Abstract
Public-key dual-receiver encryption (PK-DRE) is a kind of particular public-key encryption for enabling two independent recipients to obtain the same plaintext from the same ciphertext. Due to its dual-receiver property, PK-DRE is quite helpful in many scenarios, such as deniable authentication, global key escrow, security puzzle, and even blockchain. In this paper, we revisit the PK-DRE scheme <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$\mathtt {CFZ}14$ </tex-math></inline-formula> proposed at CT-RSA 2014 and propose a variant. This variant is original from a new security proof which allows us to remove some steps in <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$\mathtt {CFZ}14$ </tex-math></inline-formula> . To the best of our knowledge, the obtained variant is more efficient than the existing PK-DRE schemes in terms of public verifiability and key size.
Highlights
Public key dual-receiver encryption (PK-DRE) allows two independent recipients to recover the same plaintext from the same ciphertext
Due to the dual-receiver property and public verifiability, PK-DRE can be applied in the following scenarios, including deniable authentication [3], security puzzle [4], PKE with the non-interactive opening [5], and even blockchain [6]
Chow et al [7] refined the syntax of PK-DRE and proposed the first PKDRE scheme with CCA security in the standard model and public verifiability
Summary
Public key dual-receiver encryption (PK-DRE) allows two independent recipients to recover the same plaintext from the same ciphertext. Besides the dual-receiver property, PK-DRE usually requires public verifiability that enables everyone to check whether the two recipients can get the same plaintext. The key size of lattice-based schemes is usually quite large, and it is even as large as several megabytes in some cases [12] This situation hinders the use of lattice-based PK-DRE in some storage-limited settings, such as the Internet of Things. The scheme (we call it CFZ14 in this paper) proposed in [7] is the best one among the current pairing-based PK-DRE schemes in terms of the security level and computational cost. According to our new security proof, we can remove ‘‘gr ’’ from the ciphertext and obtain a more efficient PK-DRE scheme in terms of ciphertext size and encryption/decryption cost. Summary of the existing DRE schemes in terms of security, public verifiability, and key size.
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have