Research Article

New Construction of PVPKE Scheme and Its Application in Information Systems and Mobile Communication

Minqing Zhang (1,2), Xu An Wang (2), Xiaoyuan Yang (2), and Weihua Li (1)

1 School of Computer Science, Northwestern Polytechnical University, Xi'an 710072, China
2 Key Laboratory of Information and Network Security, Engineering University of Chinese Armed Police Force, Xi'an 710086, China

Correspondence should be addressed to Xu An Wang; [email protected]

Received 29 August 2014; Accepted 1 September 2014

Academic Editor: David Taniar

Hindawi Publishing Corporation, Mobile Information Systems, Volume 2015, Article ID 430797, 10 pages, http://dx.doi.org/10.1155/2015/430797

Copyright © 2015 Minqing Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

In SCN12, Nieto et al. discussed an interesting property of public key encryption with chosen ciphertext security, that is, ciphertexts with public verifiability. Independently, we introduced a new cryptographic primitive, CCA-secure publicly verifiable public key encryption without pairings in the standard model (PVPKE), and discussed its application in proxy reencryption (PRE) and threshold public key encryption (TPKE). In Crypto'09, Hofheinz and Kiltz introduced the group of signed quadratic residues and discussed its application; the most interesting feature of this group is its "gap" property: the computational problem is as hard as factoring, while the corresponding decisional problem is easy. In this paper, we give new constructions of PVPKE schemes based on signed quadratic residues and analyze their security. We also discuss important applications of PVPKE in modern information systems, such as making ciphertexts checkable in the cloud setting for mobile laptops, reducing the workload of the gateway between the open internet and the trusted private network, and letting routers drop invalid ciphertexts to help the network preserve its communication bandwidth.

1. Introduction

In modern information systems such as mobile wireless networks, social networks, the open internet, and cloud computation, security is an important issue [1, 2]. Public key encryption [3] is among the most important basic tools for strengthening the whole system's security. Along with the development of information systems, the security notion for public key encryption has been strengthened. The first proposal of public key encryption, RSA, though a great breakthrough in cryptography, only achieves the notion of one-way security [4]. In 1984, Goldwasser and Micali [5] proposed the notion of semantic security (also known as indistinguishability security, IND-CPA). This security notion states that the challenge ciphertext must contain no more information than a randomly chosen ciphertext. Although it is a reasonable security notion, many applications using public key encryption as a basic tool need a stronger security notion, that is, chosen ciphertext security (IND-CCA). Compared with the semantic security notion, this notion considers that the adversary can get help from a decryption oracle (the adversary can query the decryption oracle with ciphertexts of his choice, except for the challenge ciphertext, which cannot be queried). Until now, many CCA-secure PKE schemes have been proposed [6–11].

Active attackers play a more and more important role in breaking the security of modern information systems [1, 2]; thus chosen ciphertext security of the encryption scheme is essential for these systems. However, if validity can only be checked by the decrypter privately with his secret key, the whole system can easily suffer from ciphertext-malleability attacks. Active attackers can easily modify a valid ciphertext transferred in the network to obtain numerous malicious ciphertexts and thus consume precious bandwidth. Although these ciphertexts can be rejected by the decrypter at the last moment, they have already caused great problems in the system. These problems can affect the users' experience of the system. Even more seriously, they can shut down the whole system and bring damage to the service-providing corporations. If the validity of these ciphertexts can be checked publicly, the problems can be easily solved: the routers or the access infrastructure can drop these maliciously created ciphertexts, and the bandwidth is effectively preserved [12]. As a concrete example, imagine using a mobile phone for secure instant messaging (as with MSN) and constantly having to deal with nonsense, invalid ciphertexts maliciously created by active attackers; if the access infrastructure is equipped with PVPKE and filters these invalid ciphertexts for you, the experience is clearly better. In short, PVPKE is an important tool for the smooth running of modern information systems that employ public key encryption as a basic means of achieving security.

However, researchers have paid little attention to the public verifiability of chosen ciphertext-secure ciphertexts. In the bilinear map setting, or by using a random oracle, public verifiability of ciphertexts from an IND-CCA-secure public key encryption can be easily achieved. Thus, in this paper we care about how to construct publicly verifiable public key encryption without pairings in the standard model. Recently, in [13], we introduced an interesting cryptographic primitive, PVPKE, defined as publicly verifiable chosen ciphertext-secure public key encryption in the standard model without pairings. PVPKE is a very powerful building block for constructing other interesting cryptographic protocols and cloud computation [14, 15]. For example, it can be used to construct chosen ciphertext- (CCA-) secure threshold public key encryption (TPKE) [16–20]. In TPKE, chosen ciphertext security always requires that the distributed decryption servers can check a ciphertext's validity before decryption; otherwise some valuable information about decryption is returned to the adversary, which helps the adversary break chosen ciphertext security. For another example, PVPKE can be a core block for constructing chosen ciphertext-secure proxy reencryption (PRE) [21–26]. Chosen ciphertext attackers can query the delegator's and the delegatee's decryption oracles arbitrarily; if invalid ciphertexts forwarded by the proxy to the delegatee are decrypted by the delegatee, the attackers can obtain useful information to break CCA security. Since the proxy, which holds no secret keys, needs to check the validity of the ciphertext for the delegatee before reencryption, public verifiability of the ciphertext seems to be an essential requirement for achieving CCA security for proxy reencryption.

In SCN12, Nieto et al. [27] discussed an interesting property of public key encryption with chosen ciphertext security, that is, ciphertexts with public verifiability. They also demonstrated an important application of this new primitive, that is, "nontrivial filtering" of an incoming IND-CCA-secure ciphertext into an IND-CPA-secure ciphertext with reduced workload by a gateway. They formally defined (nontrivial) public verifiability of ciphertexts for general encryption schemes, key encapsulation mechanisms, and hybrid encryption schemes, encompassing public key, identity-based, and tag-based encryption, and also gave several concrete constructions. But we also note that their constructions cannot simultaneously satisfy the four requirements on "PVPKE": (1) chosen ciphertext-secure, (2) publicly verifiable, (3) in the standard model, (4) without pairings. Thus their work further explores PVPKE's applications but does not give a concrete construction of PVPKE.

In Crypto'09, Hofheinz and Kiltz [28] introduced the group of signed quadratic residues and discussed its applications. The most interesting feature of this group is its "gap" property: the computational problem is as hard as factoring, while the corresponding decisional problem is easy. Membership in $QR^+_N$ can be publicly and efficiently verified, while the group inherits some nice intractability properties of the quadratic residues. For example, computing square roots in $QR^+_N$ is also equivalent to factoring the modulus $N$. We therefore have a gap group in which the corresponding decisional problem (i.e., deciding if an element is a signed square) is easy, whereas the computational problem (i.e., computing a square root) is as hard as factoring. We can also show that in the group of signed quadratic residues the Strong Diffie-Hellman problem is implied by the factoring assumption.

1.1. Our Contribution. In [13], based on the core idea of changing the prime modular field to the composite modular field, masking the verifying secret key with the secret order of the composite group, and making the resulting "pseudosecret key" public, we found it relatively easy to construct PVPKE schemes based on the Cramer-Shoup encryption and the Hanaoka-Kurosawa CCA-secure public key encryption.

In this paper, we show that by basing some of Nieto et al.'s schemes on signed quadratic residues, the resulting schemes can meet the requirements of PVPKE. The core idea behind this construction is that the DDH oracle can be publicly instantiated by a bilinear pairing, while it cannot be instantiated in a discrete logarithm group or an RSA group; but in signed quadratic residues the DDH oracle can be efficiently and publicly instantiated. Based on this observation, we give new constructions of PVPKE schemes based on signed quadratic residues and discuss their security.

Furthermore, we discuss PVPKE's important applications in modern information systems, such as making ciphertexts checkable in the cloud setting for mobile laptops, reducing the workload of the gateway between the open internet and the trusted private network, and letting routers drop invalid ciphertexts to help the network preserve its communication bandwidth effectively.

1.2. Related Works

1.2.1. Chosen Ciphertext Security in the Standard Model. Naor and Yung [29] introduced the notion of CCA security for public key encryption, and this notion was further extended by Rackoff and Simon [30], Dolev et al. [31], and Sahai [32]. Noninteractive zero-knowledge (NIZK) proofs are the core blocks of these constructions, which is a relatively inefficient paradigm whose efficient realization always relies on bilinear pairings or a random oracle. In 1993, Bellare and Rogaway [33] introduced the so-called random oracle, which idealizes the hash function as a perfect random function, to devise efficient CCA-secure public key encryption with provable security. However, the random oracle model has been criticized by cryptographers for its unrealistic assumption [34]. More and more cryptographers show interest in constructing efficient CCA-secure PKE in the standard model. Till now, there are at least four ways to construct efficient CCA-secure PKE in the standard model. The first way was proposed by Cramer and Shoup [8] and was further extended by themselves and other cryptographers [35–37]. The second way to construct CCA-secure PKE is the paradigm of IBE transformation, which allows transforming a selective-ID CPA-secure identity-based encryption (IBE) into a CCA-secure PKE [38–41]. The third way is based on verifiable broadcast encryption, which was proposed by Hanaoka and Kurosawa [9]. The fourth way relies on lossy trapdoor functions, introduced by Peikert and Waters [42] and further extended by Rosen and Segev [43] and many other works. Among the CCA-secure PKE schemes from these four ways, only the ones from the IBE transformation are publicly verifiable. However, most existing practical IBE schemes are based on time-consuming pairings.

1.2.2. Without Pairings. Bilinear pairings enabled the construction of the first practical identity-based encryption by Boneh and Franklin [44]. Since then, many wonderful results have been achieved by using bilinear pairings, such as fully collusion resistant broadcast encryption [45], efficient practical zero-knowledge proofs [46], searchable public key encryption [47, 48], attribute based encryption [49], and predicate encryption [50].

But we note that, on the one hand, bilinear pairing is a very powerful cryptographic tool; on the other hand, the implementation speed of bilinear pairing is still relatively slow. So recently many researchers have shown interest in constructing schemes without pairings, because, on the one hand, it clarifies which cryptographic tasks inherit the bilinear property of pairings and which do not, and, on the other hand, it gives us a new view on old cryptographic problems. For example, Baek et al. constructed the first certificateless public key encryption without pairing [51], while the concept of certificateless public key cryptography was first raised by using bilinear pairings [52]. Other examples include Deng et al.'s and Shao and Cao's CCA-secure proxy reencryption without pairing [53, 54].

1.2.3. Verifiable Public Key Encryption. Another related research area is (private) verifiable public key encryption, such as Camenisch and Shoup's work [55]. However, their work was concerned only with the decryptor's verifiability of the ciphertext instead of public verifiability. Kiayias et al. extended their work by introducing some new concepts for constructing group encryption [56]. Owing to the bilinear property of pairings, CCA-secure public key encryption with public verifiability can be easily achieved in the bilinear pairing setting. However, the situation is completely different in the "without pairing" setting: constructing a PVPKE scheme has remained an open problem for almost decades.

1.3. Organization. We organize our paper as follows. In Section 2 we give some preliminaries. In Section 3 we give our PVPKE construction based on signed quadratic residues and analyse its security. In Section 4 we discuss PVPKE's applications. In the last section we give our conclusion.

2. Preliminaries

2.1. Publicly Verifiable Public Key Encryption. A publicly verifiable public key encryption system consists of the following algorithms.

(i) The randomized key generation algorithm Gen takes as input a security parameter $1^k$ and outputs a public key (PK) and a secret key (SK). We write $(PK, SK) \leftarrow \mathrm{Gen}(1^k)$.

(ii) The randomized encryption algorithm $\mathcal{E}$ takes as input a public key (PK) and a message $m \in \{0,1\}^*$ and outputs a ciphertext $C$. We write $C \leftarrow \mathcal{E}_{PK}(m)$.

(iii) The verification algorithm $\mathcal{V}$ takes as input a ciphertext $C$ and a public key (PK). It returns valid or invalid to indicate whether the ciphertext is valid or not. Note that the validity of $C$ can be verified publicly.

(iv) The decryption algorithm $\mathcal{D}$ takes as input a ciphertext $C$ and a secret key (SK). It returns a message $m \in \{0,1\}^*$ or the distinguished symbol $\perp$. We write $m \leftarrow \mathcal{D}_{SK}(C)$.

We require that for all (PK, SK) output by Gen, all $m \in \{0,1\}^*$, and all $C$ output by $\mathcal{E}_{PK}(m)$, we have $\mathcal{D}_{SK}(C) = m$.

2.2. Chosen Ciphertext Security. We recall the standard definition of security against adaptive chosen ciphertext attack. A publicly verifiable public key encryption (PKE) scheme is secure against adaptive chosen ciphertext attacks (i.e., "CCA-secure") if the advantage of any PPT adversary $A$ in the following game is negligible in the security parameter $k$.

(1) $\mathrm{Gen}(1^k)$ outputs (PK, SK). Adversary $A$ is given $1^k$ and PK.

(2) The adversary may make polynomially many queries to a decryption oracle $\mathcal{D}_{SK}(\cdot)$.

(3) The adversary may make polynomially many queries to a verification oracle $\mathcal{V}_{PK}(\cdot)$.

(4) At some point, $A$ outputs two messages $m_0, m_1$ with $|m_0| = |m_1|$. A bit $b$ is randomly chosen and the adversary is given a "challenge ciphertext" $C^* \leftarrow \mathcal{E}_{PK}(m_b)$.

(5) $A$ may continue to query its decryption oracle $\mathcal{D}_{SK}(\cdot)$, except that it may not request the decryption of $C^*$.

(6) $A$ may continue to make polynomially many queries to the verification oracle $\mathcal{V}_{PK}(\cdot)$.

(7) Finally, $A$ outputs a guess $b'$.

We say that $A$ succeeds if $b' = b$ and denote the probability of this event by $\Pr^{A}_{PKE}[\mathrm{Succ}]$. The adversary's advantage is defined as $|\Pr^{A}_{PKE}[\mathrm{Succ}] - 1/2|$.

2.3. The Group of Signed Quadratic Residues

2.3.1. RSA Instance Generator. Let $0 \le \delta \le 1/2$ be a constant and let $n(k)$ be a function. Let RSAgen be an algorithm that generates elements $(N, P, Q)$ such that $N = PQ$ is an $n$-bit Blum integer ($N = PQ$ where $P \equiv 3 \pmod 4$ and $Q \equiv 3 \pmod 4$) and all prime factors of $\phi(N)/4$ are pairwise distinct and at least $\delta n$-bit integers.

2.3.2. Factoring Assumption. The factoring assumption is that computing $P, Q$ from $N$ (generated by RSAgen) is hard. We write

$$\mathrm{Adv}^{\mathrm{fac}}_{\mathcal{A},\mathrm{RSAgen}} = \Pr\bigl[\{P, Q\} \leftarrow_R \mathcal{A}(N) : (N, P, Q) \leftarrow_R \mathrm{RSAgen}(1^k)\bigr]. \quad (1)$$

The factoring assumption for RSAgen holds if $\mathrm{Adv}^{\mathrm{fac}}_{\mathcal{A},\mathrm{RSAgen}}$ is negligible for all efficient $\mathcal{A}$.

2.3.3. The Group of Signed Quadratic Residues. Let $N$ be an integer. For $x \in \mathbb{Z}_N$ we define $|x|$ as the absolute value of $x$, where $x$ is represented as a signed integer in the set $\{-(N-1)/2, \ldots, (N-1)/2\}$. For a subgroup $\mathbb{G}$ of $\mathbb{Z}^*_N$ we define the signed group $\mathbb{G}^+$ as the group

$$\mathbb{G}^+ = \{\, |x| : x \in \mathbb{G} \,\} \quad (2)$$

with the following group operation. Namely, for $g, h \in \mathbb{G}^+$ and an integer $x$ we define

$$g \circ h = |g \cdot h \bmod N|, \qquad g^x = g \circ g \circ \cdots \circ g = |g^x \bmod N|. \quad (3)$$

More complicated expressions in the exponents are computed modulo the group order; for example, $g^{1/2} = g^{2^{-1} \bmod \mathrm{ord}(\mathbb{G}^+)}$. Note that taking the absolute value is a surjective homomorphism from $\mathbb{G}$ to $\mathbb{G}^+$, with trivial kernel if $-1$ does not belong to $\mathbb{G}$ and with kernel $\{-1, 1\}$ if $-1 \in \mathbb{G}$.

Let $N$ be a Blum integer such that $-1$ does not belong to $QR_N$. We will mainly be interested in $QR^+_N$, which we call signed quadratic residues (modulo $N$). $QR^+_N$ is a subgroup of $\mathbb{Z}^*_N / \{\pm 1\}$, with absolute values as a convenient computational representation. The following basic facts hold.

Theorem 1. Let $N$ be a Blum integer; then we have the following.

(1) $(QR^+_N, \circ)$ is a group of order $\phi(N)/4$.

(2) $QR^+_N = J^+_N$. In particular, $QR^+_N$ is efficiently recognizable (given only $N$).

(3) If $QR_N$ is cyclic, so is $QR^+_N$.

2.3.4. Strong DH Assumption Reduced to the Factoring Assumption. Hofheinz and Kiltz [28] also proved that the strong DH assumption can be reduced to the factoring assumption. Here we review the theorem and its proof.

Theorem 2. If the factoring assumption holds, then the strong DH assumption holds relative to RSAgen. In particular, for every strong DH adversary $\mathcal{A}$ there exists a factoring adversary $\mathcal{B}$ (with roughly the same complexity as $\mathcal{A}$) such that

$$\mathrm{Adv}^{\mathrm{SDH}}_{\mathcal{A},\mathrm{RSAgen}}(k) \le \mathrm{Adv}^{\mathrm{fac}}_{\mathcal{B},\mathrm{RSAgen}}(k) + O\bigl(2^{-\delta n(k)}\bigr). \quad (4)$$

Proof. We construct $\mathcal{B}$ from a given $\mathcal{A}$. Concretely, $\mathcal{B}$ receives a challenge $N = PQ$, chooses uniformly $u \leftarrow_R (\mathbb{Z}^*_N)^+ \setminus QR^+_N$, and sets $h = u^2$. Note that by definition of $N$ we have $\langle h \rangle = QR^+_N$ except with probability $O(2^{-\delta n(k)})$. Then $\mathcal{B}$ chooses $a, b \in [N/4]$ and sets

$$g = h^2, \qquad X = h \circ g^a, \qquad Y = h \circ g^b \quad (5)$$

(here we omit the $\bmod N$ operation, and hereafter we continue to omit $\bmod N$ for typical modular exponentiations). This implicitly defines

$$\mathrm{dlog}_g X = a + \tfrac{1}{2} \bmod \mathrm{ord}(QR^+_N), \qquad \mathrm{dlog}_g Y = b + \tfrac{1}{2} \bmod \mathrm{ord}(QR^+_N), \quad (6)$$

where the discrete logarithms are of course considered in $(QR^+_N, \circ)$. Again by definition of $N$, the statistical distance between these $(g, X, Y)$ and the input of $\mathcal{A}$ in the strong DH experiment is bounded by $O(2^{-\delta n(k)})$. So $\mathcal{B}$ runs $\mathcal{A}$ on input $(g, X, Y)$ and answers $\mathcal{A}$'s oracle queries $(\hat{Y}, \hat{Z})$ as follows. First, we may assume that $\hat{Y}, \hat{Z} \in QR^+_N$, since $QR^+_N = J^+_N$ is efficiently recognizable. Next, since $N$ is a Blum integer, the group order $\mathrm{ord}(QR^+_N) = (P-1)(Q-1)/4$ is odd, and hence

$$\hat{Y}^{\mathrm{dlog}_g X} = \hat{Z} \iff \hat{Y}^{2\,\mathrm{dlog}_g X} = \hat{Z}^2 \iff \hat{Y}^{2a+1} = \hat{Z}^2. \quad (7)$$

Thus $\mathcal{B}$ can implement the strong DH oracle by checking whether $\hat{Y}^{2a+1} = \hat{Z}^2$ holds.

Consequently, with probability $\mathrm{Adv}^{\mathrm{SDH}}_{\mathcal{A},\mathrm{RSAgen}}(k) - O(2^{-\delta n(k)})$, $\mathcal{A}$ will finally output

$$Z = g^{(\mathrm{dlog}_g X)(\mathrm{dlog}_g Y)} = g^{(a + 1/2)(b + 1/2)} = h^{2ab + a + b + 1/2} \in QR^+_N, \quad (8)$$

from which $\mathcal{B}$ can extract $v = h^{1/2} \in QR^+_N$ (using its knowledge of $a$ and $b$). Since $u \notin QR^+_N$ and $v \in QR^+_N$ are two nontrivially different square roots of $h$, $\mathcal{B}$ can factor $N$ by computing $\gcd(u - v, N)$.

3. CCA-Secure Publicly Verifiable Public Key Encryption in the Standard Model Based on Signed Quadratic Residues

3.1. Review of Nieto et al.'s Publicly Verifiable PKE Scheme. Their construction is inspired by the IND-CCA public key KEM of Kiltz [57]; the PG (ParamGen) algorithm is similar to [57] except that it uses gap groups. $\mathrm{PG}(1^k)$ outputs public parameters $par = (\mathbb{G}, p, g, \mathrm{DDH}, H)$, where $\mathbb{G} = \langle g \rangle$ is a multiplicative cyclic group of prime order $p$, $2^k \le p \le 2^{k+1}$, DDH is an efficient algorithm such that $\mathrm{DDH}(g^a, g^b, g^c) = 1 \leftrightarrow c = ab \pmod p$, and $H : \mathbb{G} \to \{0,1\}^{l_1(k)}$ is a cryptographic hash function such that $l_1(k)$ is a polynomial in $k$. We also use a strong one-time signature scheme $\mathrm{OTS} = (\mathrm{KG}, \mathrm{Sign}, \mathrm{Vrfy})$ with verification key space $\{0,1\}^{l_2(k)}$ such that $l_2(k)$ is a polynomial in $k$, and a target collision resistant hash function $\mathrm{TCR} : \mathbb{G} \times \{0,1\}^{l_2(k)} \to \mathbb{Z}_p$. The message space is $\mathrm{MsgSp} = \{0,1\}^{l_1(k)}$. The scheme works as follows.

(i) PKE.KG($par$):
    $x \leftarrow \mathbb{Z}^*_p$, $u \leftarrow g^x$, $v \leftarrow \mathbb{G}$;
    $ek \leftarrow (u, v)$, $dk \leftarrow x$;
    Return $(ek, dk)$.   (9)

(ii) PKE.Enc($par, ek, M$):
    $(u, v) \leftarrow ek$;
    $(vk, sigk) \leftarrow \mathrm{OTS.KG}(1^k)$;
    $r \leftarrow_R \mathbb{Z}^*_p$, $c_1 \leftarrow g^r$;
    $t \leftarrow \mathrm{TCR}(c_1, vk)$, $\pi \leftarrow (u^t v)^r$;
    $K \leftarrow H(u^r)$, $c_2 \leftarrow M \oplus K$;
    $c \leftarrow (c_1, c_2, \pi)$;
    $\delta \leftarrow \mathrm{OTS.Sign}(sigk, c)$;
    Return $C = (c, \delta, vk)$.   (10)

(iii) PKE.Ver($par, ek, C$):
    $(u, v) \leftarrow ek$;
    $(c, \delta, vk) \leftarrow C$;
    $(c_1, c_2, \pi) \leftarrow c$;
    $t \leftarrow \mathrm{TCR}(c_1, vk)$;
    If $\mathrm{DDH}(c_1, u^t v, \pi) = 0$ or $\mathrm{OTS.Vrfy}(c, \delta, vk) = \perp$, return $\perp$;
    Return $C' = (c_1, c_2)$.   (11)

(iv) PKE.Dec$'$($par, ek, dk, C'$):
    $(c_1, c_2) \leftarrow C'$;
    $x \leftarrow dk$;
    $K \leftarrow H(c_1^x)$, $M \leftarrow c_2 \oplus K$;
    Return $M$.   (12)

3.2. Our Proposed PVPKE Scheme Based on Signed Quadratic Residues. First we give the core idea behind our construction. We observe that Nieto et al.'s PKE scheme actually is a PVPKE scheme, but the only issue is that they use an abstract DDH oracle. They instantiate this oracle by bilinear pairings, but we require that a PVPKE scheme cannot rely on bilinear pairings. We also observe that signed quadratic residues can instantiate the abstract DDH oracle, so we modify Nieto et al.'s scheme to be based on the signed quadratic residues group, which gives a natural new PVPKE scheme. Notation: we omit the $\bmod N$ operation in every modular exponentiation in signed quadratic residues, so that, for example, $h = |u^2 \bmod N|$ is written as $h = u^2$; this implies that all modular exponentiations and other operations obey the rules defined in [28] instead of the normal group rules. The following is the concrete scheme.

(i) PVPKE.PG($1^k$) is as follows.

    (a) Here we focus on the $QR^+_N$ group. We first generate an RSA modulus $N = PQ$ with $\mathrm{RSAgen}(1^k)$ [28], then choose uniformly $u \leftarrow_R (\mathbb{Z}^*_N)^+ \setminus QR^+_N$ and set $h = u^2$. Note that by definition of $N$ we have $\mathbb{G} = \langle h \rangle = QR^+_N$ except with probability $O(2^{-\delta n(k)})$.

    (b) $H : \mathbb{G} \to \{0,1\}^{l_1(k)}$ is a cryptographic hash function such that $l_1(k)$ is a polynomial in $k$.

    (c) We also use a strong one-time signature scheme $\mathrm{OTS} = (\mathrm{KG}, \mathrm{Sign}, \mathrm{Vrfy})$ with verification key space $\{0,1\}^{l_2(k)}$ such that $l_2(k)$ is a polynomial in $k$, and a target collision resistant hash function $\mathrm{TCR} : \mathbb{G} \times \{0,1\}^{l_2(k)} \to \mathbb{Z}_p$. The message space is $\mathrm{MsgSp} = \{0,1\}^{l_1(k)}$.

    (d) DDH is an efficient algorithm such that $\mathrm{DDH}(g^a, g^b, g^c) = 1 \leftrightarrow c = ab \bmod p$. For the scheme relying on the $QR^+_N$ group we can easily decide the DDH tuple; concretely, we do the following.

        (1) Choose $a, b \in [N/4]$ and $m, n \in \mathrm{ord}(QR^+_N)$ satisfying $2^m(a + 1/2) > n \times \mathrm{ord}(QR^+_N)$, $2^m(b + 1/2) > n \times \mathrm{ord}(QR^+_N)$, and $m$ not very small. Then set

        $$g = h^2, \qquad X = h \circ g^a, \qquad Y = h \circ g^b. \quad (13)$$

        (2) Publish $a' = 2^m(a + 1/2) \bmod n \times \mathrm{ord}(QR^+_N)$ and $b' = 2^m(b + 1/2) \bmod n \times \mathrm{ord}(QR^+_N)$ as the parameters for public verification.

        (3) The DDHParams $= (g, X, Y, a', b', 2^m)$.

    (e) $\mathrm{PG}(1^k)$ outputs public parameters $par = (\mathbb{G}, N, \mathrm{DDHParams}, H, \mathrm{OTS}) = (\mathbb{G}, N, g, X, Y, a', b', 2^m, H, \mathrm{OTS})$.

(ii) PVPKE.KG(par):

$$x \leftarrow \mathbb{Z}_N^*, \quad u \leftarrow g^x, \quad X = h \circ g^a, \quad Y = h \circ g^b, \quad ek \leftarrow (u, X, Y), \quad dk \leftarrow x; \quad \text{Return } (ek, dk). \qquad (14)$$

(iii) PVPKE.Enc(par, ek, M):

$$(u, X, Y) \leftarrow ek, \quad (vk, sigk) \leftarrow \mathrm{OTS.KG}(1^k), \quad r \leftarrow_R \mathbb{Z}_N^*, \quad c_1 \leftarrow g^r,$$
$$t \leftarrow \mathrm{TCR}(c_1, vk), \quad \pi \leftarrow (X^t Y)^r, \quad K \leftarrow H(u^r), \quad c_2 \leftarrow M \oplus K,$$
$$c \leftarrow (c_1, c_2, \pi), \quad \delta \leftarrow \mathrm{OTS.Sign}(sigk, c); \quad \text{Return } C = (c, \delta, vk). \qquad (15)$$

(iv) PVPKE.Ver(par, ek, C):

$$(u, X, Y) \leftarrow ek, \quad (c, \delta, vk) \leftarrow C, \quad (c_1, c_2, \pi) \leftarrow c, \quad t \leftarrow \mathrm{TCR}(c_1, vk);$$
$$\text{If } c_1^{a' t + b'} \neq \pi^{2^m} \text{ or } \mathrm{OTS.Vrfy}(c, \delta, vk) = \bot, \text{ return } \bot; \quad \text{Return } C' = (c_1, c_2). \qquad (16)$$

(v) PVPKE.Dec$'$(par, ek, dk, C$'$):

$$(c_1, c_2) \leftarrow C', \quad x \leftarrow dk, \quad K \leftarrow H(c_1^x), \quad M \leftarrow c_2 \oplus K; \quad \text{Return } M. \qquad (17)$$
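The scheme above, worked through end to end as an added example (it is not the paper's code): a toy signed-quadratic-residue group, the public DDH check of equation (16), and the two tamperings a router would drop. Assumptions that are mine and not the paper's: SHA-256 stands in for H and TCR, a Lamport one-time signature stands in for OTS, and the modulus is a tiny constructed Blum integer so it runs instantly.

```python
"""Toy PVPKE over signed quadratic residues (added example, not the paper's code).
Stand-ins that are assumptions, not the paper's choices: SHA-256 plays H and TCR,
a Lamport one-time signature plays OTS, and N is a tiny constructed Blum integer
(a real deployment needs a ~2048-bit N whose factors only PG ever sees)."""
import hashlib
import math
import secrets

P, Q = 2039, 3167                        # constructed toy safe primes, both 3 mod 4
N = P * Q                                # Blum integer N = PQ
ORD = ((P - 1) // 2) * ((Q - 1) // 2)    # ord(QR_N^+) = pq; secret, used only by PG
M_BITS, N_MULT = 64, 3                   # the paper's m and n

def absn(v):
    """|v mod N|: the representative in [0, (N-1)/2] that QR_N^+ works with."""
    v %= N
    return v if v <= (N - 1) // 2 else N - v
def gpow(x, e):          # exponentiation inside QR_N^+
    return absn(pow(x, e, N))
def gmul(x, y):          # the group operation 'o' of QR_N^+
    return absn(x * y)
def sha(*parts):
    return hashlib.sha256(b"|".join(parts)).digest()

def ots_keygen():        # Lamport OTS: 256 preimage pairs; vk is their hashes
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return [(sha(a), sha(b)) for a, b in sk], sk
def ots_sign(sk, msg):
    d = int.from_bytes(sha(msg), "big")
    return [sk[i][(d >> i) & 1] for i in range(256)]
def ots_verify(vk, msg, sig):
    d = int.from_bytes(sha(msg), "big")
    return all(sha(sig[i]) == vk[i][(d >> i) & 1] for i in range(256))

def param_gen():
    """PG(1^k): h = u^2, g = h^2, X = h o g^a, Y = h o g^b, and the public
    a' = 2^m(a+1/2) mod n*ord, b' = 2^m(b+1/2) mod n*ord; a, b, h, ord stay secret."""
    u = secrets.randbelow(N - 2) + 2
    while math.gcd(u, N) != 1 or gpow(u, 4) == 1:   # need non-trivial h and g
        u = secrets.randbelow(N - 2) + 2
    h = gpow(u, 2)
    g = gmul(h, h)
    a, b = secrets.randbelow(N // 4) + 1, secrets.randbelow(N // 4) + 1
    X, Y = gmul(h, gpow(g, a)), gmul(h, gpow(g, b))
    mod = N_MULT * ORD
    # 2^m(a+1/2) = 2^(m-1)(2a+1) must exceed n*ord, or a'/2^m would reveal a + 1/2
    assert 2 ** (M_BITS - 1) * (2 * a + 1) > mod and 2 ** (M_BITS - 1) * (2 * b + 1) > mod
    a_p = (2 ** (M_BITS - 1) * (2 * a + 1)) % mod
    b_p = (2 ** (M_BITS - 1) * (2 * b + 1)) % mod
    return {"g": g, "X": X, "Y": Y, "a_p": a_p, "b_p": b_p, "two_m": 2 ** M_BITS}

def keygen(par):
    """PVPKE.KG, eq. (14): x <- Z_N^*, u = g^x, ek = (u, X, Y), dk = x."""
    x = secrets.randbelow(N - 2) + 2
    return (gpow(par["g"], x), par["X"], par["Y"]), x
def _c_bytes(c1, c2, pi):  # canonical encoding of c = (c_1, c_2, pi) for the OTS
    return f"{c1}|{c2.hex()}|{pi}".encode()
def _tcr(c1, vk):          # t = TCR(c_1, vk); reduced mod N to keep exponents modest
    return int.from_bytes(sha(str(c1).encode(), *[a + b for a, b in vk]), "big") % N

def encrypt(par, ek, msg):
    """PVPKE.Enc, eq. (15): C = (c, delta, vk) with c = (c_1, c_2, pi), |msg| <= 32."""
    u, X, Y = ek
    vk, sigk = ots_keygen()
    r = secrets.randbelow(N - 2) + 2
    c1 = gpow(par["g"], r)
    t = _tcr(c1, vk)
    pi = gpow(gmul(gpow(X, t), Y), r)                # pi = (X^t Y)^r
    K = sha(str(gpow(u, r)).encode())                # K = H(u^r)
    c2 = bytes(m ^ k for m, k in zip(msg, K))        # c_2 = M xor K
    return (c1, c2, pi), ots_sign(sigk, _c_bytes(c1, c2, pi)), vk

def verify(par, ek, C):
    """PVPKE.Ver, eq. (16): the public check a router or gateway runs with no
    secret; returns the IND-CPA part C' = (c_1, c_2) or None on rejection."""
    (c1, c2, pi), delta, vk = C
    t = _tcr(c1, vk)
    if gpow(c1, par["a_p"] * t + par["b_p"]) != gpow(pi, par["two_m"]):  # DDH test
        return None
    if not ots_verify(vk, _c_bytes(c1, c2, pi), delta):
        return None
    return c1, c2

def decrypt(dk, C_prime):
    """PVPKE.Dec', eq. (17): M = c_2 xor H(c_1^x) on an already verified C'."""
    c1, c2 = C_prime
    K = sha(str(gpow(c1, dk)).encode())
    return bytes(a ^ b for a, b in zip(c2, K))

def run_demo(msg=b"mobile systems, 32-byte payload."):
    """Honest round trip, then two tamperings: a changed pi fails the DDH test,
    a changed c_2 fails the OTS check. Returns (ok, bad_pi_dropped, bad_c2_dropped)."""
    par = param_gen()
    ek, dk = keygen(par)
    C = encrypt(par, ek, msg)
    (c1, c2, pi), delta, vk = C
    ok = decrypt(dk, verify(par, ek, C)) == msg
    bad_pi = verify(par, ek, ((c1, c2, gmul(pi, par["g"])), delta, vk)) is None
    bad_c2 = verify(par, ek, ((c1, bytes([c2[0] ^ 1]) + c2[1:], pi), delta, vk)) is None
    return ok, bad_pi, bad_c2
```

The value returned by verify is exactly the shorter IND-CPA ciphertext that Section 4.2's gateway forwards into the trusted network after stripping (delta, vk).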

3.3. Security Analysis. Based on Nieto et al.'s security result and the property of signed quadratic residues, we can give the following theorem.

Theorem 3. Assume that TCR is a target collision resistant hash function and OTS is a strongly unforgeable one-time signature scheme. Under a variant of the hashed Diffie-Hellman assumption for $G$ (the signed quadratic residues group) and $H$, and the factoring assumption for RSAGen (which implies the strong Diffie-Hellman assumption in the signed quadratic residues group, as proved in [28]), our PVPKE scheme based on signed quadratic residues is IND-CCA-secure.

Proof. In the following we give our scheme's security proof roughly.

(1) We observe that in Nieto et al.'s PKE scheme $u$ plays two roles: one is to derive the DEM message mask key, and the other is to serve as part of the DDH test. Many research results show that it is secure to split these two roles [8]; thus we introduce $X$ for the DDH-test role while keeping $u$ as the source of the DEM message mask key, which is the reason why we use $(X^t Y)$ instead of $(u^t v)$ in our scheme.

(2) In our scheme we adopt Hofheinz and Kiltz's technique of reducing the SDH assumption to the factoring assumption; concretely, we set $X, Y, g, h, a$, and $b$ the same as theirs, but we make $a' = 2^m(a + 1/2) \bmod n \times \mathrm{ord}(QR_N^+)$ and $b' = 2^m(b + 1/2) \bmod n \times \mathrm{ord}(QR_N^+)$ public, which are used for public verifying. The verifying equation

$$(g^r)^{a' t + b'} = \left((X^t Y)^r\right)^{2^m}$$

can also be used for deciding the DDH relationship of $(g, X^t Y, g^r, (X^t Y)^r)$, but an attacker cannot figure out $\pi = (X^t Y)^r$ by finding the $2^m$-th root of $(g^r)^{a' t + b'}$, for we know that finding square roots in $QR_N$ is as hard as factoring, and this also holds in $QR_N^+$.

(3) We require $2^m(a + 1/2) > n \times \mathrm{ord}(QR_N^+)$ and $2^m(b + 1/2) > n \times \mathrm{ord}(QR_N^+)$ to avoid the trivial attack of computing $a + 1/2 = a'/2^m$ and $b + 1/2 = b'/2^m$ without any modular reduction, and thus trivially computing $\pi = (X^t Y)^r = (g^r)^{(a + 1/2)t + (b + 1/2)}$. Obviously this attack could easily forge a valid $\pi$ and thus a valid ciphertext, and break the IND-CCA property. We also require that $m$ is not too small, to resist the brute-force attack of finding $a$ from $a'$.

(4) Generally speaking, our scheme is almost identical to Nieto et al.'s scheme; thus the security proof is almost the same as theirs. Below are the details.

Let $(c^*, \delta^*, vk^*)$ be the challenge ciphertext. The proposed PKE without the CHK transform can be seen as a KEM/DEM combination which is at least IND-CPA-secure due to Herranz et al. [58]. As for the KEM, a variant of the hashed Diffie-Hellman (HDH) assumption [48] can be used to prove the IND-CPA security of the resulting PKE. Note that the message does not depend on $vk^*$, and the remaining component is just the signature on $c^*$. Therefore $c^*$, being an output of the IND-CPA-secure scheme, hides the value of the chosen $b$ from the adversary.

Figure 1: Routers drop the invalid ciphertexts via PVPKE (sender holding SK, routers, adversary, receiver holding PubK).

Below we prove that the IND-CCA adversary $\mathcal{A}$ may access the decryption oracle and will gain no help in guessing the value of $b$. Suppose the adversary submits a ciphertext $(c', \delta', vk') \neq (c^*, \delta^*, vk^*)$ to the decryption oracle. Now there are two cases.

(i) When $vk' = vk^*$, the decryption oracle will output $\bot$, as the adversary fails to break the underlying strongly unforgeable one-time signature scheme with respect to $vk'$.

(ii) When $vk' \neq vk^*$, the attacker $\mathcal{B}$ against the variant of the HDH problem can set the public keys as in the IND-CCA security proof for the KEM by Kiltz [57], such that (1) $\mathcal{B}$ can answer all decryption queries from $\mathcal{A}$ except for the challenge ciphertext, even without knowledge of the secret key, and (2) $\mathcal{B}$ solves HDH if $\mathcal{A}$ wins. Note that in Nieto et al.'s scheme $(u, v)$ is the public key, while in our scheme $(u, X, Y)$ is the public key; but we observe that $v$ is randomly chosen from $G$, while in our scheme $X, Y$ are set as $h \circ g^a, h \circ g^b$, which are also random because $a, b$ are random. Thus our scheme roughly shares the same security proof outline as in [57], except that our scheme is in signed quadratic residues.

4. Applications

4.1. Application 1: The Routers Drop the Invalid Ciphertexts via PVPKE. As shown in Figure 1, PVPKE can be used in the open internet network to help the routers filter the invalid ciphertexts, while traditional IND-CCA-secure public key encryption does not have this function. First, a sender (encrypter) wants to encrypt his message to a receiver (decrypter) by using public key encryption, and the ciphertexts in many cases have to be sent through open networks which are not equipped with security guards to resist malicious attacks; thus the sender had better choose an IND-CCA-secure public key encryption to encrypt his message. When an error or a data loss occurs in the ciphertexts during transfer, PVPKE can help the routers drop invalid ciphertexts by using the public verifying algorithm. Note that the routers here need no secret, which will greatly reduce the cost of re-setting up the old system. Also, if there is a malicious attacker modifying the ciphertexts, the invalid ciphertexts will also be dropped. This will greatly help the network preserve its communication bandwidth for effective data blocks only, and help the routers and the receiver reduce their workload, for they now only need to do the necessary computation. However, PVPKE cannot resist the following case: an attacker generates a ciphertext following the correct encryption algorithm, and this ciphertext will certainly pass the public verifying algorithm. We think that in this case the attacker is indeed an encrypter, which is a trivial case that no verifying algorithm can avoid.

Figure 2: Gateways reduce the workload via PVPKE (IND-CCA ciphertext on the open internet network, IND-CPA ciphertext on the internal trusted network).

4.2. Application 2: The Gateways Reduce the Workload via PVPKE. The following scenario is very common: ciphertexts need to be transferred from a public open network like the internet to an internal network like the government's network. As shown in Figure 2, PVPKE can be used to help the gateways reduce the workload by transforming an IND-CCA ciphertext into an IND-CPA ciphertext. When an IND-CCA ciphertext is captured by the gateway, the gateway first verifies its validity by using the public verifying algorithm. If it passes, then the gateway can drop the part of the ciphertext which is used to authenticate the ciphertext, like $(\delta, vk)$ in our PVPKE and in Nieto et al.'s PKE scheme (here we do not claim that every PVPKE scheme has this separate authentication part, for there exist PVPKE schemes in which the authentication part has been integrated into the other parts of the ciphertext as a whole). Thus the remaining ciphertext will be IND-CPA-secure and shorter than the original ciphertext. Because the government's network is usually well protected with many security mechanisms, IND-CPA security is enough to assure the security of the ciphertext. This will also reduce the workload of the employees who work on the internal network of the government.

4.3. Application 3: Achieving Ciphertext Checkability in the Clouds via PVPKE. Today more and more people prefer to upload their personal data contents to the clouds, but they do not want the cloud to know what the data contents are. Thus they need to encrypt the personal data contents before uploading them to the clouds. PVPKE can be used to make the ciphertexts checkable in this case, as shown in Figure 3. When the data owner uploads the ciphertexts to the cloud, incidents like data loss or a malicious attacker modifying the ciphertexts may occur; in these cases a proxy can be used to check the ciphertext's validity by using PVPKE. When the data owner or a data user needs to retrieve the content, the clouds return the corresponding ciphertext to them; at this time, too, the proxy can be used to check the ciphertext's validity by using PVPKE. Note here that the proxy needs only to be semitrusted: it can perform the check without any secret, which will greatly benefit the reduction of system management. For example, the proxy can be the access infrastructure in the wireless network setting. Note here that we do not claim that every ciphertext needs to be checked, which would be too heavy; this check should be run probabilistically on randomly chosen ciphertexts.

Figure 3: Achieving ciphertext checkability in the clouds via PVPKE (ciphertexts are outsourced to cloud storage; on retrieval the proxy checks them and returns reliable ciphertexts).

5. Conclusions

PVPKE is a very powerful building block for constructing other cryptographic primitives or protocols, and its construction had long remained open. In [13] we gave several constructions and analyzed their security. In this paper, by using the fact that the DDH oracle can be instantiated in signed quadratic residues, we give a new PVPKE construction and roughly prove its security. Future work will further explore our idea and prove our proposal's security strictly.

Disclosure

This paper is a revised and expanded version of a paper titled "New Construction of PVPKE Scheme Based on Signed Quadratic Residues" presented at the INCoS 2013 conference [59]. The second author is the corresponding author.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The authors would like to express their gratitude to the editors for many helpful comments. This work is supported by the National Natural Science Foundation of China under Contracts nos. 61103230, 61272492, 61103231, and 61202492.

References

[1] A. J. Jara, S. Varakliotis, A. F. Skarmeta, and P. Kirstein, "Extending the Internet of things to the future internet through IPv6 support," Mobile Information Systems, vol. 10, no. 1, pp. 3–17, 2014.

[2] A. J. Jara, D. Fernandez, P. Lopez, M. A. Zamora, and A. F. Skarmeta, "Lightweight MIPv6 with IPSec support," Mobile Information Systems, vol. 10, no. 1, pp. 37–77, 2014.

[3] W. Diffie and M. E. Hellman, "New directions in cryptography," IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644–654, 1976.

[4] R. L. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Communications of the Association for Computing Machinery, vol. 21, no. 2, pp. 120–126, 1978.

[5] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.

[6] M. Abe, E. Kiltz, and T. Okamoto, "Chosen ciphertext security with optimal ciphertext overhead," in Advances in Cryptology – ASIACRYPT 2008, vol. 5350 of Lecture Notes in Computer Science, pp. 355–371, Springer, Berlin, Germany, 2008.

[7] M. Bellare and P. Rogaway, "Optimal asymmetric encryption: how to encrypt with RSA," in Advances in Cryptology – EUROCRYPT '94, vol. 950 of Lecture Notes in Computer Science, pp. 92–111, 1994.

[8] R. Cramer and V. Shoup, "A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack," in Advances in Cryptology – CRYPTO '98, vol. 1462 of Lecture Notes in Computer Science, pp. 13–25, Springer, Berlin, Germany, 1998.

[9] G. Hanaoka and K. Kurosawa, "Efficient chosen ciphertext secure public key encryption under the computational Diffie-Hellman assumption," in Advances in Cryptology – ASIACRYPT 2008, vol. 5350 of Lecture Notes in Computer Science, pp. 308–325, Springer, Berlin, Germany, 2008.

[10] D. Hofheinz, E. Kiltz, and V. Shoup, "Practical chosen ciphertext secure encryption from factoring," Journal of Cryptology, vol. 26, no. 1, pp. 102–118, 2013.

[11] Y. Lindell, "A simpler construction of CCA2-secure public-key encryption under general assumptions," in Advances in Cryptology – EUROCRYPT 2003, vol. 2656 of Lecture Notes in Computer Science, pp. 241–254, Springer, Berlin, Germany, 2003.

[12] K. Goto, Y. Sasaki, T. Hara, and S. Nishio, "Data gathering using mobile agents for reducing traffic in dense mobile wireless sensor networks," Mobile Information Systems, vol. 9, no. 4, pp. 295–314, 2013.

[13] M. Zhang, X. A. Wang, W. Li, and X. Yang, "CCA secure publicly verifiable public key encryption without pairings nor random oracle and its applications," Journal of Computers, vol. 8, no. 8, pp. 1987–1994, 2013.

[14] X. Chen, J. Li, and W. Susilo, "Efficient fair conditional payments for outsourcing computations," IEEE Transactions on Information Forensics and Security, vol. 7, no. 6, pp. 1687–1694, 2012.

[15] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, "New algorithms for secure outsourcing of modular exponentiations," in Computer Security – ESORICS 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541–556, Springer, Berlin, Germany, 2012.

[16] R. Canetti and S. Goldwasser, "An efficient threshold public key cryptosystem secure against adaptive chosen ciphertext attack," in Advances in Cryptology – EUROCRYPT '99, vol. 1592 of Lecture Notes in Computer Science, pp. 90–106, Springer, Berlin, Germany, 1999.

[17] J. Baek and Y. Zheng, "Identity-based threshold decryption," in Public Key Cryptography – PKC 2004, vol. 2947 of Lecture Notes in Computer Science, pp. 262–276, Springer, Berlin, Germany, 2004.

[18] D. Boneh, X. Boyen, and S. Halevi, "Chosen ciphertext secure public key threshold encryption without random oracles," in Topics in Cryptology – CT-RSA 2006, vol. 3860 of Lecture Notes in Computer Science, pp. 226–243, 2006.

[19] V. Shoup and R. Gennaro, "Securing threshold cryptosystems against chosen ciphertext attack," Journal of Cryptology, vol. 15, no. 2, pp. 75–96, 2002.

[20] C. Delerablée and D. Pointcheval, "Dynamic threshold public-key encryption," in Advances in Cryptology – CRYPTO 2008, vol. 5157 of Lecture Notes in Computer Science, pp. 317–334, Springer, Berlin, Germany, 2008.

[21] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, "Improved proxy re-encryption schemes with applications to secure distributed storage," in Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS '05), pp. 29–43, San Diego, Calif, USA, 2005.

[22] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, "Improved proxy re-encryption schemes with applications to secure distributed storage," ACM Transactions on Information and System Security, vol. 9, no. 1, pp. 1–30, 2006.

[23] B. Libert and D. Vergnaud, "Unidirectional chosen-ciphertext secure proxy re-encryption," in Public Key Cryptography – PKC 2008, vol. 4939 of Lecture Notes in Computer Science, pp. 360–379, Springer, Berlin, Germany, 2008.

[24] R. Canetti and S. Hohenberger, "Chosen ciphertext secure proxy re-encryption," in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), pp. 185–194, ACM, 2007.

[25] J. Zhang and X. A. Wang, "On the security of a multi-use CCA-secure proxy re-encryption scheme," in Proceedings of the 4th International Conference on Intelligent Networking and Collaborative Systems (INCoS '12), pp. 571–576, Bucharest, Romania, September 2012.

[26] J. Zhang and X. Wang, "Security analysis of a multi-use identity based CCA-secure proxy reencryption scheme," in Proceedings of the 4th International Conference on Intelligent Networking and Collaborative Systems (INCoS '12), pp. 581–586, September 2012.

[27] J. Nieto, M. Manulis, B. Poettering, J. Rangasamy, and D. Stebila, "Publicly verifiable ciphertexts," in Proceedings of the 8th International Conference on Security and Cryptography for Networks (SCN '12), vol. 7485 of Lecture Notes in Computer Science, pp. 393–410, Amalfi, Italy, 2012.

[28] D. Hofheinz and E. Kiltz, "The group of signed quadratic residues and applications," in Advances in Cryptology – CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 637–653, Springer, Berlin, Germany, 2009.

[29] M. Naor and M. Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks," in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC '90), pp. 427–437, May 1990.

[30] C. Rackoff and D. R. Simon, "Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack," in Advances in Cryptology – CRYPTO '91, vol. 576 of Lecture Notes in Computer Science, pp. 433–444, Springer, Berlin, Germany, 1992.

[31] D. Dolev, C. Dwork, and M. Naor, "Non-malleable cryptography," in Proceedings of the 23rd Annual ACM Symposium on Theory of Computing (STOC '91), pp. 542–552, May 1991.

[32] A. Sahai, "Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security," in Proceedings of the 40th Annual Symposium on Foundations of Computer Science (IEEE FOCS '99), pp. 543–553, New York, NY, USA, October 1999.

[33] M. Bellare and P. Rogaway, "Random oracles are practical: a paradigm for designing efficient protocols," in Proceedings of the 1st ACM Conference on Computer and Communications Security (CCS '93), pp. 62–73, November 1993.

[34] R. Canetti, O. Goldreich, and S. Halevi, "Random oracle methodology revisited," in Proceedings of the 30th Annual ACM Symposium on Theory of Computing (STOC '98), pp. 209–218, May 1998.

[35] R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.

[36] K. Kurosawa and Y. Desmedt, "A new paradigm of hybrid encryption scheme," in Advances in Cryptology – CRYPTO 2004, vol. 3152 of Lecture Notes in Computer Science, pp. 426–442, 2004.

[37] M. Abe, R. Gennaro, K. Kurosawa, and V. Shoup, "Tag-KEM/DEM: a new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM," in Advances in Cryptology – EUROCRYPT 2005, vol. 3494 of Lecture Notes in Computer Science, pp. 128–146, Springer, Berlin, Germany, 2005.

[38] R. Canetti, S. Halevi, and J. Katz, "Chosen-ciphertext security from identity-based encryption," in Advances in Cryptology – EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 207–222, Springer, Berlin, Germany, 2004.

[39] D. Boneh and J. Katz, "Improved efficiency for CCA-secure cryptosystems built using identity-based encryption," in Topics in Cryptology – CT-RSA 2005, vol. 3376 of Lecture Notes in Computer Science, pp. 87–103, Springer, Berlin, Germany, 2005.

[40] X. Boyen, Q. Mei, and B. Waters, "Direct chosen ciphertext security from identity-based techniques," in Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS '05), pp. 320–329, November 2005.

[41] E. Kiltz, "Chosen-ciphertext security from tag-based encryption," in Theory of Cryptography, vol. 3876 of Lecture Notes in Computer Science, pp. 581–600, Springer, Berlin, Germany, 2006.

[42] C. Peikert and B. Waters, "Lossy trapdoor functions and their applications," in Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC '08), pp. 187–196, 2008.

[43] A. Rosen and G. Segev, "Chosen-ciphertext security via correlated products," in Theory of Cryptography, vol. 5444 of Lecture Notes in Computer Science, pp. 419–436, Springer, Berlin, Germany, 2009.

[44] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," in Advances in Cryptology – CRYPTO 2001, Proceedings of the 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19–23, 2001, vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, Springer, Berlin, Germany, 2001.

[45] D. Boneh, C. Gentry, and B. Waters, "Collusion resistant broadcast encryption with short ciphertexts and private keys," in Proceedings of the 25th Annual International Cryptology Conference (CRYPTO '05), vol. 3621 of Lecture Notes in Computer Science, pp. 258–275, Santa Barbara, Calif, USA, 2005.

[46] J. Groth and A. Sahai, "Efficient non-interactive proof systems for bilinear groups," in Advances in Cryptology – EUROCRYPT 2008, vol. 4965 of Lecture Notes in Computer Science, pp. 415–432, Springer, Berlin, Germany, 2008.

[47] D. Boneh, G. D. Crescenzo, R. Ostrovsky, and G. Persiano, "Public key encryption with keyword search," in Computational Science and Its Applications – ICCSA 2008, vol. 3089 of Lecture Notes in Computer Science, pp. 31–45, Springer, Berlin, Germany, 2004.

[48] M. Abdalla, M. Bellare, D. Catalano, et al., "Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions," in Advances in Cryptology – CRYPTO 2005, vol. 3621 of Lecture Notes in Computer Science, pp. 205–222, Springer, Berlin, Germany, 2005.

[49] V. Goyal, O. Pandey, A. Sahai, and B. Waters, "Attribute-based encryption for fine-grained access control of encrypted data," in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06), pp. 89–98, November 2006.

[50] J. Katz, A. Sahai, and B. Waters, "Predicate encryption supporting disjunctions, polynomial equations, and inner products," in Advances in Cryptology – EUROCRYPT 2008, vol. 4965 of Lecture Notes in Computer Science, pp. 146–162, Springer, Berlin, Germany, 2008.

[51] J. Baek, R. Safavi-Naini, and W. Susilo, "Certificateless public key encryption without pairing," in Information Security, vol. 3650 of Lecture Notes in Computer Science, pp. 134–148, Springer, Berlin, Germany, 2005.

[52] S. Al-Riyami and K. Paterson, "Certificateless public key cryptography," in Advances in Cryptology – ASIACRYPT 2003, vol. 2894 of Lecture Notes in Computer Science, pp. 452–473, Springer, 2003.

[53] R. Deng, J. Weng, S. Liu, and K. Chen, "Chosen-ciphertext secure proxy re-encryption without pairings," in Cryptology and Network Security, vol. 5339 of Lecture Notes in Computer Science, pp. 1–17, Springer, Berlin, Germany, 2008, http://eprint.iacr.org/2008/509.

[54] J. Shao and Z. Cao, "CCA-secure proxy re-encryption without pairings," in Public Key Cryptography – PKC 2009, vol. 5443 of Lecture Notes in Computer Science, pp. 357–376, Springer, Berlin, Germany, 2009.

[55] J. Camenisch and V. Shoup, "Practical verifiable encryption and decryption of discrete logarithms," in Advances in Cryptology – CRYPTO 2003, vol. 2729 of Lecture Notes in Computer Science, pp. 126–144, Springer, Berlin, Germany, 2003.

[56] A. Kiayias, Y. Tsiounis, and M. Yung, Group Encryption, Cryptology ePrint Archive, 2007, http://eprint.iacr.org/2007/015.pdf.

[57] E. Kiltz, "Chosen-ciphertext secure key-encapsulation based on gap hashed Diffie-Hellman," in Public Key Cryptography – PKC 2007, vol. 4450 of Lecture Notes in Computer Science, pp. 282–297, Springer, Berlin, Germany, 2007.

[58] J. Herranz, D. Hofheinz, and E. Kiltz, "KEM/DEM: necessary and sufficient conditions for secure hybrid encryption," IACR Cryptology ePrint Archive, Report 2006/256, IACR, 2006.

[59] J. Zhang and X. Wang, "New construction of PVPKE scheme based on signed quadratic residues," in Proceedings of the 5th International Conference on Intelligent Networking and Collaborative Systems (INCoS '13), pp. 434–437, September 2013.


these maliciously created ciphertexts, and the bandwidth has been effectively preserved [12]. As a concrete example, imagine that when using a mobile phone for secure instant-message talking like MSN, you always have to deal with nonsense invalid ciphertexts maliciously created by active attackers. But if the access infrastructure equipped with PVPKE can help you filter these invalid ciphertexts, you will certainly feel better. In one word, PVPKE is an important tool for smoothly running modern information systems if these systems have employed public key encryption as a basic way to achieve security.

However, researchers have given little attention to the property of public verifiability of chosen ciphertext-secure ciphertexts. In the bilinear map setting, or by using the random oracle, public verifiability of ciphertexts coming from an IND-CCA-secure public key encryption can be easily achieved. Thus in this paper we care about how to construct publicly verifiable public key encryption without pairing in the standard model. Recently, in [13], we introduced an interesting cryptographic primitive, PVPKE, defined as publicly verifiable chosen ciphertext-secure public key encryption in the standard model without pairing. PVPKE is a very powerful building block to construct some other interesting cryptographic protocols and cloud computation [14, 15]. For example, it can be used to construct chosen ciphertext- (CCA-) secure threshold public key encryption (TPKE) [16–20]. In TPKE, chosen ciphertext security always requires that the distributed decryption server can check the ciphertext's validity before decryption; otherwise some valuable information about decryption will be returned to the adversary, and this will help the adversary to break the chosen ciphertext security. For another example, PVPKE can be a core block to construct chosen ciphertext-secure proxy reencryption (PRE) [21–26]. Chosen ciphertext attackers can query the delegator's and delegatee's decryption oracles arbitrarily; if invalid ciphertexts forwarded by the proxy to the delegatee have been decrypted by the delegatee, the attackers can get useful information to break CCA security. Since the proxy, which holds no secret keys, needs to check the validity of the ciphertext for the delegatee before reencryption, public verifiability of the ciphertext seems to be an essential requirement for achieving CCA security for proxy reencryption.

In SCN'12, Nieto et al. [27] discussed an interesting property of public key encryption with chosen ciphertext security, that is, ciphertexts with public verifiability. They also demonstrated an important application of this new primitive, that is, "nontrivial filtering" of an incoming IND-CCA-secure ciphertext into an IND-CPA-secure ciphertext, with reduced workload, by a gateway. They formally defined (nontrivial) public verifiability of ciphertexts for general encryption schemes, key encapsulation mechanisms, and hybrid encryption schemes, encompassing public key, identity-based, and tag-based encryption, and also gave several concrete constructions. But we also note that their constructions cannot simultaneously satisfy the four requirements on "PVPKE": (1) chosen ciphertext-secure, (2) publicly verifiable, (3) in the standard model, (4) without pairing. Thus their work further explores PVPKE's applications but does not give a concrete construction of PVPKE.

In Crypto'09, Hofheinz and Kiltz [28] introduced the group of signed quadratic residues and discussed its applications; the most interesting feature of this group is its "gap" property: the computational problem is as hard as factoring, while the corresponding decisional problem is easy. Membership in $QR_N^+$ can be publicly and efficiently verified, while it inherits some nice intractability properties of the quadratic residues. For example, computing square roots in $QR_N^+$ is also equivalent to factoring the modulus $N$. We therefore have a gap group in which the corresponding decisional problem (i.e., deciding if an element is a signed square) is easy, whereas the computational problem (i.e., computing a square root) is as hard as factoring. We can also show that in the group of signed quadratic residues the Strong Diffie-Hellman problem is implied by the factoring assumption.

1.1. Our Contribution. In [13], based on the core idea of changing the prime modular field to the composite modular field, masking the verifying secret key with the secret order of the composite group, and making the resulting "pseudosecret key" public, we found it relatively easy to construct a PVPKE scheme based on the Cramer-Shoup encryption and the Hanaoka-Kurosawa CCA-secure public key encryption.

In this paper we show that, when some of Nieto et al.'s schemes are based on signed quadratic residues, the resulting schemes can meet the requirements of PVPKE. The core idea of this construction is that the DDH oracle can be publicly instantiated by a bilinear pairing, while a DDH oracle cannot be instantiated in a discrete logarithm group or an RSA group; but in signed quadratic residues the DDH oracle can be efficiently and publicly instantiated. Based on this observation, we give new constructions of PVPKE scheme based on signed quadratic residues and discuss their security.

Furthermore, we discuss PVPKE's important applications in modern information systems, such as achieving ciphertext checkability in the cloud setting for the mobile laptop, reducing the workload of the gateway between the open internet and the trusted private network, and dropping invalid ciphertexts at the routers to help the network preserve its communication bandwidth effectively.

1.2. Related Works

1.2.1. Chosen Ciphertext Security in the Standard Model. Naor and Yung [29] introduced the notion of CCA security for public key encryption, and this notion was further extended by Rackoff and Simon [30], Dolev et al. [31], and Sahai [32]. Noninteractive zero-knowledge (NIZK) proofs are the core building blocks of these constructions, which is a relatively inefficient paradigm whose efficient realization always relies on bilinear pairings or random oracles. In 1993, Bellare and Rogaway [33] introduced the so-called random oracle, which idealizes the hash function as a perfect random function, to devise efficient CCA-secure public key encryption with provable security. However, the random oracle model has seen criticism by cryptographers for its unrealistic assumption [34]. More and more cryptographers show interest in constructing efficient CCA-secure PKE in the standard model. Till now there are at least four ways to construct efficient CCA-secure PKE in the standard model. The first way was proposed by Cramer and Shoup [8] and was further extended by themselves and other cryptographers [35–37]. The second way to construct CCA-secure PKE is the paradigm of IBE transformation, which allows transforming a selective-ID CPA-secure identity-based encryption (IBE) into a CCA-secure PKE [38–41]. The third way is based on verifiable broadcast encryption, which was proposed by Hanaoka and Kurosawa [9]. The fourth way relies on lossy trapdoor functions, introduced by Peikert and Waters [42] and further extended by Rosen and Segev [43] and many other works. Among the CCA-secure PKE schemes from these four ways, only the ones from the IBE transformation are publicly verifiable. However, most existing practical IBE schemes are based on the time-consuming pairings.

Mobile Information Systems 3

1.2.2. Without Pairings. Bilinear pairings enabled the construction of the first practical identity-based encryption by Boneh and Franklin [44]. Since then, many wonderful results have been achieved by using bilinear pairings, such as fully collusion resistant broadcast encryption [45], efficient practical zero-knowledge proofs [46], searchable public key encryption [47, 48], attribute based encryption [49], and predicate encryption [50].

But we note that, on the one hand, the bilinear pairing is a very powerful cryptographic tool; on the other hand, the implementation speed of bilinear pairings is still relatively slow. So recently many researchers have shown interest in constructing schemes without pairings, because on the one hand it clarifies which cryptographic tasks inherit the bilinear property of pairings and which do not, and on the other hand it gives us a new view on old cryptographic problems. For example, Baek et al. constructed the first certificateless public key encryption without pairings [51], while the concept of certificateless public key cryptography was first raised by using bilinear pairings [52]. Other examples include Deng et al.'s and Shao and Cao's CCA-secure proxy reencryption without pairings [53, 54].

1.2.3. Verifiable Public Key Encryption. Another related research area is (private) verifiable public key encryption, such as Camenisch and Shoup's work [55]. However, their work was concerned only with the decryptor's verifiability of the ciphertext instead of public verifiability. Kiayias et al. extended their work by introducing some new concepts for constructing group encryption [56]. Owing to the bilinear property of pairings, CCA-secure public key encryption with public verifiability can be easily achieved in the bilinear pairing setting. However, the situation is completely different in the "without pairing" setting: constructing a PVPKE scheme has remained an open problem for almost decades.

1.3. Organization. We organize our paper as follows. In Section 2 we give some preliminaries. In Section 3 we give our PVPKE construction based on signed quadratic residues and analyse its security. In Section 4 we discuss PVPKE's applications. In the last section we give our conclusion.

2. Preliminaries

2.1. Publicly Verifiable Public Key Encryption. A publicly verifiable public key encryption system consists of the following algorithms.

(i) The randomized key generation algorithm Gen takes as input a security parameter $1^k$ and outputs a public key (PK) and a secret key (SK). We write $(PK, SK) \leftarrow \mathrm{Gen}(1^k)$.

(ii) The randomized encryption algorithm E takes as input a public key (PK) and a message $m \in \{0,1\}^*$ and outputs a ciphertext $C$. We write $C \leftarrow E_{PK}(m)$.

(iii) The verification algorithm V takes as input a ciphertext $C$ and a public key (PK). It returns valid or invalid to indicate whether the ciphertext is valid or not. Note that the validity of $C$ can be verified publicly.

(iv) The decryption algorithm D takes as input a ciphertext $C$ and a secret key (SK). It returns a message $m \in \{0,1\}^*$ or the distinguished symbol $\perp$. We write $m \leftarrow D_{SK}(C)$.

We require that for all (PK, SK) output by Gen, all $m \in \{0,1\}^*$, and all $C$ output by $E_{PK}(m)$, we have $D_{SK}(C) = m$.

2.2. Chosen Ciphertext Security. We recall the standard definition of security against adaptive chosen ciphertext attack. A publicly verifiable public key encryption (PVPKE) scheme is secure against adaptive chosen ciphertext attacks (i.e., "CCA-secure") if the advantage of any PPT adversary $A$ in the following game is negligible in the security parameter $k$.

(1) $\mathrm{Gen}(1^k)$ outputs (PK, SK). Adversary $A$ is given $1^k$ and PK.

(2) The adversary may make polynomially many queries to a decryption oracle $D_{SK}(\cdot)$.

(3) The adversary may make polynomially many queries to a verification oracle $V_{PK}(\cdot)$.

(4) At some point $A$ outputs two messages $m_0, m_1$ with $|m_0| = |m_1|$. A bit $b$ is randomly chosen and the adversary is given a "challenge ciphertext" $C^* \leftarrow E_{PK}(m_b)$.

(5) $A$ may continue to query its decryption oracle $D_{SK}(\cdot)$, except that it may not request the decryption of $C^*$.

(6) $A$ may continue to make polynomially many queries to a verification oracle $V_{PK}(\cdot)$.

(7) Finally, $A$ outputs a guess $b'$.

We say that $A$ succeeds if $b' = b$ and denote the probability of this event by $\Pr^{A}_{PKE}[\mathrm{Succ}]$. The adversary's advantage is defined as $|\Pr^{A}_{PKE}[\mathrm{Succ}] - 1/2|$.


2.3. The Group of Signed Quadratic Residues

2.3.1. RSA Instance Generator. Let $0 \le \delta \le 1/2$ be a constant and let $n(k)$ be a function. Let RSAgen be an algorithm that generates elements $(N, P, Q)$ such that $N = PQ$ is an $n$-bit Blum integer ($N = PQ$, where $P \equiv 3 \bmod 4$ and $Q \equiv 3 \bmod 4$) and all prime factors of $\phi(N)/4$ are pairwise distinct and at least $\delta n$-bit integers.

2.3.2. Factoring Assumption. The factoring assumption is that computing $P, Q$ from $N$ (generated by RSAgen) is hard. We write

$$\mathrm{Adv}^{\mathrm{fac}}_{\mathcal{A},\mathrm{RSAgen}} = \Pr\left[\{P, Q\} \leftarrow_R \mathcal{A}(N) : (N, P, Q) \leftarrow_R \mathrm{RSAgen}(1^k)\right]. \quad (1)$$

The factoring assumption for RSAgen holds if $\mathrm{Adv}^{\mathrm{fac}}_{\mathcal{A},\mathrm{RSAgen}}$ is negligible for all efficient $\mathcal{A}$.

2.3.3. The Group of Signed Quadratic Residues. Let $N$ be an integer. For $x \in \mathbb{Z}_N$ we define $|x|$ as the absolute value of $x$, where $x$ is represented as a signed integer in the set $\{-(N-1)/2, \ldots, (N-1)/2\}$. For a subgroup $\mathbb{G}$ of $\mathbb{Z}_N^*$ we define the signed group $\mathbb{G}^+$ as the group

$$\mathbb{G}^+ = \{\, |x| : x \in \mathbb{G} \,\} \quad (2)$$

with the following group operation. Namely, for $g, h \in \mathbb{G}^+$ and an integer $x$ we define

$$g \circ h = |g \cdot h \bmod N|, \qquad g^x = g \circ g \circ \cdots \circ g = |g^x \bmod N|. \quad (3)$$

More complicated expressions in the exponents are computed modulo the group order; for example, $g^{1/2} = g^{2^{-1} \bmod \mathrm{ord}(\mathbb{G}^+)}$. Note that taking the absolute value is a surjective homomorphism from $\mathbb{G}$ to $\mathbb{G}^+$, with trivial kernel if $-1$ does not belong to $\mathbb{G}$ and with kernel $\{-1, 1\}$ if $-1 \in \mathbb{G}$.

Let $N$ be a Blum integer such that $-1$ does not belong to $QR_N$. We will mainly be interested in $QR_N^+$, which we call signed quadratic residues (modulo $N$). $QR_N^+$ is a subgroup of $\mathbb{Z}_N^*/\{\pm 1\}$ with absolute values as a convenient computational representation. The following basic facts hold.

Theorem 1. Let $N$ be a Blum integer; then we have the following.

(1) $(QR_N^+, \circ)$ is a group of order $\phi(N)/4$.

(2) $QR_N^+ = J_N^+$. In particular, $QR_N^+$ is efficiently recognizable (given only $N$).

(3) If $QR_N$ is cyclic, so is $QR_N^+$.

2.3.4. Strong DH Assumption Reduced to Factoring Assumption. Hofheinz and Kiltz [28] also proved that the strong DH assumption can be reduced to the factoring assumption. Here we review the theorem and its proof.

Theorem 2. If the factoring assumption holds, then the strong DH assumption holds relative to RSAgen. In particular, for every strong DH adversary $\mathcal{A}$ there exists a factoring adversary $\mathcal{B}$ (with roughly the same complexity as $\mathcal{A}$) such that

$$\mathrm{Adv}^{\mathrm{SDH}}_{\mathcal{A},\mathrm{RSAgen}}(k) \le \mathrm{Adv}^{\mathrm{fac}}_{\mathcal{B},\mathrm{RSAgen}}(k) + O\left(2^{-\delta n(k)}\right). \quad (4)$$

Proof. We construct $\mathcal{B}$ from a given $\mathcal{A}$. Concretely, $\mathcal{B}$ receives a challenge $N = PQ$, chooses uniformly $u \leftarrow_R (\mathbb{Z}_N^*)^+ \setminus QR_N^+$, and sets $h = u^2$. Note that by definition of $N$ we have $\langle h \rangle = QR_N^+$ except with probability $O(2^{-\delta n(k)})$. Then $\mathcal{B}$ chooses $a, b \in [N/4]$ and sets

$$g = h^2, \qquad X = h \circ g^a, \qquad Y = h \circ g^b \quad (5)$$

(here we omit the $\bmod N$ operation, and hereafter we continue to omit $\bmod N$ for typical modular exponentiation). This implicitly defines

$$\mathrm{dlog}_g X = a + \frac{1}{2} \bmod \mathrm{ord}(QR_N^+), \qquad \mathrm{dlog}_g Y = b + \frac{1}{2} \bmod \mathrm{ord}(QR_N^+), \quad (6)$$

where the discrete logarithms are of course considered in $(QR_N^+, \circ)$. Again by definition of $N$, the statistical distance between these $(g, X, Y)$ and the input of $\mathcal{A}$ in the strong DH experiment is bounded by $O(2^{-\delta n(k)})$. So $\mathcal{B}$ runs $\mathcal{A}$ on input $(g, X, Y)$ and answers $\mathcal{A}$'s oracle queries $(\hat{Y}, \hat{Z})$ as follows. First, we may assume that $(\hat{Y}, \hat{Z}) \in QR_N^+$, since $QR_N^+ = J_N^+$ is efficiently recognizable. Next, since $N$ is a Blum integer, the group order $\mathrm{ord}(QR_N^+) = (P-1)(Q-1)/4$ is odd, and hence

$$\hat{Y}^{\mathrm{dlog}_g X} = \hat{Z} \iff \hat{Y}^{2\,\mathrm{dlog}_g X} = \hat{Z}^2 \iff \hat{Y}^{2a+1} = \hat{Z}^2. \quad (7)$$

Thus $\mathcal{B}$ can implement the strong DH oracle by checking whether $\hat{Y}^{2a+1} = \hat{Z}^2$ holds.

Consequently, with probability $\mathrm{Adv}^{\mathrm{SDH}}_{\mathcal{A},\mathrm{RSAgen}}(k) - O(2^{-\delta n(k)})$, $\mathcal{A}$ will finally output

$$Z = g^{(\mathrm{dlog}_g X)(\mathrm{dlog}_g Y)} = g^{(a + 1/2)(b + 1/2)} = h^{2ab + a + b + 1/2} \in QR_N^+, \quad (8)$$

from which $\mathcal{B}$ can extract $v = h^{1/2} \in QR_N^+$ (using its knowledge about $a$ and $b$). Since $u \notin QR_N^+$ and $v \in QR_N^+$ are two nontrivially different square roots of $h$, $\mathcal{B}$ can factor $N$ by computing $\gcd(u - v, N)$.

3. CCA-Secure Publicly Verifiable Public Key Encryption in the Standard Model Based on Signed Quadratic Residues

3.1. Review of Nieto et al.'s Publicly Verifiable PKE Scheme. Their construction is inspired by the IND-CCA public key KEM of Kiltz [57]; the PG (ParamGen) algorithm is similar to [57] except that it uses gap groups. $\mathrm{PG}(1^k)$ outputs public parameters $\mathrm{par} = (\mathbb{G}, p, g, \mathrm{DDH}, H)$, where $\mathbb{G} = \langle g \rangle$ is a multiplicative cyclic group of prime order $p$, $2^k \le p \le 2^{k+1}$, DDH is an efficient algorithm such that $\mathrm{DDH}(g^a, g^b, g^c) = 1 \leftrightarrow c = ab \pmod p$, and $H: \mathbb{G} \to \{0,1\}^{l_1(k)}$ is a cryptographic hash function such that $l_1(k)$ is a polynomial in $k$. We also use a strong one-time signature scheme $\mathrm{OTS} = (\mathrm{KG}, \mathrm{Sign}, \mathrm{Vrfy})$ with verification key space $\{0,1\}^{l_2(k)}$ such that $l_2(k)$ is a polynomial in $k$, and a target collision resistant hash function $\mathrm{TCR}: \mathbb{G} \times \{0,1\}^{l_2(k)} \to \mathbb{Z}_p$. The message space is $\mathrm{MsgSp} = \{0,1\}^{l_1(k)}$. The scheme works as follows.

(i) PKE.KG(par):
    $x \leftarrow \mathbb{Z}_p^*$
    $u \leftarrow g^x$
    $v \leftarrow \mathbb{G}$
    $ek \leftarrow (u, v)$, $dk \leftarrow x$
    Return $(ek, dk)$.  (9)

(ii) PKE.Enc(par, ek, M):
    $(u, v) \leftarrow ek$
    $(vk, sigk) \leftarrow \mathrm{OTS.KG}(1^k)$
    $r \leftarrow_R \mathbb{Z}_p^*$, $c_1 \leftarrow g^r$
    $t \leftarrow \mathrm{TCR}(c_1, vk)$, $\pi \leftarrow (u^t v)^r$
    $K \leftarrow H(u^r)$, $c_2 \leftarrow M \oplus K$
    $c \leftarrow (c_1, c_2, \pi)$
    $\delta \leftarrow \mathrm{OTS.Sign}(sigk, c)$
    Return $C = (c, \delta, vk)$.  (10)

(iii) PKE.Ver(par, ek, C):
    $(u, v) \leftarrow ek$
    $(c, \delta, vk) \leftarrow C$
    $(c_1, c_2, \pi) \leftarrow c$
    $t \leftarrow \mathrm{TCR}(c_1, vk)$
    If $\mathrm{DDH}(c_1, u^t v, \pi) \ne 1$ or $\mathrm{OTS.Vrfy}(c, \delta, vk) = \perp$, return $\perp$
    Return $C' = (c_1, c_2)$.  (11)

(iv) PKE.Dec'(par, ek, dk, C'):
    $(c_1, c_2) \leftarrow C'$
    $x \leftarrow dk$
    $K \leftarrow H(c_1^x)$, $M \leftarrow c_2 \oplus K$
    Return $M$.  (12)

3.2. Our Proposed PVPKE Scheme Based on Signed Quadratic Residues. First we give the core idea behind our construction. We observe that Nieto et al.'s PKE scheme actually is a PVPKE scheme, but the only issue is that they use an abstract DDH oracle. They instantiate this oracle by bilinear pairings, but we require that a PVPKE scheme cannot rely on bilinear pairings. We also observe that signed quadratic residues can also instantiate the abstract DDH oracle, so we modify Nieto et al.'s scheme to be based on the signed quadratic residues group, which now gives a natural new PVPKE scheme. Notation: we omit the $\bmod N$ operation and the absolute value in every modular exponentiation in signed quadratic residues; for example, $h = |u^2 \bmod N|$ is represented as $h = u^2$, which implies that all modular exponentiations and other operations obey the rules defined in [28] instead of the normal group rules. The following is the concrete scheme.

(i) PVPKE.PG($1^k$) is as follows.

(a) Here we focus on the $QR_N^+$ group. We first generate an RSA modulus $N = PQ$ with $\mathrm{RSAgen}(1^k)$ [28], then choose uniformly $u \leftarrow_R (\mathbb{Z}_N^*)^+ \setminus QR_N^+$ and set $h = u^2$. Note that by definition of $N$ we have $\mathbb{G} = \langle h \rangle = QR_N^+$ except with probability $O(2^{-\delta n(k)})$.

(b) $H: \mathbb{G} \to \{0,1\}^{l_1(k)}$ is a cryptographic hash function such that $l_1(k)$ is a polynomial in $k$.

(c) We also use a strong one-time signature scheme $\mathrm{OTS} = (\mathrm{KG}, \mathrm{Sign}, \mathrm{Vrfy})$ with verification key space $\{0,1\}^{l_2(k)}$ such that $l_2(k)$ is a polynomial in $k$, and a target collision resistant hash function $\mathrm{TCR}: \mathbb{G} \times \{0,1\}^{l_2(k)} \to \mathbb{Z}_p$. The message space is $\mathrm{MsgSp} = \{0,1\}^{l_1(k)}$.

(d) DDH is an efficient algorithm such that $\mathrm{DDH}(g^a, g^b, g^c) = 1 \leftrightarrow c = ab \bmod p$. For the scheme relying on the $QR_N^+$ group we can easily decide the DDH tuple; concretely, we do the following.

(1) Choose $a, b \in [N/4]$ and $m, n \in \mathrm{ord}(QR_N^+)$ satisfying $2^m(a + 1/2) > n \times \mathrm{ord}(QR_N^+)$, $2^m(b + 1/2) > n \times \mathrm{ord}(QR_N^+)$, and $m$ is not very small. Then set

$$g = h^2, \qquad X = h \circ g^a, \qquad Y = h \circ g^b. \quad (13)$$

(2) Publish $a' = 2^m(a + 1/2) \bmod n \times \mathrm{ord}(QR_N^+)$ and $b' = 2^m(b + 1/2) \bmod n \times \mathrm{ord}(QR_N^+)$ as the parameters for public verifying.

(3) $\mathrm{DDHParams} = (g, X, Y, a', b', 2^m)$.

(e) $\mathrm{PG}(1^k)$ outputs public parameters $\mathrm{par} = (\mathbb{G}, N, \mathrm{DDHParams}, H, \mathrm{OTS}) = (\mathbb{G}, N, g, X, Y, a', b', 2^m, H, \mathrm{OTS})$.

(ii) PVPKE.KG(par):
    $x \leftarrow \mathbb{Z}_N^*$
    $u \leftarrow g^x$
    $X = h \circ g^a$, $Y = h \circ g^b$
    $ek \leftarrow (u, X, Y)$, $dk \leftarrow x$
    Return $(ek, dk)$.  (14)

(iii) PVPKE.Enc(par, ek, M):
    $(u, X, Y) \leftarrow ek$
    $(vk, sigk) \leftarrow \mathrm{OTS.KG}(1^k)$
    $r \leftarrow_R \mathbb{Z}_N^*$, $c_1 \leftarrow g^r$
    $t \leftarrow \mathrm{TCR}(c_1, vk)$, $\pi \leftarrow (X^t Y)^r$
    $K \leftarrow H(u^r)$, $c_2 \leftarrow M \oplus K$
    $c \leftarrow (c_1, c_2, \pi)$
    $\delta \leftarrow \mathrm{OTS.Sign}(sigk, c)$
    Return $C = (c, \delta, vk)$.  (15)

(iv) PVPKE.Ver(par, ek, C):
    $(u, X, Y) \leftarrow ek$
    $(c, \delta, vk) \leftarrow C$
    $(c_1, c_2, \pi) \leftarrow c$
    $t \leftarrow \mathrm{TCR}(c_1, vk)$
    If $c_1^{a' t + b'} \ne \pi^{2^m}$ or $\mathrm{OTS.Vrfy}(c, \delta, vk) = \perp$, return $\perp$
    Return $C' = (c_1, c_2)$.  (16)

(v) PVPKE.Dec'(par, ek, dk, C'):
    $(c_1, c_2) \leftarrow C'$
    $x \leftarrow dk$
    $K \leftarrow H(c_1^x)$, $M \leftarrow c_2 \oplus K$
    Return $M$.  (17)

3.3. Security Analysis. Based on Nieto et al.'s security result and the property of signed quadratic residues, we can give the following theorem.

Theorem 3. Assume that TCR is a target collision resistant hash function and OTS is a strongly unforgeable one-time signature scheme. Under a variant of the hashed Diffie-Hellman assumption for $\mathbb{G}$ (the signed quadratic residues group) and $H$, and the factoring assumption for RSAgen (which implies the strong Diffie-Hellman assumption in the signed quadratic residues group, as proved in [28]), our PVPKE scheme based on signed quadratic residues is IND-CCA-secure.

Proof. In the following we give our scheme's security proof roughly.

(1) We observe that in Nieto et al.'s PKE scheme $u$ plays two roles: one is deriving the DEM message mask key, and the other is serving as part of the DDH test. But many research results show that it is secure to split these two roles [8]; thus we introduce $X$ for the role of part of the DDH test while keeping $u$ as the source for deriving the DEM message mask key, which is the reason why we use $(X^t Y)$ instead of $(u^t v)$ in our scheme.

(2) In our scheme we adopt Hofheinz and Kiltz's technique of reducing the SDH assumption to the factoring assumption; concretely, we set $X, Y, g, h, a$, and $b$ the same as theirs, but we make $a' = 2^m(a + 1/2) \bmod n \times \mathrm{ord}(QR_N^+)$ and $b' = 2^m(b + 1/2) \bmod n \times \mathrm{ord}(QR_N^+)$ public, which are used for public verifying. The verifying equation $(g^r)^{a' t + b'} = ((X^t Y)^r)^{2^m}$ can also be used for deciding the DDH relationship of $(g, X^t Y, g^r, (X^t Y)^r)$, but an attacker cannot figure out $\pi = (X^t Y)^r$ through finding the $1/2^m$ root of $(g^r)^{a' t + b'}$, for we know that finding square roots in $QR_N$ is as hard as factoring, and this also holds in $QR_N^+$.

(3) We require $2^m(a + 1/2) > n \times \mathrm{ord}(QR_N^+)$ and $2^m(b + 1/2) > n \times \mathrm{ord}(QR_N^+)$ for avoiding the trivial attack of computing $a + 1/2 = a'/2^m$ and $b + 1/2 = b'/2^m$ without any modular operation and thus trivially computing $\pi = (X^t Y)^r = (g^r)^{(a + 1/2)t + (b + 1/2)}$. Obviously this attack can easily forge a valid $\pi$ and thus a valid ciphertext and break the IND-CCA property. We also require that $m$ is not too small, to resist the brute force attack on finding $a$ from $a'$.

(4) Generally speaking, our scheme is almost identical to Nieto et al.'s scheme; thus the security proof is almost the same as theirs. Below are the details.

Let $(c^*, \delta^*, vk^*)$ be the challenge ciphertext. The proposed PKE without the CHK transform can be seen as a KEM/DEM combination, which is at least IND-CPA-secure due to Herranz et al. [58]. As for the KEM, a variant of the hashed Diffie-Hellman (HDH) assumption [48] can be used to prove the IND-CPA security of the resulting PKE. Note that the message does not depend on $vk^*$, and $\delta^*$ is just the signature on $c^*$. Therefore $c^*$, being an output of the IND-CPA-secure scheme, hides the value of the chosen $b$ from the adversary.

Figure 1: Routers drop the invalid ciphertexts via PVPKE (figure elements: Sender, Router, Adversary, Router, Receiver, PubK, SK).

Below we prove that the IND-CCA adversary $A$ may access the decryption oracle and will gain no help in guessing the value of $b$. Suppose the adversary submits a ciphertext $(c', \delta', vk') \ne (c^*, \delta^*, vk^*)$ to the decryption oracle. Now there are two cases.

(i) When $vk' = vk^*$, the decryption oracle will output $\perp$, as the adversary fails to break the underlying strongly unforgeable one-time signature scheme with respect to $vk'$.

(ii) When $vk' \ne vk^*$, the attacker $\mathcal{B}$ against the variant of the HDH problem can set the public keys as seen in the IND-CCA security proof for the KEM by Kiltz [57], such that (1) $\mathcal{B}$ can answer all decryption queries from $A$ except for the challenge ciphertext, even without knowledge of the secret key, and (2) $\mathcal{B}$ solves HDH if $A$ wins. Note that in Nieto et al.'s scheme $(u, v)$ is the public key, while in our scheme $(u, X, Y)$ is the public key; but we observe that $v$ is randomly chosen from $\mathbb{G}$, while in our scheme $X, Y$ are set as $h \circ g^a, h \circ g^b$, which are also random because $a, b$ are random. Thus our scheme roughly shares the same security proof outline as in [57], except that our scheme is in signed quadratic residues.

4. Applications

4.1. Application 1: The Routers Drop the Invalid Ciphertexts via PVPKE. As shown in Figure 1, PVPKE can be used in the open internet to help routers filter invalid ciphertexts, while traditional IND-CCA-secure public key encryption does not have this function. First, a sender (encrypter) wants to encrypt his message to a receiver (decrypter) by using public key encryption, and the ciphertexts in many cases have to be sent through open networks that are not equipped with security guards to resist malicious attack; thus the sender had better choose an IND-CCA-secure public key encryption to encrypt his message. When an error or a data loss occurs in the ciphertexts during transfer, PVPKE can help the routers drop invalid ciphertexts by using the public verifying algorithm. Note that here the routers do not need any secret, which will greatly reduce the cost of re-setup of the old system. Also, if there exists a malicious attacker modifying the ciphertexts, the invalid ciphertexts will also be dropped. This will greatly help the network to preserve its communication bandwidth for effective data blocks only, and help the routers and the receiver to reduce their workload, for they now only need to do the necessary computation. However, PVPKE cannot resist the following case: an attacker generates a ciphertext following the right encryption algorithm, and this ciphertext will certainly pass the public verifying algorithm. We think that in this case the attacker is indeed an encrypter, which is a trivial case that no verifying algorithm can avoid.

Figure 2: Gateways reduce the workload via PVPKE (figure elements: Gateway; IND-CCA ciphertext on the open internet network; IND-CPA ciphertext on the internal trusted network).

4.2. Application 2: The Gateways Reduce the Workload via PVPKE. The following scenario always exists: ciphertexts need to be transferred from a public open network, like the internet, to an internal network, like the government's network. As shown in Figure 2, PVPKE can be used to help the gateways reduce the workload by transforming an IND-CCA ciphertext into an IND-CPA ciphertext. When an IND-CCA ciphertext is captured by the gateway, the gateway first verifies its validity by using the public verifying algorithm. If it passes, then the gateway can drop the part of the ciphertext that is used to authenticate the ciphertext, like $(\delta, vk)$ in our PVPKE and Nieto et al.'s PKE scheme (here we do not claim that every PVPKE scheme has this separate authentication part, for there exist PVPKE schemes in which the authentication part is integrated into the other parts of the ciphertext as a whole). Thus the remaining ciphertext will be IND-CPA-secure and shorter than the original ciphertext. Because the government's network usually is protected well with many security mechanisms, IND-CPA security is enough to assure the security of the ciphertext. This will also reduce the workload of the employees who work on the internal network of the government.

4.3. Application 3: Achieving Ciphertext Checkable in the Clouds via PVPKE. Today more and more people prefer to upload their personal data contents to the cloud, but they do not want the cloud to know what the data contents are. Thus they need to encrypt the personal data contents before uploading them to the cloud. PVPKE can be used to make the ciphertext checkable in this case, as shown in Figure 3. When the data owner uploads the ciphertexts to the cloud, incidents like data loss or a malicious attacker modifying the ciphertexts may occur; in these cases a proxy can be used to check the ciphertext's validity by using PVPKE. When the data owner or data user needs to retrieve the content, the cloud returns the corresponding ciphertext to them; again the proxy can be used to check the ciphertext's validity by using PVPKE. Note here that the proxy needs only to be semitrusted: it can perform the check without any secret, which will greatly benefit reducing the system management. For example, the proxy can be the access infrastructure in the wireless network setting. Note also that we do not claim that every ciphertext needs to be checked, which would be too heavy; this check should be run probabilistically on randomly chosen ciphertexts.

Figure 3: Achieving ciphertext checkable in the clouds via PVPKE (figure elements: Storage nodes, Proxy, Outsource ciphertext, Retrieve ciphertext, Reliable ciphertext).

5. Conclusions

PVPKE is a very powerful building block for constructing other cryptographic primitives or protocols, and its construction has remained open for almost decades. In [13] we gave several constructions and analyzed their security. In this paper, by using the fact that the DDH oracle can be instantiated in signed quadratic residues, we give a new PVPKE construction and roughly prove its security. Future work will further explore our idea and prove our proposal's security strictly.

Disclosure

This paper is a revised and expanded version of a paper titled "New Construction of PVPKE Scheme Based on Signed Quadratic Residues" presented at the INCoS 2013 Conference [59]. The second author is the corresponding author.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The authors would like to express their gratitude to the editors for many helpful comments. This work is supported by the National Natural Science Foundation of China under Contracts nos. 61103230, 61272492, 61103231, and 61202492.

References

[1] A J Jara S Varakliotis A F Skarmeta and P KirsteinldquoExtending the Internet of things to the future internet throughIPv6 supportrdquoMobile Information Systems vol 10 no 1 pp 3ndash17 2014

[2] A J Jara D Fernandez P Lopez M A Zamora and A FSkarmeta ldquoLightweight MIPv6 with IPSec supportrdquo MobileInformation Systems vol 10 no 1 pp 37ndash77 2014

[3] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976

[4] R L Rivest A Shamir and L Adleman ldquoA method forobtaining digital signatures and public-key cryptosystemsrdquoCommunications of the Association for Computing Machineryvol 21 no 2 pp 120ndash126 1978

[5] S Goldwasser and S Micali ldquoProbabilistic encryptionrdquo Journalof Computer and System Sciences vol 28 no 2 pp 270ndash2991984

[6] M Abe E Kiltz and T Okamoto ldquoChosen ciphertext securitywith optimal ciphertext overheadrdquo in Advances in CryptologymdashASIACRYP vol 5350 of Lecture Notes in Computer Science pp355ndash371 Springer Berlin Germany 2008

[7] M Bellare and P Rogaway ldquoOptimal asymmetric encryp-tion how to encrypt with RSArdquo in Advances in CryptologymdashEUROCRYPTrsquo94 vol 950 of Lecture Notes in Computer Sciencepp 92ndash111 1994

[8] R Cramer and V Shoup ldquoA practical public key cryptosystemprovably secure against adaptive chosen ciphertext attackrdquo inAdvances inCryptologymdashCRYPTO rsquo98 vol 1462 ofLectureNotesin Computer Science pp 13ndash25 Springer Berlin Germany 1998

[9] G Hanaoka and K Kurosawa ldquoEfficient chosen ciphertextsecure public key encryption under the computational Diffie-Hellman assumptionrdquo inAdvances in CryptologymdashASIACRYPT2008 vol 5350 of Lecture Notes in Computer Science pp 308ndash325 Springer Berlin Germany 2008

[10] DHofheinz E Kiltz andV Shoup ldquoPractical chosen ciphertextsecure encryption from factoringrdquo Journal of Cryptology vol26 no 1 pp 102ndash118 2013

[11] Y Lindell ldquoA simpler construction of cca2-secure public-key encryption under general assumptionsrdquo in Advances inCryptologymdashEUROCRYPT 2003 vol 2656 of Lecture Notesin Computer Science pp 241ndash254 Springer Berlin Germany2003

[12] K Goto Y Sasaki T Hara and S Nishio ldquoData gatheringusingmobile agents for reducing traffic in densemobile wirelesssensor networksrdquoMobile Information Systems vol 9 no 4 pp295ndash314 2013

[13] M Zhang XAWangW Li andX Yang ldquoCCA secure publiclyverifiable public key encryption without pairings nor randomoracle and its applicationsrdquo Journal of Computers vol 8 no 8pp 1987ndash1994 2013

[14] XChen J Li andW Susilo ldquoEfficient fair conditional paymentsfor outsourcing computationsrdquo IEEE Transactions on Informa-tion Forensics and Security vol 7 no 6 pp 1687ndash1694 2012

Mobile Information Systems 9

[15] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, "New algorithms for secure outsourcing of modular exponentiations," in Computer Security—ESORICS 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541–556, Springer, Berlin, Germany, 2012.

[16] R. Canetti and S. Goldwasser, "An efficient threshold public key cryptosystem secure against adaptive chosen ciphertext attack," in Advances in Cryptology—EUROCRYPT '99, vol. 1592 of Lecture Notes in Computer Science, pp. 90–106, Springer, Berlin, Germany, 1999.

[17] J. Baek and Y. Zheng, "Identity-based threshold decryption," in Public Key Cryptography—PKC 2004, vol. 2947 of Lecture Notes in Computer Science, pp. 262–276, Springer, Berlin, Germany, 2004.

[18] D. Boneh, X. Boyen, and S. Halevi, "Chosen ciphertext secure public key threshold encryption without random oracles," in Topics in Cryptology—CT-RSA 2006, vol. 3860 of Lecture Notes in Computer Science, pp. 226–243, 2006.

[19] V. Shoup and R. Gennaro, "Securing threshold cryptosystems against chosen ciphertext attack," Journal of Cryptology, vol. 15, no. 2, pp. 75–96, 2002.

[20] C. Delerablee and D. Pointcheval, "Dynamic threshold public-key encryption," in Advances in Cryptology—CRYPTO, vol. 5157 of Lecture Notes in Computer Science, pp. 317–334, Springer, Berlin, Germany, 2008.

[21] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, "Improved proxy re-encryption schemes with applications to secure distributed storage," in Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS '05), pp. 29–43, San Diego, Calif, USA, 2005.

[22] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, "Improved proxy re-encryption schemes with applications to secure distributed storage," ACM Transactions on Information and System Security, vol. 9, no. 1, pp. 1–30, 2006.

[23] B. Libert and D. Vergnaud, "Unidirectional chosen-ciphertext secure proxy re-encryption," in Public Key Cryptography—PKC 2008, vol. 4939 of Lecture Notes in Computer Science, pp. 360–379, Springer, Berlin, Germany, 2008.

[24] R. Canetti and S. Hohenberger, "Chosen ciphertext secure proxy re-encryption," in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), pp. 185–194, ACM, 2007.

[25] J. Zhang and X. A. Wang, "On the security of a multi-use CCA-secure proxy re-encryption scheme," in Proceedings of the 4th International Conference on Intelligent Networking and Collaborative Systems (INCoS '12), pp. 571–576, Bucharest, Romania, September 2012.

[26] J. Zhang and X. Wang, "Security analysis of a multi-use identity based CCA-secure proxy reencryption scheme," in Proceedings of the 4th International Conference on Intelligent Networking and Collaborative Systems (INCoS '12), pp. 581–586, September 2012.

[27] J. Nieto, M. Manulis, B. Poettering, J. Rangasamy, and D. Stebila, "Publicly verifiable ciphertexts," in Proceedings of the 8th International Conference on Security and Cryptography for Networks (SCN '12), vol. 7485 of Lecture Notes in Computer Science, pp. 393–410, Amalfi, Italy, 2012.

[28] D. Hofheinz and E. Kiltz, "The group of signed quadratic residues and applications," in Advances in Cryptology—CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 637–653, Springer, Berlin, Germany, 2009.

[29] M. Naor and M. Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks," in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC '90), pp. 427–437, May 1990.

[30] C. Rackoff and D. R. Simon, "Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack," in Advances in Cryptology—CRYPTO '91, vol. 576 of Lecture Notes in Computer Science, pp. 433–444, Springer, Berlin, Germany, 1992.

[31] D. Dolev, C. Dwork, and M. Naor, "Non-malleable cryptography," in Proceedings of the 23rd Annual ACM Symposium on Theory of Computing (STOC '91), pp. 542–552, May 1991.

[32] A. Sahai, "Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security," in Proceedings of the 40th Annual Symposium on Foundations of Computer Science (IEEE FOCS '99), pp. 543–553, New York, NY, USA, October 1999.

[33] M. Bellare and P. Rogaway, "Random oracles are practical: a paradigm for designing efficient protocols," in Proceedings of the 1st ACM Conference on Computer and Communications Security (CCS '93), pp. 62–73, November 1993.

[34] R. Canetti, O. Goldreich, and S. Halevi, "Random oracle methodology revisited," in Proceedings of the 30th Annual ACM Symposium on Theory of Computing (STOC '98), pp. 209–218, May 1998.

[35] R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.

[36] K. Kurosawa and Y. Desmedt, "A new paradigm of hybrid encryption scheme," in Advances in Cryptology—CRYPTO 2004, vol. 3152 of Lecture Notes in Computer Science, pp. 426–442, 2004.

[37] M. Abe, R. Gennaro, K. Kurosawa, and V. Shoup, "Tag-KEM/DEM: a new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM," in Advances in Cryptology—EUROCRYPT 2005, vol. 3494 of Lecture Notes in Computer Science, pp. 128–146, Springer, Berlin, Germany, 2005.

[38] R. Canetti, S. Halevi, and J. Katz, "Chosen-ciphertext security from identity-based encryption," in Advances in Cryptology—EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 207–222, Springer, Berlin, Germany, 2004.

[39] D. Boneh and J. Katz, "Improved efficiency for CCA-secure cryptosystems built using identity-based encryption," in Topics in Cryptology—CT-RSA 2005, vol. 3376 of Lecture Notes in Computer Science, pp. 87–103, Springer, Berlin, Germany, 2005.

[40] X. Boyen, Q. Mei, and B. Waters, "Direct chosen ciphertext security from identity-based techniques," in Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS '05), pp. 320–329, November 2005.

[41] E. Kiltz, "Chosen-ciphertext security from tag-based encryption," in Theory of Cryptography, vol. 3876 of Lecture Notes in Computer Science, pp. 581–600, Springer, Berlin, Germany, 2006.

[42] C. Peikert and B. Waters, "Lossy trapdoor functions and their applications," in Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC '08), pp. 187–196, 2008.

[43] A. Rosen and G. Segev, "Chosen-ciphertext security via correlated products," in Theory of Cryptography, vol. 5444, pp. 419–436, Springer, Berlin, Germany, 2009.

[44] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," in Advances in Cryptology—CRYPTO 2001, Proceedings of the 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19–23, 2001, vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, Springer, Berlin, Germany, 2001.

[45] D. Boneh, C. Gentry, and B. Waters, "Collusion resistant broadcast encryption with short ciphertexts and private keys," in Proceedings of the 25th Annual International Cryptology Conference (CRYPTO '05), vol. 3621 of Lecture Notes in Computer Science, pp. 258–275, Santa Barbara, Calif, USA, 2005.

[46] J. Groth and A. Sahai, "Efficient non-interactive proof systems for bilinear groups," in Advances in Cryptology—EUROCRYPT 2008, vol. 4965 of Lecture Notes in Computer Science, pp. 415–432, Springer, Berlin, Germany, 2008.

[47] D. Boneh, G. D. Crescenzo, R. Ostrovsky, and G. Persiano, "Public key encryption with keyword search," in Computational Science and Its Applications—ICCSA 2008, vol. 3089 of Lecture Notes in Computer Science, pp. 31–45, Springer, Berlin, Germany, 2004.

[48] M. Abdalla, M. Bellare, D. Catalano et al., "Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions," in Advances in Cryptology—CRYPTO 2005, vol. 3621 of Lecture Notes in Computer Science, pp. 205–222, Springer, Berlin, Germany, 2005.

[49] V. Goyal, O. Pandey, A. Sahai, and B. Waters, "Attribute-based encryption for fine-grained access control of encrypted data," in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06), pp. 89–98, November 2006.

[50] J. Katz, A. Sahai, and B. Waters, "Predicate encryption supporting disjunctions, polynomial equations, and inner products," in Advances in Cryptology—EUROCRYPT 2008, vol. 4965 of Lecture Notes in Computer Science, pp. 146–162, Springer, Berlin, Germany, 2008.

[51] J. Baek, R. Safavi-Naini, and W. Susilo, "Certificateless public key encryption without pairing," in Information Security, vol. 3650 of Lecture Notes in Computer Science, pp. 134–148, Springer, Berlin, Germany, 2005.

[52] S. Al-Riyami and K. Paterson, "Certificateless public key cryptography," in Advances in Cryptology—ASIACRYPT 2003, vol. 2894 of Lecture Notes in Computer Science, pp. 452–473, Springer, 2003.

[53] R. Deng, J. Weng, S. Liu, and K. Chen, "Chosen-ciphertext secure proxy re-encryption without pairings," in Cryptology and Network Security, vol. 5339 of Lecture Notes in Computer Science, pp. 1–17, Springer, Berlin, Germany, 2008, http://eprint.iacr.org/2008/509.

[54] J. Shao and Z. Cao, "CCA-secure proxy re-encryption without pairings," in Public Key Cryptography—PKC 2009, vol. 5443 of Lecture Notes in Computer Science, pp. 357–376, Springer, Berlin, Germany, 2009.

[55] J. Camenisch and V. Shoup, "Practical verifiable encryption and decryption of discrete logarithms," in Advances in Cryptology—CRYPTO 2003, vol. 2729 of Lecture Notes in Computer Science, pp. 126–144, Springer, Berlin, Germany, 2003.

[56] A. Kiayias, Y. Tsiounis, and M. Yung, "Group Encryption," Cryptology ePrint Archive, 2007, http://eprint.iacr.org/2007/015.pdf.

[57] E. Kiltz, "Chosen-ciphertext secure key-encapsulation based on gap hashed Diffie-Hellman," in Public Key Cryptography—PKC, vol. 4450 of Lecture Notes in Computer Science, pp. 282–297, Springer, Berlin, Germany, 2007.

[58] J. Herranz, D. Hofheinz, and E. Kiltz, "KEM/DEM: necessary and sufficient conditions for secure hybrid encryption," IACR Cryptology ePrint Archive, Report 2006/256, IACR, 2006.

[59] J. Zhang and X. Wang, "New construction of PVPKE scheme based on signed quadratic residues," in Proceedings of the 5th International Conference on Intelligent Networking and Collaborative Systems (INCoS '13), pp. 434–437, September 2013.


CCA-secure PKE in the standard model. Till now there are at least four ways to construct efficient CCA-secure PKE in the standard model. The first way was proposed by Cramer and Shoup [8] and was further extended by themselves and other cryptographers [35–37]. The second way to construct CCA-secure PKE is the paradigm of IBE transformation, which allows transforming a selective-ID CPA-secure identity-based encryption (IBE) scheme into a CCA-secure PKE scheme [38–41]. The third way is based on verifiable broadcast encryption, proposed by Hanaoka and Kurosawa [9]. The fourth way relies on lossy trapdoor functions, introduced by Peikert and Waters [42] and further extended by Rosen and Segev [43] and many other works. Among the CCA-secure PKE schemes from these four ways, only the ones from the IBE transformation are publicly verifiable. However, most existing practical IBE schemes are based on the time-consuming pairings.

1.2.2. Without Pairings. Bilinear pairings enabled the construction of the first practical identity-based encryption scheme by Boneh and Franklin [44]. Since then, many wonderful results have been achieved by using bilinear pairings, such as fully collusion resistant broadcast encryption [45], efficient practical zero-knowledge proofs [46], searchable public key encryption [47, 48], attribute based encryption [49], and predicate encryption [50].

But we note that, on the one hand, the bilinear pairing is a very powerful cryptographic tool, while on the other hand the implementation speed of the bilinear pairing is still relatively slow. So recently many researchers have shown interest in constructing schemes without pairings, because on the one hand it clarifies to us which cryptographic tasks inherently need the bilinear property of pairings and which do not, and on the other hand it gives us a new view on old cryptographic problems. For example, Baek et al. constructed the first certificateless public key encryption without pairings [51], while the concept of certificateless public key cryptography was first raised by using bilinear pairings [52]. Other examples include Deng et al.'s and Shao and Cao's CCA-secure proxy reencryption without pairings [53, 54].

1.2.3. Verifiable Public Key Encryption. Another related research area is (private) verifiable public key encryption, such as Camenisch and Shoup's work [55]. However, their work was concerned only with the decryptor's verifiability of the ciphertext instead of public verifiability. Kiayias et al. extended their work by introducing some new concepts for constructing group encryption [56]. Owing to the bilinear property of pairings, CCA-secure public key encryption with public verifiability can be easily achieved in the bilinear pairing setting. However, the situation is completely different in the "without pairing" setting: constructing a PVPKE scheme has remained an open problem for almost decades.

1.3. Organization. We organize our paper as follows. In Section 2 we give some preliminaries. In Section 3 we give our PVPKE construction based on signed quadratic residues and analyse its security. In Section 4 we discuss PVPKE's applications. In the last section we give our conclusion.

2. Preliminaries

2.1. Publicly Verifiable Public Key Encryption. A publicly verifiable public key encryption system consists of the following algorithms.

(i) The randomized key generation algorithm Gen takes as input a security parameter $1^k$ and outputs a public key (PK) and a secret key (SK). We write $(PK, SK) \leftarrow \mathrm{Gen}(1^k)$.

(ii) The randomized encryption algorithm E takes as input a public key (PK) and a message $m \in \{0,1\}^*$ and outputs a ciphertext $C$. We write $C \leftarrow E_{PK}(m)$.

(iii) The verification algorithm V takes as input a ciphertext $C$ and a public key (PK). It returns valid or invalid to indicate whether the ciphertext is valid or not. Note that the validity of $C$ can be verified publicly.

(iv) The decryption algorithm D takes as input a ciphertext $C$ and a secret key (SK). It returns a message $m \in \{0,1\}^*$ or the distinguished symbol $\perp$. We write $m \leftarrow D_{SK}(C)$.

We require that for all $(PK, SK)$ output by Gen, all $m \in \{0,1\}^*$, and all $C$ output by $E_{PK}(m)$ we have $D_{SK}(C) = m$.

2.2. Chosen Ciphertext Security. We recall the standard definition of security against adaptive chosen ciphertext attack. A publicly verifiable public key encryption (PKE) scheme is secure against adaptive chosen ciphertext attacks (i.e., "CCA-secure") if the advantage of any PPT adversary $A$ in the following game is negligible in the security parameter $k$.

(1) $\mathrm{Gen}(1^k)$ outputs $(PK, SK)$. Adversary $A$ is given $1^k$ and $PK$.

(2) The adversary may make polynomially many queries to a decryption oracle $D_{SK}(\cdot)$.

(3) The adversary may make polynomially many queries to a verification oracle $V_{PK}(\cdot)$.

(4) At some point $A$ outputs two messages $m_0, m_1$ with $|m_0| = |m_1|$. A bit $b$ is randomly chosen and the adversary is given a "challenge ciphertext" $C^* \leftarrow E_{PK}(m_b)$.

(5) $A$ may continue to query its decryption oracle $D_{SK}(\cdot)$, except that it may not request the decryption of $C^*$.

(6) $A$ may continue to make polynomially many queries to the verification oracle $V_{PK}(\cdot)$.

(7) Finally, $A$ outputs a guess $b'$.

We say that $A$ succeeds if $b' = b$ and denote the probability of this event by $\Pr_{A,\mathrm{PKE}}[\mathrm{Succ}]$. The adversary's advantage is defined as $|\Pr_{A,\mathrm{PKE}}[\mathrm{Succ}] - 1/2|$.


2.3. The Group of Signed Quadratic Residues

2.3.1. RSA Instance Generator. Let $0 \le \delta \le 1/2$ be a constant and let $n(k)$ be a function. Let RSAgen be an algorithm that generates elements $(N, P, Q)$ such that $N = PQ$ is an $n$-bit Blum integer ($N = PQ$, where $P \equiv 3 \bmod 4$ and $Q \equiv 3 \bmod 4$) and all prime factors of $\phi(N)/4$ are pairwise distinct and at least $\delta n$-bit integers.

2.3.2. Factoring Assumption. The factoring assumption is that computing $P, Q$ from $N$ (generated by RSAgen) is hard. We write

$$\mathrm{Adv}^{\mathrm{fac}}_{A,\mathrm{RSAgen}} = \Pr\left[(P, Q) \leftarrow_R A(N) : (N, P, Q) \leftarrow_R \mathrm{RSAgen}(1^k)\right]. \qquad (1)$$

The factoring assumption for RSAgen holds if $\mathrm{Adv}^{\mathrm{fac}}_{A,\mathrm{RSAgen}}$ is negligible for all efficient $A$.

2.3.3. The Group of Signed Quadratic Residues. Let $N$ be an integer. For $x \in \mathbb{Z}_N$ we define $|x|$ as the absolute value of $x$, where $x$ is represented as a signed integer in the set $\{-(N-1)/2, \ldots, (N-1)/2\}$. For a subgroup $G$ of $\mathbb{Z}^*_N$ we define the signed group $G^+$ as the group

$$G^+ = \{|x| : x \in G\} \qquad (2)$$

with the following group operation. Namely, for $g, h \in G^+$ and an integer $x$ we define

$$g \circ h = |g \cdot h \bmod N|, \qquad g^x = g \circ g \circ \cdots \circ g = |g^x \bmod N|. \qquad (3)$$

More complicated expressions in the exponents are computed modulo the group order; for example, $g^{1/2} = g^{2^{-1} \bmod \mathrm{ord}(G^+)}$. Note that taking the absolute value is a surjective homomorphism from $G$ to $G^+$, with trivial kernel if $-1$ does not belong to $G$ and with kernel $\{-1, 1\}$ if $-1 \in G$.

Let $N$ be a Blum integer such that $-1$ does not belong to $QR_N$. We will mainly be interested in $QR^+_N$, which we call signed quadratic residues (modulo $N$). $QR^+_N$ is a subgroup of $\mathbb{Z}^*_N / \{\pm 1\}$, with absolute values as a convenient computational representation. The following basic facts hold.

Theorem 1. Let $N$ be a Blum integer; then we have the following.

(1) $(QR^+_N, \circ)$ is a group of order $\phi(N)/4$.

(2) $QR^+_N = J^+_N$. In particular, $QR^+_N$ is efficiently recognizable (given only $N$).

(3) If $QR_N$ is cyclic, so is $QR^+_N$.

2.3.4. Strong DH Assumption Reduced to Factoring Assumption. Hofheinz and Kiltz [28] also proved that the strong DH assumption can be reduced to the factoring assumption. Here we review the theorem and its proof.

Theorem 2. If the factoring assumption holds, then the strong DH assumption holds relative to RSAgen. In particular, for every strong DH adversary $A$ there exists a factoring adversary $B$ (with roughly the same complexity as $A$) such that

$$\mathrm{Adv}^{\mathrm{SDH}}_{A,\mathrm{RSAgen}}(k) \le \mathrm{Adv}^{\mathrm{fac}}_{B,\mathrm{RSAgen}}(k) + O\left(2^{-\delta n(k)}\right). \qquad (4)$$

Proof. We construct $B$ from a given $A$. Concretely, $B$ receives a challenge $N = PQ$, chooses uniformly $u \leftarrow_R (\mathbb{Z}^*_N)^+ \setminus QR^+_N$, and sets $h = u^2$. Note that by definition of $N$ we have $\langle h \rangle = QR^+_N$ except with probability $O(2^{-\delta n(k)})$. Then $B$ chooses $a, b \in [N/4]$ and sets

$$g = h^2, \qquad X = h \circ g^a, \qquad Y = h \circ g^b \qquad (5)$$

(here we omit the $\bmod N$ operation, and hereafter we continue to omit $\bmod N$ for typical modular exponentiations). This implicitly defines

$$\mathrm{dlog}_g X = a + \frac{1}{2} \bmod \mathrm{ord}(QR^+_N), \qquad \mathrm{dlog}_g Y = b + \frac{1}{2} \bmod \mathrm{ord}(QR^+_N), \qquad (6)$$

where the discrete logarithms are of course considered in $(QR^+_N, \circ)$. Again by definition of $N$, the statistical distance between these $(g, X, Y)$ and the input of $A$ in the strong DH experiment is bounded by $O(2^{-\delta n(k)})$. So $B$ runs $A$ on input $(g, X, Y)$ and answers $A$'s oracle queries $(\hat{Y}, \hat{Z})$ as follows. First, we may assume that $\hat{Y}, \hat{Z} \in QR^+_N$, since $QR^+_N = J^+_N$ is efficiently recognizable. Next, since $N$ is a Blum integer, the group order $\mathrm{ord}(QR^+_N) = (P-1)(Q-1)/4$ is odd, and hence

$$\hat{Y}^{\mathrm{dlog}_g X} = \hat{Z} \iff \hat{Y}^{2\,\mathrm{dlog}_g X} = \hat{Z}^2 \iff \hat{Y}^{2a+1} = \hat{Z}^2. \qquad (7)$$

Thus $B$ can implement the strong DH oracle by checking whether $\hat{Y}^{2a+1} = \hat{Z}^2$ holds.

Consequently, with probability $\mathrm{Adv}^{\mathrm{SDH}}_{A,\mathrm{RSAgen}}(k) - O(2^{-\delta n(k)})$, $A$ will finally output

$$Z = g^{(\mathrm{dlog}_g X)(\mathrm{dlog}_g Y)} = g^{(a+1/2)(b+1/2)} = h^{2ab+a+b+1/2} \in QR^+_N, \qquad (8)$$

from which $B$ can extract $v = h^{1/2} \in QR^+_N$ (using its knowledge about $a$ and $b$). Since $u \notin QR^+_N$ and $v \in QR^+_N$ are two nontrivially different square roots of $h$, $B$ can factor $N$ by computing $\gcd(u - v, N)$.

3. CCA-Secure Publicly Verifiable Public Key Encryption in the Standard Model Based on Signed Quadratic Residues

3.1. Review of Nieto et al.'s Publicly Verifiable PKE Scheme. Their construction is inspired by the IND-CCA public key KEM of Kiltz [57]; the PG (ParamGen) algorithm is similar to [57] except that it uses gap groups. $\mathrm{PG}(1^k)$ outputs public parameters $\mathrm{par} = (G, p, g, \mathrm{DDH}, H)$, where $G = \langle g \rangle$ is a multiplicative cyclic group of prime order $p$, $2^k \le p \le 2^{k+1}$, DDH is an efficient algorithm such that $\mathrm{DDH}(g^a, g^b, g^c) = 1 \leftrightarrow c = ab \pmod p$, and $H : G \rightarrow \{0,1\}^{l_1(k)}$ is a cryptographic hash function such that $l_1(k)$ is a polynomial in $k$. We also use a strong one-time signature scheme $\mathrm{OTS} = (\mathrm{KG}, \mathrm{Sign}, \mathrm{Vrfy})$ with verification key space $\{0,1\}^{l_2(k)}$ such that $l_2(k)$ is a polynomial in $k$, and a target collision resistant hash function $\mathrm{TCR} : G \times \{0,1\}^{l_2(k)} \rightarrow \mathbb{Z}_p$. The message space is $\mathrm{MsgSp} = \{0,1\}^{l_1(k)}$. The scheme works as follows.

(i) $\mathrm{PKE.KG}(\mathrm{par})$:

$$\begin{aligned}
&x \leftarrow \mathbb{Z}^*_p, \quad u \leftarrow g^x, \quad v \leftarrow G \\
&ek \leftarrow (u, v), \quad dk \leftarrow x \\
&\text{Return } (ek, dk)
\end{aligned} \qquad (9)$$

(ii) $\mathrm{PKE.Enc}(\mathrm{par}, ek, M)$:

$$\begin{aligned}
&(u, v) \leftarrow ek \\
&(vk, sigk) \leftarrow \mathrm{OTS.KG}(1^k) \\
&r \leftarrow_R \mathbb{Z}^*_p, \quad c_1 \leftarrow g^r \\
&t \leftarrow \mathrm{TCR}(c_1, vk), \quad \pi \leftarrow (u^t v)^r \\
&K \leftarrow H(u^r), \quad c_2 \leftarrow M \oplus K \\
&c \leftarrow (c_1, c_2, \pi) \\
&\delta \leftarrow \mathrm{OTS.Sign}(sigk, c) \\
&\text{Return } C = (c, \delta, vk)
\end{aligned} \qquad (10)$$

(iii) $\mathrm{PKE.Ver}(\mathrm{par}, ek, C)$:

$$\begin{aligned}
&(u, v) \leftarrow ek \\
&(c, \delta, vk) \leftarrow C \\
&(c_1, c_2, \pi) \leftarrow c \\
&t \leftarrow \mathrm{TCR}(c_1, vk) \\
&\text{If } \mathrm{DDH}(c_1, u^t v, \pi) = 0 \text{ or } \mathrm{OTS.Vrfy}(c, \delta, vk) = \perp, \text{ return } \perp \\
&\text{Return } C' = (c_1, c_2)
\end{aligned} \qquad (11)$$

(iv) $\mathrm{PKE.Dec}'(\mathrm{par}, ek, dk, C')$:

$$\begin{aligned}
&(c_1, c_2) \leftarrow C' \\
&x \leftarrow dk \\
&K \leftarrow H(c_1^x), \quad M \leftarrow c_2 \oplus K \\
&\text{Return } M
\end{aligned} \qquad (12)$$

3.2. Our Proposed PVPKE Scheme Based on Signed Quadratic Residues. First we give the core idea behind our construction. We observe that Nieto et al.'s PKE scheme actually is a PVPKE scheme, but the only issue is that they use an abstract DDH oracle. They instantiate this oracle by bilinear pairings, but we require that a PVPKE scheme cannot rely on bilinear pairings. We also observe that signed quadratic residues can instantiate the abstract DDH oracle as well, so we modify Nieto et al.'s scheme to be based on the signed quadratic residues group, which now gives a natural new PVPKE scheme. Notation: we omit the $\bmod N$ operation in every modular exponentiation in signed quadratic residues; for example, $h = |u^2 \bmod N|$ is simply written as $h = u^2$, which means that all modular exponentiations and other operations obey the rules defined in [28] instead of the normal group rules. The following is the concrete scheme.

(i) $\mathrm{PVPKE.PG}(1^k)$ is as follows.

(a) Here we focus on the $QR^+_N$ group: we first generate an RSA modulus $N = PQ$ with $\mathrm{RSAgen}(1^k)$ [28], then choose uniformly $u \leftarrow_R (\mathbb{Z}^*_N)^+ \setminus QR^+_N$ and set $h = u^2$. Note that by definition of $N$ we have $G = \langle h \rangle = QR^+_N$ except with probability $O(2^{-\delta n(k)})$.

(b) $H : G \rightarrow \{0,1\}^{l_1(k)}$ is a cryptographic hash function such that $l_1(k)$ is a polynomial in $k$.

(c) We also use a strong one-time signature scheme $\mathrm{OTS} = (\mathrm{KG}, \mathrm{Sign}, \mathrm{Vrfy})$ with verification key space $\{0,1\}^{l_2(k)}$ such that $l_2(k)$ is a polynomial in $k$, and a target collision resistant hash function $\mathrm{TCR} : G \times \{0,1\}^{l_2(k)} \rightarrow \mathbb{Z}_p$. The message space is $\mathrm{MsgSp} = \{0,1\}^{l_1(k)}$.

(d) DDH is an efficient algorithm such that $\mathrm{DDH}(g^a, g^b, g^c) = 1 \leftrightarrow c = ab \bmod p$. For the scheme relying on the $QR^+_N$ group we can easily decide the DDH tuple; concretely, we do the following.

(1) Choose $a, b \in [N/4]$ and $m, n \in \mathrm{ord}(QR^+_N)$ satisfying $2^m(a + 1/2) > n \times \mathrm{ord}(QR^+_N)$, $2^m(b + 1/2) > n \times \mathrm{ord}(QR^+_N)$, and $m$ not very small. Then set

$$g = h^2, \qquad X = h \circ g^a, \qquad Y = h \circ g^b. \qquad (13)$$

(2) Publish $a' = 2^m(a + 1/2) \bmod n \times \mathrm{ord}(QR^+_N)$ and $b' = 2^m(b + 1/2) \bmod n \times \mathrm{ord}(QR^+_N)$ as the parameters for public verifying.

(3) $\mathrm{DDHParams} = (g, X, Y, a', b', 2^m)$.

(e) $\mathrm{PG}(1^k)$ outputs public parameters $\mathrm{par} = (G, N, \mathrm{DDHParams}, H, \mathrm{OTS}) = (G, N, g, X, Y, a', b', 2^m, H, \mathrm{OTS})$.

(ii) $\mathrm{PVPKE.KG}(\mathrm{par})$:

$$\begin{aligned}
&x \leftarrow \mathbb{Z}^*_N, \quad u \leftarrow g^x \\
&X = h \circ g^a, \quad Y = h \circ g^b \\
&ek \leftarrow (u, X, Y), \quad dk \leftarrow x \\
&\text{Return } (ek, dk)
\end{aligned} \qquad (14)$$

(iii) $\mathrm{PVPKE.Enc}(\mathrm{par}, ek, M)$:

$$\begin{aligned}
&(u, X, Y) \leftarrow ek \\
&(vk, sigk) \leftarrow \mathrm{OTS.KG}(1^k) \\
&r \leftarrow_R \mathbb{Z}^*_N, \quad c_1 \leftarrow g^r \\
&t \leftarrow \mathrm{TCR}(c_1, vk), \quad \pi \leftarrow (X^t Y)^r \\
&K \leftarrow H(u^r), \quad c_2 \leftarrow M \oplus K \\
&c \leftarrow (c_1, c_2, \pi) \\
&\delta \leftarrow \mathrm{OTS.Sign}(sigk, c) \\
&\text{Return } C = (c, \delta, vk)
\end{aligned} \qquad (15)$$

(iv) $\mathrm{PVPKE.Ver}(\mathrm{par}, ek, C)$:

$$\begin{aligned}
&(u, X, Y) \leftarrow ek \\
&(c, \delta, vk) \leftarrow C \\
&(c_1, c_2, \pi) \leftarrow c \\
&t \leftarrow \mathrm{TCR}(c_1, vk) \\
&\text{If } c_1^{a' t + b'} \ne \pi^{2^m} \text{ or } \mathrm{OTS.Vrfy}(c, \delta, vk) = \perp, \text{ return } \perp \\
&\text{Return } C' = (c_1, c_2)
\end{aligned} \qquad (16)$$

(v) $\mathrm{PVPKE.Dec}'(\mathrm{par}, ek, dk, C')$:

$$\begin{aligned}
&(c_1, c_2) \leftarrow C' \\
&x \leftarrow dk \\
&K \leftarrow H(c_1^x), \quad M \leftarrow c_2 \oplus K \\
&\text{Return } M
\end{aligned} \qquad (17)$$
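As an added example (not code from the paper), the following Python models the signed quadratic residue group of Section 2.3.3 and the algebraic part of the PVPKE scheme above (PG, KG, Enc, the public check $c_1^{a't+b'} = \pi^{2^m}$ of Ver, and Dec') on a toy Blum modulus. It assumes SHA-256 instantiations of $H$ and TCR, omits the one-time signature, and uses constructed values for $N = 23 \cdot 47$, the exponents, and the message.

```python
# Added example, not code from the paper: signed quadratic residues (Section 2.3.3)
# and the algebraic part of PVPKE.PG/KG/Enc/Ver/Dec' (Section 3.2) on a toy modulus.
# Assumptions: H and TCR are instantiated with SHA-256, the one-time signature OTS
# is omitted, and the toy modulus N = 23 * 47 is far too small for real use.
import hashlib
from math import gcd


def signed_abs(x, N):
    """|x|: view x mod N as a signed integer in {-(N-1)/2, ..., (N-1)/2}, return its absolute value."""
    x %= N
    return x if x <= (N - 1) // 2 else N - x


def circ(g, h, N):
    """Group operation of G^+: g o h = |g * h mod N| (equation (3))."""
    return signed_abs(g * h, N)


def spow(g, e, N):
    """Signed exponentiation g^e = |g^e mod N| for a non-negative integer exponent e."""
    return signed_abs(pow(g, e, N), N)


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; lets anyone recognise J_N^+ = QR_N^+ without P, Q."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def in_signed_qr(x, N):
    """Membership in QR_N^+ = J_N^+ (Theorem 1(2)): 1 <= x <= (N-1)/2, coprime to N, Jacobi symbol +1."""
    return 1 <= x <= (N - 1) // 2 and gcd(x, N) == 1 and jacobi(x, N) == 1


def param_gen(P, Q, u, a, b, m, n):
    """PVPKE.PG: N = P*Q Blum, u in (Z_N^*)^+ minus QR_N^+, h = u^2, g = h^2, X = h o g^a, Y = h o g^b,
    plus the public exponents a' = 2^m(a+1/2), b' = 2^m(b+1/2) reduced mod n*ord(QR_N^+)."""
    if P % 4 != 3 or Q % 4 != 3:
        raise ValueError("N must be a Blum integer")
    N = P * Q
    order = (P - 1) * (Q - 1) // 4              # ord(QR_N^+), odd (Theorem 1(1))
    if jacobi(u, N) != -1:
        raise ValueError("u must lie outside QR_N^+")
    h = spow(u, 2, N)
    # Step (d)(1): 2^m(a+1/2) > n*ord and 2^m(b+1/2) > n*ord, otherwise a', b' are never
    # reduced and reveal a, b, which allows the trivial forgery of pi described in Section 3.3.
    if 2 ** (m - 1) * (2 * a + 1) <= n * order or 2 ** (m - 1) * (2 * b + 1) <= n * order:
        raise ValueError("m too small: a', b' would reveal a, b")
    g = spow(h, 2, N)
    return {"N": N, "g": g, "two_m": 2 ** m,
            "X": circ(h, spow(g, a, N), N), "Y": circ(h, spow(g, b, N), N),
            "a_p": 2 ** (m - 1) * (2 * a + 1) % (n * order),
            "b_p": 2 ** (m - 1) * (2 * b + 1) % (n * order)}


def key_gen(par, x):
    """PVPKE.KG: ek = (u, X, Y) with u = g^x, dk = x."""
    return {"u": spow(par["g"], x, par["N"]), "X": par["X"], "Y": par["Y"]}, x


def tcr(c1, vk, N):
    """Assumed TCR instantiation: SHA-256 of (c1, vk) used as an exponent."""
    return int.from_bytes(hashlib.sha256(c1.to_bytes(8, "big") + vk).digest(), "big") % N


def mask(z, length):
    """Assumed H instantiation: SHA-256 of a group element, truncated to the message length (<= 32)."""
    return hashlib.sha256(z.to_bytes(8, "big")).digest()[:length]


def encrypt(par, ek, msg, r, vk):
    """PVPKE.Enc for a given randomness r and OTS verification key vk (signature delta omitted)."""
    N = par["N"]
    c1 = spow(par["g"], r, N)
    t = tcr(c1, vk, N)
    pi = spow(circ(spow(ek["X"], t, N), ek["Y"], N), r, N)     # pi = (X^t Y)^r
    K = mask(spow(ek["u"], r, N), len(msg))                     # K = H(u^r)
    return {"c1": c1, "c2": bytes(mi ^ ki for mi, ki in zip(msg, K)), "pi": pi, "vk": vk}


def verify(par, C):
    """PVPKE.Ver without the OTS check: c1, pi in QR_N^+ and c1^(a' t + b') = pi^(2^m); needs no secret."""
    N = par["N"]
    if not (in_signed_qr(C["c1"], N) and in_signed_qr(C["pi"], N)):
        return False
    t = tcr(C["c1"], C["vk"], N)
    return spow(C["c1"], par["a_p"] * t + par["b_p"], N) == spow(C["pi"], par["two_m"], N)


def decrypt(par, dk, C):
    """PVPKE.Dec': K = H(c1^x), M = c2 xor K (c1^x = u^r because u = g^x)."""
    K = mask(spow(C["c1"], dk, par["N"]), len(C["c2"]))
    return bytes(ci ^ ki for ci, ki in zip(C["c2"], K))
```

A router holding only `par` can run `verify` and drop a ciphertext whose $\pi$ was altered, while only the holder of `dk` can recover the message; the omitted OTS is what additionally binds $c_2$ to the verified $(c_1, \pi)$.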

33 Security Analysis Based on Nieto et alrsquos security resultand the property of signed quadratic residues we can give thefollowing theorem

Theorem 3 Assume that TCR is a target collision resistanthash function and OTS is a strongly unforgeable one-timesignature scheme Under a variant of hashed Diffie-Hellmanassumption for G (signed quadratic residues group) and 119867the factoring assumption of RSAGen (which implies the strongDiffie-Hellman assumption in signed quadratic residues groupproved in [28]) our PVPKE scheme based on signed quadraticresidues is IND-CCA-secure

Proof In the following we give our schemersquos security proofroughly

(1) We observe that in Nieto et alrsquos PKE scheme 119906 playstwo roles one used to be deriving the DEM messagemask key and the other used to be as part of theDDH test But many research results show that it issecure to split these two roles separately [8] thuswe introduce 119883 as the role of part of the DDH testwhile maintaining 119906 as the source of deriving DEMmessage mask key which is the reason why we use(119883119905119884) instead of (119906119905V) in our scheme

(2) In our scheme we adopt Hofheinz and Kiltzrsquos tech-nique of reducing SDH assumption to the factoringassumption concretely we set 119883 119884 119892 ℎ 119886 and119887 the same as theirs but we make 1198861015840 = 2

119898(119886 +

12) mod 119899 times ord(119876119877+119873) and 1198871015840 = 2119898(119887+12) mod 119899times

ord(119876119877+119873) public which is used for public verifying

The verifying equation (119892119903)1198861015840

119905+1198871015840

= ((119883119905119884)119903

)2119898

canalso be used for deciding the DDH relationship of(119892 119883119905119884 119892119903 (119883119905119884)119903

) but an attacker cannot figure out120587 = (119883

119905119884)119903 through finding 12119898 root of (119892119903)119886

1015840

119905+1198871015840

for we know finding square root in 119876119877

119873is as hard as

factoring and this also holds in 119876119877+119873

(3) We require 2119898(119886+12) gt 119899 times ord(119876119877+119873) 2119898(119887+12) gt

119899 times ord(119876119877+119873) for avoiding the trivial attack of com-

puting 119886 + 12 = 11988610158402119898 and 119887 + 12 = 11988710158402119898 withoutany modular operation and thus trivial computing120587 = (119883

119905119884)119903

= (119892119903)(119886+12)119905+(119887+12) Obviously this attack

can easily forge a valid 120587 and thus a valid ciphertextand break the IND-CCA property We also requirethat 119898 is not too little to resist the brute force attackon finding 119886 from 119886

1015840

(4) Generally speaking our scheme is almost identical toNieto et alrsquos scheme thus the security proof is almostthe same as theirs Below are the details

Let $(c^*, \delta^*, vk^*)$ be the challenge ciphertext. The proposed PKE without the CHK transform can be seen as a KEM/DEM combination, which is at least IND-CPA-secure due to Herranz et al. [58]. As for the KEM, a variant of the hashed Diffie-Hellman (HDH) assumption [48] can be used to prove the IND-CPA security of the resulting PKE. Note that the message does not depend on $vk^*$, and $\delta^*$ is just the signature on $c^*$. Therefore $c^*$, being an output of the IND-CPA-secure scheme, hides the chosen bit $b$ from the adversary.

Mobile Information Systems 7

Figure 1: Routers drop the invalid ciphertexts via PVPKE. (Figure labels: Sender, PubK, Router, Adversary, Router, Receiver, SK.)

Below we prove that the IND-CCA adversary $\mathcal{A}$, which may access the decryption oracle, gains no help in guessing the bit $b$. Suppose the adversary submits a ciphertext $(c', \delta', vk') \neq (c^*, \delta^*, vk^*)$ to the decryption oracle. There are two cases.

(i) When $vk' = vk^*$, the decryption oracle outputs $\bot$, since the adversary cannot break the underlying strongly unforgeable one-time signature scheme with respect to $vk'$.

(ii) When $vk' \neq vk^*$, the attacker $\mathcal{B}$ against the variant of the HDH problem can set up the public keys as in the IND-CCA security proof for the KEM by Kiltz [57], such that (1) $\mathcal{B}$ can answer all decryption queries from $\mathcal{A}$ except for the challenge ciphertext, even without knowledge of the secret key, and (2) $\mathcal{B}$ solves HDH if $\mathcal{A}$ wins. Note that in Nieto et al.'s scheme $(u, v)$ is the public key, while in our scheme $(u, X, Y)$ is the public key; but $v$ is chosen at random from $\mathbb{G}$, and in our scheme $X, Y$ are set as $h \circ g^a, h \circ g^b$, which are also random because $a, b$ are random. Thus our scheme roughly shares the same security proof outline as [57], except that our scheme works in signed quadratic residues.
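The verification equation of remark (2), the condition of remark (3), and the Hofheinz-Kiltz reduction reviewed in Section 2.3.4 (Theorem 2) are illustrated by the following added example; it is not code from the paper. It is a toy model: the modulus is the product of two small safe primes congruent to 3 mod 4 (so the script runs instantly and ord$(QR_N^+)$ is known to the script), TCR is instantiated with SHA-256 (an assumption; the paper only requires a target collision resistant hash), and a "winning" strong-DH adversary is simulated with the trapdoor, since nobody can compute $g^{(a+1/2)(b+1/2)}$ without it. The function names and the values $m = 64$, $n = 3$ are the example's own choices.

```python
# Added example, not the paper's code: a toy of the signed quadratic residues QR_N^+ [28],
# the public DDH check of remark (2) / Section 3.2, and the Hofheinz-Kiltz extractor of
# Theorem 2.  Assumed: toy modulus with factors known to the script, SHA-256 as TCR.
import hashlib, math, random

def signed(x, N):
    """|x|: reduce x mod N to a signed integer in [-(N-1)/2, (N-1)/2], drop the sign."""
    x %= N
    return N - x if x > (N - 1) // 2 else x

def op(x, y, N):  # group operation of QR_N^+: x o y = |x * y mod N|
    return signed(x * y, N)

def power(x, e, N):  # x^e = |x^e mod N|; negative e means a modular inverse (Python 3.8+)
    return signed(pow(x, e, N), N)

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n; QR_N^+ = J_N^+, so this is the membership test."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def in_qr_plus(x, N):
    return 0 < x <= (N - 1) // 2 and jacobi(x, N) == 1

def param_gen(P, Q, m, n, seed=1):
    """PVPKE.PG of Section 3.2 (toy: P and Q are known, so ord(QR_N^+) is available)."""
    rng, N = random.Random(seed), P * Q
    order = (P - 1) * (Q - 1) // 4                      # ord(QR_N^+), odd for a Blum N
    while True:                                         # u <- (Z_N^*)^+ \ QR_N^+
        u = signed(rng.randrange(2, N), N)
        if math.gcd(u, N) == 1 and jacobi(u, N) == -1:
            break
    h = power(u, 2, N)                                  # <h> = QR_N^+ w.h.p.
    g = power(h, 2, N)                                  # so h = g^(1/2)
    a, b = rng.randrange(1, N // 4), rng.randrange(1, N // 4)
    X, Y = op(h, power(g, a, N), N), op(h, power(g, b, N), N)  # X = g^(a+1/2), Y = g^(b+1/2)
    a_num, b_num = (2 * a + 1) << (m - 1), (2 * b + 1) << (m - 1)  # 2^m(a+1/2), 2^m(b+1/2)
    assert min(a_num, b_num) > n * order, "remark (3): m too small, a' would reveal a"
    pub = dict(N=N, g=g, X=X, Y=Y, two_m=1 << m,
               a_pub=a_num % (n * order), b_pub=b_num % (n * order))
    return pub, dict(order=order, u=u, h=h, a=a, b=b)

def tcr(c1, vk):  # assumed TCR instantiation: SHA-256 of (c1, vk), read as the integer t
    return int.from_bytes(hashlib.sha256(f"{c1}|{vk}".encode()).digest(), "big")

def encapsulate(pub, vk, r):
    """The (c1, pi) part of PVPKE.Enc: c1 = g^r, t = TCR(c1, vk), pi = (X^t Y)^r."""
    N = pub["N"]
    c1 = power(pub["g"], r, N)
    pi = power(op(power(pub["X"], tcr(c1, vk), N), pub["Y"], N), r, N)
    return c1, pi

def publicly_verify(pub, vk, c1, pi):
    """Remark (2): (g^r)^(a' t + b') == ((X^t Y)^r)^(2^m), using public data only."""
    N = pub["N"]
    if not (in_qr_plus(c1, N) and in_qr_plus(pi, N)):  # J_N^+ is recognisable from N alone
        return False
    t = tcr(c1, vk)
    return power(c1, pub["a_pub"] * t + pub["b_pub"], N) == power(pi, pub["two_m"], N)

def sdh_oracle(td, N, x_hat, z_hat):
    """B's strong-DH oracle (Theorem 2): odd order, so x^(a+1/2) == z  <=>  x^(2a+1) == z^2."""
    return power(x_hat, 2 * td["a"] + 1, N) == power(z_hat, 2, N)

def sdh_solution_with_trapdoor(pub, td):
    """Stand-in for a winning SDH adversary: g^((a+1/2)(b+1/2)) via the known group order."""
    o = td["order"]
    e = (2 * td["a"] + 1) * (2 * td["b"] + 1) * pow(4, -1, o) % o
    return power(pub["g"], e, pub["N"])

def factor_from_sdh_answer(pub, td, Z):
    """Z = h^(2ab+a+b+1/2), so v = Z o h^-(2ab+a+b) = h^(1/2) in QR_N^+; u (outside
    QR_N^+) and v are different square roots of h, hence gcd(u - v, N) splits N."""
    a, b, N = td["a"], td["b"], pub["N"]
    v = op(Z, power(td["h"], -(2 * a * b + a + b), N), N)
    return math.gcd(td["u"] - v, N)

def demo(seed=1):
    """End-to-end toy run on N = 1019 * 1187 (two safe primes, both 3 mod 4)."""
    pub, td = param_gen(1019, 1187, m=64, n=3, seed=seed)
    N, g = pub["N"], pub["g"]
    c1, pi = encapsulate(pub, "vk-demo", r=123457)
    x_hat, z_hat = power(g, 77, N), power(pub["X"], 77, N)   # a genuine (g^s, X^s) pair
    Z = sdh_solution_with_trapdoor(pub, td)
    return {
        "honest_verifies": publicly_verify(pub, "vk-demo", c1, pi),
        "forged_pi_verifies": publicly_verify(pub, "vk-demo", c1, op(pi, g, N)),
        "oracle_yes": sdh_oracle(td, N, x_hat, z_hat),
        "oracle_no": sdh_oracle(td, N, x_hat, op(z_hat, g, N)),
        "factor": factor_from_sdh_answer(pub, td, Z),
    }
```

`demo()` returns `honest_verifies = True`, `forged_pi_verifies = False` (a $\pi$ that is one group operation off fails the $2^m$-th power check), the two oracle answers, and a prime factor of $N$. Two points worth noticing: `publicly_verify` touches only `pub`, so a router or gateway needs neither the factorisation nor the decryption key, and the `assert` in `param_gen` is exactly remark (3): with $m$ too small, $a'$ would be $2^m(a + 1/2)$ itself, with no modular reduction hiding $a$.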

4. Applications

4.1. Application 1: The Routers Drop the Invalid Ciphertexts via PVPKE. As shown in Figure 1, PVPKE can be used in the open Internet to help routers filter out invalid ciphertexts, a function that traditional IND-CCA-secure public key encryption does not offer. A sender (encrypter) wants to encrypt a message to a receiver (decrypter) using public key encryption, and in many cases the ciphertexts have to travel through open networks that have no security guards against malicious attack; the sender therefore had better choose an IND-CCA-secure public key encryption scheme. When an error or data loss corrupts a ciphertext in transit, PVPKE lets the routers drop the invalid ciphertext by running the public verification algorithm. Note that the routers need no secret for this, which greatly reduces the cost of re-deploying the existing system. If a malicious attacker modifies ciphertexts, the invalid ciphertexts are likewise dropped. This helps the network reserve its communication bandwidth for valid data blocks and reduces the workload of the routers and the receiver, which now only perform the necessary computation. However, PVPKE cannot resist the following case: an attacker generates a ciphertext by correctly following the encryption algorithm, and such a ciphertext will certainly pass public verification. In that case the attacker is simply an encrypter, which is a trivial case that no verification algorithm can rule out.

Figure 2: Gateways reduce the workload via PVPKE. (Figure labels: open Internet network, IND-CCA ciphertext, Gateway, IND-CPA ciphertext, internal trusted network.)

4.2. Application 2: The Gateways Reduce the Workload via PVPKE. The following scenario is common: ciphertexts need to be transferred from a public open network, like the Internet, to an internal network, like a government's network. As shown in Figure 2, PVPKE can be used to help the gateways reduce the workload by transforming an IND-CCA ciphertext into an IND-CPA ciphertext. When the gateway receives an IND-CCA ciphertext, it first verifies its validity using the public verification algorithm. If the check passes, the gateway can drop the part of the ciphertext that only serves to authenticate it, such as $(\delta, vk)$ in our PVPKE and in Nieto et al.'s PKE scheme (we do not claim that every PVPKE scheme has such a separate authentication part; there exist PVPKE schemes in which the authentication is integrated into the other parts of the ciphertext as a whole). The remaining ciphertext is then IND-CPA-secure and shorter than the original. Because a government's network is usually well protected by many security mechanisms, IND-CPA security is enough to assure the security of the ciphertext there; note that once $(\delta, vk)$ has been removed, nobody inside the internal network can detect a later modification of the remaining ciphertext, so the transformation relies on the internal network itself to prevent tampering. This also reduces the workload of the employees who work on the government's internal network.

4.3. Application 3: Achieving Checkable Ciphertexts in the Cloud via PVPKE. Today more and more people prefer to upload their personal data to the cloud, but they do not want the cloud to learn the contents. They therefore need to encrypt the data before uploading it. PVPKE can be used to make the ciphertexts checkable in this setting, as shown in Figure 3. When the data owner uploads ciphertexts to the cloud, incidents such as data loss or a malicious attacker modifying the ciphertexts may occur; in these cases a proxy can check the ciphertexts' validity using PVPKE. When the data owner or a data user needs to retrieve the content, the cloud returns the corresponding ciphertext, and again the proxy can check its validity using PVPKE. Note that the proxy need only be semi-trusted: it can perform the check without any secret, which greatly simplifies system management. For example, the proxy can be the access infrastructure in a wireless network setting. Note also that we do not claim every ciphertext must be checked, which would be too heavy; the check should be run probabilistically on randomly chosen ciphertexts.

Figure 3: Achieving checkable ciphertexts in the cloud via PVPKE. (Figure labels: Storage (cloud), Outsource ciphertext, Retrieve ciphertext, Proxy, Reliable ciphertext.)

5. Conclusions

PVPKE is a very powerful building block for constructing other cryptographic primitives and protocols, and its construction remained open for many years. In [13] we gave several constructions and analyzed their security. In this paper, using the fact that the DDH oracle can be instantiated in signed quadratic residues, we give a new PVPKE construction and roughly prove its security. Future work will explore this idea further and prove the proposal's security rigorously.

Disclosure

This paper is a revised and expanded version of a paper titled "New Construction of PVPKE Scheme Based on Signed Quadratic Residues" presented at the INCoS 2013 Conference [59]. The second author is the corresponding author.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The authors would like to express their gratitude to the editors for many helpful comments. This work is supported by the National Natural Science Foundation of China under Contracts nos. 61103230, 61272492, 61103231, and 61202492.

References

[1] A. J. Jara, S. Varakliotis, A. F. Skarmeta, and P. Kirstein, "Extending the Internet of things to the future internet through IPv6 support," Mobile Information Systems, vol. 10, no. 1, pp. 3–17, 2014.

[2] A. J. Jara, D. Fernandez, P. Lopez, M. A. Zamora, and A. F. Skarmeta, "Lightweight MIPv6 with IPSec support," Mobile Information Systems, vol. 10, no. 1, pp. 37–77, 2014.

[3] W. Diffie and M. E. Hellman, "New directions in cryptography," IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644–654, 1976.

[4] R. L. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Communications of the Association for Computing Machinery, vol. 21, no. 2, pp. 120–126, 1978.

[5] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.

[6] M. Abe, E. Kiltz, and T. Okamoto, "Chosen ciphertext security with optimal ciphertext overhead," in Advances in Cryptology—ASIACRYPT 2008, vol. 5350 of Lecture Notes in Computer Science, pp. 355–371, Springer, Berlin, Germany, 2008.

[7] M. Bellare and P. Rogaway, "Optimal asymmetric encryption: how to encrypt with RSA," in Advances in Cryptology—EUROCRYPT '94, vol. 950 of Lecture Notes in Computer Science, pp. 92–111, 1994.

[8] R. Cramer and V. Shoup, "A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack," in Advances in Cryptology—CRYPTO '98, vol. 1462 of Lecture Notes in Computer Science, pp. 13–25, Springer, Berlin, Germany, 1998.

[9] G. Hanaoka and K. Kurosawa, "Efficient chosen ciphertext secure public key encryption under the computational Diffie-Hellman assumption," in Advances in Cryptology—ASIACRYPT 2008, vol. 5350 of Lecture Notes in Computer Science, pp. 308–325, Springer, Berlin, Germany, 2008.

[10] D. Hofheinz, E. Kiltz, and V. Shoup, "Practical chosen ciphertext secure encryption from factoring," Journal of Cryptology, vol. 26, no. 1, pp. 102–118, 2013.

[11] Y. Lindell, "A simpler construction of CCA2-secure public-key encryption under general assumptions," in Advances in Cryptology—EUROCRYPT 2003, vol. 2656 of Lecture Notes in Computer Science, pp. 241–254, Springer, Berlin, Germany, 2003.

[12] K. Goto, Y. Sasaki, T. Hara, and S. Nishio, "Data gathering using mobile agents for reducing traffic in dense mobile wireless sensor networks," Mobile Information Systems, vol. 9, no. 4, pp. 295–314, 2013.

[13] M. Zhang, X. A. Wang, W. Li, and X. Yang, "CCA secure publicly verifiable public key encryption without pairings nor random oracle and its applications," Journal of Computers, vol. 8, no. 8, pp. 1987–1994, 2013.

[14] X. Chen, J. Li, and W. Susilo, "Efficient fair conditional payments for outsourcing computations," IEEE Transactions on Information Forensics and Security, vol. 7, no. 6, pp. 1687–1694, 2012.

[15] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, "New algorithms for secure outsourcing of modular exponentiations," in Computer Security—ESORICS 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541–556, Springer, Berlin, Germany, 2012.

[16] R. Canetti and S. Goldwasser, "An efficient threshold public key cryptosystem secure against adaptive chosen ciphertext attack," in Advances in Cryptology—EUROCRYPT '99, vol. 1592 of Lecture Notes in Computer Science, pp. 90–106, Springer, Berlin, Germany, 1999.

[17] J. Baek and Y. Zheng, "Identity-based threshold decryption," in Public Key Cryptography—PKC 2004, vol. 2947 of Lecture Notes in Computer Science, pp. 262–276, Springer, Berlin, Germany, 2004.

[18] D. Boneh, X. Boyen, and S. Halevi, "Chosen ciphertext secure public key threshold encryption without random oracles," in Topics in Cryptology—CT-RSA 2006, vol. 3860 of Lecture Notes in Computer Science, pp. 226–243, 2006.

[19] V. Shoup and R. Gennaro, "Securing threshold cryptosystems against chosen ciphertext attack," Journal of Cryptology, vol. 15, no. 2, pp. 75–96, 2002.

[20] C. Delerablee and D. Pointcheval, "Dynamic threshold public-key encryption," in Advances in Cryptology—CRYPTO 2008, vol. 5157 of Lecture Notes in Computer Science, pp. 317–334, Springer, Berlin, Germany, 2008.

[21] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, "Improved proxy re-encryption schemes with applications to secure distributed storage," in Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS '05), pp. 29–43, San Diego, Calif, USA, 2005.

[22] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, "Improved proxy re-encryption schemes with applications to secure distributed storage," ACM Transactions on Information and System Security, vol. 9, no. 1, pp. 1–30, 2006.

[23] B. Libert and D. Vergnaud, "Unidirectional chosen-ciphertext secure proxy re-encryption," in Public Key Cryptography—PKC 2008, vol. 4939 of Lecture Notes in Computer Science, pp. 360–379, Springer, Berlin, Germany, 2008.

[24] R. Canetti and S. Hohenberger, "Chosen ciphertext secure proxy re-encryption," in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), pp. 185–194, ACM, 2007.

[25] J. Zhang and X. A. Wang, "On the security of a multi-use CCA-secure proxy re-encryption scheme," in Proceedings of the 4th International Conference on Intelligent Networking and Collaborative Systems (INCoS '12), pp. 571–576, Bucharest, Romania, September 2012.

[26] J. Zhang and X. Wang, "Security analysis of a multi-use identity based CCA-secure proxy reencryption scheme," in Proceedings of the 4th International Conference on Intelligent Networking and Collaborative Systems (INCoS '12), pp. 581–586, September 2012.

[27] J. Nieto, M. Manulis, B. Poettering, J. Rangasamy, and D. Stebila, "Publicly verifiable ciphertexts," in Proceedings of the 8th International Conference on Security and Cryptography for Networks (SCN '12), vol. 7485 of Lecture Notes in Computer Science, pp. 393–410, Amalfi, Italy, 2012.

[28] D. Hofheinz and E. Kiltz, "The group of signed quadratic residues and applications," in Advances in Cryptology—CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 637–653, Springer, Berlin, Germany, 2009.

[29] M. Naor and M. Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks," in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC '90), pp. 427–437, May 1990.

[30] C. Rackoff and D. R. Simon, "Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack," in Advances in Cryptology—CRYPTO '91, vol. 576 of Lecture Notes in Computer Science, pp. 433–444, Springer, Berlin, Germany, 1992.

[31] D. Dolev, C. Dwork, and M. Naor, "Non-malleable cryptography," in Proceedings of the 23rd Annual ACM Symposium on Theory of Computing (STOC '91), pp. 542–552, May 1991.

[32] A. Sahai, "Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security," in Proceedings of the 40th Annual Symposium on Foundations of Computer Science (IEEE FOCS '99), pp. 543–553, New York, NY, USA, October 1999.

[33] M. Bellare and P. Rogaway, "Random oracles are practical: a paradigm for designing efficient protocols," in Proceedings of the 1st ACM Conference on Computer and Communications Security (CCS '93), pp. 62–73, November 1993.

[34] R. Canetti, O. Goldreich, and S. Halevi, "Random oracle methodology revisited," in Proceedings of the 30th Annual ACM Symposium on Theory of Computing (STOC '98), pp. 209–218, May 1998.

[35] R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.

[36] K. Kurosawa and Y. Desmedt, "A new paradigm of hybrid encryption scheme," in Advances in Cryptology—CRYPTO 2004, vol. 3152 of Lecture Notes in Computer Science, pp. 426–442, 2004.

[37] M. Abe, R. Gennaro, K. Kurosawa, and V. Shoup, "Tag-KEM/DEM: a new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM," in Advances in Cryptology—EUROCRYPT 2005, vol. 3494 of Lecture Notes in Computer Science, pp. 128–146, Springer, Berlin, Germany, 2005.

[38] R. Canetti, S. Halevi, and J. Katz, "Chosen-ciphertext security from identity-based encryption," in Advances in Cryptology—EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 207–222, Springer, Berlin, Germany, 2004.

[39] D. Boneh and J. Katz, "Improved efficiency for CCA-secure cryptosystems built using identity-based encryption," in Topics in Cryptology—CT-RSA 2005, vol. 3376 of Lecture Notes in Computer Science, pp. 87–103, Springer, Berlin, Germany, 2005.

[40] X. Boyen, Q. Mei, and B. Waters, "Direct chosen ciphertext security from identity-based techniques," in Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS '05), pp. 320–329, November 2005.

[41] E. Kiltz, "Chosen-ciphertext security from tag-based encryption," in Theory of Cryptography, vol. 3876 of Lecture Notes in Computer Science, pp. 581–600, Springer, Berlin, Germany, 2006.

[42] C. Peikert and B. Waters, "Lossy trapdoor functions and their applications," in Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC '08), pp. 187–196, 2008.

[43] A. Rosen and G. Segev, "Chosen-ciphertext security via correlated products," in Theory of Cryptography, vol. 5444 of Lecture Notes in Computer Science, pp. 419–436, Springer, Berlin, Germany, 2009.

[44] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," in Advances in Cryptology—CRYPTO 2001, Proceedings of the 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19–23, 2001, vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, Springer, Berlin, Germany, 2001.

[45] D. Boneh, C. Gentry, and B. Waters, "Collusion resistant broadcast encryption with short ciphertexts and private keys," in Proceedings of the 25th Annual International Cryptology Conference (CRYPTO '05), vol. 3621 of Lecture Notes in Computer Science, pp. 258–275, Santa Barbara, Calif, USA, 2005.

[46] J. Groth and A. Sahai, "Efficient non-interactive proof systems for bilinear groups," in Advances in Cryptology—EUROCRYPT 2008, vol. 4965 of Lecture Notes in Computer Science, pp. 415–432, Springer, Berlin, Germany, 2008.

[47] D. Boneh, G. D. Crescenzo, R. Ostrovsky, and G. Persiano, "Public key encryption with keyword search," in Computational Science and Its Applications—ICCSA 2008, vol. 3089 of Lecture Notes in Computer Science, pp. 31–45, Springer, Berlin, Germany, 2004.

[48] M. Abdalla, M. Bellare, D. Catalano, et al., "Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions," in Advances in Cryptology—CRYPTO 2005, vol. 3621 of Lecture Notes in Computer Science, pp. 205–222, Springer, Berlin, Germany, 2005.

[49] V. Goyal, O. Pandey, A. Sahai, and B. Waters, "Attribute-based encryption for fine-grained access control of encrypted data," in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06), pp. 89–98, November 2006.

[50] J. Katz, A. Sahai, and B. Waters, "Predicate encryption supporting disjunctions, polynomial equations, and inner products," in Advances in Cryptology—EUROCRYPT 2008, vol. 4965 of Lecture Notes in Computer Science, pp. 146–162, Springer, Berlin, Germany, 2008.

[51] J. Baek, R. Safavi-Naini, and W. Susilo, "Certificateless public key encryption without pairing," in Information Security, vol. 3650 of Lecture Notes in Computer Science, pp. 134–148, Springer, Berlin, Germany, 2005.

[52] S. Al-Riyami and K. Paterson, "Certificateless public key cryptography," in Advances in Cryptology—ASIACRYPT 2003, vol. 2894 of Lecture Notes in Computer Science, pp. 452–473, Springer, 2003.

[53] R. Deng, J. Weng, S. Liu, and K. Chen, "Chosen-ciphertext secure proxy re-encryption without pairings," in Cryptology and Network Security, vol. 5339 of Lecture Notes in Computer Science, pp. 1–17, Springer, Berlin, Germany, 2008, http://eprint.iacr.org/2008/509.

[54] J. Shao and Z. Cao, "CCA-secure proxy re-encryption without pairings," in Public Key Cryptography—PKC 2009, vol. 5443 of Lecture Notes in Computer Science, pp. 357–376, Springer, Berlin, Germany, 2009.

[55] J. Camenisch and V. Shoup, "Practical verifiable encryption and decryption of discrete logarithms," in Advances in Cryptology—CRYPTO 2003, vol. 2729 of Lecture Notes in Computer Science, pp. 126–144, Springer, Berlin, Germany, 2003.

[56] A. Kiayias, Y. Tsiounis, and M. Yung, Group Encryption, Cryptology ePrint Archive, 2007, http://eprint.iacr.org/2007/015.pdf.

[57] E. Kiltz, "Chosen-ciphertext secure key-encapsulation based on gap hashed Diffie-Hellman," in Public Key Cryptography—PKC 2007, vol. 4450 of Lecture Notes in Computer Science, pp. 282–297, Springer, Berlin, Germany, 2007.

[58] J. Herranz, D. Hofheinz, and E. Kiltz, "KEM/DEM: necessary and sufficient conditions for secure hybrid encryption," IACR Cryptology ePrint Archive, Report 2006/256, IACR, 2006.

[59] J. Zhang and X. Wang, "New construction of PVPKE scheme based on signed quadratic residues," in Proceedings of the 5th International Conference on Intelligent Networking and Collaborative Systems (INCoS '13), pp. 434–437, September 2013.



2.3. The Group of Signed Quadratic Residues

2.3.1. RSA Instance Generator. Let $0 \le \delta \le 1/2$ be a constant and let $n(k)$ be a function. Let RSAgen be an algorithm that generates elements $(N, P, Q)$ such that $N = PQ$ is an $n$-bit Blum integer ($N = PQ$ with $P \equiv 3 \bmod 4$ and $Q \equiv 3 \bmod 4$) and all prime factors of $\phi(N)/4$ are pairwise distinct and at least $\delta n$-bit integers.

2.3.2. Factoring Assumption. The factoring assumption is that computing $P, Q$ from $N$ (generated by RSAgen) is hard. We write
$$\mathrm{Adv}^{\mathrm{fac}}_{\mathcal{A},\mathrm{RSAgen}}(k) = \Pr\left[\{P, Q\} \leftarrow \mathcal{A}(N) : (N, P, Q) \leftarrow_R \mathrm{RSAgen}(1^k)\right]. \qquad (1)$$
The factoring assumption for RSAgen holds if $\mathrm{Adv}^{\mathrm{fac}}_{\mathcal{A},\mathrm{RSAgen}}$ is negligible for all efficient $\mathcal{A}$.

2.3.3. The Group of Signed Quadratic Residues. Let $N$ be an integer. For $x \in \mathbb{Z}_N$ we define $|x|$ as the absolute value of $x$, where $x$ is represented as a signed integer in the set $\{-(N-1)/2, \ldots, (N-1)/2\}$. For a subgroup $\mathbb{G}$ of $\mathbb{Z}_N^*$ we define the signed group $\mathbb{G}^+$ as the group
$$\mathbb{G}^+ = \{\,|x| : x \in \mathbb{G}\,\} \qquad (2)$$
with the following group operation. Namely, for $g, h \in \mathbb{G}^+$ and an integer $x$ we define
$$g \circ h = |g \cdot h \bmod N|, \qquad g^x = g \circ g \circ \cdots \circ g = |g^x \bmod N|. \qquad (3)$$
More complicated expressions in the exponents are computed modulo the group order; for example, $g^{1/2} = g^{2^{-1} \bmod \operatorname{ord}(\mathbb{G}^+)}$. Note that taking the absolute value is a surjective homomorphism from $\mathbb{G}$ to $\mathbb{G}^+$, with trivial kernel if $-1 \notin \mathbb{G}$ and with kernel $\{-1, 1\}$ if $-1 \in \mathbb{G}$.

Let $N$ be a Blum integer, such that $-1 \notin QR_N$. We will mainly be interested in $QR_N^+$, which we call the signed quadratic residues (modulo $N$). $QR_N^+$ is a subgroup of $\mathbb{Z}_N^*/\{\pm 1\}$, with absolute values as a convenient computational representation. The following basic facts hold.

Theorem 1. Let $N$ be a Blum integer. Then we have the following:

(1) $(QR_N^+, \circ)$ is a group of order $\phi(N)/4$.

(2) $QR_N^+ = J_N^+$. In particular, $QR_N^+$ is efficiently recognizable (given only $N$).

(3) If $QR_N$ is cyclic, so is $QR_N^+$.

2.3.4. Strong DH Assumption Reduced to Factoring Assumption. Hofheinz and Kiltz [28] also proved that the strong DH assumption can be reduced to the factoring assumption. Here we review the theorem and its proof.

Theorem 2. If the factoring assumption holds, then the strong DH assumption holds relative to RSAgen. In particular, for every strong DH adversary $\mathcal{A}$ there exists a factoring adversary $\mathcal{B}$ (with roughly the same complexity as $\mathcal{A}$) such that
$$\mathrm{Adv}^{\mathrm{SDH}}_{\mathcal{A},\mathrm{RSAgen}}(k) \le \mathrm{Adv}^{\mathrm{fac}}_{\mathcal{B},\mathrm{RSAgen}}(k) + O\left(2^{-\delta n(k)}\right). \qquad (4)$$

Proof. We construct $\mathcal{B}$ from a given $\mathcal{A}$. Concretely, $\mathcal{B}$ receives a challenge $N = PQ$, chooses uniformly $u \leftarrow_R (\mathbb{Z}_N^*)^+ \setminus QR_N^+$, and sets $h = u^2$. Note that by definition of $N$ we have $\langle h \rangle = QR_N^+$ except with probability $O(2^{-\delta n(k)})$. Then $\mathcal{B}$ chooses $a, b \in [N/4]$ and sets
$$g = h^2, \qquad X = h \circ g^a, \qquad Y = h \circ g^b \qquad (5)$$
(here we omit the $\bmod N$ operation, and hereafter we continue to omit $\bmod N$ for ordinary modular exponentiation). This implicitly defines
$$\operatorname{dlog}_g X = a + \tfrac{1}{2} \bmod \operatorname{ord}(QR_N^+), \qquad \operatorname{dlog}_g Y = b + \tfrac{1}{2} \bmod \operatorname{ord}(QR_N^+), \qquad (6)$$
where the discrete logarithms are of course considered in $(QR_N^+, \circ)$. Again by definition of $N$, the statistical distance between these $(g, X, Y)$ and the input of $\mathcal{A}$ in the strong DH experiment is bounded by $O(2^{-\delta n(k)})$. So $\mathcal{B}$ runs $\mathcal{A}$ on input $(g, X, Y)$ and answers $\mathcal{A}$'s oracle queries $(\hat{X}, \hat{Z})$ as follows. First we may assume that $\hat{X}, \hat{Z} \in QR_N^+$, since $QR_N^+ = J_N^+$ is efficiently recognizable. Next, since $N$ is a Blum integer, the group order $\operatorname{ord}(QR_N^+) = (P-1)(Q-1)/4$ is odd, and hence
$$\hat{X}^{\operatorname{dlog}_g X} = \hat{Z} \iff \hat{X}^{2 \operatorname{dlog}_g X} = \hat{Z}^2 \iff \hat{X}^{2a+1} = \hat{Z}^2. \qquad (7)$$
Thus $\mathcal{B}$ can implement the strong DH oracle by checking whether $\hat{X}^{2a+1} = \hat{Z}^2$ holds.

Consequently, with probability $\mathrm{Adv}^{\mathrm{SDH}}_{\mathcal{A},\mathrm{RSAgen}}(k) - O(2^{-\delta n(k)})$, $\mathcal{A}$ will finally output
$$Z = g^{(\operatorname{dlog}_g X)(\operatorname{dlog}_g Y)} = g^{(a + 1/2)(b + 1/2)} = h^{2ab + a + b + 1/2} \in QR_N^+, \qquad (8)$$
from which $\mathcal{B}$ can extract $v = h^{1/2} \in QR_N^+$ (using its knowledge of $a$ and $b$). Since $u \notin QR_N^+$ and $v \in QR_N^+$ are two nontrivially different square roots of $h$, $\mathcal{B}$ can factor $N$ by computing $\gcd(u - v, N)$.

3. CCA-Secure Publicly Verifiable Public Key Encryption in the Standard Model Based on Signed Quadratic Residues

3.1. Review of Nieto et al.'s Publicly Verifiable PKE Scheme. Their construction is inspired by the IND-CCA public key KEM of Kiltz [57]; the PG (ParamGen) algorithm is similar to that of [57] except that it uses gap groups. PG$(1^k)$ outputs public parameters $\mathrm{par} = (\mathbb{G}, p, g, \mathrm{DDH}, H)$, where $\mathbb{G} = \langle g \rangle$ is a multiplicative cyclic group of prime order $p$, $2^k \le p \le 2^{k+1}$, DDH is an efficient algorithm such that $\mathrm{DDH}(g^a, g^b, g^c) = 1 \leftrightarrow c = ab \pmod p$, and $H : \mathbb{G} \to \{0,1\}^{l_1(k)}$ is a cryptographic hash function such that $l_1(k)$ is a polynomial in $k$. We also use a strong one-time signature scheme $\mathrm{OTS} = (\mathrm{KG}, \mathrm{Sign}, \mathrm{Vrfy})$ with verification key space $\{0,1\}^{l_2(k)}$, such that $l_2(k)$ is a polynomial in $k$, and a target collision resistant hash function $\mathrm{TCR} : \mathbb{G} \times \{0,1\}^{l_2(k)} \to \mathbb{Z}_p$. The message space is $\mathrm{MsgSp} = \{0,1\}^{l_1(k)}$. The scheme works as follows.

(i) PKE.KG(par):
$$x \leftarrow \mathbb{Z}_p^*, \quad u \leftarrow g^x, \quad v \leftarrow \mathbb{G}, \quad ek \leftarrow (u, v), \quad dk \leftarrow x; \quad \text{return } (ek, dk). \qquad (9)$$

(ii) PKE.Enc(par, ek, M):
$$(u, v) \leftarrow ek, \quad (vk, sigk) \leftarrow \mathrm{OTS.KG}(1^k), \quad r \leftarrow_R \mathbb{Z}_p^*, \quad c_1 \leftarrow g^r, \quad t \leftarrow \mathrm{TCR}(c_1, vk), \quad \pi \leftarrow (u^t v)^r,$$
$$K \leftarrow H(u^r), \quad c_2 \leftarrow M \oplus K, \quad c \leftarrow (c_1, c_2, \pi), \quad \delta \leftarrow \mathrm{OTS.Sign}(sigk, c); \quad \text{return } C = (c, \delta, vk). \qquad (10)$$

(iii) PKE.Ver(par, ek, C):
$$(u, v) \leftarrow ek, \quad (c, \delta, vk) \leftarrow C, \quad (c_1, c_2, \pi) \leftarrow c, \quad t \leftarrow \mathrm{TCR}(c_1, vk);$$
$$\text{if } \mathrm{DDH}(c_1, u^t v, \pi) \neq 1 \text{ or } \mathrm{OTS.Vrfy}(c, \delta, vk) = \bot, \text{ return } \bot; \quad \text{return } C' = (c_1, c_2). \qquad (11)$$

(iv) PKE.Dec$'$(par, ek, dk, C$'$):
$$(c_1, c_2) \leftarrow C', \quad x \leftarrow dk, \quad K \leftarrow H(c_1^x), \quad M \leftarrow c_2 \oplus K; \quad \text{return } M. \qquad (12)$$

3.2. Our Proposed PVPKE Scheme Based on Signed Quadratic Residues. First we give the core idea behind our construction. We observe that Nieto et al.'s PKE scheme is actually a PVPKE scheme; the only issue is that they use an abstract DDH oracle and instantiate it with bilinear pairings, whereas we require that a PVPKE scheme not rely on bilinear pairings. We also observe that signed quadratic residues can instantiate the abstract DDH oracle, so we modify Nieto et al.'s scheme to work in the signed quadratic residue group, which gives a natural new PVPKE scheme. Notation: we omit the $\bmod N$ operation, and every modular exponentiation in signed quadratic residues, such as $h = |u^2 \bmod N|$, is simply written as $h = u^2$; all modular exponentiations and other operations obey the rules defined in [28] rather than the ordinary group rules. The concrete scheme is as follows.

(i) PVPKE.PG$(1^k)$ is as follows.

(a) Here we focus on the group $QR_N^+$. We first generate an RSA modulus $N = PQ$ with RSAgen$(1^k)$ [28], then choose uniformly $u \leftarrow_R (\mathbb{Z}_N^*)^+ \setminus QR_N^+$ and set $h = u^2$. Note that by definition of $N$ we have $\mathbb{G} = \langle h \rangle = QR_N^+$ except with probability $O(2^{-\delta n(k)})$.

(b) $H : \mathbb{G} \to \{0,1\}^{l_1(k)}$ is a cryptographic hash function such that $l_1(k)$ is a polynomial in $k$.

(c) We also use a strong one-time signature scheme $\mathrm{OTS} = (\mathrm{KG}, \mathrm{Sign}, \mathrm{Vrfy})$ with verification key space $\{0,1\}^{l_2(k)}$, such that $l_2(k)$ is a polynomial in $k$, and a target collision resistant hash function $\mathrm{TCR} : \mathbb{G} \times \{0,1\}^{l_2(k)} \to \mathbb{Z}_p$. The message space is $\mathrm{MsgSp} = \{0,1\}^{l_1(k)}$.

(d) DDH is an efficient algorithm such that $\mathrm{DDH}(g^a, g^b, g^c) = 1 \leftrightarrow c = ab \bmod p$. For the scheme relying on the group $QR_N^+$ we can easily decide a DDH tuple; concretely, we do the following.

(1) Choose $a, b \in [N/4]$ and $m, n \in [\operatorname{ord}(QR_N^+)]$ satisfying $2^m(a + \tfrac{1}{2}) > n \times \operatorname{ord}(QR_N^+)$ and $2^m(b + \tfrac{1}{2}) > n \times \operatorname{ord}(QR_N^+)$, with $m$ not very small. Then set
$$g = h^2, \qquad X = h \circ g^a, \qquad Y = h \circ g^b. \qquad (13)$$

(2) Publish $a' = 2^m(a + \tfrac{1}{2}) \bmod (n \times \operatorname{ord}(QR_N^+))$ and $b' = 2^m(b + \tfrac{1}{2}) \bmod (n \times \operatorname{ord}(QR_N^+))$ as the parameters for public verification.

(3) Set $\mathrm{DDHParams} = (g, X, Y, a', b', 2^m)$.

(e) PG$(1^k)$ outputs the public parameters $\mathrm{par} = (\mathbb{G}, N, \mathrm{DDHParams}, H, \mathrm{OTS}) = (\mathbb{G}, N, g, X, Y, a', b', 2^m, H, \mathrm{OTS})$.

(ii) PVPKE.KG(par):
$x \leftarrow \mathbb{Z}_N^*$
$u \leftarrow g^x$
$X = h \circ g^a$, $Y = h \circ g^b$
$ek \leftarrow (u, X, Y)$, $dk \leftarrow x$
Return $(ek, dk)$    (14)

(iii) PVPKE.Enc(par, ek, M):
$(u, X, Y) \leftarrow ek$
$(vk, sigk) \leftarrow \mathrm{OTS.KG}(1^k)$
$r \leftarrow_R \mathbb{Z}_N^*$, $c_1 \leftarrow g^r$
$t \leftarrow \mathrm{TCR}(c_1, vk)$, $\pi \leftarrow (X^t Y)^r$
$K \leftarrow H(u^r)$, $c_2 \leftarrow M \oplus K$
$c \leftarrow (c_1, c_2, \pi)$
$\delta \leftarrow \mathrm{OTS.Sign}(sigk, c)$
Return $C = (c, \delta, vk)$    (15)

(iv) PVPKE.Ver(par, ek, C):
$(u, X, Y) \leftarrow ek$
$(c, \delta, vk) \leftarrow C$
$(c_1, c_2, \pi) \leftarrow c$
$t \leftarrow \mathrm{TCR}(c_1, vk)$
If $c_1^{a't + b'} \neq \pi^{2^m}$ or $\mathrm{OTS.Vrfy}(c, \delta, vk) = \perp$, return $\perp$
Return $C' = (c_1, c_2)$    (16)

(v) PVPKE.Dec′(par, ek, dk, C′):
$(c_1, c_2) \leftarrow C'$
$x \leftarrow dk$
$K \leftarrow H(c_1^x)$
$M \leftarrow c_2 \oplus K$
Return $M$    (17)
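To make steps (a)–(e) and the algorithms KG, Enc, Ver and Dec′ above concrete, here is a toy implementation added by the editor; it is example code, not the paper's or Hofheinz and Kiltz's. It works in $QR_N^+$ for the small Blum integer $N = 1019 \cdot 2027$ built from two safe primes, uses SHA-256 in place of $H$ and TCR, a Lamport one-time signature in place of OTS, and the parameter choices $m = 16$, $n = 3$; all of these, and the byte encodings, are assumptions of the example. One toy shortcut is marked in the code: PG knows the factors of $N$, so it simply rejects an $h$ that does not generate $QR_N^+$ instead of sampling $u$ from $(\mathbb{Z}_N^*)^+ \setminus QR_N^+$. The public check $c_1^{a't+b'} = \pi^{2^m}$ is what a router or gateway would run without any secret: the demo shows an honest ciphertext passing it and decrypting, a corrupted $c_2$ failing the OTS check, and a replaced $\pi$ failing the DDH equation even after the forger re-signs under a fresh OTS key.

```python
# Added toy implementation of the PVPKE scheme of Section 3.2 (example code, not the paper's).
# Small safe primes, SHA-256 (H, TCR) and a Lamport OTS stand in for the abstract building blocks.
import hashlib, math, secrets

def sha(data): return hashlib.sha256(data).digest()
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def rand_unit(N):                              # uniform element of Z_N^*
    while True:
        v = secrets.randbelow(N - 1) + 1
        if math.gcd(v, N) == 1:
            return v

class SignedQR:
    """QR_N^+ of [28]: representatives |x| in [0, (N-1)/2], group law a o b = |ab mod N|."""
    def __init__(self, N): self.N = N
    def abs(self, x):
        x %= self.N
        return x if x <= (self.N - 1) // 2 else self.N - x
    def mul(self, a, b): return self.abs(a * b)
    def pow(self, a, e): return self.abs(pow(a, e, self.N))

# Lamport OTS (toy stand-in): sk fixes the signature of each message, which is the strong
# unforgeability the scheme requires of OTS. Messages are hashed to 256 bits first.
def ots_kg():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return [(sha(s0), sha(s1)) for s0, s1 in sk], sk
def _bits(msg):
    d = sha(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]
def ots_sign(sk, msg): return [sk[i][bit] for i, bit in enumerate(_bits(msg))]
def ots_vrfy(vk, msg, sig):
    return len(sig) == 256 and all(sha(sig[i]) == vk[i][bit] for i, bit in enumerate(_bits(msg)))

def encode_c(c1, c2, pi): return f"{c1}|{pi}|".encode() + c2   # unambiguous bytes of c = (c1, c2, pi)
def kdf(elem): return sha(b"H|" + str(elem).encode())            # H: G -> {0,1}^256, the DEM mask source
def tcr(c1, vk):                                                # TCR(c1, vk) as a 128-bit integer tag t
    vk_bytes = b"".join(h0 + h1 for h0, h1 in vk)
    return int.from_bytes(sha(f"{c1}|".encode() + vk_bytes)[:16], "big")

def pvpke_pg(P, Q, m=16, n=3):
    """PVPKE.PG, steps (a)-(e), for N = PQ built from safe primes P, Q (so N is a Blum integer)."""
    N, G = P * Q, SignedQR(P * Q)
    order = (P - 1) * (Q - 1) // 4             # ord(QR_N^+) = p'q'; PG knows it, never publishes it
    h = G.pow(rand_unit(N), 2)                 # h = u^2
    while G.pow(h, (P - 1) // 2) == 1 or G.pow(h, (Q - 1) // 2) == 1:
        h = G.pow(rand_unit(N), 2)             # toy shortcut: PG knows P, Q and rejects a non-generator h
    g = G.pow(h, 2)                            # g = h^2, i.e. h = g^{1/2} in QR_N^+
    def hidden_exponent():                     # a in [N/4] with 2^m (a+1/2) > n*ord; publish 2^m (a+1/2) mod n*ord
        while True:
            a = secrets.randbelow(N // 4)
            full = 2 ** (m - 1) * (2 * a + 1)  # 2^m (a + 1/2) as an integer (m >= 1)
            if full > n * order:
                return a, full % (n * order)
    a, a_pub = hidden_exponent()
    b, b_pub = hidden_exponent()
    X, Y = G.mul(h, G.pow(g, a)), G.mul(h, G.pow(g, b))   # X = h o g^a, Y = h o g^b
    return {"N": N, "g": g, "X": X, "Y": Y, "a_pub": a_pub, "b_pub": b_pub, "m": m}

def pvpke_kg(par):                             # PVPKE.KG: ek = (u, X, Y) with u = g^x, dk = x
    x = rand_unit(par["N"])
    return (SignedQR(par["N"]).pow(par["g"], x), par["X"], par["Y"]), x

def pvpke_enc(par, ek, M):                     # PVPKE.Enc for M of at most 32 bytes; C = (c, delta, vk)
    G, (u, X, Y) = SignedQR(par["N"]), ek
    vk, sigk = ots_kg()
    r = rand_unit(par["N"])
    c1 = G.pow(par["g"], r)
    pi = G.pow(G.mul(G.pow(X, tcr(c1, vk)), Y), r)   # pi = (X^t o Y)^r with t = TCR(c1, vk)
    c = (c1, xor(M, kdf(G.pow(u, r))), pi)            # c2 = M xor H(u^r)
    return c, ots_sign(sigk, encode_c(*c)), vk

def ddh_check(par, c1, vk, pi):                # public DDH test of step (d): c1^{a' t + b'} == pi^{2^m}
    G = SignedQR(par["N"])
    return G.pow(c1, par["a_pub"] * tcr(c1, vk) + par["b_pub"]) == G.pow(pi, 2 ** par["m"])

def pvpke_ver(par, ek, C):                     # PVPKE.Ver: None stands for bottom, else C' = (c1, c2)
    c, delta, vk = C
    if not ddh_check(par, c[0], vk, c[2]) or not ots_vrfy(vk, encode_c(*c), delta):
        return None
    return (c[0], c[1])

def pvpke_dec(par, ek, dk, C_prime):           # PVPKE.Dec': M = c2 xor H(c1^x)
    c1, c2 = C_prime
    return xor(c2, kdf(SignedQR(par["N"]).pow(c1, dk)))

def demo():
    """Honest round trip, plus two invalid ciphertexts that a router holding no secret must reject."""
    par = pvpke_pg(1019, 2027)                 # safe primes: (P-1)/2 = 509 and (Q-1)/2 = 1013 are prime
    ek, dk = pvpke_kg(par)
    M = b"a 32-byte DEM payload for PVPKE!"
    (c1, c2, pi), delta, vk = C = pvpke_enc(par, ek, M)
    C_prime = pvpke_ver(par, ek, C)
    bad_c2 = ((c1, bytes([c2[0] ^ 1]) + c2[1:], pi), delta, vk)   # one flipped byte: the OTS check fails
    bad_c = (c1, c2, SignedQR(par["N"]).mul(pi, par["g"]))          # pi replaced by pi o g ...
    vk2, sigk2 = ots_kg()                                           # ... and re-signed under the forger's own key
    forged = (bad_c, ots_sign(sigk2, encode_c(*bad_c)), vk2)
    return {"valid_accepted": C_prime is not None,
            "message_recovered": C_prime is not None and pvpke_dec(par, ek, dk, C_prime) == M,
            "tampered_c2_rejected": pvpke_ver(par, ek, bad_c2) is None,
            "forged_pi_rejected": pvpke_ver(par, ek, forged) is None,
            "replaced_pi_fails_ddh": not ddh_check(par, c1, vk, bad_c[2])}
```

The pair $(c_1, c_2)$ that `pvpke_ver` returns is the shortened ciphertext a gateway would forward into a trusted network (the use made of it in Section 4.2), and `ddh_check` alone is the router-side filter: it needs only par, never $dk$ or the factors of $N$. The replaced-$\pi$ case fails deterministically because $g^{2^m} \neq 1$ in a group of odd order.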

3.3. Security Analysis. Based on Nieto et al.'s security result and the property of signed quadratic residues, we can give the following theorem.

Theorem 3. Assume that TCR is a target collision resistant hash function and OTS is a strongly unforgeable one-time signature scheme. Under a variant of the hashed Diffie-Hellman assumption for $G$ (the signed quadratic residues group) and $H$, and the factoring assumption on RSAGen (which implies the strong Diffie-Hellman assumption in the signed quadratic residues group, as proved in [28]), our PVPKE scheme based on signed quadratic residues is IND-CCA-secure.

Proof. In the following we give our scheme's security proof roughly.

(1) We observe that in Nieto et al.'s PKE scheme $u$ plays two roles: one is to derive the DEM message mask key and the other is to serve as part of the DDH test. But many research results show that it is secure to split these two roles [8]; thus we introduce $X$ to play the part in the DDH test while keeping $u$ as the source from which the DEM message mask key is derived, which is the reason why we use $(X^t Y)$ instead of $(u^t v)$ in our scheme.

(2) In our scheme we adopt Hofheinz and Kiltz's technique of reducing the SDH assumption to the factoring assumption; concretely, we set $X, Y, g, h, a$, and $b$ the same as theirs, but we make $a' = 2^m(a + 1/2) \bmod n \times \mathrm{ord}(QR_N^+)$ and $b' = 2^m(b + 1/2) \bmod n \times \mathrm{ord}(QR_N^+)$ public, and they are used for public verifying. The verifying equation $(g^r)^{a't + b'} = ((X^t Y)^r)^{2^m}$ can also be used for deciding the DDH relationship of $(g, X^t Y, g^r, (X^t Y)^r)$, but an attacker cannot figure out $\pi = (X^t Y)^r$ by finding the $1/2^m$ root of $(g^r)^{a't + b'}$, for we know that finding square roots in $QR_N$ is as hard as factoring, and this also holds in $QR_N^+$.

(3) We require $2^m(a + 1/2) > n \times \mathrm{ord}(QR_N^+)$ and $2^m(b + 1/2) > n \times \mathrm{ord}(QR_N^+)$ to avoid the trivial attack of computing $a + 1/2 = a'/2^m$ and $b + 1/2 = b'/2^m$ without any modular operation and thus trivially computing $\pi = (X^t Y)^r = (g^r)^{(a + 1/2)t + (b + 1/2)}$. Obviously this attack can easily forge a valid $\pi$ and thus a valid ciphertext and break the IND-CCA property. We also require that $m$ is not too small, to resist the brute force attack of finding $a$ from $a'$.

(4) Generally speaking, our scheme is almost identical to Nieto et al.'s scheme; thus the security proof is almost the same as theirs. Below are the details.

Let $(c^*, \delta^*, vk^*)$ be the challenge ciphertext. The proposed PKE without the CHK transform can be seen as a KEM/DEM combination, which is at least IND-CPA-secure due to Herranz et al. [58]. As for the KEM, a variant of the hashed Diffie-Hellman (HDH) assumption [48] can be used to prove the IND-CPA security of the resulting PKE. Note that the message does not depend on $vk^*$ and $\delta^*$ is just the signature on $c^*$. Therefore $c^*$, being an output of the IND-CPA-secure scheme, hides the value of the chosen $b$ from the adversary.

[Figure 1: Routers drop the invalid ciphertexts via PVPKE. Labels in the figure: Sender, Router, Adversary, Router, Receiver, PubK, SK.]

Below we prove that the IND-CCA adversary $A$ may access the decryption oracle and will gain no help in guessing the value of $b$. Suppose the adversary submits a ciphertext $(c', \delta', vk') \neq (c^*, \delta^*, vk^*)$ to the decryption oracle. Now there are two cases.

(i) When $vk' = vk^*$, the decryption oracle will output $\perp$, as the adversary fails to break the underlying strongly unforgeable one-time signature scheme with respect to $vk'$.

(ii) When $vk' \neq vk^*$, the attacker $B$ against the variant of the HDH problem can set the public keys as in the IND-CCA security proof for the KEM by Kiltz [57], such that (1) $B$ can answer all decryption queries from $A$ except for the challenge ciphertext, even without knowledge of the secret key, and (2) $B$ solves HDH if $A$ wins. Note that in Nieto et al.'s scheme $(u, v)$ is the public key while in our scheme $(u, X, Y)$ is the public key, but we observe that $v$ is randomly chosen from $G$ while in our scheme $X, Y$ are set as $h \circ g^a, h \circ g^b$, which are also random because $a, b$ are random. Thus our scheme roughly shares the same security proof outline as in [57], except that our scheme is in signed quadratic residues.

4. Applications

4.1. Application 1: The Routers Drop the Invalid Ciphertexts via PVPKE. As shown in Figure 1, PVPKE can be used in the open internet to help the routers filter out invalid ciphertexts, a function that traditional IND-CCA-secure public key encryption does not offer. First, a sender (encrypter) wants to encrypt his message to a receiver (decrypter) using public key encryption, and in many cases the ciphertexts have to be sent through open networks that are not equipped with security guards against malicious attack; thus the sender had better choose an IND-CCA-secure public key encryption scheme to encrypt his message. When an error or a data loss occurs in the ciphertexts during transfer, PVPKE can help the routers drop the invalid ciphertexts by running the public verifying algorithm. Note that here the routers need no secret, which will greatly reduce the cost of re-setting up the old system. Also, if a malicious attacker modifies the ciphertexts, the invalid ciphertexts will be dropped as well. This will greatly help the network reserve its communication bandwidth for effective data blocks only, and help the routers and the receiver reduce their workload, for they now only need to do the necessary computation. However, PVPKE cannot resist the following case: an attacker generates a ciphertext by following the correct encryption algorithm, and this ciphertext will certainly pass the public verifying algorithm. We think that in this case the attacker is indeed an encrypter, which is a trivial case that no verifying algorithm can avoid.

[Figure 2: Gateways reduce the workload via PVPKE. Labels in the figure: Open internet network, IND-CCA ciphertext, Gateway, IND-CPA ciphertext, Internal trusted network.]

4.2. Application 2: The Gateways Reduce the Workload via PVPKE. The following scenario always exists: ciphertexts need to be transferred from a public open network like the internet to an internal network like a government's network. As shown in Figure 2, PVPKE can be used to help the gateways reduce the workload by transforming an IND-CCA ciphertext into an IND-CPA ciphertext. When an IND-CCA ciphertext is captured by the gateway, the gateway first verifies its validity using the public verifying algorithm. If it passes, the gateway can drop the part of the ciphertext that is used to authenticate it, like $(\delta, vk)$ in our PVPKE and in Nieto et al.'s PKE scheme (here we do not claim that every PVPKE scheme has such a separate authentication part, for there exist PVPKE schemes in which the authentication part is integrated into the other parts of the ciphertext as a whole). Thus the remaining ciphertext will be IND-CPA-secure and shorter than the original ciphertext. Because the government's network will usually be well protected by many security mechanisms, IND-CPA security is enough to assure the security of the ciphertext. This will also reduce the workload of the employees who work on the internal network of the government.

4.3. Application 3: Achieving Ciphertext Checkability in the Clouds via PVPKE. Today more and more people prefer to upload their personal data to the clouds, but they do not want the cloud to know what the data contents are. Thus they need to encrypt the personal data before uploading it to the clouds. PVPKE can be used to make the ciphertexts checkable in this case, as shown in Figure 3. When the data owner uploads the ciphertexts to the cloud, incidents like data loss or a malicious attacker modifying the ciphertexts may occur; in these cases a proxy can be used to check the ciphertext's validity using PVPKE. When the data owner or a data user needs to retrieve the content, the cloud returns the corresponding ciphertext to them, and again the proxy can be used to check the ciphertext's validity using PVPKE. Note here that the proxy needs only to be semitrusted: it can perform the check without any secret, which greatly simplifies system management. For example, the proxy can be the access infrastructure in the wireless network setting. Note also that we do not claim that every ciphertext needs to be checked, which would be too heavy; this check must be run probabilistically on randomly chosen ciphertexts.

[Figure 3: Achieving ciphertext checkability in the clouds via PVPKE. Labels in the figure: Storage (four nodes), Proxy, Outsource ciphertext, Retrieve ciphertext, Reliable ciphertext.]

5. Conclusions

PVPKE is a very powerful building block for constructing other cryptographic primitives or protocols, and its construction remained open for many years. In [13] we gave several constructions and analyzed their security. In this paper, by using the fact that the DDH oracle can be instantiated in signed quadratic residues, we give a new PVPKE construction and roughly prove its security. Future work will further explore our idea and prove our proposal's security strictly.

Disclosure

This paper is a revised and expanded version of a paper titled "New Construction of PVPKE Scheme Based on Signed Quadratic Residues" presented at the INCoS 2013 Conference [59]. The second author is the corresponding author.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The authors would like to express their gratitude to the editors for many helpful comments. This work is supported by the National Natural Science Foundation of China under Contracts nos. 61103230, 61272492, 61103231, and 61202492.

References

[1] A. J. Jara, S. Varakliotis, A. F. Skarmeta, and P. Kirstein, "Extending the Internet of things to the future internet through IPv6 support," Mobile Information Systems, vol. 10, no. 1, pp. 3–17, 2014.

[2] A. J. Jara, D. Fernandez, P. Lopez, M. A. Zamora, and A. F. Skarmeta, "Lightweight MIPv6 with IPSec support," Mobile Information Systems, vol. 10, no. 1, pp. 37–77, 2014.

[3] W. Diffie and M. E. Hellman, "New directions in cryptography," IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644–654, 1976.

[4] R. L. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Communications of the Association for Computing Machinery, vol. 21, no. 2, pp. 120–126, 1978.

[5] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.

[6] M. Abe, E. Kiltz, and T. Okamoto, "Chosen ciphertext security with optimal ciphertext overhead," in Advances in Cryptology – ASIACRYPT, vol. 5350 of Lecture Notes in Computer Science, pp. 355–371, Springer, Berlin, Germany, 2008.

[7] M. Bellare and P. Rogaway, "Optimal asymmetric encryption: how to encrypt with RSA," in Advances in Cryptology – EUROCRYPT '94, vol. 950 of Lecture Notes in Computer Science, pp. 92–111, 1994.

[8] R. Cramer and V. Shoup, "A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack," in Advances in Cryptology – CRYPTO '98, vol. 1462 of Lecture Notes in Computer Science, pp. 13–25, Springer, Berlin, Germany, 1998.

[9] G. Hanaoka and K. Kurosawa, "Efficient chosen ciphertext secure public key encryption under the computational Diffie-Hellman assumption," in Advances in Cryptology – ASIACRYPT 2008, vol. 5350 of Lecture Notes in Computer Science, pp. 308–325, Springer, Berlin, Germany, 2008.

[10] D. Hofheinz, E. Kiltz, and V. Shoup, "Practical chosen ciphertext secure encryption from factoring," Journal of Cryptology, vol. 26, no. 1, pp. 102–118, 2013.

[11] Y. Lindell, "A simpler construction of CCA2-secure public-key encryption under general assumptions," in Advances in Cryptology – EUROCRYPT 2003, vol. 2656 of Lecture Notes in Computer Science, pp. 241–254, Springer, Berlin, Germany, 2003.

[12] K. Goto, Y. Sasaki, T. Hara, and S. Nishio, "Data gathering using mobile agents for reducing traffic in dense mobile wireless sensor networks," Mobile Information Systems, vol. 9, no. 4, pp. 295–314, 2013.

[13] M. Zhang, X. A. Wang, W. Li, and X. Yang, "CCA secure publicly verifiable public key encryption without pairings nor random oracle and its applications," Journal of Computers, vol. 8, no. 8, pp. 1987–1994, 2013.

[14] X. Chen, J. Li, and W. Susilo, "Efficient fair conditional payments for outsourcing computations," IEEE Transactions on Information Forensics and Security, vol. 7, no. 6, pp. 1687–1694, 2012.

[15] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, "New algorithms for secure outsourcing of modular exponentiations," in Computer Security – ESORICS 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541–556, Springer, Berlin, Germany, 2012.

[16] R. Canetti and S. Goldwasser, "An efficient threshold public key cryptosystem secure against adaptive chosen ciphertext attack," in Advances in Cryptology – EUROCRYPT '99, vol. 1592 of Lecture Notes in Computer Science, pp. 90–106, Springer, Berlin, Germany, 1999.

[17] J. Baek and Y. Zheng, "Identity-based threshold decryption," in Public Key Cryptography – PKC 2004, vol. 2947 of Lecture Notes in Computer Science, pp. 262–276, Springer, Berlin, Germany, 2004.

[18] D. Boneh, X. Boyen, and S. Halevi, "Chosen ciphertext secure public key threshold encryption without random oracles," in Topics in Cryptology – CT-RSA 2006, vol. 3860 of Lecture Notes in Computer Science, pp. 226–243, 2006.

[19] V. Shoup and R. Gennaro, "Securing threshold cryptosystems against chosen ciphertext attack," Journal of Cryptology, vol. 15, no. 2, pp. 75–96, 2002.

[20] C. Delerablée and D. Pointcheval, "Dynamic threshold public-key encryption," in Advances in Cryptology – CRYPTO 2008, vol. 5157 of Lecture Notes in Computer Science, pp. 317–334, Springer, Berlin, Germany, 2008.

[21] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, "Improved proxy re-encryption schemes with applications to secure distributed storage," in Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS '05), pp. 29–43, San Diego, Calif, USA, 2005.

[22] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, "Improved proxy re-encryption schemes with applications to secure distributed storage," ACM Transactions on Information and System Security, vol. 9, no. 1, pp. 1–30, 2006.

[23] B. Libert and D. Vergnaud, "Unidirectional chosen-ciphertext secure proxy re-encryption," in Public Key Cryptography – PKC 2008, vol. 4939 of Lecture Notes in Computer Science, pp. 360–379, Springer, Berlin, Germany, 2008.

[24] R. Canetti and S. Hohenberger, "Chosen ciphertext secure proxy re-encryption," in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), pp. 185–194, ACM, 2007.

[25] J. Zhang and X. A. Wang, "On the security of a multi-use CCA-secure proxy re-encryption scheme," in Proceedings of the 4th International Conference on Intelligent Networking and Collaborative Systems (INCoS '12), pp. 571–576, Bucharest, Romania, September 2012.

[26] J. Zhang and X. Wang, "Security analysis of a multi-use identity based CCA-secure proxy reencryption scheme," in Proceedings of the 4th International Conference on Intelligent Networking and Collaborative Systems (INCoS '12), pp. 581–586, September 2012.

[27] J. Nieto, M. Manulis, B. Poettering, J. Rangasamy, and D. Stebila, "Publicly verifiable ciphertexts," in Proceedings of the 8th International Conference on Security and Cryptography for Networks (SCN '12), vol. 7485 of Lecture Notes in Computer Science, pp. 393–410, Amalfi, Italy, 2012.

[28] D. Hofheinz and E. Kiltz, "The group of signed quadratic residues and applications," in Advances in Cryptology – CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 637–653, Springer, Berlin, Germany, 2009.

[29] M. Naor and M. Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks," in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC '90), pp. 427–437, May 1990.

[30] C. Rackoff and D. R. Simon, "Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack," in Advances in Cryptology – CRYPTO '91, vol. 576 of Lecture Notes in Computer Science, pp. 433–444, Springer, Berlin, Germany, 1992.

[31] D. Dolev, C. Dwork, and M. Naor, "Non-malleable cryptography," in Proceedings of the 23rd Annual ACM Symposium on Theory of Computing (STOC '91), pp. 542–552, May 1991.

[32] A. Sahai, "Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security," in Proceedings of the 40th Annual Symposium on Foundations of Computer Science (IEEE FOCS '99), pp. 543–553, New York, NY, USA, October 1999.

[33] M. Bellare and P. Rogaway, "Random oracles are practical: a paradigm for designing efficient protocols," in Proceedings of the 1st ACM Conference on Computer and Communications Security (CCS '93), pp. 62–73, November 1993.

[34] R. Canetti, O. Goldreich, and S. Halevi, "Random oracle methodology revisited," in Proceedings of the 30th Annual ACM Symposium on Theory of Computing (STOC '98), pp. 209–218, May 1998.

[35] R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.

[36] K. Kurosawa and Y. Desmedt, "A new paradigm of hybrid encryption scheme," in Advances in Cryptology – CRYPTO 2004, vol. 3152 of Lecture Notes in Computer Science, pp. 426–442, 2004.

[37] M. Abe, R. Gennaro, K. Kurosawa, and V. Shoup, "Tag-KEM/DEM: a new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM," in Advances in Cryptology – EUROCRYPT 2005, vol. 3494 of Lecture Notes in Computer Science, pp. 128–146, Springer, Berlin, Germany, 2005.

[38] R. Canetti, S. Halevi, and J. Katz, "Chosen-ciphertext security from identity-based encryption," in Advances in Cryptology – EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 207–222, Springer, Berlin, Germany, 2004.

[39] D. Boneh and J. Katz, "Improved efficiency for CCA-secure cryptosystems built using identity-based encryption," in Topics in Cryptology – CT-RSA 2005, vol. 3376 of Lecture Notes in Computer Science, pp. 87–103, Springer, Berlin, Germany, 2005.

[40] X. Boyen, Q. Mei, and B. Waters, "Direct chosen ciphertext security from identity-based techniques," in Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS '05), pp. 320–329, November 2005.

[41] E. Kiltz, "Chosen-ciphertext security from tag-based encryption," in Theory of Cryptography, vol. 3876 of Lecture Notes in Computer Science, pp. 581–600, Springer, Berlin, Germany, 2006.

[42] C. Peikert and B. Waters, "Lossy trapdoor functions and their applications," in Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC '08), pp. 187–196, 2008.

[43] A. Rosen and G. Segev, "Chosen-ciphertext security via correlated products," in Theory of Cryptography, vol. 5444, pp. 419–436, Springer, Berlin, Germany, 2009.

[44] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," in Advances in Cryptology – CRYPTO 2001, Proceedings of the 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19–23, 2001, vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, Springer, Berlin, Germany, 2001.

[45] D. Boneh, C. Gentry, and B. Waters, "Collusion resistant broadcast encryption with short ciphertexts and private keys," in Proceedings of the 25th Annual International Cryptology Conference (CRYPTO '05), vol. 3621 of Lecture Notes in Computer Science, pp. 258–275, Santa Barbara, Calif, USA, 2005.

[46] J. Groth and A. Sahai, "Efficient non-interactive proof systems for bilinear groups," in Advances in Cryptology – EUROCRYPT 2008, vol. 4965 of Lecture Notes in Computer Science, pp. 415–432, Springer, Berlin, Germany, 2008.

[47] D. Boneh, G. D. Crescenzo, R. Ostrovsky, and G. Persiano, "Public key encryption with keyword search," in Computational Science and Its Applications – ICCSA 2008, vol. 3089 of Lecture Notes in Computer Science, pp. 31–45, Springer, Berlin, Germany, 2004.

[48] M. Abdalla, M. Bellare, D. Catalano et al., "Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions," in Advances in Cryptology – CRYPTO 2005, vol. 3621 of Lecture Notes in Computer Science, pp. 205–222, Springer, Berlin, Germany, 2005.

[49] V. Goyal, O. Pandey, A. Sahai, and B. Waters, "Attribute-based encryption for fine-grained access control of encrypted data," in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06), pp. 89–98, November 2006.

[50] J. Katz, A. Sahai, and B. Waters, "Predicate encryption supporting disjunctions, polynomial equations, and inner products," in Advances in Cryptology – EUROCRYPT 2008, vol. 4965 of Lecture Notes in Computer Science, pp. 146–162, Springer, Berlin, Germany, 2008.

[51] J. Baek, R. Safavi-Naini, and W. Susilo, "Certificateless public key encryption without pairing," in Information Security, vol. 3650 of Lecture Notes in Computer Science, pp. 134–148, Springer, Berlin, Germany, 2005.

[52] S. Al-Riyami and K. Paterson, "Certificateless public key cryptography," in Advances in Cryptology – ASIACRYPT 2003, vol. 2894 of Lecture Notes in Computer Science, pp. 452–473, Springer, 2003.

[53] R. Deng, J. Weng, S. Liu, and K. Chen, "Chosen-ciphertext secure proxy re-encryption without pairings," in Cryptology and Network Security, vol. 5339 of Lecture Notes in Computer Science, pp. 1–17, Springer, Berlin, Germany, 2008, http://eprint.iacr.org/2008/509.

[54] J. Shao and Z. Cao, "CCA-secure proxy re-encryption without pairings," in Public Key Cryptography – PKC 2009, vol. 5443 of Lecture Notes in Computer Science, pp. 357–376, Springer, Berlin, Germany, 2009.

[55] J. Camenisch and V. Shoup, "Practical verifiable encryption and decryption of discrete logarithms," in Advances in Cryptology – CRYPTO 2003, vol. 2729 of Lecture Notes in Computer Science, pp. 126–144, Springer, Berlin, Germany, 2003.

[56] A. Kiayias, Y. Tsiounis, and M. Yung, Group Encryption, Cryptology ePrint Archive, 2007, http://eprint.iacr.org/2007/015.pdf.

[57] E. Kiltz, "Chosen-ciphertext secure key-encapsulation based on gap hashed Diffie-Hellman," in Public Key Cryptography – PKC, vol. 4450 of Lecture Notes in Computer Science, pp. 282–297, Springer, Berlin, Germany, 2007.

[58] J. Herranz, D. Hofheinz, and E. Kiltz, "KEM/DEM: necessary and sufficient conditions for secure hybrid encryption," IACR Cryptology ePrint Archive, Report 2006/256, IACR, 2006.

[59] J. Zhang and X. Wang, "New construction of PVPKE scheme based on signed quadratic residues," in Proceedings of the 5th International Conference on Intelligent Networking and Collaborative Systems (INCoS '13), pp. 434–437, September 2013.

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Distributed Sensor Networks

International Journal of

Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014

International Journal of

ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

ArtificialNeural Systems

Advances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Computational Intelligence and Neuroscience

Industrial EngineeringJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Page 5: New Research Article New Construction of PVPKE Scheme and Its …downloads.hindawi.com/journals/misy/2015/430797.pdf · 2019. 7. 31. · Research Article New Construction of PVPKE

Mobile Information Systems 5

KEM of Kiltz [57] the PG(ParamGen) algorithm is similarto [57] except that it uses gap groups PG(1119896) outputs publicparameters par = (G 119901 119892DDH 119867) where G = 119892 is amultiplicative cyclic group of prime order 119901 2119896 le 119901 le 2119896+1DDH is an efficient algorithm such that DDH(119892119886 119892119887 119892119888) =1 harr 119888 = 119886119887(119901) and 119867 G rarr 0 1

1198971

(119896) is a cryptographichash function such that 119897

1(119896) is a polynomial in 119896 We also use

a strong one-time signature scheme OTS = (KG SignVrfy)with verification key space 0 11198972(119896) such that 119897

2(119896) is a

polynomial in 119896 and a target collision resistant hash functionTCR G times 0 11198972(119896) rarr 119885

119901 The message space is MsgSp =

0 11198971

(119896) The scheme works as follows

(i) PKEKG(par)

119909 larr997888 119885lowast

119901

119906 larr997888 119892119909

Vlarr997888 G

119890119896 larr997888 (119906 V) 119889119896 larr997888 119909

Return (119890119896 119889119896)

(9)

(ii) PKEEnc(par ek M)

(119906 V) larr997888 119890119896

(V119896 sig 119896) larr997888 OTSKG (1119896)

119903larr997888119877119885lowast

119901 1198881larr997888 119892

119903

119905 larr997888 TCR (1198881 V119896) 120587 larr997888 (119906

119905V)119903

119870 larr997888 119867(119906119903

) 1198882larr997888 119872 oplus119870

119888 larr997888 (1198881 1198882 120587)

120575 larr997888 OTSSign (sig 119896 119888)

Return 119862 = (119888 120575 V119896)

(10)

(iii) PKEVer(par ek C)

(119906 V) larr997888 119890119896

(119888 120575 V119896) larr997888 119862

(1198881 1198882 120601) larr997888 119888

119905 larr997888 TCR (1198881 V119896)

If DDH (1198881 119906119905V 120587) = Or

OTSVrfy (119888 120575 V119896) =perp return perp

Return 1198621015840 = (1198881 1198882)

(11)

(iv) PKEDec1015840(par ek dk C1015840)

(1198881 1198882) larr997888 119862

1015840

119909 larr997888 119889119896

119870 larr997888 119867(119888119909

1) 119872 larr997888 119888

2oplus 119870

Return 119872

(12)

32 Our Proposed PVPKE Scheme Based on Signed QuadraticResidues First we give the core idea behind our constructionWe observe that Nieto et alrsquos PKE scheme actually is aPVPKE scheme but the only issue is that they use an abstractDDH oracle They instantiate this oracle by bilinear pairingsbut we require that PVPKE scheme cannot rely on bilinearpairings We also observe that signed quadratic residues canalso instantiate the abstract DDH oracle so we modify Nietoet alrsquos scheme to be based on signed quadratic residuesgroup which now give a natural new PVPKE schemeNotation we omit the mod119873 operation and every modularexponentiation in signed quadratic residues such as the factthat ℎ = 1199062 is represented as ℎ = 1199062 which implies all themodular exponentiation and other operations obey the rulesdefined in [28] instead of obeying the normal group rulesThefollowing is the concrete scheme

(i) PVPKE.PG($1^k$) is as follows.

(a) Here we focus on the $QR^+_N$ group: we first generate an RSA modulus $N = PQ$ with RSAgen($1^k$) [28], then choose uniformly $u \leftarrow_R (\mathbb{Z}^*_N)^+ \setminus QR^+_N$ and set $h = u^2$. Note that by definition of $N$ we have $G = \langle h \rangle = QR^+_N$ except with probability $O(2^{-\delta_n(k)})$.

(b) $H: G \rightarrow \{0,1\}^{l_1(k)}$ is a cryptographic hash function such that $l_1(k)$ is a polynomial in $k$.

(c) We also use a strong one-time signature scheme OTS = (KG, Sign, Vrfy) with verification key space $\{0,1\}^{l_2(k)}$ such that $l_2(k)$ is a polynomial in $k$, and a target collision resistant hash function $\mathrm{TCR}: G \times \{0,1\}^{l_2(k)} \rightarrow \mathbb{Z}_p$. The message space is $\mathrm{MsgSp} = \{0,1\}^{l_1(k)}$.

(d) DDH is an efficient algorithm such that $\mathrm{DDH}(g^a, g^b, g^c) = 1 \leftrightarrow c = ab \bmod p$. For the scheme relying on the $QR^+_N$ group we can easily decide the DDH tuple; concretely we do the following.

(1) Choose $a, b \in [N/4]$ and $m, n \in \mathrm{ord}(QR^+_N)$ satisfying $2^m(a + 1/2) > n \times \mathrm{ord}(QR^+_N)$, $2^m(b + 1/2) > n \times \mathrm{ord}(QR^+_N)$, and $m$ is not very little. Then set
$g = h^2$, $X = h \circ g^a$, $Y = h \circ g^b$. (13)

(2) Publish $a' = 2^m(a + 1/2) \bmod n \times \mathrm{ord}(QR^+_N)$ and $b' = 2^m(b + 1/2) \bmod n \times \mathrm{ord}(QR^+_N)$ as the parameters for public verifying.

(3) The DDHParams = $(g, X, Y, a', b', 2^m)$.

(e) PG($1^k$) outputs public parameters par = $(G, N, \mathrm{DDHParams}, H, \mathrm{OTS}) = (G, N, g, X, Y, a', b', 2^m, H, \mathrm{OTS})$.

(ii) PVPKE.KG(par):
$x \leftarrow \mathbb{Z}^*_N$
$u \leftarrow g^x$
$X = h \circ g^a$
$Y = h \circ g^b$
$ek \leftarrow (u, X, Y)$, $dk \leftarrow x$
Return $(ek, dk)$. (14)

(iii) PVPKE.Enc(par, ek, M):
$(u, X, Y) \leftarrow ek$
$(vk, sigk) \leftarrow \mathrm{OTS.KG}(1^k)$
$r \leftarrow_R \mathbb{Z}^*_N$, $c_1 \leftarrow g^r$
$t \leftarrow \mathrm{TCR}(c_1, vk)$, $\pi \leftarrow (X^t Y)^r$
$K \leftarrow H(u^r)$, $c_2 \leftarrow M \oplus K$
$c \leftarrow (c_1, c_2, \pi)$
$\delta \leftarrow \mathrm{OTS.Sign}(sigk, c)$
Return $C = (c, \delta, vk)$. (15)

(iv) PVPKE.Ver(par, ek, C):
$(u, X, Y) \leftarrow ek$
$(c, \delta, vk) \leftarrow C$
$(c_1, c_2, \pi) \leftarrow c$
$t \leftarrow \mathrm{TCR}(c_1, vk)$
If $c_1^{a't + b'} \neq \pi^{2^m}$ or $\mathrm{OTS.Vrfy}(c, \delta, vk) = \perp$, return $\perp$
Return $C' = (c_1, c_2)$. (16)

(v) PVPKE.Dec$'$(par, ek, dk, $C'$):
$(c_1, c_2) \leftarrow C'$
$x \leftarrow dk$
$K \leftarrow H(c_1^x)$
$M \leftarrow c_2 \oplus K$
Return $M$. (17)
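The scheme of (13)–(17) as an added example in Python, not the paper's or the authors' code: a toy signed-quadratic-residues group with small safe primes, SHA-256 standing in for $H$ and TCR, and a Lamport one-time signature standing in for OTS; the seed, parameter sizes and sample message are constructed for the demonstration. Besides the honest round trip it shows what a router or gateway (Section 4) gets from the public check alone: a ciphertext whose $\pi$ was altered is rejected without any secret, and a valid one yields the stripped $C' = (c_1, c_2)$.

```python
"""Toy PVPKE over signed quadratic residues QR_N^+ (Section 3.2); added example, not the
paper's code. Tiny safe primes, SHA-256 for H/TCR, Lamport OTS. Not for production."""
import hashlib, math, random
from collections import namedtuple

RNG = random.Random(2015)  # seeded so the toy run is reproducible
Par = namedtuple("Par", "N g X Y a1 b1 two_m")  # modulus + DDHParams (g, X, Y, a', b', 2^m)

def sha(*parts: bytes) -> bytes: return hashlib.sha256(b"".join(parts)).digest()
def is_prime(n: int) -> bool: return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

def safe_prime(bits: int) -> tuple:  # (P, P') with P = 2P' + 1, both prime; toy sizes only
    while True:
        q = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q

def absN(z: int, N: int) -> int:  # |z| of [28]: the representative in [0, N/2]
    z %= N
    return z if z <= (N - 1) // 2 else N - z
def mul(x: int, y: int, N: int) -> int: return absN(x * y, N)          # x ∘ y in QR_N^+
def gexp(x: int, e: int, N: int) -> int: return absN(pow(x, e, N), N)  # x^e in QR_N^+

def param_gen(bits: int = 20, m: int = 128) -> Par:
    """PVPKE.PG: Blum modulus N = PQ, generator h of QR_N^+, DDHParams of (13)."""
    (P, p1), (Q, q1) = safe_prime(bits), safe_prime(bits)
    while Q == P:
        Q, q1 = safe_prime(bits)
    N, order = P * Q, p1 * q1          # ord(QR_N^+) = P'Q', known only to PG
    while True:                        # h = u^2; keep it if it generates QR_N^+
        u = RNG.randrange(2, N)
        h = gexp(u, 2, N)
        if math.gcd(u, N) == 1 and gexp(h, p1, N) != 1 and gexp(h, q1, N) != 1:
            break
    g = mul(h, h, N)                   # g = h^2, so h = g^(1/2)
    a, b = RNG.randrange(1, N // 4), RNG.randrange(1, N // 4)
    X, Y = mul(h, gexp(g, a, N), N), mul(h, gexp(g, b, N), N)  # X = h∘g^a, Y = h∘g^b
    n = RNG.randrange(2, order)
    # a' = 2^m (a + 1/2) mod n·ord, kept integral as 2^(m-1)(2a + 1); the paper
    # requires 2^m (a + 1/2) > n·ord so that the reduction actually wraps.
    assert (1 << (m - 1)) * 3 > n * order, "m too small for this N"
    a1 = ((1 << (m - 1)) * (2 * a + 1)) % (n * order)
    b1 = ((1 << (m - 1)) * (2 * b + 1)) % (n * order)
    return Par(N, g, X, Y, a1, b1, 1 << m)

# Lamport one-time signature over SHA-256, standing in for OTS = (KG, Sign, Vrfy).
def ots_keygen() -> tuple:
    sk = [(RNG.randbytes(32), RNG.randbytes(32)) for _ in range(256)]
    return [(sha(s0), sha(s1)) for s0, s1 in sk], sk
def ots_sign(sk: list, msg: bytes) -> list:
    d = int.from_bytes(sha(msg), "big")
    return [sk[i][(d >> i) & 1] for i in range(256)]
def ots_verify(vk: list, msg: bytes, sig: list) -> bool:
    d = int.from_bytes(sha(msg), "big")
    return len(sig) == 256 and all(sha(sig[i]) == vk[i][(d >> i) & 1] for i in range(256))

def encode_c(c: tuple) -> bytes:  # c = (c1, c2, π) serialized for signing
    return f"{c[0]}|{c[1].hex()}|{c[2]}".encode()
def tcr(c1: int, vk: list) -> int:  # TCR(c1, vk) as an integer exponent t
    return int.from_bytes(sha(str(c1).encode(), *(h0 + h1 for h0, h1 in vk)), "big")
def kdf(elem: int) -> bytes:  # H: G -> {0,1}^256
    return sha(b"H", str(elem).encode())

def keygen(par: Par) -> tuple:
    """PVPKE.KG (14): x <- Z_N^*, u = g^x; ek = (u, X, Y), dk = x."""
    x = RNG.randrange(2, par.N)
    return (gexp(par.g, x, par.N), par.X, par.Y), x

def encrypt(par: Par, ek: tuple, M: bytes) -> tuple:
    """PVPKE.Enc (15) for a 32-byte M; returns C = (c, delta, vk)."""
    u, X, Y = ek
    vk, sigk = ots_keygen()
    r = RNG.randrange(2, par.N)
    c1 = gexp(par.g, r, par.N)
    t = tcr(c1, vk)
    pi = gexp(mul(gexp(X, t, par.N), Y, par.N), r, par.N)  # π = (X^t Y)^r
    K = kdf(gexp(u, r, par.N))                              # K = H(u^r)
    c = (c1, bytes(x ^ y for x, y in zip(M, K)), pi)
    return c, ots_sign(sigk, encode_c(c)), vk

def verify(par: Par, C: tuple):
    """PVPKE.Ver (16): c1^(a't+b') = π^(2^m) and the OTS check; needs no secret."""
    (c1, c2, pi), delta, vk = C
    t = tcr(c1, vk)
    if gexp(c1, par.a1 * t + par.b1, par.N) != gexp(pi, par.two_m, par.N):
        return None                    # a router or gateway drops this ciphertext
    return (c1, c2) if ots_verify(vk, encode_c((c1, c2, pi)), delta) else None

def decrypt(par: Par, dk: int, C1: tuple) -> bytes:
    """PVPKE.Dec' (17): K = H(c1^x), M = c2 xor K."""
    return bytes(x ^ y for x, y in zip(C1[1], kdf(gexp(C1[0], dk, par.N))))

def demo() -> tuple:  # honest round trip, then a ciphertext whose π was altered in transit
    par = param_gen(); ek, dk = keygen(par)
    M = sha(b"constructed sample message"); C = encrypt(par, ek, M)
    (c1, c2, pi), delta, vk = C
    tampered = ((c1, c2, mul(pi, par.g, par.N)), delta, vk)
    return decrypt(par, dk, verify(par, C)) == M, verify(par, tampered) is None
```

`demo()` returns `(True, True)`: the honest ciphertext decrypts after passing the public check, and the altered one is rejected by the exponent test alone, before the signature is even examined.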

3.3. Security Analysis. Based on Nieto et al.'s security result and the property of signed quadratic residues, we can give the following theorem.

Theorem 3. Assume that TCR is a target collision resistant hash function and OTS is a strongly unforgeable one-time signature scheme. Under a variant of the hashed Diffie-Hellman assumption for $G$ (the signed quadratic residues group) and $H$, and the factoring assumption of RSAGen (which implies the strong Diffie-Hellman assumption in the signed quadratic residues group, proved in [28]), our PVPKE scheme based on signed quadratic residues is IND-CCA-secure.

Proof. In the following we give our scheme's security proof roughly.

(1) We observe that in Nieto et al.'s PKE scheme $u$ plays two roles: one is deriving the DEM message mask key, and the other is serving as part of the DDH test. But many research results show that it is secure to split these two roles [8]; thus we introduce $X$ to take the role in the DDH test while keeping $u$ as the source for deriving the DEM message mask key, which is the reason why we use $(X^t Y)$ instead of $(u^t v)$ in our scheme.

(2) In our scheme we adopt Hofheinz and Kiltz's technique of reducing the SDH assumption to the factoring assumption; concretely, we set $X, Y, g, h, a$, and $b$ the same as theirs, but we make $a' = 2^m(a + 1/2) \bmod n \times \mathrm{ord}(QR^+_N)$ and $b' = 2^m(b + 1/2) \bmod n \times \mathrm{ord}(QR^+_N)$ public, which are used for public verifying. The verifying equation $(g^r)^{a't + b'} = ((X^t Y)^r)^{2^m}$ can also be used for deciding the DDH relationship of $(g, X^t Y, g^r, (X^t Y)^r)$, but an attacker cannot figure out $\pi = (X^t Y)^r$ by finding the $1/2^m$ root of $(g^r)^{a't + b'}$, for we know that finding square roots in $QR_N$ is as hard as factoring, and this also holds in $QR^+_N$.

(3) We require $2^m(a + 1/2) > n \times \mathrm{ord}(QR^+_N)$ and $2^m(b + 1/2) > n \times \mathrm{ord}(QR^+_N)$ to avoid the trivial attack of computing $a + 1/2 = a'/2^m$ and $b + 1/2 = b'/2^m$ without any modular operation, and thus trivially computing $\pi = (X^t Y)^r = (g^r)^{(a + 1/2)t + (b + 1/2)}$. Obviously this attack can easily forge a valid $\pi$ and thus a valid ciphertext, and break the IND-CCA property. We also require that $m$ is not too little, to resist the brute force attack of finding $a$ from $a'$.

(4) Generally speaking, our scheme is almost identical to Nieto et al.'s scheme; thus the security proof is almost the same as theirs. Below are the details.

Let $(c^*, \delta^*, vk^*)$ be the challenge ciphertext. The proposed PKE without the CHK transform can be seen as a KEM/DEM combination which is at least IND-CPA-secure due to Herranz et al. [58]. As for the KEM, a variant of the hashed Diffie-Hellman (HDH) assumption [48] can be used to prove the IND-CPA security of the resulting PKE. Note that the message does not depend on $vk^*$ and is just the signature on $c^*$. Therefore $c^*$, being an output of the IND-CPA-secure scheme, hides the value of the chosen $b$ from the adversary.

[Figure 1: Routers drop the invalid ciphertexts via PVPKE. Diagram labels: Router, Receiver, Adversary, PubK, Router, Sender, SK.]

Below we prove that the IND-CCA adversary $A$ may access the decryption oracle and will gain no help in guessing the value of $b$. Suppose the adversary submits a ciphertext $(c', \delta', vk') \neq (c^*, \delta^*, vk^*)$ to the decryption oracle. Now there are two cases.

(i) When $vk' = vk^*$, the decryption oracle will output $\perp$, as the adversary fails to break the underlying strongly unforgeable one-time signature scheme with respect to $vk'$.

(ii) When $vk' \neq vk^*$, the attacker $B$ against the variant of the HDH problem can set the public keys as seen in the IND-CCA security proof for the KEM by Kiltz [57] such that (1) $B$ can answer all decryption queries from $A$ except for the challenge ciphertext, even without knowledge of the secret key, and (2) $B$ solves HDH if $A$ wins. Note that in Nieto et al.'s scheme $(u, v)$ is the public key while in our scheme $(u, X, Y)$ is the public key; but we observe that $v$ is randomly chosen from $G$, while in our scheme $X, Y$ are set as $h \circ g^a, h \circ g^b$, which are also random because $a, b$ are random. Thus our scheme roughly shares the same security proof outline as in [57], except that our scheme is in signed quadratic residues.

4. Applications

4.1. Application 1: The Routers Drop the Invalid Ciphertexts via PVPKE. As shown in Figure 1, PVPKE can be used in the open internet network to help the routers filter the invalid ciphertexts, while traditional IND-CCA-secure public key encryption does not have this function. First, a sender (encrypter) wants to encrypt his message to a receiver (decrypter) by using public key encryption, and the ciphertexts in many cases have to be sent through open networks which are not equipped with security guards to resist malicious attack; thus the sender had better choose an IND-CCA-secure public key encryption to encrypt his message. When an error or a data loss occurs in the ciphertexts during the transfer, PVPKE can help the routers drop invalid ciphertexts by using the public verifying algorithm. Note here that the routers need no secret, which will greatly reduce the cost of resetting up the old system. Also, if there exists a malicious attacker modifying the ciphertexts, the invalid ciphertexts will also be dropped. This will greatly help the network preserve its communication band only for effective data blocks and help the routers and the receiver reduce their workload, for they now only need to do the necessary computation. However, PVPKE cannot resist the following case: an attacker generates a ciphertext following the right encryption algorithm, and this ciphertext will certainly pass the public verifying algorithm. We think that in this case the attacker is indeed an encrypter, which is a trivial case that no verifying algorithm can avoid.

[Figure 2: Gateways reduce the workload via PVPKE. Diagram labels: Gateway; IND-CCA ciphertext; IND-CPA ciphertext; Open internet network; Internal trusted network.]

4.2. Application 2: The Gateways Reduce the Workload via PVPKE. The following scenario always exists: ciphertexts need to be transferred from a public open network like the internet to an internal network like the government's network. As shown in Figure 2, PVPKE can be used to help the gateways reduce the workload by transforming an IND-CCA ciphertext into an IND-CPA ciphertext. When an IND-CCA ciphertext is captured by the gateway, the gateway first verifies its validity by using the public verifying algorithm. If it has passed, then the gateway can drop one part of the ciphertext, the part which is used to authenticate the ciphertext, like $(\delta, vk)$ in our PVPKE and Nieto et al.'s PKE scheme (here we do not claim that every PVPKE scheme has this separate authentication part, for there exist PVPKE schemes in which the authentication part has been integrated into the other parts of the ciphertext as a whole). Thus the remaining ciphertext will be IND-CPA-secure and will be shorter compared with the original ciphertext. Because the government's network usually will be well protected with many security mechanisms, IND-CPA security is enough to assure the security of the ciphertext. This will also reduce the workload of the employees who work on the internal network of the government.

4.3. Application 3: Achieving Ciphertext Checkable in the Clouds via PVPKE. Today more and more people prefer to upload their personal data contents to the clouds, but they do not want the cloud to know what the data contents are. Thus they need to encrypt the personal data contents before uploading them to the clouds. PVPKE can be used to achieve ciphertext checkability in this case, which can be seen in Figure 3. When the data owner uploads the ciphertexts to the cloud, there may exist incidents like data loss or a malicious attacker modifying the ciphertexts; in these cases a proxy can be used to check the ciphertext's validity by using PVPKE. When the data owner or data user needs to retrieve the content, the clouds return the corresponding ciphertext to them. Also at this time the proxy can be used to check the ciphertext's validity by using PVPKE. Note here that the proxy needs only to be semitrusted: it can perform the check without any secret, which will greatly benefit reducing the system management. For example, the proxy can be the access infrastructure in the wireless network setting. Note here that we do not claim that every ciphertext needs to be checked, which would be too heavy. This check must be run probabilistically with randomly chosen ciphertexts.

[Figure 3: Achieving ciphertext checkable in the clouds via PVPKE. Diagram labels: Storage; Proxy; Outsource ciphertext; Retrieve ciphertext; Reliable ciphertext.]

5. Conclusions

PVPKE is a very powerful building block to construct other cryptographic primitives or protocols, and its construction has remained open for almost decades. In [13] we give several constructions and analyze their security. In this paper, by using the fact that the DDH oracle can be instantiated in signed quadratic residues, we give a new PVPKE construction and roughly prove its security. Future work will be further exploring our idea and proving our proposal's security strictly.

Disclosure

This paper is a revised and expanded version of a paper titled "New Construction of PVPKE Scheme Based on Signed Quadratic Residues" presented at the Incos 2013 Conference [59]. The second author is the corresponding author.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The authors would like to express their gratitude to the editors for many helpful comments. This work is supported by the National Natural Science Foundation of China under Contracts nos. 61103230, 61272492, 61103231, and 61202492.

References

[1] A. J. Jara, S. Varakliotis, A. F. Skarmeta, and P. Kirstein, "Extending the Internet of things to the future internet through IPv6 support," Mobile Information Systems, vol. 10, no. 1, pp. 3–17, 2014.

[2] A. J. Jara, D. Fernandez, P. Lopez, M. A. Zamora, and A. F. Skarmeta, "Lightweight MIPv6 with IPSec support," Mobile Information Systems, vol. 10, no. 1, pp. 37–77, 2014.

[3] W. Diffie and M. E. Hellman, "New directions in cryptography," IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644–654, 1976.

[4] R. L. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Communications of the Association for Computing Machinery, vol. 21, no. 2, pp. 120–126, 1978.

[5] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.

[6] M. Abe, E. Kiltz, and T. Okamoto, "Chosen ciphertext security with optimal ciphertext overhead," in Advances in Cryptology – ASIACRYPT 2008, vol. 5350 of Lecture Notes in Computer Science, pp. 355–371, Springer, Berlin, Germany, 2008.

[7] M. Bellare and P. Rogaway, "Optimal asymmetric encryption: how to encrypt with RSA," in Advances in Cryptology – EUROCRYPT '94, vol. 950 of Lecture Notes in Computer Science, pp. 92–111, 1994.

[8] R. Cramer and V. Shoup, "A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack," in Advances in Cryptology – CRYPTO '98, vol. 1462 of Lecture Notes in Computer Science, pp. 13–25, Springer, Berlin, Germany, 1998.

[9] G. Hanaoka and K. Kurosawa, "Efficient chosen ciphertext secure public key encryption under the computational Diffie-Hellman assumption," in Advances in Cryptology – ASIACRYPT 2008, vol. 5350 of Lecture Notes in Computer Science, pp. 308–325, Springer, Berlin, Germany, 2008.

[10] D. Hofheinz, E. Kiltz, and V. Shoup, "Practical chosen ciphertext secure encryption from factoring," Journal of Cryptology, vol. 26, no. 1, pp. 102–118, 2013.

[11] Y. Lindell, "A simpler construction of CCA2-secure public-key encryption under general assumptions," in Advances in Cryptology – EUROCRYPT 2003, vol. 2656 of Lecture Notes in Computer Science, pp. 241–254, Springer, Berlin, Germany, 2003.

[12] K. Goto, Y. Sasaki, T. Hara, and S. Nishio, "Data gathering using mobile agents for reducing traffic in dense mobile wireless sensor networks," Mobile Information Systems, vol. 9, no. 4, pp. 295–314, 2013.

[13] M. Zhang, X. A. Wang, W. Li, and X. Yang, "CCA secure publicly verifiable public key encryption without pairings nor random oracle and its applications," Journal of Computers, vol. 8, no. 8, pp. 1987–1994, 2013.

[14] X. Chen, J. Li, and W. Susilo, "Efficient fair conditional payments for outsourcing computations," IEEE Transactions on Information Forensics and Security, vol. 7, no. 6, pp. 1687–1694, 2012.

[15] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, "New algorithms for secure outsourcing of modular exponentiations," in Computer Security – ESORICS 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541–556, Springer, Berlin, Germany, 2012.

[16] R. Canetti and S. Goldwasser, "An efficient threshold public key cryptosystem secure against adaptive chosen ciphertext attack," in Advances in Cryptology – EUROCRYPT '99, vol. 1592 of Lecture Notes in Computer Science, pp. 90–106, Springer, Berlin, Germany, 1999.

[17] J. Baek and Y. Zheng, "Identity-based threshold decryption," in Public Key Cryptography – PKC 2004, vol. 2947 of Lecture Notes in Computer Science, pp. 262–276, Springer, Berlin, Germany, 2004.

[18] D. Boneh, X. Boyen, and S. Halevi, "Chosen ciphertext secure public key threshold encryption without random oracles," in Topics in Cryptology – CT-RSA 2006, vol. 3860 of Lecture Notes in Computer Science, pp. 226–243, 2006.

[19] V. Shoup and R. Gennaro, "Securing threshold cryptosystems against chosen ciphertext attack," Journal of Cryptology, vol. 15, no. 2, pp. 75–96, 2002.

[20] C. Delerablee and D. Pointcheval, "Dynamic threshold public-key encryption," in Advances in Cryptology – CRYPTO, vol. 5157 of Lecture Notes in Computer Science, pp. 317–334, Springer, Berlin, Germany, 2008.

[21] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, "Improved proxy re-encryption schemes with applications to secure distributed storage," in Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS '05), pp. 29–43, San Diego, Calif, USA, 2005.

[22] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, "Improved proxy re-encryption schemes with applications to secure distributed storage," ACM Transactions on Information and System Security, vol. 9, no. 1, pp. 1–30, 2006.

[23] B. Libert and D. Vergnaud, "Unidirectional chosen-ciphertext secure proxy re-encryption," in Public Key Cryptography – PKC 2008, vol. 4939 of Lecture Notes in Computer Science, pp. 360–379, Springer, Berlin, Germany, 2008.

[24] R. Canetti and S. Hohenberger, "Chosen ciphertext secure proxy re-encryption," in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), pp. 185–194, ACM, 2007.

[25] J. Zhang and X. A. Wang, "On the security of a multi-use CCA-secure proxy re-encryption scheme," in Proceedings of the 4th International Conference on Intelligent Networking and Collaborative Systems (INCoS '12), pp. 571–576, Bucharest, Romania, September 2012.

[26] J. Zhang and X. Wang, "Security analysis of a multi-use identity based CCA-secure proxy reencryption scheme," in Proceedings of the 4th International Conference on Intelligent Networking and Collaborative Systems (INCoS '12), pp. 581–586, September 2012.

[27] J. Nieto, M. Manulis, B. Poettering, J. Rangasamy, and D. Stebila, "Publicly verifiable ciphertexts," in Proceedings of the 8th International Conference on Security and Cryptography for Networks (SCN '12), vol. 7485 of Lecture Notes in Computer Science, pp. 393–410, Amalfi, Italy, 2012.

[28] D. Hofheinz and E. Kiltz, "The group of signed quadratic residues and applications," in Advances in Cryptology – CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 637–653, Springer, Berlin, Germany, 2009.

[29] M. Naor and M. Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks," in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC '90), pp. 427–437, May 1990.

[30] C. Rackoff and D. R. Simon, "Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack," in Advances in Cryptology – CRYPTO '91, vol. 576 of Lecture Notes in Computer Science, pp. 433–444, Springer, Berlin, Germany, 1992.

[31] D. Dolev, C. Dwork, and M. Naor, "Non-malleable cryptography," in Proceedings of the 23rd Annual ACM Symposium on Theory of Computing (STOC '91), pp. 542–552, May 1991.

[32] A. Sahai, "Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security," in Proceedings of the 40th Annual Symposium on Foundations of Computer Science (IEEE FOCS '99), pp. 543–553, New York, NY, USA, October 1999.

[33] M. Bellare and P. Rogaway, "Random oracles are practical: a paradigm for designing efficient protocols," in Proceedings of the 1st ACM Conference on Computer and Communications Security (CCS '93), pp. 62–73, November 1993.

[34] R. Canetti, O. Goldreich, and S. Halevi, "Random oracle methodology revisited," in Proceedings of the 30th Annual ACM Symposium on Theory of Computing (STOC '98), pp. 209–218, May 1998.

[35] R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.

[36] K. Kurosawa and Y. Desmedt, "A new paradigm of hybrid encryption scheme," in Advances in Cryptology – CRYPTO 2004, vol. 3152 of Lecture Notes in Computer Science, pp. 426–442, 2004.

[37] M. Abe, R. Gennaro, K. Kurosawa, and V. Shoup, "Tag-KEM/DEM: a new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM," in Advances in Cryptology – EUROCRYPT 2005, vol. 3494 of Lecture Notes in Computer Science, pp. 128–146, Springer, Berlin, Germany, 2005.

[38] R. Canetti, S. Halevi, and J. Katz, "Chosen-ciphertext security from identity-based encryption," in Advances in Cryptology – EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 207–222, Springer, Berlin, Germany, 2004.

[39] D. Boneh and J. Katz, "Improved efficiency for CCA-secure cryptosystems built using identity-based encryption," in Topics in Cryptology – CT-RSA 2005, vol. 3376 of Lecture Notes in Computer Science, pp. 87–103, Springer, Berlin, Germany, 2005.

[40] X. Boyen, Q. Mei, and B. Waters, "Direct chosen ciphertext security from identity-based techniques," in Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS '05), pp. 320–329, November 2005.

[41] E. Kiltz, "Chosen-ciphertext security from tag-based encryption," in Theory of Cryptography, vol. 3876 of Lecture Notes in Computer Science, pp. 581–600, Springer, Berlin, Germany, 2006.

[42] C. Peikert and B. Waters, "Lossy trapdoor functions and their applications," in Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC '08), pp. 187–196, 2008.

[43] A. Rosen and G. Segev, "Chosen-ciphertext security via correlated products," in Theory of Cryptography, vol. 5444, pp. 419–436, Springer, Berlin, Germany, 2009.

[44] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," in Advances in Cryptology – CRYPTO 2001: Proceedings of the 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19–23, 2001, vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, Springer, Berlin, Germany, 2001.

[45] D. Boneh, C. Gentry, and B. Waters, "Collusion resistant broadcast encryption with short ciphertexts and private keys," in Proceedings of the 25th Annual International Cryptology Conference (CRYPTO '05), vol. 3621 of Lecture Notes in Computer Science, pp. 258–275, Santa Barbara, Calif, USA, 2005.

[46] J. Groth and A. Sahai, "Efficient non-interactive proof systems for bilinear groups," in Advances in Cryptology – EUROCRYPT 2008, vol. 4965 of Lecture Notes in Computer Science, pp. 415–432, Springer, Berlin, Germany, 2008.

[47] D. Boneh, G. D. Crescenzo, R. Ostrovsky, and G. Persiano, "Public key encryption with keyword search," in Computational Science and Its Applications – ICCSA 2008, vol. 3089 of Lecture Notes in Computer Science, pp. 31–45, Springer, Berlin, Germany, 2004.

[48] M. Abdalla, M. Bellare, D. Catalano, et al., "Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions," in Advances in Cryptology – CRYPTO 2005, vol. 3621 of Lecture Notes in Computer Science, pp. 205–222, Springer, Berlin, Germany, 2005.

[49] V. Goyal, O. Pandey, A. Sahai, and B. Waters, "Attribute-based encryption for fine-grained access control of encrypted data," in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06), pp. 89–98, November 2006.

[50] J. Katz, A. Sahai, and B. Waters, "Predicate encryption supporting disjunctions, polynomial equations, and inner products," in Advances in Cryptology – EUROCRYPT 2008, vol. 4965 of Lecture Notes in Computer Science, pp. 146–162, Springer, Berlin, Germany, 2008.

[51] J. Baek, R. Safavi-Naini, and W. Susilo, "Certificateless public key encryption without pairing," in Information Security, vol. 3650 of Lecture Notes in Computer Science, pp. 134–148, Springer, Berlin, Germany, 2005.

[52] S. Al-Riyami and K. Paterson, "Certificateless public key cryptography," in Advances in Cryptology – ASIACRYPT 2003, vol. 2894 of Lecture Notes in Computer Science, pp. 452–473, Springer, 2003.

[53] R. Deng, J. Weng, S. Liu, and K. Chen, "Chosen-ciphertext secure proxy re-encryption without pairings," in Cryptology and Network Security, vol. 5339 of Lecture Notes in Computer Science, pp. 1–17, Springer, Berlin, Germany, 2008, http://eprint.iacr.org/2008/509.

[54] J. Shao and Z. Cao, "CCA-secure proxy re-encryption without pairings," in Public Key Cryptography – PKC 2009, vol. 5443 of Lecture Notes in Computer Science, pp. 357–376, Springer, Berlin, Germany, 2009.

[55] J. Camenisch and V. Shoup, "Practical verifiable encryption and decryption of discrete logarithms," in Advances in Cryptology – CRYPTO 2003, vol. 2729 of Lecture Notes in Computer Science, pp. 126–144, Springer, Berlin, Germany, 2003.

[56] A. Kiayias, Y. Tsiounis, and M. Yung, Group Encryption, Cryptology ePrint Archive, 2007, http://eprint.iacr.org/2007/015.pdf.

[57] E. Kiltz, "Chosen-ciphertext secure key-encapsulation based on gap hashed Diffie-Hellman," in Public Key Cryptography – PKC, vol. 4450 of Lecture Notes in Computer Science, pp. 282–297, Springer, Berlin, Germany, 2007.

[58] J. Herranz, D. Hofheinz, and E. Kiltz, "KEM/DEM: necessary and sufficient conditions for secure hybrid encryption," IACR Cryptology ePrint Archive, Report 2006/256, IACR, 2006.

[59] J. Zhang and X. Wang, "New construction of PVPKE scheme based on signed quadratic residues," in Proceedings of the 5th International Conference on Intelligent Networking and Collaborative Systems (INCoS '13), pp. 434–437, September 2013.


Page 6: New Research Article New Construction of PVPKE Scheme and Its …downloads.hindawi.com/journals/misy/2015/430797.pdf · 2019. 7. 31. · Research Article New Construction of PVPKE

6 Mobile Information Systems

(3) The DDHParams = (119892 119883 119884 1198861015840 1198871015840 2119898)

(e) PG(1119896) outputs public parameters par = (G119873DDHParams119867OTS) = (G 119873 119892119883 119884 11988610158401198871015840 2119898 119867OTS)

(ii) PVPKEKG(par)

119909 larr997888 119885lowast

119873

119906 larr997888 119892119909

119883 = ℎ ∘ 119892119886

119884 = ℎ ∘ 119892119887

119890119896 larr997888 (119906119883 119884) 119889119896 larr997888 119909

Return (119890119896 119889119896)

(14)

(iii) PVPKEEnc(par ek M)

(119906 119883 119884) larr997888 119890119896

(V119896 sig 119896) larr997888 OTSKG (1119896)

119903larr997888119877119885lowast

119873 1198881larr997888 119892

119903

119905 larr997888 TCR (1198881 V119896) 120587 larr997888 (119883

119905

119884)119903

119870 larr997888 119867(119906119903

) 1198882larr997888 119872 oplus119870

119888 larr997888 (1198881 1198882 120587)

120575 larr997888 OTSSign (sig 119896 119888)

Return 119862 = (119888 120575 V119896)

(15)

(iv) PVPKEVer(par ek C)

(119906 119883 119884) larr997888 119890119896

(119888 120575 V119896) larr997888 119862

(1198881 1198882 120587) larr997888 119888

119905 larr997888 TCR (1198881 V119896)

If 1198881198861015840

119905+1198871015840

1= (120587)2119898

Or

OTSVrfy (119888 120575 V119896) =perp return perp

Return 1198621015840 = (1198881 1198882)

(16)

(v) PVPKEDec1015840(par ek dk C1015840)

(1198881 1198882) larr997888 119862

1015840

119909 larr997888 119889119896

119870 larr997888 119867(119888119909

1) 119872 larr997888 119888

2oplus 119870

Return 119872

(17)

33 Security Analysis Based on Nieto et alrsquos security resultand the property of signed quadratic residues we can give thefollowing theorem

Theorem 3 Assume that TCR is a target collision resistanthash function and OTS is a strongly unforgeable one-timesignature scheme Under a variant of hashed Diffie-Hellmanassumption for G (signed quadratic residues group) and 119867the factoring assumption of RSAGen (which implies the strongDiffie-Hellman assumption in signed quadratic residues groupproved in [28]) our PVPKE scheme based on signed quadraticresidues is IND-CCA-secure

Proof In the following we give our schemersquos security proofroughly

(1) We observe that in Nieto et alrsquos PKE scheme 119906 playstwo roles one used to be deriving the DEM messagemask key and the other used to be as part of theDDH test But many research results show that it issecure to split these two roles separately [8] thuswe introduce 119883 as the role of part of the DDH testwhile maintaining 119906 as the source of deriving DEMmessage mask key which is the reason why we use(119883119905119884) instead of (119906119905V) in our scheme

(2) In our scheme we adopt Hofheinz and Kiltz's technique of reducing the SDH assumption to the factoring assumption. Concretely, we set $X, Y, g, h, a$ and $b$ as in their scheme, but we additionally publish

$$a' = 2^{m}\left(a + \tfrac{1}{2}\right) \bmod n \cdot \mathrm{ord}(QR_N^{+}), \qquad b' = 2^{m}\left(b + \tfrac{1}{2}\right) \bmod n \cdot \mathrm{ord}(QR_N^{+}),$$

which are used for public verification. The verifying equation

$$(g^{r})^{a' t + b'} = \left((X^{t}Y)^{r}\right)^{2^{m}}$$

can also be used to decide the DDH relationship of $(g, X^{t}Y, g^{r}, (X^{t}Y)^{r})$, but an attacker cannot recover $\pi = (X^{t}Y)^{r}$ by taking the $2^{m}$-th root of $(g^{r})^{a' t + b'}$, because finding square roots in $QR_N$ is as hard as factoring, and this also holds in $QR_N^{+}$.

(3) We require $2^{m}(a + \frac{1}{2}) > n \cdot \mathrm{ord}(QR_N^{+})$ and $2^{m}(b + \frac{1}{2}) > n \cdot \mathrm{ord}(QR_N^{+})$, so that the modular reduction actually takes effect. Otherwise there is a trivial attack: compute $a + \frac{1}{2} = a'/2^{m}$ and $b + \frac{1}{2} = b'/2^{m}$ over the integers, without any modular operation, and then compute $\pi = (X^{t}Y)^{r} = (g^{r})^{(a + \frac{1}{2})t + (b + \frac{1}{2})}$ directly. Obviously this attack can forge a valid $\pi$, hence a valid ciphertext, and break the IND-CCA property. We also require that $m$ is not too small, to resist a brute-force attack that recovers $a$ from $a'$.

(4) Generally speaking, our scheme is almost identical to Nieto et al.'s scheme, so the security proof is almost the same as theirs. Below are the details.

Let $(c^{*}, \delta^{*}, vk^{*})$ be the challenge ciphertext. The proposed PKE without the CHK transform can be seen as a KEM/DEM combination, which is at least IND-CPA-secure due to Herranz et al. [58]. As for the KEM, a variant of the hashed Diffie-Hellman (HDH) assumption [48] can be used to prove the IND-CPA security of the resulting PKE. Note that $\delta^{*}$ does not depend on the message; it is just the signature on $c^{*}$ under $vk^{*}$. Therefore $c^{*}$, being an output of the IND-CPA-secure scheme, hides the challenge bit $b$ from the adversary.

Mobile Information Systems 7

Figure 1: Routers drop the invalid ciphertexts via PVPKE. (The sender holds the receiver's public key PubK, the ciphertext passes through routers and past an adversary, and the receiver holds the secret key SK.)

Below we argue that the IND-CCA adversary $\mathcal{A}$, which may access the decryption oracle, gains no help in guessing the challenge bit $b$. Suppose the adversary submits a ciphertext $(c', \delta', vk') \neq (c^{*}, \delta^{*}, vk^{*})$ to the decryption oracle. There are two cases.

(i) When $vk' = vk^{*}$, the decryption oracle outputs $\perp$, because otherwise the adversary would have broken the underlying strongly unforgeable one-time signature scheme with respect to $vk'$.

(ii) When $vk' \neq vk^{*}$, the attacker $\mathcal{B}$ against the variant of the HDH problem can set up the public keys as in the IND-CCA security proof for the KEM by Kiltz [57], such that (1) $\mathcal{B}$ can answer all decryption queries from $\mathcal{A}$ except for the challenge ciphertext, even without knowledge of the secret key, and (2) $\mathcal{B}$ solves HDH if $\mathcal{A}$ wins. Note that in Nieto et al.'s scheme $(u, v)$ is the public key, while in our scheme $(u, X, Y)$ is the public key; $v$ is chosen at random from $G$, while in our scheme $X, Y$ are set as $h \circ g^{a}, h \circ g^{b}$ (where $\circ$ is the group operation of $QR_N^{+}$), which are also random because $a, b$ are random. Thus our scheme roughly shares the proof outline of [57], except that it lives in the group of signed quadratic residues.
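The following is an added worked example, not code from the paper: it instantiates the public verifying equation $(g^{r})^{a' t + b'} = ((X^{t}Y)^{r})^{2^{m}}$ of item (2) over a toy group of signed quadratic residues, the rejection rule of item (3), and the leak that occurs when that rule is violated. It also shows why a verifier learns nothing about $\pi$: with the group order (i.e. the factorization) the $2^{m}$-th root is easy, without it the check only decides the DDH relation. The `verify` function is exactly the secret-free check that the routers, gateways and proxies of Section 4 run. Assumptions not fixed by the text: $h$ is taken to be the square root of $g$ in $QR_N^{+}$ (which is what makes the exponent $a + \frac{1}{2}$ appear), the tag $t$ is SHA-256 of $c_1$ as a stand-in for TCR, $p, q, n, m$ are toy values, and the one-time signature and DEM are omitted.

```python
"""Toy model of the PVPKE public check over the signed quadratic residues QR_N^+.

Added example, not the paper's code. Assumptions beyond the paper's text:
  - h is the square root of g in QR_N^+ (source of the exponent a + 1/2);
  - the tag t is SHA-256 of c1, a stand-in for the paper's TCR;
  - p, q, n, m are toy values; the OTS and the DEM are left out.
Parameters are tiny and NOT secure; only the equations are exercised.
"""
import hashlib
import math
import random
import secrets


def sq_abs(x, N):
    """|x|: the representative of {x, -x} in [1, (N-1)/2] (Hofheinz-Kiltz)."""
    x %= N
    return x if x <= (N - 1) // 2 else N - x


def s_mul(x, y, N):            # group operation  x o y = |x*y mod N|
    return sq_abs(x * y, N)


def s_pow(x, e, N):            # exponentiation in QR_N^+
    return sq_abs(pow(x, e, N), N)


def keygen(p, q, m, n, rng=secrets.randbelow):
    """p, q = 3 mod 4: N is a Blum integer and ord(QR_N^+) = (p-1)(q-1)/4 is odd."""
    assert p % 4 == 3 and q % 4 == 3 and m >= 1
    N, order = p * q, (p - 1) * (q - 1) // 4
    M = n * order                                # modulus for a', b'
    while True:                                  # g: random element of QR_N^+, g != 1
        u = rng(N)
        g = sq_abs(u * u, N)
        if math.gcd(u, N) == 1 and g != 1:
            break
    h = s_pow(g, (order + 1) // 2, N)            # the square root of g in QR_N^+
    a, b = rng(M), rng(M)                        # item (3): 2^m (a + 1/2) must exceed n*ord
    while 2 ** (m - 1) * (2 * a + 1) <= M:
        a = rng(M)
    while 2 ** (m - 1) * (2 * b + 1) <= M:
        b = rng(M)
    X = s_mul(h, s_pow(g, a, N), N)              # X = h o g^a
    Y = s_mul(h, s_pow(g, b, N), N)              # Y = h o g^b
    a_pub = (2 ** (m - 1) * (2 * a + 1)) % M     # = 2^m (a + 1/2) mod n*ord
    b_pub = (2 ** (m - 1) * (2 * b + 1)) % M
    pk = {"N": N, "g": g, "X": X, "Y": Y, "a_pub": a_pub, "b_pub": b_pub, "m": m}
    sk = {"a": a, "b": b, "order": order}        # order is the factoring trapdoor
    return pk, sk


def tag(c1):
    """Stand-in for TCR(c1)."""
    return int.from_bytes(hashlib.sha256(str(c1).encode()).digest(), "big")


def encaps(pk, rng=secrets.randbelow):
    """Sender: c1 = g^r and pi = (X^t Y)^r; r never leaves the sender."""
    N = pk["N"]
    r = 1 + rng(N - 1)                           # toy exponent range
    c1 = s_pow(pk["g"], r, N)
    pi = s_pow(s_mul(s_pow(pk["X"], tag(c1), N), pk["Y"], N), r, N)
    return c1, pi


def verify(pk, c1, pi):
    """Public check with pk only: (g^r)^(a' t + b') == ((X^t Y)^r)^(2^m)."""
    N, t = pk["N"], tag(c1)
    lhs = s_pow(c1, pk["a_pub"] * t + pk["b_pub"], N)
    return lhs == s_pow(pi, 2 ** pk["m"], N)


def root_with_trapdoor(pk, sk, c1):
    """Knowing ord(QR_N^+) (the factorization) the 2^m-th root of
    (g^r)^(a' t + b') is easy and equals pi; without it, it is as hard as factoring."""
    N, t = pk["N"], tag(c1)
    target = s_pow(c1, pk["a_pub"] * t + pk["b_pub"], N)
    return s_pow(target, pow(2, -pk["m"], sk["order"]), N)


def leak_if_unwrapped(a_pub, m):
    """Trivial attack of item (3): if 2^m (a + 1/2) < n*ord the reduction is a
    no-op, so a' = 2^(m-1)(2a+1) over the integers and a = (a'/2^(m-1) - 1)/2."""
    quot, rem = divmod(a_pub, 2 ** (m - 1))
    if rem or quot % 2 == 0:
        return None
    return (quot - 1) // 2


def demo(seed=1, p=1019, q=1031, m=8, n=3):
    """Deterministic run on the toy Blum integer N = 1019*1031; returns the checks."""
    rng = random.Random(seed).randrange
    pk, sk = keygen(p, q, m, n, rng)
    c1, pi = encaps(pk, rng)
    weak = (2 ** (m - 1) * (2 * 3 + 1)) % (n * sk["order"])   # a = 3 violates item (3)
    return {
        "valid": verify(pk, c1, pi),
        "tampered": verify(pk, c1, s_mul(pi, pk["g"], pk["N"])),
        "root_matches": root_with_trapdoor(pk, sk, c1) == pi,
        "a": sk["a"],
        "leak_strong": leak_if_unwrapped(pk["a_pub"], m),
        "leak_weak": leak_if_unwrapped(weak, m),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` reports that the honest $(c_1, \pi)$ verifies, that a modified $\pi$ is rejected, that the trapdoor holder recovers $\pi$ from $c_1$ alone, and that the weak exponent $a = 3$ is read straight off $a'$ while a properly chosen $a$ is not. With $a$ drawn close to $n \cdot \mathrm{ord}(QR_N^{+})$ the attacker would have to guess the quotient dropped by the reduction, about $2^{m}$ candidates, which is the brute-force attack item (3) says a sufficiently large $m$ must defeat.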

4. Applications

4.1. Application 1: The Routers Drop the Invalid Ciphertexts via PVPKE. As shown in Figure 1, PVPKE can be used in an open internet network to help the routers filter out invalid ciphertexts, a function that traditional IND-CCA-secure public key encryption does not provide. A sender (encrypter) wants to encrypt a message to a receiver (decrypter) using public key encryption; in many cases the ciphertexts have to travel through open networks that have no security guards against malicious attack, so the sender should choose an IND-CCA-secure public key encryption scheme. When an error or data loss corrupts a ciphertext in transit, PVPKE lets the routers drop the invalid ciphertext by running the public verifying algorithm. Note that the routers need no secret, which greatly reduces the cost of re-deploying an existing system. If a malicious attacker modifies ciphertexts, the invalid ciphertexts are dropped as well. This helps the network spend its bandwidth only on valid data blocks, and it reduces the workload of the routers and the receiver, which now only do the necessary computation. However, PVPKE cannot resist the following case: an attacker generates a ciphertext by following the correct encryption algorithm, and this ciphertext will certainly pass the public verifying algorithm. In this case the attacker is simply an encrypter; this is a trivial case that no verifying algorithm can rule out.

Figure 2: Gateways reduce the workload via PVPKE. (An IND-CCA ciphertext arriving from the open internet network is turned by the gateway into an IND-CPA ciphertext for the internal trusted network.)

4.2. Application 2: The Gateways Reduce the Workload via PVPKE. The following scenario is common: ciphertexts need to be transferred from a public open network, such as the internet, to an internal network, such as a government's network. As shown in Figure 2, PVPKE can help the gateways reduce the workload by transforming an IND-CCA ciphertext into an IND-CPA ciphertext. When the gateway captures an IND-CCA ciphertext, it first verifies its validity using the public verifying algorithm. If the check passes, the gateway can drop the part of the ciphertext that is used to authenticate it, such as $(\delta, vk)$ in our PVPKE and in Nieto et al.'s PKE scheme (we do not claim that every PVPKE scheme has such a separate authentication part; there exist PVPKE schemes in which the authentication part is integrated with the other parts of the ciphertext as a whole). The remaining ciphertext is IND-CPA-secure and shorter than the original. Because the government's network is usually well protected by many security mechanisms, IND-CPA security is enough to assure the security of the ciphertext there. Note what this assumption buys: once $(\delta, vk)$ is removed, the receiver can no longer detect modification of the ciphertext, so the integrity guarantee now rests on the gateway being trusted and on the internal path being protected as assumed. This also reduces the workload of the employees who work on the government's internal network.

4.3. Application 3: Achieving Checkable Ciphertexts in the Cloud via PVPKE. Today more and more people prefer to upload their personal data to the cloud, but they do not want the cloud to learn what the data contents are. Thus they need to encrypt the personal data before uploading it. PVPKE can be used to make the ciphertexts checkable in this setting, as shown in Figure 3. When the data owner uploads ciphertexts to the cloud, incidents such as data loss or a malicious attacker modifying the ciphertexts may occur; in these cases a proxy can check the ciphertexts' validity using PVPKE. When the data owner or a data user needs to retrieve the content, the cloud returns the corresponding ciphertexts, and again the proxy can check their validity using PVPKE. Note that the proxy needs only to be semi-trusted: it performs the check without any secret, which greatly simplifies system management. For example, the proxy can be the access infrastructure in a wireless network setting. Note also that we do not claim every ciphertext needs to be checked, which would be too heavy; the check should be run probabilistically on randomly chosen ciphertexts.

Figure 3: Achieving checkable ciphertexts in the cloud via PVPKE. (Ciphertexts are outsourced to and retrieved from cloud storage through a proxy that passes on only reliable ciphertexts.)

5 Conclusions

PVPKE is a very powerful building block for constructing other cryptographic primitives and protocols, and its construction has remained open for many years. In [13] we gave several constructions and analyzed their security. In this paper, using the fact that a DDH oracle can be instantiated in the group of signed quadratic residues, we give a new PVPKE construction and roughly prove its security. Future work will further explore this idea and prove the proposal's security rigorously.

Disclosure

This paper is a revised and expanded version of a paper titled "New Construction of PVPKE Scheme Based on Signed Quadratic Residues" presented at the INCoS 2013 conference [59]. The second author is the corresponding author.

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

The authors would like to express their gratitude to the editors for many helpful comments. This work is supported by the National Natural Science Foundation of China under Contracts nos. 61103230, 61272492, 61103231, and 61202492.

References

[1] A. J. Jara, S. Varakliotis, A. F. Skarmeta, and P. Kirstein, "Extending the Internet of things to the future internet through IPv6 support," Mobile Information Systems, vol. 10, no. 1, pp. 3–17, 2014.

[2] A. J. Jara, D. Fernandez, P. Lopez, M. A. Zamora, and A. F. Skarmeta, "Lightweight MIPv6 with IPSec support," Mobile Information Systems, vol. 10, no. 1, pp. 37–77, 2014.

[3] W. Diffie and M. E. Hellman, "New directions in cryptography," IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644–654, 1976.

[4] R. L. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Communications of the ACM, vol. 21, no. 2, pp. 120–126, 1978.

[5] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.

[6] M. Abe, E. Kiltz, and T. Okamoto, "Chosen ciphertext security with optimal ciphertext overhead," in Advances in Cryptology – ASIACRYPT 2008, vol. 5350 of Lecture Notes in Computer Science, pp. 355–371, Springer, Berlin, Germany, 2008.

[7] M. Bellare and P. Rogaway, "Optimal asymmetric encryption: how to encrypt with RSA," in Advances in Cryptology – EUROCRYPT '94, vol. 950 of Lecture Notes in Computer Science, pp. 92–111, 1994.

[8] R. Cramer and V. Shoup, "A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack," in Advances in Cryptology – CRYPTO '98, vol. 1462 of Lecture Notes in Computer Science, pp. 13–25, Springer, Berlin, Germany, 1998.

[9] G. Hanaoka and K. Kurosawa, "Efficient chosen ciphertext secure public key encryption under the computational Diffie-Hellman assumption," in Advances in Cryptology – ASIACRYPT 2008, vol. 5350 of Lecture Notes in Computer Science, pp. 308–325, Springer, Berlin, Germany, 2008.

[10] D. Hofheinz, E. Kiltz, and V. Shoup, "Practical chosen ciphertext secure encryption from factoring," Journal of Cryptology, vol. 26, no. 1, pp. 102–118, 2013.

[11] Y. Lindell, "A simpler construction of CCA2-secure public-key encryption under general assumptions," in Advances in Cryptology – EUROCRYPT 2003, vol. 2656 of Lecture Notes in Computer Science, pp. 241–254, Springer, Berlin, Germany, 2003.

[12] K. Goto, Y. Sasaki, T. Hara, and S. Nishio, "Data gathering using mobile agents for reducing traffic in dense mobile wireless sensor networks," Mobile Information Systems, vol. 9, no. 4, pp. 295–314, 2013.

[13] M. Zhang, X. A. Wang, W. Li, and X. Yang, "CCA secure publicly verifiable public key encryption without pairings nor random oracle and its applications," Journal of Computers, vol. 8, no. 8, pp. 1987–1994, 2013.

[14] X. Chen, J. Li, and W. Susilo, "Efficient fair conditional payments for outsourcing computations," IEEE Transactions on Information Forensics and Security, vol. 7, no. 6, pp. 1687–1694, 2012.

[15] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, "New algorithms for secure outsourcing of modular exponentiations," in Computer Security – ESORICS 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541–556, Springer, Berlin, Germany, 2012.

[16] R. Canetti and S. Goldwasser, "An efficient threshold public key cryptosystem secure against adaptive chosen ciphertext attack," in Advances in Cryptology – EUROCRYPT '99, vol. 1592 of Lecture Notes in Computer Science, pp. 90–106, Springer, Berlin, Germany, 1999.

[17] J. Baek and Y. Zheng, "Identity-based threshold decryption," in Public Key Cryptography – PKC 2004, vol. 2947 of Lecture Notes in Computer Science, pp. 262–276, Springer, Berlin, Germany, 2004.

[18] D. Boneh, X. Boyen, and S. Halevi, "Chosen ciphertext secure public key threshold encryption without random oracles," in Topics in Cryptology – CT-RSA 2006, vol. 3860 of Lecture Notes in Computer Science, pp. 226–243, 2006.

[19] V. Shoup and R. Gennaro, "Securing threshold cryptosystems against chosen ciphertext attack," Journal of Cryptology, vol. 15, no. 2, pp. 75–96, 2002.

[20] C. Delerablée and D. Pointcheval, "Dynamic threshold public-key encryption," in Advances in Cryptology – CRYPTO 2008, vol. 5157 of Lecture Notes in Computer Science, pp. 317–334, Springer, Berlin, Germany, 2008.

[21] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, "Improved proxy re-encryption schemes with applications to secure distributed storage," in Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS '05), pp. 29–43, San Diego, Calif, USA, 2005.

[22] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, "Improved proxy re-encryption schemes with applications to secure distributed storage," ACM Transactions on Information and System Security, vol. 9, no. 1, pp. 1–30, 2006.

[23] B. Libert and D. Vergnaud, "Unidirectional chosen-ciphertext secure proxy re-encryption," in Public Key Cryptography – PKC 2008, vol. 4939 of Lecture Notes in Computer Science, pp. 360–379, Springer, Berlin, Germany, 2008.

[24] R. Canetti and S. Hohenberger, "Chosen ciphertext secure proxy re-encryption," in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), pp. 185–194, ACM, 2007.

[25] J. Zhang and X. A. Wang, "On the security of a multi-use CCA-secure proxy re-encryption scheme," in Proceedings of the 4th International Conference on Intelligent Networking and Collaborative Systems (INCoS '12), pp. 571–576, Bucharest, Romania, September 2012.

[26] J. Zhang and X. Wang, "Security analysis of a multi-use identity based CCA-secure proxy reencryption scheme," in Proceedings of the 4th International Conference on Intelligent Networking and Collaborative Systems (INCoS '12), pp. 581–586, September 2012.

[27] J. Nieto, M. Manulis, B. Poettering, J. Rangasamy, and D. Stebila, "Publicly verifiable ciphertexts," in Proceedings of the 8th International Conference on Security and Cryptography for Networks (SCN '12), vol. 7485 of Lecture Notes in Computer Science, pp. 393–410, Amalfi, Italy, 2012.

[28] D. Hofheinz and E. Kiltz, "The group of signed quadratic residues and applications," in Advances in Cryptology – CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 637–653, Springer, Berlin, Germany, 2009.

[29] M. Naor and M. Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks," in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC '90), pp. 427–437, May 1990.

[30] C. Rackoff and D. R. Simon, "Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack," in Advances in Cryptology – CRYPTO '91, vol. 576 of Lecture Notes in Computer Science, pp. 433–444, Springer, Berlin, Germany, 1992.

[31] D. Dolev, C. Dwork, and M. Naor, "Non-malleable cryptography," in Proceedings of the 23rd Annual ACM Symposium on Theory of Computing (STOC '91), pp. 542–552, May 1991.

[32] A. Sahai, "Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security," in Proceedings of the 40th Annual Symposium on Foundations of Computer Science (FOCS '99), pp. 543–553, New York, NY, USA, October 1999.

[33] M. Bellare and P. Rogaway, "Random oracles are practical: a paradigm for designing efficient protocols," in Proceedings of the 1st ACM Conference on Computer and Communications Security (CCS '93), pp. 62–73, November 1993.

[34] R. Canetti, O. Goldreich, and S. Halevi, "Random oracle methodology, revisited," in Proceedings of the 30th Annual ACM Symposium on Theory of Computing (STOC '98), pp. 209–218, May 1998.

[35] R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.

[36] K. Kurosawa and Y. Desmedt, "A new paradigm of hybrid encryption scheme," in Advances in Cryptology – CRYPTO 2004, vol. 3152 of Lecture Notes in Computer Science, pp. 426–442, 2004.

[37] M. Abe, R. Gennaro, K. Kurosawa, and V. Shoup, "Tag-KEM/DEM: a new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM," in Advances in Cryptology – EUROCRYPT 2005, vol. 3494 of Lecture Notes in Computer Science, pp. 128–146, Springer, Berlin, Germany, 2005.

[38] R. Canetti, S. Halevi, and J. Katz, "Chosen-ciphertext security from identity-based encryption," in Advances in Cryptology – EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 207–222, Springer, Berlin, Germany, 2004.

[39] D. Boneh and J. Katz, "Improved efficiency for CCA-secure cryptosystems built using identity-based encryption," in Topics in Cryptology – CT-RSA 2005, vol. 3376 of Lecture Notes in Computer Science, pp. 87–103, Springer, Berlin, Germany, 2005.

[40] X. Boyen, Q. Mei, and B. Waters, "Direct chosen ciphertext security from identity-based techniques," in Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS '05), pp. 320–329, November 2005.

[41] E. Kiltz, "Chosen-ciphertext security from tag-based encryption," in Theory of Cryptography, vol. 3876 of Lecture Notes in Computer Science, pp. 581–600, Springer, Berlin, Germany, 2006.

[42] C. Peikert and B. Waters, "Lossy trapdoor functions and their applications," in Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC '08), pp. 187–196, 2008.

[43] A. Rosen and G. Segev, "Chosen-ciphertext security via correlated products," in Theory of Cryptography, vol. 5444 of Lecture Notes in Computer Science, pp. 419–436, Springer, Berlin, Germany, 2009.

[44] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," in Advances in Cryptology – CRYPTO 2001, Proceedings of the 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19–23, 2001, vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, Springer, Berlin, Germany, 2001.

[45] D. Boneh, C. Gentry, and B. Waters, "Collusion resistant broadcast encryption with short ciphertexts and private keys," in Proceedings of the 25th Annual International Cryptology Conference (CRYPTO '05), vol. 3621 of Lecture Notes in Computer Science, pp. 258–275, Santa Barbara, Calif, USA, 2005.

[46] J. Groth and A. Sahai, "Efficient non-interactive proof systems for bilinear groups," in Advances in Cryptology – EUROCRYPT 2008, vol. 4965 of Lecture Notes in Computer Science, pp. 415–432, Springer, Berlin, Germany, 2008.

[47] D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano, "Public key encryption with keyword search," in Advances in Cryptology – EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 506–522, Springer, Berlin, Germany, 2004.

[48] M. Abdalla, M. Bellare, D. Catalano, et al., "Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions," in Advances in Cryptology – CRYPTO 2005, vol. 3621 of Lecture Notes in Computer Science, pp. 205–222, Springer, Berlin, Germany, 2005.

[49] V. Goyal, O. Pandey, A. Sahai, and B. Waters, "Attribute-based encryption for fine-grained access control of encrypted data," in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06), pp. 89–98, November 2006.

[50] J. Katz, A. Sahai, and B. Waters, "Predicate encryption supporting disjunctions, polynomial equations, and inner products," in Advances in Cryptology – EUROCRYPT 2008, vol. 4965 of Lecture Notes in Computer Science, pp. 146–162, Springer, Berlin, Germany, 2008.

[51] J. Baek, R. Safavi-Naini, and W. Susilo, "Certificateless public key encryption without pairing," in Information Security, vol. 3650 of Lecture Notes in Computer Science, pp. 134–148, Springer, Berlin, Germany, 2005.

[52] S. Al-Riyami and K. Paterson, "Certificateless public key cryptography," in Advances in Cryptology – ASIACRYPT 2003, vol. 2894 of Lecture Notes in Computer Science, pp. 452–473, Springer, 2003.

[53] R. Deng, J. Weng, S. Liu, and K. Chen, "Chosen-ciphertext secure proxy re-encryption without pairings," in Cryptology and Network Security, vol. 5339 of Lecture Notes in Computer Science, pp. 1–17, Springer, Berlin, Germany, 2008, http://eprint.iacr.org/2008/509.

[54] J. Shao and Z. Cao, "CCA-secure proxy re-encryption without pairings," in Public Key Cryptography – PKC 2009, vol. 5443 of Lecture Notes in Computer Science, pp. 357–376, Springer, Berlin, Germany, 2009.

[55] J. Camenisch and V. Shoup, "Practical verifiable encryption and decryption of discrete logarithms," in Advances in Cryptology – CRYPTO 2003, vol. 2729 of Lecture Notes in Computer Science, pp. 126–144, Springer, Berlin, Germany, 2003.

[56] A. Kiayias, Y. Tsiounis, and M. Yung, "Group encryption," Cryptology ePrint Archive, Report 2007/015, 2007, http://eprint.iacr.org/2007/015.pdf.

[57] E. Kiltz, "Chosen-ciphertext secure key-encapsulation based on gap hashed Diffie-Hellman," in Public Key Cryptography – PKC 2007, vol. 4450 of Lecture Notes in Computer Science, pp. 282–297, Springer, Berlin, Germany, 2007.

[58] J. Herranz, D. Hofheinz, and E. Kiltz, "KEM/DEM: necessary and sufficient conditions for secure hybrid encryption," Cryptology ePrint Archive, Report 2006/256, IACR, 2006.

[59] J. Zhang and X. Wang, "New construction of PVPKE scheme based on signed quadratic residues," in Proceedings of the 5th International Conference on Intelligent Networking and Collaborative Systems (INCoS '13), pp. 434–437, September 2013.

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Distributed Sensor Networks

International Journal of

Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014

International Journal of

ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

ArtificialNeural Systems

Advances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Computational Intelligence and Neuroscience

Industrial EngineeringJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Page 7: New Research Article New Construction of PVPKE Scheme and Its …downloads.hindawi.com/journals/misy/2015/430797.pdf · 2019. 7. 31. · Research Article New Construction of PVPKE

Mobile Information Systems 7

Router

Receiver

Adversary

PubK

Router

Sender

SK

Figure 1 Routers drop the invalid ciphertexts via PVPKE

Below we prove that the IND-CCA adversary Amay access decryption oracle and will gain no helpin guessing the value of 119887 Suppose the adversarysubmits a ciphertext (1198881015840 1205751015840 V1198961015840) = (119888

lowast 120575lowast V119896lowast) to the

decryption oracle Now there are two cases

(i) When V1198961015840 = V119896lowast the decryption oracle willoutput perp as the adversary fails to break theunderlying strongly unforgeable one-time sig-nature scheme with respect to V1198961015840

(ii) When V1198961015840 = V119896 the attacker B against thevariant of HDH problem can set the publickeys as seen in the IND-CCA security prooffor the KEM by Kiltz [57] such that (1) B cananswer except for the challenge ciphertext alldecryption queries from A even without theknowledge of the secret key and (2) B solvesHDH if A wins Note in Nieto et alrsquos scheme119906 V is the public key while in our scheme 119906119883 119884is the public key but we observe V is randomlychosen from119866 while in our scheme119883119884 are setasℎ∘119892119886ℎ∘119892119887which are also randombecause119886 119887are randomThus our scheme roughly shares thesame security proof outline as in [57] except thatour scheme is in signed quadratic residues

4 Applications

41 Application 1 The Routers Drop the Invalid Ciphertextsvia PVPKE As shown in Figure 1 PVPKE can be usedin the open internet network to help the routers to filterthe invalid ciphertexts while traditional IND-CCA-securepublic key encryption does not have this function Firsta sender (encrypter) wants to encrypt his message to areceiver (decrypter) by using public key encryption and theciphertexts in many cases have to be sent through opennetworks which are not equipped with security guardsto resist malicious attack thus the sender should betterchoose an IND-CCA-secure public key encryption to encrypthis message When an error or a data loss occurs in theciphertexts through the transferring the PVPKE can help therouters drop invalid ciphertexts by using the algorithm ofpublic verifying Note here the routers need not any secret

Gateway

IND-CCAciphertext

IND-CPAciphertext

Open internet network Internal trusted network

Figure 2 Gateways reduce the workload via PVPKE

which will greatly reduce the cost of resetup of the oldsystem Also if there exists malicious attacker modifying theciphertexts the invalid ciphertexts will also be dropped Thiswill greatly help the network to preserve its communicationband only to effective data blocks and help the routers andthe receiver to reduce the workload for they now only needto do the necessary computation However PVPKE cannotresist the following case an attacker generates a ciphertextfollowing the right encryption algorithm and this ciphertextwill certainly pass through the algorithm of public verifyingWe think this time the attacker is indeed an encrypter whichwill be a trivial case and any verifying algorithm cannot avoidit

42 Application 2 The Gateways Reduce the Workload viaPVPKE The following scenarios are always existing cipher-texts need to be transferred from a public open networklike internet to an internal network like the governmentrsquosnetwork As shown in Figure 2 PVPKE can be used to helpthe gateways reduce the workload transforming an IND-CCAciphertext to be an IND-CPA ciphertextWhen an IND-CCA ciphertext was captured by the gateway the gateway firstverifies its validity by using the publicly verifying algorithmIf it has passed then the gateway can drop one part ofthe ciphertext the part which is used to authenticate theciphertext like (120575 V119896) in our PVPKE and Nieto et alrsquos PKEscheme (here we do not claim that any PVPKE schemehas this separate authentication part for there exist PVPKEschemes in which the authentication part has been integratedin the other parts of the ciphertext as a whole) Thus theremaining ciphertext will be IND-CPA-secure and will beshorter compared with the original ciphertext Because thegovernmentrsquos network usually will be protected well withmany security mechanisms IND-CPA security is enough toassure the security of the ciphertext This will also reduce theworkload of the employees whowork on the internal networkof the government

43 Application 3 Achieving Ciphertext Checkable in theClouds via PVPKE Today more and more people preferto upload their personal data contents to the clouds butthey do not want the cloud to know what the data contents

8 Mobile Information Systems

Storage

StorageStorage

Storage

Outsource ciphertext

Retrieve ciphertext

ProxyReliable ciphertext

Figure 3 Achieving ciphertext checkable in the clouds via PVPKE

are Thus they need to encrypt the personal data contentsbefore uploading them to the clouds PVPKE can be used toachieve ciphertext checkable in this case which can be seenin Figure 3 When the data owner uploads the ciphertexts tothe cloud there may exist incident things like data loss ormalicious attacker modifying the ciphertexts in these casesa proxy can be used to check the ciphertextrsquos validity byusing PVPKE When the data owner or data user needs toretrieve the content the clouds return the correspondingciphertext to them Also this time the proxy can be used tocheck the ciphertextrsquos validity by using PVPKENote here thatthe proxy needs only to be semitrusted it can perform thecheck without any secret this will greatly benefit reducingthe system management For example the proxy can be theaccess infrastructure in the wireless network setting Notehere that we do not claim that every ciphertext needs to bechecked which will be too heavy This check must be runprobabilistically with randomly chosen ciphertext

5 Conclusions

PVPKE is a very powerful block to construct other crypto-graphic primitives or protocols and its construction remainsopen for almost decades In [13] we give several constructionsand analyze their security In this paper by using the factthat the DDH oracle can be instantiated in signed quadraticresidues we give new PVPKE construction and roughlyprove its security The future work will be further exploringour idea and prove our proposalrsquos security strictly

Disclosure

This paper is a revised and expanded version of a papertitled ldquoNewConstruction of PVPKE Scheme Based on SignedQuadratic Residuesrdquo presented at the Incos 2013 Conference[59] The second author is the corresponding author

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

The authors would like to express their gratitude to theeditors for many helpful comments This work is supportedby the National Natural Science Foundation of China underContracts nos 61103230 61272492 61103231 and 61202492

References

[1] A. J. Jara, S. Varakliotis, A. F. Skarmeta, and P. Kirstein, “Extending the Internet of things to the future internet through IPv6 support,” Mobile Information Systems, vol. 10, no. 1, pp. 3–17, 2014.

[2] A. J. Jara, D. Fernandez, P. Lopez, M. A. Zamora, and A. F. Skarmeta, “Lightweight MIPv6 with IPSec support,” Mobile Information Systems, vol. 10, no. 1, pp. 37–77, 2014.

[3] W. Diffie and M. E. Hellman, “New directions in cryptography,” IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644–654, 1976.

[4] R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Communications of the Association for Computing Machinery, vol. 21, no. 2, pp. 120–126, 1978.

[5] S. Goldwasser and S. Micali, “Probabilistic encryption,” Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.

[6] M. Abe, E. Kiltz, and T. Okamoto, “Chosen ciphertext security with optimal ciphertext overhead,” in Advances in Cryptology – ASIACRYPT 2008, vol. 5350 of Lecture Notes in Computer Science, pp. 355–371, Springer, Berlin, Germany, 2008.

[7] M. Bellare and P. Rogaway, “Optimal asymmetric encryption: how to encrypt with RSA,” in Advances in Cryptology – EUROCRYPT ’94, vol. 950 of Lecture Notes in Computer Science, pp. 92–111, 1994.

[8] R. Cramer and V. Shoup, “A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack,” in Advances in Cryptology – CRYPTO ’98, vol. 1462 of Lecture Notes in Computer Science, pp. 13–25, Springer, Berlin, Germany, 1998.

[9] G. Hanaoka and K. Kurosawa, “Efficient chosen ciphertext secure public key encryption under the computational Diffie-Hellman assumption,” in Advances in Cryptology – ASIACRYPT 2008, vol. 5350 of Lecture Notes in Computer Science, pp. 308–325, Springer, Berlin, Germany, 2008.

[10] D. Hofheinz, E. Kiltz, and V. Shoup, “Practical chosen ciphertext secure encryption from factoring,” Journal of Cryptology, vol. 26, no. 1, pp. 102–118, 2013.

[11] Y. Lindell, “A simpler construction of CCA2-secure public-key encryption under general assumptions,” in Advances in Cryptology – EUROCRYPT 2003, vol. 2656 of Lecture Notes in Computer Science, pp. 241–254, Springer, Berlin, Germany, 2003.

[12] K. Goto, Y. Sasaki, T. Hara, and S. Nishio, “Data gathering using mobile agents for reducing traffic in dense mobile wireless sensor networks,” Mobile Information Systems, vol. 9, no. 4, pp. 295–314, 2013.

[13] M. Zhang, X. A. Wang, W. Li, and X. Yang, “CCA secure publicly verifiable public key encryption without pairings nor random oracle and its applications,” Journal of Computers, vol. 8, no. 8, pp. 1987–1994, 2013.

[14] X. Chen, J. Li, and W. Susilo, “Efficient fair conditional payments for outsourcing computations,” IEEE Transactions on Information Forensics and Security, vol. 7, no. 6, pp. 1687–1694, 2012.

Mobile Information Systems 9

[15] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, “New algorithms for secure outsourcing of modular exponentiations,” in Computer Security – ESORICS 2012, vol. 7459 of Lecture Notes in Computer Science, pp. 541–556, Springer, Berlin, Germany, 2012.

[16] R. Canetti and S. Goldwasser, “An efficient threshold public key cryptosystem secure against adaptive chosen ciphertext attack,” in Advances in Cryptology – EUROCRYPT ’99, vol. 1592 of Lecture Notes in Computer Science, pp. 90–106, Springer, Berlin, Germany, 1999.

[17] J. Baek and Y. Zheng, “Identity-based threshold decryption,” in Public Key Cryptography – PKC 2004, vol. 2947 of Lecture Notes in Computer Science, pp. 262–276, Springer, Berlin, Germany, 2004.

[18] D. Boneh, X. Boyen, and S. Halevi, “Chosen ciphertext secure public key threshold encryption without random oracles,” in Topics in Cryptology – CT-RSA 2006, vol. 3860 of Lecture Notes in Computer Science, pp. 226–243, 2006.

[19] V. Shoup and R. Gennaro, “Securing threshold cryptosystems against chosen ciphertext attack,” Journal of Cryptology, vol. 15, no. 2, pp. 75–96, 2002.

[20] C. Delerablée and D. Pointcheval, “Dynamic threshold public-key encryption,” in Advances in Cryptology – CRYPTO 2008, vol. 5157 of Lecture Notes in Computer Science, pp. 317–334, Springer, Berlin, Germany, 2008.

[21] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, “Improved proxy re-encryption schemes with applications to secure distributed storage,” in Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS ’05), pp. 29–43, San Diego, Calif, USA, 2005.

[22] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, “Improved proxy re-encryption schemes with applications to secure distributed storage,” ACM Transactions on Information and System Security, vol. 9, no. 1, pp. 1–30, 2006.

[23] B. Libert and D. Vergnaud, “Unidirectional chosen-ciphertext secure proxy re-encryption,” in Public Key Cryptography – PKC 2008, vol. 4939 of Lecture Notes in Computer Science, pp. 360–379, Springer, Berlin, Germany, 2008.

[24] R. Canetti and S. Hohenberger, “Chosen ciphertext secure proxy re-encryption,” in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS ’07), pp. 185–194, ACM, 2007.

[25] J. Zhang and X. A. Wang, “On the security of a multi-use CCA-secure proxy re-encryption scheme,” in Proceedings of the 4th International Conference on Intelligent Networking and Collaborative Systems (INCoS ’12), pp. 571–576, Bucharest, Romania, September 2012.

[26] J. Zhang and X. Wang, “Security analysis of a multi-use identity based CCA-secure proxy reencryption scheme,” in Proceedings of the 4th International Conference on Intelligent Networking and Collaborative Systems (INCoS ’12), pp. 581–586, September 2012.

[27] J. Nieto, M. Manulis, B. Poettering, J. Rangasamy, and D. Stebila, “Publicly verifiable ciphertexts,” in Proceedings of the 8th International Conference on Security and Cryptography for Networks (SCN ’12), vol. 7485 of Lecture Notes in Computer Science, pp. 393–410, Amalfi, Italy, 2012.

[28] D. Hofheinz and E. Kiltz, “The group of signed quadratic residues and applications,” in Advances in Cryptology – CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 637–653, Springer, Berlin, Germany, 2009.

[29] M. Naor and M. Yung, “Public-key cryptosystems provably secure against chosen ciphertext attacks,” in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC ’90), pp. 427–437, May 1990.

[30] C. Rackoff and D. R. Simon, “Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack,” in Advances in Cryptology – CRYPTO ’91, vol. 576 of Lecture Notes in Computer Science, pp. 433–444, Springer, Berlin, Germany, 1992.

[31] D. Dolev, C. Dwork, and M. Naor, “Non-malleable cryptography,” in Proceedings of the 23rd Annual ACM Symposium on Theory of Computing (STOC ’91), pp. 542–552, May 1991.

[32] A. Sahai, “Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security,” in Proceedings of the 40th Annual Symposium on Foundations of Computer Science (IEEE FOCS ’99), pp. 543–553, New York, NY, USA, October 1999.

[33] M. Bellare and P. Rogaway, “Random oracles are practical: a paradigm for designing efficient protocols,” in Proceedings of the 1st ACM Conference on Computer and Communications Security (CCS ’93), pp. 62–73, November 1993.

[34] R. Canetti, O. Goldreich, and S. Halevi, “Random oracle methodology revisited,” in Proceedings of the 30th Annual ACM Symposium on Theory of Computing (STOC ’98), pp. 209–218, May 1998.

[35] R. Cramer and V. Shoup, “Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack,” SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.

[36] K. Kurosawa and Y. Desmedt, “A new paradigm of hybrid encryption scheme,” in Advances in Cryptology – CRYPTO 2004, vol. 3152 of Lecture Notes in Computer Science, pp. 426–442, 2004.

[37] M. Abe, R. Gennaro, K. Kurosawa, and V. Shoup, “Tag-KEM/DEM: a new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM,” in Advances in Cryptology – EUROCRYPT 2005, vol. 3494 of Lecture Notes in Computer Science, pp. 128–146, Springer, Berlin, Germany, 2005.

[38] R. Canetti, S. Halevi, and J. Katz, “Chosen-ciphertext security from identity-based encryption,” in Advances in Cryptology – EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 207–222, Springer, Berlin, Germany, 2004.

[39] D. Boneh and J. Katz, “Improved efficiency for CCA-secure cryptosystems built using identity-based encryption,” in Topics in Cryptology – CT-RSA 2005, vol. 3376 of Lecture Notes in Computer Science, pp. 87–103, Springer, Berlin, Germany, 2005.

[40] X. Boyen, Q. Mei, and B. Waters, “Direct chosen ciphertext security from identity-based techniques,” in Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS ’05), pp. 320–329, November 2005.

[41] E. Kiltz, “Chosen-ciphertext security from tag-based encryption,” in Theory of Cryptography, vol. 3876 of Lecture Notes in Computer Science, pp. 581–600, Springer, Berlin, Germany, 2006.

[42] C. Peikert and B. Waters, “Lossy trapdoor functions and their applications,” in Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC ’08), pp. 187–196, 2008.

[43] A. Rosen and G. Segev, “Chosen-ciphertext security via correlated products,” in Theory of Cryptography, vol. 5444, pp. 419–436, Springer, Berlin, Germany, 2009.

[44] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” in Advances in Cryptology – CRYPTO 2001, Proceedings of the 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19–23, 2001, vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, Springer, Berlin, Germany, 2001.

[45] D. Boneh, C. Gentry, and B. Waters, “Collusion resistant broadcast encryption with short ciphertexts and private keys,” in Proceedings of the 25th Annual International Cryptology Conference (CRYPTO ’05), vol. 3621 of Lecture Notes in Computer Science, pp. 258–275, Santa Barbara, Calif, USA, 2005.

[46] J. Groth and A. Sahai, “Efficient non-interactive proof systems for bilinear groups,” in Advances in Cryptology – EUROCRYPT 2008, vol. 4965 of Lecture Notes in Computer Science, pp. 415–432, Springer, Berlin, Germany, 2008.

[47] D. Boneh, G. D. Crescenzo, R. Ostrovsky, and G. Persiano, “Public key encryption with keyword search,” in Computational Science and Its Applications – ICCSA 2008, vol. 3089 of Lecture Notes in Computer Science, pp. 31–45, Springer, Berlin, Germany, 2004.

[48] M. Abdalla, M. Bellare, D. Catalano et al., “Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions,” in Advances in Cryptology – CRYPTO 2005, vol. 3621 of Lecture Notes in Computer Science, pp. 205–222, Springer, Berlin, Germany, 2005.

[49] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data,” in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS ’06), pp. 89–98, November 2006.

[50] J. Katz, A. Sahai, and B. Waters, “Predicate encryption supporting disjunctions, polynomial equations, and inner products,” in Advances in Cryptology – EUROCRYPT 2008, vol. 4965 of Lecture Notes in Computer Science, pp. 146–162, Springer, Berlin, Germany, 2008.

[51] J. Baek, R. Safavi-Naini, and W. Susilo, “Certificateless public key encryption without pairing,” in Information Security, vol. 3650 of Lecture Notes in Computer Science, pp. 134–148, Springer, Berlin, Germany, 2005.

[52] S. Al-Riyami and K. Paterson, “Certificateless public key cryptography,” in Advances in Cryptology – ASIACRYPT 2003, vol. 2894 of Lecture Notes in Computer Science, pp. 452–473, Springer, 2003.

[53] R. Deng, J. Weng, S. Liu, and K. Chen, “Chosen ciphertext secure proxy re-encryption without pairings,” in Cryptology and Network Security, vol. 5339 of Lecture Notes in Computer Science, pp. 1–17, Springer, Berlin, Germany, 2008, http://eprint.iacr.org/2008/509.

[54] J. Shao and Z. Cao, “CCA-secure proxy re-encryption without pairings,” in Public Key Cryptography – PKC 2009, vol. 5443 of Lecture Notes in Computer Science, pp. 357–376, Springer, Berlin, Germany, 2009.

[55] J. Camenisch and V. Shoup, “Practical verifiable encryption and decryption of discrete logarithms,” in Advances in Cryptology – CRYPTO 2003, vol. 2729 of Lecture Notes in Computer Science, pp. 126–144, Springer, Berlin, Germany, 2003.

[56] A. Kiayias, Y. Tsiounis, and M. Yung, Group Encryption, Cryptology ePrint Archive, 2007, http://eprint.iacr.org/2007/015.pdf.

[57] E. Kiltz, “Chosen-ciphertext secure key-encapsulation based on gap hashed Diffie-Hellman,” in Public Key Cryptography – PKC 2007, vol. 4450 of Lecture Notes in Computer Science, pp. 282–297, Springer, Berlin, Germany, 2007.

[58] J. Herranz, D. Hofheinz, and E. Kiltz, “KEM/DEM: necessary and sufficient conditions for secure hybrid encryption,” IACR Cryptology ePrint Archive, Report 2006/256, IACR, 2006.

[59] J. Zhang and X. Wang, “New construction of PVPKE scheme based on signed quadratic residues,” in Proceedings of the 5th International Conference on Intelligent Networking and Collaborative Systems (INCoS ’13), pp. 434–437, September 2013.


Page 8: New Research Article New Construction of PVPKE Scheme and Its …downloads.hindawi.com/journals/misy/2015/430797.pdf · 2019. 7. 31. · Research Article New Construction of PVPKE

8 Mobile Information Systems

Storage

StorageStorage

Storage

Outsource ciphertext

Retrieve ciphertext

ProxyReliable ciphertext

Figure 3 Achieving ciphertext checkable in the clouds via PVPKE

are Thus they need to encrypt the personal data contentsbefore uploading them to the clouds PVPKE can be used toachieve ciphertext checkable in this case which can be seenin Figure 3 When the data owner uploads the ciphertexts tothe cloud there may exist incident things like data loss ormalicious attacker modifying the ciphertexts in these casesa proxy can be used to check the ciphertextrsquos validity byusing PVPKE When the data owner or data user needs toretrieve the content the clouds return the correspondingciphertext to them Also this time the proxy can be used tocheck the ciphertextrsquos validity by using PVPKENote here thatthe proxy needs only to be semitrusted it can perform thecheck without any secret this will greatly benefit reducingthe system management For example the proxy can be theaccess infrastructure in the wireless network setting Notehere that we do not claim that every ciphertext needs to bechecked which will be too heavy This check must be runprobabilistically with randomly chosen ciphertext

5 Conclusions

PVPKE is a very powerful block to construct other crypto-graphic primitives or protocols and its construction remainsopen for almost decades In [13] we give several constructionsand analyze their security In this paper by using the factthat the DDH oracle can be instantiated in signed quadraticresidues we give new PVPKE construction and roughlyprove its security The future work will be further exploringour idea and prove our proposalrsquos security strictly

Disclosure

This paper is a revised and expanded version of a papertitled ldquoNewConstruction of PVPKE Scheme Based on SignedQuadratic Residuesrdquo presented at the Incos 2013 Conference[59] The second author is the corresponding author

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

The authors would like to express their gratitude to theeditors for many helpful comments This work is supportedby the National Natural Science Foundation of China underContracts nos 61103230 61272492 61103231 and 61202492

References

[1] A J Jara S Varakliotis A F Skarmeta and P KirsteinldquoExtending the Internet of things to the future internet throughIPv6 supportrdquoMobile Information Systems vol 10 no 1 pp 3ndash17 2014

[2] A J Jara D Fernandez P Lopez M A Zamora and A FSkarmeta ldquoLightweight MIPv6 with IPSec supportrdquo MobileInformation Systems vol 10 no 1 pp 37ndash77 2014

[3] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976

[4] R L Rivest A Shamir and L Adleman ldquoA method forobtaining digital signatures and public-key cryptosystemsrdquoCommunications of the Association for Computing Machineryvol 21 no 2 pp 120ndash126 1978

[5] S Goldwasser and S Micali ldquoProbabilistic encryptionrdquo Journalof Computer and System Sciences vol 28 no 2 pp 270ndash2991984

[6] M Abe E Kiltz and T Okamoto ldquoChosen ciphertext securitywith optimal ciphertext overheadrdquo in Advances in CryptologymdashASIACRYP vol 5350 of Lecture Notes in Computer Science pp355ndash371 Springer Berlin Germany 2008

[7] M Bellare and P Rogaway ldquoOptimal asymmetric encryp-tion how to encrypt with RSArdquo in Advances in CryptologymdashEUROCRYPTrsquo94 vol 950 of Lecture Notes in Computer Sciencepp 92ndash111 1994

[8] R Cramer and V Shoup ldquoA practical public key cryptosystemprovably secure against adaptive chosen ciphertext attackrdquo inAdvances inCryptologymdashCRYPTO rsquo98 vol 1462 ofLectureNotesin Computer Science pp 13ndash25 Springer Berlin Germany 1998

[9] G Hanaoka and K Kurosawa ldquoEfficient chosen ciphertextsecure public key encryption under the computational Diffie-Hellman assumptionrdquo inAdvances in CryptologymdashASIACRYPT2008 vol 5350 of Lecture Notes in Computer Science pp 308ndash325 Springer Berlin Germany 2008

[10] DHofheinz E Kiltz andV Shoup ldquoPractical chosen ciphertextsecure encryption from factoringrdquo Journal of Cryptology vol26 no 1 pp 102ndash118 2013

[11] Y Lindell ldquoA simpler construction of cca2-secure public-key encryption under general assumptionsrdquo in Advances inCryptologymdashEUROCRYPT 2003 vol 2656 of Lecture Notesin Computer Science pp 241ndash254 Springer Berlin Germany2003

[12] K Goto Y Sasaki T Hara and S Nishio ldquoData gatheringusingmobile agents for reducing traffic in densemobile wirelesssensor networksrdquoMobile Information Systems vol 9 no 4 pp295ndash314 2013

[13] M Zhang XAWangW Li andX Yang ldquoCCA secure publiclyverifiable public key encryption without pairings nor randomoracle and its applicationsrdquo Journal of Computers vol 8 no 8pp 1987ndash1994 2013

[14] XChen J Li andW Susilo ldquoEfficient fair conditional paymentsfor outsourcing computationsrdquo IEEE Transactions on Informa-tion Forensics and Security vol 7 no 6 pp 1687ndash1694 2012

Mobile Information Systems 9

[15] X Chen J Li J Ma Q Tang and W Lou ldquoNew algorithms forsecure outsourcing of modular exponentiationsrdquo in ComputerSecuritymdashESORICS 2012 vol 7459 of Lecture Notes in ComputerScience pp 541ndash556 Springer Berlin Germany 2012

[16] R Canetti and S Goldwasser ldquoAn efficient threshold publickey cryptosystem secure against adaptive chosen ciphertextattackrdquo in Advances in CryptologymdashEUROCRYPTrsquo99 vol 1592of Lecture Notes in Computer Science pp 90ndash106 SpringerBerlin Germany 1999

[17] J Baek and Y Zheng ldquoIdentity-based threshold decryptionrdquo inPublic Key CryptographymdashPKC 2004 vol 2947 of Lecture Notesin Computer Science pp 262ndash276 Springer Berlin Germany2004

[18] D Boneh X Boyen and S Halevi ldquoChosen ciphertext securepublic key threshold encryption without random oraclesrdquo inTopics in CryptologymdashCT-RSA 2006 vol 3860 of Lecture Notesin Computer Science pp 226ndash243 2006

[19] V Shoup and R Gennaro ldquoSecuring threshold cryptosystemsagainst chosen ciphertext attackrdquo Journal of Cryptology vol 15no 2 pp 75ndash96 2002

[20] C Delerablee and D Pointcheval ldquoDynamic threshold public-key encryptionrdquo inAdvances in CryptologymdashCRYPTO vol 5157of Lecture Notes in Computer Science pp 317ndash334 SpringerBerlin Germany 2008

[21] G Ateniese K Fu M Green and S Hohenberger ldquoImprovedproxy re-encryption schemes with applications to secure dis-tributed storagerdquo in Proceedings of the 12th Annual Network andDistributed System Security Symposium (NDSS rsquo05) pp 29ndash43San Diego Calif USA 2005

[22] G Ateniese K Fu M Green and S Hohenberger ldquoImprovedproxy re-encryption schemes with applications to secure dis-tributed storagerdquo ACMTransactions on Information and SystemSecurity vol 9 no 1 pp 1ndash30 2006

[23] B Libert and D Vergnaud ldquoUnidirectional chosen-ciphertextsecure proxy re-encryptionrdquo in Public Key CryptographymdashPKC2008 vol 4939 of Lecture Notes in Computer Science pp 360ndash379 Springer Berlin Germany 2008

[24] R Canetti and S Hohenberger ldquoChosen ciphertext secureproxy re-encryptionrdquo inProceedings of the 14thACMConferenceon Computer and Communications Security (CCS rsquo07) pp 185ndash194 ACM 2007

[25] J Zhang and X A Wang ldquoOn the security of a multi-use CCA-secure proxy re-encryption schemerdquo in Proceedingsof the 4th International Conference on Intelligent Networkingand Collaborative Systems (INCoS rsquo12) pp 571ndash576 BucharestRomania September 2012

[26] J Zhang and XWang ldquoSecurity analysis of a multi-use identitybased CCA-secure proxy reencryption schemerdquo in Proceedingsof the 4th International Conference on Intelligent Networking andCollaborative Systems (INCoS rsquo12) pp 581ndash586 September 2012

[27] J Nieto M Manulis B Poettering J Rangasamy and DStebila ldquoPublicly verifiable ciphertextsrdquo in Proceedings of the8th International Conference on Security and Cryptography forNetworks (SCN rsquo12) vol 7485 of Lecture Notes in ComputerScience pp 393ndash410 Amalfi Italy 2012

[28] D Hofheinz and E Kiltz ldquoThe group of signed quadraticresidues and applicationsrdquo in Advances in CryptologymdashCRYPTO 2009 vol 5677 of Lecture Notes in Computer Sciencepp 637ndash653 Springer Berlin Germany 2009

[29] M Naor and M Yung ldquoPublic-key cryptosystems provablysecure against chosen ciphertext attacksrdquo in Proceedings of

the 22nd Annual ACM Symposium on Theory of Computing(STOC rsquo90) pp 427ndash437 May 1990

[30] C Rackoff and D R Simon ldquoNon-interactive zero-knowledgeproof of knowledge and chosen ciphertext attackrdquo in Advancesin CryptologymdashCRYPTO rsquo91 vol 576 of Lecture Notes in Com-puter Science pp 433ndash444 Springer Berlin Germany 1992

[31] D Dolev C Dwork and M Naor ldquoNon-malleable cryptogra-phyrdquo in Proceedings of the 23rd Annual ACM Symposium onTheory of Computing (STOC rsquo91) pp 542ndash552 May 1991

[32] A Sahai ldquoNon-malleable non-interactive zero knowledge andadaptive chosen-ciphertext securityrdquo in Proceedings of the 40thAnnual Symposium on Foundations of Computer Science (IEEEFOCS rsquo99) pp 543ndash553 New York NY USA October 1999

[33] M Bellare and P Rogaway ldquoRandom oracles are practical aparadigm for designing efficient protocolsrdquo in Proceedings of the1st ACMConference on Computer and Communications Security(CCS rsquo93) pp 62ndash73 November 1993

[34] R Canetti O Goldreich and S Halevi ldquoRandom oraclemethodology revisitedrdquo in Proceedings of the 30th Annual ACMSymposium on Theory of Computing (STOC rsquo98) pp 209ndash218May 1998

[35] R Cramer and V Shoup ldquoDesign and analysis of practicalpublic-key encryption schemes secure against adaptive chosenciphertext attackrdquo SIAM Journal on Computing vol 33 no 1 pp167ndash226 2003

[36] K Kurosawa and Y Desmedt ldquoA new paradigm of hybridencryption schemerdquo in Advances in CryptologymdashCRYPTO2004 vol 3152 of Lecture Notes in Computer Science pp 426ndash442 2004

[37] M Abe R Gennaro K Kurosawa and V Shoup ldquoTag-kemdem a new framework for hybrid encryption and anew analysis of kurosawa-desmedt kemrdquo in Advances inCryptologymdashEUROCRYPT 2005 vol 3494 of Lecture Notes inComputer Science pp 128ndash146 Springer Berlin Germany 2005

[38] R Canetti S Halevi and J Katz ldquoChosen-ciphertext securityfrom identity-based encryptionrdquo in Advances in CryptologymdashEUROCRYPT 2004 vol 3027 of Lecture Notes in ComputerScience pp 207ndash222 Springer Berlin Germany 2004

[39] D Boneh and J Katz ldquoImproved efficiency for CCA-securecryptosystems built using identity-based encryptionrdquo in Topicsin CryptologymdashCT-RSA 2005 vol 3376 of Lecture Notes inComputer Science pp 87ndash103 Springer Berlin Germany 2005

[40] X Boyen Q Mei and B Waters ldquoDirect chosen ciphertextsecurity from identity-based techniquesrdquo in Proceedings ofthe 12th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo05 ) pp 320ndash329 November 2005

[41] E Kiltz ldquoChosen-ciphertext security from tag-based encryp-tionrdquo in Theory of Cryptography vol 3876 of Lecture Notesin Computer Science pp 581ndash600 Springer Berlin Germany2006

[42] C Peikert and B Waters ldquoLossy trapdoor functions andtheir applicationsrdquo in Proceedings of the 40th Annual ACMSymposium on Theory of Computing (STOC rsquo08) pp 187ndash1962008

[43] A Rosen and G Segev ldquoChosen-ciphertext security via corre-lated productsrdquo in Theory of Cryptography vol 5444 pp 419ndash436 Springer Berlin Germany 2009

[44] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 Pro-ceedings of the 21st Annual International Cryptology ConferenceSanta Barbara California USA August 19ndash23 2001 vol 2139 of

10 Mobile Information Systems

LectureNotes in Computer Science pp 213ndash229 Springer BerlinGermany 2001

[45] D Boneh C Gentry and B Waters ldquoCollusion resistantbroadcast encryption with short ciphertexts and private keysrdquoin Proceedings of the 25th Annual International Cryptology Con-ference (CRYPTO rsquo05) vol 3621 of Lecture Notes in ComputerScience pp 258ndash275 Santa Barbara Calif USA 2005

[46] J Groth and A Sahai ldquoEfficient non-interactive proof systemsfor bilinear groupsrdquo in Advances in CryptologymdashEUROCRYPT2008 vol 4965 of Lecture Notes in Computer Science pp 415ndash432 Springer Berlin Germany 2008

[47] D Boneh G D Crescenzo R Ostrovsky and G PersianoldquoPublic key encryption with keyword searchrdquo inComputationalScience and Its ApplicationsmdashICCSA 2008 vol 3089 of LectureNotes inComputer Science pp 31ndash45 Springer BerlinGermany2004

[48] M Abdalla M Bellare D Catalano et al ldquoSearchable encryp-tion revisited consistency properties relation to anonymousIBE and extensionsrdquo in Advances in CryptologymdashCRYPTO2005 vol 3621 of Lecture Notes in Computer Science pp 205ndash222 Springer Berlin Germany 2005

[49] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 November2006

[50] J Katz A Sahai and B Waters ldquoPredicate encryption support-ing disjunctions polynomial equations and inner productsrdquoin Advances in CryptologymdashEUROCRYPT 2008 vol 4965 ofLecture Notes in Computer Science pp 146ndash162 Springer BerlinGermany 2008

[51] J Baek R Safavi-Naini and W Susilo ldquoCertificateless pub-lic key encryption without pairingrdquo in Information Securityvol 3650 of Lecture Notes in Computer Science pp 134ndash148Springer Berlin Germany 2005

[52] S Al Riyami and K Paterson ldquoCertificateless public keycryptographyrdquo in Advances in CryptologymdashASIACRYPT 2003vol 2894 of Lecture Notes in Computer Science pp 452ndash473Springer 2003

[53] R Deng J Weng S Liu and K Chen ldquoChosen cipher-text secure proxy re-encryption without pairingsrdquo in Cryp-tology and Network Security vol 5339 of Lecture Notes inComputer Science pp 1ndash17 Springer Berlin Germany 2008httpeprintiacrorg2008509

[54] J Shao and Z Cao ldquoCCA-secure proxy re-encryption withoutpairingsrdquo in Public Key CryptographymdashPKC 2009 vol 5443 ofLectureNotes inComputer Science pp 357ndash376 Springer BerlinGermany 2009

[55] J Camenisch and V Shoup ldquoPractical verifiable encryption anddecryption of discrete logarithmsrdquo in Advances in CryptologymdashCRYPTO 2003 vol 2729 of Lecture Notes in Computer Sciencepp 126ndash144 Springer Berlin Germany 2003

[56] A Kiayias Y Tsiounis and M Yung Group Encryption Cryp-tology ePrint Archive 2007 httpeprintiacrorg2007015pdf

[57] E Kiltz ldquoChosen-ciphertext secure key-encapsulation based ongap hashed Diffie-Hellmanrdquo in Public Key CryptographymdashPKCvol 4450 of Lecture Notes in Computer Science pp 282ndash297Springer Berlin Germany 2007

[58] J Herranz D Hofheinz and E Kiltz ldquoKEMDEM necessaryand sucffcient conditions for secure hybrid encryptionrdquo in IACRCryptology ePrint Archive Report 2006256 IACR 2006

[59] J Zhang and X Wang ldquoNew construction of PVPKE schemebased on signed quadratic residuesrdquo in Proceedings of the 5thInternational Conference on Intelligent Networking and Collabo-rative Systems (INCoS rsquo13) pp 434ndash437 September 2013

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Distributed Sensor Networks

International Journal of

Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014

International Journal of

ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

ArtificialNeural Systems

Advances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Computational Intelligence and Neuroscience

Industrial EngineeringJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Page 9: New Research Article New Construction of PVPKE Scheme and Its …downloads.hindawi.com/journals/misy/2015/430797.pdf · 2019. 7. 31. · Research Article New Construction of PVPKE

Mobile Information Systems 9

