Conference Paper

An Efficient Convertible Authenticated Encryption Scheme and Its Variant


Abstract

An authenticated encryption scheme allows a specified receiver to simultaneously recover and verify a message. Recently, to protect the receiver's interests in a later dispute, Wu and Hsu proposed a convertible authenticated encryption scheme in which the receiver can convert the signature into an ordinary one that can be verified by anyone. However, Wu and Hsu's scheme does not consider that once an intruder knows the message, the intruder can also easily convert the signature into an ordinary digital signature. In this situation, the intruder may force the signer to be responsible for the terms of agreement of the documents and cause confusion. In this paper, we propose an efficient convertible authenticated encryption scheme which provides better protection for both the signer and the specified receiver. We also propose an efficient, lower-communication convertible authenticated encryption scheme with message linkages. It can be regarded as a variant of the convertible authenticated encryption scheme in that it links up the message blocks in order to prevent the message blocks from being reordered, replicated, or partially deleted during transmission.
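The message-linkage idea in the abstract's last sentence is the part a practitioner can check directly. The following is an added example, not code from the paper or from any of the schemes cited on this page: it chains message blocks with a keyed hash (HMAC stands in for the per-block signature values a CAE scheme would chain), folds each block's position and the total block count into its tag, and shows that reordering, replicating or deleting blocks is detected on receipt, even when the attacker rewrites the position fields to look consistent. The key, the per-message nonce and the sample blocks are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

LinkedBlock = Tuple[int, bytes, bytes]  # (position, block, link tag)

# Constructed sample: a contract split into blocks, as a large message would be.
BLOCKS = [b"Clause 1: price 100", b"Clause 2: delivery 30 days",
          b"Clause 3: penalty 5%", b"Signed: A for B"]


def _tag(key: bytes, prev: bytes, i: int, n: int, block: bytes) -> bytes:
    """Link tag for block i of n: depends on the previous tag (hence on every earlier
    block), on the position i, on the total count n and on the block itself.
    HMAC-SHA256 stands in for the per-block signature values a CAE scheme would chain."""
    data = prev + i.to_bytes(4, "big") + n.to_bytes(4, "big") + block
    return hmac.new(key, data, hashlib.sha256).digest()


def link_blocks(key: bytes, nonce: bytes, blocks: List[bytes]) -> List[LinkedBlock]:
    """Sender side: chain the blocks. The per-message nonce seeds the chain so that
    blocks from a different message under the same key cannot be spliced in."""
    n, prev, out = len(blocks), nonce, []
    for i, block in enumerate(blocks, 1):
        t = _tag(key, prev, i, n, block)
        out.append((i, block, t))
        prev = t
    return out


def verify_linked(key: bytes, nonce: bytes, received: List[LinkedBlock]) -> Optional[bytes]:
    """Receiver side: recompute the chain from what actually arrived. Any reordering,
    replication or deletion changes some (prev, i, n, block) tuple and breaks a tag.
    Returns the reassembled message, or None on any mismatch."""
    if not received:
        return None
    n, prev, parts = len(received), nonce, []
    for expected_i, (i, block, t) in enumerate(received, 1):
        calc = _tag(key, prev, expected_i, n, block)
        if i != expected_i or not hmac.compare_digest(calc, t):
            return None
        parts.append(block)
        prev = calc
    return b"".join(parts)


def tamper_cases(linked: List[LinkedBlock]) -> dict:
    """Constructed transmission faults against a 4-block message."""
    a, b, c, d = linked

    def relabel(pos: int, blk: LinkedBlock) -> LinkedBlock:
        return (pos, blk[1], blk[2])  # attacker rewrites only the position field

    return {
        "intact": [a, b, c, d],
        "reordered": [a, c, b, d],
        "reordered_relabelled": [a, relabel(2, c), relabel(3, b), d],
        "replicated": [a, b, b, c, d],
        "middle_deleted": [a, c, d],
        "tail_deleted": [a, b, c],
    }


def demo() -> dict:
    key = secrets.token_bytes(32)    # stand-in for the signer/recipient keying material
    nonce = secrets.token_bytes(16)  # fresh per message
    linked = link_blocks(key, nonce, BLOCKS)
    return {name: verify_linked(key, nonce, seq) for name, seq in tamper_cases(linked).items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} -> {'accepted' if result is not None else 'rejected'}")
```

Three design points carry the detection. The total count n inside every tag is what makes deletion of the last block detectable, since a truncated sequence makes the receiver recompute block 1 with the wrong n. The chained previous tag is what defeats reordering even after the attacker fixes up the position fields, because a block's tag was computed over a predecessor that is no longer in front of it. The per-message nonce is what stops a block from an earlier message under the same key from being spliced in. In the CAE schemes discussed on this page the chaining runs through per-block signature values rather than a MAC; the receiving-side logic is the same.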


... Wu and Hsu (2003) proposed an efficient CAE scheme in which the conversion procedure is very easy and can be managed solely by the recipient, without any heavy computation. Huang and Chang (2003) pointed out that the Wu and Hsu (2003) scheme is not safe, since an adversary who knows the actual message is capable of converting the signature, and they proposed an improved scheme. Unfortunately, Wang et al. (2004) showed that the scheme given by Huang and Chang (2003) is also insecure against a known-plaintext attack: they analyse that an adversary can decrypt a new ciphertext if he has some previous valid ciphertexts. Lv et al. (2005) found security weaknesses in the Wu and Hsu (2003) and Huang and Chang (2003) schemes and presented better schemes based on SCPK (self-certified public keys). Shao (2006) found a weakness in the Lv et al. (2005) scheme and then put forward a new scheme. ...
Article
Full-text available
The convertible authenticated encryption (CAE) scheme allows the signer to generate an authentic ciphertext signature, which can be recovered and validated by a specific recipient only. In case of any dispute, the recipient is able to convert the ciphertext signature into a normal signature that can be validated publicly. CAE schemes are used for the transmission of confidential information over insecure networks, because they provide confidentiality, authenticity and integrity for the transmitted message. We propose a new CAE scheme by integrating ECC-based self-certified public keys with an encryption scheme. The security analysis shows that the proposed CAE scheme fulfils the basic security conditions: indistinguishability of the ciphertext signature, unforgeability and non-repudiation. The performance analysis shows that our proposed CAE scheme has a small advantage over the Wu and Lin scheme regarding computational complexity and timings.
... On the other hand, as an independent interest, a generic signcryption scheme with three parameters (c, r, s) in the signcrypted ciphertext is also proposed. This scheme can be regarded as an improvement of Huang et al.'s scheme [6], since Wang et al. [14] have pointed out that it suffers from some security weaknesses. Our generic signcryption scheme is similar to Huang et al.'s scheme but overcomes the weak points it has. ...
... In this section, we propose our first scheme with the property of public verifiability. This scheme is an improvement of [6] that overcomes the above-mentioned problem. ...
... Our scheme does not have the problem that occurs in [6]. ...
Conference Paper
Signcryption is a new cryptographic primitive which simultaneously provides both confidentiality and authenticity. This paper proposes an improved signcryption scheme and a variant scheme providing message recovery. The first scheme is revised from an authenticated encryption scheme which has been found to have a security flaw. Our scheme fixes the flaw and provides an additional property, the public verifiability of the signature. The second scheme is of the message-recovery type. It surpasses most current signcryption schemes on the size of the signcrypted ciphertext: our second scheme requires only two parameters (r, s), with r ∈ Z_p and s ∈ Z_q, while most signcryption schemes require three parameters (c, r, s) with the additional parameter c ∈ Z_p. This second scheme is modified from an authenticated encryption scheme with message recovery and surpasses the underlying authenticated encryption scheme on the property of non-repudiation of origin.
... The motivation is to achieve significantly lower overheads, in both computation and communication, than the traditional signature-then-encryption paradigm. Following Zheng's pioneering work, a number of new schemes and improvements have been proposed [3, 18, 24, 27, 1, 21, 6, 12, 13, 14], while [22, 4, 1, 6] study the formal models and security proofs for signcryption schemes. Originally, signcryption is performed by a sender Alice for a designated receiver Bob. ...
... Convertible Signcryption. A convertible signcryption scheme should satisfy the following security requirements [3, 12]: ...
... Our Work. In this paper, we present a security analysis of the Huang-Chang convertible signcryption scheme [12] and the Kwak-Moon group signcryption scheme [13]. Note that authenticated encryption does not necessarily provide the property of non-repudiation, so we call the Huang-Chang scheme a convertible signcryption scheme instead of a convertible authenticated encryption scheme. ...
Conference Paper
Full-text available
Signcryption is a new cryptographic primitive that performs signing and encryption simultaneously, at a cost significantly lower than that required by the traditional signature-then-encryption approach. In this paper, we present a security analysis of two such schemes: the Huang-Chang convertible signcryption scheme [12] and the Kwak-Moon group signcryption scheme [13]. Our results show that both schemes are insecure. Specifically, the Huang-Chang scheme fails to provide confidentiality, while the Kwak-Moon scheme does not satisfy the properties of unforgeability, coalition-resistance, and traceability. Keywords: signcryption, digital signature, encryption
... A crucial characteristic of their protocol is that the signature conversion mechanism is cost-free, as the designated verifier converts the signature in the course of the normal decryption procedure, before verifying it. In the next year, Huang and Chang [9] presented a more efficient variant. Unfortunately, Lv et al. [17] disclosed that these schemes [9,26] fail to fulfill the essential security property of confidentiality. In 2009, Lee et al. [11] further introduced an ElGamal-based AE scheme with the convertible property. ...
Article
When it comes to secure transactions online, the requirements of confidentiality and authenticity are usually concerned the most. The former prevents unauthorized reading, while the latter ensures authorized access. Hybrid cryptographic mechanisms such as authenticated encryption (AE) schemes, simultaneously combine the functions of public key encryption and digital signature. Some AE schemes also provide a cost-free arbitration mechanism to deal with the signer’s later repudiation. Such schemes have been found to have numerous practical applications like on-line credit card transactions, confidential contract signing and the protection of digital evidence, etc. However, a designated verifier should also have the ability to convince any third party that he/she is indeed the intended recipient. In this paper, the author presents a novel verifiable authenticated encryption (VAE) scheme with the functionality of recipient proof. Furthermore, the paper shows that the proposed VAE scheme is non-delegatable and provably secure under the random oracle proof models. A non-delegatable hybrid cryptographic scheme provides a higher security level even if the shared common key is compromised. Specifically, the author of the paper will demonstrate that the designed construction is proved secure against adaptive chosen-ciphertext attacks (CCA2) assuming the hardness of Bilinear Square Diffie-Hellman Problem (BSDHP) and secure against adaptive chosen-message attacks (CMA) assuming the hardness of q-Strong Diffie-Hellman Problems (q-SDHP).
... In 2002, Wu and Hsu [40] proposed a convertible authenticated encryption (CAE) scheme in which the signature conversion is rather simple and can be done solely by the recipient without any computational effort or communication overhead. Huang and Chang [11] proposed an enhanced scheme in the next year. However, neither the Wu-Hsu nor the Huang-Chang scheme fulfills the security requirement of confidentiality, i.e., the ciphertext is computationally distinguishable with respect to two candidate messages. ...
Article
This paper presents a novel proxy convertible multi-authenticated encryption (multi-AE) scheme and its variant with message linkages. The proposed scheme allows two or more original signers to cooperatively delegate their signing power to an authorized proxy signer, such that the proxy signer can generate a valid authenticated ciphertext on behalf of the original signing group and only a designated recipient is capable of decrypting the ciphertext and verifying its embedded proxy multi-signature. Its variant with message linkages further benefits the encryption of a large message by dividing it into many smaller message blocks. The proposed proxy convertible multi-AE scheme and its variant can simultaneously fulfill the security requirements of confidentiality and authenticity. Thus, they are applicable to those group-oriented confidential applications with proxy delegation, e.g., proxy on-line auction, proxy contract signing and so on. In case of a later dispute over repudiation, our proposed scheme also allows a designated recipient to convert the ciphertext into an original proxy multi-signature for public verification. In addition, the security of confidentiality against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) and that of unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA) are proved in the random oracle model.
... In 1994, Horster et al. [1] proposed an authenticated encryption scheme using a one-way hash function, which modified Nyberg and Rueppel's message recovery signature [2]. Since then, some similar schemes have been proposed [8-21]. In 1999, Araki et al. [8] proposed a convertible limited verifier scheme to enable the recipient to convert the message and verify the signature. ...
... (2) If the signer wants to repudiate his signature, he can reveal the converted signature and then any verifier can prove the dishonesty of the signer. Unfortunately, in 2003, Huang and Chang [12] found that Wu et al.'s scheme has a weakness. This weakness is that if an adversary knows the message, then he can easily convert a signature into an ordinary one. ...
Article
Full-text available
In 2008, a convertible multi-authenticated encryption (CMAE) scheme for group communications was proposed by Ting-Yi Chang. Chang's mechanism enables multiple signers to generate a multi-authenticated ciphertext associated with the targeted message or document. After receiving this multi-authenticated ciphertext, multiple verifiers can recover and verify the message from it. If those signers later deny having sent the message, the verifiers can convert the corresponding multi-authenticated signature into a traditional one and then submit it to a trusted third party to resolve the dispute. In this study, we propose a new CMAE scheme for group communications based on a one-way hash function and the discrete logarithm problem (DLP). The proposed scheme is more efficient than Chang's scheme in terms of computation cost. In addition, the security robustness of the proposed CMAE scheme is evaluated under four general attack patterns.
... During this process, the recipient can easily produce the ordinary signature without the cooperation of the signer, and if the signer repudiates her signature, the recipient can reveal the converted signature so that any verifier can prove the dishonesty of the signer. Unfortunately, Huang et al. [10] showed that Wu et al.'s scheme does not consider that once an intruder knows the message, he can also easily convert a signature into an ordinary one and claim that the signature was sent to him. Finally, they proposed a new convertible authenticated encryption scheme to solve this problem. ...
... After showing some weaknesses in Wu et al.'s [21] and Huang et al.'s [10] convertible authenticated encryption schemes, we propose a convertible authenticated encryption scheme using self-certified public keys, so that the signer's public key can be simultaneously authenticated when checking a signature's validity. Then, we extend it to one with message linkages for the case where the signed message is large. ...
Article
A convertible authenticated encryption scheme allows a designated receiver to recover and verify a message simultaneously, and the recipient can prove the dishonesty of the sender to any third party if the sender repudiates her signature later. In this paper, after showing some weaknesses in the Wu and Hsu [T. Wu, C. Hsu, Convertible authenticated encryption scheme, The Journal of Systems and Software 62 (2002) 205–209] and Huang and Chang [H. Huang, C. Chang, An efficient convertible authenticated encryption scheme and its variant, in: Proceedings of ICICS 2003, Fifth International Conference on Information and Communications Security, Springer-Verlag, LNCS 2836, 2003, p. 382] convertible authenticated encryption schemes, we propose a practical convertible authenticated encryption scheme using self-certified public keys and then extend it to one with message linkages for the case where the signed message is large. Each sche scheme provides semantic security of the message, the signer's public key can be simultaneously authenticated when checking a signature's validity, and only with the cooperation of the recipient could a verifier know to whom a specific signature is sent. Finally, we give a variant that lets a verifier know to whom a signature is sent while verifying its validity.
... How could A_s achieve the above requirements? Obviously, one or more of the requirements above will not be met if A_s adopted some currently existing digital signature scheme, such as an encryption scheme like that in [9], a conventional authenticated encryption scheme like those in [10,11,21], a ring signature scheme like those in [1,3,14,19], a group signature scheme like that in [5], or another kind of digital signature scheme. To our knowledge, there exists no scheme or concatenation of existing schemes that could solve the above issue soundly. ...
... But the recipient needs the cooperation of the signer when converting the signature, which is obviously a drawback in situations where the signer refuses to cooperate. Therefore, a few new convertible authenticated encryption schemes [4,6,11,15,21,22] have been proposed in which the recipient does not need the signer's cooperation when converting an authenticated encryption signature into an ordinary signature. ...
Article
Though cryptography is being used more and more widely in reality, it seems that there exists no scheme or a concatenation of some existing schemes that could deal soundly with such practical situations as providing a clue, where the provider of the clue may want to reserve his beneficial rights while keeping his identity secret. To address this problem, inspired by the two notions of the ring signature and the authenticated encryption signature, we propose a new type of authenticated encryption scheme, which we call the ring authenticated encryption scheme, which can enable any member of a group of persons to provide a clue to some designated recipient wisely.
... A noticeable property of the Wu-Hsu scheme is that the signature conversion steps are computation-free, i.e., an originally signed signature would be acquired within the ciphertext decryption procedure. Next, Huang and Chang [13] also presented another enhanced scheme. However, Lv et al. [14] specified that the semantic security is not satisfied in both the Huang-Chang and the Wu-Hsu schemes. ...
Article
Full-text available
The Traditional Authenticated Encryption (AE) scheme is a single-user cryptographic mechanism which only enables one designated verifier to authenticate the ciphertext. Although several group-oriented AE variants have also been proposed to eliminate such a limitation, they require shared verification. This motivated us to think of a scenario of three-party communication environments where each party runs independent processes without cooperation. In this paper, we realize a novel three-party AE (abbreviated to TPAE) scheme in which two designated verifiers can solely decrypt the same ciphertext and then inspect the validity of embedded signature. Additionally, we also show that our TPAE construction is computationally secure using the well-defined IND-CCA2 and the EF-CMA adversary games in the proof model of random oracles. The comparison results will demonstrate the computational efficiency of our mechanism.
... Araki et al.'s scheme [16] requires the sender to cooperatively perform the arbitration process with the recipient, which incurs extra computational burdens. Wu and Hsu [17] and Huang and Chang [18] further incorporated the functionality of signature conversion into AE schemes, which could be viewed as ideal methods. Yet, Lv et al. [19] found that both of their protocols fail to satisfy semantic security. ...
Article
Full-text available
Nowadays there are many social networking services supporting three-party communication such as Skype, Line, and Facebook Messenger. To ensure the message security, a cryptographic encryption scheme is a commonly adopted measure. However, the traditional asymmetric encryption only allows one designated recipient to decrypt the ciphertext with his/her private key. It is thus difficult for two parties to share the same ciphertext without exposing their private keys. In this paper, the author comes up with a novel dual authenticated encryption (DAE) scheme designed for three-party communication environments. Specifically, a DAE scheme enables a party to generate a single ciphertext that could be solely decrypted by the other two participants without sharing their private keys. It is also formally shown that the proposed scheme achieves the crucial security properties using the random oracle proof model.
... During this process, the recipient can easily produce the ordinary signature without the cooperation of the signer, and if the signer repudiates his signature, the recipient can reveal the converted signature so that any verifier can prove the dishonesty of the signer. Recently, Huang et al. [8] showed that the scheme of Wu et al. does not consider that once an intruder knows the message, he can also easily convert a signature into an ordinary one, and they proposed a new convertible authenticated encryption scheme to overcome this weakness. However, we find that neither of these two schemes can provide semantic security for the message, since any adversary can determine whether his guessed message is the actual message signed by the original signer once he obtains a valid signature. ...
Article
Full-text available
By combining the two notions of ring signature and authenticated encryption together, we introduce a new type of authenticated encryption signature, called ring authenticated encryption, which has the following properties: signer-ambiguity, signer-verifiability, recipient-designation, semantic-security, verification-convertibility, verification-dependence and recipient-ambiguity. We also give a variant that does not hold the property of recipient-ambiguity but can make a verifier know to whom a signature is sent when he checks its validity. Horster et al. (7) first proposed an authenticated encryption scheme modified from the Nyberg-Rueppel message recovery signature (12), which aimed to achieve the purpose that the signature can only be verified by some specified recipients while keeping the message secret from the public. Compared with the straightforward approach employing separate encryption and signature schemes for a message, authenticated encryption schemes require smaller communication bandwidth to achieve privacy, integrity and authentication of information. However, Horster et al.'s authenticated encryption scheme has a weakness: no one except the specified recipient can be convinced of the signer's signature, so the recipient cannot prove the dishonesty of the signer to any verifier without releasing his secret if the signer repudiates his signature. To protect the recipient in case the signer repudiates his signature, Araki et al. (2) proposed a convertible limited verifier scheme to enable the recipient to convert the signature to an ordinary one so that any verifier can verify its validity. But it needs the cooperation of the signer when the recipient converts the signature, which is obviously a weakness in situations where the signer is unwilling to cooperate. To overcome this weakness, Wu et al. (15) proposed another convertible authenticated encryption scheme.
During this process, the recipient can easily produce the ordinary signature without the cooperation of the signer, and if the signer repudiates his signature, the recipient can reveal the converted signature so that any verifier can prove the dishonesty of the signer. Recently, Huang et al. (8) showed that the scheme of Wu et al. does not consider that once an intruder knows the message, he can also easily convert a signature into an ordinary one,
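The two observations repeated throughout the excerpts on this page, Huang and Chang's (anyone who knows the message can convert a Wu-Hsu signature) and Lv et al.'s (an adversary can test a guessed message against the verification equalities, so the message is not semantically secure), share one structural cause: the value the signature commits to is a function of the message alone, so the verification equality can be evaluated by anyone holding a candidate message. The toy scheme below is an added illustration, written for this page; it is not the Wu-Hsu, Huang-Chang or Lv et al. construction, whose equations the page does not reproduce. It is a Schnorr-style authenticated encryption with message recovery over a seeded 64-bit toy group (an assumption made for runnability, not a usable parameter size). With hardened=False the signature commits to r = H(m) mod q, so an eavesdropper can confirm a guessed message and can "convert" with nothing but m. With hardened=True it commits to r = H(m, K) mod q, where K = y_B^k = R^{x_B} is computable only by the signer and the designated recipient; there is nothing for an outsider to test, and conversion means the recipient releases K together with m. The keystream derivation, the message sizes and the party names are toy choices for the example.

```python
import hashlib
import random
import secrets

def _is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24, ample for a 65-bit p."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0: d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits: int = 64, seed: int = 1):
    """Toy Schnorr group, seeded and far too small for real use: safe prime p = 2q + 1, g of order q."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(q) and _is_prime(2 * q + 1):
            break
    p = 2 * q + 1
    return p, q, pow(rng.randrange(2, p - 1), 2, p)  # a quadratic residue other than 1 has order q

def _mask(K: int, data: bytes) -> bytes:
    """Toy encryption: XOR data (at most 32 bytes) with a SHA-256 keystream derived from K."""
    return bytes(x ^ y for x, y in zip(data, hashlib.sha256(b"enc" + str(K).encode()).digest()))

class ToyCAE:
    """hardened=False commits the signature to r = H(m); hardened=True to r = H(m, K), K = y_B^k = R^x_B."""
    def __init__(self, group, hardened: bool):
        self.p, self.q, self.g = group
        self.hardened = hardened

    def keygen(self):
        x = secrets.randbelow(self.q - 1) + 1
        return x, pow(self.g, x, self.p)

    def _bind(self, m: bytes, K) -> int:
        data = len(m).to_bytes(4, "big") + m + (str(K).encode() if self.hardened else b"")
        return int.from_bytes(hashlib.sha256(data).digest(), "big") % self.q

    def _sig_ok(self, y_a: int, R: int, s: int, r: int) -> bool:
        return pow(self.g, s, self.p) * pow(y_a, r, self.p) % self.p == R

    def signcrypt(self, x_a: int, y_b: int, m: bytes):
        """Signer A, for designated recipient B: returns (R, c, s)."""
        k = secrets.randbelow(self.q - 1) + 1
        R, K = pow(self.g, k, self.p), pow(y_b, k, self.p)   # only B can recompute K, as R^x_B
        s = (k - x_a * self._bind(m, K)) % self.q            # so that g^s * y_A^r == R
        return R, _mask(K, m), s

    def unsigncrypt(self, x_b: int, y_a: int, ct):
        """Recipient B recovers m and verifies in one pass: returns (m, K) or None."""
        R, c, s = ct
        K = pow(R, x_b, self.p)
        m = _mask(K, c)
        return (m, K) if self._sig_ok(y_a, R, s, self._bind(m, K)) else None

    def public_verify(self, y_a: int, ct, m: bytes, K=None) -> bool:
        """Third-party check of a converted signature; the hardened variant needs K as well as m."""
        R, c, s = ct
        if self.hardened and (K is None or _mask(K, m) != c):
            return False
        return self._sig_ok(y_a, R, s, self._bind(m, K))

    def outsider_guess(self, y_a: int, ct, guess: bytes):
        # Eavesdropper's message test; with hardened=True r needs K, which c reveals only one-way.
        return None if self.hardened else self.public_verify(y_a, ct, guess)

def demo() -> dict:
    group, m, wrong = make_group(), b"pay Bob 100", b"pay Bob 999"
    out = {}
    for hardened in (False, True):
        cae = ToyCAE(group, hardened)
        x_a, y_a = cae.keygen()   # signer A
        x_b, y_b = cae.keygen()   # designated recipient B
        _, y_c = cae.keygen()     # unrelated party C, to show the signer's key matters
        ct = cae.signcrypt(x_a, y_b, m)
        rec = cae.unsigncrypt(x_b, y_a, ct)
        out[hardened] = {
            "recovered": rec[0] if rec else None,
            "tampered": cae.unsigncrypt(x_b, y_a, (ct[0], bytes([ct[1][0] ^ 1]) + ct[1][1:], ct[2])),
            "guess_right": cae.outsider_guess(y_a, ct, m),
            "guess_wrong": cae.outsider_guess(y_a, ct, wrong),
            "convert_m_only": cae.public_verify(y_a, ct, m),
            "convert_by_recipient": cae.public_verify(y_a, ct, *rec) if rec else None,
            "convert_wrong_signer": cae.public_verify(y_c, ct, *rec) if rec else None,
        }
    return out
```

Two things the output of demo() makes concrete. In the vulnerable variant the eavesdropper's guess test and the third party's conversion check are literally the same computation, which is why "knows the message" and "can convert" coincide in the Huang-Chang observation, and why the same computation breaks semantic security in the sense Lv et al. describe. In the hardened variant the recipient's cooperation is required for conversion because only the recipient can produce the K that closes both the decryption check and the signature equality; the third party never learns x_B, so the converted signature is a statement that A signed the pair (m, K) under y_A, and a claim under a different public key fails. What the toy does not cover is the "to whom was this sent" question raised in the Lv et al. abstract; releasing K tells the third party nothing about B's identity.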
... A problem is that the value of y AB is the crux for some other cryptosystems, such as the strong designated verifier signature (SDVS) of Saeednia et al. [25], and the signcryption scheme of Huang and Cheng [19]. That is, if y AB is available to an adversary those cryptosystems are broken (Check [18] for more discussions on SDVS). ...
Conference Paper
Full-text available
In Eurocrypt 2004, Chen, Kudla and Paterson introduced the concept of concurrent signatures, which allow two parties to produce two ambiguous signatures until the initial signer releases an extra piece of information (called a keystone). Once the keystone is publicly known, both signatures are bound to their true signers concurrently. In ICICS 2004, Susilo, Mu and Zhang further proposed perfect concurrent signatures to strengthen the ambiguity of concurrent signatures. That is, even if both signers are known to have issued one of the two ambiguous signatures, any third party is still unable to deduce who signed which signature, unlike in Chen et al.'s scheme. In this paper, we point out that Susilo et al.'s two perfect concurrent signature schemes are actually not concurrent signatures. Specifically, we identify an attack that enables the initial signer to release a carefully prepared keystone that binds the matching signer's signature, but not the initial signer's. Therefore, their schemes are unfair to the matching signer. Moreover, we present an effective way to avoid this attack so that the improved schemes are truly perfect concurrent signatures. Keywords: concurrent signature, fair exchange, security protocol
... The recipient can easily produce the ordinary signature without the cooperation of the signer, and if the signer wants to repudiate her signature, he can reveal the converted signature and then any verifier can prove the dishonesty of the signer. Unfortunately , Huang and Chang (2003) showed that the Wu et al.'s scheme does not consider the problem that once an intruder knows the message then he can also easily convert a signature into an ordinary one and claim that the signature is sent to him. Finally, they proposed a new convertible authenticated encryption scheme to solve this problem. ...
Article
A convertible authenticated encryption scheme allows a specified recipient to recover and verify a message simultaneously. Moreover, the recipient can prove the dishonesty of the sender to any third party if the sender repudiates her signature later. Recently, Lv et al. (2005) showed that Wu et al.'s (1999) and Huang et al.'s (2003) convertible authenticated encryption schemes cannot provide semantic security of the encrypted messages. They then proposed a practical convertible authenticated encryption scheme using self-certified public keys, and extended it to one with message linkages for the case where the signed message is large. In this paper, we show that the verifier can recover messages if given many triples of message, signature and ciphertext in Lv et al.'s basic convertible authenticated encryption scheme. Finally, we propose a new improvement to these schemes to overcome this weakness and to improve their efficiency.
Article
To address security and privacy issues in messaging services, we present a public key signcryption scheme with designated equality test on ciphertexts (PKS-DET) in this paper. The scheme enables a sender to simultaneously encrypt and sign (signcrypt) messages, and to designate a tester to perform equality test on ciphertexts, i.e., to determine whether two ciphertexts signcrypt the same underlying plaintext message. We introduce the PKS-DET framework, present a concrete construction and formally prove its security against three types of adversaries, representing two security requirements on message confidentiality against outsiders and the designated tester, respectively, and a requirement on message unforgeability against the designated tester. We also present three extensions, analyze the efficiency of our PKS-DET construction and extensions, and compare them with related schemes in terms of ciphertext sizes and computation costs of signcryption (encryption), unsigncryption (decryption) and ciphertext equality testing. Experimental results further confirmed the practicality of our construction.
Article
The convertible authenticated encryption (CAE) scheme enables the signatory to send a secret message and its associated signature to a designated receiver. If a dispute arises, the receiver has the ability to obtain an ordinary signature by converting the ciphertext signature. The receiver can perform this signature conversion alone, without any extra computational cost, and can prove that he/she is the actual designated recipient. We incorporate self-certified public key (SCPK) systems into a CAE scheme to propose a CAE scheme with authentication and computational indistinguishability. Our CAE scheme provides robust security and applies to various online financial applications. The security analysis shows that our CAE scheme satisfies all the security requirements. Moreover, it does not require additional certificate verification, because public key authentication and signature verification can be done in a single logical step. Finally, the performance analysis shows that the presented CAE scheme is more cost-efficient than the existing Wu et al. scheme.
Article
This paper presents a group-oriented proxy convertible multi-authenticated encryption (CMAE) scheme for strengthening the gradually wide applications which have to simultaneously fulfill the security requirements of integrity, authentication, confidentiality and non-repudiation. The proposed scheme allows a group of original signers to delegate their signing power to an authorized person called proxy signer, such that the proxy signer can generate an authenticated ciphertext on behalf of the original group. Instead of anyone else, only a designated recipient can decrypt the ciphertext and verify its corresponding signature for the purpose of confidentiality. In case of a later dispute over repudiation, the designated recipient also has the ability to convert the multi-signature into an ordinary one for convincing anyone of the signer's dishonesty. Moreover, the computational secrecy ensures that the produced ciphertext is computationally indistinguishable with respect to two candidate messages.
Conference Paper
An authenticated encryption scheme allows a designated recipient to recover the message and then verify its authenticity while keeping the message secret from the public, and a convertible authenticated encryption scheme enables the recipient to convert the signature into an ordinary one so that any third party can verify its validity. The paper shows a weakness in Chien's [3] convertible authenticated encryption scheme; then, based solely on the discrete logarithm problem, we propose a novel convertible authenticated encryption scheme without hash functions and extend it to a (t, n) threshold scheme. The proposed schemes have the following characteristics. Each scheme provides semantic security of the message: after obtaining a valid signature, an adversary cannot determine whether his guessed message is the actual message signed by the sender by checking whether it satisfies the verification equalities. If the signer repudiates her signature, the recipient can prove the dishonesty of the signer to any third party, without the cooperation of the signer, by revealing the message and its converted signature. If the recipient does not reveal the converted signature, no third party can check the validity of the message even if he obtains the message and its corresponding signature. There are no hash functions in the proposed convertible authenticated encryption schemes.
Article
Convertible authenticated encryption schemes allow a signer to produce an authenticated ciphertext and only a designated recipient can verify its signature. Such schemes also provide an additional signature conversion mechanism to convince anyone of signer’s dishonesty when a later dispute occurs. Proxy signature schemes allow an authorized proxy signer to generate proxy signatures on behalf of the original signer according to the predefined signing policy. In this paper, we elaborate on the merits of both systems to propose the first novel Revocable Proxy Convertible Authenticated Encryption (RPCAE) scheme for confidential applications with proxy delegation. The revocation protocol is rather simple and incurs no extra computational efforts. Moreover, the IND-CCA2 and the EF-CMA security for the proposed scheme are also formally proved.
Article
A multi-authenticated encryption scheme is a message transmission scheme, which sends a message in a secure and authentic way, and allows a group of signers to cooperatively produce a valid authenticated ciphertext so that only the specific recipient can recover the message and verify the signature. Recently, Wu et al. proposed a convertible multi-authenticated encryption scheme and claimed that the scheme was secure. In this paper, we show that Wu et al.'s scheme is not secure against rogue-key attacks. To overcome such an attack, we give an improved multi-authenticated encryption scheme by including two hash functions. Our improved scheme has the same efficiency as Wu et al.'s scheme.
Article
With the diversity of business transactions, new application requirements will emerge. Many confidential transactions, such as online auctions and bank savings withdrawals, sometimes might be conducted by an authorized proxy. In this paper, we propose a bilinear pairing-based proxy convertible authenticated encryption scheme. The proposed scheme allows the delegated proxy signer to generate an authenticated ciphertext on behalf of the original signer while only the designated recipient is able to decrypt the ciphertext and verify the proxy signature. To benefit the encryption of a large message, we further present another variant with message linkages. Both schemes are publicly verifiable, that is, the designated recipient can convert the ciphertext into an ordinary proxy signature for public verification. In addition, the security requirement of confidentiality against indistinguishability under adaptive chosen-ciphertext attacks and that of unforgeability against existential forgery under adaptive chosen-message attacks are proved in random oracle models. Copyright © 2011 John Wiley & Sons, Ltd.
Conference Paper
By integrating self-certified public-key systems and the designated verifier proxy signature with message recovery, Wu and Lin proposed the first self-certified proxy convertible authenticated encryption (SP-CAE) scheme and its variants based on the discrete logarithm problem (DLP) in 2009. Though their schemes are claimed to be provably secure, we demonstrate that their schemes are existentially forgeable under adaptive chosen warrants, and unconfidentiable and verifiable under adaptive chosen messages and designated verifiers. Then we propose a provably secure SP-CAE scheme in the random oracle model.
Article
In 2009, Wu and Lin introduced the concept of self-certified proxy convertible authenticated encryption (SP-CAE) by integrating the self-certified public-key system and the designated verifier proxy signature with message recovery. They also presented the first SP-CAE scheme, which is based on the discrete logarithm problem. However, the Wu-Lin scheme is not secure, as Xie et al. recently showed that this scheme is existentially forgeable under adaptive chosen warrants, and unconfidentiable and verifiable under adaptive chosen messages and designated verifiers. In this paper, we first discuss the security requirements of SP-CAE and then formally define unforgeability, message confidentiality, and unverifiability. Consequently, the first complete formal model of SP-CAE is proposed. After that, we propose a provably secure SP-CAE scheme by using the two-party Schnorr signature introduced by Nicolosi et al. in 2003. Finally, we prove the formal security of the proposed scheme in the random oracle model under the discrete logarithm assumption. Copyright © 2013 John Wiley & Sons, Ltd.
Article
In 2009, Tsai proposed an efficient convertible multi-authenticated encryption (CMAE) scheme. However, the author shows that his scheme is distinguishable under adaptive chosen-message attack, and that the designated verifier can generate the signature of the same message for other verifiers. Since no formal model of CMAE has been presented in the literature, the author presents the first complete formal model of CMAE. Then, a new scheme is proposed. The proposed scheme is provably secure in the random oracle model.
Article
A convertible multi-authenticated encryption (CMAE) scheme providing confidentiality, authenticity and non-repudiation properties allows a designated recipient to recover and verify an authenticated message which is signed by multiple signers. The recipient has the ability to further prove the dishonesty of signers to any third party if they repudiate their signature later. In 2008, Wu et al. first proposed a CMAE scheme based on discrete logarithms, but the computational complexity of their scheme is rather high and message redundancy is required. To improve the performance and remove the message redundancy, Tsai adopted one-way hash functions (such as MD5) to propose a new scheme. In 2005, however, MD5 was cracked by Wang and Yu, which indicates that the schemes using one-way hash functions might turn out to be vulnerable to such an attack. This paper proposes a new efficient CMAE scheme. Neither the one-way hash function nor the message redundancy is employed in the proposed scheme. The scheme not only preserves the advantages of Wu et al.'s, but also outperforms their scheme. With low computational cost, our proposed scheme can be practically implemented.
Article
In 1993 Nyberg and Rueppel proposed an authenticated encryption scheme (AES) based on the DSA algorithm that reduces the computation time and communication costs for authenticated message transmission. Motivated by this, several researchers developed further AES approaches. However, when a dispute occurs between the sender and recipient, there is no mechanism for verification by a third party. To address this problem, in 2002 Wu and Hsu added an additional requirement of convertibility. However, to date there has been no scheme that satisfies all the properties of an ideal AES. In this paper, we propose a scheme that satisfies all the properties of an ideal AES.
Article
In 2008, Wu et al. proposed a convertible multi-authenticated encryption (CMAE) scheme based on discrete logarithms. To improve the computational efficiency of Wu et al.’s scheme, Tsai proposed another CMAE scheme without using message redundancy. These CMAE schemes, however, might be inadequate for group-oriented applications. In the same year, Chang presented a CMAE scheme using message redundancy for group communications [published in Information Sciences 178 (17) (2008) 3426–3434]. In his scheme, multiple signers of the same group can cooperate with each other to generate a valid authenticated encryption signature for a designated verifying group with access structured multiple verifiers. In this paper, we propose a new convertible multi-authenticated encryption scheme without using message redundancy for generalized group communications. Multiple signers of the signing group can cooperate with each other to generate a valid authenticated encryption signature for a verifying group with access structured multiple verifiers. The verifiers in the same access structure can cooperatively recover and verify the signing group’s signature. In case of a later dispute, any participant verifier can convert the authenticated encryption signature into an ordinary one. As compared with previous works, our proposed scheme is more efficient in terms of computational efforts and communication overheads.
Article
Authenticated encryption schemes can be used to provide integration, authentication, and non-repudiation for the signed message while keeping the message secret from the public. In this paper, we propose a new (t, n) threshold proxy authenticated encryption scheme, in which at least t out of n proxy signers delegated by the original signer can sign messages on behalf of the original signer. This scheme not only has advantages such as unforgeability, non-repudiation and secrecy, but also provides flexibility. We can announce the parameters to change the threshold value t. Once the combined proxy signers of threshold value t and the announced parameters can generate a legal proxy signature, this result enables the security to increase or reduce the threshold value flexibly. Therefore, the scheme in this paper provides an easy and convenient way to delegate the power of digitally signing messages.
Article
To send the message to the recipient securely, authenticated encryption schemes were proposed. In 2008, Wu et al. [T.S. Wu, C.L. Hsu, K.Y. Tsai, H.Y. Lin, T.C. Wu, Convertible multi-authenticated encryption scheme, Information Sciences 178 (1) 256–263.] first proposed a convertible multi-authenticated encryption scheme based on discrete logarithms. However, the author finds that the computational complexity of this scheme is rather high and the message redundancy is used. To improve the computational efficiency and remove the message redundancy, the author proposes a new convertible multi-authenticated encryption scheme based on the intractability of one-way hash functions and discrete logarithms. As for efficiency, the computation cost of the proposed scheme is smaller than Wu et al.’s scheme.
Conference Paper
A proxy convertible authenticated encryption (CAE) scheme allows an original signer to delegate his signing power to a proxy signer such that the proxy signer can generate an authenticated ciphertext on behalf of the original signer. The generated authenticated ciphertext can only be decrypted and verified by the specific recipient instead of everyone else for the purpose of confidentiality. Integrating with self-certified public key systems, the proposed scheme can save more communication overheads and computation efforts, since it is not necessary to transmit and verify the public key certificate. That is, authenticating the public key can be combined with subsequent cryptographic operations such as the signature verification. In case of a later repudiation, the specific recipient has the ability to convert the signature into an ordinary one for convincing anyone of the signer's dishonesty.
Conference Paper
In 1994, Horster et al. first proposed an authenticated encryption scheme in which the signature can only be verified by the specified recipient while keeping the message secret from the public. Since then, several researchers have proposed authenticated encryption schemes in which the recipient can convert the signature into an ordinary one for public verifiability. However, none of these schemes considers that once the attacker knows the message, he can also easily convert that signature into an ordinary signature. In this paper, we first propose a new authenticated encryption scheme which prevents such an attack. We then propose the same scheme in ad-hoc groups based on the proposed authenticated encryption scheme.
Article
Multi-authenticated encryption is an important message transmission technique, which can send a message in a secure and authentic way, and allows a group of signers to cooperatively produce a valid authenticated ciphertext so that only the specific recipient can recover the message and verify the signature. In 2008, Wu et al. proposed a convertible multi-authenticated encryption scheme. However, Tsai et al. showed that the computational complexity of this scheme is rather high and message redundancy is used. To improve the computational efficiency and remove the message redundancy, they proposed a new convertible multi-authenticated encryption scheme based on the intractability of one-way hash functions and discrete logarithms. In this paper, we show that Tsai et al.'s scheme is not secure against rogue-key attacks. To overcome such an attack, we give an improved multi-authenticated encryption scheme by including two hash functions. Our improved scheme has the same efficiency as Tsai et al.'s scheme.
Article
The digital signature technique is a popular research branch in the field of contemporary cryptography because of its popularity in both economic and official applications. As more and more information gets processed digitally, digital signatures come to play a more and more important role. The prevention of signature repudiation is therefore a basic requirement that digital signature techniques must live up to. However, in some signature schemes, the validity of the signature is confirmed through some extra parameters or by certain trusted third parties. In 1999, Araki et al. proposed a scheme known for being convertible. In their scheme, certain verifiers can examine the signature without the help of the signers. Since then, many researchers have been devoted to the research and development of schemes with such a property. In this paper, we shall propose a new convertible group signature scheme. Our new scheme is based on two assumptions: the complexity of the discrete logarithm problem and the non-reversibility of the one-way hash function. In our discussion section later, we shall consider some possible attacks and prove that our new scheme is able to survive them. In addition, the special strength of our scheme is its efficient verification mechanism.
Article
Elaborating on the merits of proxy signature schemes and convertible authenticated encryption (CAE) schemes, we adopt self-certified public key systems to construct efficient proxy CAE schemes enabling an authorized proxy signer to generate an authenticated ciphertext on behalf of the original signer. To satisfy the requirement of confidentiality, only the designated recipient is capable of decrypting the ciphertext and verifying the proxy signature. A significant advantage of the proposed schemes is that the proxy signature conversion process takes no extra cost, i.e., when a later dispute over repudiation occurs, the designated recipient can easily reveal the ordinary proxy signature for public arbitration. If needed, the designated recipient can also convince anyone that he is the real recipient. In addition, by integrating with self-certified public key systems, our schemes can earn more computational efficiency, since authenticating the public key and verifying the proxy signature can be simultaneously carried out in one step.
Article
Convertible authenticated encryption (CAE) schemes allow a signer to produce an authenticated ciphertext such that only a designated recipient can decrypt it and verify the recovered signature. The conversion property further enables the designated recipient to reveal an ordinary signature for dealing with a later dispute over repudiation. Based on the ElGamal cryptosystem, in 2009, Lee et al. proposed a CAE scheme with only heuristic security analyses. In this paper, we will demonstrate that their scheme is vulnerable to the chosen-plaintext attack and then further propose an improved variant. Additionally, in the random oracle model, we prove that the improved scheme achieves confidentiality against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) and unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA).
Article
A convertible authenticated encryption scheme allows a designated recipient to retrieve an authenticated ciphertext and convert the authenticated ciphertext into an ordinary signature. Recently, Lee, Hwang, and Tzeng proposed a new convertible authenticated encryption scheme based on the ElGamal cryptosystem. In this paper, we show that the Lee-Hwang-Tzeng scheme is not secure against chosen plaintext attacks. In addition, we give a solution to repair it.
Conference Paper
An authenticated encryption scheme is a message transmission scheme, which can send a message in a secure and authentic way, and allows the specified recipient to simultaneously recover and verify the validity of a message. In large message transmission, traditional authenticated encryption schemes have the disadvantage that the communication overheads and the computation costs are too high. In this work, we propose a secure authenticated encryption scheme and show that the scheme is secure in the random oracle model. Compared with Wu-Hsu's scheme and Huang-Chang's scheme, the proposed scheme is more efficient in computation complexity and communication cost. Finally, we extend our proposed scheme to adapt to authenticated encryption for a large message, which is secure against the message blocks being reordered, replicated or partially deleted during transmission.
Conference Paper
We present an efficient interactive identification scheme and a related signature scheme that are based on discrete logarithms and which are particularly suited for smart cards. Previous cryptoschemes, based on the discrete logarithm, have been proposed by El Gamal (1985), Chaum, Evertse, Graaf (1988), Beth (1988) and Günther (1989). The new scheme comprises the following novel features.
Article
The digital signature provides the functions of integration, authentication, and non-repudiation for the signed message. In some applications, however, the signature only needs to be verified by some specified recipients while keeping the message secret from the public. Authenticated encryption schemes can be used to achieve this purpose. To protect the recipient's benefit in the case of a later dispute, we should further enable the recipient to convert the signature into an ordinary one that can be verified by anyone. Recently, Araki et al. proposed a convertible limited verifier scheme to resolve the problem. Their scheme equips the recipient with the ability to convert the signature into an ordinary one. However, the conversion requires the cooperation of the signer. In this paper, we propose a convertible authenticated encryption scheme that can easily produce the ordinary signature without the cooperation of the signer. Further, the proposed scheme is more efficient than Araki et al.'s in terms of computation complexity and communication costs.
Conference Paper
The new signature scheme presented by the authors in [13] is the first signature scheme based on the discrete logarithm problem that gives message recovery. The purpose of this paper is to show that the message recovery feature is independent of the choice of the signature equation and that all ElGamal-type schemes have variants giving message recovery. For each of the six basic ElGamal-type signature equations five variants are presented with different properties regarding message recovery, length of commitment and strong equivalence. Moreover, the six basic signature schemes have different properties regarding security and implementation. It turns out that the scheme proposed in [13] is the only inversionless scheme, whereas the message recovery variant of the DSA requires computing inverses in both generation and verification of signatures. In general, message recovery variants can be given for ElGamal-type signature schemes over any group with a large cyclic subgroup, such as the multiplicative group of GF(2^n) or an elliptic curve over a finite field. The present paper also shows how to integrate the DLP-based message recovery schemes with secret session key establishment and ElGamal encryption. In particular, it is shown that with DLP-based schemes the same functionality as with RSA can be obtained. However, the schemes are not as elegant as RSA in the sense that the signature (verification) function cannot at the same time be used as the decipherment (encipherment) function.
Article
A possible application of the Nyberg-Rueppel digital signature scheme is authenticated encryption. The authors present schemes in which the communication costs are low in comparison to the basic scheme and which can be constructed from the Nyberg-Rueppel digital signature scheme.
Article
In 1997, two new schemes for authenticated encryption, called signcryption, were proposed by Zheng. In this paper, the authors point out a serious problem with these schemes. In fact, the way to gain non-repudiation violates the confidentiality. The authors compare the schemes to previously known authenticated encryption schemes which were not mentioned by Zheng. Finally, the authors outline a solution that helps to overcome the problem.
Article
A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.
Article
Introduction. In ordinary digital signature schemes, anyone can verify signatures with the signer's public key. However, it is not necessary for anyone to be convinced of the justness of a signer's dishonorable message, such as a bill. It is enough for a receiver only to prove the justness of the signature if the signer does not execute a contract. Undeniable signature schemes [2] or the limited verifier signature scheme [9] include such protocols, in which only a limited verifier can be convinced. Our typical application of the limited verifier signature scheme is the case where a receiver is a credit company and a signer is a user. The credit company will try to keep the user's privacy in order to get the user's ..., provided a user executes the contract. In such a situation, our limited verifier signature scheme will be shown to be more efficient than the undeniable signature schemes with respect to computational cost. There exist messages, such as official documents, which will first be treated as limited verifier signatures but after a few years as ordinary digital ...
Article
Signcryption is a new paradigm in public key cryptography that simultaneously fulfills both the functions of digital signature and public key encryption in a logically single step, and with a cost significantly lower than that required by the traditional "signature followed by encryption" approach. This paper summarizes currently known construction methods for signcryption, carries out a comprehensive comparison between signcryption and "signature followed by encryption", and suggests a number of applications of signcryption in the search of efficient security solutions based on public key cryptography. Keywords: Authentication, Digital Signature, Encryption, Key Distribution, Secure Message Delivery/Storage, Public Key Cryptography, Security, Signcryption. 1 Introduction. To avoid forgery and ensure confidentiality of the contents of a letter, for centuries it has been a common practice for the originator of the letter to sign his/her name on it and then seal it in an envelope, bef...
Convertible Limited Verifier Signature Based on Horster’s Authenticated Encryption
  • S Araki
  • S Uehara
  • K Imamura
The Limited Verifier Signature and Its Application
  • S Araki
  • S Uehara
  • K Imamura