An Improvement of the Ateniese’s Verifiable Encryption Protocol

Verifiable encryption is a primitive that can be used to build extremely efficient fair exchange protocols in which the exchanged items are digital signatures. Such protocols may be used to digitally sign contracts over the Internet. This paper presents an efficient protocol for verifiable encryption of digital signatures that improves the security and efficiency of the verifiable encryption scheme of Ateniese. Our protocol can also be applied to group signatures, key escrow and publicly verifiable secret and signature sharing, where it is used to prove fairness.
 
The author is presently at “Centre for Quantifiable Quality of Service in Communication Systems” (Q2S), NTNU, Trondheim, Norway. The centre is appointed Centre of Excellence by The Research Council of Norway. It is financed by the Research Council, NTNU and UNINETT, and supported by Telenor.


Introduction
Exchanging messages over the Internet is becoming a major business opportunity. Electronic commerce usually involves two mutually distrusting parties exchanging one message for another, for instance an electronic check for an electronic ticket. Specialized applications include contract signing, electronic purchase and certified electronic mail delivery. In simultaneous contract signing, Alice and Bob have agreed on a contract, but neither wishes to sign unless the other signs as well. Face to face this is easily solved: both sign the contract simultaneously. Unfortunately, simultaneity cannot be achieved in the discrete world. It is therefore natural that many researchers have focused their attention on the fair exchange of digital signatures.
There have been several approaches to the fair exchange problem, depending on the definition of fairness on which they are based. In (Even et al., 1985), fairness is interpreted as equal computational effort: both Alice and Bob generate a signature of the contract and then communicate by taking turns, sending their signatures to each other bit by bit. Recently, (Asokan et al., 2000) and (Bao et al., 1998) have presented protocols for the optimistic exchange of commonly used digital signature schemes. Both show that it is possible to build fair exchange protocols by means of what the authors of (Asokan et al., 2000) call verifiable encryption of digital signatures: a signature is encrypted under a designated public key, and the resulting ciphertext is then proved to indeed contain such a signature. The authors of (Camenisch and Damgaard, 2000) and (Camenisch and Shoup, 2003) show how to generalize the scheme in (Asokan et al., 2000), achieving more efficient schemes that can be proved secure without relying on random oracles. The fair exchange protocol using verifiable encryption was proposed independently by Ateniese (Ateniese, 2000) and by Bao, Deng and Mao (Bao et al., 1998). These protocols apply ad-hoc techniques to achieve fairness via a specific encryption scheme that conforms to a given signature scheme. Unfortunately, the scheme proposed in (Ateniese, 2000) lacks any formal security analysis.
In this paper we improve the security and efficiency of the verifiable encryption protocol of Ateniese (Ateniese, 2000), thus providing a valid primitive of interest for designing fair exchange protocols (Asokan et al., 1997). The security of our verifiable encryption protocol follows from the security of the underlying signature scheme, a modification of the Cramer-Shoup digital signature scheme (Cramer and Shoup, 2000). We prove that the underlying signature scheme is secure against an adaptively chosen message attack. We also show that our protocol can be applied to construct group signatures, key escrow and publicly verifiable secret and signature sharing.
The remainder of this paper is organized as follows. In the next section, we review some cryptographic tools necessary for the subsequent design of our verifiable encryption protocol. Then, we present our verifiable encryption protocol in Section 3. Furthermore, we discuss some applications of our protocol in Section 4. Finally, Section 5 concludes the paper.

Preliminaries
We assume that each communicating party has the ability to generate and verify digital signatures. In this section we present signature schemes allowing a prover to convince a verifier of the equality of discrete logarithms (Ateniese, 2000). The problem is, given $g_1^x$, $g_2^x$ and a message $m$, to generate a signature on $m$ and, at the same time, to show that $\log_{g_1} g_1^x = \log_{g_2} g_2^x$ without revealing any useful information about $x$ itself. We denote an instance of this signature technique by EDLOG$(m; g_1^x, g_2^x; g_1, g_2)$. We make use of so-called proof of knowledge systems, which allow demonstrating knowledge of a secret such that no useful information is revealed in the process. Namely, we define Schnorr-like signature schemes (Schnorr, 1991) in order to show knowledge of relations among secrets. Essentially, these are signature schemes based on proofs of knowledge performed non-interactively using an ideal hash function $H$ (à la Fiat-Shamir (Fiat and Shamir, 1987)).
Let $G_q$ denote the unique subgroup of $\mathbb{Z}_p^*$ of order $q$. The parameters $p, q$ are primes such that $q$ divides $p - 1$, for instance $p = 2q + 1$. Let $g, h \in G_q$ be publicly known bases. The prover selects a secret $x \bmod q$ and computes $y_1 = g^x$ and $y_2 = h^x$. The prover must convince the verifier that $y_1$ and $y_2$ have the same discrete logarithm with respect to $g$ and $h$. The protocol, described by Chaum and Pedersen (Chaum and Pedersen, 1992), runs as follows:
1. The prover randomly chooses $t \in \mathbb{Z}_q$ and sends $(a, b) = (g^t, h^t)$ to the verifier.
2. The verifier chooses a random challenge $c \in \mathbb{Z}_q$ and sends it to the prover.
3. The prover sends $s = t - cx \pmod q$ to the verifier. The verifier accepts the proof if $a = g^s y_1^c$ and $b = h^s y_2^c$.
To turn the protocol above into a signature on an arbitrary message $m$, the signer computes the pair $(c, s)$ with the challenge $c$ obtained from a suitable hash function $H$ instead of from the verifier. To verify the signature $(c, s)$ on $m$, it is sufficient to check whether the received $c$ equals the value recomputed from $m$ and $s$.
In this paper we work in the subgroup of all quadratic residues modulo $n$, denoted by $QR(n)$. We select $n$ as the product of two safe primes $p$ and $q$, i.e., $p = 2p' + 1$ and $q = 2q' + 1$ with $p', q'$ prime. Note that $QR(n)$ is then a cyclic group of order $p'q'$. The symbol $\|$ denotes the concatenation of two binary strings (or of the binary representations of group elements and integers).
Actually, the same signature scheme works properly even when the signer works over a cyclic subgroup $G = \langle g \rangle$ of $\mathbb{Z}_n^*$ whose order $\#G = p'q'$ is unknown but whose bit-length $l_G$ is publicly known. We make use of a hash function $H: \{0,1\}^* \to \{0,1\}^k$, which maps a binary string of arbitrary length to a $k$-bit hash value. In the next definition we show knowledge and equality of two discrete logarithms.

DEFINITION 1. Let $\varepsilon > 1$ be a security parameter. A pair $(c, s)$ for which $c$ equals the hash of $m$ together with $y_1^c g^s$ and $y_2^c h^s$ is a signature of a message $m \in \{0, 1\}^*$ with respect to $y_1$ and $y_2$ and is denoted EDLOG$(m; g^x, h^x; g, h)$.
A signature $(c, s)$ of a message $m \in \{0, 1\}^*$ can be computed as follows. An entity knowing the secret key $x$ is able to compute the signature $(c, s)$, provided that $x = \log_g y_1 = \log_h y_2$, by choosing a random $t \in \pm\{0, 1\}^{l_G + k}$ and then computing $c$ and $s$ from it. A way of proving the security of the signature scheme above is via the oracle replay technique formalized by Pointcheval and Stern in (Pointcheval and Stern, 1996). Suppose now that $g$ and $h$ have different orders, $q_1$ and $q_2$ respectively. Then, given two elements $y_1 = g^x$ and $y_2 = h^x$ of different groups $G_1 = \langle g \rangle$, $G_2 = \langle h \rangle$, the verifier can only conclude that the signer knows a value $x$ such that $x \bmod q_1 = \log_g y_1$ and $x \bmod q_2 = \log_h y_2$. However, it is possible to prove that a secret $x$ lies in a specific interval; more precisely, given $g^x$ with $-2^l < x < 2^l$ for an integer $l$, it is possible to prove that $x$ lies in the extended interval $[-2^{l+k}, 2^{l+k}]$. Hence, we can build a signature scheme showing that $\log_g y_1 = \log_h y_2$ in $\mathbb{Z}$ by combining the scheme for showing knowledge of a value $x$ with $x \bmod q_1 = \log_g y_1$ and $x \bmod q_2 = \log_h y_2$ with the scheme for showing that $-2^{l+k} < x < 2^{l+k}$. Clearly, this can be done only if the length $l$ can be chosen such that $2^{(l+k)+1} < \min\{q_1, q_2\}$, where $q_1, q_2$ are the orders of $g$ and $h$, respectively. This idea is formalized in (Camenisch and Michels, 1999), where Camenisch and Michels propose a concrete protocol for proving equality of discrete logarithms from different groups. Their protocol is mostly based on a technique developed by Fujisaki and Okamoto (Fujisaki and Okamoto, 1998). To give a concrete example of how one can show that $x$ lies in the extended interval $[-2^{l+k}, 2^{l+k}]$, we present a signature scheme derived from a protocol due to Chan, Frankel and Tsiounis (Chan et al., 1998) and Camenisch and Michels (Camenisch and Michels, 1998) (see Definition 2). The scheme can trivially be extended to the more general interval $[X - 2^{l+k}, X + 2^{l+k}]$ for a given integer $X$.
This shows knowledge of the discrete logarithm of $y = g^x$ with respect to the base $g$ and that this logarithm lies in $[-2^{l+k}, 2^{l+k}]$.
To produce $(c, s)$, the signer in possession of the secret $x = \log_g y \in [-2^l, 2^l]$ chooses a random $t \in \pm\{0, 1\}^{l+k}$ and then computes $c$ and $s$ from it. The underlying interactive protocol is proved to be a proof of knowledge under the Strong RSA assumption.
The Strong RSA assumption was independently introduced by Baric and Pfitzmann (Baric and Pfitzmann, 1997) and by Fujisaki and Okamoto (Fujisaki and Okamoto, 1997). It strengthens the widely accepted RSA assumption, that finding $e$-th roots modulo $n$ for a public and thus fixed exponent $e$ is hard, to the assumption that finding an $e$-th root modulo $n$ for any $e > 1$ is hard.
DEFINITION 3 (Strong RSA Problem). Let $n = pq$ be an RSA-like modulus and let $G$ be a cyclic subgroup of $\mathbb{Z}_n^*$ of order $l_g$. Given $n$ and $z \in G$, the Strong RSA Problem consists of finding $w \in G$ and $v \in \mathbb{Z}_{>1}$ satisfying $z \equiv w^v \pmod n$.
Assumption 1 (Strong RSA Assumption). There exists a probabilistic polynomial-time algorithm $\mathcal{K}$ which on input $1^{l_g}$ outputs a pair $(n, z)$ such that for all probabilistic polynomial-time algorithms $\mathcal{P}$, the probability that $\mathcal{P}$ solves the Strong RSA Problem is negligible.

The Verifiable Encryption Protocol
We note that our improvement refers to Ateniese's protocol (Ateniese, 2000), which is based on the signature scheme of Cramer and Shoup (Cramer and Shoup, 2000).
Let Alice and Bob be two users willing to exchange digital signatures on a message $m$. We make use of a trusted third party that is only involved in case of dispute, i.e., the trusted third party takes part in the protocol only if one user cheats or simply crashes. Let $T$ be the trusted third party, let $P_U(m)$ denote the encryption of the message $m$ with $U$'s public key, and let $S_U(m)$ denote the signature generated by $U$ on a message $m$. Alice generates a signature $S_A(m)$ and sends it encrypted to Bob by computing $C(S_A(m)) = P_T(S_A(m))$. The problem is that Alice must prove to Bob that the signature is valid and that $T$ is able to recover $S_A(m)$ from $C(S_A(m))$.
In our protocol, $P_U$ is the ElGamal encryption scheme and $S_U$ is a modification of the Cramer-Shoup digital signature scheme (Cramer and Shoup, 2000). That is, given a secret key $x$ and a corresponding public key $y = g^x \pmod n$, a message $m$ is encrypted by generating a random $r$ and computing the ElGamal ciphertext pair (written out in step 1 of the protocol below). First, we describe the modification of the Cramer-Shoup digital signature scheme (Cramer and Shoup, 2000). Let $\varepsilon > 1$ be a security parameter and let $l_p$, $l_{\lambda_1} > l_{\lambda_2}$, $l_{\gamma_1} > l_{\gamma_2}$ denote lengths, from which the integral ranges $\Lambda$ and $\Gamma$ are defined. Finally, let $H: \{0, 1\}^* \to \Lambda$ be a collision-resistant hash function.
To generate her public and secret keys, Alice runs the following algorithm:
1. Select random secret $l_p$-bit primes $p', q'$ such that both $p = 2p' + 1$ and $q = 2q' + 1$ are also prime. Set the modulus $n = pq$.
2. Choose two random elements $a, a_0 \in QR(n)$.
3. The public key consists of the tuple $(n, a, a_0, H)$.
4. The corresponding secret key consists of $(p', q')$.
To sign a message $m \in \{0, 1\}^*$, Alice uses the signing algorithm of this scheme; the resulting signature is a triple $(u, e, r)$. In order to make the verifiable encryption of this modified Cramer-Shoup signature efficient, we make use of an initialization phase (Ateniese, 2000) by which the user and the trusted third party $T$ agree on common parameters.
The initialization phase is as follows:
1. Alice sends $(n, a, a_0, H)$ to $T$, along with a certificate $\mathrm{Cert}_A$ (Alice's certificate).
2. $T$ verifies that $(n, a, a_0, H)$ is the public key of Alice and randomly selects a $g \in QR(n)$ and a secret random element $x$, computing $y = g^x \pmod n$. The trusted third party $T$ signs and sends back $\mathrm{Cert}_{TA} = S_T(g, y = g^x, ID_A, (n, a, a_0, H))$, where $ID_A$ is the identity information of the user Alice.

Alice thus obtains the certificate $\mathrm{Cert}_{TA}$, with $g$ of order $p'q'$.
The protocol for verifiable encryption is as follows:
1. Alice encrypts the signature $(u, e, r)$ using the ElGamal encryption scheme with public key $y = g^x \pmod n$ as follows. She selects a random $r$ and computes $c_1 = u y^r \pmod n$ and $c_2 = g^r \pmod n$, and shows that $\log_{y^e} y^{er} = \log_g g^r$ via EDLOG$(m; y^{er}, g^r; y^e, g)$. Then Alice sends $e, r, c_1, c_2$ and $\mathrm{Cert}_{TA}$ to Bob.
2. Bob verifies $\mathrm{Cert}_{TA}$ and checks that $e \in \Gamma$ and $r \in \Lambda$.

Bob computes $B = H(m \| e \| r)$ and $W$, verifies the EDLOG signature (Definition 1), and ends the protocol if these checks succeed.
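As an added worked example (not code from the paper), the following Python 3.8+ program runs the protocol above end to end with toy-size parameters: Alice's modified Cramer-Shoup keys and signature $(u, e, r)$, the EDLOG signature of Definition 1 over the unknown-order group $QR(n)$, Alice's ElGamal encryption of $u$ under $T$'s key, Bob's check, and $T$'s recovery of $u$. The ranges $\Lambda$ and $\Gamma$, the 22-bit modulus, the encoding inside $H$ and Bob's check $W = c_1^e / (a^B a_0) = y^{e\rho}$ are our own choices (the paper's definition of $W$ is not legible here); certificates and $T$'s signature on $(g, y)$ are omitted.

```python
import hashlib, random

# Toy parameters (our own choice): Lambda = [0, 2^16) for hash values and r,
# Gamma = primes in [2^17, 2^18), so e > B + r always holds; l_G = 21 bits.
K_BITS, E_LO, E_HI, LG_BITS = 16, 1 << 17, 1 << 18, 21
P, Q = 2039, 2063   # constructed safe primes 2*1019+1 and 2*1031+1; n = P*Q

def is_prime(n):    # trial division is enough at toy size
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def H(*parts):      # H(m || e || r || ...) truncated to k = K_BITS bits
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - K_BITS)

def keygen(rng):    # Alice: n = pq, a, a0 in QR(n); secret is the order p'q' of QR(n)
    n = P * Q
    a, a0 = (pow(rng.randrange(2, n), 2, n) for _ in range(2))
    return (n, a, a0), (P - 1) // 2 * ((Q - 1) // 2)

def sign(pk, order, m, rng):   # (u, e, r): u = (a^B a0)^(1/e) mod n, B = H(m||e||r)
    n, a, a0 = pk
    e = 4
    while not is_prime(e):     # random prime e in Gamma (cf. Remark 1)
        e = rng.randrange(E_LO, E_HI) | 1
    r = rng.getrandbits(K_BITS)
    return pow(pow(a, H(m, e, r), n) * a0, pow(e, -1, order), n), e, r

def verify(pk, m, sig):        # u^e = a^B a0 mod n, e prime in Gamma, r in Lambda
    (n, a, a0), (u, e, r) = pk, sig
    return (E_LO <= e < E_HI and is_prime(e) and 0 <= r < 1 << K_BITS
            and pow(u, e, n) == pow(a, H(m, e, r), n) * a0 % n)

def edlog_sign(m, g1, g2, x, n, rng):   # EDLOG(m; g1^x, g2^x; g1, g2), s over Z
    y1, y2 = pow(g1, x, n), pow(g2, x, n)
    t = rng.randrange(-(1 << (LG_BITS + K_BITS)), 1 << (LG_BITS + K_BITS))
    c = H(m, g1, g2, y1, y2, pow(g1, t, n), pow(g2, t, n))
    return c, t - c * x

def edlog_verify(m, y1, y2, g1, g2, n, c, s):   # recompute c from y1^c g1^s, y2^c g2^s
    return c == H(m, g1, g2, y1, y2, pow(y1, c, n) * pow(g1, s, n) % n,
                  pow(y2, c, n) * pow(g2, s, n) % n)

def alice_encrypt(pk, m, sig, g, y, rng):   # step 1 (the paper writes r for rho too)
    n, (u, e, r) = pk[0], sig
    rho = rng.getrandbits(LG_BITS - 1)
    c1, c2 = u * pow(y, rho, n) % n, pow(g, rho, n)   # ElGamal: c1 = u y^rho, c2 = g^rho
    return (e, r, c1, c2), edlog_sign(m, pow(y, e, n), g, rho, n, rng)

def bob_check(pk, m, enc, proof, g, y):   # step 2; W = c1^e/(a^B a0) is our reconstruction
    (n, a, a0), (e, r, c1, c2) = pk, enc
    if not (E_LO <= e < E_HI and is_prime(e) and 0 <= r < 1 << K_BITS):
        return False
    W = pow(c1, e, n) * pow(pow(a, H(m, e, r), n) * a0, -1, n) % n   # should be y^(e rho)
    return edlog_verify(m, W, c2, pow(y, e, n), g, n, *proof)

def demo(seed=7, tamper=False):
    rng = random.Random(seed)
    pk, order = keygen(rng)
    n = pk[0]
    g, x = pow(rng.randrange(2, n), 2, n), rng.getrandbits(LG_BITS - 1)  # T's g and x
    y = pow(g, x, n)                          # T's public key; Cert_TA signing omitted
    m = "contract: Alice sells Bob one widget"                           # constructed
    sig = sign(pk, order, m, rng)
    (e, r, c1, c2), proof = alice_encrypt(pk, m, sig, g, y, rng)
    if tamper:                                # c1 no longer hides a signature on m
        c1 = c1 * 2 % n
    accepted = bob_check(pk, m, (e, r, c1, c2), proof, g, y)
    recovered = (c1 * pow(c2, -x, n) % n, e, r)   # T strips ElGamal: u = c1 / c2^x
    return accepted, verify(pk, m, recovered)
```

`demo(tamper=True)` shows Bob rejecting a ciphertext that no longer hides a valid signature, and $T$ then recovering nothing useful.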
REMARK 1. The signer must generate a random prime $e$ from the interval $\Gamma$ with each signature. These primes need not be chosen uniformly at random among the primes; the only requirement is that the probability of generating two equal primes be negligible (for more details, see (Cramer and Shoup, 2000)). To generate these primes efficiently we use the Miller-Rabin test (Rabin, 1980) for primality. Suppose we choose random numbers from the interval $\Gamma$ until we find one that passes a number of trial divisions and a single Miller-Rabin test. The Miller-Rabin tests reject some composite numbers that pass the trial division test. Once we have found a number that passes a single Miller-Rabin test, we perform a number of additional Miller-Rabin tests to reduce the error probability sufficiently.
The security of our verifiable encryption protocol follows from the security of the underlying signature scheme. Next, we prove that the modification of the Cramer-Shoup digital signature scheme (Cramer and Shoup, 2000) is secure against an adaptively chosen message attack. Similarly to (Gennaro et al., 1999), we require that:
• for every collision-resistant hash function $H$, all primes $e \in \Gamma$ and every two messages $m_1$ and $m_2$, the distributions of $H(m_1 \| e \| r)$ and $H(m_2 \| e \| r)$ induced by the random choice of $r$ are statistically close;
• the Strong RSA Assumption holds in a world where there exists an oracle that on input a message $m$, a prime $e \in \Gamma$ and a $B \in \Lambda$ outputs an $r \in \Lambda$ such that $B = H(m \| e \| r)$.
Theorem 1. The signature scheme presented above is secure against an adaptively chosen message attack under the Strong RSA Assumption and the assumption that $H$ is a collision-resistant hash function satisfying the above conditions.
Proof. This is derived from the proof in (Ateniese et al., 2000). Assume that the attacker $\mathcal{A}$ queries signatures for $K$ messages and then outputs a signature $(u', e', r')$ on a message $m'$. We now show that if we take control over the hash function, then we can use this attacker to break the Strong RSA Assumption, i.e., we are given $z$ and $n$ and must find $w$ and $v$ such that $w^v \equiv z \pmod n$.
Let $((u_1, e_1, r_1), m_1), \ldots, ((u_K, e_K, r_K), m_K)$ denote the signature-message pairs constructed during the interaction with $\mathcal{A}$. In order for $\mathcal{A}$ to be successful, its output $((u', e', r'), m')$ must satisfy $(u', e', r') \neq (u_i, e_i, r_i)$ for $1 \le i \le K$. Depending on whether $e'$ shares a factor with some $e_i$, there are two games to compute a pair $(w, v) \in \mathbb{Z}_n^* \times \mathbb{Z}_{>1}$ satisfying $w^v \equiv z \pmod n$; each time we play with the attacker, we choose one of them at random. As mentioned before, we assume an oracle that on input a message $m$, a prime $e \in \Gamma$ and a $B \in \Lambda$ outputs an $r \in \Lambda$ such that $B = H(m \| e \| r)$. The adversary is allowed to query this oracle as well. The first game goes as follows:
1. Select $x_1, \ldots, x_K \in \Lambda$ and primes $e_1, \ldots, e_K \in \Gamma$.
2. Set $a = z^{\prod_{1 \le l \le K} e_l} \bmod n$.
3. Choose a random $r \in \{0, 1\}^{2 l_p}$ and set $a_0 = a^r \bmod n$.
4. For all $1 \le i \le K$, compute $u_i$.
5. Start $\mathcal{A}$, feed it the $(u_i, e_i, r_i)$, where we get $r_i$ from the oracle, and eventually obtain $(B'; [u' = (a^{B'} a_0)^{1/e'} \bmod n, e', r'])$ with $B', r' \in \Lambda$ and $e' \in \Gamma$.
6. If $\gcd(e', e_j) \neq 1$ for some $1 \le j \le K$, output fail and stop. Otherwise, let $\tilde e = (B' + r) \prod_{1 \le l \le K} e_l$. Since $\gcd(e', e_j) = 1$ for all $1 \le j \le K$, we have $\gcd(e', \tilde e) = \gcd(e', B' + r)$. Hence, by the extended Euclidean algorithm, there exist $\alpha, \beta \in \mathbb{Z}$ such that $\alpha e' + \beta \tilde e = \gcd(e', B' + r)$. Therefore, letting $w = z^{\alpha} (u')^{\beta} \bmod n$ and $v = e' / \gcd(e', B' + r) > 1$ (since $e' > B' + r$), we have $w^v \equiv z \pmod n$.
The previous game is only successful if $\mathcal{A}$ returns a new signature with $\gcd(e', e_j) = 1$ for all $1 \le j \le K$. We now present a game that solves the Strong RSA Problem in the other case, that is, when $\gcd(e', e_j) \neq 1$ for some $1 \le j \le K$. Note that $\gcd(e', e_j) \neq 1$ means $\gcd(e', e_j) = e_j$ since $e_j$ is prime. The second game goes as follows:
1. Select $x_1, \ldots, x_K \in \Lambda$ and primes $e_1, \ldots, e_K \in \Gamma$.
2. Choose a random $j \in \{1, \ldots, K\}$ and set $a = z^{\prod_{1 \le l \le K;\, l \neq j} e_l} \bmod n$.
(Steps 3 to 6 of the second game are printed after the Conclusions section.)
Consequently, by playing at random one of game 1 or game 2 with $\mathcal{A}$, one can solve the Strong RSA Problem. Since the latter is assumed to be infeasible, it follows that no such attacker can exist.
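The first game of the proof above, as an added worked example (not code from the paper): the simulator's setup from a Strong RSA instance $(n, z)$, a stand-in adversary that uses the secret order of $QR(n)$ (which a real adversary lacks) to produce a forgery on a fresh prime $e'$, and the extended-Euclid extraction of step 6 yielding $(w, v)$ with $w^v \equiv z \pmod n$. The parameter sizes, the small set of primes standing in for $\Gamma$, and the use of a small $r$ so that $e' > B' + r$ holds are our own choices; the hash oracle is modelled by choosing the hash values $x_i$ and $B'$ directly, and the $u_i$ of step 4 are derived from $u_i^{e_i} = a^{x_i} a_0$.

```python
import math
import random

P, Q = 2039, 2063                    # constructed safe primes 2*1019+1 and 2*1031+1
N, ORDER = P * Q, 1019 * 1031        # n = pq and the order p'q' of QR(n)
K, LAMBDA_BITS = 3, 8                # K signing queries; Lambda = [0, 2^8)   (toy choice)
GAMMA_PRIMES = [521, 523, 541, 547]  # stand-in for Gamma: primes > max(B' + r) (toy choice)

def ext_gcd(a, b):   # (alpha, beta) with alpha*a + beta*b = gcd(a, b)
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1, y0, y1 = x1, x0 - q * x1, y1, y0 - q * y1
    return x0, y0

def game1_setup(z, rng):
    """Steps 1-4: a = z^{prod e_l}, a0 = a^r, and u_i = z^{(x_i + r) prod_{l != i} e_l}
    (the u_i follow from u_i^{e_i} = a^{x_i} a0); x_i plays the hash value B_i."""
    xs = [rng.getrandbits(LAMBDA_BITS) for _ in range(K)]
    es = rng.sample(GAMMA_PRIMES, K)
    r = rng.getrandbits(LAMBDA_BITS)            # kept small so that e' > B' + r, as in step 6
    prod = math.prod(es)
    a, a0 = pow(z, prod, N), pow(z, prod * r, N)
    us = [pow(z, (x + r) * prod // e, N) for x, e in zip(xs, es)]
    assert all(pow(u, e, N) == pow(a, x, N) * a0 % N for u, e, x in zip(us, es, xs))
    return (a, a0), r, es, list(zip(us, es, xs))

def forge_with_trapdoor(pk, b_prime, e_prime):
    """Stand-in for the adversary A: it uses the secret order of QR(n), which a real
    adversary does not have, to output u' = (a^{B'} a0)^{1/e'} for a fresh prime e'."""
    a, a0 = pk
    return pow(pow(a, b_prime, N) * a0, pow(e_prime, -1, ORDER), N)

def extract_root(z, r, es, u_prime, e_prime, b_prime):
    """Step 6: if gcd(e', e_j) = 1 for all j, return (w, v) with w^v = z mod n."""
    if any(math.gcd(e_prime, e) != 1 for e in es):
        return None                              # this case is handled by game 2
    e_tilde = (b_prime + r) * math.prod(es)      # u'^{e'} = z^{e_tilde}
    d = math.gcd(e_prime, b_prime + r)           # = gcd(e', e_tilde)
    alpha, beta = ext_gcd(e_prime, e_tilde)      # alpha e' + beta e_tilde = d
    w = pow(z, alpha, N) * pow(u_prime, beta, N) % N
    return w, e_prime // d                       # v = e'/d > 1 since e' > B' + r

def demo(seed=3):
    rng = random.Random(seed)
    z = pow(rng.randrange(2, N), 2, N)          # Strong RSA instance (n, z), z in QR(n)
    pk, r, es, _ = game1_setup(z, rng)
    e_prime = next(p for p in GAMMA_PRIMES if p not in es)   # fresh prime: coprime to all e_j
    b_prime = rng.getrandbits(LAMBDA_BITS)
    u_prime = forge_with_trapdoor(pk, b_prime, e_prime)
    w, v = extract_root(z, r, es, u_prime, e_prime, b_prime)
    return v > 1 and pow(w, v, N) == z

def demo_reused_prime(seed=3):   # a forgery on a queried e_j makes game 1 fail
    rng = random.Random(seed)
    z = pow(rng.randrange(2, N), 2, N)
    pk, r, es, sigs = game1_setup(z, rng)
    u_j, e_j, x_j = sigs[0]
    return extract_root(z, r, es, u_j, e_j, x_j) is None
```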
We compare the modification of the Cramer-Shoup signature scheme presented above to the original scheme of Cramer and Shoup (Cramer and Shoup, 2000). The public key in our signature scheme is smaller than its counterpart in Cramer-Shoup. The latter consists of a tuple $(n, h, x, e')$, where $n$ is a modulus, $h$ and $x$ are elements of $QR(n)$ and $e'$ is a prime. In contrast, our signature scheme's public key is a tuple $(n, a, a_0, H)$, where $n$ is a modulus, $a$ and $a_0$ are elements of $QR(n)$ and $H$ is a hash function which is, incidentally, also needed in a Cramer-Shoup public key. Thus, the size difference is due to the prime $e'$ in the latter. A Cramer-Shoup signature is a tuple $(y, y', e)$ where $e$ is a small prime, $y \in QR(n)$ and $y' \in \mathbb{Z}_n^*$, i.e., both are $n$-bit integers. This is about the same as for our signature scheme. The cost of signing in (Cramer and Shoup, 2000) amounts to generating a prime, computing its inverse and three exponentiations. Hence, the cost of signing is higher in (Cramer and Shoup, 2000) than in our signature scheme.
Consequently, the efficiency of our verifiable encryption protocol is better than that of the protocol in (Ateniese, 2000). For instance, compared to the scheme in (Ateniese, 2000), our verifiable encryption protocol is about half the size when the same moduli are chosen for both schemes (1200-bit composite modulus $n$, 768-bit prime modulus $p$, 160-bit prime modulus $q$ and 128-bit hash function $H$).

Applications
The presented verifiable encryption protocol has numerous applications, including fair exchange protocols, group signatures, key escrow, and publicly verifiable secret and signature sharing. For instance, in a fair exchange protocol two parties, Alice and Bob, want to exchange some valuable digital data (signatures on a contract, e-cash) in a fair way: either each party obtains the other's data or neither party does. One way to do this is by employing a trusted party $T$, but, for the sake of efficiency, with $T$ involved only in crisis situations. One approach to this problem is to have both parties verifiably encrypt their data to each other under $T$'s public key and only then reveal their data to each other. If one party backs out unexpectedly, the other can go to $T$ to obtain the required data.
In a group signature scheme (Ateniese et al., 2000), (Ateniese and de Medeiros, 2003), (Popescu, 2000), once a user has joined a group, whose membership is controlled by the group manager, the user may sign messages on behalf of the group without revealing his individual identity. However, under appropriate circumstances, the identity of the individual who actually signed a particular message may be revealed by an entity called the anonymity revocation manager. A verifiable encryption protocol may be used as a component of such a system in the following way. When a group member signs a message, he encrypts enough information under the public key of the anonymity revocation manager so that later, if the identity of the signer needs to be revealed, this information can be decrypted. To prove that this information correctly identifies the signer, he makes a Pedersen commitment to this information, proves that the committed value identifies the user, encrypts the opening of the commitment and proves that the ciphertext decrypts to an opening of the commitment.
Although one can implement group signatures without it, using verifiable encryption allows one to build a more modular system, in which the group manager and the anonymity revocation manager are separate entities with independently generated public keys.

Conclusions
In this paper we proposed a secure and efficient verifiable encryption protocol that improves Ateniese's scheme. Our protocol may be used as a building block for designing efficient fair exchange of digital signatures. Furthermore, our verifiable encryption protocol can be applied to group signatures, key escrow and publicly verifiable secret and signature sharing.

Second game, steps 3 to 6 (continuation of the proof of Theorem 1):
3. Choose a random $r \in \{0, 1\}^{2 l_p}$ and set $u_j = a^r \bmod n$ and $a_0 = u_j^{e_j} / a^{x_j} \bmod n$.
4. For all $1 \le i \le K$, $i \neq j$, compute $u_i = z^{(x_i + e_j r - x_j) \prod_{1 \le l \le K;\, l \neq i, j} e_l} \bmod n$.
5. Start $\mathcal{A}$, feed it the $(u_i, e_i, r_i)$, where we get $r_i$ from the oracle, and eventually obtain $(B'; [u' = (a^{B'} a_0)^{1/e'} \bmod n, e', r'])$ with $B', r' \in \Lambda$ and $e' \in \Gamma$.
6. If $\gcd(e', e_j) \neq e_j$, output fail and stop. Otherwise, we have $e' = t e_j$ for some $t$ and can define $b = (u')^t / u_j \bmod n$ if $B' \ge x_j$ and $b = u_j / (u')^t \bmod n$ otherwise. Hence $b \equiv (a^{|B' - x_j|})^{1/e_j} \equiv (z^{|\tilde e|})^{1/e_j} \pmod n$ with $\tilde e = (B' - x_j) \prod_{1 \le l \le K;\, l \neq j} e_l$. Since $\gcd(e_j, \prod_{1 \le l \le K;\, l \neq j} e_l) = 1$, it follows that $\gcd(e_j, |\tilde e|) = \gcd(e_j, |B' - x_j|)$. Hence, by the extended Euclidean algorithm, there exist $\alpha, \beta \in \mathbb{Z}$ such that $\alpha e_j + \beta |\tilde e| = \gcd(e_j, |B' - x_j|)$. Therefore, letting $w = z^{\alpha} b^{\beta} \bmod n$ and $v = e_j / \gcd(e_j, |B' - x_j|) > 1$ (since $e_j > |B' - x_j|$), we have $w^v \equiv z \pmod n$.