# A Pairing-Based Three-Party Authenticated Encryption Scheme without Shared Secrets

## Abstract

**:**

## 1. Introduction

## 2. Preliminaries

**Concept of Bilinear Pairing**

**G**

_{1}and

**G**

_{2}be an additive and a multiplicative group, respectively. Both groups have the same prime order q. A bilinear pairing e is expressed as e:

**G**

_{1}×

**G**

_{1}→

**G**

_{2}. Some properties of bilinear pairing e are described as follows:

- (i)
- Bilinearity:e(Q
_{1}+ Q_{2}, W) = e(Q_{1}, W)e(Q_{2}, W);e(Q, W_{1}+ W_{2}) = e(Q, W_{1})e(Q, W_{2}); - (ii)
- Nondegeneracy:We say that in the group
**G**_{2}, the value e(Q, Q) is regarded as a generator provided that, in the group**G**_{1}, Q is also a generator. - (iii)
- Computability:There exists an efficient polynomial-time algorithm to compute e(P, Q) for any P, Q ∈
**G**_{1}.

**Elliptic Curve Discrete Logarithm Problem and Assumption**

**Bilinear Diffie–Hellman Problem and Assumption**

^{xyz}∈

**G**

_{2}from four given values (Q, X, Y, and Z) of the group

**G**

_{1}. In particular, X = xQ, Y = yQ and Z = zQ for some x, y, z ∈ ${Z}_{q}^{*}$. The BDH assumption asserts that it is almost negligible advantage ε for any probabilistic algorithm $\mathcal{A}$ running in polynomial-time to solve BDHPs. Precisely speaking, the BDH assumption is denoted by the following probability inequality.

## 3. Proposed TPAE Construction

#### 3.1. Participated Entity

#### 3.2. Constituted Algorithms

_{i}, Y

_{i}) together with a public key certificate Cert

_{i}.

_{s}, Y

_{a}, and Y

_{b}, which separately represents a message, a signing key, and two verification keys. It will finally generate a corresponding authenticated ciphertext δ.

_{a}, ID

_{s}, ID

_{a}, and ID

_{b}, which separately denote a ciphertext, a decryption key, and the identities of one signer and two recipients. The output could be either a transformed signature Ω with the original message m or an error symbol ⊥. The latter case occurs if the input contains a false ciphertext.

#### 3.3. Substantial Construction

**G**

_{1}and

**G**

_{2}, which have an identical order of prime q. There is a generator P in the group

**G**

_{1}and a bilinear map e is defined as

**G**

_{1}×

**G**

_{1}→

**G**

_{2}. Assume that h

_{1}: {0, 1}

^{k}×

**G**

_{1}

^{2}→ Z

_{q}, h

_{2}:

**G**

_{1}

^{3}→ {0, 1}

^{k}and h

_{3}:

**G**

_{2}→

**G**

_{1}are collision resistant hash functions. The algorithm outputs public params which are composed of

**G**

_{1},

**G**

_{2}, q, P, and e along with three hash functions.

_{i}∈ Z

_{q}as the corresponding private key and then calculates the value Y

_{i}= x

_{i}P to be its public key. Note that a public key certificate named Cert

_{i}is also returned by employing the standard of X.509 [32].

_{a}and Y

_{b}) and a signing key x

_{s}, the algorithm chooses w ∈ ${Z}_{q}^{*}$ to compute

_{3}(e(wY

_{a}, Y

_{b})),

_{s}+ h

_{1}(m, W, T))

^{−1}W,

_{2}(W, σ, T),

_{2}(W, σ, T). This implies that the original message has to be split into k-bit blocks for facilitating the XOR operation. Therefore, the ciphertext parameter c is constituted by concatenating all XORed blocks.

_{i}(for i ∈ {a, b}) of participated receivers and the signing key Y

_{s}, this algorithm can easily derive

_{3}(e(x

_{a}W, Y

_{b})) = h

_{3}(e(Y

_{a}, x

_{b}W)),

_{2}(W, σ, T)

_{s}+ h

_{1}(m, W, T)P) = e(W, P).

c ⊕ h_{2}(W, σ, T) | ||

= | c ⊕ h_{2}(W, σ, h_{3}(e(x_{a}W, Y_{b}))) | (by Equation (5)) |

= | c ⊕ h_{2}(W, σ, h_{3}(e(x_{a}tP, Y_{b}))) | (by Equation (1)) |

= | c ⊕ h_{2}(W, σ, h_{3}(e(wY_{a}, Y_{b}))) | |

= | c ⊕ h_{2}(W, σ, T) | (by Equation (2)) |

= | m | (by Equation (4)) |

e(σ, Y_{s} + h_{1}(m, W, T)P) | ||

= | e((x_{s} + h_{1}(m, W, T))^{−1}W, Y_{s} + h_{1}(m, W, T)P) | (by Equation (3)) |

= | e((x_{s} + h_{1}(m, W, T))^{−1}W, (x_{s} + h_{1}(m, W, T))P) | |

= | e(W, P) |

## 4. Security Model and Proof

**Definition**

**1**

**.**The proposed TPAE scheme satisfies the characteristic of indistinguishability for the confidentiality requirement provided that no probabilistic polynomial-time (PPT) adversary $\mathcal{A}$ plotting adaptive chosen ciphertext attacks has a non-negligible advantage to beat a player $\mathcal{B}$ acting as a challenger in the following game.

^{k}): By initializing the Setup(1

^{k}) algorithm, the challenger $\mathcal{B}$ first provides the adversary $\mathcal{A}$ with public params.

_{i}, Cert

_{i}).

_{s}, Y

_{a}, and Y

_{b}. $\mathcal{B}$ outputs a corresponding authenticated ciphertext δ to $\mathcal{A}$.

_{0}and m

_{1}, where | m

_{0}| = | m

_{1}|. Then $\mathcal{B}$ determines λ ← {0, 1} by flipping an internal coin. An authenticated ciphertext δ* on m

_{λ}is also computed as a challenge designated for $\mathcal{A}$.

**Definition**

**2**

**.**The proposed TPAE scheme satisfies the characteristic of existential unforgeability provided that no PPT adversary $\mathcal{A}$ plotting adaptive chosen-message attacks has a non-negligible advantage to beat a player $\mathcal{B}$ acting as a challenger in the following game:

^{k}): By initializing the Setup(1

^{k}) algorithm, the challenger $\mathcal{B}$ first provides the adversary $\mathcal{A}$ with public params.

**Theorem**

**1**

**1**It is said that the proposed TPAE scheme is (t, q

_{h}

_{1}, q

_{h}

_{2}, q

_{h}

_{3}, q

_{Reg_U}, q

_{ESign}, q

_{EVerify}, ε)-secure in the requirement of IND-CCA2 when no PPT adversary has the non-negligible advantage ε′ to solve the BDHP within the running time t′, where

_{λ}(2q

_{EVerify}).

_{λ}represents the required computation time of a bilinear map.

**Proof.**

_{i}. By utilizing $\mathcal{A}$ as a subroutine, it enables us to create a new algorithm, say $\mathcal{B}$, to break the assumption of BDH within the expected time t′ and the success probability is ε′. Let P, xP, yP, and zP be the inputted BDHP instance for $\mathcal{B}$ and the desired output would be e(P, P)

^{xyz}. In the following interactive processes, $\mathcal{B}$ acts as a challenger to answer queries submitted by $\mathcal{A}$. □

^{k}) algorithm, the challenger $\mathcal{B}$ provides the adversary $\mathcal{A}$ with public params = {

**G**

_{1},

**G**

_{2}, q, P, e}.

_{s}, ID

_{a}, and ID

_{b}) as the identities of the signer and two designated verifiers, and could adaptively request queries stated below.

_{1}oracle:$\mathcal{A}$ could submit an h

_{1}(m, W, T) oracle to get the value v

_{1}∈

_{R}Z

_{q}. A record of (m, W, T, v

_{1}) would also be written into a maintained h

_{1}-list by $\mathcal{B}$.

_{2}oracle:$\mathcal{A}$ could submit an h

_{2}(W, σ, T) oracle to get the value v

_{2}∈

_{R}{0, 1}

^{k}. A record of (W, σ, T, v

_{2}) would also be written into a maintained h

_{2}-list by $\mathcal{B}$.

_{3}oracle:$\mathcal{A}$ could submit an h

_{3}(E) oracle to get the value v

_{3}∈

_{R}

**G**

_{1}. A record of (E, v

_{3}) would also be written into a maintained h

_{3}-list by $\mathcal{B}$.

_{a}= xP, Cert

_{a}) to $\mathcal{A}$. If i = b, $\mathcal{B}$ returs (Y

_{b}= yP, Cert

_{b}) to $\mathcal{A}$. When i = s, $\mathcal{B}$ calls the Reg_U algorithm to get (x

_{s}, Y

_{s}, Cert

_{s}) and then returns (Y

_{s}, Cert

_{s}) to $\mathcal{A}$.

_{2}-list for all matched v

_{2}

_{′}s. If one of matched v

_{2}

_{′}s satisfies that e(σ, Y

_{s}+ h

_{1}(c ⊕ v

_{2}, W, T)P) = e(W, P), $\mathcal{B}$ returns (c ⊕ v

_{2}, W, σ, T). If not, $\mathcal{A}$ will receive an error symbol.

_{0}and m

_{1}, where | m

_{0}| = | m

_{1}|. Then $\mathcal{B}$ determines λ ← {0, 1} by flipping an internal coin and computes a ciphertext δ* for the selected m

_{λ}with the following steps:

- Step 1
- Randomly choose v
_{1}∈ Z_{q}along with v_{2}∈ {0, 1}^{k}; - Step 2
- Let W* = zP;
- Step 3
- Compute σ* = (x
_{s}+ v_{1})^{−1}W* and c* = m_{λ}⊕ v_{2}; - Step 4
- Add the record of (m
_{λ}, W*, null, v_{1}) into h_{1}-list; - Step 5
- Add the record of (W*, σ*, null, v
_{2}) into h_{2}-list.The ciphertext δ* = (W*, σ*, c*) is served as a target challenge for $\mathcal{A}$.

_{2}(W, σ, T) oracle had never been made before. We express this event as EVerify_Fat and Pr[EVerify_Fat] during the entire simulation game is not greater than $\frac{{q}_{EVerify}}{{2}^{k}}$, as $\mathcal{A}$ can issue at most q

_{EVerify}EVerify queries. Besides, in the challenge phase, $\mathcal{B}$ sets W* = zP, which infers that the component Z* is formulated as h

_{3}(e(x(zP), yP)) = h

_{3}(e(P, P)

^{xyz}). If the adversary $\mathcal{A}$ queries an h

_{3}oracle on the value e(P, P)

^{xyz}during the second phase, the simulation game would accidentically terminate. We denote such an event as QH

_{3}* and let PSG be the event of perfect simulation game. When the event PSG occurs, $\mathcal{A}$ has no better change to guess λ, i.e.,

ε | = | Pr[λ′ = λ] − 0.5 | | (by Definition 1) |

≤ 0.5Pr[¬PSG] | (by Equation (11)) | |

= 0.5(Pr[QH_{3}* ∨ EVerify_Fat]) | ||

≤ 0.5(Pr[QH_{3}*] + Pr[EVerify_Fat]). |

_{3}*] ≥ 2ε − Pr[EVerify_Fat]

_{3}* happens, we claim that e(P, P)

^{xyz}would be contained in a record of h

_{3}-list. For that reason, we could mean that the advantage of the algorithm $\mathcal{B}$ for breaking the designated BDHP instance is ε′ ≥ $(\frac{1}{{q}_{{h}_{3}}})(2\epsilon -\frac{{q}_{EVerify}}{{2}^{k}})$. The expected running time of $\mathcal{B}$ is calculated as t′ ≈ t + t

_{λ}(2q

_{EVerify}).

**Theorem**

**2.**

**.**It is said that the proposed TPAE scheme is (t, q

_{h}

_{1}, q

_{h}

_{2}, q

_{h}

_{3}, q

_{Reg_U}, q

_{ESign}, ε)-secure in the requirement of EF-CMA when no PPT adversary having the non-negligible advantage ε′ solves the ECDLP within the running time t′, where

_{ESign}+ 1)(q

_{ESign}+ q

_{h}

_{1})/2

^{k},

_{h}

_{1}t/ε.

**Proof.**

_{i}. By utilizing $\mathcal{A}$ as a subroutine, it enables us to create a new algorithm, say $\mathcal{B}$, to break the assumption of ECDL within the expected time t’ and the success probability is ε’. Let (P, zP) be the inputted ECDLP instance for $\mathcal{B}$ and the purpose is to obtain z. In this proof, we use the technique of Forking Lemma [33] and $\mathcal{B}$ acts as a challenger to answer queries submitted by $\mathcal{A}$. □

^{k}) algorithm, the challenger $\mathcal{B}$ provides the adversary $\mathcal{A}$ with public params = {

**G**

_{1},

**G**

_{2}, q, P, e} and a random tape which is constituted of a series of random bits. Given public params and an identical random tape, $\mathcal{B}$ would play two rounds of games with the adversary $\mathcal{A}$ below.

_{s}, ID

_{a}, and ID

_{b}) as the selected identities of the signer together with two intended verifiers, and then adaptively makes new queries as follows. For all h

_{i}(i∈{1, 2, 3}) oracles, $\mathcal{B}$ returns as those defined in Theorem 1.

_{s}= zP, Cert

_{s}) to $\mathcal{A}$. Otherwise, $\mathcal{B}$ calls the Reg_U algorithm for getting (x

_{i}, Y

_{i}, and Cert

_{i}) and then returns (Y

_{i}, Cert

_{i}) to $\mathcal{A}$.

_{s}, Y

_{a}, and Y

_{b}, $\mathcal{B}$ performs the subsequent procedures:

- Step 1
- Randomly pick two integers d, v
_{1}∈ ${Z}_{q}^{*}$; - Step 2
- Run the Reg_U algorithm to get (x
_{a}, Y_{a}, Cert_{a}) and (x_{b}, Y_{b}, Cert_{b}); - Step 3
- Compute
- σ = dP,
- W = d(zP) + v
_{1}dP, - T = h
_{3}(e(x_{a}W, Y_{b})), - c = m ⊕ h
_{2}(W, σ, T);

- Step 4
- Add the entry (m, W, T, v
_{1}) into h_{1}-list;The ciphertext δ = (W, σ, c) is then returned to $\mathcal{A}$.

_{1}oracle and we know that Pr[¬QH

_{1}] ≤ 2

^{−k}. Hence, it could be further expressed that the probability of $\mathcal{A}$ to generate a valid ciphertext δ = (W, σ, c) following making the corresponding h

_{1}(m, W, T) oracle to be Pr[PF ∧ QH

_{1}] ≥ (ε − 1/2

^{k}). Afterwards, $\mathcal{B}$ plays the second round with $\mathcal{A}$ in the same environment. Because the inputted tape is formed by identical series of randomized bits, the challenger $\mathcal{B}$ is able to anticipate $\mathcal{A}$’s next query. According to the responses made in first run, $\mathcal{B}$ returns the same results until $\mathcal{A}$ queries the critical h

_{1}(m, W, T) oracle. Instead of returning original v

_{1}, $\mathcal{B}$ outputs a new value v

_{1}*. By the Forking Lemma, if $\mathcal{A}$ finally forges a valid ciphertext δ* = (W, σ*, c*) with h

_{1}(m, W, T) = v

_{1}*, $\mathcal{B}$ can solve the ECDLP. Concretely speaking, when the adversary $\mathcal{A}$ finally outputs two valid ciphertext (δ, δ*) with h

_{1}(m, W, T) ≠ h

_{1}*(m, W, T), we can obtain two equations:

_{s}+ h

_{1}(m, W, T))

^{−1}W = (z + v

_{1})

^{−1}W,

_{s}+ h

_{1}*(m, W, T))

^{−1}W = (z + v

_{1}*)

^{−1}W.

_{ESign}+ 1)(q

_{ESign}+ q

_{h}

_{1})/2

^{k}and the expected running time spent by $\mathcal{B}$ is t’ ≤ 120686q

_{h}

_{1}t/ε.

## 5. Performance Evaluation

## 6. Conclusions

## Author Contributions

## Funding

## Conflicts of Interest

## Ethical Approval

## References

- Diffie, W.; Hellman, M. New Directions in Cryptography. IEEE Trans. Inf. Theory
**1976**, IT-22, 644–654. [Google Scholar] [CrossRef] - ElGamal, T. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Trans. Inf. Theory
**1985**, IT-31, 469–472. [Google Scholar] [CrossRef] - Rivest, R.; Shamir, A.; Adleman, L. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Commun. ACM
**1978**, 21, 120–126. [Google Scholar] [CrossRef] - Sekhar, M.R. Signatures Scheme with Message Recovery and Its Applications. Int. J. Comput. Math.
**2004**, 81, 285–289. [Google Scholar] [CrossRef] - Schneider, S. Formal Analysis of a Non-Repudiation Protocol. In Proceedings of the 11th IEEE Computer Security Foundations Workshop, Rockport, MA, USA, 9–11 June 1998; IEEE Press: Piscataway, NJ, USA, 1998; pp. 54–65. [Google Scholar]
- Hou, F.; Wang, Z.; Tang, Y.; Liu, Z. Protecting Integrity and Confidentiality for Data Communication. In Proceedings of the 9th International Symposium on Computers and Communications (ISCC’04), Alexandria, Egypt, 28 June–1 July 2004; pp. 357–362. [Google Scholar]
- Jacob, J. A Uniform Presentation of Confidentiality Properties. IEEE Trans. Softw. Eng.
**1991**, 17, 1186–1194. [Google Scholar] [CrossRef] - Horster, P.; Michel, M.; Peterson, H. Authenticated Encryption Schemes with Low Communication Costs. Electron. Lett.
**1994**, 30, 1212–1213. [Google Scholar] [CrossRef] - Stallings, W. Cryptography and Network Security: Principles and Practices, 7th ed.; Pearson: London, UK, 2017. [Google Scholar]
- Araki, S.; Uehara, S.; Imamura, K. The Limited Verifier Signature and Its Application. IEICE Trans. Fundam. Electron. Comput. Sci.
**1999**, E82-A, 63–68. [Google Scholar] - Zhang, F.; Kim, K. A Universal Forgery on Araki et al.’s Convertible Limited Verifier Signature Scheme. IEICE Trans. Fundam. Electron. Comput. Sci.
**2003**, E86-A, 515–516. [Google Scholar] - Wu, T.S.; Hsu, C.L. Convertible Authenticated Encryption Scheme. J. Syst. Softw.
**2002**, 62, 205–209. [Google Scholar] [CrossRef] - Huang, H.F.; Chang, C.C. An Efficient Convertible Authenticated Encryption Scheme and Its Variant. In Proceedings of the 5th International Conference on Information and Communications Security (ICICS 2003), Huhehaote, China, 10–13 October 2003; pp. 382–392. [Google Scholar]
- Lv, J.; Wang, X.; Kim, K. Practical Convertible Authenticated Encryption Schemes Using Self-Certified Public Keys. Appl. Math. Comput.
**2005**, 169, 1285–1297. [Google Scholar] [CrossRef] - Yang, F.Y. A Secure Scheme for Authenticated Encryption. Cryptology ePrint Archive, Report 2005/456. 2005. Available online: http://eprint.iacr.org/2005/456 (accessed on 11 February 2019).
- Chien, H.Y. Selectively Convertible Authenticated Encryption in the Random Oracle Model. Comput. J.
**2008**, 51, 419–434. [Google Scholar] [CrossRef] - Lee, C.C.; Hwang, M.S.; Tzeng, S.F. A New Convertible Authenticated Encryption Scheme Based on the ElGamal Cryptosystem. Int. J. Found. Comput. Sci.
**2009**, 20, 351–359. [Google Scholar] [CrossRef] - Wu, T.S.; Lin, H.Y. Secure Convertible Authenticated Encryption Scheme Based on RSA. Informatica-Lithuan
**2009**, 33, 481–486. [Google Scholar] - Lin, H.Y.; Hsu, C.L. A Novel Identity-Based Key-Insulated Convertible Authenticated Encryption Scheme. Int. J. Found. Comput. Sci.
**2011**, 22, 739–756. [Google Scholar] [CrossRef] - Hsu, C.L.; Lin, H.Y. New Identity-Based Key-Insulated Convertible Multi-Authenticated Encryption Scheme. J. Netw. Comput. Appl.
**2011**, 34, 1724–1731. [Google Scholar] [CrossRef] - Lin, H.Y. Group-Oriented Data Access Structure Using Threshold-CAE Scheme and Its Extension. Inf. Technol. Control
**2014**, 43, 252–263. [Google Scholar] [CrossRef] - Lin, H.Y. “PCMAE: A Proxy Convertible Multi-AE Scheme and Its Variant. Inf. Technol. Control
**2017**, 46, 530–545. [Google Scholar] [CrossRef] - Wu, T.S.; Lin, H.Y.; Ting, P.Y. A Publicly Verifiable PCAE Scheme for Confidential Applications with Proxy Delegation. Trans. Emerg. Telecommun. Technol.
**2012**, 23, 172–185. [Google Scholar] [CrossRef] - Hsu, C.L.; Lin, H.Y. Convertible Authenticated Encryption Scheme with Hierarchical Access Control. Appl. Math. Inf. Sci.
**2014**, 8, 1239–1246. [Google Scholar] [CrossRef] - Lin, H.Y.; Hsu, C.L.; Huang, S.K. Improved Convertible Authenticated Encryption Scheme with Provable Security. Inf. Process. Lett.
**2011**, 111, 661–666. [Google Scholar] [CrossRef] - Lin, H.Y.; Wu, T.S.; Huang, S.K. An Efficient Strong Designated Verifier Proxy Signature Scheme for Electronic Commerce. J. Inf. Sci. Eng.
**2012**, 28, 771–785. [Google Scholar] - Lin, H.Y.; Wu, T.S.; Huang, T.Y.; Yeh, Y.S. Self-Certified Proxy Convertible Authenticated Encryption Scheme. In Proceedings of the 8th International Conference on Intelligent System Design and Applications (ISDA 2008), Kaohsiung, Taiwan, 26–28 November 2008; pp. 479–483. [Google Scholar]
- Lu, C.F.; Hsu, C.L.; Lin, H.Y. Provably Convertible Multi-Authenticated Encryption Scheme for Generalized Group Communications. Inf. Sci.
**2012**, 199, 154–166. [Google Scholar] [CrossRef] - Wu, T.S.; Chen, Y.S.; Lin, H.Y.; Chang, T.K. Authenticated Encryption Scheme Based on Paillier System with Verifiable Public Keys. Commun. Comput. Secur.
**2012**, 2, 1–5. [Google Scholar] [CrossRef] - Wu, T.S.; Lin, H.Y. Efficient Self-Certified Proxy CAE Scheme and Its Variants. J. Syst. Softw.
**2009**, 82, 974–980. [Google Scholar] [CrossRef] - Wu, T.S.; Lin, H.Y.; Tsao, S.H.; Ting, P.Y. On the Construction of DL-Based Convertible Authenticated Encryption Scheme with Message Linkages. Inf. Int. Interdiscip. J.
**2013**, 16, 7983–7994. [Google Scholar] - ISO/IEC 9594-8. Information Technology—Open Systems Interconnection—The Directory: Public-Key and Attribute Certificate Frameworks; International Organization for Standardization: Geneva, Switzerland, 2001. [Google Scholar]
- Pointcheval, D.; Stern, J. Security Arguments for Digital Signatures and Blind Signatures. J. Cryptol.
**2000**, 13, 361–369. [Google Scholar] [CrossRef] - Lee, J.S.; Chang, J.H.; Lee, D.H. Forgery Attacks on Kang et al.’s Identity-Based Strong Designated Verifier Signature Scheme and Its Improvement with Security Proof. Comput. Electr. Eng.
**2010**, 36, 948–954. [Google Scholar] [CrossRef] - Islam, S.K.H.; Biswas, G.P. Provably Secure Certificateless Strong Designated Verifier Signature Scheme Based on Elliptic Curve Bilinear Pairings. J. King Saud Univ.-Comput. Inf. Sci.
**2013**, 25, 51–61. [Google Scholar] - Cao, X.; Kou, W.; Du, X. A Pairing-Free Identity-Based Authenticated Key Agreement Protocol with Minimal Message Exchanges. Inf. Sci.
**2010**, 180, 2895–2903. [Google Scholar] [CrossRef]

**Figure 1.**Comparison of approximate running time for sender in three-party communication environments.

**Figure 2.**Comparison of approximate running time for each recipient in three-party communication environments.

**Figure 3.**Comparison of approximate running time for entire scheme in three-party communication environments.

Symbol | Description |
---|---|

C_{1} | To execute a bilinear pairing computation |

C_{2} | To execute an exponentiation computation over G_{2} |

C_{3} | To execute a scalar multiplication over G_{1} |

Sender | Each Recipient | Entire Scheme | |
---|---|---|---|

Lee10 | 4C_{1} + 4C_{3} | 2C_{1} + C_{3} | 8C_{1} + 6C_{3} |

Hsu14 | 2C_{1} + 8C_{3} | 3C_{1} + 3C_{3} | 8C_{1} + 14C_{3} |

Islam13 | 6C_{1} + 6C_{3} + 2C_{2} | C_{1} + C_{3} + C_{2} | 8C_{1} + 8C_{3} + 4C_{2} |

This paper | C_{1} + 3T_{M} | 3C_{1} + 2C_{3} | 7C_{1} + 7C_{3} |

© 2019 by the author. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Lin, H.-Y.
A Pairing-Based Three-Party Authenticated Encryption Scheme without Shared Secrets. *Symmetry* **2019**, *11*, 605.
https://doi.org/10.3390/sym11050605

**AMA Style**

Lin H-Y.
A Pairing-Based Three-Party Authenticated Encryption Scheme without Shared Secrets. *Symmetry*. 2019; 11(5):605.
https://doi.org/10.3390/sym11050605

**Chicago/Turabian Style**

Lin, Han-Yu.
2019. "A Pairing-Based Three-Party Authenticated Encryption Scheme without Shared Secrets" *Symmetry* 11, no. 5: 605.
https://doi.org/10.3390/sym11050605