A Novel Dual Authenticated Encryption Scheme Suitable for Social Networking Services

Abstract: Many social networking services, such as Skype, Line, and Facebook Messenger, now support three-party communication. A cryptographic encryption scheme is the usual measure for protecting the messages. However, traditional asymmetric encryption allows only one designated recipient to decrypt a ciphertext with his or her private key, so two parties cannot share the same ciphertext without exposing their private keys. In this paper, the author proposes a novel dual authenticated encryption (DAE) scheme designed for three-party communication environments. A DAE scheme enables one party to generate a single ciphertext that each of the other two participants can decrypt on his or her own, without either of them revealing a private key. It is also formally shown, in the random oracle model, that the proposed scheme achieves the essential security properties.


Introduction
With the rise of the Internet, people have changed how they behave in daily life. More and more transactions are made online. The telephone is no longer the only way to communicate with others: e-mail, chat rooms, and all kinds of instant messaging software are freely available and often the better option. However, online security also raises serious concerns. Public key cryptography (PKC) [1], introduced by Diffie and Hellman in 1976, provides security properties such as confidentiality [2,3], integrity, authenticity [4], and non-repudiation [5]. Cryptographic mechanisms for encryption and digital signatures [6][7][8] are therefore widely studied and adopted in many fields.
A conventional digital signature is publicly verifiable, since the verification key is the signer's public key. To restrict who can verify a given signature, the usual approach is a hybrid scheme that combines an encryption mechanism with a signature mechanism. The authenticated encryption (AE) scheme introduced by Horster et al. [9] is representative of this approach: the sender designates an intended recipient as the only person able to decrypt the ciphertext and verify the corresponding signature. Later, Zheng [10] and Petersen and colleagues [11] proposed other hybrid mechanisms, called signcryption schemes, which use a symmetric cryptographic operation to ensure confidentiality.
Since these hybrid systems grant only the designated recipient the ability to recover the message and verify its signature, a malicious sender can easily frame the recipient, leading to a later dispute over repudiation. Several solutions to this problem have been proposed. Zheng's work [12] uses zero-knowledge proofs [13][14][15] together with a trusted tamper-resistant device. Araki et al. [16] require the sender to cooperate with the recipient in the arbitration process, which adds computational burden. Wu and Hsu [17] and Huang and Chang [18] incorporated signature conversion into AE schemes, which could be viewed as the ideal approach. Yet, Lv et al. [19] found that both protocols fail to satisfy semantic security: given a ciphertext and only two candidate messages, an adversary can easily tell which one was encrypted. Since then, many improved hybrid schemes [20][21][22][23][24][25][26][27][28][29][30][31][32] have been proposed.
In recent years, social networking services including Facebook, Line, and Skype have been widely used by people of all ages. Besides traditional two-party communication, multi-party (especially three-party) communication has become common thanks to broadband networks. To guarantee confidentiality and authenticity in such applications, the design of group-oriented cryptographic mechanisms has become important. In 2011, Hsu and Lin [33] introduced an AE scheme that allows a group of signers to cooperatively deliver a designated ciphertext; moreover, each user's private key can be updated over an unlimited number of time periods. In 2012, Lu et al. [34] addressed a variant that extends the single designated verifier to a group of n participants. In 2014, Lin [35] generalized the signing policy with a threshold value: only when the number of participating parties is equal to or greater than the threshold can they create a valid authenticated ciphertext. Nevertheless, most of the existing literature focuses on either the conventional two-party setting or cooperative group environments. This motivates us to design a better alternative for the growing number of three-party social networking services, in which each entity usually runs an independent process without cooperation.
Three-party communication is a natural extension of the conventional two-party setting: it arises whenever a third person joins. For example, the sales representatives of two enterprises might chat online through the Line messenger service; when an important procurement is about to be made, a legal representative is asked to join the conversation to ensure the validity of the transaction. Unlike many multi-party environments in which the participants belong to the same group and share a common key, a three-party communication usually involves independent recipients. We therefore concentrate on a protocol suited to exactly three independent parties.
Although some existing protocols employed in social networking services also support three-party communication, they usually rely on group key management or symmetric key encryption. Our scheme eliminates the cost of generating a group key and removes the limitation that a ciphertext can be decrypted by only one specific private key. One might also consider (multi-party) attribute-based encryption for the three-party scenario. However, attribute issuing, verification, and management add complexity in practice, and preventing attribute-collusion attacks is a troublesome issue.

Preliminaries
We describe the essential mathematical background and the related computational assumptions in this section.

Bilinear Pairing
Let G1 be an additive group and G2 a multiplicative group, both of the same prime order q. A bilinear map e: G1 × G1 → G2 has the following properties: (i) Bilinearity: for all A, B, P ∈ G1, e(A + B, P) = e(A, P)e(B, P) and e(P, A + B) = e(P, A)e(P, B); consequently, e(aP, bQ) = e(P, Q)^ab for all a, b ∈ Zq. (ii) Non-degeneracy: if P is a generator of G1, then e(P, P) is a generator of G2 (in particular, e(P, P) ≠ 1). (iii) Computability: for any A, B ∈ G1, there is an efficient algorithm to compute e(A, B).

Elliptic Curve Discrete Logarithm Problem (ECDLP)
Given two points P, Q ∈ G1, where P is a base point and Q = aP for some integer a ∈ Zq*, the ECDLP is to compute a.

Elliptic Curve Discrete Logarithm (ECDL) Assumption
No probabilistic polynomial-time (PPT) algorithm A has a non-negligible advantage in solving the ECDLP. More precisely, for every positive polynomial D(·) and all sufficiently large k, the probability that A solves an ECDLP instance (P, Q) with Q = aP satisfies Pr[A(P, Q) = a] < 1/D(k). The probability is taken over the uniformly and independently chosen instance and over the random choices of A.

Bilinear Diffie-Hellman (BDH) Assumption
Given (P, P1, P2, P3) = (P, xP, yP, zP) for x, y, z ∈ Zq*, the bilinear Diffie-Hellman problem (BDHP) is to compute e(P, P)^xyz. No PPT algorithm A has a non-negligible advantage in solving the BDHP. More precisely, for every positive polynomial D(·) and all sufficiently large k, Pr[A(P, P1, P2, P3) = e(P, P)^xyz] < 1/D(k). The probability is taken over the uniformly and independently chosen instance and over the random choices of A.

Proposed DAE Scheme
We present the proposed DAE scheme, built on bilinear pairing groups. The participating parties and the algorithms are defined first.

Participating Parties
A DAE scheme involves three participants: a sender and two designated recipients. The sender uses his or her private key to create an authenticated ciphertext and transfers it to the other two participants. Each designated recipient can then, on his or her own, decrypt the ciphertext and verify the corresponding signature. A DAE scheme is correct if a valid ciphertext generated by one party can be independently decrypted and verified by each of the other two designated recipients in the three-party communication environment.

Algorithms
The proposed DAE scheme consists of the following algorithms. Setup: Taking a security parameter k as input, a system authority runs this algorithm to generate the public parameters params.

Keygen:
The algorithm takes an index i as input and outputs the corresponding key pair (xi, Yi) along with a public key certificate Certi. A valid certificate Certi must be issued by a Certificate Authority, which also maintains a certificate revocation list (CRL) of revoked public key certificates. Anyone who obtains a public key first requests its certificate and checks it, including against the CRL, to verify that the public key is valid.
AEncrypt: The algorithm takes as input a message m, the public keys of the two designated recipients, and the private key of the sender. It outputs the corresponding authenticated ciphertext δ.

ADecrypt:
The algorithm takes three inputs: an authenticated ciphertext δ, the private key of one designated recipient, and the public key of the sender. If the ciphertext δ is valid, it outputs the decrypted message m and its signature Ω; otherwise, it returns the error symbol ⊥.

Concrete Construction
Setup: Given a 512-bit security parameter k, the system authority first chooses an additive group G1 and a multiplicative group G2 of the same prime order q, a generator P of G1, and a bilinear map e: G1 × G1 → G2. Three collision-resistant hash functions are used: h1: {0, 1}* × G1 → Zq, h2: G1 × Zq × G1 → {0, 1}^k, and h3: G2 → G1.
Keygen: Given an index i, a party Ui runs this algorithm to obtain the key pair (xi ∈R Zq, Yi = xiP) along with a public key certificate Certi.
AEncrypt: Assume that Ua, Ub, and Uc are engaged in a three-party communication. To deliver a message m designated for Ub and Uc, Ua runs the algorithm, choosing an Then, the generated authenticated ciphertext δ = (R, σ, r) is returned and sent to Ub and Uc.
ADecrypt: Upon receiving δ = (R, σ, r), Ub and Uc can employ his/her own private key to run this algorithm which first computes 2) and decrypts the original message m as With the redundancy embedded in m, it is able to check the validity of the recovered message.Moreover, the corresponding signature can be verified by checking if If the above equality holds, the algorithm returns the message m and its signature Ω = (R, σ); else, a symbol ⊥ is outputted to denote invalid ciphertext.
We now show that Equations (6) and (7) hold. Expanding the right-hand side of Equation (6) and substituting Equation (4) leads to its left-hand side.
If an authenticated ciphertext δ = (R, σ, r) is correct, it passes the test of Equation (7). From the left-hand side of Equation (7

Security Proof
In this section, we demonstrate the security of the DAE scheme based on intractable computational problems. Specifically, we use the random oracle model to prove the essential security requirements of the mechanism.

Security Model
We first define the security models of confidentiality and unforgeability for the proposed DAE scheme.

Definition 1. (Confidentiality) A DAE scheme achieves indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) if no probabilistic polynomial-time adversary A has a non-negligible advantage in the following game played with a challenger B:
Setup: The challenger B runs the Setup algorithm and returns the system's public parameters params to the adversary A. Phase 1: To model the capability of the adversary A, we define three oracles that A may query and that B answers consistently.

Keygen oracle:
A submits a Keygen query on an index i, and B responds with (Yi, Certi) ← Keygen(i).

Challenge:
The adversary A sends B two messages, m0 and m1, of the same length. The challenger B flips an internal coin λ ← {0, 1}, generates an authenticated ciphertext δ* for mλ, and returns it to A as the challenge.
Phase 2: The adversary A may issue further queries to the oracles defined in Phase 1, except that no ADecrypt query on the target ciphertext δ* is allowed.
Guess: Finally, the adversary A outputs a bit λ′ and wins the game if λ′ = λ.
Therefore, the advantage of A in the above game is defined as Adv(A) = |Pr[λ′ = λ] − 1/2|.

Definition 2. (Unforgeability) A DAE scheme is existentially unforgeable under adaptive chosen-message attacks (EF-CMA) if no probabilistic polynomial-time adversary A has a non-negligible advantage in the following game played with a challenger B:
Setup: The challenger B runs the Setup algorithm and returns the system's public parameters params to the adversary A.
Phase 1: The adversary A may query the Keygen and AEncrypt oracles, defined as in Definition 1. Forgery: After sufficiently many queries, the adversary A chooses an arbitrary message m* and outputs a forged ciphertext δ* for it; δ* must not have been obtained directly from an AEncrypt query. If the forged ciphertext δ* for m* is valid, the adversary A wins the game.

Security Proofs
Based on the security models defined above, we formally prove the security of the DAE scheme in the IND-CCA2 and EF-CMA notions.

Theorem 1. (Proof of Confidentiality)
In the IND-CCA2 notion, the proposed DAE scheme is (t, ε)-secure if no probabilistic polynomial-time adversary breaks the BDHP with non-negligible advantage ε' within time t', where ε' ≥ ε and t' ≈ t + tλ. Here, tλ denotes the time required to execute all oracle queries.
Proof: Assume that, in the IND-CCA2 notion, there is a probabilistic polynomial-time adversary A with non-negligible advantage ε that breaks the proposed DAE scheme within time t. A has the capabilities stated in Definition 1 together with access to the hi oracles (for i = 1, 2, 3). Let qO be the maximum number of queries A may make to an oracle O. The theorem is proven by contradiction: we construct a (t', ε')-algorithm B that uses A to solve a BDHP instance (P, xP, yP, zP), i.e., to compute e(P, P)^xyz. When A submits an oracle query, B acts as the challenger and responds.
Setup: B runs the Setup algorithm and returns the system's public parameters params = {G1, G2, q, P, e} to A, who selects a target sender Ua and two participants Ub and Uc in the simulated three-party communication environment.
Phase 1: The interactions between A and B are as follows. h1 oracle: When A submits a fresh h1 query on (m, R), B responds with an integer v1 ∈R Zq and records (m, R, v1) for later inspection. h2 oracle: When A submits a fresh h2 query on (R, σ, Z), B responds with a value v2 ∈R {0, 1}^k and records (R, σ, Z, v2) for later inspection. The remaining oracles of Phase 1, the Challenge, Phase 2, and the analysis of the game appear in the continuation of this proof at the end of the page.
Then, the success probability of B is ε' ≥ ε and its running time is t' ≈ t + tλ. Since the BDHP is assumed to be intractable in polynomial time, this contradicts our initial assumption. Therefore, the proposed DAE scheme is secure in the IND-CCA2 notion. Q.E.D.
Theorem 2. (Proof of Unforgeability)
In the EF-CMA notion, the proposed DAE scheme is secure if the ECDLP is intractable.
Proof: Let A be a probabilistic polynomial-time adversary that can query the oracles stated in Definition 2 and the hi oracles (for i = 1, 2, 3). Let qO be the maximum number of queries A may make to an oracle O. Assume that, in the EF-CMA notion, A has a non-negligible advantage ε in breaking the proposed DAE scheme within time t. Using the oracle replay technique and the Forking Lemma [36], we construct a (t', ε)-algorithm B that uses A to solve an ECDLP instance (P, xP); the goal of B is to compute x. When A submits an oracle query, B acts as the challenger and responds. Setup: B runs the Setup algorithm and returns the system's public parameters params = {G1, G2, q, P, e}, together with a prepared random tape of random bits, to A, who selects a target sender Ua and two participants Ub and Uc in the simulated three-party communication environment. B then runs two rounds of the proposed DAE scheme with A on the same system parameters.

Phase 1:
The interactions between A and B are as follows. For all hash oracles, B behaves as in Theorem 1. Keygen oracle: When A submits a fresh Keygen query on the index i = a, B directly returns (xP, Certa), i.e., the target sender's public key Ya is set to xP. Otherwise, B runs Keygen(i) to obtain (xi, Yi, Certi) and responds with (Yi, Certi).
Forgery: At the end of the game, A outputs a forged ciphertext δ = (R, σ, r) with respect to (m, Ya, Yb, Yc). Analysis of the game: As mentioned above, B runs two rounds of the scheme with A on the same parameters and random tape. Because the same random tape is used in the second round, A makes the same random choices as in the first round. In the second round, however, B replaces the h1 oracle's answer on (m, R) with a new value v1*. If the second forgery δ* = (R, σ*, r*) with respect to (m, Ya, Yb, Yc) is also valid and h1(m, R) = v1*, then B obtains two equalities. Combining and further deriving these equalities, B can compute x and thereby solve the ECDLP instance. By the Forking Lemma, if ε ≥ 10(qAEncrypt + 1)(qAEncrypt + qh1)/2^k, then B solves the instance within expected time t' ≤ 120686 qh1 t/ε. Since the ECDLP is assumed to be intractable (the ECDL assumption), the advantage and running time of B contradict that assumption, so the proposed DAE scheme is secure in the EF-CMA notion. Q.E.D.
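The following Python program is an added example written for this page; it is not the paper's code. It runs the three-party flow of the Concrete Construction (one AEncrypt by Ua, independent ADecrypt runs by Ub and Uc, rejection of a tampered ciphertext and of a non-designated party) and then the oracle-replay step of the argument above, in which two valid signatures on the same R answered with different h1 values reveal the signer's private key. Everything the extracted page does not state is an assumption here: the sender-side formulas R = tP, σ = t − h1(m, R)xa, Z = h3(e(Yb, Yc)^t) and r = m ⊕ h2(R, σ, Z) are reconstructed so that the checks the page does show (Z = h3(e(Yc, xbR)), m = r ⊕ h2(R, σ, Z), R = σP + h1(m, R)Ya) hold; h1, h2 and h3 are instantiated with SHA-256 and SHAKE-256, h3 as H(·)P; the redundancy in m is an 8-byte checksum; and the pairing is the modified Tate pairing on the toy curve y² = x³ + x over F_1051 with q = 263, which is far too small for any security and is used only so that the pairing can be computed from scratch.

```python
# Toy run of the DAE flow and of the oracle-replay key extraction.  Added example, not the
# paper's code: sender-side formulas, hash instantiations, redundancy format and curve are
# assumptions (see the lead-in); the parameters are tiny and give no security.
import hashlib
import secrets

p, q = 1051, 263   # E: y^2 = x^3 + x over F_p, p = 3 mod 4, #E = p + 1 = 4*q, embedding degree 2

def inv(a):
    return pow(a % p, p - 2, p)
def ec_add(A, B):  # affine addition on E(F_p); None is the point at infinity
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = (3 * x1 * x1 + 1) * inv(2 * y1) % p if x1 == x2 else (y2 - y1) * inv(x2 - x1) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)
def ec_mul(k, A):
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == "1":
            R = ec_add(R, A)
    return R
def fp2_mul(u, v):  # F_{p^2} = F_p[i]/(i^2 + 1); (a, b) stands for a + b*i
    return ((u[0] * v[0] - u[1] * v[1]) % p, (u[0] * v[1] + u[1] * v[0]) % p)
def fp2_pow(u, e):
    r = (1, 0)
    for bit in bin(e)[2:]:
        r = fp2_mul(r, r)
        if bit == "1":
            r = fp2_mul(r, u)
    return r

def pairing(A, B):
    """Modified Tate pairing e(A, B) = f_{q,A}(phi(B))^((p^2-1)/q) with phi(x, y) = (-x, i*y), via
    Miller's loop; vertical lines take values in F_p, which the final exponentiation sends to 1."""
    def line(T, lam):  # line of slope lam through T, evaluated at phi(B)
        return ((lam * (B[0] + T[0]) - T[1]) % p, B[1])
    f, T = (1, 0), A
    for bit in bin(q)[3:]:
        f = fp2_mul(fp2_mul(f, f), line(T, (3 * T[0] * T[0] + 1) * inv(2 * T[1]) % p))
        T = ec_add(T, T)
        if bit == "1":
            if T[0] == A[0]:  # T = -A, which happens only at the last step: the chord is vertical
                T = None
            else:
                f = fp2_mul(f, line(T, (A[1] - T[1]) * inv(A[0] - T[0]) % p))
                T = ec_add(T, A)
    return fp2_pow(f, (p * p - 1) // q)

def find_generator():  # a point of order q: clear the cofactor 4 off the first curve point found
    for x in range(1, p):
        rhs = (x ** 3 + x) % p
        if pow(rhs, (p - 1) // 2, p) == 1 and (G := ec_mul(4, (x, pow(rhs, (p + 1) // 4, p)))):
            return G
P = find_generator()

# Assumed h1: {0,1}* x G1 -> Z_q, h2: G1 x Z_q x G1 -> {0,1}^k, h3: G2 -> G1 (realised as H(.)*P).
def enc(*parts):
    return b"|".join(x if isinstance(x, bytes) else str(x).encode() for x in parts)
def h1(m, R):
    return int.from_bytes(hashlib.sha256(enc(b"h1", m, R)).digest(), "big") % q
def h2(R, sigma, Z, nbytes):
    return hashlib.shake_256(enc(b"h2", R, sigma, Z)).digest(nbytes)
def h3(g):
    return ec_mul(1 + int.from_bytes(hashlib.sha256(enc(b"h3", g)).digest(), "big") % (q - 1), P)
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def keygen():
    x = 1 + secrets.randbelow(q - 1)
    return x, ec_mul(x, P)

def aencrypt(payload, xa, Yb, Yc):  # Ua produces one ciphertext for both Ub and Uc
    m = payload + hashlib.sha256(payload).digest()[:8]   # 8-byte checksum as the redundancy
    t = 1 + secrets.randbelow(q - 1)                     # must be fresh for every ciphertext
    R = ec_mul(t, P)
    sigma = (t - h1(m, R) * xa) % q                      # so that R = sigma*P + h1(m, R)*Ya
    Z = h3(fp2_pow(pairing(Yb, Yc), t))                  # = h3(e(P, P)^(xb*xc*t))
    return R, sigma, xor(m, h2(R, sigma, Z, len(m)))
def adecrypt(delta, x_self, Y_other, Ya):  # Ub runs it with (xb, Yc), Uc with (xc, Yb)
    R, sigma, r = delta
    Z = h3(pairing(Y_other, ec_mul(x_self, R)))          # Ub: e(Yc, xb*R); Uc: e(Yb, xc*R)
    m = xor(r, h2(R, sigma, Z, len(r)))
    body, tag = m[:-8], m[-8:]
    if hashlib.sha256(body).digest()[:8] != tag:         # redundancy check failed -> bottom
        return None
    if R != ec_add(ec_mul(sigma, P), ec_mul(h1(m, R), Ya)):   # signature check failed -> bottom
        return None
    return body, (R, sigma)                              # (m, Omega)
def demo():
    (xa, Ya), (xb, Yb), (xc, Yc), (xd, _) = keygen(), keygen(), keygen(), keygen()
    R, sigma, r = delta = aencrypt(b"approve purchase order 1138", xa, Yb, Yc)
    tampered = (R, sigma, bytes([r[0] ^ 1]) + r[1:])
    return (adecrypt(delta, xb, Yc, Ya), adecrypt(delta, xc, Yb, Ya),
            adecrypt(tampered, xb, Yc, Ya), adecrypt(delta, xd, Yc, Ya))

# Oracle replay of the Theorem 2 argument: the same tape (same t, same R) answered with two
# h1 values v1 != v1* for (m, R) gives sigma - sigma* = (v1* - v1) * xa, hence xa.
def extract_private_key(sigma, v1, sigma_star, v1_star):
    return (sigma - sigma_star) * pow((v1_star - v1) % q, q - 2, q) % q
def forking_demo():
    xa, Ya = keygen()
    t = 1 + secrets.randbelow(q - 1)
    R, v1, v1_star = ec_mul(t, P), 17, 42
    sigma, sigma_star = (t - v1 * xa) % q, (t - v1_star * xa) % q
    valid = all(R == ec_add(ec_mul(s, P), ec_mul(v, Ya)) for s, v in ((sigma, v1), (sigma_star, v1_star)))
    return valid and extract_private_key(sigma, v1, sigma_star, v1_star) == xa
```

demo() returns the outputs of Ub and Uc (the same payload and the same signature Ω = (R, σ)) followed by the results for a ciphertext with one flipped bit of r and for a party that was not designated; both of the latter are None, the example's stand-in for ⊥, because the recovered m fails the redundancy check before the signature is even examined. forking_demo() returns True when the key recovered from the two replayed signatures equals xa. The extraction is the same randomness-reuse failure known from Schnorr and ECDSA: the proof relies on it against a forger, so an implementation must guarantee it can never arise against an honest signer, which means t has to be fresh and uniformly random for every ciphertext.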

Efficiency
To assess the practical benefits, we evaluate the efficiency of the DAE scheme in terms of computational effort in the three-party communication environment. For convenience, the time-consuming operations and their approximate running times, as measured in [37], are defined in Table 1. The bilinear pairing is the most expensive operation in a pairing-based system. Table 2 gives a detailed comparison with related protocols: Lee et al.'s (LCL) [38], Hsu and Lin's (HL) [22], Islam and Biswas's (IB) [39], and Chen et al.'s (CZXY) [40] schemes. Table 3 compares the communication overheads in terms of ciphertext length, using the supersingular elliptic curve E/Fp: y^2 = x^3 + x with a 160-bit prime q and a 512-bit prime p. The proposed DAE scheme is more efficient from both the sender's and the recipient's computational perspective. It should be noted, however, that a total time of more than 100 ms would be unacceptable for real-time synchronous voice or video communication. For text messaging, the transmission latency is noticeable but acceptable as the tradeoff for a higher security level. Figure 1 further shows the difference in computational effort for different numbers of ciphertexts.

Conclusions
To facilitate the three-party applications of many social networking services, this paper introduced a novel DAE scheme based on bilinear pairings. In the proposed scheme, a sender in a three-party communication environment can generate a single authenticated ciphertext that each of the other two participants can decrypt and verify on his or her own, without compromising the confidentiality of their private keys. Unlike attribute-based encryption, in which a user's attributes are associated with the ciphertext or the decryption key, our scheme works in the conventional public key setting without managing any attributes. We showed, in the random oracle model, that the scheme is computationally secure in the IND-CCA2 and EF-CMA notions. We also compared the scheme with related protocols in terms of computational effort; the comparison shows that the proposed DAE scheme is a better alternative for three-party communication environments.

Proof of Theorem 1 (continued)
h3 oracle: When A submits a fresh h3 query on v3 ∈ G2, B responds with a value V3 ∈R G1 and records (v3, V3) for later inspection.
Keygen oracle: When A submits a fresh Keygen query on an index i ∈ {b, c}, B directly returns (yP, Certb) for i = b or (zP, Certc) for i = c. Otherwise, B runs Keygen(i) to obtain (xi, Yi, Certi) and responds with (Yi, Certi).
AEncrypt oracle: When A submits a fresh AEncrypt query on (m, Yi, Yj, Yk) with i ∉ {b, c}, B responds with δ ← AEncrypt(m, Yi, Yj, Yk). Otherwise, B aborts.
ADecrypt oracle: When A submits a fresh ADecrypt query on {δ = (R, σ, r), Yi, Yj, Yk} with (j, k) ≠ (b, c), B responds with ADecrypt(δ, Yi, Yj, Yk). If (j, k) = (b, c), B inspects all h2 records containing (R, σ). If the value v2 of some matching record satisfies R = σP + h1(r ⊕ v2, R)Yi, B responds with {m = r ⊕ v2, Ω = (R, σ)}; otherwise, it returns the error symbol.
Challenge: The adversary A sends B two messages, m0 and m1, of the same length. The challenger B flips an internal coin λ ← {0, 1} to select mλ, chooses v1, σ* ∈R Zq and v2 ∈R {0, 1}^k, and generates the authenticated ciphertext δ* = (R*, σ*, r*) with R* = xP and r* = mλ ⊕ v2. For consistency, the records (mλ, R*, v1) and (R*, σ*, null, v2) are added to the h1 and h2 lists, respectively. Finally, δ* is returned to A as the target challenge.
Phase 2: The adversary A may issue further queries as in Phase 1, except that no ADecrypt query on the target ciphertext δ* is allowed.
Analysis of the game: In the simulation above, the public keys Yb and Yc are set to yP and zP, respectively, and the ciphertext component R* is set to xP. To form the h2 query on (R*, σ*, Z*) in Phase 2, where Z* = h3(e(Yc, xbR*)) = h3(e(P, P)^xyz), A must query the h3 oracle on e(P, P)^xyz; when this happens, B reads the solution of the BDHP instance from its h3 records and thus has a non-negligible advantage. We call this event H3O*. However, B might return an error symbol for an ADecrypt query on a valid ciphertext if A never submitted the corresponding h2 query. We denote this event ADecrypt_ERR, with Pr[ADecrypt_ERR] ≤ qADecrypt/2^k over the entire simulation. When the game is perfectly simulated (event PS), A has no advantage in guessing λ, i.e., Pr[λ′ = λ | PS] = 1/2. By conditional probability and further derivation, |Pr[λ′ = λ] − 1/2| ≤ (1/2)Pr[¬PS]. Since our initial assumption gives A probability ε of breaking the proposed DAE scheme, we have

Figure 1. Comparison of computational costs among different quantities of ciphertext in the three-party communication environment.

Table 1. Definition of utilized notations.

Table 2. Comparisons of computational costs in three-party communication environments.

Table 3. Comparisons of communication overheads in three-party communication environments.