are described as follows:
Assumption 1. Intractability of reversing a one-way hash function [7]: it is computationally infeasible to derive $x$ from a given hashed value $h(x)$, or to find two different values $x, x'$ such that $h(x) = h(x')$.

Assumption 2. Discrete logarithm problem [25]: for a given $y \in Z_p$, it is computationally infeasible to derive $x$ such that $y = g^{x} \bmod p$.
We shall consider some possible attacks against the proposed scheme, and then show that the proposed scheme can withstand them.
(1) Can the adversary reveal $U_i$'s private key $x_i$ from all public information?
Assume that an adversary wants to derive $U_i$'s private key $x_i$ from $U_i$'s public key $y_i = g^{x_i} \bmod p$. This is as difficult as solving the discrete logarithm problem. From the signature $s_i = x_i K + w_i \bmod q$, the adversary cannot succeed either, because $s_i = x_i K + w_i \bmod q$ has two unknown variables $x_i$ and $w_i$.
(2) Can the adversary forge the digital multi-signature of the message $M$?
The multi-signature $\big(S = \sum_{U_j \in SG} s_j \bmod q = \sum_{U_i \in SG} (x_i h(R, M) + w_i) \bmod q,\; K\big)$ of the message is generated from $U_i$'s private key $x_i$, the random number $w_i$, the message $M$ and $R$. If an adversary wants to forge a converted multi-signature $(S, K)$ of the message $M$, this adversary must find a digital multi-signature which satisfies the following equation:
$$\Big(\prod_{U_i \in SG} y_i\Big)^{h(R,M)} \prod_{U_i \in SG} r_i \overset{?}{=} g^{S} \pmod p, \quad K = h(R, M) \qquad (22)$$
From the above equation, we can see that $s_j$ consists of the random number $w_i$, $U_i$'s private key $x_i$ and $h(R, M)$. Therefore, if an adversary wants to forge a signature $(S, K)$ of the message $M$, this adversary must know the random number $w_i$, $U_i$'s private key $x_i$, the message $M$ and $R$. Assume that this adversary is an outsider. He cannot obtain them, because the random number $w_i$ and the private key $x_i$ are held only by the signer $U_i$, and $R$ is the authenticated message for the message $M$. Assume that this adversary is an insider. He cannot obtain the random number $w_i$ and $U_i$'s private key $x_i$, because they are held only by $U_i$. Thus, it is impossible for any adversary to forge the digital multi-signature of the message $M$.
(3) Can the adversary recover the message $M$ from the signature $s_j$ or $S$?
In the proposed scheme, it is impossible for an adversary to recover the message $M$ from the signature $s_j$ or $S$. The message $M$ is hashed with the one-way hash function and protected by the private key $x_i$ and the random number $w_i$. Because of the difficulty of inverting the one-way hash function, it is computationally infeasible to derive the message $M$ from a given hashed value $h(R, M)$. In addition, the private key $x_i$ and the random number $w_i$ are held only by the signer $U_i \in SG$. Hence, in the proposed scheme, no adversary can recover the message from the signature $s_j$ or $S$.
(4) Can this scheme resist the clerk attack [26]?
Assume that an adversary, say signer 1, is the clerk in the proposed scheme. This adversary wishes his partners $2, 3, \ldots, n$ to sign a message $M'$ chosen by him. His partners refuse, but they agree to sign the eligible message $M$ with him. Thus, every signer $U_i$ selects his random number $w_i \in Z_q$ and computes $r_i = g^{w_i} \bmod p$. Then they broadcast $r_i$ to every signer. Because of the one-way hash function and $U_i$'s private key $x_i$, it is difficult for this adversary to compute $r_i$ and $w_i$ which would eliminate the message $M$ and replace it with the message $M'$. Check the following equation:
$$s_i = x_i\, h(R, M) + w_i \bmod q, \quad \text{where } R = M\Big(\prod_{U_j \in SG} r_j\Big) \bmod p \qquad (23)$$
$r_i$ cannot replace the message $M$ with the message $M'$, because the message $M$ is directly hashed with the one-way hash function and protected by $U_i$'s private key $x_i$ and $U_i$'s chosen random number $w_i$.
4.2. Performance evaluation
In this section, we compare the performance of the proposed scheme with the one proposed by Wu et al. From the description of both schemes, the total computation cost of a multi-authenticated encryption scheme increases with the number of signers, because such a scheme allows a designated recipient to recover and verify an authenticated message signed by multiple signers. Hence, we consider the performance comparison not only in terms of the computational complexity of each phase but also in terms of the computational complexity required for all signers and the clerk in the signature-encryption phase, for the recipient in the message-recovery phase, and for the recipient in the signature-conversion phase. The performance evaluation of Wu et al.'s scheme and our scheme is given in Table 1.
The time for performing modular addition and the exclusive OR (XOR) operation is ignored because it is negligible compared to the other operations. The total computation cost of the proposed scheme is $(n + 1)T_h + (n^2 + 2n + 3)T_m + (3n + 2)T_e$, and the total computation cost of Wu et al.'s scheme is $(2n^2 + 4n + 1)T_m + (3n^2 + 2n + 5)T_e$. Traditionally, a modular exponentiation is slower than a modular multiplication and than a one-way hash function computation ($1T_e \approx 600T_h$) [25,27,28], so it can easily be checked that the total computational cost of the proposed scheme is lower than that of Wu et al.'s scheme.
5. Conclusions
In this paper, a new convertible multi-authenticated encryption scheme with a one-way hash function has been proposed. The security of the proposed scheme is based on the one-way hash function and discrete logarithms. As for efficiency, the computation cost of the proposed scheme is smaller than that of Wu et al.'s scheme. This scheme not only allows a group of signers to cooperatively produce a valid authenticated message, but also lets only the specific recipient recover the message and verify the signature. Besides, to avoid abuse of the signature, the proposed scheme provides the ability to convert the signature into an ordinary one that can be verified by anyone.

References
[1] P. Horster, M. Michels, H. Petersen, Meta signature schemes giving message recovery based on the discrete logarithm problem, in: Advances in Cryptology - ASIACRYPT '94, Springer-Verlag, 1994, pp. 82–92.
[2] K. Nyberg, R.A. Ruppel, Message recovery for signature schemes based on the discrete logarithm problem, in: Advances in Cryptology - EUROCRYPT '94, Springer-Verlag, 1994, pp. 182–193.
[3] Y. Zheng, Digital signcryption or how to achieve cost (signature & encryption) << cost (signature) + cost (encryption), in: Advances in Cryptology - CRYPTO '97, Springer-Verlag, 1997, pp. 165–179.
[4] H. Petersen, M. Michels, Cryptanalysis and improvement of signcryption schemes, IEE Proceedings - Computers and Digital Techniques 145 (2) (1998) 149–151.
[5] W.B. Lee, C.C. Chang, Authenticated encryption scheme without using one-way hash function, Electronics Letters 31 (19) (1995) 1656–1657.
[6] M.K. Lee, D.K. Kim, K. Park, An authenticated encryption scheme with public verifiability, in: Japan-Korea Joint Workshop on Algorithms and Computation (WAAC2000), 2000, pp. 49–56.
[7] W. Diffie, M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory IT-22 (6) (1976) 644–654.
[8] S. Araki, S. Uehara, K. Imamura, The limited verifier signature and its application, IEICE Transactions on Fundamentals E82-A (1) (1999) 63–68.
[9] F. Bao, R.H. Deng, A signcryption scheme with signature directly verifiable by public key, in: Proceedings of PKC '98 - Public Key Cryptography, LNCS 1431, Springer-Verlag, Berlin, 1998, pp. 55–59.
[10] H.Y. Chien, Convertible authenticated encryption scheme without using conventional one-way function, Informatica 14 (4) (2003) 1–9.
[11] Y. Dodis, J.H. An, Concealment and its applications to authenticated encryption, in: Advances in Cryptology - EUROCRYPT '03, Springer-Verlag, 2003, pp. 312–329.
[12] H.F. Huang, C.C. Chang, An efficient convertible authenticated encryption scheme and its variant, in: Proceedings of ICICS 2003 - Fifth International Conference on Information and Communications Security, LNCS 2836, Springer-Verlag, Berlin, 2003, pp. 382–392.
[13] C.L. Hsu, T.C. Wu, Authenticated encryption schemes with (t, n) shared verification, IEE Proceedings - Computers and Digital Techniques 145 (2) (1998) 117–120.
[14] W.B. Lee, C.C. Chang, Authenticated encryption schemes with linkage between message blocks, Information Processing Letters 63 (5) (1997) 247–250.
[15] J. Lv, X. Wang, K. Kim, Practical convertible authenticated encryption schemes using self-certified public keys, Applied Mathematics and Computation 169 (2) (2005) 1285–1297.
[16] A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997.
[17] Y.M. Tseng, J.K. Jan, H.Y. Chien, Digital signature with message recovery using self-certified public keys and its variants, Applied Mathematics and Computation 136 (2–3) (2003) 203–214.
[18] T.S. Wu, C.L. Hsu, Convertible authenticated encryption scheme, Journal of Systems and Software 62 (3) (2002) 205–209.
[19] F. Zhang, K. Kim, A universal forgery of Araki et al.'s convertible limited verifier signature scheme, IEICE Transactions on Fundamentals E86-A (2) (2003) 515–516.
[20] J. Zhang, Y. Wang, On the security of a convertible authenticated encryption, Applied Mathematics and Computation 169 (22) (2005) 1063–1069.
[21] Y. Zheng, Signcryption and its applications in efficient public key solutions, in: Proceedings of ISW '97 - Information Security Workshop, LNCS 1396, 1997, pp. 291–312.
[22] T.S. Wu, C.L. Hsu, K.Y. Tsai, H.Y. Lin, T.C. Wu, Convertible multi-authenticated encryption scheme, Information Sciences 178 (1) (2008) 256–263.
[23] S. Rahul, R.C. Hansdah, A multisignature scheme for implementing safe delivery rule in group communication systems, in: International Workshop on Distributed Computing (IWDC 2004), LNCS 3326, Springer-Verlag, 2004, pp. 231–239.
[24] M.L. Das, A. Saxena, V. Gulati, Cryptanalysis and improvement of a multisignature scheme, in: IWDC 2005, LNCS 3741, Springer-Verlag, 2005, pp. 398–403.
[25] B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, second ed., John Wiley and Sons Inc., New York, USA, 1996, p. 15.
[26] C.C. Chang, J.J. Leu, P.C. Hwang, W.B. Lee, A scheme for obtaining a message from the digital multisignature, in: International Workshop on Practice and Theory in Public Key Cryptography, Springer-Verlag, Berlin, 1998, pp. 154–163.
[27] B. Schneier, Applied Cryptology, second ed., Wiley, New York, 1996.
[28] T.F. Cheng, J.S. Lee, C.C. Chang, Security enhancement of an IC-card-based remote login mechanism, Computer Networks 51 (2007) 2280–2287.

Table 1
Total performance evaluation of Wu et al.'s scheme and our proposed scheme.

Signature-encryption phase (for all signers and the clerk): our scheme $nT_h + (n^2 + n + 1)T_m + 3nT_e$; Wu et al.'s scheme $(2n^2 + 3n)T_m + (3n^2 + 2n + 2)T_e$.
Message-recovery phase: our scheme $1T_h + (n + 2)T_m + 2T_e$; Wu et al.'s scheme $(n + 1)T_m + 3T_e$.
Signature-conversion phase: our scheme 0; Wu et al.'s scheme 0.
Total: our scheme $(n + 1)T_h + (n^2 + 2n + 3)T_m + (3n + 2)T_e$; Wu et al.'s scheme $(2n^2 + 4n + 1)T_m + (3n^2 + 2n + 5)T_e$.

$T_m$: the time for performing a modular multiplication.
$T_e$: the time for performing a modular exponentiation.
$T_h$: the time for performing a one-way hash function computation.