
Identity-based Deniable Authenticated Encryption for E-voting Systems

  • Jin, Chunhua (Faculty of Computer & Software Engineering, Huaiyin Institute of Technology) ;
  • Chen, Guanhua (Faculty of Computer & Software Engineering, Huaiyin Institute of Technology) ;
  • Zhao, Jianyang (Faculty of Computer & Software Engineering, Huaiyin Institute of Technology) ;
  • Gao, Shangbing (Faculty of Computer & Software Engineering, Huaiyin Institute of Technology) ;
  • Yu, Changhui (Faculty of Computer & Software Engineering, Huaiyin Institute of Technology)
  • Received : 2017.12.04
  • Accepted : 2018.11.13
  • Published : 2019.06.30

Abstract

Deniable authentication (DA) is a protocol in which the receiver can generate an authenticator that is probabilistically indistinguishable from one generated by the sender, so the receiver cannot prove to a third party who the sender was. DA can be applied in many scenarios that require user privacy protection. To strengthen DA with confidentiality, in this paper we construct a new deniable authenticated encryption (DAE) scheme that realizes deniable authentication and confidentiality in a single logical step. Compared with existing approaches, our approach comes with a proof of security and is efficient according to performance analysis. Our scheme is identity-based, so it avoids the certificate-based public key infrastructure (PKI). Moreover, we give an example showing that our protocol is applicable to e-voting systems.

Keywords

1. Introduction

 Network communication has become an indispensable part of our daily lives. The security of network communication is a problem we have to consider. To achieve secure communication over the network, two basic security needs have to be considered: message confidentiality and message authentication. Message confidentiality typically means that a sender encrypts the message to be transmitted using the session key through symmetric cryptography; then, the session key is encrypted employing a receiver’s public key; finally, the resulting ciphertext is sent with the encrypted symmetric key (ESK) to the receiver. The receiver decrypts ESK using his secret key, and then decrypts the resulting ciphertext using the session key. Message authentication is generally realized through digital signatures; however, the digital signature scheme is a non-repudiation scheme, and any independent third party can certify its validity, which is undesirable for applications where privacy is needed (such as e-voting systems). Therefore, deniable authentication was developed to protect the privacy of users.

 A deniable authentication protocol (DAP) is designed to achieve two properties: (1) for a given message, only the intended receiver can verify its source; and (2) the receiver cannot prove the source of that message to any third party. As such, DAPs are useful in many application scenarios that require privacy protection, such as electronic voting systems, e-tendering systems, and internet negotiations[1].

1.1 Related Work

 Dwork et al.[2] developed the first DAP, which achieves concurrent zero-knowledge by pushing all use of timing into a constant-round preprocessing phase. In 2013, Chen and Chou[3] proposed an ECC-based DAP; their protocol is very efficient and uses the Fiat–Shamir heuristic to realize full deniability. In 2014, Li et al.[4] constructed an identity-based (IB) DAP for ad hoc networks, with provable security in the random oracle model (ROM). Gambs et al.[5] designed a distance-bounding scheme that defines and models prover anonymity, which ensures that the server cannot distinguish the behaviour of an honest prover from that of a malicious verifier. Shi et al.[6] constructed a quantum DAP without entanglement; it has higher qubit efficiency, consumes fewer quantum resources and, in terms of security, meets all known security requirements of a DAP. Dimitriou and Al-Ibrahim[7] designed a deniable LBS (location-based services) scheme that protects user location privacy even if the location is leaked to a third party. Mandal et al.[8] designed an IBDAP without pairings; it is provably secure in the ROM under the ECCDH (elliptic curve computational Diffie–Hellman) problem and is suitable for mobile devices with limited resources. Hong and Wang[9] proposed a DA scheme without pairings that is provably secure in the standard model and achieves a low computational cost through a precomputation technique. In 2017, Zeng et al.[10] constructed a multi-receiver encryption scheme with CCA2 security to support deniable ring authentication; the protocol achieves full deniability, requires only two communication rounds, and can be applied in LBS to protect vehicle privacy. Later, Zeng et al.[11] designed a DA with a ring signature that hides the source; their construction is based on a projective hash function, and the underlying encryption scheme need not be CCA secure. Recently, Li et al.[12] proposed two heterogeneous DA protocols that allow the sender and the receiver to be in different environments.

 However, on closer examination of the protocols listed above, the messages are all transmitted in plaintext and therefore risk revealing the entities' private information. For confidentiality, messages should be kept secret. Harn and Ren[13] designed a fully deniable authentication protocol, supported by current PGP and S/MIME, that offers deniability and message authentication. Lu et al.[14] proposed a DAP with a proof of security in the ROM that achieves their stated security requirements. Later, to resist receiver spoofing attacks, Yoon et al.[15] designed an improved DAP and claimed that it meets all security requirements. Nevertheless, Li and Takagi[16] showed that Yoon et al.'s scheme has a security flaw: the receiver is able to prove the source of a given message to any independent third party. Subsequently, based on their signcryption scheme, Hwang and Sung[17] designed a DAP that achieves confidentiality, sender anonymity and protection. Harn et al.[18] proposed a 1-out-of-∞ DAP that achieves full deniability. Later, Hwang et al.[19] constructed a non-interactive (NIA) DAP that supports both fair protection and anonymity. Li et al.[20] designed a DAE scheme and gave an example of applying it to e-mail systems.

 Nevertheless, the above protocols all operate in a PKI environment and therefore inherit its complex certificate management. To eliminate the disadvantages of PKI, identity-based DAE (IBDAE) was proposed[21,22,23]. Wu et al.[21] proposed the first IBDAE protocol and proved its security in the ROM. Later, Li et al.[22] presented an IBDAE protocol using a hybrid signcryption mechanism, proved its security in the ROM and showed better performance in a comprehensive evaluation. Jin and Zhao[23] designed an IBDAE scheme that shows high efficiency in a comprehensive performance evaluation. Recently, many related protocols[24,25,26,27] have been presented. Jin et al.[24] proposed a DAE scheme applicable to e-voting systems. Unger and Goldberg[25] proposed three deniable authenticated key exchange protocols that provide forward secrecy against future quantum adversaries. Ahene et al.[26] proposed a DAE scheme in a certificateless setting with a concrete instantiation for e-voting systems. Jin and Zhao[27] devised an efficient ciphertext length (CL) aggregate DA protocol that adopts aggregate verification, which speeds up authenticator verification.

1.2 Motivation and Contribution

 Signature-then-encryption schemes have disadvantages in terms of computational and communication cost. To address this, Zheng[28] introduced the concept of signcryption (SC). Nevertheless, SC provides non-repudiation, which is undesirable in privacy-sensitive settings. Our goal in this paper is a scheme that satisfies deniability. Motivated by the studies above, we construct a novel IBDAE scheme that provides confidentiality and deniable authentication in one logical step. Our construction is provably secure in the ROM under the DBDH and BDH assumptions and is efficient according to performance analysis. Moreover, we give an example of integrating our scheme into e-voting systems.

1.3 Organization of the Paper

 Section 2 covers the preliminaries. We define the security model for IBDAE in Section 3, and the IBDAE scheme is designed in Section 4. In Section 5, we analyze the consistency of the IBDAE scheme and prove its security in the ROM. A secure e-voting system is constructed in Section 6, Section 7 presents the performance comparison, and the conclusions are provided in Section 8.

2. Preliminaries

 This section discusses the basics of bilinear pairings.

 Let G1 be a cyclic additive group and G2 a cyclic multiplicative group, both of the same prime order q, and let P be a generator of G1. A bilinear pairing is a map \(e: G_{1} \times G_{1} \rightarrow G_{2}\) with the following properties:

Bilinearity: For all \(P, Q \in G_{1}, a, b \in Z_{q}^{*}, e(a P, b Q)=e(P, Q)^{a b}\);

Non-degeneracy: There exists P,Q ∈ G1 such that e(P, Q) ≠ 1;

Computability: There exists an efficient algorithm for computing e(P, Q) for all P, Q ∈ G1.

 The admissible maps of this type are the modified Weil pairing and the Tate pairing (Refs.[29,30] provide more information). The security of this scheme lies in the difficulty of the below problems.

 Definition 2.1 (DBDH) In the bilinear pairing setting above, the decisional bilinear Diffie–Hellman (DBDH) problem in \(\left(G_{1}, G_{2}, e\right)\) is: given \((P, aP, bP, cP)\) for unknown \(a, b, c \in Z_q^*\) and an element \(h \in G_{2}\), decide whether \(h=e(P, P)^{a b c}\).

 Definition 2.2 (BDH) In the bilinear pairing setting above, the bilinear Diffie–Hellman (BDH) problem in \(\left(G_{1}, G_{2}, e\right)\) is: given \((P, aP, bP, cP)\) for unknown \(a, b, c \in Z_q^*\), compute \(h=e(P, P)^{a b c}\).

3. Formal Model for the IBDAE Protocol

 This section presents the framework and the security concepts.

3.1 Framework

 The four algorithms of the presented protocol are described below.

 Setup: Upon inputting a security parameter k, a public key generator (PKG) produces the public system parameters params and a master private key s. For simplicity, the following algorithms do not include params.

 Extract: Upon inputting ID (an identity) and s, PKG calculates SID (the corresponding private key) and outputs it securely to its owner.

 DAE: Upon inputting a sender’s private key \(S_{I D_{s}}\), a message m, and a receiver’s identity IDr, the sender calculates \(\operatorname{DAE}\left(m, S_{I D_{s}}, I D_{r}\right)\) to obtain the ciphertext σ .

 DAD: Upon inputting a sender’s identity IDs, the ciphertext σ, and a receiver’s private key \(S_{I D_{r}}\), the receiver calculates \(\operatorname{DAD}\left(\sigma, S_{I D_{r}}, I D_{s}\right)\), obtaining either the message m or ⊥ when σ is an invalid ciphertext.

 For consistency, if \(\sigma=\operatorname{DAE}\left(m, S_{I D_{s}}, I D_{r}\right)\), then \(m=\mathrm{DAD}\left(\sigma, S_{I D_{r}}, I D_{s}\right)\) must also be true.

Fig. 1. Communication process in our scheme

 Fig. 1 presents the communication process, in which the sender generates the ciphertext σ for message m using his/her identity IDs, private key \(S_{I D_{s}}\), and the receiver’s identity IDr. The receiver decrypts σ using his/her identity IDr with the corresponding private key \(S_{I D_{r}}\) and the sender’s identity IDs, obtaining either m or ⊥. Note that \(S_{I D_{s}}\) and \(S_{I D_{r}}\) are issued by the PKG.

3.2 Security Concepts

 Our construction must achieve the desirable security requirements below:

  • Confidentiality: no party other than the intended receiver can learn any useful information about the plaintext of a ciphertext;
  • Deniable authentication: the receiver can create a transcript that is probabilistically indistinguishable from one created by the sender, so it cannot prove the sender’s involvement to a third party.

 For confidentiality, the standard security concept used in our construction is the indistinguishability against adaptive chosen ciphertext attacks (IND-CCA2). For deniable authentication, the security concept used in our construction is the deniable authentication against adaptive chosen message attacks (DA-IBDAE-CMA) proposed in[4]. It is assumed that the following games (Definition 3.1 and Definition 3.2) are played between a challenger \(\mathcal{C}\) and an adversary \(\mathcal{A}\) .

 Definition 3.1 An IBDAE scheme is IND-IBDAE-CCA2 secure when no adversary has a non-negligible advantage in the game below.

 Setup: \(\mathcal{C}\) executes the Setup algorithm to create params and then transmits them to \(\mathcal{A}\).

 Phase 1: \(\mathcal{A}\) adaptively executes the following queries; each query may depend on the responses to former queries.

  • Extract: \(\mathcal{A}\) elects an identity ID . \(\mathcal{C}\) executes the Extract algorithm and transmits the corresponding private key SID to \(\mathcal{A}\) .
  • DAE: \(\mathcal{A}\) elects a message m and two identities \(I D_{i}, I D_{j}\). \(\mathcal{C}\) first obtains the sender’s private key \(S_{I D_{i}}\) by implementing the Extract algorithm. Then, it transmits the result of \(D A E\left(m, S_{I D_{i}}, I D_{j}\right)\) to \(\mathcal{A}\) .
  • DAD: \(\mathcal{A}\) elects two identities IDi and IDj, and a ciphertext σ. \(\mathcal{C}\) first obtains the receiver’s private key \(S_{I D_{j}}\) by executing the Extract algorithm. Then, it transmits the result of \(D A D\left(\sigma, I D_{i}, S_{I D_{j}}\right)\) to \(\mathcal{A}\) (if σ is invalid, the result is ⊥).

 Challenge: \(\mathcal{A}\) determines when Phase 1 is over. Then, \(\mathcal{A}\) outputs two challenge identities, IDA and IDB, and two equal-length messages, m0 and m1; it may not have requested the private key of IDA or IDB in Phase 1. \(\mathcal{C}\) elects a bit b ∈ {0,1}, calculates \(\sigma=D A E\left(m_{b}, S_{I D_{A}}, I D_{B}\right)\) and transmits σ to \(\mathcal{A}\).

 Phase 2: \(\mathcal{A}\) requests queries as in Phase 1. In this phase, it cannot execute an Extract query on identity IDA or IDB, nor a DAD query on (\(\sigma, I D_{A}, S_{I D_{B}}\)) to obtain the message m for σ.

 Guess: \(\mathcal{A}\) outputs a guess b′ and wins the game if b'=b.

 The advantage of \(\mathcal{A}\) is defined as \(A d v(\mathcal{A})=\left|2 P\left[b^{\prime}=b\right]-1\right|\), where \(P\left[b^{\prime}=b\right]\) denotes the probability that b'=b.

 Definition 3.2 An IBDAE scheme is DA-IBDAE-CMA secure when no adversary has a non-negligible advantage in the game below

 Setup: The procedure is the same as Setup in Definition 3.1.

 Attack: \(\mathcal{A}\) adaptively executes queries (each query may depend on the responses to former queries). The allowed query types, namely Extract, DAE and DAD, are the same as in Definition 3.1.

 Forgery: \(\mathcal{A}\) outputs a pair of identities IDA and IDB, neither of which appeared in any Extract query in the Attack phase, together with a ciphertext σ*. \(\mathcal{A}\) wins the game if the result of \(D A D\left(\sigma^*, I D_{A}, S_{I D_{B}}\right)\) is not ⊥.

 The advantage of \(\mathcal{A}\) is defined as the probability that it wins.

 In the previous definition, the adversary is not allowed to perform an Extract query on identity IDB; this restriction is essential for deniability, because the sender and the receiver can each create an indistinguishable transcript, so a forgery by a party holding \(S_{I D_{B}}\) would be trivial.

4. A New IBDAE Protocol

 This section presents our construction.

 Setup: Define G1, G2, e, k, and q as in Section 2. Let n and l be length parameters, H1, H2, and H3 be three hash functions, H1: {0,1}* → G1, H2: G2 → Zq, and H3: {0,1}n × Zq → {0,1}l, and E and D be the encryption and decryption algorithms of a symmetric cipher keyed by the output of H2. PKG elects s ∈ Zq* and calculates Ppub = sP. PKG publishes the system parameters (G1, G2, n, l, e, P, q, Ppub, H1, H2, H3, E, D) but secretly retains s. The plaintexts must have a fixed bit length n with n + l < k ≈ log2 q, so that the (n + l)-bit string r produced below can be read as an integer smaller than q and used as an exponent in DAD.

 Extract: On input an identity ID, the PKG calculates the user’s public key QID=H1(ID)∈G1 and the corresponding private key SID=sQID, which is sent to the owner securely.

 DAE: Upon inputting a message m, a sender’s private key \(S_{I D_{s}}\), and a receiver’s identity IDr, the sender performs the following work.

  • Select \(x \in Z_{q}^*\).
  • Calculate \(\tau=e\left(P_{p u b}, Q_{I D_{r}}\right)^{x}\).
  • Calculate \(k_{2}=H_{2}(\tau)\).
  • Calculate \(r=E_{k_{2}}\left(m \| H_{3}\left(m, k_{2}\right)\right)\).
  • Calculate \(S=x P_{p u b}-r S_{I D_{s}}\).
  • Calculate \(V=e\left(S, Q_{I D_{r}}\right)\).
  • Output \(\sigma=(r, V)\).

 DAD: Upon inputting a sender’s identity IDs, a ciphertext σ, and a receiver’s private key \(S_{I D_{r}}\), the receiver performs the procedure below

  • Calculate \(\tau=V e\left(Q_{I D_{s}}, S_{I D_{r}}\right)^{r}\).
  • Calculate \(k_{2}=H_{2}(\tau)\).
  • Calculate \(m^{\prime}=D_{k_{2}}(r)\).
  • Parse m′ as m ∥ t, where m is the first n bits and t the following l bits, and accept m if and only if t = H3(m, k2); otherwise output ⊥.

5. Analysis of the Protocol

 This section analyzes the presented protocol’s consistency and security.

5.1 Consistency

 The consistency of our construction follows from the equations below, which show that the receiver recovers the same τ (and hence the same k2) that the sender used.

\(\begin{aligned} V &=e\left(S, Q_{I D_{r}}\right)=e\left(x P_{p u b}-r S_{ID_{s}}, Q_{ID_{r}}\right) \\ &=e\left(P_{p u b}, Q_{ID_{r}}\right)^{x} e\left(S_{ID_{s}}, Q_{ID_{r}}\right)^{-r} \\ &=\tau\, e\left(s Q_{ID_{s}}, Q_{ID_{r}}\right)^{-r}=\tau\, e\left(Q_{ID_{s}}, s Q_{ID_{r}}\right)^{-r} \\ &=\tau\, e\left(Q_{ID_{s}}, S_{ID_{r}}\right)^{-r}, \end{aligned}\)

 and therefore \(\tau=V e\left(Q_{I D_{s}}, S_{I D_{r}}\right)^{r}\), which is exactly the value computed in the first step of DAD.

5.2 Security

 We first show that our design is deniable. A receiver holding the private key \(S_{I D_{r}}\) can create a ciphertext that is probabilistically indistinguishable from a ciphertext created by a sender holding \(S_{I D_{s}}\). To simulate the ciphertext, the receiver performs the following steps.

  • Select \(\bar{x} \in Z_{q}^{*}\) randomly.
  • Compute \(\bar{\tau}=e\left(P_{p u b}, Q_{I D_{r}}\right)^{\bar{x}}\).
  • Compute \(\overline{k_{2}}=H_{2}(\bar{\tau})\).
  • Calculate \(\bar{r}=E_{\overline{k_{2}}}\left(\bar{m} \| H_{3}(\bar{m}, \overline{k_{2}})\right)\).
  • Compute \(\bar{V}=\bar{\tau} e\left(Q_{I D_{s}}, S_{I D_{r}}\right)^{-\bar{r}}\).
  • Output is \(\bar{\sigma}=(\bar{r}, \bar{V})\).

 The generated ciphertext \(\bar{\sigma}=(\bar{r}, \bar{V})\) is indistinguishable from σ = (r, V) produced by the sender in Section 4. The sender randomly chooses a ciphertext σ′ = (r′ , V ′ ) from the sender’s valid set of ciphertexts that are intended for the receiver. The probability \(\mathrm{P}_{\mathrm{r}}[\bar{\sigma}\) = σ′ ] is 1/(q − 1) because \(\bar{\sigma}\) is chosen from \(\bar{x} \in Z_{q}^{*}\). Likewise, the probability that Pr[σ = σ′ ] is the same value, 1/(q − 1), because σ is chosen from \(x \in Z_{q}^{*}\), i.e., they have the same probability distribution.
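The scheme of Section 4 and the receiver simulation above, as an added worked example that is not part of the paper: a toy Python instantiation in which the voter of Section 6 sends a vote to the tally authority (TA). The bilinear map is a deliberately insecure stand-in (G1 = Zq under addition, G2 the order-q subgroup of Zp* generated by g, e(A, B) = g^(AB)), and the SHA-256-based H1, H2, H3, the XOR stream cipher E = D, the identities, the candidate codes and the lengths n = 32, l = 48 are all assumptions of the example. It reproduces the algebra of DAE, DAD and the receiver's forgery, not the security of a real pairing.

```python
import hashlib
import hmac
import random
from collections import namedtuple

# Assumed toy bilinear map (insecure, illustration only): G1 is Z_q under addition
# (integer A stands for the point A*P, so P = 1), G2 is the order-q subgroup of
# Z_p^* generated by g, and e(A, B) = g^(A*B).  Bilinear and non-degenerate, but
# discrete logs in G1 are trivial, so it shows the data flow, not the security.
N_BYTES, L_BYTES = 4, 6   # n = 32-bit plaintext, l = 48-bit tag; n + l = 80 < log2 q = 96
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
Params = namedtuple("Params", "p q g Ppub")   # Ppub = s*P is just s since P = 1

def is_probable_prime(n):
    """Miller-Rabin with fixed bases (exact below 3.3e24, overwhelming above)."""
    if n < 2 or any(n % b == 0 for b in _MR_BASES):
        return n in _MR_BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def pairing(pr, A, B):
    """e(A*P, B*P) = g^(A*B); hence e(aA, bB) = e(A, B)^(ab)."""
    return pow(pr.g, A * B % pr.q, pr.p)

def H1(pr, identity):           # {0,1}* -> G1
    return int.from_bytes(hashlib.sha256(b"H1|" + identity).digest(), "big") % pr.q or 1

def H2(pr, tau):                # G2 -> key k2 for the symmetric cipher
    return hashlib.sha256(b"H2|" + tau.to_bytes((pr.p.bit_length() + 7) // 8, "big")).digest()

def H3(m, k2):                  # {0,1}^n x key -> {0,1}^l
    return hashlib.sha256(b"H3|" + k2 + m).digest()[:L_BYTES]

def E(k2, x):
    """Toy stream cipher E (D is the same map): XOR with a one-block SHA-256 keystream."""
    return bytes(a ^ b for a, b in zip(x, hashlib.sha256(b"KS|" + k2).digest()))

def setup(seed=2019, bits=96):
    """PKG setup: deterministic toy parameters (p, q, g, Ppub) and the master key s."""
    rng, q = random.Random(seed), 4
    while not is_probable_prime(q):
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    p = next(k * q + 1 for k in range(2, 1 << 20, 2) if is_probable_prime(k * q + 1))
    g = next(c for c in (pow(h, (p - 1) // q, p) for h in range(2, 100)) if c != 1)
    s = rng.randrange(1, q)
    return Params(p, q, g, s), s

def extract(pr, s, identity):
    return s * H1(pr, identity) % pr.q          # S_ID = s*Q_ID

def dae(pr, S_s, ID_r, m, rng=None):
    """Sender: DAE(m, S_IDs, ID_r) -> sigma = (r, V)."""
    assert len(m) == N_BYTES, "plaintexts have the fixed length n"
    rng, Q_r = rng or random.SystemRandom(), H1(pr, ID_r)
    x = rng.randrange(1, pr.q)
    tau = pow(pairing(pr, pr.Ppub, Q_r), x, pr.p)
    k2 = H2(pr, tau)
    r = E(k2, m + H3(m, k2))
    r_int = int.from_bytes(r, "big")            # < q because n + l < log2 q
    S = (x * pr.Ppub - r_int * S_s) % pr.q      # x*Ppub - r*S_IDs in G1
    return r, pairing(pr, S, Q_r)

def dad(pr, ID_s, sigma, S_r):
    """Receiver: DAD(sigma, ID_s, S_IDr) -> m, or None for the paper's bottom symbol."""
    r, V = sigma
    shared = pairing(pr, H1(pr, ID_s), S_r)     # e(Q_IDs, S_IDr) = e(S_IDs, Q_IDr)
    tau = V * pow(shared, int.from_bytes(r, "big"), pr.p) % pr.p
    k2 = H2(pr, tau)
    mp = E(k2, r)
    m, tag = mp[:N_BYTES], mp[N_BYTES:]
    return m if hmac.compare_digest(tag, H3(m, k2)) else None

def receiver_forge(pr, S_r, ID_s, ID_r, m_bar, rng=None):
    """Section 5.2: the receiver alone builds a ciphertext that DAD accepts as from ID_s."""
    rng, Q_r = rng or random.SystemRandom(), H1(pr, ID_r)
    tau_bar = pow(pairing(pr, pr.Ppub, Q_r), rng.randrange(1, pr.q), pr.p)
    k2 = H2(pr, tau_bar)
    r_bar = E(k2, m_bar + H3(m_bar, k2))
    shared = pairing(pr, H1(pr, ID_s), S_r)
    V_bar = tau_bar * pow(shared, -int.from_bytes(r_bar, "big") % pr.q, pr.p) % pr.p
    return r_bar, V_bar

def demo():
    """Voter -> tally authority (TA) exchange of Section 6; returns three checks."""
    pr, s = setup()
    voter, ta, other = b"alice@corp.example", b"tally-authority", b"bob@corp.example"
    S_v, S_ta, S_o = (extract(pr, s, i) for i in (voter, ta, other))
    r, V = sigma = dae(pr, S_v, ta, b"C-02")
    accepted = dad(pr, voter, sigma, S_ta) == b"C-02"           # genuine vote recovered
    rejected = (dad(pr, voter, (bytes([r[0] ^ 1]) + r[1:], V), S_ta) is None
                and dad(pr, voter, sigma, S_o) is None)         # tampered / wrong receiver
    simulated = dad(pr, voter, receiver_forge(pr, S_ta, voter, ta, b"C-01"), S_ta) == b"C-01"
    return accepted, rejected, simulated
```

demo() returns (True, True, True): the TA recovers the vote, rejects a tampered ciphertext and a ciphertext meant for another receiver, and accepts a ciphertext it forged itself, which is exactly why it cannot convince a third party that a given ciphertext came from the voter. The forgery also shows what the scheme does not give: DAD takes ID_s as input, so the voter is deniable toward outsiders, not anonymous toward the TA.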

 Next, we show that our design is provably secure. The two theorems below indicate that the design is secure with regard to both IND-IBDAE-CCA2 and DA-IBDAE-CMA.

 Theorem 5.1 In the ROM, if \(\mathcal{A}\) wins the game in Definition 3.1 with an advantage of ε within a time t, making at most \(q_{H_{i}}\) queries to oracle \(H_{i}\) (i = 1, 2, 3), \(q_{K}\) KE (key extraction) queries, \(q_{E}\) DAE queries, and \(q_{D}\) DAD queries, then \(\mathcal{C}\) can solve the DBDH problem within a time of \(O\left(t+\left(2 q_{H_{3}}^{2}+q_{D}\right) T_{e}\right)\) with an advantage of

\(\operatorname{Adv}\left(\mathcal{C}^{D B D H\left(G_{1}, P\right)}\right)>\frac{2\left(\varepsilon-q_{D} / 2^{k-1}\right)}{q_{H_{1}}^{4}}\)

In which Te represents the calculation time of the bilinear pairing.

 Proof. \(\mathcal{C}\) receives (P, aP, bP, cP) of the DBDH problem together with h and attempts to decide whether h = e(P,P)abc. \(\mathcal{C}\) acts as \(\mathcal{A}\)’s challenger in the IND-IBDAE-CCA2 game. \(\mathcal{A}\) consults \(\mathcal{C}\) for the responses of H1, H2, and H3, which \(\mathcal{C}\) produces at random, and \(\mathcal{C}\) maintains three lists, L1, L2, and L3, to store the responses. We assume that \(\mathcal{A}\) requests H1(ID) before ID is used in any other query.

 Setup: \(\mathcal{C}\) runs Setup algorithm and sends Ppub= cP to \(\mathcal{A}\) . Note that \(\mathcal{C}\) knows nothing about c, which serves as PKG’s master private key.

 Phase 1: \(\mathcal{A}\) adaptively executes queries.

  • H1 queries: \(\mathcal{C}\) randomly selects two index values \(i, j \in\left\{1, \ldots, q_{H_{1}}\right\}\). \(\mathcal{A}\) requests H1 queries on identities it chooses. For query H1, at the i-th, \(\mathcal{C}\) returns \(H_{1}\left(I D_{i}\right)\) as aP; \(\mathcal{C}\) returns \(H_{1}\left(I D_{j}\right)\) as bP at the j-th. For queries \(H_{1}\left(I D_{\alpha}\right)\) withα ≠ i, j, \(\mathcal{C}\) selects dα from \(Z_{q}^{*}\), stores (IDα,dα) in list L1, and returns \(H_{1}\left(I D_{\alpha}\right)=d_{\alpha} P\).
  • H2 queries: For a query \(H_2(\tau)\) with τ ∈ G2, \(\mathcal{C}\) checks whether an entry (τ, ·) is already in list L2. If so, it returns the stored answer to \(\mathcal{A}\); if not, \(\mathcal{C}\) randomly picks \(k_2 \in Z_{q}^{*}\) as the response and stores (τ, k2) in L2.
  • H3 queries: For a query H3(m, k2), \(\mathcal{C}\) checks whether an entry (m, k2, ·) is already in list L3. If so, it returns the stored answer to \(\mathcal{A}\); if not, \(\mathcal{C}\) randomly picks \(u \in \{0,1\}^{l}\) as the response and stores (m, k2, u) in L3.
  • KE queries: When \(\mathcal{A}\) submits an identity IDα to \(\mathcal{C}\), if IDα = IDi or IDα = IDj, \(\mathcal{C}\) fails. If \(I D_{\alpha} \neq I D_{i}, I D_{j}\), list L1 must contain (IDα, dα) for some dα (meaning that \(\mathcal{C}\) previously answered H1(IDα) = dαP), and the private key of IDα is dαPpub = dαcP. The failure probability over all KE queries is at most \(2 / q_{H_{1}}\).
  • DAE queries: \(\mathcal{A}\) can perform DAE queries on m,IDα and IDβ.

(1). If \(I D_{\alpha} \neq I D_{i}, I D_{j}\), \(\mathcal{C}\) first calculates the private key \(S_{I D_{\alpha}}\) by executing KE query algorithm; then, it performs the DAE(m, \(S_{I D_{\alpha}}\), IDβ) algorithm to answer the query.

(2). If \(I D_{\alpha}=I D_{i}\) or \(I D_{\alpha}=I D_{j}\), but \(I D_{\beta} \neq I D_{i}, I D_{j}\), \(\mathcal{C}\) runs the following simulation. It obtains the private key \(S_{I D_{\beta}}\) using the key extraction algorithm. Then, it selects random elements \((r, V) \in Z_{q}^{*} \times G_{2}\) and computes \(\tau=V e\left(Q_{I D_{\alpha}}, S_{I D_{\beta}}\right)^{r}\). The simulation depends on whether list L2 has a tuple of the form (τ, ·).

 When L2 contains an entry (τ, k2) and L3 has an item (m, k2, u) such that the first n bits of \(D_{k_{2}}(r)\) differ from m, \(\mathcal{C}\) selects another (r, V) and repeats the procedure. When L3 contains no entry (m, k2, u), \(\mathcal{C}\) takes \(u=\left[D_{k_{2}}(r)\right]_{n+1 \ldots n+l}\) (where \([x]_{i \ldots j}\) denotes the bit string between the i-th and j-th leftmost bits of x) and stores (m, k2, u) in list L3.

 When no entry (τ, ·) exists in list L2, \(\mathcal{C}\) chooses a random \(k_{2} \in Z_{q}^{*}\). It also selects a random \(u \in\{0,1\}^{l}\) such that (m, ·, u) is not in list L3, and sets \(m^{\prime}=m \| u\). When no item (m, k2, u′) with u′ ≠ u is in list L3, \(\mathcal{C}\) stores (τ, k2) and (m, k2, u) in lists L2 and L3, respectively. Otherwise, \(\mathcal{C}\) selects other candidate data (r, V) and repeats the procedure.

 \(\mathcal{C}\) updates lists L2 and L3 once it has found admissible data (r, V), and returns (r, V) as the ciphertext. The procedure is repeated at most \(2 q_{H_{3}}\) times, and each attempt costs one pairing computation.

(3). When IDα = IDi and IDβ = IDj, or IDβ = IDi and IDα = IDj, \(\mathcal{C}\) randomly selects x from \(Z_{q}^{*}\) and computes \(\tau=e\left(P_{p u b}, Q_{I D_{\beta}}\right)^{x}\) and k2 = H2(τ) such that no entry (τ, k2) already exists in list L2. Then, \(\mathcal{C}\) checks whether list L3 contains an item (m, k2, u). If not, \(\mathcal{C}\) stores (m, k2, u) in list L3 and (τ, k2) in list L2. Then, \(\mathcal{C}\) computes \(r=E_{k_{2}}(m \| u)\), selects a random V ∈ G2 and transmits σ = (r, V) to \(\mathcal{A}\). \(\mathcal{A}\) cannot tell that σ is an invalid ciphertext unless it requests the decryption of σ.

  • DAD queries: \(\mathcal{A}\) submits a ciphertext σ for a sender identity IDα and a receiver identity IDβ. When \(I D_{\beta} \neq I D_{i}, I D_{j}\), \(\mathcal{C}\) obtains \(S_{I D_{\beta}}\) by running the KE algorithm and then runs \(\operatorname{DAD}\left(\sigma, I D_{\alpha}, S_{I D_{\beta}}\right)\). Otherwise, \(\mathcal{C}\) fails. The failure probability is at most \(q_{D} / 2^{k}\).

 After the first stage, \(\mathcal{A}\) selects the two identities it wishes to be challenged on. The challenge identities are \(\left(I D_{i}, I D_{j}\right)\) with a probability of at least \(\). \(\mathcal{C}\) fails if \(\mathcal{A}\) requested the private key of IDi or IDj in the first stage, because it is unable to answer such a query; \(\mathcal{C}\) also fails if \(\mathcal{A}\) does not pick these two identities as the target identities.

 Then, \(\mathcal{A}\) creates two messages, m0 and m1 . \(\mathcal{C}\) chooses a random bit b∈{0,1} and encrypts mb. It chooses \(r \in Z_{q}^{*}\) and V∈G2 and computes τ =Vhr (where h is \(\mathcal{C}\) ’s candidate for the DBDH problem) to receive \(k_{2}=H_{2}(\tau)\) (according to H2 simulation algorithm) and \(u_{b}=H_{3}\left(m_{b}, k_{2}\right)\) (according to H3 simulation algorithm). Then, it verifies whether L3 already contains the entry \(\left(m_{b}, k_{2}, u_{b}\right)\). If not, it stores \(\left(m_{b}, k_{2}, u_{b}\right)\) in list L3 ; otherwise, it selects another (r, V) and repeats the procedure. After looking up admissible element (r, V), \(\mathcal{C}\) sends the ciphertext \(\sigma=(r, V)\) to \(\mathcal{A}\).

 \(\mathcal{A}\) then executes the second-stage queries as in the first stage. When the simulation is over, it outputs a bit b′, meaning that \(\sigma=D A E\left(m_{b^{\prime}}, S_{I D_{i}}, I D_{j}\right)\) from the standpoint of \(\mathcal{A}\). If b = b′, \(\mathcal{C}\) answers 1, because \(\mathcal{A}\) could only recognize the encrypted message if h was the correct DBDH value used to build σ. Otherwise, \(\mathcal{C}\) answers 0.

 Now we consider \(\mathcal{C}\)’s probability of success. \(\mathcal{C}\) does not succeed if \(\mathcal{A}\) requests the private key of IDi or IDj in the first stage. There are \(\binom{q_{H_{1}}}{2}\) ways to pick \(\left(I D_{i}, I D_{j}\right)\). \(\mathcal{A}\) does not query KE on IDi or IDj with probability at least \(2 / q_{H_{1}}\). Further, \(\mathcal{A}\) elects the challenge identities \(\left(I D_{i}, I D_{j}\right)\) with probability exactly \(\), and \(\mathcal{C}\) solves its DBDH problem if \(\mathcal{A}\) wins the IND-IBDAE-CCA2 game.

 In the end, because

\(\begin{aligned} p_{1} &=\operatorname{Pr}\left[b^{\prime}=b \mid \sigma=D A E\left(m_{b}, S_{ID_{i}}, I D_{j}\right)\right]=\frac{\varepsilon+1}{2}-\frac{q_{D}}{2^{k}},\\ p_{0} &=\operatorname{Pr}\left[b^{\prime}=i \mid h \text { uniform in } G_{2}\right]=\frac{1}{2} \text { for } i=0,1, \end{aligned}\)

 we have

\(\begin{array}{c} A d v(\mathcal{C})=\left|\underset{a, b, c \in \mathbb{Z}_{q}}{\operatorname{Pr}}\left[1 \leftarrow \mathcal{C}\left(a P, b P, c P, e(P, P)^{a b c}\right)\right]-\underset{a, b, c \in \mathbb{Z}_{q}, h \in G_{2}}{\operatorname{Pr}}[1 \leftarrow \mathcal{C}(a P, b P, c P, h)]\right| \\ =\frac{\left|p_{1}-p_{0}\right|}{\left(2 / q_{H_{1}}\right)^{2}}=\frac{\varepsilon-q_{D} / 2^{k-1}}{2\left(2 / q_{H_{1}}\right)^{2}}>\frac{2\left(\varepsilon-q_{D} / 2^{k-1}\right)}{q_{H_{1}}^{4}} \end{array}\)

 Note that the denominator is \(q_{H_{1}}^{4}\) rather than \(q_{H_{1}}^{2}\) because \(\mathcal{A}\) determines the challenged identities after the first stage.

 Theorem 5.2 In the ROM, if \(\mathcal{A}\) wins the game of Definition 3.2 with an advantage of \(\varepsilon \geq 5\left(q_{E}+1\right)\left(q_{E}+q_{H_{3}}\right) q_{H_{1}} /\left(2^{k}-1\right)\) within time t, making at most \(q_{H_{i}}\) queries to \(H_{i}\) (i = 1, 2, 3), \(q_{K}\) KE queries, \(q_{E}\) DAE queries, and \(q_{D}\) DAD queries, then \(\mathcal{C}\) solves the BDH problem in an expected time of \(t^{\prime} \leq 60343\, q_{H_{3}} q_{H_{1}} 2^{k} t /\left(\varepsilon\left(2^{k}-1\right)\right)\).

 Proof. To apply the forking lemma[31], we must show how our design fits the signature-scheme framework of [31]. In the simulation of DAE, the sender’s private key is unavailable to the simulator (because the master private key is unknown to it), so a method is needed that turns a forgery into a solution of the BDH problem.

 First, observe that the DAE of our design can be viewed as the three-move honest-verifier zero-knowledge identification protocol required in [31], in which \(\sigma_{1}=k_{2}=H_{2}\left(e\left(P_{p u b}, Q_{B}\right)^{x}\right)\) is the commitment, \(h=H_{3}\left(m, k_{2}\right)\) is the challenge (hash value), and σ2 = V is the response.

 Second, we give a concrete simulation and show how to solve the BDH problem. Upon inputting (P, aP, bP, cP) of the BDH problem, \(\mathcal{C}\) must calculate e(P,P)abc. \(\mathcal{C}\) executes \(\mathcal{A}\) as a subroutine. \(\mathcal{A}\) consults \(\mathcal{C}\) to answer H1, H2, and H3, and \(\mathcal{C}\) holds lists L1, L2, and L3 to store the randomly generated responses. The H1, H2, H3, KE, DAE and DAD queries are answered in the same way as in the proof of Theorem 5.1.

 Forgery: \(\mathcal{A}\) outputs a triple \(\left(\sigma^{*}, I D_{i}, I D_{j}\right)\), where \(\sigma^{*}=\left(r^{*}, V^{*}\right)\). We combine the identities \(I D_{\theta}=\left\{I D_{i}, I D_{j}\right\}\) and the message m into (IDθ, m) so that the identity-based aspect of the DA-IBDAE-CMA attack is hidden and the forgery can be treated as an identity-less adaptive-CMA existential forgery.

 If \(\mathcal{A}\) is a sufficiently efficient attacker in the above interaction, the forking lemma yields a Las Vegas machine \(\mathcal{A}\)' that returns two forgeries \(\left(\left(I D_{\theta}, m^{*}\right), r^{*}, V^{*}\right)\) and \(\left(\left(I D_{\theta}, m^{*}\right), \bar{r}^{*}, \bar{V}^{*}\right)\) with \(r^{*} \neq \bar{r}^{*}\) and the same commitment x. To solve the BDH problem using the machine \(\mathcal{A}\)′ derived from \(\mathcal{A}\), we construct a machine \(\mathcal{C}\)′ as follows.

  • \(\mathcal{C}\)′ executes \(\mathcal{A}\)′ to acquire two distinct forgeries \(\left(\left(I D_{\theta}, m^{*}\right), r^{*}, V^{*}\right)\) and \(\left(\left(I D_{\theta}, m^{*}\right)\right.,\left.\bar{r}^{*}, \bar{V}^{*}\right)\).
  • \(\mathcal{C}\)′ calculates e(P,P)abc as \(\left(V^{*} / \bar{V}^{*}\right)^{1 /\left(\bar{r}^{*}-r^{*}\right)}\). This works because both forgeries share the same τ, so by the consistency equation \(V^{*} / \bar{V}^{*}=e\left(S_{I D_{i}}, Q_{I D_{j}}\right)^{\bar{r}^{*}-r^{*}}\), and with \(Q_{I D_{i}}=a P\), \(Q_{I D_{j}}=b P\) and \(P_{p u b}=c P\) we have \(e\left(S_{I D_{i}}, Q_{I D_{j}}\right)=e(a c P, b P)=e(P, P)^{a b c}\).

 The machine \(\mathcal{C}\)′ is our reduction to the BDH problem. If the success probability of \(\mathcal{A}\)′ is \(\varepsilon \geq 5\left(q_{E}+1\right)\left(q_{E}+q_{H_{3}}\right) q_{H_{1}} /\left(2^{k}-1\right)\) within running time t, then \(\mathcal{C}\)′ solves the BDH problem in an expected time \(t^{\prime} \leq 60343\, q_{H_{3}} q_{H_{1}} 2^{k} t /\left(\varepsilon\left(2^{k}-1\right)\right)\). The coefficient differs from that of [31] because the simulator must additionally guess two distinct identities.

6. A Secure E-voting Protocol

 The construction can be employed in an e-voting system (EVS); Fig. 2 shows the example. An electric power company wants to select a general manager by having all employees vote. If the votes were sent as plaintext, the process would be insecure. A PKG inside the company is in charge of registration and issues a private key to each employee and to the tally authority (TA). Each employee is a voter who first runs \(D A E\left(m, S_{I D_{s}}, I D_{r}\right)\) to obtain the ciphertext and then transmits it, for example from a smart device, to the TA. Finally, the TA runs \(D A D\left(\sigma, I D_{s}, S_{I D_{r}}\right)\) to recover each vote m. Because the protocol authenticates the sender, the TA knows that a ciphertext came from a valid employee; because the protocol is deniable, the TA cannot prove the sender’s identity of any ciphertext to a third party. Even if the TA and a third party were to cooperate, the third party has reason to doubt a ciphertext presented by the TA, because the TA can itself generate valid ciphertexts (Section 5.2). Thus a third party cannot coerce an employee into selecting a particular candidate by demanding proof of the vote. Note that DAD takes IDs as input, so the TA itself learns who cast each vote: the scheme provides deniability toward outsiders, not anonymity toward the TA.

Fig. 2: A secure e-voting protocol
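To make the deniability argument of the e-voting protocol concrete, the following Python model of the Fig. 2 flow is an added example, not the paper's scheme: the pairing-derived shared value is replaced by a static Diffie-Hellman secret over a toy (insecure) group, DAE/DAD are built from HMAC, and all names and identities (keygen, dae, dad, run_election, employee-042, tally-authority) are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters (NOT secure): a 127-bit Mersenne prime group.
# The paper's pairing value e(S_IDs, Q_IDr) = e(Q_IDs, S_IDr) is stood in by a
# static Diffie-Hellman secret that each side derives from its own secret and
# the other's public value; that symmetry is what makes the authenticator deniable.
P = (1 << 127) - 1
G = 5

def keygen():  # hypothetical stand-in for the PKG's key extraction
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def shared_key(my_secret, their_public):
    return hashlib.sha256(pow(their_public, my_secret, P).to_bytes(16, "big")).digest()

def dae(m, key, id_s, id_r):
    """Deniable authenticated encryption (HMAC stand-in for the paper's DAE); |m| <= 32."""
    r = secrets.token_bytes(16)
    pad = hmac.new(key, r + b"enc", hashlib.sha256).digest()
    c = bytes(a ^ b for a, b in zip(m, pad))
    tag = hmac.new(key, id_s + id_r + r + c, hashlib.sha256).digest()
    return r, c, tag

def dad(sigma, key, id_s, id_r):
    """Returns (valid, message); valid is False if the authenticator fails."""
    r, c, tag = sigma
    expect = hmac.new(key, id_s + id_r + r + c, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return False, b""
    pad = hmac.new(key, r + b"enc", hashlib.sha256).digest()
    return True, bytes(a ^ b for a, b in zip(c, pad))

def run_election():
    """Walk through Fig. 2: voter -> TA, then the TA tries to use sigma as evidence."""
    voter_sk, voter_pk = keygen()   # PKG issues a key to the employee ...
    ta_sk, ta_pk = keygen()         # ... and to the tally authority
    id_v, id_ta = b"employee-042", b"tally-authority"   # constructed identities
    ta_key = shared_key(ta_sk, voter_pk)   # equals shared_key(voter_sk, ta_pk)
    sigma = dae(b"candidate:B", shared_key(voter_sk, ta_pk), id_v, id_ta)
    ok, ballot = dad(sigma, ta_key, id_v, id_ta)
    # Deniability: the TA holds the same key, so it can forge a ballot that passes
    # DAD; a third party therefore cannot trust sigma as proof of who voted for whom.
    forged_ok, _ = dad(dae(b"candidate:A", ta_key, id_v, id_ta), ta_key, id_v, id_ta)
    # Integrity: a flipped ciphertext byte is rejected by DAD.
    r, c, tag = sigma
    tampered_ok, _ = dad((r, bytes([c[0] ^ 1]) + c[1:], tag), ta_key, id_v, id_ta)
    return ok, ballot, forged_ok, tampered_ok
```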

7. Performance

 We now compare the performance of our design with the existing schemes [16,17,21,22] listed in Table 1. We count point addition (PA) and point multiplication (PM) in G1, bilinear pairing (BP), modular exponentiation (ME) and multiplication (MT) in a finite field, and certificate verification (CV), which generally costs about the same as two ME computations. Note that an ME in a finite field (FF) is treated as equivalent to a PM in an elliptic curve cryptosystem (ECC) (i.e., ME = PM), and an MT in a FF as equivalent to a PA in ECC (i.e., MT = PA). XOR, hash function, and addition in a FF are omitted because their cost is negligible. Additionally, let |G1| = 160 bits, |m| = 160 bits, |p| = 512 bits, |cert| = 320 bits, |q| = 160 bits, hash value = 160 bits, and |G2| = 1024 bits. The key size (KS) comprises both the public key and the private key, and CL denotes the communication overhead. As Table 1 shows, our approach is highly efficient in terms of KS and CL. Additionally, the scheme in [16] is interactive and lacks a proof of security. Our design is in the ID-based setting and thus avoids the problems related to PKI.

 We also conducted an experiment with the PBC library, with the library's embedding degree set to 2. The experiment was executed on an Intel Pentium(R) Dual-Core processor running at 2.69 GHz with 2,048 MB of RAM (2,007.04 MB available). On this machine, using an ECC with a 160-bit q, a PA computation takes 0.065 ms and a PM computation 15.927 ms; a BP computation takes 26.68 ms and an ME computation 3.126 ms. DAE and DAD take 95.562 ms and 95.562 ms in [16], 79.7 ms and 63.773 ms in [17], 88.34 ms and 42.672 ms in [21], and 101.206 ms and 58.534 ms in [22]. In our scheme, DAE and DAD take 101.206 ms and 42.607 ms, respectively. Compared with [16,17,21,22], the computational cost of DAE in our design equals that of [22] but is slightly higher than those of [16,17,21] because it requires two pairing computations (whose outputs lie in G2). Our design has the lowest computational cost for DAD, even though it includes one pairing computation. In terms of setting, [16,17] are in the PKI setting, while [21,22] and our design are in the ID-based setting and avoid the problems of PKI. Fig. 4 shows the CL of [16,17,21,22] and our scheme. Although our design must transmit V, which belongs to G2, our protocol still has the smallest communication overhead.

Table 1. Performance comparison

Fig. 3. Primary computational cost of DAE

Fig. 4. Communication overhead of DAE

8. Conclusion

 In this paper, we construct a novel non-interactive IBDAE scheme that realizes deniable authentication and confidentiality in a logical single step. Our construction provides proof of security and is efficient in terms of performance analysis. In addition, we provide an example to show how our construction can be used in e-voting systems. As such, our design is applicable to privacy protection scenarios.

Acknowledgements

 This work is supported by the Natural Science Foundation of Huai’an (Grant No.HAB201837), the Electric Power Company Technology Project of Jiangsu Province (Grant No.J2017123), the Natural Science Foundation of Jiangsu Province (Grant No.BK20161302), the National Key R & D Program of China (No. 2018YFB1004904), the Huai’an Science and Technology Project (No. HAC201705, No.HAB201803), the Key Project of JiangSu Provincial Department of Education (No.18KJA520001), the Six Talent Peaks Project in Jiangsu Province (XYDXXJS-011), and the Jiangsu 333 Engineering Research Funding Project (BRA2016454).


References

  1. Y. Aumann and M. Rabin, "Authentication, enhanced security and error correcting codes," in Proc. of 20th Annual International Cryptology Conference, CRYPTO 1998, pp. 299-303, August 23-27, 1998.
  2. C. Dwork, M. Naor and A. Sahai, "Concurrent zero-knowledge," in Proc. of the Thirtieth Annual ACM Symposium on the Theory of Computing Symposium on Theory of Computing (STOC'98), pp. 409-418, May 23-26, 1998.
  3. Y. Chen and J. Chou, "ECC-Based Non-Interactive Deniable Authentication with Designated Verifier," IACR Cryptology ePrint Archive, pp. 783, 2013.
  4. F. Li, P. Xiong and C. Jin, "Identity-Based Deniable Authentication for Ad Hoc Networks," Computing, vol. 96, no. 9, pp. 843-853, September, 2014. https://doi.org/10.1007/s00607-013-0321-5
  5. S. Gambs, C. Onete and J. Robert, "Prover anonymous and deniable distance-bounding authentication," in Proc. of the 9th ACM symposium on Information, computer and communications security, pp. 501-506, June 4-6, 2014.
  6. W. Shi, J. Zhang, Y. Zhou and Y. Yang, "A novel quantum deniable authentication protocol without entanglement," Quantum Information Processing, vol.14, no.6, pp. 2183-2193, January, 2015. https://doi.org/10.1007/s11128-015-0994-0
  7. T. Dimitriou and N. Al-Ibrahim, "Denying Your Whereabouts: A Secure and Deniable Scheme for Location-Based Services," in Proc. of Cryptology and Network Security- 15th International Conference, pp. 713-718, November 14-16, 2016.
  8. S. Mandal, S. Mohanty, and B. Majhi, "An ID-based Non-Interactive Deniable Authentication Protocol based on ECC," in Proc. of the 2017 the 7th International Conference on Communication and Network Security, pp. 48-52, November 24-26, 2017.
  9. X. Hong and B. Wang, "A non-interactive deniable authentication scheme in the standard model," Journal of Electrical and Electronic Engineering, vol. 5, no. 2, pp. 80, December, 2017. https://doi.org/10.11648/j.jeee.20170502.19
  10. S. Zeng, Y. Chen, S. Tan and M. He, "Concurrently deniable ring authentication and its application to LBS in VANETs," Peer-to-Peer Networking and Applications, vol.10, no.4, pp. 844-856, January, 2017. https://doi.org/10.1007/s12083-016-0433-8
  11. S. Zeng, Y. Mu, G. Yang and M. He, "Deniable Ring Authentication Based on Projective Hash Functions," in proc. of Provable Security- 11th International Conference, ProvSec 2017, pp. 127-143, October 23-25,2017.
  12. F. Li, J. Hong and A. Omala, "Practical deniable authentication for pervasive computing environments," Wireless Networks, vol.24, no.1, pp. 139-149, January, 2018. https://doi.org/10.1007/s11276-016-1317-9
  13. L. Harn and J. Ren, "Design of fully deniable authentication service for e-mail applications," Communications Letters, vol.12, no.3, pp. 219-221, January, 2008. https://doi.org/10.1109/LCOMM.2008.071793
  14. R. Lu, X. Lin, Z. Cao, L. Qin and X. Liang, " A simple deniable authentication protocol based on the Diffie-Hellman algorithm," International Journal of Computer Mathematics, vol.85, no.9, pp. 1315-1323, 2008. https://doi.org/10.1080/00207160701622741
  15. E. Yoon, K. Yoo, S. Yeo and S. Lee, "Robust deniable authentication protocol," Wireless personal communications, vol. 55, no. 1, pp. 81-90, September, 2010. https://doi.org/10.1007/s11277-009-9787-z
  16. F. Li and T. Takagi, "Cryptanalysis and Improvement of Robust Deniable Authentication Protocol," Wireless personal communications, vol. 69, no.4, pp. 1391-1398, January, 2013. https://doi.org/10.1007/s11277-012-0640-4
  17. S. Hwang and Y. Sung, "Confidential deniable authentication using promised signcryption," Journal of Systems and Software, vol. 84, no. 10, pp. 1652-1659, January, 2011. https://doi.org/10.1016/j.jss.2011.04.024
  18. L. Harn, C. Lee, C. Lin, and C. Chang, "Fully deniable message authentication protocols preserving confidentiality," The Computer Journal, vol. 54, no. 10, pp. 1688-1699, January, 2011. https://doi.org/10.1093/comjnl/bxr081
  19. S. Hwang, Y. Sung and J. Chi, "Deniable Authentication Protocols with Confidentiality and Anonymous Fair Protections," in Proc. of the International Computer Symposium ICS 2012, pp. 41-51, December 12-14, 2013.
  20. F. Li, D. Zhong and T. Takagi, "Efficient Deniably Authenticated Encryption and Its Application to E-Mail," IEEE Transactions on Information Forensics and Security, vol. 11, no. 11, pp. 2477-2486, November, 2016. https://doi.org/10.1109/TIFS.2016.2585086
  21. W. Wu and F. Li, "An Efficient Identity-Based Deniable Authenticated Encryption Scheme," KSII Transactions on Internet and Information Systems (TIIS), vol. 9, no. 5, pp. 1904-1919, January, 2015. https://doi.org/10.3837/tiis.2015.05.020
  22. F. Li, Z. Zheng and C. Jin, "Identity-based deniable authenticated encryption and its application to e-mail system," Telecommunication Systems, vol. 62, no. 4, pp. 625-639, May, 2016. https://doi.org/10.1007/s11235-015-0099-1
  23. C. Jin and J. Zhao, "Efficient and Short Identity-Based Deniable Authenticated Encryption," in proc. of International Conference on Cloud Computing and Security, pp. 244-255, June 17-18, 2017.
  24. C. Jin, G. Chen, C. Yu and J. Zhao, "Deniable authenticated encryption for e-mail applications," International Journal of Computers and Applications, pp. 1-10, May, 2018.
  25. N. Unger and I. Goldberg, "Improved Strongly Deniable Authenticated Key Exchanges for Secure Messaging," in Proc. of Privacy Enhancing Technologies, 2018, pp. 21-66,July 24-27, 2018.
  26. E. Ahene, C. Jin and F. Li, "Certificateless deniably authenticated encryption and its application to e-voting system," Telecommunication Systems, pp. 1-18, 2018.
  27. C. Jin and J. Zhao, "Certificateless aggregate deniable authentication protocol for ad hoc networks," International Journal of Electronic Security and Digital Forensics, vol. 10, no. 2, pp. 168-187, 2018. https://doi.org/10.1504/IJESDF.2018.090958
  28. Y. Zheng, "Digital signcryption or how to achieve cost (signature & encryption) << cost (signature) + cost(encryption)," in Proc. of Cryptology-CRYPTO'97,17th Annual International Cryptology Conference, pp. 165-179, August 17-21, 1997.
  29. J. Cha and J. Cheon, "An identity-based signature from gap Diffie-Hellman groups," in Proc. of Public Key Cryptography- PKC 2003, sixth International Workshop on Theory and Practice in Public Key Cryptography, pp. 18-30, January 6-8, 2003.
  30. D. Boneh and M. Franklin, "Identity-based encryption from the weil pairing," in Proc. of Cryptology- CRYPTO 2001, 21st Annual International Cryptology Conference, pp. 213-229, August 19-23, 2001.
  31. D. Pointcheval and J. Stern, "Security arguments for digital signatures and blind signatures," Journal of Cryptography, vol. 13, no. 3, pp. 61-396, 2003.