A Pairing-Based Three-Party Authenticated Encryption Scheme without Shared Secrets

Abstract: The traditional authenticated encryption (AE) scheme is a single-user cryptographic mechanism which enables only one designated verifier to authenticate the ciphertext. Although several group-oriented AE variants have been proposed to eliminate this limitation, they require shared verification. This motivated us to consider three-party communication environments where each party runs independent processes without cooperation. In this paper, we realize a novel three-party AE (abbreviated to TPAE) scheme in which two designated verifiers can each decrypt the same ciphertext on their own and then inspect the validity of the embedded signature. Additionally, we show that our TPAE construction is computationally secure using the well-defined IND-CCA2 and EF-CMA adversary games in the random oracle model. The comparison results demonstrate the computational efficiency of our mechanism.


Introduction
In public key cryptosystems [1], digital signature schemes [2][3][4] are important mechanisms that serve the same function as handwritten signatures in the real world. A significant property of digital signatures is non-repudiation [5], which guarantees that a signer cannot later deny the signatures he/she generated.
To further provide confidentiality [6,7] for special signature applications such as online auctions and electronic transactions, one can employ the so-called two-step measure, in which an encryption process is performed after a signing operation. Nevertheless, this approach is inefficient.
In 1994, to provide a better solution, Horster et al. [8] introduced a hybrid method known as the authenticated encryption (AE) scheme, which fulfills both confidentiality and authenticity [9]. In such an approach, a signer combines the intended recipient's public key with the signing operation. In this way, the resulting authenticated ciphertext can only be verified by the person holding the correct private key. Thus, an AE scheme no longer exhibits public verifiability, owing to the confidentiality concern. However, this trait also leads to a problem of later dispute if a signer denies having produced the signature: a designated verifier will have difficulty proving the signer's dishonesty without revealing his/her private key.
To handle the above issue, Araki et al. [10] proposed a limited-verifier signature mechanism with an optional arbitration procedure. Yet, the procedure requires the signer's assistance to announce an extra parameter. Once the signer refuses to cooperate, the arbitration mechanism is useless. Moreover, Zhang and Kim [11] showed that an adversary can choose an arbitrary message and successfully launch universal forgery attacks against Araki et al.'s work.
Later, Wu and Hsu [12] proposed a convertible AE protocol that allows a designated verifier to carry out the arbitration steps alone and then reveal a converted signature for public verification. A noticeable property of the Wu-Hsu scheme is that the signature conversion steps are computation-free, i.e., the originally signed signature is obtained within the ciphertext decryption procedure. Next, Huang and Chang [13] presented another enhanced scheme. However, Lv et al. [14] showed that semantic security is not satisfied in either the Huang-Chang or the Wu-Hsu scheme. Concretely speaking, an adversary can easily distinguish a given authenticated ciphertext from only two candidate messages.
In 2005, Yang [15] proposed a secure scheme with provable security. In 2008, Chien [16] came up with a new AE variant permitting either the original signer or a designated recipient to run the signature conversion steps. In 2009, Lee et al. [17] introduced an ElGamal-based variant built on the well-known ElGamal cryptosystem. In the same year, Wu and Lin [18] showed how to use the RSA cryptosystem to build a concrete AE construction with convertibility. Aiming at reducing the impact of key-compromise attacks, Hsu and Lin [19] presented a key-insulated AE scheme in which a helper is able to renew users' short-term private keys periodically as the time periods advance.
Considering group-oriented applications, in 2011, Hsu and Lin [20] presented a convertible variation of the multi-AE (a.k.a. MAE) method. To provide a more flexible signing policy, in 2014 Lin [21] further introduced a threshold-AE scheme. In 2017, a new AE scheme supporting multiple signers and the functionality of proxy delegation was also introduced [22]. Up to the present, many AE variants [23][24][25][26][27][28][29][30][31] have been proposed. However, all existing mechanisms put the emphasis on either the single-user setting or group-oriented environments with cooperative groups. In this paper, we aim at proposing a better alternative for three-party communication environments where each entity usually runs independent processes without sharing its secrets with the others.

Preliminaries
Before presenting the proposed mechanism, we first revisit the operations of bilinear pairing together with some famous cryptographic assumptions, which will be utilized as the underlying building blocks of our work.

Concept of Bilinear Pairing
Let G_1 be an additive group and G_2 a multiplicative group, both of the same prime order q. A bilinear pairing e is a map e: G_1 × G_1 → G_2 with the following properties: (ii) Nondegeneracy: if Q is a generator of G_1, then e(Q, Q) is a generator of G_2; (iii) Computability: there exists an efficient polynomial-time algorithm to compute e(P, Q) for any P, Q ∈ G_1.

Elliptic Curve Discrete Logarithm Problem and Assumption
An Elliptic Curve Discrete Logarithm Problem (ECDLP) is to find x ∈ Z_q^* satisfying X = xQ, where X and Q are two known points on an elliptic curve E. The ECDL assumption asserts that any probabilistic polynomial-time algorithm A has only a negligible advantage ε in solving ECDLPs. More precisely, the ECDL assumption is expressed by the following probability inequality:

Bilinear Diffie-Hellman Problem and Assumption
A Bilinear Diffie-Hellman Problem (BDHP) is to compute e(Q, Q)^xyz ∈ G_2 from four given elements Q, X, Y and Z of the group G_1, where X = xQ, Y = yQ and Z = zQ for some x, y, z ∈ Z_q^*. The BDH assumption asserts that any probabilistic polynomial-time algorithm A has only a negligible advantage ε in solving BDHPs. Precisely speaking, the BDH assumption is expressed by the following probability inequality.

Proposed TPAE Construction
Using the operations and properties of bilinear pairing, this section presents the designed TPAE construction. First, the roles of the participating entities are briefly described. Then we give the definitions of the constituent algorithms, followed by the concrete construction.

Participating Entities
A general TPAE construction has three participating entities: an original signer and two designated receivers. The former produces an authenticated ciphertext. Then each of the specified receivers can independently decrypt the obtained ciphertext and inspect the validity of the embedded signature. A TPAE scheme is said to be correct if, whenever a signer creates a valid authenticated ciphertext, only the specified receivers have the privilege to decrypt it and check the validity of the embedded signature. Each designated receiver can also exhibit a transformed signature suitable for public verification when a repudiation dispute arises.

Constituent Algorithms
The designed TPAE scheme consists of four algorithms, defined as follows.
Setup: This algorithm initializes the system by taking a security parameter k and generating the public parameters params.
Reg_U: The input of this algorithm is an index i; the output is a private-public key pair (x_i, Y_i) together with a public key certificate Cert_i.
ESign: The inputs of this algorithm are m, x_s, Y_a and Y_b, which respectively represent a message, a signing key and two verification keys. It outputs the corresponding authenticated ciphertext δ.
EVerify: The inputs of this algorithm are δ, x_a, ID_s, ID_a and ID_b, which respectively denote a ciphertext, a decryption key and the identities of the signer and the two recipients. The output is either a transformed signature Ω together with the original message m, or an error symbol ⊥. The latter case occurs if the input contains a false ciphertext.

Substantial Construction
Setup: Let k be the security parameter. The algorithm first selects two groups G_1 and G_2 of the same prime order q. There is a generator P in the group G_1 and a bilinear map e is defined as G_1 are collision-resistant hash functions. The algorithm outputs the public params, composed of G_1, G_2, q, P and e along with the three hash functions.
Reg_U: Given an index i, the algorithm randomly chooses an integer x_i ∈ Z_q as the private key and computes Y_i = x_i P as the corresponding public key. Note that a public key certificate Cert_i, following the X.509 standard [32], is also returned.
ESign: To produce an authenticated ciphertext for a message m with respect to two verification keys (Y_a and Y_b) and a signing key x_s, the algorithm chooses w ∈ Z_q^* to compute and then outputs the authenticated ciphertext δ = (W, σ, c). Note that in Equation (4), the ciphertext component c is computed by XOR-ing the message m with the hash value h_2(W, σ, T). This implies that the original message has to be split into k-bit blocks to facilitate the XOR operation; the ciphertext component c is therefore the concatenation of all XORed blocks.
EVerify: Given an authenticated ciphertext δ = (W, σ, c), the private key x_i (i ∈ {a, b}) of one of the participating receivers and the signer's public key Y_s, the algorithm first derives to decrypt the original message m as and then inspects the embedded redundancy of m. It further checks the signature by testing whether e(σ, Y_s + h_1(m, W, T)P) = e(W, P).
When the above equality holds, the algorithm returns the decrypted message m together with the transformed signature Ω = (W, σ, T). Otherwise, the error symbol ⊥ is output to denote a false ciphertext.
The correctness of Equations (6) and (7) can be confirmed by the following derivations. In Equation (6), the right side can be written as (by Equation (4)) which is just the left side of Equation (6).
In Equation (7), the left side can be written as which is the right side of Equation (7).
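A toy model of the whole construction, added here as an example (it is not the paper's code): G_1 and G_2 are replaced by Z_q so that the algebra behind Equations (6) and (7) can be checked offline, for both receivers and for the public check of the transformed signature. The signing equations (1)-(4) are not shown on this page; the block assumes the forms implied by Equation (7), the decryption step m = c ⊕ h_2(W, σ, T) used in the EVerify oracle, and the challenge-phase value of T, and it omits the redundancy check on m because the page does not define it.

```python
"""Toy model of the TPAE construction (added example, not the paper's code).
G1 is modelled as the additive group Z_q with generator P = 1 and the target
group G2 is also written additively, so e(aP, bP) = a*b mod q is bilinear and
non-degenerate but gives NO security: the toy ECDLP is trivial. The signing
equations (1)-(4) are assumptions consistent with the page's Equation (7), the
decryption step m = c XOR h2(W, sigma, T) and the challenge value
T = h3(e(x_a W, Y_b)); the undefined redundancy check on m is omitted."""
import hashlib
import secrets

q = 2**127 - 1   # prime group order (Mersenne prime M127); constructed choice
P = 1            # generator of toy G1 = (Z_q, +)
K_BYTES = 32     # h2 outputs k = 256 bits; m is XORed in k-bit blocks

def pairing(A, B):
    """Toy bilinear map e: G1 x G1 -> G2 (target group written additively)."""
    return (A * B) % q

def g2_exp(E, k):
    """E^k in G2; with G2 written additively this is scalar multiplication."""
    return (E * k) % q

def _hash(tag, *parts):
    hsh = hashlib.sha256(tag.encode())
    for part in parts:
        hsh.update(repr(part).encode() + b"|")
    return hsh.digest()

def h1(m, W, T):            # h1: {0,1}* x G1 x G1 -> Z_q
    return int.from_bytes(_hash("h1", m, W, T), "big") % q

def h2(W, sigma, T):        # h2: G1 x G1 x G1 -> {0,1}^k
    return _hash("h2", W, sigma, T)

def h3(E):                  # h3: G2 -> G1
    return int.from_bytes(_hash("h3", E), "big") % q

def xor_blocks(data, mask):
    """XOR each k-bit block of data with the same mask (c = m XOR h2(W, sigma, T))."""
    return bytes(b ^ mask[i % K_BYTES] for i, b in enumerate(data))

def reg_u():
    """Reg_U: private key x_i in Z_q^*, public key Y_i = x_i P."""
    x = secrets.randbelow(q - 1) + 1
    return x, (x * P) % q

def esign(m, x_s, Y_a, Y_b):
    """ESign: authenticated ciphertext delta = (W, sigma, c) for receivers a, b."""
    while True:
        w = secrets.randbelow(q - 1) + 1
        W = (w * P) % q                           # W = wP
        T = h3(g2_exp(pairing(Y_a, Y_b), w))      # T = h3(e(Y_a, Y_b)^w)
        d = (x_s + h1(m, W, T)) % q
        if d:                                     # retry if x_s + h1 = 0 mod q
            break
    sigma = (w * pow(d, -1, q)) % q               # sigma = w (x_s + h1)^-1 P
    c = xor_blocks(m, h2(W, sigma, T))
    return W, sigma, c

def everify(delta, x_i, Y_j, Y_s):
    """EVerify by receiver i using the other receiver's public key Y_j and Y_s.
    Returns (m, Omega) with Omega = (W, sigma, T), or None for a bad ciphertext."""
    W, sigma, c = delta
    T = h3(pairing((x_i * W) % q, Y_j))           # e(x_i W, Y_j) = e(Y_a, Y_b)^w
    m = xor_blocks(c, h2(W, sigma, T))
    if pairing(sigma, (Y_s + h1(m, W, T)) % q) != pairing(W, P):   # Equation (7)
        return None
    return m, (W, sigma, T)

def public_verify(m, omega, Y_s):
    """Anyone can check the transformed signature Omega once a receiver reveals it."""
    W, sigma, T = omega
    return pairing(sigma, (Y_s + h1(m, W, T)) % q) == pairing(W, P)
```

Both receivers recover the same T (and hence the same m and Ω) without sharing a secret, which is the computation-free conversion the text describes; a flipped ciphertext bit or a wrong decryption key makes Equation (7) fail.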

Security Model and Proof
To prove the security of our TPAE scheme, we first revisit the general security models of confidentiality and unforgeability below.

Definition 1 (Requirement of IND-CCA2).
The proposed TPAE scheme satisfies indistinguishability for the confidentiality requirement provided that no probabilistic polynomial-time (PPT) adversary A mounting adaptive chosen-ciphertext attacks has a non-negligible advantage in beating a challenger B in the following game.
Setup(1^k): By running the Setup(1^k) algorithm, the challenger B first provides the adversary A with the public params.
Phase 1: The querying capability of the adversary A consists of the following oracles.
Reg_U query: A chooses an index i and requests a Reg_U query. B runs the Reg_U algorithm and returns the output (Y_i, Cert_i).
ESign query: A requests an ESign query for his/her chosen m, Y_s, Y_a and Y_b. B outputs the corresponding authenticated ciphertext δ to A.
EVerify query: A requests an EVerify query for his/her chosen ciphertext δ. B sends either the error symbol ⊥ or a message m along with its transformed signature Ω to A.
Challenge: After requesting several queries, the adversary A creates two messages m_0 and m_1 with |m_0| = |m_1|. Then B determines λ ← {0, 1} by flipping an internal coin. An authenticated ciphertext δ* on m_λ is computed as the challenge for A.
Phase 2: In this phase, the adversary A continues to request new queries, but may not issue an EVerify query on the target challenge.
Guess: Finally, the adversary A wins the game if his/her guessed bit λ' equals λ. The advantage of A, denoted Adv(A), is written as
Definition 2 (Requirement of EF-CMA).
The proposed TPAE scheme satisfies existential unforgeability provided that no PPT adversary A mounting adaptive chosen-message attacks has a non-negligible advantage in beating a challenger B in the following game:
Setup(1^k): By running the Setup(1^k) algorithm, the challenger B first provides the adversary A with the public params.
Phase 1: The querying capability of the adversary A consists of the Reg_U and ESign oracles, just as described in Definition 1.
Forgery: At the end of this game, A wins if he/she outputs a valid δ* on an arbitrarily chosen m*. Note that δ* must not have been obtained via the ESign oracle.
We then adopt the techniques of random oracle proof models to formally show that the proposed mechanism satisfies the security of Definitions 1 and 2.

Theorem 1 (Proof of IND-CCA2).
The proposed TPAE scheme is (t, q_h1, q_h2, q_h3, q_Reg_U, q_ESign, q_EVerify, ε)-secure in the sense of IND-CCA2 if no PPT adversary has a non-negligible advantage ε' in solving the BDHP within running time t', where
Here, t_λ denotes the computation time of a bilinear map.
Proof. We first assume that within running time t there is a PPT adversary A able to break the proposed TPAE construction by mounting adaptive chosen-ciphertext attacks. The advantage of the adversary A is ε, and the maximum number of queries to oracle i is denoted q_i. Using A as a subroutine, we construct a new algorithm B that breaks the BDH assumption within expected time t' with success probability ε'. Let (P, xP, yP, zP) be the BDHP instance given to B; the desired output is e(P, P)^xyz. In the following interaction, B acts as a challenger and answers the queries submitted by A.
Setup: By running the initial Setup(1^k) algorithm, the challenger B provides the adversary A with the public params = {G_1, G_2, q, P, e}.
Phase 1: At the beginning, A designates (ID_s, ID_a, ID_b) as the identities of the signer and the two designated verifiers, and may adaptively request the queries stated below.
h_1 oracle: A could submit an h_1(m, W, T) query to get the value v_1 ∈_R Z_q. A record (m, W, T, v_1) is also written into the h_1-list maintained by B.
Phase 2: In this phase, the adversary A continues to request new queries, but may not issue an EVerify query on the target challenge δ*.
Analysis of the game: In this game interaction, the adversary A may receive an error symbol for an EVerify query on some valid δ = (W, σ, c). This happens when the corresponding h_2(W, σ, T) oracle has never been queried before. We denote this event by EVerify_Fat; Pr[EVerify_Fat] over the entire simulation is at most q_EVerify / 2^k, since A can issue at most q_EVerify EVerify queries. Besides, in the challenge phase B sets W* = zP, which implies that the component Z* is formulated as h_3(e(x(zP), yP)) = h_3(e(P, P)^xyz). If the adversary A queries the h_3 oracle on the value e(P, P)^xyz during the second phase, the simulation game terminates unexpectedly. We denote this event by QH_3* and let PSG be the event that the simulation is perfect. When the event PSG occurs, A has no better chance of guessing λ, i.e.,
Additionally, it can also be learned that Integrating inequalities (9) and (10), we have According to the proof assumption, the adversary A breaks our TPAE construction with a non-negligible chance ε, which indicates that (by Definition 1) ≤ 0.5 Pr[¬PSG] (by Equation (11)). Rewriting this inequality, we have that When the event QH_3* happens, we claim that e(P, P)^xyz is contained in some record of the h_3-list. For that reason, the advantage of the algorithm B in breaking the given BDHP instance is ε' ≥ (1 The expected running time of B is t' ≈ t + t_λ(2q_EVerify).
Proof. We first assume that within running time t there is a PPT adversary A able to break the proposed TPAE construction by mounting adaptive chosen-message attacks. The advantage of the adversary A is ε, and the maximum number of queries to oracle i is denoted q_i. Using A as a subroutine, we construct a new algorithm B that breaks the ECDL assumption within expected time t' with success probability ε'. Let (P, zP) be the ECDLP instance given to B; the goal is to obtain z. In this proof we use the Forking Lemma technique [33], and B acts as a challenger to answer the queries submitted by A.
Setup: By running the initial Setup(1^k) algorithm, the challenger B provides the adversary A with the public params = {G_1, G_2, q, P, e} and a random tape consisting of a series of random bits. Given the public params and an identical random tape, B plays two rounds of the game with the adversary A as follows.
Phase 1: At the beginning, A designates (ID_s, ID_a, ID_b) as the identities of the signer and the two intended verifiers, and then adaptively makes new queries as follows. For all h_i (i ∈ {1, 2, 3}) oracles, B answers as defined in Theorem 1.
Reg_U query: When A requests a Reg_U query on the index i = s, B directly sends (Y_s = zP, Cert_s) to A. Otherwise, B calls the Reg_U algorithm to get (x_i, Y_i, Cert_i) and returns (Y_i, Cert_i) to A.
ESign query: When A submits an ESign query on his/her chosen m, Y_s, Y_a and Y_b, B performs the following steps:
Step 1: Randomly pick two integers d, v_1 ∈ Z_q^*;
Step 2: Run the Reg_U algorithm to get (x_a, Y_a, Cert_a) and (x_b, Y_b, Cert_b);
Step 3: Compute
Step 4: Add the entry (m, W, T, v_1) into the h_1-list.
The ciphertext δ = (W, σ, c) is then returned to A.
Analysis of the game: In the above simulation, the ESign query always returns a valid authenticated ciphertext, so the adversary A cannot distinguish it from one output by the real scheme. Let PF be the event that A successfully forges a fresh ciphertext δ = (W, σ, c) for the message m; we have Pr[PF] = ε, since A has a non-negligible chance ε of breaking our TPAE construction. Now we evaluate the probability that A does not query the corresponding h_1 oracle, and we know that Pr[¬QH_1] ≤ 2^−k. Hence, the probability that A generates a valid ciphertext δ = (W, σ, c) after having queried the corresponding h_1(m, W, T) oracle is Pr[PF ∧ QH_1] ≥ (ε − 1/2^k). Afterwards, B plays the second round with A in the same environment. Because the input tape consists of the identical series of random bits, the challenger B is able to anticipate A's next query. Following the responses made in the first run, B returns the same results until A queries the critical h_1(m, W, T) oracle. Instead of returning the original v_1, B outputs a new value v_1*. By the Forking Lemma, if A finally forges a valid ciphertext δ* = (W, σ*, c*) with h_1(m, W, T) = v_1*, B can solve the ECDLP. Concretely speaking, when the adversary A finally outputs two valid ciphertexts (δ, δ*) with h_1(m, W, T) ≠ h_1*(m, W, T), we obtain two equations: Thus, the ECDLP instance can be solved by computing z = (σ* v_1* − σ v_1) / (σ − σ*). We evaluate B's success probability after the two simulation games as ε ≥ 10(q_ESign + 1)(q_ESign + q_h1)/2^k, and the expected running time spent by B is t' ≤ 120686 q_h1 t/ε.
Note that an adversary might try to derive a valid ciphertext if he/she has access to multiple ciphertexts. Yet, each valid ciphertext also contains a valid signature which is randomly generated and protected by a secret value chosen by the signer. Consequently, it is computationally infeasible for any adversary to mount forgery attacks from multiple known ciphertexts.

Performance Evaluation
In a three-party communication environment, a party usually has to transmit the same message to the other two parties. When the message is encrypted with traditional asymmetric approaches, the sender is required to run the encryption process twice for two recipients who do not want to share their private keys with each other. In this way, a sender engaged in three-party communication environments often incurs higher computational costs. From this computational perspective, we show that the proposed scheme is better than previous single-user setting mechanisms.
As our protocol is implemented on pairing-based systems, we only consider the time-consuming operations, namely the bilinear map, exponentiation and scalar multiplication. The operations of XOR, addition and one-way hash functions are ignored. The symbols used are presented in Table 1. Table 2 summarizes the computational comparison among our TPAE scheme and three similar protocols: Lee et al.'s (Lee10) [34], the Hsu-Lin (Hsu14) [24] and the Islam-Biswas (Islam13) [35]. In order to obtain more uniform comparison results, we adopt Cao et al.'s experimental figures [36] to transform the above computation into approximate running times, as shown in Figures 1-3. Specifically, the computation of a bilinear pairing, an exponentiation and a scalar multiplication takes approximately 20.01 ms, 11.2 ms and 6.38 ms, respectively.
In Figure 1, a sender of the proposed scheme has to spend about 39.15 ms to generate a ciphertext intended for two recipients. The required time is the minimum among all compared mechanisms. Although in Figure 2 the per-recipient running time of both Lee et al.'s [34] and the Islam-Biswas [35] schemes is better than ours, the proposed scheme still exhibits better performance as a whole in Figure 3. Accordingly, it is evident that our proposed scheme outperforms the compared ones from either the sender side or the perspective of the entire mechanism.

Conclusions
AE schemes with convertibility have found numerous applications in online transactions such as e-auctions and confidential contract signing. In this paper, we focused on the applications of three-party communication environments and proposed a novel three-party AE (TPAE) scheme. Unlike most group-oriented AE mechanisms, which require cooperative verification, our TPAE scheme allows two designated recipients to decrypt the acquired ciphertext on their own and inspect the recovered signature without utilizing shared secrets. Moreover, the signature conversion process is computation-free and can be carried out by each designated recipient alone. To ensure practical feasibility, the requirements of IND-CCA2 and EF-CMA for our construction are both fulfilled in the formal random oracle proof model. Compared to previous similar protocols in terms of computational effort, the designed approach is particularly appealing for three-party applications.


h_3 oracle: A could submit an h_3(E) query to get the value v_3 ∈_R G_1. A record (E, v_3) is also written into the h_3-list maintained by B.
Reg_U query: A could choose an index i to request a Reg_U query. If i = a, B sends (Y_a = xP, Cert_a) to A. If i = b, B returns (Y_b = yP, Cert_b) to A. When i = s, B calls the Reg_U algorithm to get (x_s, Y_s, Cert_s) and then returns (Y_s, Cert_s) to A.
ESign query: A could request an ESign query on an arbitrarily chosen message m. B runs the ESign algorithm and returns the corresponding result.
EVerify query: A could request an EVerify query on a ciphertext δ = (W, σ, c). B uses (W, σ) as keywords to search the h_2-list for all matching values v_2. If one of the matching v_2 satisfies e(σ, Y_s + h_1(c ⊕ v_2, W, T)P) = e(W, P), B returns (c ⊕ v_2, W, σ, T). Otherwise, A receives an error symbol.
Challenge: After requesting several queries, the adversary A creates two messages m_0 and m_1 with |m_0| = |m_1|. Then B determines λ ← {0, 1} by flipping an internal coin and computes a ciphertext δ* for the selected m_λ with the following steps:

Figure 1. Comparison of approximate running time for sender in three-party communication environments.

Figure 2. Comparison of approximate running time for each recipient in three-party communication environments.

Figure 3. Comparison of approximate running time for entire scheme in three-party communication environments.

Table 1. The used symbols.

Table 2. Computational comparison in three-party communication environments.