Information Processing Letters 58 (1996) 189-194

Authenticated encryption schemes with message linkage

Shin-Jia Hwang a,*, Chin-Chen Chang b,1, Wei-Pang Yang a

a Institute of Computer and Information Science, National Chiao Tung University, Hsinchu, Taiwan 300, ROC
b Institute of Computer Science and Information Engineering, National Chung Cheng University, Chiayi, Taiwan 621, ROC

Received 15 August 1995; revised 15 January 1996
Communicated by S.G. Akl
Abstract
Authenticated encryption schemes need redundancy schemes to link up the message blocks; however, these redundancies increase communication costs. To construct links without increasing communication costs, we propose a general solution for all the authenticated encryption schemes based on the discrete logarithm problem. Because the computation cost of constructing links is small, an improved scheme adopting our solution is almost as efficient as the original one. Moreover, with our solution the recipient can easily determine which message blocks are missing and then ask the sender to send only these blocks again, which also reduces the communication cost. Adopting our solution, we also propose two new authenticated encryption schemes with message linkage.
Keywords: Authenticated encryption; Message recovery; Public key cryptography; Safety/security in digital systems
1. Introduction
Authenticated encryption schemes are useful for transmitting confidential data over insecure networks since they provide data confidentiality, authentication and integrity simultaneously. Based on the discrete logarithm problem, Nyberg and Rueppel [4] proposed the first authenticated encryption schemes. To reduce the communication cost of Nyberg and Rueppel's schemes, Horster et al. [2] proposed improved schemes. However, Horster et al.'s schemes need the aid of an additional one-way function to provide the encryption function. To remove the additional one-way function, Hwang et al. [3] proposed another authenticated encryption scheme without any additional one-way function.

* Corresponding author. Email: [email protected].
1 Email: [email protected].
However, there still exists a common disadvantage of the above authenticated encryption schemes. Usually the message is so long that it must first be divided into many message blocks. The sender then encrypts and signs each message block into a corresponding ciphertext block, and finally sends these ciphertext blocks out. Even though an eavesdropper can derive no message block from a ciphertext block, he could remove some of the ciphertext blocks. The recipient cannot detect this removal since authenticated encryption schemes cannot use one-way hash functions. This removal is usually detected by a redundancy scheme on the messages: each message block contains redundant bits to link up the message blocks, but these redundancies increase the communication cost.

0020-0190/96/$12.00 © 1996 Elsevier Science B.V. All rights reserved
PII S0020-0190(96)00032-4

Table 1
The original signature equations for the authenticated encryption scheme

Signature equation; the computation of $y_B^{k_i} \bmod P$
(1) $s_i k_i = 1 + r_i x_A \pmod Q$; $y_B^{k_i} = (y_B \cdot y_{AB}^{r_i})^{(s_i)^{-1}} \bmod P$
(2) $r_i k_i = 1 + s_i x_A \pmod Q$; $y_B^{k_i} = (y_B \cdot y_{AB}^{s_i})^{(r_i)^{-1}} \bmod P$
(3) $k_i = s_i + r_i x_A \pmod Q$; $y_B^{k_i} = y_B^{s_i} \cdot y_{AB}^{r_i} \bmod P$
(4) $s_i k_i = r_i + x_A \pmod Q$; $y_B^{k_i} = (y_B^{r_i} \cdot y_{AB})^{(s_i)^{-1}} \bmod P$
(5) $r_i k_i = s_i + x_A \pmod Q$; $y_B^{k_i} = (y_B^{s_i} \cdot y_{AB})^{(r_i)^{-1}} \bmod P$
(6) $k_i = r_i + s_i x_A \pmod Q$; $y_B^{k_i} = y_B^{r_i} \cdot y_{AB}^{s_i} \bmod P$
To link up the message blocks without increasing the communication cost, we propose in the next section a general solution for the authenticated encryption schemes based on the discrete logarithm problem. In Section 3, by integrating our solution into Horster et al.'s scheme, we propose our first authenticated encryption scheme, Scheme 1. To remove the additional one-way function from Scheme 1, we propose Scheme 2 in Section 4. The final section states our conclusions.
2. Our general solution
In this section, we describe our general solution for linking up message blocks without increasing the communication cost of authenticated encryption schemes based on the discrete logarithm problem. To link up the message blocks, we ought to construct a link between any two successive message blocks, but the construction of links increases the computation cost of encrypting (or decrypting) ciphertext blocks. To reduce this cost, we have to utilize an item that is already computed and is also authenticated by the recipient.
To find such a computed and authenticated item, we reconsider the signature equation. In an authenticated encryption scheme based on the discrete logarithm problem, the sender adopts a signature equation to generate the ciphertext block $(r_i, s_i)$ for the $i$th message block. In the signature equation there are three important items $r_i$, $k_i$ and $x_A$, where $k_i$ is the secret random number selected by Sender A and $x_A$ is the secret key of Sender A. Besides the $i$th message block, $k_i$ is also authenticated by $(r_i, s_i)$. Moreover, $k_i$ is a function of the $i$th message block. Therefore, $k_i$ is the most suitable item for constructing links among message blocks.
To construct the links, our general solution is to add the secret $k_{i-1}$ of the $(i-1)$th message block into the signature equation for the $i$th message block. If the original equation contains the constant item, the constant item can be removed. Then the recipient uses $(r_i, s_i)$ and $\beta_{i-1}$ as the authentication parameters of the $i$th message block, where $\beta_{i-1} = y_B^{k_{i-1}} \bmod P$ and $y_B$ is the public key of the recipient. Consequently, we have built the link between the $i$th and $(i-1)$th message blocks. Since $\beta_{i-1}$ has already been computed before the $i$th message block is verified, we also reduce the computation cost of constructing the links.

Table 2
The six modified signature equations to link up message blocks

Signature equation; the computation of $y_B^{k_i} \bmod P$
(1) $s_i k_i = k_{i-1} + r_i x_A \pmod Q$; $y_B^{k_i} = (y_B^{k_{i-1}} \cdot y_{AB}^{r_i})^{(s_i)^{-1}} \bmod P$
(2) $r_i k_i = k_{i-1} + s_i x_A \pmod Q$; $y_B^{k_i} = (y_B^{k_{i-1}} \cdot y_{AB}^{s_i})^{(r_i)^{-1}} \bmod P$
(3) $k_i = k_{i-1} + s_i + r_i x_A \pmod Q$; $y_B^{k_i} = y_B^{k_{i-1}} \cdot y_B^{s_i} \cdot y_{AB}^{r_i} \bmod P$
(4) $s_i k_i = k_{i-1} + r_i + x_A \pmod Q$; $y_B^{k_i} = (y_B^{k_{i-1}} \cdot y_B^{r_i} \cdot y_{AB})^{(s_i)^{-1}} \bmod P$
(5) $r_i k_i = k_{i-1} + s_i + x_A \pmod Q$; $y_B^{k_i} = (y_B^{k_{i-1}} \cdot y_B^{s_i} \cdot y_{AB})^{(r_i)^{-1}} \bmod P$
(6) $k_i = k_{i-1} + r_i + s_i x_A \pmod Q$; $y_B^{k_i} = y_B^{k_{i-1}} \cdot y_B^{r_i} \cdot y_{AB}^{s_i} \bmod P$
In Table 2, the six signature equations of Nyberg and Rueppel [4] have been modified, while Table 1 shows the original equations of Nyberg and Rueppel [4]. Comparing Table 2 with Table 1, we find that there is no additional computation cost for Eqs. (1) and (2). The additional computation cost for each of Eqs. (3)-(6) in Table 2 is one multiplication modulo $P$ and one addition modulo $Q$. The computation cost of our general solution is so small that the authenticated encryption scheme with message linkage is almost as efficient as the original one.
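As a worked instance of Table 2 (added here; it is not part of the paper), take Eq. (1), whose recipient-side computation is the least obvious because the random exponent is divided out. Solving the modified signature equation $s_i k_i = k_{i-1} + r_i x_A \pmod Q$ for $k_i$ and raising $y_B$ to it, using that $y_B = \alpha^{x_B}$ has order $Q$ (so exponents may be reduced modulo $Q$) and that $y_B^{x_A} = \alpha^{x_A x_B} = y_{AB}$, gives

$$k_i \equiv s_i^{-1}(k_{i-1} + r_i x_A) \pmod Q,$$

$$y_B^{k_i} \equiv \left(y_B^{k_{i-1}} \cdot (y_B^{x_A})^{r_i}\right)^{s_i^{-1} \bmod Q} \equiv \left(\beta_{i-1} \cdot y_{AB}^{r_i}\right)^{s_i^{-1} \bmod Q} \pmod P,$$

which is the entry for Eq. (1) in Table 2. The recipient already holds $\beta_{i-1} = y_B^{k_{i-1}} \bmod P$ from the previous block, so $y_B^{k_{i-1}}$ simply takes the place of the factor $y_B$ in Table 1; this is why Eqs. (1) and (2) cost nothing extra, whereas Eq. (3) multiplies in $\beta_{i-1}$ as an additional factor.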
Since our solution links up the message blocks, our method can detect which message block is missing. When some message blocks are missing, the recipient can find them and tell the sender to send the correct ones again. Although a one-way hash function can also detect whether or not the recovered message is incomplete, it cannot point out which message block is missing (here an incomplete message is one in which some information is lost), so the sender must send all of the message blocks again. For detecting lost message blocks, our solution is therefore better than a one-way hash function, and it also avoids the heavy communication cost otherwise paid to overcome the problem of missing message blocks.
3. A new authenticated encryption scheme
3.1. Review of Horster et al.'s scheme

We give a brief description of Horster et al.'s scheme in the following. A trusted center first publishes two large primes $P$ and $Q$, where $Q \mid (P - 1)$, an element $\alpha$ of order $Q$ modulo $P$, and a secure one-way function $F: GF(P) \to GF(P)$. Each user, say A, chooses his secret key $x_A$ and then computes his public key $y_A = \alpha^{x_A} \bmod P$.

Suppose that User A wants to transmit to User B the message $m \in GF(P)$ within a suitable redundancy scheme. User A first selects a random integer $k$ from the range $[1, Q]$ and computes $r = m \cdot F(y_B^k)^{-1} \bmod P$. Then he constructs $s$ satisfying the signature equation $s = k - r \cdot x_A \pmod Q$. Finally, User A sends the ciphertext $(r, s)$ to User B. User B first computes $y_B^k = y_B^s \cdot y_{AB}^r \pmod P$, where the session key $y_{AB} = (y_A)^{x_B} \bmod P$. Then User B recovers $m = r \cdot F(y_B^k) \bmod P$ and checks whether $m$ satisfies the redundancy scheme.

The redundancy scheme has to deal with the links among the message blocks because the authenticated encryption scheme itself does not provide the link function. Next, the one-way function $F$ is necessary for the encryption function; otherwise, an eavesdropper could first derive the session key from $y_B^k \bmod P$ and then recover any message block from the corresponding ciphertext block [2].
3.2. The description of our scheme
Now we present our authenticated encryption scheme, Scheme 1, which can link up the message blocks. Suppose that the parameters constructed by the trusted center and the users are the same as those in Horster et al.'s scheme, and that User A wants to transmit the message $M$ to User B. First, User A partitions $M$ into $t$ message blocks $\{m_1, m_2, \ldots, m_t\}$, where $m_i \in GF(P)$ within a suitable redundancy scheme for $i = 1, 2, \ldots, t$. Here the redundancy scheme does not need to provide the function to link up message blocks. User A performs the following steps to encrypt and sign each message block.
Step 1. Select $t$ distinct random integers $k_1, k_2, \ldots, k_t$ from the range $[1, Q]$.

Step 2. Compute $\beta_i = y_B^{k_i} \bmod P$ and $r_i = m_i \cdot F(\beta_i)^{-1} \bmod P$ for $i = 1, 2, \ldots, t$.

Step 3. Construct $s_i$ satisfying the signature equation $s_i + k_{i-1} = k_i - r_i \cdot x_A \pmod Q$ for $i = 1, 2, \ldots, t$, where $k_0 = 0$.

Finally, User A sends the set of ciphertext blocks $\{(r_1, s_1), (r_2, s_2), \ldots, (r_t, s_t)\}$ to User B. User B executes the following steps to recover all message blocks and to check whether the recovered message blocks were sent by User A.

Step 4. Compute $\beta_i \equiv y_B^{k_i} \equiv y_B^{k_{i-1}} \cdot y_B^{s_i} \cdot y_{AB}^{r_i} \pmod P$ for $i = 1, 2, \ldots, t$, where the session key $y_{AB} = (y_A)^{x_B} \bmod P$.

Step 5. Recover $m_i = r_i \cdot F(\beta_i) \bmod P$ and check whether $m_i$ satisfies the redundancy scheme for $i = 1, 2, \ldots, t$. If $m_i$ does not satisfy the redundancy scheme, then he tells the sender to send $m_i$ again.
Once User B has obtained and verified all message blocks, he has recovered and verified the message $M$. In Step 5, the recipient can also determine whether there are missing message blocks after $m_{i-1}$. Theorem 1 shows that the recipient is able to obtain the correct message block $m_i$ from $(r_i, s_i)$.
Theorem 1. The message block $m_i$ is obtained by

$$m_i = r_i \cdot F\!\left(y_B^{k_{i-1}} \cdot y_B^{s_i} \cdot y_{AB}^{r_i} \bmod P\right) \bmod P$$

for $i = 1, 2, \ldots, t$, where $k_0 = 0$.
Proof. First, we show that the recipient recovers the correct value $\beta_1$, where $\beta_1 = y_B^{k_1} \bmod P$. Because

$$s_1 = k_1 - r_1 x_A - k_0 = k_1 - r_1 x_A - 0 \pmod Q,$$

we have

$$\beta_1 = y_B^{k_1} = y_B^{s_1} \cdot y_{AB}^{r_1} \pmod P,$$

where $y_{AB} = (y_A)^{x_B} \bmod P$. Consequently, the recipient recovers the correct value $\beta_i$, for $i = 2, 3, \ldots, t$, by computing

$$\beta_i \equiv y_B^{k_i} \equiv y_B^{k_{i-1}} \cdot y_B^{s_i} \cdot y_{AB}^{r_i} \pmod P$$

for $i = 2, 3, \ldots, t$, since $k_i = k_{i-1} + r_i x_A + s_i \pmod Q$, where $\beta_i = y_B^{k_i} \bmod P$. Therefore the $i$th message block $m_i$ can be obtained by

$$m_i = r_i \cdot F\!\left(y_B^{k_{i-1}} \cdot y_B^{s_i} \cdot y_{AB}^{r_i} \bmod P\right) \bmod P = m_i \cdot F(\beta_i)^{-1} \cdot F(\beta_i) \bmod P. \qquad \square$$

3.3. The security and performance considerations
According to the following analysis, the user's secret key $x$, the session key between any two users, and the random integers $k_i$ are secure. It is difficult to derive the secret key $x$ and the random integer $k_i$ from the public key $y$ and from $r_i$, respectively, because these derivations are equivalent to solving the discrete logarithm problem. The signature equations do not reveal the secret key and the random integers since the number of unknown variables exceeds the number of equations. Consequently, the session key $y_{AB}$ between Users A and B is still secure, based on the hardness of the Diffie-Hellman problem [1]. The intruder cannot derive the session key $y_{AB}$ from $\beta_i$ since $\beta_i$ is also protected by the secure one-way function $F$.
Consider whether an intruder can forge $(r'_1, s'_1)$ for $\beta'_1 = y_B^{k'_1} \bmod P$ and $m'_1$. To forge $(r'_1, s'_1)$ for $\beta'_1$ and $m'_1$, $(r'_1, s'_1)$ must satisfy $s'_1 = k'_1 - r'_1 \cdot x_A \pmod Q$. Since the secret key $x_A$ is secure, the intruder cannot construct $(r'_1, s'_1)$ from $s'_1 = k'_1 - r'_1 \cdot x_A \pmod Q$. He is forced to forge $(r'_1, s'_1)$ satisfying

$$\beta'_1 \equiv y_B^{k'_1} = y_B^{s'_1} \cdot y_{AB}^{r'_1} \pmod P.$$

This work is equivalent to solving the discrete logarithm problem, so he cannot forge $(r'_1, s'_1)$ for $\beta'_1$ and $m'_1$. Now both $k_1$ and $m_1$ are authenticated and fixed after verifying the first message block $m_1$, since $m_1$ satisfies the redundancy scheme. In addition, $k_1$ is secret. Assume that $k_{i-1}$ is an authenticated and secret integer after verifying the $(i-1)$th message block. If the intruder tries to forge $(r'_i, s'_i)$ for $\beta'_i$ and $m'_i$, he is faced with the same difficult work as in forging $(r'_1, s'_1)$. Hence the intruder cannot forge $(r'_i, s'_i)$ for $\beta'_i$ and $m'_i$.
The order of the message blocks is guaranteed by the message linkage in Scheme 1. By the above analysis, the intruder cannot forge $(r_i, s_i)$ for $\beta_i$ and $m_i$ for $i = 1, 2, \ldots, t$. That is, the $k_i$'s are authenticated by the recipient even though the $k_i$'s remain secret. Consequently, the links constructed by the $k_i$'s are also authenticated, and these links guarantee that the order of the message blocks is the one determined by the sender.
The encryption function of Scheme 1 is secure. The intruder cannot obtain $\beta_i$, and hence cannot decrypt the $i$th message block from the ciphertext block $(r_i, s_i)$, since the session key $y_{AB}$ is secure and secret in Scheme 1.
In Scheme 1, Sender A performs one exponentiation modulo $P$ and one inverse modulo $P$, and executes $F$ once, in Step 2. Recipient B needs to compute two exponentiations modulo $P$ in Step 4 and execute $F$ once in Step 5. Compared with the computation cost of Horster et al.'s scheme, the recipient performs one additional multiplication modulo $P$ while the sender performs one additional addition modulo $Q$. That is, one multiplication modulo $P$ and one addition modulo $Q$ are the costs of integrating our general solution into Horster et al.'s scheme. Since the additional cost is small, our Scheme 1 is almost as efficient as Horster et al.'s scheme.
4. Another authenticated encryption scheme

4.1. The description of our other scheme

To remove the additional one-way function from Scheme 1, we present another scheme, Scheme 2, which can also link up the message blocks. The parameters constructed by the trusted center and the users are the same as those in Scheme 1, excluding the one-way function $F$. Suppose that User A wants to transmit the message $M$ to User B. User A first partitions $M$ into a set of $t$ message blocks $\{m_1, m_2, \ldots, m_t\}$, where $m_i \in GF(P)$ within a redundancy scheme for $i = 1, 2, \ldots, t$. Replacing Step 2 in Scheme 1 by Step 2', User A executes Steps 1-3 of Scheme 1.

Step 2'. Compute

$$\beta_i = y_B^{k_i} \bmod P \quad \text{and} \quad r_i = m_i \cdot \alpha^{-(\beta_i \bmod Q)} \bmod P$$

for $i = 1, 2, \ldots, t$.

Then the set of ciphertexts $\{(r_1, s_1), (r_2, s_2), \ldots, (r_t, s_t)\}$ is sent to User B. Replacing Step 5 in Scheme 1 by Step 5', User B performs Steps 4 and 5 of Scheme 1.
Step 5'. Recover

$$m_i = r_i \cdot \alpha^{\beta_i \bmod Q} \bmod P$$

and check whether $m_i$ satisfies the redundancy scheme for $i = 1, 2, \ldots, t$. If $m_i$ does not satisfy the redundancy scheme, he tells the sender to send $m_i$ again.
Finally, User B has recovered and verified the message $M$. The following theorem shows why the message block $m_i$ obtained from $(r_i, s_i)$ is correct.

Theorem 2. The message block $m_i$ is recovered by

$$m_i = r_i \cdot \alpha^{\left(y_B^{k_{i-1}} \cdot y_B^{s_i} \cdot y_{AB}^{r_i} \bmod P\right) \bmod Q} \bmod P$$

for $i = 1, 2, \ldots, t$, where $k_0 = 0$.
Proof. By the same inference as for $\beta_i$ in the proof of Theorem 1, the recipient recovers the correct value $\beta_i$ by

$$\beta_i \equiv y_B^{k_i} \equiv y_B^{k_{i-1}} \cdot y_B^{s_i} \cdot y_{AB}^{r_i} \pmod P$$

for $i = 1, 2, \ldots, t$, where $\beta_i = y_B^{k_i} \bmod P$ and $k_0 = 0$. Thus the recipient recovers $m_i$ by

$$m_i \equiv r_i \cdot \alpha^{\left(y_B^{k_{i-1}} \cdot y_B^{s_i} \cdot y_{AB}^{r_i} \bmod P\right) \bmod Q} \equiv m_i \cdot \alpha^{-(\beta_i \bmod Q)} \cdot \alpha^{\beta_i \bmod Q} \pmod P. \qquad \square$$
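To make the two schemes concrete, the following Python program is an added example (it is not the authors' code and not part of the paper). It implements Steps 1-5 of Scheme 1 (Section 3.2) and Steps 2' and 5' of Scheme 2 (Section 4.1), i.e. the message linkage of Eq. (3) in Table 2, and then removes one ciphertext block in transit to show how the recipient locates the break in the chain. Everything the paper does not fix is an assumption here: the toy parameters (a 48-bit safe prime $P = 2Q + 1$ found by search, with $\alpha = 4$ of order $Q$), a SHA-256 based one-way function $F$, a 32-bit redundancy scheme (one payload byte followed by a SHA-256 tag), and the constructed sample message.

```python
"""Added example (not the paper's code): Schemes 1 and 2 with message linkage
(Eq. (3) of Table 2) and detection of a removed ciphertext block.
Assumptions not in the paper: toy parameters (48-bit safe prime P = 2Q + 1,
alpha = 4), a SHA-256 based F, a 32-bit redundancy scheme, constructed messages."""
import hashlib
import secrets

MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]   # deterministic Miller-Rabin below 3.3e24

def is_prime(n):
    """Deterministic Miller-Rabin for the sizes used here."""
    if n < 2 or any(n % a == 0 for a in MR_BASES):
        return n in MR_BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def trusted_center(start=1 << 48):
    """Publish P, Q with Q | (P - 1) and alpha of order Q (Section 3.1); here P = 2Q + 1."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p, alpha = 2 * q + 1, 4          # 4^Q = 2^(P-1) = 1 mod P and 4 != 1, so 4 has prime order Q
    assert pow(alpha, q, p) == 1
    return p, q, alpha

def keygen(p, q, alpha):
    x = secrets.randbelow(q - 1) + 1            # secret key x in [1, Q-1]
    return x, pow(alpha, x, p)                  # public key y = alpha^x mod P

def F(value, p):
    """Scheme 1's one-way function GF(P) -> GF(P): SHA-256, reduced into [1, P-1] (assumption)."""
    digest = hashlib.sha256(value.to_bytes((p.bit_length() + 7) // 8, "big")).digest()
    return int.from_bytes(digest, "big") % (p - 1) + 1

def encode_block(byte):
    """Redundancy scheme (assumption): 8-bit payload followed by 32 bits of SHA-256(payload)."""
    return (byte << 32) | int.from_bytes(hashlib.sha256(bytes([byte])).digest()[:4], "big")

def check_block(m):
    byte = m >> 32
    return byte if byte < 256 and encode_block(byte) == m else None

def mask(beta, p, q, alpha, scheme):
    """Blinding factor: F(beta_i) in Scheme 1 (Steps 2/5), alpha^(beta_i mod Q) in Scheme 2 (Steps 2'/5')."""
    return F(beta, p) if scheme == 1 else pow(alpha, beta % q, p)

def sign_encrypt(p, q, alpha, x_a, y_b, blocks, scheme=1):
    """Sender's Steps 1-3; returns the ciphertext blocks [(r_i, s_i)]."""
    cipher, k_prev, used = [], 0, set()         # k_0 = 0
    for m in blocks:
        k = secrets.randbelow(q - 1) + 1        # Step 1: distinct random k_i in [1, Q-1]
        while k in used:
            k = secrets.randbelow(q - 1) + 1
        used.add(k)
        beta = pow(y_b, k, p)                   # Step 2 / 2': beta_i = y_B^k_i mod P
        r = m * pow(mask(beta, p, q, alpha, scheme), -1, p) % p
        s = (k - k_prev - r * x_a) % q          # Step 3: s_i + k_{i-1} = k_i - r_i x_A (mod Q)
        cipher.append((r, s))
        k_prev = k
    return cipher

def recover_verify(p, q, alpha, x_b, y_a, y_b, cipher, scheme=1):
    """Recipient's Steps 4-5 (or 4, 5'). Returns (recovered payload, index of the first block
    failing the redundancy check, or None). A failure at index i means the chain broke
    between the (i-1)th and ith received blocks, i.e. a block is missing there."""
    y_ab = pow(y_a, x_b, p)                     # session key y_AB = y_A^x_B = y_B^x_A mod P
    payload, beta_prev = [], 1                  # beta_0 = y_B^0 = 1
    for i, (r, s) in enumerate(cipher):
        beta = beta_prev * pow(y_b, s, p) * pow(y_ab, r, p) % p       # Step 4: y_B^(k_{i-1}+s_i+r_i x_A)
        byte = check_block(r * mask(beta, p, q, alpha, scheme) % p)   # Step 5 / 5'
        if byte is None:
            return bytes(payload), i
        payload.append(byte)
        beta_prev = beta
    return bytes(payload), None

def demo(message=b"linked blocks", scheme=1, drop=None):
    """Round trip of a constructed message; with `drop`, one ciphertext block is removed in transit."""
    p, q, alpha = trusted_center()
    x_a, y_a = keygen(p, q, alpha)
    x_b, y_b = keygen(p, q, alpha)
    cipher = sign_encrypt(p, q, alpha, x_a, y_b, [encode_block(c) for c in message], scheme)
    if drop is not None:
        del cipher[drop]
    return recover_verify(p, q, alpha, x_b, y_a, y_b, cipher, scheme)

if __name__ == "__main__":
    for scheme in (1, 2):
        print("Scheme", scheme, demo(scheme=scheme), demo(scheme=scheme, drop=4))
```

When every block arrives, `demo` returns the whole message and `None` for both schemes; with `drop=4` it returns only the first four blocks and the index 4 at which the redundancy check failed, which is exactly the position after which a block is missing (the check on $m_i$ in Step 5 flags a gap after $m_{i-1}$, as Section 3.2 notes). Two limits of the chain are worth keeping in mind when using it as an integrity signal: a removed block and a modified block at the same position look identical to the recipient, and removal of the trailing block(s) leaves no later block to fail, so the recipient must also learn $t$ (or an end marker) to notice truncation at the end.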
4.2. The security and performance considerations
Similar to the security analysis for Scheme 1, we find that the secret key $x$ and all the random integers $k_i$ are secure. The session key is still secure without the one-way function $F$, since it is also difficult to derive the session key $y_{AB}$ from

$$r_i = m_i \cdot \alpha^{-\left(\left(y_B^{k_{i-1}} \cdot y_B^{s_i} \cdot y_{AB}^{r_i} \bmod P\right) \bmod Q\right)} \bmod P.$$
By a security analysis similar to that for forging $(r'_i, s'_i)$ for $\beta'_i = y_B^{k'_i} \bmod P$ and $m'_i$ in Scheme 1, an intruder cannot forge $(r'_i, s'_i)$ for $\beta'_i$ and $m'_i$ in Scheme 2. Since the session key $y_{AB}$ is still secure in Scheme 2, the encryption function of Scheme 2 is secure, too. In Scheme 2, the order of the message blocks is authenticated by the recipient because all the $k_i$'s are secret and authenticated.
In Scheme 2, the sender performs two exponentiations modulo $P$ while the recipient performs three exponentiations modulo $P$. The computation cost to link up message blocks is still one multiplication modulo $P$ and one addition modulo $Q$, which is small. Scheme 2 is more efficient than Hwang et al.'s scheme, since the total computation cost of Hwang et al.'s scheme is seven exponentiations modulo $P$.
5. Conclusions
In this paper, we propose a general solution to link up message blocks without increasing the communication cost of authenticated encryption schemes based on the discrete logarithm problem. The computation cost to construct the link between successive message blocks is small, so the improved authenticated encryption scheme is almost as efficient as the original one. In addition, by our solution the recipient can determine which message blocks are lost and then tell the sender to send only these lost ones again. This also reduces the communication cost caused by the problem of missing message blocks. Adopting our solution, we propose two authenticated encryption schemes, Schemes 1 and 2. Scheme 1 still needs an additional one-way function while Scheme 2 does not. In addition, our Scheme 2 is more efficient than Hwang et al.'s scheme [3].
References

[1] W. Diffie and M.E. Hellman, New directions in cryptography, IEEE Trans. Information Theory 22 (1976) 644-654.
[2] P. Horster, M. Michels and H. Petersen, Authenticated encryption schemes with low communication costs, Electronics Lett. 30 (15) (1994) 1212-1212.
[3] S.J. Hwang, C.C. Chang and W.P. Yang, An encryption/signature scheme with low message expansion, J. Chinese Inst. Engineers (1995).
[4] K. Nyberg and R.A. Rueppel, Message recovery for signature scheme based on the discrete logarithm problem, in: Preproceedings Eurocrypt '94, Perugia, Italy (1994) 175-190.