Cryptanalysis of publicly verifiable authenticated encryption.

TLDR: Ma and Chen as discussed by the authors proposed a new authenticated encryption scheme with public verifiability, which does not satisfy three security properties: unforgeability, confidentiality and non-repudiation.

Abstract: Ma and Chen proposed a new authenticated encryption scheme with public verifiability. This scheme requires less computational costs and communication overheads than the conventional signature-then-encryption approaches. In this letter, we show that the Ma-Chen scheme does not satisfy three security properties: unforgeability, confidentiality and non-repudiation. Introduction: For electronical commercial applications, evidence of possession of documents is especially important. A digital signature is analogous to an ordinary hand-written signature and establishes both of signer authenticity and data integrity assurance. However, it is necessary to keep commercial documents confident to protect the privacy of users in many applications. One simple way to implement such authenticated encryption scheme is to sign and encrypt message separately, first-sign-then-encrypt or first-encrypt-then-sign. This way perhaps results in separation of signature and ciphertext. Other way is to combine signature and encryption together in order to reduce the amount of computational cost and communication overheads. In 1997, Zheng proposed two new combined schemes [1], called signcryption scheme, in which message encryption and digital signature are simultaneously fulfilled in a logically single step. Besides some security shortcomings [2, 3], the Zheng schemes are not efficient as a zero-knowledge proof is required in its non-repudiation protocol. Recently, Ma and Chen proposed a new authenticated encryption scheme with public verifiability [4]. They claimed that their scheme is as efficient as the Zheng signcryption schemes with respect to both computational costs and communication overheads. In addition, their scheme has an efficient non-repudiation procedure without using a zero-knowledge proof protocol. Ma and Chen further claimed that their scheme satisfy three security properties: unforgeability, confidentiality and non-repudiation. In this letter, we would show the Ma-Chen scheme is not only erroneous but also insecure. The honest receiver cannot convince the judge that the valid signature is signed by the true signer, while the dishonest receiver can deceive the judge into believing the forged signature of any message. Moreover, if the scheme is adapted for the case of a long message, it cannot withstand the known plaintext-ciphertext attack. Belief review of the Ma-Chen scheme: Initially, two large primes p and q with q|(p – 1) and an element g ∈ Zp of order q are computed by a trusted third party (TTP for short) and are authenticated to each user. Each user i ∈{A, B} chooses a secret key xi∈ Zqand computes his public key yi = i x g mod p. He publishes yi which is 1 of 4 Tuesday , September 09, 2003