Self-Certified Proxy Convertible Authenticated Encryption Scheme
Han-Yu Lin a,*, Tzong-Sun Wu b, Ting-Yu Huang a and Yi-Shiung Yeh a
a Department of Computer Science, National Chiao Tung University, Taiwan
b Department of Computer Science and Engineering, National Taiwan Ocean University, Taiwan
* [email protected]
Abstract
A proxy convertible authenticated encryption (CAE) scheme allows an original signer to delegate his signing power to a proxy signer such that the proxy signer can generate an authenticated ciphertext on behalf of the original signer. For confidentiality, the generated authenticated ciphertext can be decrypted and verified only by the designated recipient and by no one else. By building on a self-certified public key system, the proposed scheme saves communication overhead and computation effort, since no public key certificate has to be transmitted or verified. That is, authenticating the public key can be combined with subsequent cryptographic operations such as the signature verification. In case of a later repudiation, the designated recipient has the ability to convert the signature into an ordinary one for convincing anyone of the signer’s dishonesty.
Keywords: self-certified, proxy signature, convertible, authenticated encryption.
1. Introduction
Since Diffie and Hellman [1] proposed the first public key system in 1976, public key systems have been widely used in many applications. A critical issue for ensuring system security is to authenticate a public key before using it. A commonly used solution is the public key certificate, e.g., X.509 [2]. The certificate is issued by a certification authority, and everyone should first verify the corresponding certificate before using the public key. However, the transmission and verification of the certificate incur extra communication and computation costs. In 1984, Shamir [3] introduced the ID-based public key system, in which the public key of each user is directly his identifier, which is known to the public. Yet, each user’s private key is derived by the System Authority (SA) with a trapdoor one-way hash function. That is, the security relies entirely on the SA, and hence a malicious SA can impersonate any legitimate user by deriving his private key without being detected. To overcome this weakness, Girault [4] proposed the so-called self-certified public key system in 1991. A significant property of the self-certified public key system is that the validation of the public key can be combined with the subsequent cryptographic operations, such as the signature verification, within one step. This contributes to the reduction of communication and computation costs. In addition, the private key of each user is no longer computed solely by the SA. It can be seen that the self-certified public key system is a better alternative for implementing cryptographic schemes than the certificate-based approach or the ID-based system.
In 1994, Horster et al. [5] proposed an authenticated encryption (AE) scheme allowing a signer to generate an authenticated ciphertext such that only the designated recipient has the ability to verify it. Such schemes can be applied to many business transactions, such as credit card transactions. However, a later dispute on repudiation might occur if the signer denies having generated the signature. To overcome this drawback, Araki et al. [6] proposed a convertible limited verifier signature scheme. Yet, their scheme is impractical, since the signature conversion requires the assistance of the dishonest signer. Moreover, Zhang and Kim [7] also pointed out that Araki et al.’s scheme could not withstand a universal forgery attack on an arbitrarily chosen message. In 2002, Wu and Hsu [8] proposed a convertible authenticated encryption (CAE) scheme, in which the signature conversion is rather simple and can be done by the recipient alone without any computation effort or communication overhead. The next year, Huang and Chang [9] also introduced a variant of the CAE schemes. Unfortunately, Lv et al. [10] pointed out that the Wu-Hsu scheme and the Huang-Chang scheme could not fulfill the requirement of semantic security.
To meet the need of more and more complicated business developments, Mambo et al. [11, 12] proposed the proxy signature schemes for facilitating the delegation operation in an organization. A proxy signature scheme allows the original signer to delegate his signing power to an authorized person called proxy signer, such that the proxy signer can generate a valid proxy signature on behalf of the original one. In this paper, we elaborate on the advantages of self-certified public key systems to propose a novel proxy CAE scheme. The proposed scheme allows a proxy signer to generate an authenticated ciphertext on behalf of the original signer and only the designated recipient has the ability to recover the message and verify its signature for the purpose of confidentiality. In case of a later repudiation, the designated recipient can convert the signature into an ordinary one for the public verification.
The rest of this paper is organized as follows. We present our scheme in Section 2. The security analyses will be discussed in Section 3. Finally, a conclusion is given in Section 4.
2. Self-Certified Proxy CAE Scheme
In this section, we present the proposed scheme over a finite field. Our scheme can be divided into four phases: the user registration, the proxy credential generation, the proxy signature generation and verification, and the proxy signature conversion phases. Initially, the system determines the following public information:
p, q: two large primes satisfying $q \mid (p - 1)$;
g: a generator of order q over GF(p);
h(⋅): a secure one-way hash function which accepts input of any length and produces a fixed-length output;
γ: the SA’s private key, $\gamma \in Z_q^*$;
β: the SA’s public key, computed as
$\beta = g^{\gamma} \bmod p$. (1)
All the above parameters are made public except for the SA’s private key γ. Details of each phase are described as below:
The user registration phase: To join the system, each user Ui associated with the identifier IDi has to perform the following interactive steps with the SA to obtain his key pair:
Step 1 Ui first chooses an integer $t_i \in Z_q^*$ to compute
$v_i = g^{h(t_i, ID_i)} \bmod p$, (2)
and then delivers (vi, IDi) to the SA.
Step 2 Upon receiving (vi, IDi), the SA chooses $z_i \in Z_q^*$ to compute
$y_i = (v_i\, g^{z_i})^{h(ID_i)^{-1}} \bmod p$, (3)
$w_i = z_i + h(y_i, ID_i)\,\gamma \bmod q$, (4)
and sends (yi, wi) back to Ui.
Step 3 Ui computes his private key xi as
$x_i = w_i + h(t_i, ID_i) \bmod q$, (5)
and then ensures its validity by checking
$g^{x_i} \stackrel{?}{=} \beta^{h(y_i, ID_i)}\, y_i^{h(ID_i)} \pmod p$. (6)
If it holds, Ui accepts (xi, yi) as his private and public key pair. The correctness of Eq. (6) is confirmed by Theorem 1, which also validates the authenticity of yi with respect to xi.
Theorem 1. A valid key pair (xi, yi) can pass the test of Eq. (6).
Proof: From the left-hand side of Eq. (6), we have
$\beta^{h(y_i, ID_i)}\, y_i^{h(ID_i)} = \beta^{h(y_i, ID_i)}\, v_i\, g^{z_i}$ (by Eq. (3))
$= v_i\, g^{z_i + h(y_i, ID_i)\,\gamma}$ (by Eq. (1))
$= g^{h(t_i, ID_i) + z_i + h(y_i, ID_i)\,\gamma}$ (by Eq. (2))
$= g^{h(t_i, ID_i) + w_i}$ (by Eq. (4))
$= g^{x_i} \pmod p$ (by Eq. (5)),
which equals the right-hand side of Eq. (6).
Q.E.D.
The proxy credential generation phase: Let Uo be the original user delegating his signing power to the proxy signer Up. Uo distributes the proxy credential to Up with the following steps:
Step 1 Uo first randomly chooses an integer $t \in Z_q^*$ to compute
$T = g^{t} \bmod p$, (7)
$\sigma = x_o + t\, h(m_w, T) \bmod q$, (8)
and then sends (σ, mw, T) to Up, where mw is the warrant consisting of the identifiers of the original and proxy signers, the delegation duration and so on.
Step 2 Upon receiving (σ, mw, T), Up checks whether
$g^{\sigma} \stackrel{?}{=} \beta^{h(y_o, ID_o)}\, y_o^{h(ID_o)}\, T^{h(m_w, T)} \pmod p$. (9)
If it holds, Up proceeds to the next step; else, (σ, mw, T) is requested to be sent again.
Theorem 2. The verification of Eq. (9) works correctly.
Proof: Taking both sides of Eq. (8) as an exponent with base g, we have
$g^{\sigma} = g^{x_o + t\, h(m_w, T)}$
$= \beta^{h(y_o, ID_o)}\, y_o^{h(ID_o)}\, g^{t\, h(m_w, T)}$ (by Eq. (6))
$= \beta^{h(y_o, ID_o)}\, y_o^{h(ID_o)}\, T^{h(m_w, T)} \pmod p$ (by Eq. (7)),
which implies Eq. (9).
Q.E.D.
The proxy signature generation and verification phase: To sign the message m on behalf of the original signer Uo, Up chooses an integer $k \in Z_q^*$ to compute
$C = \left(\beta^{h(y_v, ID_v)}\, y_v^{h(ID_v)}\right)^{k} \bmod p$, (10)
$r_1 = m\, h(C)^{-1} \bmod p$, (11)
$r_2 = h(m, h(g^{k} \bmod p), C) \bmod q$, (12)
$s = k - (x_p + \sigma)\, h(r_2, T) \bmod q$, (13)
and then delivers the proxy signature (mw, r1, r2, s, T) to the designated recipient Uv. Upon receiving the proxy signature (mw, r1, r2, s, T), Uv first computes
$K = g^{s}\left(\beta^{h(y_o, ID_o) + h(y_p, ID_p)}\, y_o^{h(ID_o)}\, y_p^{h(ID_p)}\, T^{h(m_w, T)}\right)^{h(r_2, T)} \bmod p$, (14)
$C = K^{x_v} \bmod p$. (15)
He then recovers the message m as
$m = h(C)\, r_1 \bmod p$, (16)
and checks the redundancy embedded in m. Uv can further verify the proxy signature (mw, r1, r2, s, T) by checking
$r_2 \stackrel{?}{=} h(m, h(K), C) \pmod q$. (17)
Theorem 3. With the proxy signature (mw, r1, r2, s, T), the designated recipient Uv can recover the message m and check its validity with Eq. (16).
Proof: From the right-hand side of Eq. (16), we have
$h(C)\, r_1 = h(K^{x_v} \bmod p)\, r_1$ (by Eq. (15))
$= h\!\left(\left(g^{s}\left(\beta^{h(y_o, ID_o) + h(y_p, ID_p)}\, y_o^{h(ID_o)}\, y_p^{h(ID_p)}\, T^{h(m_w, T)}\right)^{h(r_2, T)}\right)^{x_v} \bmod p\right) r_1$ (by Eq. (14))
$= h\!\left(\left(g^{s + (x_p + \sigma)\, h(r_2, T)}\right)^{x_v} \bmod p\right) r_1$ (by Eqs. (9) and (6))
$= h\!\left(\left(g^{k}\right)^{x_v} \bmod p\right) r_1$ (by Eq. (13))
$= h\!\left(\left(\beta^{h(y_v, ID_v)}\, y_v^{h(ID_v)}\right)^{k} \bmod p\right) r_1$ (by Eq. (6))
$= h(C)\, r_1$ (by Eq. (10))
$= m \pmod p$ (by Eq. (11)),
which leads to the left-hand side of Eq. (16).
Q.E.D.
Theorem 4. If the proxy signature (mw, r1, r2, s, T) is correctly generated, it will pass the test of Eq. (17).
Proof: From the right-hand side of Eq. (17), we have
$h(m, h(K), C) = h(m, h(K), K^{x_v} \bmod p)$ (by Eq. (15))
$= h\!\left(m,\ h\!\left(g^{s}\left(\beta^{h(y_o, ID_o) + h(y_p, ID_p)}\, y_o^{h(ID_o)}\, y_p^{h(ID_p)}\, T^{h(m_w, T)}\right)^{h(r_2, T)} \bmod p\right),\ \left(g^{s}\left(\beta^{h(y_o, ID_o) + h(y_p, ID_p)}\, y_o^{h(ID_o)}\, y_p^{h(ID_p)}\, T^{h(m_w, T)}\right)^{h(r_2, T)}\right)^{x_v} \bmod p\right)$ (by Eq. (14))
$= h\!\left(m,\ h\!\left(g^{s + (x_p + \sigma)\, h(r_2, T)} \bmod p\right),\ \left(g^{s + (x_p + \sigma)\, h(r_2, T)}\right)^{x_v} \bmod p\right)$ (by Eqs. (9) and (6))
$= h\!\left(m,\ h(g^{k} \bmod p),\ g^{k x_v} \bmod p\right)$ (by Eq. (13))
$= h(m, h(g^{k} \bmod p), C)$ (by Eqs. (10) and (6))
$= r_2 \pmod q$ (by Eq. (12)),
which leads to the left-hand side of Eq. (17).
Q.E.D.
The proxy signature conversion phase: When a later dispute on repudiation occurs, the designated recipient Uv can reveal the converted proxy signature (mw, r2, s, C, T) and the original message m to prove the proxy signer’s dishonesty without any additional computation effort or communication overhead. Thus, anyone can verify the converted proxy signature with the assistance of Eqs. (14) and (17).
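The four phases above (registration, credential generation, proxy signing with recovery and verification, and conversion), as an added example that is not part of the paper: a toy Python instantiation over constructed parameters p = 2039, q = 1019, g = 4, with h taken to be SHA-256 reduced to [1, q−1] (an assumption so that every inverted value is non-zero), identifiers and the warrant as plain strings, the message as an integer below p, and the redundancy check on m omitted.

```python
import hashlib, secrets

# Constructed toy parameters (assumption): q | p - 1 and g = 2^2 has order q in GF(p).
p, q, g = 2039, 1019, 4
rand_zq = lambda: secrets.randbelow(q - 1) + 1   # uniform element of Z_q^*
gamma = rand_zq()                                 # SA private key
beta = pow(g, gamma, p)                           # SA public key, Eq. (1)

def h(*parts):
    # SHA-256 reduced to [1, q-1] (assumption) so h(ID_i) in Eq. (3) and h(C) in Eq. (11) are invertible.
    d = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return 1 + int.from_bytes(d, "big") % (q - 1)
def pub(y, ID):
    # Right-hand side of Eq. (6): g^x recovered from the self-certified key (y, ID) without a certificate.
    return pow(beta, h(y, ID), p) * pow(y, h(ID), p) % p
def register(ID):
    # User registration phase; the SA's Step 2 is run inline for brevity.
    t, z = rand_zq(), rand_zq()
    v = pow(g, h(t, ID), p)                                  # Eq. (2)
    y = pow(v * pow(g, z, p) % p, pow(h(ID), -1, q), p)     # Eq. (3)
    w = (z + h(y, ID) * gamma) % q                           # Eq. (4)
    x = (w + h(t, ID)) % q                                   # Eq. (5)
    assert pow(g, x, p) == pub(y, ID)                        # Eq. (6)
    return x, y

def delegate(xo, mw):
    t = rand_zq()
    T = pow(g, t, p)                                         # Eq. (7)
    return (xo + t * h(mw, T)) % q, T                        # Eq. (8)
def check_credential(sigma, mw, T, yo, IDo):
    return pow(g, sigma, p) == pub(yo, IDo) * pow(T, h(mw, T), p) % p   # Eq. (9)

def proxy_sign(xp, sigma, mw, T, yv, IDv, m):
    k = rand_zq()
    C = pow(pub(yv, IDv), k, p)                              # Eq. (10)
    r1 = m * pow(h(C), -1, p) % p                            # Eq. (11)
    r2 = h(m, h(pow(g, k, p)), C)                            # Eq. (12)
    s = (k - (xp + sigma) * h(r2, T)) % q                    # Eq. (13)
    return mw, r1, r2, s, T
def compute_K(mw, r2, s, T, yo, IDo, yp, IDp):
    # Eq. (14); pub(yo, IDo) * pub(yp, IDp) equals the beta^{...} y_o^{...} y_p^{...} factor.
    base = pub(yo, IDo) * pub(yp, IDp) * pow(T, h(mw, T), p) % p
    return pow(g, s, p) * pow(base, h(r2, T), p) % p

def recover(xv, sig, yo, IDo, yp, IDp):
    mw, r1, r2, s, T = sig
    K = compute_K(mw, r2, s, T, yo, IDo, yp, IDp)
    C = pow(K, xv, p)                                        # Eq. (15)
    m = h(C) * r1 % p                                        # Eq. (16)
    return m, r2 == h(m, h(K), C), (mw, r2, s, C, T)         # Eq. (17); converted signature
def verify_converted(conv, m, yo, IDo, yp, IDp):
    # Conversion phase: anyone checks (mw, r2, s, C, T) and m with Eqs. (14) and (17).
    mw, r2, s, C, T = conv
    return r2 == h(m, h(compute_K(mw, r2, s, T, yo, IDo, yp, IDp)), C)
```

Only the holder of xv can turn K into C via Eq. (15), which is what keeps the ciphertext confidential until Uv chooses to release C.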
3. Security Analyses
In this section, we first introduce the definitions of the security notions with respect to the proposed scheme, i.e., the discrete logarithm problem (DLP) [1, 13, 14] and the discrete logarithm assumption [13]. We prove that our proposed scheme is secure on condition that the discrete logarithm assumption is intractable.
3.1. Related Definitions
Definition 1 (discrete logarithm problem; DLP)
Let (p, q) be two large primes satisfying $q \mid (p - 1)$ and g a generator of order q over GF(p). The discrete logarithm problem is, given an instance (y, p, q, g) for some $y \in Z_p^*$, to derive $x \in Z_q$ such that $y = g^{x} \bmod p$. Here, we denote the discrete logarithm by $x = \mathrm{Log}_{p, q, g}(y)$.
Definition 2 (discrete logarithm assumption)
Let $I_k = \{(p, q, g) \in I \mid |p| = k\}$ with $k \in \mathbb{N}$, where I is the universe of all instances and |p| represents the bit-length of p. For every probabilistic polynomial-time algorithm A, every positive polynomial P(⋅) and all sufficiently large k, the algorithm A can solve the DLP with an advantage of at most $1/P(k)$, i.e.,
$\Pr\left[A(y, p, q, g) = \mathrm{Log}_{p, q, g}(y) : (p, q, g) \xleftarrow{u} I_k,\ y \xleftarrow{u} Z_p^*\right] \le \frac{1}{P(k)}$.
Note that “$\xleftarrow{u}$” denotes uniformly and independently selected. The probability is taken over the uniformly and independently chosen instance with a given security parameter k and over the random choices of A.
3.2. Proof of the Proposed Scheme
This subsection proves that the proposed scheme is secure based on the DLP. A problem P is said to be “(t, ε)-solved” if and only if P can be solved by a probabilistic polynomial-time (PPT) algorithm B with probability ε within polynomial time t; correspondingly, the PPT algorithm B is said to “(t, ε)-break” the problem P. We prove that a PPT adversary A who can (t, ε)-break the DLP is capable of forging a valid proxy signature in at most polynomial time (t + τ) with the same advantage ε. The detailed proof is given as Theorem 5.
Theorem 5. If the DLP for the instance (y, p, q, g) can be (t, ε)-solved by any PPT adversary A, then he can (t + τ, ε)-break the proposed scheme, where τ is the time required for performing (6 hash function + 4 modular multiplication + 3 modular exponentiation + 1 modular inverse) group operations over GF(p).
Proof:
To forge an authenticated ciphertext on an arbitrarily chosen message m', the adversary A first obtains a valid converted proxy signature (mw, r2, s, C, T) of the message m and computes
$D = \beta^{h(y_o, ID_o) + h(y_p, ID_p)}\, y_o^{h(ID_o)}\, y_p^{h(ID_p)}\, T^{h(m_w, T)} \bmod p$. (18)
Afterward, the adversary A randomly and uniformly chooses $a \in Z_q$, and computes
$W = D\, g^{a} \bmod p$. (19)
Since a is randomly and uniformly selected from $Z_q$, we know that W is also uniformly distributed in $Z_p^*$. It can be seen that the DLP instance (W, p, q, g) for some $W \in Z_p^*$ has the same distribution as any other randomly chosen DLP instance. Solving the DLP for the instance (W, p, q, g) with the advantage ε provides the adversary A with the value $Z = x_p + \sigma + a$.
Consequently, the adversary A can proceed to compute
$C' = \left(\beta^{h(y_v, ID_v)}\, y_v^{h(ID_v)}\right)^{a} \bmod p$, (20)
$r_1' = m'\, h(C')^{-1} \bmod p$, (21)
$r_2' = h(m', h(g^{a} \bmod p), C') \bmod q$, (22)
$s' = a - (Z - a)\, h(r_2', T) \bmod q$. (23)
Here, (mw, r1', r2', s', T) is the forged authenticated ciphertext of the message m'. Since the time required for computing Z is at most t and that for computing (r1', r2', s'), denoted by τ, is (6 hash function + 4 modular multiplication + 3 modular exponentiation + 1 modular inverse) group operations over GF(p), we conclude that the total execution time is bounded by t + τ, which is also polynomial time. The validity of the forged proxy signature (mw, r1', r2', s', T) can be verified as follows:
From the right-hand side of Eq. (17), we have
$h(m', h(K'), C') = h\!\left(m',\ h\!\left(g^{s'}\left(\beta^{h(y_o, ID_o) + h(y_p, ID_p)}\, y_o^{h(ID_o)}\, y_p^{h(ID_p)}\, T^{h(m_w, T)}\right)^{h(r_2', T)} \bmod p\right),\ C'\right)$ (by Eq. (14))
$= h\!\left(m',\ h\!\left(g^{s' + (x_p + \sigma)\, h(r_2', T)} \bmod p\right),\ C'\right)$ (by Eqs. (9) and (6))
$= h\!\left(m',\ h\!\left(g^{s' + (Z - a)\, h(r_2', T)} \bmod p\right),\ C'\right)$
$= h\!\left(m',\ h(g^{a} \bmod p),\ C'\right)$ (by Eq. (23))
$= r_2' \pmod q$ (by Eq. (22)),
which leads to the left-hand side of Eq. (17). It can be seen that the forged authenticated ciphertext (mw, r1', r2', s', T) will successfully pass the test of Eq. (17).
Q.E.D.
4. Conclusions
In this paper, we have proposed a self-certified proxy convertible authenticated encryption (CAE) scheme which allows the proxy signer to generate a valid authenticated ciphertext on behalf of the original signer, such that only the designated recipient has the ability to recover the message and verify its corresponding signature. One significant characteristic of our scheme is that validating the public key and verifying the signature can be carried out simultaneously within one step, which helps reduce communication overhead and computation effort. In case of a later repudiation, the designated recipient has the ability to release the converted proxy signature on his own for public verification. Moreover, we also proved that the proposed scheme is secure on condition that the discrete logarithm assumption is intractable.
5. References
[1] W. Diffie and M. Hellman, “New directions in cryptography,” IEEE Transactions on Information Theory, Vol. IT-22, No. 6, 1976, pp. 644-654.
[2] ISO/IEC 9594-8, “Information technology − open systems interconnection − the directory: public-key and attribute certificate frameworks,” International Organization for Standardization, 2001.
[3] A. Shamir, “Identity-based cryptosystems and signature schemes,” Advances in Cryptology − CRYPTO’84, Springer-Verlag, 1984, pp. 47-53.
[4] M. Girault, “Self-certified public keys,” Advances in Cryptology − EUROCRYPT’91, Springer-Verlag, 1991, pp. 491-497.
[5] P. Horster, M. Michel and H. Peterson, “Authenticated encryption schemes with low communication costs,” Electronics Letters, Vol. 30, No. 15, 1994, pp. 1212-1213.
[6] S. Araki, S. Uehara and K. Imamura, “The limited verifier signature and its application,” IEICE Transactions on Fundamentals, Vol. E82-A, No. 1, 1999, pp. 63-68.
[7] F. Zhang and K. Kim, “A universal forgery on Araki et al.’s convertible limited verifier signature scheme,” IEICE Transactions on Fundamentals, Vol. E86-A, No. 2, 2003, pp. 515-516.
[8] T.S. Wu and C.L. Hsu, “Convertible authenticated encryption scheme,” The Journal of Systems and Software, Vol. 62, No. 3, 2002, pp. 205-209.
[9] H. Huang and C. Chang, “An efficient convertible authenticated encryption scheme and its variant,” Proceedings of the ICICS2003 - Fifth International Conference on Information and Communications Security, LNCS 2836, Springer-Verlag, Berlin, 2003, pp. 382-392.
[10] J. Lv, X. Wang and K. Kim, “Practical convertible authenticated encryption schemes using self-certified public keys,” Applied Mathematics and Computation, Vol. 169, No. 2, 2005, pp. 1285-1297.
[11] M. Mambo, K. Usuda and E. Okamoto, “Proxy signature for delegating signature operation,” Proceedings of the 3rd ACM Conference on Computer and Communications Security, ACM Press, 1996, pp. 48-57.
[12] M. Mambo, K. Usuda and E. Okamoto, “Proxy signatures: delegation of the power to sign messages,” IEICE Transactions on Fundamentals of Electronic Communications and Computer Science, Vol. E79-A, No. 9, 1996, pp. 1338-1354.
[13] H. Delfs and H. Knebl, Introduction to Cryptography: Principles and Applications, Springer, 2002.
[14] A. Menezes, P. Oorschot and S. Vanstone, Handbook of Applied Cryptography, CRC Press, Inc., 1997.