#### Abstract

In SCN12, Nieto et al. discussed an interesting property of public key encryption with chosen ciphertext security, that is, ciphertexts with public verifiability. Independently, we introduced a new cryptographic primitive, CCA-secure publicly verifiable public key encryption without pairings in the standard model (PVPKE), and discussed its application in proxy reencryption (PRE) and threshold public key encryption (TPKE). In Crypto’09, Hofheiz and Kiltz introduced the group of signed quadratic residues and discussed its application; the most interesting feature of this group is its “gap” property, while the computational problem is as hard as factoring, and the corresponding decisional problem is easy. In this paper, we give new constructions of PVPKE scheme based on signed quadratic residues and analyze their security. We also discuss PVPKE’s important application in modern information systems, such as achieving ciphertext checkable in the cloud setting for the mobile laptop, reducing workload by the gateway between the open internet and the trusted private network, and dropping invalid ciphertext by the routers for helping the network to preserve its communication bandwidth.

#### 1. Introduction

In modern information systems such as mobile wireless network, social network, open internet, and cloud computation, security is an important issue [1, 2]. Public key encryption [3] is among the most important basic tools to strengthen the whole system’s security. Along with the development of information system, the security notion for public key encryption has been strengthened. The first proposal on public key encryption, RSA, though a great breakthrough in cryptography, only achieves the security notion of one-way security [4]. In 1984, Goldwasser and Micali [5] proposed the notion of semantic security (also known as indistinguishable security (IND-CPA)). This security notion states that the challenge ciphertext needs to contain no more information than a randomly chosen ciphertext. Although it is a reasonable security notion, many applications using public key encryption as a basic tool need stronger security notion, that is, chosen ciphertext security (IND-CCA). Compared with the semantic security notion, this security notion considers that the adversary can get help from the decryption oracle (the adversary can query the decryption oracle with his chosen ciphertexts, except the challenge ciphertext which cannot be queried). Until now, many CCA-secure PKE schemes have been proposed [6–11].

Active attackers play more and more important role in breaking the security of modern information systems [1, 2]; thus chosen ciphertext security of the encryption scheme is essential for these systems. However, if the validity can only be checked by the decrypter privately with his secret key, the whole system can easily suffer from ciphertext-malleable attack. The active attackers can easily modify the right ciphertext transferred in the network to get numerous malicious ciphertexts and thus cost the precious bandwidth greatly. Although these ciphertexts can be rejected by the decrypter at the last moment, they have already caused great problem in the systems. These problems can affect the users’ feeling on using the system. Even more seriously, they cause shutting down the whole system and bring damage to the service providing corporations. If the validity of these ciphertexts can be checked publicly, the problems can be easily solved, the routers or the access infrastructure can drop these maliciously created ciphertexts, and the bandwidth has been effectively preserved [12]. As a concrete example, can you imagine, when using mobile phone for secure instant-message talking like MSN, you always have to deal with nonsense invalid ciphertexts maliciously created by active attackers? But if the access infrastructure equipped with PVPKE can help you to filter these invalid ciphertexts, you certainly will feel better. In one word, PVPKE is an important tool for smoothly running modern information systems if these systems have employed public key encryption as a basic way to achieve security.

However, researchers give little care to the property of public verifiability of the chosen ciphertext-secure ciphertexts. In bilinear map setting or by using the random oracle, public verifiability of ciphertexts coming from an IND-CCA-secure public key encryption can be easily achieved. Thus, in this paper, we care about how to construct publicly verifiable public key encryption without pairing in the standard model. Recently, in [13], we introduced an interesting cryptographic primitive: PVPKE, defined as publicly verifiable chosen ciphertext-secure public key encryption in the standard model without pairing. PVPKE is a very powerful building block to construct some other interesting cryptographic protocols and cloud computation [14, 15]. For example, it can be used to construct chosen ciphertext- (CCA-) secure threshold public key encryption (TPKE) [16–20]. In TPKE, chosen ciphertext security always requires that the distributed decryption server can check the ciphertext’s validity before decryption; otherwise some valuable information about decryption will be returned to the adversary and this will help the adversary to break the chosen ciphertext security. For another example, PVPKE can be a core block to construct chosen ciphertext-secure proxy reencryption (PRE) [21–26]. Chosen ciphertext attackers can query the delegator and delegatee’s decryption oracle arbitrarily; if invalid ciphertexts forwarded by the proxy to the delegatee have been decrypted by the delegatee, the attackers can get useful information to break CCA security. Since the proxy without secret keys needs to check the validity of the ciphertext for the delegatee before reencryption, thus public verifiability of the ciphertext seems to be an essential requirement for achieving CCA security for proxy reencryption.

In SCN12, Nieto et al. [27] discussed an interesting property of public key encryption with chosen ciphertext security, that is, ciphertexts with public verifiability. They also demonstrated an important application of this new primitive, that is, “nontrivial filtering” of an incoming IND-CCA-secure ciphertext to be an IND-CPA-secure ciphertext with reduced workload by a gateway. They formally defined (nontrivial) public variability of ciphertexts for general encryption schemes, key encapsulation mechanisms, and hybrid encryption schemes, encompassing public key, identity-based, and tag-based encryption and also gave several concrete constructions. But we also note that their constructions cannot simultaneously satisfy the four requirements on “PVPKE”: (1) chosen ciphertext-secure; (2) publicly verifiable; (3) in the standard model; (4) without pairing. Thus their work further explores PVPKE’s application but does not give concrete construction of PVPKE.

In Crypto’09, Hofheinz and Kiltz [28] introduced the group of signed quadratic residues and discussed its application; the most interesting feature of this group is its “gap” property, while the computational problem is as hard as factoring, and the corresponding decisional problem is easy. Membership in can be publicly and efficiently verified while it inherits some nice intractability properties of the quadratic residues. For example, computing square roots in is also equivalent to factoring the modulus . We therefore have a gap group, in which the corresponding decisional problem (i.e., deciding if an element is a signed square) is easy, whereas the computational problem (i.e., computing a square root) is as hard as factoring. We also can show that, in the group of signed quadratic residues, the Strong Diffie-Hellman problem is implied by the factoring assumption.

##### 1.1. Our Contribution

In [13], based on the core idea of changing the prime modular field to the composite modular field and masking the verifying secret key with secret order of the composite group and making the resulting “pseudosecret key” public, we find it is relatively easy to construct PVPKE scheme based on the Cramer-Shoup encryption and the Hanaoka-Kurosawa CCA-secure public key encryption.

In this paper, we show that, in case of basing some of Nieto et al.’s schemes on signed quadratic residues, the resulting schemes can meet the requirements of PVPKE. The core idea about this construction is that the DDH oracle can be publicly instantiated by bilinear pairing, while DDH oracle cannot be instantiated by discrete logarithm group or RSA group. But, in signed quadratic residues, the DDH oracle can be efficiently publicly instantiated. Based on this observation, we give new constructions of PVPKE scheme based on signed quadratic residues and discuss their security.

Furthermore, we discuss PVPKE’s important application in modern information system, such as achieving ciphertext checkable in the cloud setting for the mobile laptop, reducing the workload by the gateway between the open internet and the trusted private network, and dropping the invalid ciphertext by the routers for helping the network to preserve its communication bandwidth effectively.

##### 1.2. Related Works

###### 1.2.1. Chosen Ciphertext Security in the Standard Model

Naor and Yung [29] introduced the notion of CCA security for public key encryption, and this notion was further extended by Rackoff and Simon [30], Dolev et al. [31], and Sahai [32].* Noninteractive zero-knowledge (NIZK) proofs* are core blocks of these constructions, which is a relatively inefficient paradigm and its efficient realization always relies on bilinear pairing or random orale. In 1993, Bellare and Rogaway [33] introduced a so-called* random oracle* which idealizes the hash function as a perfect random function to devise efficient CCA-secure public key encryption with provable security. However, random oracle model has seen criticism by cryptographers for its unrealistic assumption [34]. More and more cryptographers show interest in constructing efficient CCA-secure PKE in the standard model. Till now, there are at least four ways to construct efficient CCA-secure PKE in the standard model. The first way is proposed by Cramer and Shoup [8], which was further extended by themselves and other cryptographers [35–37]. The second way to construct CCA-secure PKE is the paradigm of IBE * transformation*, which allows transforming selective-ID CPA-secure identity-based encryption (IBE) into a CCA-secure PKE [38–41]. The third way is based on* verifiable broadcast encryption*, which is proposed by Hanaoka and Kurosawa [9]. The fourth way is by relying on lossy trapdoor function introduced by Peikert and Waters [42] and further extended by Rosen and Segev [43] and many other works. Among the CCA-secure PKE schemes from these four ways, only the ones from the IBE transformation are publicly verifiable. However, most of existing practical IBE are based on the time-consuming pairings.

###### 1.2.2. Without Pairings

The bilinear pairings enable the construction of first practical identity-based encryption by Boneh and Franklin [44]. Since then, many wonderful results can be achieved by using the bilinear pairings, such as fully collusion resistant broadcast encryption [45], efficient practical zero-knowledge proof [46], searchable public key encryption [47, 48], attribute based encryption [49], and predicate encryption [50].

But we note that, on the one hand, bilinear pairing is a very powerful cryptographic tool; on the other hand, the implementation speed of bilinear pairing is still relatively slower. So recently many researchers show interest in construction of schemes without pairings, because, on the one hand, it can clarify to us which cryptographic task inherits the bilinear property of pairings and which does not; on the other hand, it gives us a new view on old cryptographic problems. For example, Baek et al. constructed the first certificateless public key encryption without pairing [51], while the concept of certificateless public key cryptography was first raised by using bilinear pairings [52]. Other examples include Deng et al. and Shao and Cao’s CCA-secure proxy reencryption without pairing [53, 54].

###### 1.2.3. Verifiable Public Key Encryption

Another related research area is (private) verifiable public key encryption, such as Camenisch and Shoup’s work [55]. However, their work was concerned with only the decryptor’s verifiability of the ciphertext instead of* public* verifiability. Kiayias et al. extended their work by introducing some new concepts for constructing group encryption [56]. Owing to bilinear property of pairings, CCA-secure public key encryption with public verifiability can be easily achieved in the bilinear pairing setting. However, the situation is completely different in the “without pairing” setting; constructing PVPKE scheme remains as an open problem left for almost decades.

##### 1.3. Organization

We organize our paper as follows: In Section 2, we give some preliminaries. In Section 3, we give our PVPKE’s construction based on signed quadratic residues and analyse its security. In Section 4, we discuss PVPKE’s applications. In the last section, we give our conclusion.

#### 2. Preliminaries

##### 2.1. Publicly Verifiable Public Key Encryption

A publicly verifiable public key encryption system consists of the following algorithms.(i)The randomized key generation algorithm Gen takes as input a security parameter and outputs a public key (PK) and a secret key (SK). We write .(ii)The randomized encryption algorithm takes as input a public key () and a message and outputs a ciphertext . We write .(iii)The verification algorithm takes as input a ciphertext and a public key (). It returns valid or invalid to indicate whether the ciphertext is valid or not. Note that the validity of can be verified publicly.(iv)The decryption algorithm takes as input a ciphertext and a secret key (). It returns a message or the distinguished symbol . We write . We require that, for all output by Gen, all , and all output by , we have .

##### 2.2. Chosen Ciphertext Security

We recall the standard definition of security against adaptive chosen ciphertext attack. A publicly verifiable public key encryption (PKE) scheme is secure against adaptive chosen ciphertext attacks (i.e., “CCA-secure”) if the advantage of any PPT adversary in the following game is negligible in the security parameter .(1) Gen() outputs (PK, SK). Adversary is given and PK.(2)The adversary may make many polynomial-many queries to a decryption oracle .(3)The adversary may make many polynomial-many queries to a verification oracle .(4)At some point, outputs two messages , with . A bit is randomly chosen and the adversary is given a “challenge ciphertext” .(5) may continue to query its decryption oracle except that it may not request the decryption of .(6) may continue to make polynomial-many queries to a verification oracle .(7)Finally, outputs a guess . We say that succeeds if and denote the probability of this event by . The adversary’s advantage is defined as .

##### 2.3. The Group of Signed Quadratic Residues

###### 2.3.1. RSA Instance Generator

Let be a constant and let be a function. Let RSAgen be an algorithm that generates elements , such that is an -bit Blum integer ( (where and ) and all prime factors of are pairwise distinct and at least -bit integers.

###### 2.3.2. Factoring Assumption

The factoring assumption is that computing , from (generated by RSAgen) is hard. We write The factoring assumption for RSAgen holds if is negligible for all efficient .

###### 2.3.3. The Group of Signed Quadratic Residues

Let be an integer. For we define as the absolute value of , where is represented as a signed integer in the set . For a subgroup of , we define the signed group, , as the group with the following group operation. Namely, for and an integer , we define More complicated expressions in the exponents are computed modulo the group order; for example, . Note that taking the absolute value is a surjective homomorphism from to with trivial kernel if does not belong to and with kernel if .

Let be a Blum integer such that does not belong to . We will mainly be interested in , which we call signed quadratic residues (modulo ). is a subgroup of , with absolute values as a convenient computational representation. The following basic facts hold.

Theorem 1. *Let be a Blum integer; then we have the following. *(1)* is a group of order .*(2)*. In particular, is efficiently recognizable (given only ).*(3)*If is cyclic, so is .*

###### 2.3.4. Strong DH Assumption Reduced to Factoring Assumption

Hofheinz and Kiltz [28] also proved that the strong DH assumption can be reduced to factoring assumption. Here we review the theorem and its proof.

Theorem 2. *If the factoring assumption holds then the strong DH assumption holds relative to RSAgen. In particular, for every strong DH adversary , there exists a factoring adversary (with roughly the same complexity as ) such that*

*Proof. *We construct from given . Concretely, receives a challenge , chooses uniformly , and sets . Note that, by definition of , we have except with probability . Then chooses and sets (here we omit operation, and hereafter we continue to omit for typical exponential modular operation). This implicitly defineswhere the discrete logarithms are of course considered in . Again, by definition of , the statistical distance between these and the input of in the strong DH experiment is bounded by . So runs on input and answers ’s oracle queries as follows. First, we may assume that since is efficiently recognizable. Next, since is a Blum integer, the group order is odd, and hence Thus, can implement the strong DH oracle by checking whether hold.

Consequently, with probability , will finally output from which can extract (using its knowledge about and ). Since is not in and are two nontrivially different square roots of , can factor by computing .

#### 3. CCA-Secure Publicly Verifiable Public Key Encryption in the Standard Model Based on Signed Quadratic Residues

##### 3.1. Review of Nieto et al.’s Publicly Verifiable PKE Scheme

Their construction is inspired by the IND-CCA public key KEM of Kiltz [57]; the PG(ParamGen) algorithm is similar to [57] except that it uses gap groups: outputs public parameters , where is a multiplicative cyclic group of prime order , , DDH is an efficient algorithm such that , and is a cryptographic hash function such that is a polynomial in . We also use a strong one-time signature scheme with verification key space such that is a polynomial in and a target collision resistant hash function . The message space is . The scheme works as follows.(i) PKE.KG(par)(ii) PKE.Enc(par, ek, M)(iii) PKE.Ver(par, ek, C)(iv) PKE.Dec′(par, ek, dk, C′)

##### 3.2. Our Proposed PVPKE Scheme Based on Signed Quadratic Residues

First we give the core idea behind our construction. We observe that Nieto et al.’s PKE scheme actually is a PVPKE scheme, but the only issue is that they use an abstract DDH oracle. They instantiate this oracle by bilinear pairings, but we require that PVPKE scheme cannot rely on bilinear pairings. We also observe that signed quadratic residues can also instantiate the abstract DDH oracle, so we modify Nieto et al.’s scheme to be based on signed quadratic residues group, which now give a natural new PVPKE scheme. Notation: we omit the operation and every modular exponentiation in signed quadratic residues such as the fact that is represented as , which implies all the modular exponentiation and other operations obey the rules defined in [28] instead of obeying the normal group rules. The following is the concrete scheme.(i) PVPKE.PG() is as follows.(a)Here we focus on group; we first generate an RSA modulus with RSAgen() [28], then choose uniformly , and set . Note that, by definition of , we have except with probability .(b) is a cryptographic hash function such that is a polynomial in .(c)We also use a strong one-time signature scheme with verification key space such that is a polynomial in and a target collision resistant hash function . The message space is .(d)DDH is an efficient algorithm such that . For the scheme relying on group, we can easily decide the DDH tuple; concretely, we do the following.(1)Choose and satisfying , , and is not very little. Then set (2)Publish , as the parameters for public verifying.(3)The DDHParams = .(e)PG() outputs public parameters , .(ii) PVPKE.KG(par)(iii) PVPKE.Enc(par, ek, M)(iv) PVPKE.Ver(par, ek, C)(v)PVPKE.Dec′(par, ek, dk, C′)

##### 3.3. Security Analysis

Based on Nieto et al.’s security result and the property of signed quadratic residues, we can give the following theorem.

Theorem 3. *Assume that TCR is a target collision resistant hash function and OTS is a strongly unforgeable one-time signature scheme. Under a variant of hashed Diffie-Hellman assumption for (signed quadratic residues group) and , the factoring assumption of RSAGen (which implies the strong Diffie-Hellman assumption in signed quadratic residues group proved in [28]), our PVPKE scheme based on signed quadratic residues is IND-CCA-secure.*

*Proof. *In the following we give our scheme’s security proof roughly. (1)We observe that, in Nieto et al.’s PKE scheme, plays two roles: one used to be deriving the DEM message mask key and the other used to be as part of the DDH test. But many research results show that it is secure to split these two roles separately [8]; thus we introduce as the role of part of the DDH test, while maintaining as the source of deriving DEM message mask key, which is the reason why we use instead of in our scheme.(2)In our scheme, we adopt Hofheinz and Kiltz’s technique of reducing SDH assumption to the factoring assumption; concretely, we set , , , , , and the same as theirs, but we make and public, which is used for public verifying. The verifying equation can also be used for deciding the DDH relationship of , but an attacker cannot figure out through finding root of , for we know finding square root in is as hard as factoring and this also holds in