An Efficient Public-Key Dual-Receiver Encryption Scheme

Public-key dual-receiver encryption (PK-DRE) is a special kind of public-key encryption that enables two independent recipients to obtain the same plaintext from the same ciphertext. Due to its dual-receiver property, PK-DRE is quite helpful in many scenarios, such as deniable authentication, global key escrow, security puzzles, and even blockchain. To the best of our knowledge, the PK-DRE scheme proposed by Chow, Franklin, and Zhang at CT-RSA 2014 is the best one among the existing schemes in terms of security, public verifiability, and key size. In this paper, we restudy their scheme and find a new security proof that leads to a variant. The resulting PK-DRE scheme is more efficient than the original scheme in terms of ciphertext size and encryption/decryption cost, without losing CCA security in the standard model or public verifiability.

• All the existing lattice-based schemes do not support public verifiability, which enables anyone to check whether the two independent recipients can recover the same plaintext from the same ciphertext. As mentioned in [7], public verifiability is useful in many applications, such as threshold decryption.
• The key size of lattice-based schemes is usually quite large, and it is even as large as several megabytes in some cases [12]. This situation hinders the use of lattice-based PK-DRE in some storage-limited settings, such as the internet of things.
On the other hand, the scheme (we call it CFZ14 in this paper) proposed in [7] is the best one among the current pairing-based PK-DRE schemes in terms of security level and computational cost. The detailed comparison can be found in Section II. In this paper, we restudy CFZ14, especially its security proof. We find another way to prove the security of CFZ14, which leads us to a variant of CFZ14. In particular, according to our new security proof, we can remove $g^r$ from the ciphertext and obtain a more efficient PK-DRE scheme in terms of ciphertext size and encryption/decryption cost. As a result, our variant of CFZ14 would be the best one among the current pairing-based PK-DRE schemes instead of CFZ14.
The rest of this paper is organized as follows. In Section II, we summarize the existing PK-DRE schemes. Section III reviews the definition and security model of public-key dual-receiver encryption and some basic background. Section IV describes the proposed variant of CFZ14 along with the original CFZ14 for comparison. After that, we present the security proof of our variant and the performance comparison with CFZ14. Finally, we conclude the paper in Section VI.

II. RELATED WORK
As mentioned before, the concept of public-key dual-receiver encryption was proposed by Diament et al. [6] at ACM CCS 2004. In the same work, they also proposed a concrete PK-DRE scheme with CCA security in the random oracle model by using the three-party key exchange protocol due to Joux [13]. Ten years later, Chow, Franklin, and Zhang [7] refined the syntax of PK-DRE and proposed the first PK-DRE scheme with CCA security in the standard model and public verifiability. Since then, many PK-DRE schemes with different properties have been proposed. For instance, Zhang et al. [8] and Patil and Purushothama [9] extended PK-DRE to the identity-based setting and the proxy re-encryption setting, respectively. However, due to the use of Waters' hash function [14], the key size and computational cost of Zhang et al.'s scheme [8] grow linearly with the bit-length of the identity. Furthermore, Patil and Purushothama's scheme [9] is only CPA-secure and does not support public verifiability.
The above PK-DRE schemes are all based on pairings, and several researchers have tried to construct PK-DRE based on lattices. The first lattice-based (identity-based) PK-DRE scheme was proposed by Zhang et al. [10], and its CCA security is obtained under the standard Learning with Errors assumption. Based on this result, Liu et al. [11] proposed two generic constructions for PK-DRE and identity-based DRE by using (weak) lattice-based programmable hash functions with high min-entropy. Recently, Liu et al. [12] improved the result in [10] and proposed the concept of hierarchical identity-based DRE along with a concrete scheme. However, none of the above lattice-based schemes support public verifiability, and all of them suffer from the large key size problem.
We give a summary of the existing DRE schemes in Table 1, where we can see that CFZ14 is the best one among the existing DRE schemes, in terms of security level, public verifiability, and key size.

III. PRELIMINARIES
In this section, we review the definition of public-key dual-receiver encryption and the corresponding security model for chosen-ciphertext attack (CCA) security. We also review some basic background related to the construction of CFZ14, including bilinear groups and strong-unforgeable one-time signatures.

A. PUBLIC-KEY DUAL-RECEIVER ENCRYPTION
Generally speaking, a public-key dual-receiver encryption (PK-DRE) scheme consists of the following four algorithms: Setup, KeyGen, Enc, and Dec.
• $\mathrm{Enc}(pp, pk_1, pk_2, m) \to ct$: On input the public parameter pp, two independent users' public keys $pk_1$ and $pk_2$, and a message m from the plaintext space M, the encryption algorithm Enc outputs a ciphertext ct.
• $\mathrm{Dec}(pp, pk_1, pk_2, sk_i, ct) \to m/\bot$: On input the public parameter pp, two independent users' public keys $pk_1$ and $pk_2$, one private key $sk_i$ ($i \in \{1, 2\}$) of the two independent users, and a ciphertext ct, the decryption algorithm Dec outputs a message m or a failure symbol $\bot$.

2) Soundness
At CT-RSA 2014, Chow, Franklin, and Zhang [7] gave the definition of soundness for PK-DRE. In particular, soundness states that any probabilistic polynomial-time (ppt) adversary, even knowing the private keys of the two independent users, can generate a ciphertext ct satisfying the following requirement only with negligible probability.

3) Security against Chosen-Ciphertext Attacks
The security model for the confidentiality of messages in PK-DRE is given by the following chosen-ciphertext attack game played between an adversary A and a challenger C.
• Setup: In this phase, the challenger C runs Setup and KeyGen to get the public parameter pp and the two independent users' key pairs $((pk_1, sk_1), (pk_2, sk_2))$, respectively. After that, the challenger C sends pp and $(pk_1, pk_2)$ to the adversary A while keeping $(sk_1, sk_2)$ secret.
• Phase 1: In this phase, the adversary A can adaptively issue queries to the two decryption oracles.
  -- $O_{d1}$: On input a ciphertext ct from the adversary A, the challenger C returns the result of $\mathrm{Dec}(pp, pk_1, pk_2, sk_1, ct)$.
  -- $O_{d2}$: On input a ciphertext ct from the adversary A, the challenger C returns the result of $\mathrm{Dec}(pp, pk_1, pk_2, sk_2, ct)$.
• Challenge: Once the adversary A decides to close Phase 1, it sends the challenger C two messages $m_0$ and $m_1$ of the same length from the plaintext space M. The challenger C returns $\mathrm{Enc}(pp, pk_1, pk_2, m_b)$ to the adversary A as the challenge ciphertext $ct^*$, where b is a random bit chosen by the challenger C.
• Phase 2: This phase is the same as Phase 1, except that the challenge ciphertext $ct^*$ cannot be issued to the decryption oracles.
• Guess: The adversary A outputs a guess $b'$ of b. If $b' = b$, then the adversary wins the game.
Note that there is only one decryption oracle in [7] due to the soundness property. However, we list both decryption oracles of the two independent users for ease of understanding.
Definition 1 (CCA Security): We say a PK-DRE scheme is chosen-ciphertext secure (CCA-secure) if for all ppt adversaries A, the advantage of winning the CCA game

B. BILINEAR GROUPS
Assume that G and $G_t$ are two cyclic groups of prime order q. We say G and $G_t$ are bilinear groups if they are equipped with an admissible bilinear map $\hat{e}$ satisfying the bilinearity property for all $a, b \in \mathbb{Z}_q^*$ and any $g_1, g_2 \in G$. For convenience, we denote by BSetup an algorithm that takes the security parameter $\lambda$ as input and outputs the parameters of the bilinear groups $(G, G_t, q, g, \hat{e})$, where $q \in \Theta(2^\lambda)$ and g is a generator of G.
The security proof of our variant is based on the DBSDH (decisional bilinear square Diffie-Hellman) assumption in bilinear groups [15], which is stated as follows. Given $g, h, g^a \in G$ and $T \in G_t$, it is hard to decide whether $T = \hat{e}(g, h)^{a^2}$. It is easy to see that the DBSDH assumption is a special case of the decisional 2-wBDHI* assumption proposed in [16].
The security proof of the original CFZ14 is based on the DBDH (decisional bilinear Diffie-Hellman) assumption in bilinear groups. In particular, given $g, g^a, g^b, g^c \in G$ and $T \in G_t$, it is hard to decide whether $T = \hat{e}(g, g)^{abc}$.
Although the DBSDH assumption is stronger than the DBDH assumption, it has been shown that the CBSDH (computational bilinear square Diffie-Hellman) assumption and CBDH (computational bilinear Diffie-Hellman) assumption are equivalent [15].

C. ONE-TIME SIGNATURE
Except that the key pair should be used only once, a one-time signature (OTS) scheme is almost the same as a regular digital signature scheme. It also consists of the following three algorithms: OTS.G, OTS.S, and OTS.V.
Strong Unforgeability. The strong unforgeability of a digital signature scheme states that the adversary cannot output any new valid signature on any message without knowing the corresponding signing key, even if the underlying message has been signed before. Strong-unforgeable one-time signatures are usually applied to obtain CCA security for public-key encryption [17].

IV. PROPOSED VARIANT OF CFZ14
In this section, we give the description of our variant of CFZ14 along with the description of the original CFZ14. In particular, we give them in Table 2, where we highlight the differences between the two schemes for easy clarification.

A. CORRECTNESS
The correctness of our variant can be obtained due to the following equations.

KeyGen (Table 2): Input: pp. Output: defined in terms of $(x_i, y_i)$, random numbers from $\mathbb{Z}_q^*$, with $u_i = g^{x_i}$ and $v_i = g^{y_i}$.

C. CCA SECURITY OF OUR VARIANT
Theorem 1: If the underlying one-time signature is strong-unforgeable and the DBSDH assumption holds, then our variant of CFZ14 described in Table 2 is a CCA-secure PK-DRE scheme.
Proof: Assume that there is an adversary A breaking the CCA security of our variant. Then we can build an algorithm S solving the DBSDH problem, i.e., on input the DBSDH tuple $(g, h, g^a, T)$, S decides whether $T = \hat{e}(g, h)^{a^2}$.
• Setup: S sets $pp = (G, G_t, q, g, \hat{e}, \mathrm{OTS})$, $u_i = (g^a)^{\alpha_i}$, and $v_i = u_i^{-vk^*} \cdot g^{\beta_i}$ for all $i \in \{1, 2\}$, where $\alpha_i$ and $\beta_i$ are random numbers from $\mathbb{Z}_q^*$, and $(vk^*, sk^*) \leftarrow \mathrm{OTS.G}(1^\lambda)$. Note that S implicitly sets $x_i = a \cdot \alpha_i \bmod q$ and $y_i = a \cdot \alpha_i \cdot (-vk^*) + \beta_i \bmod q$ without knowing their concrete values.
• Phase 1: The adversary A can adaptively issue queries to the following two oracles.
  -- $O_{d1}$: On input a ciphertext $ct = (vk, \pi_1, \pi_2, \pi, \sigma)$ from the adversary A, S first checks the validity of the ciphertext as in the real execution. If it is invalid, it simply aborts; otherwise, S responds as follows.
    * If $vk = vk^*$, it aborts and reports failure.
  -- $O_{d1}$: The input ciphertext ct cannot be $ct^*$.
  -- $O_{d2}$: The input ciphertext ct cannot be $ct^*$.
• Guess: The adversary A outputs a guess $b'$ of b. If $b' = b$, then S decides that $T = \hat{e}(g, h)^{a^2}$; otherwise, S decides that $T \neq \hat{e}(g, h)^{a^2}$.
The above simulation works well if the decryption oracles and the challenge oracle work well, which is analyzed as follows.
• Decryption oracles. Regarding the case of $vk = vk^*$, it means that the adversary can produce a valid signature without knowing the corresponding signing key, which is clearly against the strong unforgeability of the underlying one-time signature scheme. Hence, the case of $vk = vk^*$ happens with probability at most $\epsilon_{\mathrm{OTS}}$, where $\epsilon_{\mathrm{OTS}}$ is the advantage of the adversary in breaking the strong unforgeability of the underlying one-time signature scheme.
Regarding the case of $vk \neq vk^*$, we just need to show that $\delta = (g^a)^r$ holds.
• Challenge oracle. If $T = \hat{e}(g, h)^{a^2}$, then the challenge ciphertext is a valid (well-formed) ciphertext due to the following equations, and the adversary can get the right b with probability at most $\epsilon$, where $\epsilon$ is the advantage of the adversary in breaking the CCA security of our variant.
Otherwise, $\pi_1^*$ and $\pi_2^*$ have nothing to do with $m_b$. Hence, in this case, the adversary can get the right b with probability 1/2.
As a result, if there is an adversary A breaking the CCA security of our variant, the algorithm S built as above can solve the DBSDH problem with advantage at least $\epsilon - \epsilon_{\mathrm{OTS}}$.
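The following derivation is added here and is not part of the original paper; it spells out the algebra behind the Setup step of the simulation and why both $\pi_1$ and $\pi_2$ are needed to recover $\delta = (g^a)^r$. It assumes, as in CFZ14, that $\pi_i = (u_i^{vk} v_i)^r$ for the encryption randomness $r$ (with $vk$ read as an element of $\mathbb{Z}_q$, as the exponent $u_i^{vk}$ already requires), and that the DBSDH element $h$ plays the role of $g^r$ in the challenge; neither is spelled out in the text above.

With $x_i = a\alpha_i$ and $y_i = -a\alpha_i vk^* + \beta_i$ as implicitly set by S:
$$u_i^{vk} v_i = g^{x_i \cdot vk + y_i} = (g^a)^{\alpha_i (vk - vk^*)} \cdot g^{\beta_i}, \qquad i \in \{1, 2\}.$$

Decryption queries with $vk \neq vk^*$: here $\pi_i = (g^a)^{r \alpha_i (vk - vk^*)} \cdot (g^r)^{\beta_i}$, and S knows $\alpha_i$, $\beta_i$, $vk$ and $vk^*$ but neither $a$ nor $r$. The unknown $g^r$ factor cancels between the two components:
$$\frac{\pi_1^{\beta_2}}{\pi_2^{\beta_1}} = (g^a)^{r (vk - vk^*)(\alpha_1 \beta_2 - \alpha_2 \beta_1)},$$
so
$$\delta = (g^a)^r = \left(\frac{\pi_1^{\beta_2}}{\pi_2^{\beta_1}}\right)^{\left((vk - vk^*)(\alpha_1 \beta_2 - \alpha_2 \beta_1)\right)^{-1} \bmod q}.$$
The exponent is invertible because $vk \neq vk^*$ and $\alpha_1 \beta_2 \neq \alpha_2 \beta_1$, the latter failing only with negligible probability over the random choice of $\alpha_i, \beta_i$. A single component $\pi_1$ does not suffice without $g^r$, which is exactly why this proof uses $\pi_1$ and $\pi_2$ where the CFZ14 proof used $c = g^r$.

Challenge with $vk = vk^*$: the $(g^a)$ factor vanishes and $u_i^{vk^*} v_i = g^{\beta_i}$, so S can compute $\pi_i^* = h^{\beta_i}$ from the DBSDH tuple without knowing $a$ or $r$.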
Note that, in the CCA security proof of CFZ14 [7], $c = g^r$ and $\pi_1 = (u_1^{vk} v_1)$ are used to simulate the decryption oracle without using $\pi_2$. However, in our proof, we make use of $\pi_1$ and $\pi_2$ to do the decryption.

V. PERFORMANCE EVALUATION
We give the comparison between the original CFZ14 and our variant in Table 3, where $T_p$, $T_{e,G}$, $T_{e,G_t}$, $T_{me,G}$, $T_{m,G}$, $T_{m,G_t}$, and $T_{d,G_t}$ denote the computational cost of a pairing, an exponentiation in G, an exponentiation in $G_t$, a multi-exponentiation in G, a multiplication in G, a multiplication in $G_t$, and a division in $G_t$, respectively, and $L_G$, $L_{G_t}$, and $L_{\mathbb{Z}_q^*}$ are the bit lengths of an element of G, $G_t$, and $\mathbb{Z}_q^*$, respectively. From Table 3, we can see that our variant achieves almost the same security level as the original CFZ14, except that the CCA security in the standard model is obtained under a slightly stronger complexity assumption (DBSDH vs. DBDH).
From Table 3, we can also note that the main advantages of our variant over the original CFZ14 are the ciphertext size and encryption/decryption cost. In particular, the ciphertext size is reduced by an element in G, the encryption cost is reduced by an exponentiation in G, and the decryption cost is reduced by two pairings. Note that we ignore the storage and computational cost due to the underlying one-time signature scheme in Table 3, since the original CFZ14 and our variant are the same for this part.
To show the advantages of our variant in storage and computational cost more clearly, we also implemented the original CFZ14 and our variant using the Java Pairing-Based Cryptography Library [18]. Both schemes are implemented in two versions: one strictly follows the description of the scheme, and the other uses some optimization methods, such as pre-computation and pre-processing. The underlying curve used in our experiments is Type A, and all the experiments were conducted on Windows 10 Pro running on a machine with an Intel(R) Core(TM) i5-7300HQ CPU @ 2.50GHz and 16.0GB RAM. All the values in Table 4 are averages over 100 runs. Note that we still omit the cost due to the underlying one-time signature scheme. From Table 4, the encryption and decryption cost of our variant is at most about 75% of that of CFZ14, whether or not the optimization methods are applied. Furthermore, the ciphertext size of our variant is only 75% of that of CFZ14. As a result, it is fair to say that our variant is more efficient than the original CFZ14.

VI. CONCLUSION
In this paper, we have revisited a PK-DRE scheme, CFZ14, particularly its security proof. We found that the original security proof in [7] only utilizes $g^r$ and $\pi_1$, without using $\pi_2$. We also observed that the security proof can be carried out using $\pi_1$ and $\pi_2$ under the DBSDH assumption. Based on this observation, we proposed a variant of CFZ14. The experimental results show that our variant is more efficient than the original CFZ14 in terms of storage and computational cost. Our variant can also be extended to dual-receiver KEM and threshold PK-DRE like the original CFZ14, which we omit in this paper as the underlying methods are the same.

Table 3 (computational cost, as recovered):
        CFZ14                                                   Our variant
Enc     $T_p + T_{e,G} + 2T_{me,G} + T_{e,G_t} + T_{m,G_t}$     $T_p + 2T_{me,G} + T_{e,G_t} + T_{m,G_t}$
Dec     $5T_p + 2T_{e,G} + 2T_{m,G} + T_{e,G_t} + T_{d,G_t}$    $3T_p + 2T_{e,G} + 2T_{m,G} + T_{e,G_t} + T_{d,G_t}$
