A Threshold Authenticated Encryption Scheme Using Hybrid Problems

In this paper, we propose a threshold authenticated encryption scheme using both factoring and discrete logarithm problems. We apply the concept of threshold cryptography in the verification and message recovery phase, where t out of n recipients are required to verify and recover the message. Security analysis shows that our scheme will remain secure even if one of these problems can be solved.


Introduction
An authenticated encryption scheme is a cryptographic scheme that ensures the confidentiality, integrity and authenticity of online documents or messages by allowing the user to sign and encrypt a message at the same time.In such a scheme, the receiver can not only recover the message sent, but also verify the message.By combining the digital signature scheme and the encryption scheme into a single scheme, communication and operation costs can be less than when performing both schemes separately [1].
Diffie and Hellman's [2] introduction of the concept of public-key cryptography has led to the development of a number of digital signature schemes based on various problems in number theory, such as factoring [3], discrete logarithm [4], quadratic residue [5], and elliptic curve [6,7].However, if one of the problems can be solved, then the single-problem scheme will not be secure.To overcome this problem, digital signature schemes using two problems have been proposed [8,9,10,11,12].Furthermore, two-problem or hybrid-problem schemes are also suitable for applications that need long-term security [13].
The idea of developing an authenticated encryption scheme emerged from the modification of the digital signature.Nyberg and Rueppel [14] proposed a modified version of the Digital Signature Algorithm to facilitate message recovery.However, their scheme allowed only a single signer and a single verifier in the signing and verifying phases.Since then, the development of an authenticated encryption scheme has turned to multiple-participant society-oriented cryptography, also known as threshold cryptography [15,16].Hsu and Wu [17], for example, presented an authenticated encryption scheme with (t, n) shared verification, and Wang et.al. [18], Hsu et.al. [19], and Chen et.al [1] developed schemes with (t, n) signers and (k, l) verifiers.
All authenticated encryption schemes reviewed here were developed using a single number theory problem.In this paper, considering the need for long-term security, we develop a threshold authenticated encryption scheme using two number theory problems: factoring and discrete logarithm.The security of our scheme arises from the difficulty of solving both problems simultaneously.We show that our scheme remains secure, even when one of the problems is solved.

The Proposed Authenticated Encryption Scheme
In this paper, a hybrid problem-based authenticated encryption scheme is proposed.Like all authenticated encryption schemes, the proposed scheme comprises the following phases: 1. generating parameters and keys; 2. signing and encrypting message; and 3. verifying and decrypting the message.

Phase 1: Generating parameters and keys
In this phase, the system authority generates the keys that will be used throughout the scheme.Before s/he generates the secret and public keys for senders and receivers, s/he will set the following parameters: i.
a factor of , where and are two safe primes.iii.
̅ ̅ ̅ -a factor of , where ̅ and ̅ are two safe primes.iv.

Threshold authenticated encryption scheme
a generator of of order .
In our scheme, a single sender and many receivers are involved in both signing/encrypting and verifying/decrypting phases.The system authority generates the secret and public keys for both sender and group of receivers, and then sets the threshold polynomial functions to share the secret keys for the receivers.In the key generation procedure, the system authority , where and the corresponding public key ( ); and 6. sets a secret key for the signer and the corresponding public key ( ).
The summary of secret and public keys for sender and receivers is given in Table 1.The recovered can be verified by checking the validity of the redundancy within it.Theorem 1.If the algorithms in Phases 1 and 2 run smoothly, then the decryption of the encrypted message in Phase 3 is correct.

Proof:
All equations in Phase 3 are true for all ( ) since: 1. Calculation of .

Security Analysis
In this section, we show that our scheme is heuristically secure against some cryptographic attacks.We consider the following attacks: Attack 1 (i) Suppose that the adversary (Adv) tries to obtain the secret keys for the sender ( ) from the equations ( ( ̅ )) and ( ).It is clearly infeasible due to the difficulty of solving factoring and discrete logarithm problems.(ii) Adv also might try to derive the secret keys for the recipients ( ) from the equations ( ( )) and ( ) .However, without solving factoring and discrete logarithm problems, s/he will never succeed in deriving the secret keys from both equations.

Attack 2
Adv discovers the value of from the equation ( ̅ ) and then tries to obtain the secret key from the equation ( ).Since is a one-time secret integer and can only be discovered if both factoring and discrete logarithm problems are solvable, extracting the secret key from the equation ( ) will always be infeasible.

Attack 3
Assume that the factoring problem is solvable.(i) Adv could find the secret key for the sender and try to generate the signature-ciphertext ( ) of a fake message.However, without knowing another secret key , which can only be obtained if the discrete logarithm problem is solvable, Adv cannot calculate and fails to generate from the signature-ciphertext. (ii) Adv also could find the secret key and try to recover the message from the signature-ciphertext ( ) .However, without solving the discrete logarithm problem, s/he cannot find another secret key .Thus, the value of remains concealed and Adv's attempt to recover the message from the equation ( ) fails.

Attack 4
Assume that the discrete logarithm problem is solvable.(i) Adv knows the secret and tries to generate the signature-ciphertext ( ).Since the factoring problem remains unsolved, Adv does not know the other secret key and so fails to generate from the signature-ciphertext.
(ii) With the information about the signature-ciphertext ( ) and the secret key , Adv tries to verify and recover the message.In this case, he tries to calculate the value of from the equation ( ).However, without solving the factoring problem and finding the value of , s/he cannot calculate and so fails to recover the message from the equation ( ).

Performance Evaluation
It has been shown that the proposed authenticated encryption scheme is secure against some attacks.In this section, the efficiency of this scheme is evaluated, in terms of the number of secret and public keys, computational complexity, and communication cost.The following notations are used to analyze the efficiency of this scheme. SK and PK are the number of secret and public keys, respectively. is the time complexity for executing the modular exponentiation computation. is the time complexity for executing the modular multiplication computation. is the time complexity for executing the modular inverse computation. | | denotes the bit length of . is the number of recipients involved in verifying and decrypting message phase.
The performance of this scheme is shown in Table 2.
In Table 2, we show the performance of our new scheme.In this paper, we do not compare the performance with other schemes because to our knowledge, this is the first threshold authenticated encryption scheme developed using two number theoretical problems.However, compared with a single problem-based scheme, our scheme is less efficient since it needs more computation for two problems.Nevertheless, this is the best hybrid problem-based scheme that we can develop.

Conclusion
In this paper, we propose a threshold authenticated encryption scheme using two common number theoretical problems used in cryptography, namely, factoring and discrete logarithm.Security analysis shows that our scheme remains secure even if one of the problems is solved.In performance evaluation, it is shown that this is the best hybrid problem-based scheme that we can develop.Although this scheme appears to perform well, future development will be needed to develop a more efficient threshold authenticated encryption scheme using hybrid problems.

Phase 3 :
Verifying and decrypting messageUpon receiving () from the sender, out of recipients execute the following steps to verify and recover the message: 1.From the individual secret key ( ) and ( ), each of them calculates along with the public identity to the other participants through a secure channel.2. After all participants receive and from the other participants, they calculate

Table 1 :
Secret and public keys for sender and receivers

Threshold authenticated encryption scheme 1505TABLE 2 .
Performance of the proposed authenticated encryption scheme