DOI QR코드

DOI QR Code

Identity-based Deniable Authenticated Encryption for E-voting Systems

  • Jin, Chunhua (Faculty of Computer & Software Engineering, Huaiyin Institute of Technology) ;
  • Chen, Guanhua (Faculty of Computer & Software Engineering, Huaiyin Institute of Technology) ;
  • Zhao, Jianyang (Faculty of Computer & Software Engineering, Huaiyin Institute of Technology) ;
  • Gao, Shangbing (Faculty of Computer & Software Engineering, Huaiyin Institute of Technology) ;
  • Yu, Changhui (Faculty of Computer & Software Engineering, Huaiyin Institute of Technology)
  • Received : 2017.12.04
  • Accepted : 2018.11.13
  • Published : 2019.06.30

Abstract

Deniable authentication (DA) is a protocol in which a receiver can generate an authenticator that is probabilistically indistinguishable from a sender. DA can be applied in many scenarios that require user privacy protection. To enhance the security of DA, in this paper, we construct a new deniable authenticated encryption (DAE) scheme that realizes deniable authentication and confidentiality in a logical single step. Compared with existing approaches, our approach provides proof of security and is efficient in terms of performance analysis. Our scheme is in an identity-based environment; thus, it avoids the public key certificate-based public key infrastructure (PKI). Moreover, we provide an example that shows that our protocol is applicable for e-voting systems.

Keywords

1. Introduction

 Network communication has become an indispensable part of our daily lives. The security of network communication is a problem we have to consider. To achieve secure communication over the network, two basic security needs have to be considered: message confidentiality and message authentication. Message confidentiality typically means that a sender encrypts the message to be transmitted using the session key through symmetric cryptography; then, the session key is encrypted employing a receiver’s public key; finally, the resulting ciphertext is sent with the encrypted symmetric key (ESK) to the receiver. The receiver decrypts ESK using his secret key, and then decrypts the resulting ciphertext using the session key. Message authentication is generally realized through digital signatures; however, the digital signature scheme is a non-repudiation scheme, and any independent third party can certify its validity, which is undesirable for applications where privacy is needed (such as e-voting systems). Therefore, deniable authentication was developed to protect the privacy of users.

 Deniable authentication protocol (DAP) is designed to achieve two properties: (1) for a given message, only the prescribed receiver can determine its source; and (2) for any third party, the specified receiver is not capable of determining the provenience of a prescribed message. As such, DAPs are useful in many application scenarios that require privacy protection, such as electronic voting systems, e-tendering systems, and internet negotiations[1].

1.1 Related Work

 Dwork et al.[2] developed the first DAP, which achieves concurrent zero-knowledge by pushing all use of timing into a constant round preprocessing phase. In 2013, Chen and Chou[3] proposed an ECC-based DAP. Their protocol, which is very efficient, used the Fiat–Shamir heuristic to realize full deniability. In 2014, Li et al.[4] constructed an identity-based (IB) DAP in an ad hoc network. Their protocol provides provable security in the random oracle model (ROM). Gambs et al.[5] designed a distance bounding scheme which defines and models prover anonymity. The anonymity can insure that the server is not capable of distinguishing prover manner from rancorous verifier manner. Shi et al.[6] constructed a quantum DAP without entanglement. Their protocol has greater qubit efficiency and consumes fewer quantum resources. In terms of security, their design meets all known security requirements of DAP. Dimitriou and Al-Ibrahim[7] designed a deniable-LBS (location-based services) scheme. This scheme can protect user location privacy even if its location is leaked to any third-party. Mandal et al.[8] designed an IBDAP without pairings. Their scheme admits provable security in ROM under the ECCDH (elliptic curve computational Diffie–Hellman) problem and is applicable for mobile devices with limited resources. Hong and Wang[9] proposed a DA scheme without pairings. Their scheme provides provable security in the standard model and achieves a low computational cost by implementing a precomputation technique. In 2017, Zeng et al.[10] constructed an encryption scheme with multi-receiver which achieved CCA2 security to support deniable ring authentication. This protocol achieves full deniability, requires only two communication rounds, and can be applied in LBS to protect vehicle privacy. Later, Zeng et al.[11] designed a DA with a ring signature that can hide sources. Their construction is based on the projective hash function, and the encryption scheme is not required to achieve CCA security. Recently, Li et al.[12] proposed two heterogeneous DA protocols that allow the sender and the receiver to be in different environments.

 However, when we carefully examine the protocols listed above, we find that the messages are all transmitted in plaintext, and thus carry the risk of revealing the entities’ private information. For confidentiality, messages should be kept secret. Harn and Ren[13] designed a fully deniable authentication protocol that is supported by the current PGP and S/MIME to offer deniability and message authentication. Lu et al.[14] proposed a DAP. Their protocol provides proof of security in the ROM and achieves their alleged security requirements. Later, to resist receiver spoofing attacks, Yoon et al.[15] designed an improved DAP. They claimed that their construction meets all security requirements. Nevertheless, Li and Takagi[16] clear that Yoon et al.’s scheme has a security breach, where the receiver is capable of proving the provenience of a prescribed message to any independent third-party. Subsequently, based on their proposed signcryption, Hwang and Sung[17] designed a DAP that achieves confidentiality, sender anonymity and protection. Harn et al.[18] proposed a 1-out-of-∞ DAP that can achieve full deniability. Later, Hwang et al.[19] constructed a non-interactive (NIA) DAP that supports both fair protection and anonymity. Li et al.[20] designed a DAE scheme. They provide an example of how to apply their proposed DAE scheme to e-mail systems.

 Nevertheless, the above protocols must simplify the key management procedure, as they are all in a PKI environment. To eliminate various disadvantages brought by PKI, identity-based DAE (IBDAE) was proposed[21,22,23]. Wu et al.[21] proposed the first IBDAE protocol. They provide the proof of security of their scheme in the ROM. Later, Li et al.[22] presented an IBDAE protocol using a hybrid signcryption mechanism. They provide proof of security in the ROM and had better performance by comprehensive performance evaluation. Jin and Zhao[23] designed an IBDAE scheme. Their scheme shows high efficiency in the light of comprehensive performance evaluation. Recently, many related protocols[24,25,26,27] have been presented. Jin et al.[24] proposed a DAE scheme, and their construction is applicable for e-voting systems. Unger and Goldberg[25] proposed three deniable authenticated key exchange protocols. These three protocols can support forward secrecy against future quantum adversaries. Ahene et al.[26] proposed a DAE scheme in a certificateless setting. They provide concrete instantiation in e-voting systems. Jin and Zhao[27] devised an efficient ciphertext length (CL) aggregate DA protocol. Their protocol adopts aggregate verification, which expedites authenticator verification.

1.2 Motivation and Contribution

 Signature-then-encryption schemes have disadvantages in terms of computational and communication costs. To solve these problems, Zheng[28] presented the concept of signcryption (SC). Nevertheless, the SC scheme is a non-repudiation scheme, which is undesirable, especially for some confidential occasions. In this paper, our goal is to design a scheme that satisfies the deniability. Motivated by the aforementioned studies, in this paper, we construct a novel IBDAE scheme that provides confidentiality and deniable authentication in one logical step. Our construction provides proof of security in the ROM under the DBDH and BDH assumptions and shows high efficiency in terms of performance analysis. Moreover, we provide an example that involves integrating our scheme into e-voting systems.

1.3 Organization of the Paper

 Section 2 depicts preliminary work. We define the security model for IBDAE in Section 3, and the IBDAE scheme is designed in Section 4. In Section 5, we analyze the IBDAE scheme and discuss formal security in the ROM. Section 6 presents the results of the performance tests of our design. A secure e-voting system is constructed in Section 7, and the conclusions are provided in Section 8.

2. Preliminaries

 This section discusses the basics of bilinear pairings.

 Let G1 and G2 be a cycle additive group and a cycle multiplication group, respectively. G1 is generated by P. G1 and G2 have the same prime order q. A bilinear pairing is a map \(e: G_{1} \times G_{1} \rightarrow G_{2}\), with the properties as below:

Bilinearity: For all \(P, Q \in G_{1}, a, b \in Z_{q}^{*}, e(a P, b Q)=e(P, Q)^{a b}\);

Non-degeneracy: There exists P,Q ∈ G1 such that e(P, Q) ≠ 1;

Computability: There exists an efficient algorithm for computing e(P, Q) for all P, Q ∈ G1

 The admissible maps of this type are the modified Weil pairing and the Tate pairing (Refs.[29,30] provide more information). The security of this scheme lies in the difficulty of the below problems.

 Definition 2.1 According to the aforementioned basic definition of bilinear pairings, the DBDH problem in \(\left(G_{1}, G_{2}, e\right)\) is to determine whether \(h=e(P, P)^{a b c}\) given \((P, a P, b P, c P)\) and an element \(h \in G_{2}\).

 Definition 2.2 According to the aforementioned basic definition of bilinear pairings, the BDH problem in \(\left(G_{1}, G_{2}, e\right)\) is to calculate \(h=e(P, P)^{a b c}\) given \((P, a P, b P, c P)\).

3. Formal Model for the IBDAE Protocol

 This section presents the framework and the security concepts.

3.1 Framework

 Four algorithms of the presented protocol is described as below.

 Setup: Upon inputting a security parameter k, a public key generator (PKG) produces the public system parameters params and a master private key s. For simplicity, the following algorithms do not include params.

 Extract: Upon inputting ID (an identity) and s, PKG calculates SID (the corresponding private key) and outputs it securely to its owner.

 DAE: Upon inputting a sender’s private key \(S_{I D_{s}}\), a message m, and a receiver’s identity IDr, the sender calculates \(\operatorname{DAE}\left(m, S_{I D_{s}}, I D_{r}\right)\) to obtain the ciphertext σ .

 DAD: Upon inputting a sender’s identity IDs , the ciphertext σ , and a receiver’s private key \(S_{I D_{r}}\) , the receiver calculates \(\operatorname{DAE}\left(m, S_{I D_{s}}, I D_{r}\right)\), obtaining either the message m or ⊥ when σ is an invalid ciphertext.

 For consistency, if \(\sigma=\operatorname{DAE}\left(m, S_{I D_{s}}, I D_{r}\right)\), then \(m=\mathrm{DAD}\left(\sigma, S_{I D_{r}}, I D_{s}\right)\) must also be true.

Fig. 1. Communication process in our scheme

 Fig. 1 presents the communication process in which the sender generates the ciphertext σ for message m using his/her identity IDs , private key \(S_{I D_{s}}\), and the receiver’s identity IDr. The receiver decryptsσ using his/her identity IDr with the corresponding private key \(S_{I D_{r}}\) and the sender’s identity IDs , resulting in either m or ⊥ . Note that \(S_{I D_{s}}\) and \(S_{I D_{r}}\) are from the PKG.

3.2 Security Concepts

 Our construction must achieve the desirable security requirements below:

  • Confidentiality: any independent third party other than the entities involved cannot acquire any valuable advice related to the plaintext of a ciphertext;
  • Deniable authentication: the receiver creates a deniable transcript that is probabilistically indistinguishable from the sender.

 For confidentiality, the standard security concept used in our construction is the indistinguishability against adaptive chosen ciphertext attacks (IND-CCA2). For deniable authentication, the security concept used in our construction is the deniable authentication against adaptive chosen message attacks (DA-IBDAE-CMA) proposed in[4]. It is assumed that the following games (Definition 3.1 and Definition 3.2) are played between a challenger \(\mathcal{C}\) and an adversary \(\mathcal{A}\) .

 Definition 3.1 An IBDAE scheme is IND-IBDAE-CCA2 secure when no adversary has a non-negligible advantage in the game below.

 Setup: \(\mathcal{C}\) executes Setup algorithm to create param and then transmit it to \(\mathcal{A}\) .

 Phase 1: \(\mathcal{A}\) adaptively executes queries; any request may count on the responses to former queries.

  • Extract: \(\mathcal{A}\) elects an identity ID . \(\mathcal{C}\) executes the Extract algorithm and transmits the corresponding private key SID to \(\mathcal{A}\) .
  • DAE: \(\mathcal{A}\) elects a message m and two identities \(I D_{i}, I D_{j}\). \(\mathcal{C}\) first obtains the sender’s private key \(S_{I D_{i}}\) by implementing the Extract algorithm. Then, it transmits the result of \(D A E\left(m, S_{I D_{i}}, I D_{j}\right)\) to \(\mathcal{A}\) .
  • DAD: \(\mathcal{A}\) elects two identities IDi and IDj, and a ciphertext σ . \(\mathcal{C}\) first obtains the sender’s private key \(S_{I D_{j}}\) by executing the Extract algorithm. Then, it transmits the result of \(D A D\left(\sigma, I D_{i}, S_{I D_{j}}\right)\) to \(\mathcal{A}\) (if σ is invalid, the result is⊥ ).
  • Challenge: \(\mathcal{A}\) determines when Phase 1 is over. Then, \(\mathcal{A}\) outputs two challenged identities, IDA and IDB, and two equal-length messages, m0 and m1 . It cannot request the private key of identities IDA or IDB in Phase 1. \(\mathcal{C}\) elects a bit b ∈{0,1}, calculates \(\sigma=D A E\left(m_{b}, S_{I D_{A}}, I D_{B}\right)\) and transmits σ to \(\mathcal{A}\) .

 Phase 2: \(\mathcal{A}\) requests queries as in Phase 1. In this phase, it cannot execute an Extract query on identities IDor IDB nor can it execute a DAD query on (\(\sigma, I D_{A}, S_{I D_{B}}\)) to possess the message m forσ .

 Guess: \(\mathcal{A}\) outputs a guess b′ and wins the game if b'=b.

 The advantage of \(\mathcal{A}\) is defined as \(A d v(\mathcal{A})=\left|2 P\left[b^{\prime}=b\right]-1\right|\), where \(P\left[b^{\prime}=b\right]\) denotes the probability that b'=b.

 Definition 3.2 An IBDAE scheme is DA-IBDAE-CMA secure when no adversary has a non-negligible advantage in the game below

 Setup: The procedure is the same as Setup in Definition 3.1.

 Attack: \(\mathcal{A}\) adaptively executes queries (any query counts on the responses to former queries). The allowed types of queries, such as Extract, DAE and DAD, are the same as those in Definition 3.1.

 Forgery: \(\mathcal{A}\) exports a pair identities IDA and IDB and a ciphertext σ, which never emerge in any Extract query in the Attack phase. \(\mathcal{A}\) wins the game if the result of \(D A D\left(\sigma^*, I D_{A}, S_{I D_{B}}\right)\) is not ⊥.

 The advantage of \(\mathcal{A}\) is defined as the probability that it wins.

 In the previous definition, the adversary is unallowed to perform an Extract query on identity IDB, which is essential for realizing deniability. The sender and the receiver can create an indistinguishable transcript.

4. A New IBDAE Protocol

 This section presents our construction.

 Setup: Define G1,G2, e, k, and q as in Section 2. Let n, l be security parameters, H1, H2, and H3 be three hash functions, i.e., H1: {0,1} → G1, H2:G2→ Zq, and H3: {0,1}n × Zq→{0,1}l, and E and D be symmetric encryption and decryption algorithms, respectively. PKG elects s ∈ Zq* and calculates Ppub=sP. PKG publishes system parameters (G1, G2, n, l, e, P, q, Ppub, H1, H2, H3, E, D) but secretly retains s. The plaintexts must have a fixed bitlength of n where n + l < k ≈ log2q .

 Extract: On input an identity ID, the PKG calculates the user’s public key QID=H1(ID)∈G1 and the corresponding private key SID=sQID, which is sent to the owner securely.

 DAE: Upon inputting a message m, a sender’s private key \(S_{I D_{s}}\), and a receiver’s identity IDr, the sender performs the following work.

  • Select \(x \in Z_{q}^*\).
  • Calculate \(\tau=e\left(P_{p u b}, Q_{I D_{r}}\right)^{x}\).
  • Calculate \(k_{2}=H_{2}(\tau)\).
  • Calculate \(r=E_{k_{2}}\left(m \| H_{3}\left(m, k_{2}\right)\right)\).
  • Calculate \(S=x P_{p u b}-r S_{I D_{s}}\).
  • Calculate \(V=e\left(S, Q_{I D_{r}}\right)\).
  • Output \(\sigma=(r, V)\).

 DAD: Upon inputting a sender’s identity IDs, a ciphertext σ, and a receiver’s private key \(S_{I D_{r}}\), the receiver performs the procedure below

  • Calculate \(\tau=V e\left(Q_{I D_{s}}, S_{I D_{r}}\right)^{r}\).
  • Calculate \(k_{2}=H_{2}(\tau)\).
  • Calculate \(m^{\prime}=D_{k_{2}}(r)\).
  • Take m as the first n bits of m′ if and only if (m,H3(m, k2)) are the first n + l bits of m′ .

5. Analysis of the Protocol

 This section analyzes the presented protocol’s consistency and security.

5.1 Consistency

 We can certify the consistency of our construction by the equations below.

\(\begin{aligned} V &=e\left(S, Q_{I D_{r}}\right) \\ &=e\left(x P_{p u b}-r S_{ID_{s}}, Q_{ID_{r}}\right) \\ &=e\left(x P_{p u b}, Q_{ID_{r}}\right) e\left(-r S_{ID_{s}}, Q_{ID_{r}}\right) \\ &=e\left(P_{p u b}, Q_{ID_{r}}\right)^{x} e\left(S_{ID_{s}}, Q_{ID_{r}}\right)^{-r} \\ &=\tau e\left(S_{ID_{s}}, Q_{ID_{r}}\right)^{-r} \\ &=\tau e\left(Q_{ID_{s}}, S_{ID_{r}}\right)^{-r} \\ &=V \end{aligned}\)

5.2 Security

 We also certify that our design possesses deniability. A receiver with private key \(S_{I D_{r}}\) creates a ciphertext that is probabilistically indistinguishable from a ciphertext created by a sender possessing \(S_{I D_{s}}\). To imitate the ciphertext, the receiver can perform the following steps.

  • Select \(\bar{x} \in Z_{q}^{*}\) randomly.
  • Compute \(\bar{\tau}=e\left(P_{p u b}, Q_{I D_{r}}\right)^{\bar{x}}\).
  • Compute \(\overline{k_{2}}=H_{2}(\bar{\tau})\).
  • Calculate \(\bar{r}=E_{\overline{k_{2}}}\left(\bar{m} \| H_{3}(\bar{m}, \overline{k_{2}})\right)\).
  • Compute \(\bar{V}=\bar{\tau} e\left(Q_{I D_{s}}, S_{I D_{r}}\right)^{-\bar{r}}\).
  • Output is \(\bar{\sigma}=(\bar{r}, \bar{V})\).

 The generated ciphertext \(\bar{\sigma}=(\bar{r}, \bar{V})\) is indistinguishable from σ = (r, V) produced by the sender in Section 4. The sender randomly chooses a ciphertext σ′ = (r′ , V ′ ) from the sender’s valid set of ciphertexts that are intended for the receiver. The probability \(\mathrm{P}_{\mathrm{r}}[\bar{\sigma}\) = σ′ ] is 1/(q − 1) because \(\bar{\sigma}\) is chosen from \(\bar{x} \in Z_{q}^{*}\). Likewise, the probability that Pr[σ = σ′ ] is the same value, 1/(q − 1), because σ is chosen from \(x \in Z_{q}^{*}\), i.e., they have the same probability distribution.

 Next, we show that our design is provably secure. The two theorems below indicate that the design is secure with regard to both IND-IBDAE-CCA2 and DA-IBDAE-CMA.

 Theorem 5.1 In the ROM, if \(\mathcal{A}\) wins the game in Definition 3.1, with an advantage of ε within a time t by at most requesting \(q_{H_{i}}\) queries to oracle \(H_{i}(i=1,2,3), q_{K} K E\) queries, qE DAE queries, and qD DAD queries, then \(\mathcal{C}\) can settle the DBDH problem within a time of \(O\left(t+\left(2 q_{H_{3}}^{2}+q_{D}\right) T_{e}\right)\) with an advantage of

\(\operatorname{Adv}\left(\mathcal{C}^{D B D H\left(G_{1}, P\right)}\right)>\frac{2\left(\varepsilon-q_{D} / 2^{k-1}\right)}{q_{H_{1}}^{4}}\)

In which Te represents the calculation time of the bilinear pairing.

 Proof. \(\mathcal{C}\) acquires (P, aP, bP, cP) of the DBDH problem and attempts to determine whether h = e(P,P)abc. \(\mathcal{C}\) is \(\mathcal{A}\) ’s challenger in the IND-IBDAE-CCA2 game. \(\mathcal{C}\) consults \(\mathcal{A}\) for a response to H1, H2, and H3 which are randomly produced. \(\mathcal{C}\) maintains three lists, L1, L2, and L3, to save the response. \(\mathcal{A}\) will request H1(ID) before ID is employed.

 Setup: \(\mathcal{C}\) runs Setup algorithm and sends Ppub= cP to \(\mathcal{A}\) . Note that \(\mathcal{C}\) knows nothing about c, which serves as PKG’s master private key.

 Phase 1: \(\mathcal{A}\) adaptively executes queries.

  • H1 queries: \(\mathcal{C}\) randomly selects two index values \(i, j \in\left\{1, \ldots, q_{H_{1}}\right\}\). \(\mathcal{A}\) requests H1 queries on identities it chooses. For query H1, at the i-th, \(\mathcal{C}\) returns \(H_{1}\left(I D_{i}\right)\) as aP; \(\mathcal{C}\) returns \(H_{1}\left(I D_{j}\right)\) as bP at the j-th. For queries \(H_{1}\left(I D_{\alpha}\right)\) withα ≠ i, j, \(\mathcal{C}\) selects dα from \(Z_{q}^{*}\), stores (IDα,dα) in list L1, and returns \(H_{1}\left(I D_{\alpha}\right)=d_{\alpha} P\).
  • H2 queries: For query H2(ge), \(\mathcal{C}\) checks whether the value of H2 is in the list. If so, it returns the same answer to \(\mathcal{A}\) ; if not, \(\mathcal{C}\) randomly picks a value k\(Z_{q}^{*}\) as a response and stores (ge, k2) in L2
  • H3 queries: For query H3(m, k2), \(\mathcal{C}\) checks if the value of H3 is in the list. If so, it transmits the same answer to \(\mathcal{A}\) . If not, \(\mathcal{C}\) returns value u ∈ \(Z_{q}^{*}\)as a response and stores (m, k2, u) in list L3.
  • KE queries: When \(\mathcal{A}\) submits an identity to \(\mathcal{C}\) , if IDα=IDi or IDα = IDj , \(\mathcal{C}\)fails. If \(I D_{\alpha} \neq I D_{i}, I D_{j}\), the list L1 must have (IDα, dα) for some dα (indicating that \(\mathcal{C}\) previously answered H1(IDα)=dαP). The private key of IDα is dαPpub= dαcP. The failure probability in KE queries is at most \(2 / q_{H_{1}}\).
  • DAE queries: \(\mathcal{A}\) can perform DAE queries on m,IDα and IDβ.

(1). If \(I D_{\alpha} \neq I D_{i}, I D_{j}\), \(\mathcal{C}\) first calculates the private key \(S_{I D_{\alpha}}\) by executing KE query algorithm; then, it performs the DAE(m, \(S_{I D_{\alpha}}\), IDβ) algorithm to answer the query.

(2). If \(I D_{a}=I D_{i}\) or \(I D_{\alpha}=I D_{j}\), but ,\(I D_{\beta} \neq I D_{i}, I D_{j}\), \(\mathcal{C}\) runs a simulation as follows. It obtains the private key \(S_{I D_{\beta}}\) using the key extraction algorithm. Then, it selects the random elements \((r, V) \in Z_{q}^{*} \times G_{2}\) and computes \(\tau=V e\left(Q_{I D_{s}}, S_{I D_{r}}\right)^{r}\). The simulation depends on whether list Lhas a tuple of the form (τ,·). 

When Lcontains an entry (τ, k2) and L3 has an item (m, k2, u), when the first n bits of \(D_{k_{2}}(r)\) can be distinguished from m, \(\mathcal{C}\) selects another (r, V ) and repeats the procedure. When L3 contains no entry for (m, k2, u), \(\mathcal{C}\) takes \(u=\left[D_{k_{2}}(r)\right]_{n+1 \ldots n+l}\) (in which [x]i...j symbolises the bit string between the i-th and j-th leftmost bits of x) and stores (m, k2, u) in list L3

 When no entry (τ,·) exists in list L2, \(\mathcal{C}\) chooses a random \(k_{2} \in Z_{q}^{*}\). It also selects a random \(u \in\{0,1\}^{l}\) to ensure that (m, ·, u) is not in list L3. Then, it calculates \(m^{\prime}=m \| u\). When no item (m, k2, u′ ) with u′ ≠ u is in list L3, \(\mathcal{C}\) stores (τ, k2) and (m, k2, u) in lists Land L3, respectively. Otherwise, \(\mathcal{C}\) provides other alternative data (r, V) and repeats the procedure. 

\(\mathcal{C}\) updates lists Land L3 after it searches alternative data (r, V), and it returns (r, V) as the ciphertext. The procedure is repeated at most 2qH3. After each attempt, only one pairing is computed.

(3). When IDα = IDi , IDβ = IDj or IDβ = IDi , IDα = IDj, \(\mathcal{C}\) randomly selects x from \(Z_{q}^{*}\) and computes τ = e(Ppub, QB)x and k2 = H2(τ) such that no (τ, k2) exists in list L2. Then, \(\mathcal{C}\) verifies whether list L3 contains an item for (m,τ, u). If not, \(\mathcal{C}\) stores (m,τ, u) in list L3 and (τ, k2) in list L2. Then, \(\mathcal{C}\) computes \(r=E_{k_{2}}(m \| u)\), selects V∈G2 and transmits σ=(r, V) to \(\mathcal{A}\). \(\mathcal{A}\) would not know that σ is an invalid ciphertext, but it requests the decryption of σ.

  • DAD queries: \(\mathcal{A}\) generates a ciphertext σ for IDα and IDβ .When \(I D_{\beta} \neq I D_{i}, I D_{j}\), \(\mathcal{C}\) can obtain \(S_{I D_{\beta}}\) by running the KE algorithm and then running \(\operatorname{DAD}\left(\sigma, I D_{\alpha}, S_{I D_{\beta}}\right) \). Otherwise, \(\mathcal{C}\) fails. The failure probability is at the utmost \(q_{D} / 2^{k}\).

 After the first stage, \(\mathcal{A}\) selects two identities it wishes to challenge. The challenged identities are \(\left(I D_{i}, I D_{j}\right)\) with a probability of at least \(\). \(\mathcal{C}\) fails if \(\mathcal{A}\) requests the private key of IDi or IDj in first stage because it is unable to answer the question. \(\mathcal{C}\) also fails if \(\mathcal{A}\) does not pick these two identities as the target identities.

 Then, \(\mathcal{A}\) creates two messages, m0 and m1 . \(\mathcal{C}\) chooses a random bit b∈{0,1} and encrypts mb. It chooses \(r \in Z_{q}^{*}\) and V∈G2 and computes τ =Vhr (where h is \(\mathcal{C}\) ’s candidate for the DBDH problem) to receive \(k_{2}=H_{2}(\tau)\) (according to H2 simulation algorithm) and \(u_{b}=H_{3}\left(m_{b}, k_{2}\right)\) (according to H3 simulation algorithm). Then, it verifies whether L3 already contains the entry \(\left(m_{b}, k_{2}, u_{b}\right)\). If not, it stores \(\left(m_{b}, k_{2}, u_{b}\right)\) in list L3 ; otherwise, it selects another (r, V) and repeats the procedure. After looking up admissible element (r, V), \(\mathcal{C}\) sends the ciphertext \(\sigma=(r, V)\) to \(\mathcal{A}\).

 \(\mathcal{A}\) then executes the second stage queries as in the first stage. When the simulation is over, it creates a bit b′ as \(\sigma=D A E\left(m_{b^{\prime}}, S_{I D_{i}}, I D_{j}\right)\) from the standpoint of \(\mathcal{A}\) . If b = b′ , \(\mathcal{C}\) answers 1 because \(\mathcal{A}\) has produced a valid σ using its knowledge of h . Otherwise, \(\mathcal{C}\) responds 0.

 Now we consider \(\mathcal{C}\) 's probability of success.\(\mathcal{C}\) does not successful if \(\mathcal{A}\) requests the private key of IDi or IDj in the first stage. There are \(\left(\begin{array}{c} q_{H_{1}} \\ 2 \end{array}\right)\) options to pick \(\left(I D_{i}, I D_{j}\right)\). Of these identities, at least one will never have made a KE query from \(\mathcal{A}\). \(\mathcal{A}\) will not query Keygen(IDi) and Keygen(IDj) with a probability greater than \(2 / q_{H_{1}}\). Further, \(\mathcal{A}\) elects challenge identities \(\left(I D_{i}, I D_{j}\right)\) with a exactly probability \(​​\), and \(\mathcal{C}\) settles its DBDH problem if \(\mathcal{A}\) wins the IND-IBDAE-CCA game.

 In the end, because

\(\begin{aligned} &p_{1}=\operatorname{Pr}\left[b^{\prime}=b | \sigma=D A E\left(m_{b}, S_{ID_{i}}, I D_{j}\right)\right]=\frac{\varepsilon+1}{2}-\frac{q_{D}}{2^{k}}\\ &p_{0}=\operatorname{Pr}\left[b^{\prime}=i | h \in G_{2}\right]=1 / 2 \text { for } \mathrm{i}=0,1 \end{aligned}\)

 we have

\(\begin{array}{c} A d v(\mathcal{C})=|\underset{a, b, c \mathbb{Z}_{q}}{\operatorname{Pr}}\left[1 \leftarrow \mathcal{C}\left(a P, b P, c P, e(P, P)^{a b c}\right)\right]-\underset{a, b, c \in \mathbb{Z}_{q}, h \in G_{2}}{\operatorname{Pr}}[1 \leftarrow \mathcal{C}(a P, b P, c P, h)]| \\ =\frac{\left|p_{1}-p_{0}\right|}{\left(2 / q_{H_{1}}\right)^{2}}=\frac{\varepsilon-q_{D} / 2^{k-1}}{2\left(2 / q_{H_{1}}\right)^{2}}>\frac{2\left(\varepsilon-q_{D} / 2^{k-1}\right)}{q_{H_{1}}^{4}} \end{array}\)

 Note that the denominator is \(q_{H_{1}}^{4}\) rather than \(q_{H_{1}}^{2}\) because \(\mathcal{A}\) determines the challenged identities after the first stage.

 Theorem 5.2 In the ROM, if \(\mathcal{A}\) wins the game of Definition 3.2 with an advantage of \(\varepsilon \geq 5\left(q_{E}+1\right)\left(q_{E}+q_{H_{3}}\right) q_{H_{1}} /\left(2^{k}-1\right)\) within time t and by at most requesting \(q_{H_{i}}\) queries to \(H_{i}(i=1,2,3), q_{K}\) KE queries, qE DAE queries, and qD DAD queries, then \(\mathcal{C}\) settles the BDH problem in an expected time of \(t^{\prime} \leq 60343 q_{H_{3}} q_{H_{1}} 2^{k} t / \varepsilon\left(2^{k}-1\right)\).

 Proof. To wield the forking algorithm[31], we have to prove how our design is applicable for the signature scheme described in[31]. In DAE imitate steps, the sender's private key fails (implying that the master private key fails). In this case, a method is needed to settle the BDH problem.

 First, observe that the DAE of our design meets the requested three-phase honest-verifier zero-knowledge identification protocol, in which \(\sigma_{1}=k_{2}=H_{2}\left(e\left(P_{p u b}, Q_{B}\right)^{x}\right)\) is the commitment, \(h=H_{3}\left(m, k_{2}\right)\) is the hash value, and σ2=V is the answer.

 Second, we give a concrete imitate step and show a method of settling the BDH problem. Upon inputting (P, aP, bP, cP) of the BDH problem, \(\mathcal{C}\) is needed to calculate e(P,P)abc. \(\mathcal{C}\) executes\(\mathcal{A}\) as a subroutine. \(\mathcal{A}\) consults \(\mathcal{C}\) to answer H1, H2, and H3 and \(\mathcal{C}\) holds lists L1, L2, and L3 to save the randomly generated responses. The H1, H2, H3, DAE and DAD queries are requested in the way they are in the proof of Theorem 1.

 Forgery: \(\mathcal{A}\) outputs a triple \(\left(\sigma^{*}, I D_{i}, I D_{j}\right)\), where \(\sigma^{*}=\left(r^{*}, V^{*}\right)\). We coalesce the identities \(I D_{\theta}=\left\{I D_{i}, I D_{j}\right\}\) and the message m into (IDθ,m ) so that we can hide the IB aspect of the DA-IBDAE-CMA attacks and imitate an identity-less adaptive-CMA existential forgery.

 If \(\mathcal{A}\) is an attacker with adequate efficiency in the above interaction, we can create a Las Vegas machine \(\mathcal{A}\)' that returns two forgeries \(\left(\left(I D_{\theta}, m^{*}\right), r^{*}, V^{*}\right)\) and \(\left(\left(I D_{\theta}, m^{*}\right), \bar{r}^{*}\right.\bar{V}^{*})\) with \(r^{*} \neq \bar{r}^{*}\) and the same commitment x. To settle the BDH problem based on the machine \(\mathcal{A}\)′ derived from \(\mathcal{A}\), we construct a machine \(\mathcal{C}\)′ as follows.

  • \(\mathcal{C}\)′ executes \(\mathcal{A}\)′ to acquire two distinct forgeries \(\left(\left(I D_{\theta}, m^{*}\right), r^{*}, V^{*}\right)\) and \(\left(\left(I D_{\theta}, m^{*}\right)\right.,\left.\bar{r}^{*}, \bar{V}^{*}\right)\).
  • \(\mathcal{C}\)′ calculates e(P,P)abc as \(\left(V^{*} / \bar{V}^{*}\right)^{-1 /\left(\bar{r}^{*}-r^{*}\right)}\).

 The machine \(\mathcal{C}\)′ is our reduction of the BDH problem. If the success probability of \(\mathcal{A}\)′ is \(\varepsilon \geq 5\left(q_{E}+1\right)\left(q_{E}+q_{H_{3}}\right) q_{H_{1}} /\left(2^{k}-1\right)\), while its running time is t, then \(\mathcal{C}\)′ can settle the BDH problem in an expected time \(t^{\prime} \leq 60343 q_{H_{3}} q_{H_{1}} 2^{k} t / \varepsilon\left(2^{k}-1\right)\). Here, there is a change in the coefficient since the simulator has to bring forward two disparate identities.

6. A Secure E-voting Protocol

 The construction is employed in an e-voting system (EVS). Here, we provide the example shown in Fig. 2. An electronic power corporate expects to select a general manager by having all employees vote. However, if the votes are sent as plaintext, the process would be insecure. Each employee is a voter who first runs \(D A E\left(m, S_{I D_{s}}, Q_{I D_{r}}\right)\) to gain the ciphertext. Then, the voter sends the ciphertext to the electronic power tally authority (TA). In this protocol, a PKG exists in the company in charge of registration. The PKG gives a secret key to each employee and to the TA. The employees can use their smart devices to transmit their ciphertexts to the TA. Finally, the TA runs \(D A D\left(\sigma, Q_{I D_{S}}, S_{I D_{r}}\right)\) to obtain each message m. While the TA can know that the ciphertexts were sent by valid staff because the protocol owns the authentication, the TA cannot certify the sender’s identity of the ciphertext to any trusted entity, as this design is deniable. Moreover, if the TA and a third party were to cooperate, the third party might suspect the truth of the ciphertext as provided by the TA because the TA can also generate valid ciphertexts. Thus, the third party cannot force an employee to select a particular candidate.

Fig. 2: A secure e-voting protocol

7. Performance

 We will construct a detailed performance analysis of our design with the existing schemes[16,17,21,22] listed in Table 1. We employ the point add (PA) calculation and the point multiplication (PM) calculation in G1, the bilinear pairing (BP) calculation, the modular exponentiation (ME) calculation and the multiplication (MT) calculation in a finite field, and a certificate verification (CV) calculation (which generally costs approximately the same as two ME computations). Note that the ME calculation in a finite field (FF) is equivalent to a PM calculation in the elliptic curve cryptosystem (ECC) (i.e., ME=PM), and the MT calculation in a FF is equal to the PA calculation in ECC (i.e., MT=PA). The XOR, hash function, and add calculation in a FF are omitted because their computation speeds are sufficiently fast to be negligible. Additionally, let |G1| =160 bits, |m| = 160 bits, |p| = 512 bits, |cert| = 320 bits, |q| = 160 bits, hash value = 160 bits, and |G2| =1024 bits. Here, the key size (KS) is made up of both public key and private key size. As shown in Table 1, regarding KS and CL, our approach is highly efficient. Additionally, the scheme in [16] is interactive and lacks proof of security. Our design is in the ID-based setting. As such, our design avoids problems related to PKI.

 We conduct an experiment on the PBC library. As needed, we set the library’s embedding degree to 2. The experiment is executed on an Intel Pentium(R) Dual-Core processor running at 2.69 GHz, with 2,048 MB of RAM (2,007.04 MB available). On this machine, a PA computation and a PM computation require 0.065 ms and 15.927 ms using an ECC with 160 bits of q, respectively. A BP computation and a ME computation require 26.68 ms and 3.126 ms, respectively. DAE and DAD consume 95.562 ms and 95.562 ms in [16], 79.7 ms and 63.773 ms in [17], 88.34 ms and 42.672 ms in [21], and 101.206 ms and 58.534 ms in[22]. In our scheme, DAE and DAD consume 101.206 ms and 42.607 ms, respectively. [16,17,21,22], the computational expense for DAE in our design is the same as that in [22] but slightly higher than those in [16,17,21] because it requires two pairings that belong to G2. Our design has the lowest computational expense for DAD, although we have one pairing computation. In terms of type, [16,17] are in the PKI setting, while [21,22] and our design are in an ID-based setting and avoid the problems in PKI. Fig. 4 shows the CL for [16,17,21,22] and our scheme. Although our design must transmit V, which belongs to G2, our protocol still has the smallest communication overhead.

Table 1. Performance comparison

Fig. 3. Primary computational cost of DAE

Fig. 4. Communication overhead of DAE

8. Conclusion

 In this paper, we construct a novel non-interactive IBDAE scheme that realizes deniable authentication and confidentiality in a logical single step. Our construction provides proof of security and is efficient in terms of performance analysis. In addition, we provide an example to show how our construction can be used in e-voting systems. As such, our design is applicable to privacy protection scenarios.

Acknowledgements

 This work is supported by the Natural Science Foundation of Huai’an (Grant No.HAB201837), the Electric Power Company Technology Project of Jiangsu Province (Grant No.J2017123), the Natural Science Foundation of Jiangsu Province (Grant No.BK20161302), the National Key R & D Program of China (No. 2018YFB1004904), the Huai’an Science and Technology Project (No. HAC201705, No.HAB201803), the Key Project of JiangSu Provincial Department of Education (No.18KJA520001), the Six Talent Peaks Project in Jiangsu Province (XYDXXJS-011), and the Jiangsu 333 Engineering Research Funding Project (BRA2016454).

 

References

  1. Y. Aumann and M. Rabin, "Authentication, enhanced security and error correcting codes," in Proc. of 20th Annual International Cryptology Conference, CRYPTO 1998, pp. 299-303, August 23-27, 1998.
  2. C. Dwork, M. Naor and A. Sahai, "Concurrent zero-knowledge," in Proc. of the Thirtieth Annual ACM Symposium on the Theory of Computing Symposium on Theory of Computing (STOC'98), pp. 409-418, May 23-26, 1998.
  3. Y. Chen and J. Chou, "ECC-Based Non-Interactive Deniable Authentication with Designated Verifier," IACR Cryptology ePrint Archive, pp. 783, 2013.
  4. F. Li, P. Xiong and C. Jin, "Identity-Based Deniable Authentication for Ad Hoc Networks," Computing, vol. 96, no. 9, pp. 843-853, September, 2014. https://doi.org/10.1007/s00607-013-0321-5
  5. S. Gambs, C. Onete and J. Robert, "Prover anonymous and deniable distance-bounding authentication," in Proc. of the 9th ACM symposium on Information, computer and communications security, pp. 501-506, June 4-6, 2014.
  6. W. Shi, J. Zhang, Y. Zhou and Y. Yang, "A novel quantum deniable authentication protocol without entanglement," Quantum Information Processing, vol.14, no.6, pp. 2183-2193, January, 2015. https://doi.org/10.1007/s11128-015-0994-0
  7. T. Dimitriou and N. Al-Ibrahim, "Denying Your Whereabouts: A Secure and Deniable Scheme for Location-Based Services," in Proc. of Cryptology and Network Security- 15th International Conference, pp. 713-718, November 14-16, 2016.
  8. S. Mandal, S. Mohanty, and B. Majhi, "An ID-based Non-Interactive Deniable Authentication Protocol based on ECC," in Proc. of the 2017 the 7th International Conference on Communication and Network Security, pp. 48-52, November 24-26, 2017.
  9. X. Hong and B. Wang, "A non-interactive deniable authentication scheme in the standard model," Journal of Electrical and Electronic Engineering, vol. 5, no. 2, pp. 80, December, 2017. https://doi.org/10.11648/j.jeee.20170502.19
  10. S. Zeng, Y. Chen, S. Tan and M. He, "Concurrently deniable ring authentication and its application to LBS in VANETs," Peer-to-Peer Networking and Applications, vol.10, no.4, pp. 844-856, January, 2017. https://doi.org/10.1007/s12083-016-0433-8
  11. S. Zeng, Y. Mu, G. Yang and M. He, "Deniable Ring Authentication Based on Projective Hash Functions," in proc. of Provable Security- 11th International Conference, ProvSec 2017, pp. 127-143, October 23-25,2017.
  12. F. Li, J. Hong and A. Omala, "Practical deniable authentication for pervasive computing environments," Wireless Networks, vol.24, no.1, pp. 139-149, January, 2018. https://doi.org/10.1007/s11276-016-1317-9
  13. L. Harn and J. Ren, "Design of fully deniable authentication service for e-mail applications," Communications Letters, vol.12, no.3, pp. 219-221, January, 2008. https://doi.org/10.1109/LCOMM.2008.071793
  14. R. Lu, X. Lin, Z. Cao, L. Qin and X. Liang, " A simple deniable authentication protocol based on the Diffie-Hellman algorithm," International Journal of Computer Mathematics, vol.85, no.9, pp. 1315-1323, 2008. https://doi.org/10.1080/00207160701622741
  15. E. Yoon, K. Yoo, S. Yeo and S. Lee, "Robust deniable authentication protocol," Wireless personal communications, vol. 55, no. 1, pp. 81-90, September, 2010. https://doi.org/10.1007/s11277-009-9787-z
  16. F. Li and T. Takagi, "Cryptanalysis and Improvement of Robust Deniable Authentication Protocol," Wireless personal communications, vol. 69, no.4, pp. 1391-1398, January, 2013. https://doi.org/10.1007/s11277-012-0640-4
  17. S. Hwang and Y. Sung, "Confidential deniable authentication using promised signcryption," Journal of Systems and Software, vol. 84, no. 10, pp. 1652-1659, January, 2011. https://doi.org/10.1016/j.jss.2011.04.024
  18. L. Harn, C. Lee, C. Lin, and C. Chang, "Fully deniable message authentication protocols preserving confidentiality," The Computer Journal, vol. 54, no. 10, pp. 1688-1699, January, 2011. https://doi.org/10.1093/comjnl/bxr081
  19. S. Hwang, Y. Sung and J. Chi, "Deniable Authentication Protocols with Confidentiality and Anonymous Fair Protections," in Proc. of the International Computer Symposium ICS 2012, pp. 41-51, December 12-14, 2013.
  20. F. Li, D. Zhong and T. Takagi, "Efficient Deniably Authenticated Encryption and Its Application to E-Mail," IEEE Transactions on Information Forensics and Security, vol. 11, no. 11, pp. 2477-2486, November, 2016. https://doi.org/10.1109/TIFS.2016.2585086
  21. W. Wu and F. Li, "An Efficient Identity-Based Deniable Authenticated Encryption Scheme," KSII Transactions on Internet and Information Systems (TIIS), vol. 9, no. 5, pp. 1904-1919, January, 2015. https://doi.org/10.3837/tiis.2015.05.020
  22. F. Li, Z. Zheng and C. Jin, "Identity-based deniable authenticated encryption and its application to e-mail system," Telecommunication Systems, vol. 62, no. 4, pp. 625-639, May, 2016. https://doi.org/10.1007/s11235-015-0099-1
  23. C. Jin and J. Zhao, "Efficient and Short Identity-Based Deniable Authenticated Encryption," in proc. of International Conference on Cloud Computing and Security, pp. 244-255, June 17-18, 2017.
  24. C. Jin, G. Chen, C. Yu and J. Zhao, "Deniable authenticated encryption for e-mail applications," International Journal of Computers and Applications, pp. 1-10, May, 2018.
  25. N. Unger and I. Goldberg, "Improved Strongly Deniable Authenticated Key Exchanges for Secure Messaging," in Proc. of Privacy Enhancing Technologies, 2018, pp. 21-66,July 24-27, 2018.
  26. E. Ahene, C. Jin and F. Li, "Certificateless deniably authenticated encryption and its application to e-voting system," Telecommunication Systems, pp. 1-18, 2018.
  27. C. Jin and J. Zhao, "Certificateless aggregate deniable authentication protocol for ad hoc networks," International Journal of Electronic Security and Digital Forensics, vol. 10, no. 2, pp. 168-187, 2018. https://doi.org/10.1504/IJESDF.2018.090958
  28. Y. Zheng, "Digital signcryption or how to achieve cost (signature & encryption) << cost (signature) + cost(encryption)," in Proc. of Cryptology-CRYPTO'97,17th Annual International Cryptology Conference, pp. 165-179, August 17-21, 1997.
  29. J. Cha and J. Cheon, "An identity-based signature from gap Diffie-Hellman groups," in Proc. of Public Key Cryptography- PKC 2003, sixth International Workshop on Theory and Practice in Public Key Cryptography, pp. 18-30, January 6-8, 2003.
  30. D. Boneh and M. Franklin, "Identity-based encryption from the weil pairing," in Proc. of Cryptology- CRYPTO 2001, 21st Annual International Cryptology Conference, pp. 213-229, August 19-23, 2001.
  31. D. Pointcheval and J. Stern, "Security arguments for digital signatures and blind signatures," Journal of Cryptography, vol. 13, no. 3, pp. 61-396, 2003.