Securing messaging services through efficient signcryption with designated equality test

(1)

Singapore Management University

Institutional Knowledge at Singapore Management University

Research Collection School Of Information Systems

School of Information Systems

7-2019

Securing messaging services through efficient

signcryption with designated equality test

Yujue WANG

Guilin University of Electronic Technology

Hwee Hwa PANG

Singapore Management University, [email protected]

Robert H. DENG

Singapore Management University, [email protected]

Yong DING

Guilin University of Electronic Technology

Qianhong WU

Beijing University of Aeronautics and Astronautics (Beihang University)

See next page for additional authors

DOI:

https://doi.org/10.1016/j.ins.2019.03.039

Follow this and additional works at:

https://ink.library.smu.edu.sg/sis_research

Part of the

Databases and Information Systems Commons

, and the

Information Security

Commons

This Journal Article is brought to you for free and open access by the School of Information Systems at Institutional Knowledge at Singapore Management University. It has been accepted for inclusion in Research Collection School Of Information Systems by an authorized administrator of Institutional Knowledge at Singapore Management University. For more information, please [email protected].

Citation

WANG, Yujue; PANG, Hwee Hwa; DENG, Robert H.; DING, Yong; WU, Qianhong; and QIN, Bo. Securing messaging services

through efficient signcryption with designated equality test. (2019). Information Sciences. 490, 145-165. Research Collection School

Of Information Systems.

(2)

Yujue WANG, Hwee Hwa PANG, Robert H. DENG, Yong DING, Qianhong WU, and Bo QIN

This journal article is available at Institutional Knowledge at Singapore Management University:

https://ink.library.smu.edu.sg/

sis_research/4349

(3)

Singapore Management University

Institutional Knowledge at Singapore Management University

Research Collection School Of Information Systems

School of Information Systems

7-2019

Securing messaging services through efficient

signcryption with designated equality test

Yujue WANG

Hwee Hwa PANG

Singapore Management University, [email protected]

Robert H. DENG

Singapore Management University, [email protected]

Yong DING

Qianhong WU

See next page for additional authors

DOI:

https://doi.org/10.1016/j.ins.2019.03.039

Follow this and additional works at:

https://ink.library.smu.edu.sg/sis_research

Part of the

Data Storage Systems Commons

This Journal Article is brought to you for free and open access by the School of Information Systems at Institutional Knowledge at Singapore Management University. It has been accepted for inclusion in Research Collection School Of Information Systems by an authorized administrator of Institutional Knowledge at Singapore Management University. For more information, please [email protected].

Citation

WANG, Yujue; PANG, Hwee Hwa; DENG, Robert H.; DING, Yong; WU, Qianhong; and QIN, Bo. Securing messaging services

through efficient signcryption with designated equality test. (2019). Information Sciences. 490, 145-165. Research Collection School

Of Information Systems.

(4)

Yujue WANG, Hwee Hwa PANG, Robert H. DENG, Yong DING, Qianhong WU, and Bo QIN

This journal article is available at Institutional Knowledge at Singapore Management University:

https://ink.library.smu.edu.sg/

sis_research/4349

(5)

ContentslistsavailableatScienceDirect

Information

Sciences

journalhomepage:www.elsevier.com/locate/ins

Securing

messaging

services

through

eﬃcient

signcryption

with

designated

equality

test

Yujue

Wang

a,b

_,

_HweeHwa

_Pang

c

_,

_Robert

_H.

_Deng

c

_,

_Yong

_Ding

a,d,∗

_,

Qianhong

Wu

e,f

_,

_Bo

_Qin

g

a Guangxi Key Laboratory of Cryptography and Information Security, Guilin University of Electronic Technology, Guilin 541004, China b State Key Laboratory of Cryptology, P. O. Box 5159, Beijing 100878, China

c School of Information Systems, Singapore Management University, 188065, Singapore d Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen 518055, China e School of Electronic and Cyber Science and Technology, Beihang University, Beijing 100191, China

f State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 10 0 093, China g School of Information, Renmin University of China, Beijing 100872, China

a

r

t

i

c

l

e

i

n

f

o

Article history: Received 27 March 2018 Revised 17 February 2019 Accepted 19 March 2019 Available online 22 March 2019

Keywords: Messaging system Encryption Conﬁdentiality Authentication Signcryption

Equality test on ciphertexts Equijoin

Data outsourcing

a

b

s

t

r

a

c

t

Toaddresssecurityandprivacyissuesinmessagingservices,wepresentapublickey sign-cryption schemewithdesignated equality teston ciphertexts(PKS-DET)in thispaper. The schemeenablesasendertosimultaneouslyencryptandsign(signcrypt)messages,andto designateatestertoperformequalitytestonciphertexts,i.e.,todeterminewhethertwo ciphertexts signcryptthesameunderlyingplaintextmessage.We introducethePKS-DET framework,presentaconcreteconstructionand formallyproveitssecurityagainst three typesof adversaries,representingtwo securityrequirementsonmessageconfidentiality against outsidersand thedesignatedtester, respectively,and arequirementonmessage unforgeabilityagainstthedesignatedtester.Wealsopresentthreeextensions,analyzethe efficiency ofour PKS-DETconstruction and extensions, and compare them withrelated schemesintermsofciphertextsizesandcomputationcostsofsigncryption(encryption), unsigncryption(decryption)and ciphertextequality testing.Experimentalresults further confirmedthepracticalityofourconstruction.

1. Introduction

Withincreased businessand consumerawareness ofdata securityandprivacy, popular messagingservices havebuilt end-to-endencryptionintotheirplatformsinrecentyears.Yet,thisprivacyprotectioncanandhasbeenabused,for exam-plefororganizingcoordinatedattacksorspreadingfakenews.Consequently,theregulatoryframeworkofmanyjurisdictions mandatesa businessorindividual toreleaseprotectedmessagestolawenforcement,on thegroundofnational/social in-terests oreﬃcient operation ofgovernment functions. It would be desirable fora securemessaging platform to balance betweenprivacyprotection andlawenforcement,bymaking thefollowing provisionsbesidesprivacyandauthentication:

∗ _{Corresponding author at: Guangxi Key Laboratory of Cryptography and Information Security, Guilin University of Electronic Technology, Guilin 541004,}

China.

E-mail address: [email protected] (Y. Ding).

https://doi.org/10.1016/j.ins.2019.03.039

Published in Information Sciences, Vol 490, July 2019, Pages 145–165 DOI 10.1016/j.ins.2019.03.039

(6)

Fig. 1. Secure messaging system.

(a)Foruserstodiscloseonlyrequisitionedmessagestolawenforcementwithoutcompromisingothermessages,aswellas (b)forlawenforcementtotrackthecommunicationpatternsofencryptedmessagesthatarebeingmonitored.

Tothebestofourknowledge,thereisnoexistingsolutionthatsatisﬁesalltheaboverequirements.Publickey signcryp-tion (PKS)schemes [52] concurrently sign andencrypt messages, thus providing dataconﬁdentiality andauthentication; however,they donot supportequalitytestonciphertextsbyathirdparty.Ontheotherhand,existingpublickey encryp-tionschemeswithequalitytestonciphertexts(PKEET)[26,31,32,43,46,47,50]donotsupportdataauthentication.

1.1. Contributions

Inthispaper,wepresentapublickeysigncryptionschemewithdesignatedequalitytestonciphertexts(PKS-DET),inwhich asender can signcrypt(i.e., simultaneouslyencrypt andsign)messages, andallowa designated testerto performone or bothofthefollowingfunctions(seeFig.1):

• Verifythat aplaintextmessagesurrenderedby auserindeedcorrespondstoaspeciﬁcciphertext.Withthisfunction,a useronlyneedstosurrendertherequisitionedplaintextmessagesandlawenforcementcanverifythatthemessagesare genuine; theuserdoesnot needtograntanyoneaccesstohermessagingdevice nordiscloseherdecryptionkey, thus keepingherremainingmessagesprotected.

• Test the equalityof two ciphertexts, i.e., determine whethertwo ciphertexts signcrypt the same underlyingplaintext message.Inasecuremessagingservice,thesamemessagecouldbeforwardedfromusertouser,orausercouldretweet amessagetoherfriends.Theforwardedmessageorretweetwouldgetre-encryptedtoadifferentciphertexteachtime. The abilityto comparetheplaintext messages behindtwo ciphertexts, withoutdecrypting them,enables law enforce-menttomonitortraﬃcpatternstoisolatemessagesthatmaywarrantfurtherinvestigation.Notethatinadata outsourc-ingscenario,thisfunctionalitycanalsobedelegatedtoaremoteserver,sothattheservercouldexecuteadeduplication procedureonoutsourcedencrypteddatatosavestoragespace.

OurnotionofPKS-DETcombinesthefunctionalitiesofPKSandPKEET.PKS-DETallowsasendertogenerateaciphertext thatsimultaneously encryptsandsignsa message,whiledesignatinga tester toperform equalityteston ciphertexts,i.e., test the equality ofthe underlyingplaintext messages of two ciphertexts. We formulate the security model of PKS-DET againstthreetypesofadversaries,representingtwosecurityrequirementsonmessageconfidentialityandarequirementon messageunforgeability.Specifically,thetwomessageconfidentialityrequirementsareIND-CCA2securityagainstanoutsider andOW-CCA2security againstthe designatedtester, respectively, andthe messageunforgeability requirementisEU-CMA securityagainstthedesignatedtester.

Wepresent a concretePKS-DET construction onbilinear groups, whichenables a designatedtester to perform equal-itytest on ciphertextsassociated witharbitrarysender andrecipient pairs. Moreover, thedesignated tester can match a surrenderedplaintextmessageagainst aciphertextwithoutresortingtounsigncryption (whichhastheundesirable conse-quenceofallowingthetestertounsigncryptarbitraryciphertexts),orsequentiallysigncryptingthemessageandtestingthe equalityofciphertextswhichisinefficient(asshowninourexperimentsinSection4.4,directplaintext-ciphertext match-ingrequiresonly12 msec,comparedwith17msec forsigncryption plus18msec forciphertext-ciphertextmatching). We thenextend ourPKS-DETconstruction to supportlonger andshortermessages, andtoallow moreflexible delegation on ciphertextequalitytest. Thesecurityofourconstructionisprovedagainst thethreetypesofadversariesasdefinedinour securityframework inthe random oracle model.Theoretical comparisonwithrelatedschemes andexperimental analysis demonstratethatourconstructionispracticalinapplications.

(7)

Table 1

Property comparison with existing encryption schemes supporting equality test on ciphertexts.

Scheme Conﬁdentiality Authentication Token

Outsider Tester (Prior to Aut) Tester (After Aut)

Yang et al. [50] – – OW-CCA2 ✗ –

Tang [41] IND-CCA2 IND-CCA2 OW-CCA2 ✗ Required

Tang [43] IND-CCA2 IND-CCA2 OW-CCA2 ✗ Required

Lee et al. [25] IND-CCA2 IND-CCA2 OW-CCA2 ✗ Required

Lee et al. [27] IND-CCA2 IND-CCA2 OW-CCA2 ✗ Required

Ma et al. [31] IND-CCA2 IND-CCA2 OW-CCA2 ✗ Required

Ma [30] IND-CCA2 IND-CCA2 OW-ID-CCA2 ✗ Required

Ma et al. [32] IND-CCA2 IND-CCA2 OW-CCA2 ✗ Required

Wang and Pang [46] IND-CCA2 IND-CCA2 OW-CCA2 ✗ Required

Slamanig et al. [40] IND-CCA2 IND-CCA2 OW-CCA2 ✗ Required

Wang et al. [47] IND-CCA2 IND-CCA2 OW-CCA2 ✗ Required

Pang and Ding [35] IND-CPA IND-CPA OW-CPA ✗ Required

PKS-DET Section 3 IND-CCA2 – OW-CCA2 √ No

Section 4.1 (1) IND-CCA2 – OW-CCA2 √ No

Section 4.1 (2) IND-CCA2 – OW-CCA2 √ No

Section 4.2 IND-CCA2 IND-CCA2 OW-CCA2 √ Required

1.2. Relatedwork

Thenotionofpublickeyencryptionwithequalitytest (PKEET)andaconcreteconstruction onbilinear groupswere in-troducedbyYangetal.[50].PKEETallowsanyonetoverifywhethertwociphertextsencryptthesameplaintext,evenifthey aregeneratedwithdifferentpublickeys.Sincethen,thefunctionalityofauthorized/delegableequalitytestonciphertextshas beenincorporatedintoPKEETschemes[19,31,32,40,41,43],toenableanauthorized/delegatedtestertocompareciphertexts. Notethattheauthorized/delegatedtesterin[19,31,32,43]canbeauthorizedbytwouserstocompareciphertextsfromboth users or ciphertextsfrom one ofthe users. The security properties ofour PKS-DET construction and theexisting PKEET schemes are summarizedin Table 1, where ‘Aut’ denotes the authorization/delegation/designation of testingequality on ciphertexts,whereas‘1’and‘2’denotecase1andcase2ofextensionsofPKS-DETinSection4.1,respectively.

Tangproposed anall-or-nothingPKEET(AoN-PKEET)[43],inwhicha testercan beauthorizedbytwo users,acting in-dependently, to compare their ciphertexts. In [40],Slamanig etal. proposed an AoN-PKEET∗ construction on asymmetric bilineargroupsbasedontheElGamalencryptionscheme[14],whichisaspecialcaseofAoN-PKEET[43] inthatthetester is only able to compare ciphertexts generated with the same public key. The AoN-PKEET∗ construction [40] only offers IND-CPAsecurityforciphertextspriortotheauthorization ofthetester;Table1referstoanenhancedconstructionthatis IND-CCA2secureintherandomoraclemodel,derivedwiththeapproachin[13,33,34].

Ma [30]studied identity-basedencryptionsupporting outsourcedequalityteston ciphertexts(IBEET),whichcombines thefunctionalitiesofPKEETandidentity-basedencryption(IBE).In[25],Leeetal.identifiedaflawintheschemeproposed in[19]andprovidedasolutiontoenhanceitssecurity.Semi-genericconstructionsforPKEETandIBEETweregivenin[26]. Leeetal.[27]presentedageneric PKEETconstructionbasedon2-levelhierarchicalIBEandstronglyunforgeableone-time signaturewithoutusingrandomoracles,andextendedittotheIBEETconstruction.Theyalsonotedin[27,Section6.2]that a PKEET construction can be instantiated from [2]and [5]following their generic framework, which is the construction comparedinTable1.Wangetal.[47]proposed aschemeinType-3bilineargroupsbasedontheElGamalscheme,which guaranteestheconfidentialityofciphertextsaswellastokensinstandardmodel.

PangandDing[35]fortheﬁrsttimestudiedcontrolledequijoininrelationaldatabasesandproposedanIND-CPAsecure construction in symmetric bilinear groups in the secretkey setting. The idea behind[35] is equality test on encrypted ﬁeldsinoutsourcedrecords.In[46],WangandPangpresentedapublickeyencryptionforcontrolledequijoininrelational databases,whichoffers IND-CCA2securityforoutsourcedrecordsbeforethe testergets theauthorization token.Recently, ciphertextcomparabilitywasadoptedin[9,48,49]toaddresstheproblemofdeduplicationonencrypteddata,andin[45]to identifythesameroadconditionreportsinclouds.

To save the costs of separately signing and encrypting a message, Zheng [52] introduced the notion of public key signcryption (PKS). Since then, identity-based signcryption [1,6,7] and (threshold/dynamic) attribute-based signcryption

[12,15,37,38,51],andtheir applications[36],havebeenextensivelystudied.Lietal.[28]presentedaPKSschemewith con-ﬁdentiality,existentialunforgeability andanonymity,andextendedit toaring signcryptionscheme.Huang etal.[20] de-signeda heterogeneoussigncryptionscheme,wherethesenderhasan identity-basedsecretkeywhiletherecipientholds acertiﬁcate-basedkeypair.In[44],Wangetal.analyzedthesecurityoftwosigncryptionschemes[18,23],andfoundthat

[18]cannotprovideconfidentialitywhile[23]doesnotprovideunforgeability,coalition-resistance,andtraceability. Herranzetal.[17]presentedaPKSthatsupports thresholdunsigncryption inamulti-usersetting.Cuietal.[10,11] ad-dressedthesecurityissueregardingrelated-keyattacksinPKS.In[24],Laietal.presentedanonline/offlinePKSschemein therandomoraclemodel,wherethesigncryptionprocedureisdividedintotwophasessuchthatmostcomputationcanbe pre-computedintheofflinephasewithoutknowingtheplaintexttobesigncrypted.Lietal.[29]designedacertificateless

(8)

signcryptionschemetoachieve accesscontrol inindustrialwireless sensornetworks. Karatietal.[21]usedidentity-based signcryptiontosecurecrowdsourcedindustrialIoTdatainclouds.

1.3.Paperorganization

Theremainderofthispaperisorganizedasfollows.InSection 2,we formulatethePKS-DETframeworkandthe corre-spondingsecurity requirements.Wepresenta PKS-DETconstruction andproveits security inSection 3.InSection 4, we describethree extensionsofourPKS-DETconstruction, comparetheir performance withthoseofexisting schemesin the literature,andconductexperimentalanalysis.Finally,Section5concludesthepaper.

2. PKS-DETframeworkandsecuritydeﬁnitions

APKS-DETbasedsecuremessagingsystemshouldsatisfythefollowingrequirements:

• Designatedequalitytest onciphertexts:Onlythedesignated testeris abletocheck whethertwociphertextssigncrypt thesameplaintextmessage.

• Plaintext-ciphertextmatching:Thedesignatedtesterisabletomatchasurrenderedplaintextagainstagivenciphertext withoutunsigncryption.

• Message/ciphertext authentication: Both the recipient and designated tester can verifywhether a given ciphertext is reallyproducedbytheclaimedsender.

• Message conﬁdentiality: Even though the tester is designated to perform equality test on ciphertexts and plaintext-ciphertextmatching,heisunabletoinferunsurrenderedplaintextsfromciphertexts.

2.1. PKS-DETframework

APKS-DETschemeconsistsofthefollowingprocedures:

• Setup

(

1λ

)

→gp:Givenasecurityparameter

λ

,thesystemsetupprocedureproducesaglobalparametergp.

• KeyGens

(

gp

)

→

(

sks,pks

)

:Withtheglobalparametergp,asenderrunsthesenderkeygenerationproceduretoproduce

apairofsecretkeysksandpublickeypks.

• KeyGenr

(

gp

)

→

(

skr,pkr

)

:Withtheglobalparametergp,arecipientrunstherecipientkeygenerationprocedureto

pro-duceapairofsecretkeyskrandpublickeypkr.

• KeyGent

(

gp

)

→

(

skt,pkt

)

:Withtheglobalparametergp,atesterrunsthetesterkeygenerationproceduretoproducea

pairofsecretkeyskt andpublickeypkt.

• Signcrypt

(

gp,pkr,pkt,sks,m

)

→C:Withtheglobalparametergp,therecipient’spublickeypkr,thetester’spublickeypkt

andthesender’ssecretkeysks,thesenderrunsthesigncryptionprocedureonmessagem∈Mtoproduceaciphertext

C.

• Unsigncrypt

(

gp,pks,pkt,skr,C

)

→m/⊥:Withtheglobalparametergp,thesender’spublickeypks,thetester’spublickey

pkt and the recipient’s secret key skr, the recipient runs the unsigncryption procedure on ciphertext C to produce a

messagemor⊥thatsigniﬁesanerrorinunsigncryption.

• PCMatch

(

gp,skt,

(

pks,pkr,C

)

,m

)

→1/0:Withtheglobalparametergpandthetester’ssecretkeyskt,thetesterrunsthe

plaintext-ciphertextmatchingprocedureonaciphertextCalongwithitssenderandrecipient’spublickeyspks,pkr,and

a messagem∈M.The procedureoutputs 1ifthe messagesigncryptedinCis equalto m;otherwise,the procedure outputs0.

• EqTest

(

gp,skt,

(

pks,pkr,C

)

,

(

pks,pkr,C

))

→1/0:Withtheglobalparametergpandthetester’ssecretkeyskt,thetester

runsthe equalitytestprocedure ontwociphertextsC andC along withtheir respectivesenderandrecipient’s public keys pks,pkr,pksandpkr.The procedureoutputs 1ifCandC signcrypt thesamemessage;otherwise,the procedure

outputs0.

APKS-DETschememustbe soundin thesensethat: (1)Everyciphertext generatedbySigncryptisunsigncryptableby Unsigncrypt;(2)Foranypairofciphertextandplaintext,theprocedurePCMatchmustoutput1whentheciphertext sign-cryptsthegivenplaintext; (3)Foranypairofciphertextandplaintext, theprocedurePCMatch must output 0 with over-whelmingprobabilitywhentheciphertextdoesnotsigncryptthegivenplaintext;(4)Foranytwociphertextsthatsigncrypt thesameplaintext,whichmaybegeneratedbydifferentsendersfordifferentrecipientsbutaredesignatedtothesametester toperformciphertextequalitytest,theprocedureEqTestmustoutput1;(5)Foranytwociphertextsthatsigncryptdifferent plaintexts,theprocedureEqTestmustoutput0withoverwhelmingprobability.

Deﬁnition 2.1(Soundness). A PKS-DETscheme issoundif, for anysecurity parameter

λ

∈N,any globalparametergp← Setup

(

λ

)

,anysecret/public keypairs oftwosenders

(

sks,pks

)

←KeyGens

(

gp

)

,

(

sks,pks

)

←KeyGens

(

gp

)

,anysecret/public

key pairs of two recipients

(

skr,pkr

)

←KeyGenr

(

gp

)

,

(

skr,pkr

)

←KeyGenr

(

gp

)

, and any secret/public key pair of tester

(

skt,pkt

)

←KeyGent

(

gp

)

,thefollowingconditionsaresatisﬁed:

(9)

2. For any m_,m_∈_M such that C_←Signcrypt

(

gp,pkr,pkt,sks,m

)

, if m=m, then PCMatch

(

gp,skt,

(

pks,pkr,C

)

,m

)

=1,

otherwisePr[PCMatch

(

gp,skt,

(

pks,pkr,C

)

,m

)

=1]≤

(

λ

)

,where

(·)isanegligiblefunction.

3. Forany m,m∈M such that C←Signcrypt

(

gp,pkr,pkt,sks,m

)

andC←Signcrypt

(

gp,pkr,pkt,sks,m

)

, ifm=m, then

EqTest

(

gp,skt,

(

pks,pkr,C

)

,

(

pks,pkr,C

))

=1, otherwise Pr[EqTest

(

gp,skt,

(

pks,pkr,C

)

,

(

pks,pkr,C

))

=1]≤

(

λ

)

, where

(·)isanegligiblefunction.

2.2. Securitydeﬁnitions

In a messaging system, ciphertexts may be subjected to three types of attacks. First, anyone in the system listening to the communication channel may interceptthe transmitted ciphertextsand try to deduce the corresponding plaintext messages.Second,thelawenforcement(tester)thatismonitoringalltheciphertextsmaytrytoinfertheplaintextmessages ofciphertexts, whichiseasierthanthat intheﬁrstcasesincethe testerhasbeendesignatedto performequalityteston ciphertexts.Third,someonemaytrytoforgeaciphertextofamessage,inabidtogeneratefakenews.

Accordingly,weconsiderthreetypesofadversaries:

• Type-1 adversarymodels a curiousoutsiderwho hasthe globalparameter gpand publickeys pks, pkr andpkt ofthe

sender,recipientandtester,andtriestodistinguishbetweenciphertexts.

• Type-2adversarymodels acurioustester who hasbeendesignatedby thesender. Thetester hastheglobalparameter gp,thepublickeyspks,pkrofthesenderandrecipient,andthetester’ssecret/publickeypair

(

skt,pkt

)

,andtriestoget

theplaintextscorrespondingtosomeciphertexts.

• Type-3adversarymodelsamalicioustesterwhohasbeendesignatedbythesender.Thetesterhastheglobalparameter gp,thepublickeyspks,pkrofsenderandrecipient,andthetester’ssecret/publickeypair

(

skt,pkt

)

,andtriestoforgea

ciphertextforsomemessage.

The firsttwo typesofadversariescapturethe requirementofmessageconfidentiality, whilethethird capturesthe re-quirementofmessage/ciphertextunforgeability.WeformallydefinethesecurityofaPKS-DETschemeinthefollowingthree definitions.

Deﬁnition 2.2 (IND-CCA2security against Type-1adversary). Let

be a PKS-DET scheme. Suppose A isa probabilistic polynomial-time(PPT)adversarywhointeractswithachallenger_{C to}performthefollowingsecuritygame.

Set-up: Challenger C runs the Setup procedure to produce globalparameter gp andderives

(

sks,pks

)

←KeyGens

(

gp

)

,

(

skr,pkr

)

←KeyGenr

(

gp

)

and

(

skt,pkt

)

←KeyGent

(

gp

)

.Theglobalparametergpandpublickeyspks,pkrandpkt aregiven

to_A.

Phase1:Theadversaryisabletoadaptivelyissuetwotypesofqueries.

• Signcryptionquery:Foraqueriedmessagem_∈_M_,thechallengerrunsC_←Signcrypt

(

gp,pkr,pkt,sks,m

)

andreturnsC.

• Unsigncryption query: For a queried ciphertext C, the challenger returns m or ⊥ according to Unsigncrypt

(

gp,pks,pkt,skr,C

)

.

Challenge: AttheendofPhase1,theadversaryrandomly pickstwo messagesm0,m1 ←$ Mwiththesame length,and

sendsthemtoC.Thechallengerchoosesarandomvalued $

←

{

0,1

}

,computesCd←Signcrypt

(

gp,pkr,pkt,sks,md

)

,andgives

Cdtotheadversary.

Phase2:TheadversaryisabletoissuequeriesasinPhase1,exceptthatC_dcannotbesubmittedforunsigncryption.

Guess:AttheendofPhase2,theadversaryoutputsaguessd,andsucceedsinthesecuritygameifd=d.

Let

Advind_,-_Acca2=

Pr[d=d]−1 2

issaidto offerindistinguishabilityunderadaptivechosen ciphertextattack (IND-CCA2)against Type-1adversaryif,for allPPTadversaryA,thereexistsanegligiblefunction

(·)suchthatAdvind_,-_Acca2≤

(

·

)

.

Deﬁnition 2.3(OW-CCA2security against Type-2adversary). Let

bea PKS-DETscheme.Suppose Aisa PPTadversary whointeractswithachallengerC toperformthefollowingsecuritygame.

Set-up:ChallengerC runstheSetupproceduretoproduceglobalparametergpandderives

(

sks,pks

)

←KeyGens

(

gp

)

and

(

skr,pkr

)

←KeyGenr

(

gp

)

. The global parameter gp and public keys pks and pkr are given to A. The adversary runs the

KeyGen_t

(

gp

)

proceduretoobtainakeypair

(

skt,pkt

)

,wherepkt ispublished.

Phase1:Theadversaryisabletoadaptivelyissuetwotypesofqueries.

• Signcryptionquery:Foraqueriedmessagem_∈_M_,thechallengerrunsC_←Signcrypt

(

gp,pkr,pkt,sks,m

)

andreturnsC.

• Unsigncryption query: For a queried ciphertext C, the challenger returns m or ⊥ according to Unsigncrypt

(

gp,pks,pkt,skr,C

)

.

Challenge: At the end of Phase 1, the challenger randomly picks a message m∗ $

← M, computes C∗←Signcrypt

(

gp,pkr,pkt,sks,m∗

)

,andsendsC∗totheadversary.

(10)

Fig. 2. Application of the PKS-DET scheme in securing messaging systems.

Guess:AttheendofPhase2,theadversaryoutputsaguessm,andsucceedsinthesecuritygameifm₌m∗. Let

Advow_,-_Acca2=Pr[m=m∗]

issaidtoofferone-wayconﬁdentialityunderadaptivechosen ciphertextattack (OW-CCA2)againstType-2adversaryif, forallPPTadversaryA,thereexistsanegligiblefunction

(·)suchthatAdvow-cca2

,A ≤

(

·

)

.

Deﬁnition2.4(EU-CMAsecurityagainstType-3adversary). Let

beaPKS-DETscheme.Suppose_AisaPPTadversarywho interactswithachallengerC toperformthefollowingsecuritygame.

Set-up: Challenger C runs the Setup procedure to produce global parameter gp, and derives

(

sks,pks

)

←KeyGens

(

gp

)

and

(

skr,pkr

)

←KeyGenr

(

gp

)

. The global parameter gp and public keys pks and pkr are given to A. The adversary runs

(

skt,pkt

)

←KeyGent

(

gp

)

,wherepkt ispublished.

Queries:Theadversaryisabletoadaptivelyissuethefollowingqueries:

• Signcryptionquery:Foraqueriedmessagemi∈M,thechallengerreturnsCi←Signcrypt

(

gp,pkr,pkt,sks,mi

)

.

• Unsigncryption query: For a queried ciphertext Ci, the challenger returns mi or ⊥ according to

Unsigncrypt

(

gp,pks,pkt,skr,Ci

)

.

Output:Eventually,theadversaryoutputsatuple(m∗,C∗).

Adversary_Awinsthegameifbothofthefollowingconditionsaresatisﬁed: 1.m∗∈

{

mi

}

,thatis,m∗hasnotbeensubmittedinsigncryptionqueries;

2.Unsigncrypt

(

gp,pks,pkt,skr,C∗

)

=m∗.

Let

Adveu_,-_Acma=Pr[Awins]

issaidtoofferexistentialunforgeabilityunderadaptivechosenmessageattack(EU-CMA)againstType-3adversaryif,for allPPTadversary_A_,thereexistsanegligiblefunction

(_·)suchthatAdveu_,-_Acma≤

(

·

)

.

2.3.Applicationinsecuringmessagingsystems

Fig.2showshowPKS-DETcanbeappliedinasecuremessagingsystem.Therearethreetypesofentitiesinthesystem: senders,recipients,andtesters(whichcouldbe lawenforcementagencies).Thereisalsoamanager toinitiatethesystem by issuingglobal parameters, who can be some agency trusted by all systementities. To communicate witha recipient, asender runsthe signcryptionprocedure Signcrypton a messageusing hersecret key, therecipient’s public keyand a tester’spublickey.Thedesignatedtestercollectsciphertextsandtestsiftheycorrespondtothesameplaintextmessageby runningtheEqTestprocedure,withoutadditionalauthorizationfromthesenderorrecipient.Intheeventthatasenderor arecipientisrequiredtosurrenderaplaintextmessagecorrespondingtosomeciphertext,thedesignatedtestercanmatch thetwobyinvokingthePCMatchprocedurewithonlythesenderandrecipient’spublickeys.

2.4.Mathematicalassumptions

LetG1=

g1

,G2=

g2

andGTbecyclicgroupsofprimeorderp,where

gx

denotesthatgx isageneratorofGx

(

x=

1,2

)

.Themappingeˆ:G1× G2→GT isbilinearifthefollowingconditionshold:

• Bilinearity:

∀

u∈G1,v∈G2 anda,b∈Z∗p,eˆ

(

ua,

v

b

)

=eˆ

(

u,

v

)

ab.

• Non-degeneracy:eˆ

(

g1,g2

)

=1.

(11)

Table 2 Notation.

Symbol Meaning

G, G T Cyclic groups with bilinear mapping ˆ e : G × G → G T

p Large prime number, the order of G and G T

g A generator of G

H1 (.), H 2 (.), H 3 (.) One-way, collision-resistant hash functions

xs , X s Secret key and public key of sender

( x r,1 , x r,2 ), ( X r,1 , X r,2 ) Secret key and public key of recipient

xt , X t Secret key and public key of tester

m Message in domain M

C = (c1 , c 2 , c 3 , c 4) Ciphertext of m

α1 , α2 Random elements in Z ∗p

[ x ] l _{Substring with length l that is taken from string x}

PRG Pseudo-random bit generator

Moreover,ifG1=G2,theneˆisaType1(symmetric)bilinearmap;ifG1=G2andthereexistsan eﬃcientlycomputable

homomorphism from G2 to G1,then eˆis a Type 2 (asymmetric) bilinear map; if G1=G2 andthere exists no eﬃciently

computablehomomorphismfromG2 toG1,theneˆisaType3(asymmetric)bilinearmap[16].

OurPKS-DETconstructionreliesonthefollowingcomplexityassumptions.

ComputationalDiﬃe-Hellmanassumption(CDH).LetG=

g

beacyclicgroupwithbilinearmappingeˆ:G× G→GT,where

GandGThaveprimeorderp.Givenatuple(g,ga,gb)forrandomvaluesa,b∈RZ∗p,anyPPTalgorithmE wouldhave

negli-gibleprobabilityincomputinggab_∈_G_.

ComputationalbilinearDiﬃe-Hellmanassumption(BDH)[3].LetG₌

g

beacyclicgroupwithbilinearmapeˆ:G_{× G}_→GT,

whereGandGThaveprimeorderp.Givenatuple(g,ga,gb,gv)forsome randomvaluesa,b,

v

∈RZ∗p,anyPPTalgorithmE

wouldhavenegligibleprobabilityincomputingeˆ

(

g,g

)

abv_∈_G

T.

3. ConcretePKS-DETconstruction

We now present our basic PKS-DET construction in Type 1 bilinear groups. Table 2 summarizes the frequently used notationsinourconstructions.

Setup: This algorithm picks a symmetric bilinear map:eˆ:G_{× G}_→GT, whereG=

g

andGT are cyclicgroups with

primeorder p.Then itpicks two cryptographichash functionsH1:GT→GandH3:G4→

{

0,1

}

τm+logp, where

τ

mdenotes

themessagesizeindomainM=

{

0,1

}

τm _and

|

_M

|

₌

|

_G

|

_,_and_a _target_{collision-resistant}_hash_function_H

2 whichcanbea

bijectiveencodingfunctionfrom_MtoG[8,22].Theglobalparametersaregp=

(

G_,GT,g,eˆ,p,H1,H2,H3

)

.

KeyGens:Thesenderrandomlypicksasecretkeysks=xs←$ Z∗pandcomputesthecorrespondingpublickeypks=Xs=gxs.

KeyGenr:Therecipientrandomlypicksasecretkeyskr=

(

skr,1,skr,2

)

=

(

xr,1,xr,2

)

←$

(

Z∗p

)

2andcomputesthe

correspond-ingpublickeypkr=

(

Xr,1=gxr,1,Xr,2=gxr,2

)

.

KeyGent:Thetesterrandomlypicksasecretkeyskt=xt ←$ Z∗pandcomputesthecorrespondingpublickeypkt=Xt=gxt.

Signcrypt:Fora messagem∈M,thesenderrandomlyselects

α

1,

α

2 ←$ Z∗p,andgeneratesciphertextC=

(

c1,c2,c3,c4

)

asfollows:

c1=gα1 c2=gα2

c3=H1

(

eˆ

(

Xr,1,Xt

)

α2

)

· H2

(

m

)

α1+xs c4=H3

(

c1

c2

c3

Xrα,22

)

(

m

α

1

)

Unsigncrypt:GivenaciphertextC=

(

c1,c2,c3,c4

)

,therecipientcomputes

m

α

1=c4H3

(

c1

c2

c3

cx2r,2

)

thenveriﬁes c1=? gα1 (1) and ˆ e

c3 H1

(

eˆ

(

Xt,c2

)

xr,1

)

,g

=? eˆ

(

H2

(

m

)

,c1· Xs

)

(2)

Ifbothconditionsaremet,therecipientoutputsm.

PCMatch:GivenciphertextC,thetesterwhoisdesignatedtoperformequalitytestmaycheckwhetherCsigncryptsm

asfollows: ˆ e

c3 H1

(

eˆ

(

Xr,1,c2

)

xt

)

,g

? =eˆ

(

H2

(

m

)

,c1· Xs

)

(3)

(12)

EqTest:GivenciphertextsCandC,atesterwhoisdesignatedtoperformequalitytestmaycheckwhethertheysigncrypt thesamemessage(i.e.,m=m)asfollows:

ˆ e

c3 H1

(

eˆ

(

Xr,1,c2

)

xt

)

,c 1· Xs

? =eˆ

c₃ H1

(

eˆ

(

X_r,₁,c₂

)

xt

)

,c1· Xs

(4) Iftheconditionismet,thetesteroutputs1;otherwiseheoutputs0.

Soundness.Forunsigncryption,theequalityin(2)holdsbecause ˆ e

c3 H1

(

eˆ

(

Xt,c2

)

xr,1

)

,g

=eˆ

H1

(

eˆ

(

Xr,1,Xt

)

α2

)

· H2

(

m

)

α1+xs H1

(

eˆ

(

Xt,Xr,1

)

α2

)

,g

=eˆ

H2

(

m

)

α1+xs,g

=eˆ

(

H2

(

m

)

,c1· Xs

)

Theequalityin(3)holds inthesame wayasthe equalityin(2)ifthemessagem encryptedby Cisequalto m.Onthe otherhand,iftheequalityin(3)holds,then H2

(

m

)

=H2

(

m

)

mustbe true.SinceH2 isbijective,H2

(

m

)

=H2

(

m

)

implies m₌m.

Forciphertextequalitytest,wehave ˆ e

c3 H1

ˆ e

(

Xr,1,c2

)

xt

,c₁· Xs

=eˆ

H1

(

eˆ

(

Xr,1,Xt

)

α2

)

· H 2

(

m

)

α1+xs H1

(

eˆ

(

Xr,1,Xt

)

α2

)

,g α 1· gxs

=eˆ

H2

(

m

)

α1+xs,gα 1+xs

=eˆ

(

H2

(

m

)

,g

)

(α1+xs)(α 1+xs) andsimilarly ˆ e

c₃ H1

(

eˆ

(

Xr,1,c2

)

xt

)

,c1· Xs

=eˆ

_H 1

(

eˆ

(

Xr,1,Xt

)

α2

)

· H₂

(

m

)

α1+xs H1

(

eˆ

(

Xr,1,Xt

)

α 2

)

, gα1· gxs

=eˆ

H2

(

m

)

α 1+xs,_gα1+xs

=eˆ

H2

(

m

)

,g

(α 1+xs)(α1+xs)

Thus,ifm=m,thenequalityin(4)holds.Ontheotherhand,iftheequalityin(4)holds,thenH2

(

m

)

=H2

(

m

)

musthold,

whichimpliesm₌m.

TheproposedPKS-DETconstructionoffersIND-CCA2,OW-CCA2andEU-CMAsecurityforciphertexts.Toprovethe secu-rityofourPKS-DETconstruction,weneedthefollowingDifferenceLemma[39].

Lemma3.1. LetE1,E2,andFbeeventsdeﬁnedonsomeprobabilityspace.SupposethattheeventE1∧¬Foccursifandonlyif

E2∧¬Foccurs.Then

|

Pr[E1]− Pr[E2]

|

≤ Pr[F].

Theorem3.1. TheabovePKS-DETconstructionisIND-CCA2secureagainstType-1adversaryintherandomoraclemodel assum-ingthattheCDHandBDHassumptionshold.

ThefollowingproofforTheorem3.1followsthestandardframeworkestablishedin[32,39,50].

Proof.Let_Abe a PPTadversary thathas advantage

inattackingtheIND-CCA2 securityforciphertextsof thePKS-DET scheme.SupposeAissuesatmostqS signcryptionqueries,atmostqUunsigncryption queries,atmostqH₁ hashqueriesof

H1 andatmostqH3 hashqueriesofH3 (here,qS,qU,qH1 andqH3 arepositive). Weprovethetheoremthroughasequence

ofgames.

GameG0:WedeﬁneGameG0 asformulatedinDeﬁnition2.2.

1.xs,xr,1,xr,2,xt ←$ Z∗p,Xs=gxs,Xr,1=gxr,1,Xr,2=gxr,2,Xt=gxt. 2.

(

m0,m1

)

∈M2←AOH1,OH3,OS,OU

(

Xs,Xr,1,Xr,2,Xt

)

suchthat

|

m0

|

=

|

m1

|

. 3.d $ ←

{

0,1

}

,

α

∗ 1,

α

∗2 $ ← Z∗_p, C∗=

(

c∗₁,c∗₂,c∗₃,c∗₄

)

where c∗₁=gα1∗, c₂∗=gα2∗, c₃∗=H1

(

eˆ

(

c2∗,Xt

)

xr,1

)

· H2

(

md

)

xs+α ∗ 1, and c∗₄= H3

(

c∗1

c∗2

c∗3

(

c∗2

)

xr,2

)

(

md

α

∗1

)

. 4.d_∈

{

0_,1

}

_←_AOH₁,OH₃,OS,OU

(

_m

0,m1,C∗

)

,wheretheoraclesworkasfollows.

• H1oraclequery:Foraninputelementw∈GT,OH₁ respondswitharandomvalue

θ

∈Ginaconsistentway,meaning

thatthesamevaluewillbereturnedforthesameinput.

• H3oraclequery:Foraninputelement(ϖ1,ϖ2,ϖ3,ϖ4)∈G4,OH₃ respondswitharandomvalue

η

∈

{

0,1

}

τm+logpina

consistentway,meaningthatthesamevaluewillbereturnedforthesameinput.

• OS oraclequery:Foraninput messagem,OS respondswitha ciphertextC=

(

c1,c2,c3,c4

)

byrunningtheSigncrypt

(13)

• OU oracle query: For an input ciphertext C=

(

c1,c2,c3,c4

)

, OU responds witha message m or⊥ by running the

Unsigncryptprocedurewithxr,1andxr,2.Here,unsigncryptionqueriesonC∗arenotallowed.

Let_E_ibetheeventthatd₌d inGame_G_i.Thus,wehave Advind_,-_Acca2=

Pr[E0]−

1 2

(5)

WethendeﬁnethefollowinggamewhichisindistinguishablefromGame_G0.

GameG1: 1. xs,xr,1,xr,2,xt ←$ Z∗p,Xs=gxs,Xr,1=gxr,1,Xr,2=gxr,2,Xt=gxt,L3=∅. 2.

(

m0,m1

)

(

X_s,X_r_,₁,X_r_,₂,X_t

)

suchthat

|

m₀

|

=

|

m₁

|

. 3. d $ ←

{

0_,1

}

_,

α

₁∗_,

α

₂∗ $ ← Z∗_p_,

η

∗_∈

{

0_,1

}

τm+logp_, _C∗₌

(

_c∗ 1,c∗2,c∗3,c∗4

)

where c∗1=gα ∗ 1, c₂∗=gα2∗, c∗₃=H₁

(

eˆ

(

X_r_,₁,X_t

)

α∗2

)

· H2

(

md

)

xs+α ∗ 1,andc∗₄=

η

∗

₍

_m d

α

1∗

)

.L3←L3∪

{

(

c∗1,c∗2,c∗3,X α∗ 2 r,2,

η

∗

)

}

. 4. d∈

{

0,1

}

←AOH₁,OH₃,OS,OU

₍

_m

0,m1,C∗

)

• H1 oraclequery:ThesameasinGameG0.

• H3 oracle query:ForansweringOH₃ queries, challengerC maintainsa listL3 whichisinitiallyempty.Foran input

element(ϖ1,ϖ2,ϖ3,ϖ4)∈G4,ifthereexistsanentry

(

1,

2,

3,

4,

η

)

∈L3,thenOH3 respondswith

η

;otherwise,

arandomvalue

η

∈

{

0,1

}

τm+logp_is_picked_and_returned,_and_L

3 isupdatedasL3∪

(

1,

2,

3,

4,

η

)

.

• OS oracle query:For an input message m, OS randomly picks

α

1,

α

2 ←$ Z∗p, queries OH₁ to get H1

(

eˆ

(

Xr,1,Xt

)

α2

)

=

w∈G,computesc1=gα1,c2=gα2 andc3=w· H2

(

m

)

xs+α1,queriesOH₃ togetH3

(

c1,c2,c3,X_r,α₂2

)

=

η

∈

{

0,1

}

τm+logp,

computesc4=

η

(

m

α

1

)

,andrespondswiththeciphertextC=

(

c1,c2,c3,c4

)

.

• OU oracle query: For an input ciphertext C=

(

c1,c2,c3,c4

)

, OU queries OH3 to get H3

(

c1,c2,c3,c x_r,2

2

)

=

η

∈

{

0,1

}

τm+logp_,_computes_m

_α

1←c4

η

,andchecksEqualities(1)and(2),whereeˆ

(

Xt,c2

)

xr,1 isqueriedtooracleOH1.

Ifbothhold,thenmisreturned;otherwise,⊥isreturned.Also,unsigncryptionqueriesonC∗arenotallowed. Duetotheidealnessofrandomoracle,wehave

Pr[E1]=Pr[E0] (6)

Wenextmodifythesimulationinanindistinguishablemanner. GameG2: 1. xs,xr,1,xr,2,xt ←$ Z∗p,Xs=gxs,Xr,1=gxr,1,Xr,2=gxr,2,Xt=gxt,L3=∅. 2.

(

m0,m1

)

(

X_s,X_r_,₁,X_r_,₂,X_t

)

suchthat

|

m₀

|

=

|

m₁

|

. 3. d $ ←

{

0,1

}

,

α

∗ 1,

α

2∗ $ ← Z∗_p,

η

∗_∈

_{

₀_,₁

_}

τm+logp, _C∗=

(

_c∗ 1,c∗2,c∗3,c∗4

)

where c∗1=gα ∗ 1, c₂∗=gα2∗, c∗₃=H₁

(

eˆ

(

X_r_,₁,Xt

)

α∗2

)

· H2

(

md

)

xs+α ∗ 1,andc∗₄=

η

∗_._L₃_←_L₃_∪

_{

₍

_c∗ 1,c2∗,c∗3,X α∗ 2 r,2,

η

∗

(

md

α

∗1

))

}

. 4. d∈

{

0,1

}

(

_m

0,m1,C∗

)

,wheretheoraclesworkinthesamewayasinGameG1exceptforthefollowing

cases.

• H3 oraclequery:If

(

·,c∗2,·,

(

c∗2

)

xr,2

)

isqueried,thegameaborts.LetthisabortioneventbeF1.

• OU oraclequery:If

(

c∗1,c∗2,c∗3,¯c∗4

)

isqueriedsuchthat ¯c4∗=c∗4,then⊥isreturned.

Sincec∗₄ isarandomvalueinbothgames of_G1 andG2,thechallengeciphertextC∗generatedinGameG2 isidentically

distributedasinGameG1.Thus,ifeventF1doesnotoccur,thenG2 isidenticaltoG1.AccordingtoLemma3.1,wehave

|

Pr[E2]− Pr[E1]

|

≤ Pr[F1] (7)

Lemma3.2. Pr[_F1]≤ AdvCDH+2τqmUp.

Proof. SupposethateventF1happenswith non-negligibleprobability.Using adversaryA, wecanconstruct aPPTalgorithm I tobreaktheCDHassumption.Atﬁrst,algorithmI isgivenaCDHinstance(g,ga_,_gb₎_∈_G3_,_with_the_goal_of_computing_gab_.

AlgorithmI randomlypicksxs,xr,1,xt ←$ Z∗p,computesthepublickeysXs=gxs,Xr,1=gxr,1andXt=gxt,andsetsXr,2=ga.

Algorithm_{I invokes}adversary_AinGame_G2 onpublickeys(Xs,Xr,1,Xr,2,Xt).

AlgorithmI generatesachallengeciphertextC∗=

(

c₁∗,c₂∗,c∗₃,c∗₄

)

formdasfollows:

α

∗ 1 $ ←Z∗_p,c∗₁=gα∗1,c∗ 2=gb,c∗3=H1

(

eˆ

(

Xr,1,c∗2

)

xt

)

· H2

(

md

)

α ∗ 1+xs,

η

∗∈

{

₀,₁

}

τm+logp,_c 4=

η

∗

AlgorithmI addsthetuple

(

c∗₁,c∗₂,c∗₃,,

)

tolistL3,wheredenotesan‘unknown’value.ThechallengeciphertextC∗has

thesamedistributionasthatinGameG2.AlgorithmI simulatestheoraclesinthesamewayasinGameG2 exceptforthe

following:

• H3 oraclequery:If

(

·,c∗2,·,

χ

)

isqueried,algorithmI checkseˆ

(

c∗2,Xr,2

)

?

=eˆ

(

χ

,g

)

.Ifitholds,algorithmI outputs

χ

and abortsthegame.

(14)

• OU oraclequery:On inputa ciphertextC=

(

c1,c2,c3,c4

)

, ifcj=c∗j holds for1≤ j≤ 3 yetc4=c∗4,algorithm I returns

⊥. Otherwise, algorithm I performs the following steps: Search for an entry (c1, c2, c3, ∗, ∗) in L3. If some entry

(c1, c2, c3,

χ

,

η

) exists, then compute m

α

1←

η

c4. The unsigncryption m is returned only when both c1=gα1 and

ˆ

e

(

c3

H₁(eˆ(X_r,₁,c2)xt),g

)

=eˆ

(

H2

(

m

)

,c1· Xs

)

aresatisﬁed,otherwise⊥isreturned.

LetF2betheeventthatatuple

(

·,c∗2,·,gab

)

isqueriedtooracleOH3.IfeventF2doesnothappenbytheendofthe

sim-ulation,thenalgorithm_{I aborts}withfailure.Toshowthattheunsigncryptionqueriesto_OU aresimulatedindistinguishably

fromGameG2,weanalyzetheunsigncryptionqueriesasfollows:

• Case 1:

(

c1,c2,c3,ca2

)

hasbeen queried toOH₃ beforean unsigncryption query forC=

(

c1,c2,c3,c4

)

is issued.In this

case,c4isuniquelydetermined.Thus,theunsigncryptionoracleOU isperfectlysimulated.

• Case 2:

(

c1,c2,c3,ca2

)

has not been queried to OH3 before an unsigncryption query forC=

(

c1,c2,c3,c4

)

is issued.In

thiscase,_OU willoutput⊥.Thus,thesimulationswouldfailifCisavalidciphertext.DuetotheidealnessofOH₃,this

happenswithprobability1/2τm+logp_.

Letting_F3denotetheeventthatavalidciphertextisrejectedinthesimulation,wehave

Pr[F3]≤

qU

2τmp.

Thus,ifeventF3doesnothappen,thesimulationsareidenticaltoGameG2.AccordingtoLemma3.1,wehave

|

Pr[F2]− Pr[F1]

|

≤ Pr[F3].

Therefore,

AdvCDH=Pr[F2]≥ Pr[F1]− Pr[F3]≥ Pr[F1]−

qU

2τmp. (8)

ThiscompletestheproofofLemma3.2.

Wecontinuetomodifythesimulationinanindistinguishablemanner. GameG3: 1.xs,xr,1,xr,2,xt ←$ Z∗p,Xs=gxs,Xr,1=gxr,1,Xr,2=gxr,2,Xt=gxt,L1=∅,L3=∅. 2.

(

m0,m1

)

(

Xs,Xr,1,Xr,2,Xt

)

suchthat

|

m0

|

=

|

m1

|

. 3.d $ ←

{

0,1

}

,

α

∗ 1,

α

2∗ $ ←Z∗p,

θ

∗ ←$ G,

η

∗∈

{

0,1

}

τm+logp,C∗=

(

c∗1,c∗2,c3∗,c∗4

)

wherec∗1=gα ∗ 1,c₂∗=gα2∗, c∗₃=

θ

∗_{· H}₂

₍

_m_d

₎

xs+α∗1, andc∗₄=

η

∗_._L₁_←_L₁_∪

_{

₍

_e_ˆ

₍

_X_r ,1,Xt

)

α2∗,

θ

∗

)

}

,L₃←L₃∪

{

(

c∗₁,c∗₂,c₃∗,Xα ∗ 2 r,2,

η

∗

(

md

α

1∗

))

}

. 4.d_∈

{

0_,1

}

_←_AOH₁,OH₃,OS,OU

(

_m

0,m1,C∗

)

• H1oracle query:Foraninputw∈GT,ifthereexists

(

w,

θ

)

∈L1,thenOH₁ returns

θ

; otherwise,OH₁ randomlypicks

θ

$

←G,insertsL1←L1∪

{

(

w,

θ

)

}

,andreturns

θ

.

• H3oraclequery:ItworksinthesamewayasinGameG2.

• OSoraclequery:SimilartothatinGameG2,wherebothOH₁ andOH₃ shouldbequeried.

• OU oraclequery:SimilartothatinGameG2,wherebothOH₁ andOH₃ shouldbequeried.If

(

c∗1,c∗2,c∗3,¯c∗4

)

isqueried

suchthat ¯c∗₄=c∗₄,then⊥isreturned.

Duetotheidealnessofrandomoracle,theH1oracleOH₁ andsigncryptionoracleOSareidenticaltothoseinGameG2.To

showthattheunsigncryptionqueriestoOU aresimulatedindistinguishablyfromGameG2,weanalyzetheunsigncryption

queriesasfollows:

• Case 1: eˆ

(

X_r,1,c2

)

xt has beenqueried to OH1 beforean unsigncryption queryfor (c1, c2,c3,c4)is issued.In thiscase,

θ

←H1

(

eˆ

(

Xr,1,c2

)

xt

)

isuniquelydetermined.Thus,theunsigncryptionoracleOU isperfectlysimulated.

• Case2:eˆ

(

Xr,1,c2

)

xt hasnotbeenqueriedtoOH₁ beforeanunsigncryptionqueryfor(c1,c2,c3,c4)isissued.Inthiscase, OU willoutput⊥.Thus,thesimulationswouldfailif(c1,c2,c3,c4)isavalidciphertext.DuetotheidealnessofOH1,this

happenswithprobability1/p.

LettingF4denotetheeventthatavalidciphertextisrejectedinCase2,wehave

Pr[F4]≤

qU

p.

IfeventF4 doesnothappen,GameG3isidenticaltoGameG2.AccordingtoLemma3.1,wehave

|

Pr[E3]− Pr[E2]

|

≤ Pr[F4]≤

qU

p. (9)

Wecontinuetomodifythesimulationinanindistinguishablemanner. GameG4:

(15)

1. xs,xr,1,xr,2,xt ←$ Z∗p,Xs=gxs,Xr,1=gxr,1,Xr,2=gxr,2,Xt=gxt,L1=∅,L3=∅. 2.

(

m0,m1

)

(

Xs,Xr,1,Xr,2,Xt

)

suchthat

|

m0

|

=

|

m1

|

. 3. d $ ←

{

0,1

}

,

α

∗ 1,

α

2∗ $ ←Z∗_p,

θ

∗ $ ←G,

η

∗_∈

_{

₀_,₁

_}

τm+logp,_C∗=

(

_c∗ 1,c∗2,c∗3,c∗4

)

where c∗₁=gα1∗, c∗₂=gα∗2, c∗₃=

θ

∗_, _and _c∗ 4=

η

∗. L1←L1∪

{

(

eˆ

(

Xr,1,Xt

)

α2∗,

θ

∗/H₂

(

md

)

xs+α ∗ 1

)

}

, L₃←L₃∪

{

(

c∗₁,c₂∗,c∗₃,Xα2∗ r,2,

η

∗

(

md

α

∗1

))

}

. 4. d∈

{

0,1

}

(

_m

0,m1,C∗

)

• H1 oraclequery:ItworksinthesamewayasinGameG3,exceptthatifeˆ

(

c∗2,Xt

)

xr,1 isqueried,thegameaborts.Let

thisabortioneventbeF5.

• H3 oraclequery:ItworksinthesamewayasinGameG3.

• OS oraclequery:ItworksinthesamewayasinGameG3.

• OU oraclequery:ItworksinthesamewayasinGameG3.

Sincec∗₃isarandomvalueingamesG4 andG3,thechallengeciphertextC∗generatedinthesetwogamesareidentically

distributed.NotethatifeventF5 happens,then adversaryAcancorrectlyguessdwithprobability 1.IfeventF5 doesnot

occur,then_G4isidenticaltoG3.AccordingtoLemma3.1,wehave

|

Pr[E4]− Pr[E3]

|

≤ Pr[F5]. (10)

Innextlemma,weprovethateventF5canonlyhappenwithnegligibleprobability.

Lemma3.3. Pr[F5]≤

q_H 1

1−qU/pAdv BDH_.

Proof. SupposethateventF5happenswith non-negligibleprobability.Using adversaryA, wecanconstruct aPPTalgorithm I to breakthe BDHassumption.At ﬁrst,algorithmI is given a BDHinstance(g,ga_,_gb_,_gv₎_∈_G4_,_with_the_goal_of_computing

ˆ

e

(

g,g

)

abv_.

AlgorithmI randomlypicks xs,xr,2 ←$ Z∗p,computesXs=gxs andXr,2=gxr,2,andsets Xr,1=gaandXt=gb,respectively.

AlgorithmI generatesachallengeciphertextC∗=

(

c∗₁,c∗₂,c∗₃,c∗₄

)

asfollows:

α

∗ 1 $ ←Z∗_p,c∗₁=gα∗1,c∗ 2=gv,

θ

∗ $ ←G,c₃∗=

θ

∗_,

_η

∗ $ ←

{

0,1

}

τm+logp,_c 4=

η

∗

AlgorithmI initiateslistL1 asemptyandaddsthetuple

(

c∗1,c∗2,c∗3,,

)

tolistL3,wheredenotesan ‘unknown’value.

The challenge ciphertext C∗ hasthe samedistribution asthat inGame G4.AlgorithmI invokes adversaryAin GameG4

withpublickeys(Xs,Xr,1,Xr,2,Xt)andthechallengeciphertextC∗,wheretheoraclesaresimulatedbyI inthesamewayas

inGameG4 exceptforthefollowing:

• OU oraclequery:OninputaciphertextC=

(

c1,c2,c3,c4

)

,ifcj=c∗j holdsfor1≤ j≤ 3yetc4=c∗4,algorithmI returns⊥.

Otherwise,algorithm_{I performs}the followingsteps:Query_OH₃ to getH3

(

c1,c2,c3,c

x_r,₂

2

)

=

η

.Computem

α

1←

η

c4.

Continueto search each entry(w,

θ

) in L1,ifboth c1=gα1 andc3=

θ

· H2

(

m

)

α1+xs are satisﬁed,then m isreturned;

otherwise⊥isreturned.

Toshowthat theunsigncryption queriestoOU are simulatedindistinguishably fromGameG4,weanalyzethe

unsign-cryptionqueriesasfollows:

• Case1:eˆ

(

Xt,c2

)

xr,1 hasbeenqueriedtoOH1 beforeanunsigncryptionqueryforC=

(

c1,c2,c3,c4

)

isissued.Inthiscase,

θ

isuniquelydetermined.Thus,theunsigncryptionoracleOU isperfectlysimulated.

• Case2:eˆ

(

Xt,c2

)

xr,1 hasnotbeenqueried toOH₁ beforean unsigncryptionqueryforC=

(

c1,c2,c3,c4

)

isissued.Inthis

case, OU will output ⊥. Thus, the simulations would fail ifC is a valid ciphertext. Due to the idealness ofOH₁, this

happenswithprobability1/p.

Letting_F6 denotetheeventthatavalidciphertextisrejectedinthesimulation,wehave

Pr[F6]≤

qU

p.

Thus,ifevent_F6doesnothappen,thesimulationsareidenticaltoGameG4.AlgorithmI randomlypicksapair(w,

θ

)from L1,andsetswasthesolutiontothegivenBDHprobleminstance.LettingF7denotetheeventthatw=eˆ

(

g,g

)

abv.Wehave

Pr[F7

|¬

F6]=

1 qH1