Signcryption Scheme
S. Sharmila Deva Selvi1, S. Sree Vivek1,?, C. Pandu Rangan1,?
1
Department of Computer Science and Engineering, Indian Institute of Technology Madras.
[email protected],[email protected],[email protected].
Abstract. Certificateless cryptography aims at combining the advan-tages of identity based and public key cryptography, so as to avoid the key escrow problem inherent in the identity based system and cumber-some certificate management in public key infrastructure. Signcryption achieves confidentiality and authentication simultaneously in an efficient manner. Multi-receiver signcryption demands signcrypting the same mes-sage efficiently for a large number of receivers. In this note, we strengthen the security of the certificateless multi-receiver signcryption scheme in [23] by proposing suitable enhancement to the scheme.
Keywords.Certificateless, Signcryption, Multi-receiver, Bilinear Pairing, Cryptanalysis.
1
Introduction
Signcryption proposed by Zheng in [3] is a cryptographic primitive provid-ing signature and encryption simultaneously, at a lower computational cost and communication overhead than the signature-then-encryption approach. A proper signcryption scheme should provide confidentiality as well as authentication and non-repudiation. Besides this, security model for signcryption should consider insider attacks also i.e. a corrupted receiver should not be able to forge a valid signcryption from any legal userAto another userBon a message that was not already sent fromAtoB. Sometimes forward secrecy is also a desired property, which requires that even if a sender’s secret key is exposed at some point of time, the past messages sent by him should remain secret.
Need for multi-receiver signcryption arises when the same message is to be sent to a large number of receivers. Consider the case of a company in which there are several managers and each of them has to send authenticated and con-fidential report to a large number of employees. In this case, simply signcrypting the message for each receiver will be highly inefficient. Therefore, there is a need
?Work supported by Project No. CSE/05-06/076/DITX/CPAN on Protocols for
to design efficient schemes for this task. In [23], an efficient multi-receiver sign-cryption scheme(CLMSC) in certificateless setting was proposed to achieve this functionality.
The certificateless multi receiver signcryption scheme in [23] is secure against Type-II adversary, but it does not resist TYPE-I adversary. Also, the Type-I forgeability is reported in [24]. In order to make it secure against the attacks we propose some enhancement to the existing scheme in [23].
2
Preliminaries
2.1 Computational Assumptions
In this section, we recall the computational assumptions related to bilinear maps [16] that are relevant to the security of our scheme:
1. Strong Diffie-Hellman Problem (SDHP) SDH problem is a stronger version of DHI(Diffie-Hellman Inversion problem)[16]. Given (P, aP) ∈ G21 for any randoma∈Z∗q, the SDH problem inG1is to compute h,(a+h)−1P
,
h∈Z∗Q.
The advantage of any probabilistic polynomial time algorithmAin solving the SDH problem inG1 is defined as:
AdvSDHA =P r
A(P, aP) = h,(a+h)−1P
|a, h∈Z∗q
We say that SDH is (t, ) hard if for any t time probabilistic algorithm A, the advantageAdvSDH
A < .
2. Collusion Attack Algorithm with k-traitors (k-CAA)Given (P, aP,
(h1+a)−1P, . . ., (hk+a)−1P)∈Gk1+2 for any random a∈Z∗q and known valuesh1, . . . , hk∈Z∗q, the k-CAA problem inG1 is to compute (a+h)−1P for someh /∈ {h1, . . . , hk}.
The advantage of any probabilistic polynomial time algorithmAin solving the k-CAA problem inG1is defined as:
Advk−CAAA =P r[A(P, aP,(h1+a)−1P, . . . ,(hk+a)−1P, h1, . . . , hk) = (a+h)−1P|a, h∈Z∗q, h /∈ {h1, . . . , hk}]
We say that k-CAA is (t, ) hard if for anyttime probabilistic algorithm
A, the advantage AdvAk−CAA< .
3. Modified BDHI for k-values (k-mBDHIP) k-mBDHIP is the bilin-ear variant of the k-CAA problem [22]. Given (P, sP,(h1+s)−1P, . . ., (hk+
s)−1P)∈
Gk1+2for any randoms∈Z∗q and known valuesh1, . . . , hk ∈Z∗q, the k-mBDHIP problem is to compute ˆe(P, P)(s+h)−1 for someh /∈ {h1, . . . , hk}. The advantage of any probabilistic polynomial time algorithmAin solving the k-mBDHIP problem in is defined as:
= ˆe(P, P)(s+h)−1|s, h∈Z∗q, h /∈ {h1, . . . , hk}]
We say that k-mBDHIP is (t, ) hard if for anyt time probabilistic algo-rithmA, the advantageAdvk−mBDHIPA < .
4. Gap Bilinear Diffie-Hellman Problem (GBDHP)[12] Given (P, aP, bP, cP)∈G41 for any random a, b, c∈Z∗q, the GBDH problem in (G1,G2,ˆe) is to compute ˆe(P, P)abc given access to DBDH oracle O
Γ which on input (P, aP, bP, cP, T)∈G41×G2 outputs 1 ifT = ˆe(P, P)abcand 0 otherwise. The advantage of any probabilistic polynomial time algorithmAin solving the GBDH problem in (G1,G2,ˆe) is defined as:
AdvGBDHA (OΓ, qDBDH) =P rAOΓ(P, aP, bP, cP) = ˆe(P, P)abc |a, b, c∈Z∗q
where qDBDH is the number of queries to the decisional oracle. We say that GBDHP is (t, , qDBDH) hard if for any ttime probabilistic algorithm
Aasking qDBDH oracle queries, advantage Advk−CAAA < .
3
Certificateless Multi-receiver Signcryption
3.1 Framework of Certificateless Multi-receiver Signcryption
Any generic certificateless multi-receiver signcryption scheme is a five tuple of probabilistic polynomial time algorithms defined as
follows-1. Setup(1κ): This algorithm is run by the KGC. It takes as input the secu-rity parameter 1κ and returns the KGC’s master secret key M sk, master public key M pk, public parameters P arams and a description of message space(MCLM SC) and cipher-text space (CCLM SC).
2. Partial Private Key Extract(IDi, M sk, P arams): This algorithm is run by the KGC. It takes as input M sk, P arams, a string IDi ∈ {0,1}∗ and returns a partial private keyDi.
3. Key Extract(IDi, Di, P arams): This algorithm is run by the user. It takes as input the partial private key of the user and returns a public key P Ki and a secret valuexi. The full secret key of the user is set toSKi=hxi, Dii. 4. Signcrypt(m, IDS, SKS, P KS, L={ID1, ID2, . . . , IDn}, P K1, . . . , P Kn,
P arams): The signcryption algorithm takes as input a messagem∈ MCLM SC, identityIDSand the full secret keySKS of the sender, a listLof the receiver identities and their public keys and returns a ciphertextσ∈ CCLM SC. 5. Designcrypt(σ, SKR, IDR, P KR, IDS, P KS, L): This is a deterministic
al-gorithm which takes as input the ciphertextσ, receivers full secret keySKR, identityIDR, the public keyP KRof the receiver, list of receiversL, the iden-tityIDSand the public keyP KSof the sender and returns either a plaintext
m∈ MCLM SC or an error symbol⊥. For consistency, we require that
if σ =Signcrypt(m, IDS, SKS, P KS, L = {IDR1, . . . , IDRn}, P K1, . . . , P Kn,
P arams), then m=Designcrypt(σ, SKRi, IDRi, P KRi, IDS, P KS, L) for 1≤
3.2 Security Model For Certificateless Multi-receiver Signcryption
Now, we describe the security model for certificateless multi-receiver signcryp-tion. In confidentiality and unforgeability game we provide access to the following six oracles :
1. Extract Partial Private Key: On input of an identity IDi, this oracle returns the partial private keyDi generated using the Partial Private Key
Extract algorithm.
2. Extract Secret Key: On input of an identityIDi, this oracle returns the full secret key SKi = hxi, Dii of the identity using the appropriate algo-rithms.
3. Request Public Key: On input of an identityIDi, this oracle returns the corresponding public key P Ki associated withIDi. If such a key does not exist then it is constructed usingKey Extract algorithm.
4. Replace Public Key: On input of an identityIDi and a valid public key
P Ki0, this oracle replaces the public key associated with IDi with P Ki0. If such a key does not exist then it is generated using theKey Extractalgorithm and then the public key corresponding toIDi is replaced withP Ki0. 5. Signcrypt: On input of a message, a sender’s identityIDS and a set of
re-ceiver identitiesL={IDR1, IDR2, . . . , IDRn}, this oracle returns the result
of running the signcryption algorithm on the message, sender’s full secret key and the receiver’s public parameters.
6. Designcrypt: On input of a ciphertext, a sender’s identity IDS and a re-ceiver’s identity IDR, this oracle returns the result of running the
Design-crypt algorithm on the ciphertext, the sender’s public parameters and the receiver’s full secret key.
Next, we give the security definitions. Following the trend in literature we also consider Type-I and Type-II adversary. Roughly speaking Type-I adversary models a common user who is not in possession of the master secret key M sk
and a type-II adversary models the honest but curiousKGC.
Confidentiality: Security game that captures the confidentiality is based on the ciphertext indistinguishability. We define it separately for I and Type-II adversary:
Type-I: A certificateless multi-receiver signcryption scheme is Type-I-iCCA2 secure if every probabilistic polynomial-time attackerAhas negligible advantage in winning the IND-CLMSC-iCCA2-I game. A type-I adversary is given access to all the 6 oracles defined above under the following
constraints-1. Adversary does not have access to master secret key M sk.
2. NoExtract Secret Key query is allowed on any of the challenge identities. 3. Adversary is not allowed to ask Extract Partial Private Key query for any
IND-CLMSC-iCCA2-I game played between the challengerC and the adversary
Ais defined below:
Setup: Challenger C runs the setup algorithm to generate master secret key
M skand public parametersP arams.CgivesP aramstoAwhile keepingM sk
secret. After receiving P arams A outputs list of target identities denoted by
L∗={ID∗1, ID2∗, . . . , IDn∗} respectively.C interacts withAin two phases:
Phase1: Ais given access to all the six oracles.Aadaptively queries the oracles consistent with the constraints described above.
Challenge: A outputs two equal length messages m0, m1 and an arbitrary sender’s identity IDS. C randomly chooses a bit b ∈R {0,1} and computes a signcryption
σ∗=Signcrypt(mb, IDS, SKS, P KS, L={ID1∗, . . . , ID ∗ n}, P K
∗
1, . . . , P K ∗ n)
σ∗ is sent toAas challenge.
Phase2:A adaptively queries the oracles consistent with the constraints de-scribed above. Besides this it cannot query Designcrypt on σ∗ for any ID ∈ {ID∗1, ID∗2, . . . , IDn∗}.
Guess: A outputs a bit b0 at the end of the game. A wins if b = b0. The advantage ofAis defined
as-AdvAIN D−CLM SC−iCCA2−I =|2P r[b=b0]−1|
Type-II: A certificateless multi-receiver signcryption scheme is Type-II-iCCA2 secure if every probabilistic polynomial-time attackerAhas negligible advantage in winning the IND-CLMSC-iCCA2-II game. A type-II adversary is given access to all the 6 oracles defined above and master secret keyM skunder the following
constraints-1. NoExtract Secret Key query is allowed on any of the challenge identities. 2. No Replace Public Key query is allowed on any of the challenge identities
before the challenge phase.
IND-CLMSC-iCCA2-II game played between the challengerCand the adversary
A is same as the IND-CLMSC-iCCA2-I game with the restrictions mentioned above
The advantage ofAis defined
as-AdvAIN D−CLM SC−iCCA2−II =|2P r[b=b0]−1|
Authenticity: Strong existential unforgeability(sEUF-CLMSC-iCMA) game captures the authenticity as a security requirement for any certificateless multi-receiver signcryption. By strong unforgeability we mean that adversary should not be able to signcrypt a message on behalf of a sender even if it knows the secret keys of all the receivers. The game is defined as below :
constraints-1. Adversary does not have access to master secret key M sk.
2. NoExtract Secret Key query is allowed on any of the challenge identities. 3. Adversary is not allowed to ask Extract Partial Private Key query for any
of the challenge identities.
sEUF-CLMSC-iCMA-I game played between the challengerCand the adversary
F is defined below:
Setup: Challenger C runs the setup algorithm to generate master secret key
M skand public parametersP arams.CgivesP aramstoF while keepingM sk
secret. After receiving P arams F outputs list of target identities denoted by
L∗={ID∗1, ID2∗, . . . , ID∗n}respectively. C interacts withF in two phases:
Attack: Fis given access to all the six oracles.F adaptively queries the oracles consistent with the constraints described above.
Forgery: F outputs a signature σ∗ and n arbitrary receiver’s identitiesL =
{IDR1, . . . , IDRn}(there exists atleast one receiverIDRi such that,IDRi ∈/ L
∗).
Fwins ifDesigncrypt(σ∗, SKRi,IDRi,P KRi, ID
∗
j, P Kj∗, L) returnsmfori, j∈
{1, . . . , n}andσ∗ was not the output of any signcrypt querySigncrypt(m,IDi∗, L={IDR1, . . . , IDRn}).That is,F wins if it outputs a valid signcryption from
a target identity to the set of receiver identities L by itself.
AdvFsEU F−CLM SC−iCM A−II is defined as the probability that F wins the above game.
Type-II: A certificateless multi-receiver signcryption scheme is Type-II-sEUF-iCMA secure if every probabilistic polynomial-time attacker F has negligible advantage in winning the sEUF-CLMSC-iCMA-II game. A type-II adversary is given access to all the 6 oracles defined above and the master secret key M sk
under the following
constraints-1. NoExtract Secret Key query is allowed on any of the challenge identities. 2. Adversary is not allowed to askReplace Public Key for any of the challenge
identities.
sEUF-CLMSC-iCMA-II game played between the challengerCand the adversary
F is same as sEUF-CLMSC-iCMA-I with the restrictions given above.
AdvFsEU F−CLM SC−iCM A−II is defined as the probability thatF wins the sEUF-CLMSC-iCMA-II game.
4
Enhancement of the Scheme in [23]
The scheme in [23] doesnot resist type-I adversary. When the adversary sees any signcryption σ = hc, d1, d2, . . . , dn, Li from IDS to L = {ID1, . . . , IDn}. The adversary can perform the following,
d=di1−dj1 ,IDi, ID−j ∈L =r1P
Knowing d = r1P the type-I adversary can compute both the keys used for encryption namely ˆe(P, Q)r1 = ˆe(d, Q) and (ˆe(P, Q)r1)xi, because the type-I
because of the randomness being re-used in the computation ofdi1of all receivers. Hence, we overcome the weaaknes by performing the following enhancement,
Setup(1κ): On providing security parameter 1κ as input, the KGC chooses two groups G1 and G2 of prime order q, two random generators P and Q of G1 such that P 6= Q and a bilinear map ˆe : G1×G1 → G2. It then com-putes g = ˆe(P, Q) ∈ G2 and defines five hash functions H1 : {0,1}∗ → Z∗q,
H2:G2× {0,1}∗→Z∗q,H3:{0,1} m
×G2× {0,1}∗×G2×G1× {0,1}∗→Z∗q,
H4:Z∗q×{0,1} ∗
→ {0,1}k1+lm,H
5:G2×G2×G2×{0,1}∗→ {0,1}k1+k2, where
k1,k2andlmare the number of bits required to representG1elements, Z∗q ele-ments and message respectively. Then KGC choosess∈RZ∗qas the master secret key and setsPpub=sP. The KGC now publishes the public parametersP arams of the system ashG1,G2, P, Q, Ppub,eˆ:G1×G1→G2, g, H1, H2, H3, H4, H5i.
Partial Private Key Extract(IDi, msk, P arams): On inputIDi, the par-tial private key of user with identity IDi is computed as Di = (qi+s)−
1
Q, whereqi=H1(IDi).
Key Extract(IDi, Di, P arams): This algorithm is run by each user to com-pute his private and public keys. The user IDi chooses xi ∈R Z∗q and sets his private key SKi = hxi, Dii and sets his public key as P ki =hP Ki1, P Ki2i =
hgxi, x
iTii, whereTi= (qi+s)P.
Signcrypt(m, IDS, SKS, P KS, L = {IDR1, IDR2, . . . , IDRn}, P KR1, P KR2,
. . . , P KRn, P arams):
1. Choose r∈RZ∗q and computeα=rP
2. h=H2(α, m, IDS, L) andh3=H3(m, α, h, IDS, P KS1, P KS2, L) 3. ComputeZS=
r
(xS+h3)
DS
4. Computec=H4(h, IDS, L)⊕mkα
5. Repeat the following steps for all IDRi ∈L,i= 1,2, . . . , n.
(a) Chooseri∈Z∗q
(b) ParseP KRi as hP Ki1, P Ki2i
(c) Set h5i=H5(gri,(P Ki1)ri, P Ki1, IDRi)
(d) Computedi1=ri(qi+s)P anddi2=h5i⊕hkZS (e) Set di =hdi1, di2i
6. Return ciphertextσ=hc, d1, d2, . . . , dn, Li.
Designcrypt(σ=hc, d1, d2, . . . , dn, Li, IDS, IDi, SKi, P arams): 1. Parsedi ashdi1, di2iandSKi ashxi, Dii
2. Computeω0= ˆe(di1, Di) and (ω0)xi= (P Ki1)ri 3. Seth05i=H5(ω0,(ω0)xi, P K
i1, IDi) 4. Computeh0kZ0
S =h05i⊕di2
5. Computem0kα0=c⊕H4(h0, IDS, L) 6. Seth03=H3(m0, α0, h0, IDS, P KS1, P KS2, L)
7. Ifh0=? H2(α0, IDS, L) and ˆe(P KS2+h03(qS+s)P, ZS0) = ˆe(α0, Q) then return
5
Conclusion
We have proposed an enhancement for the security weakness in the certifi-cateless signcryption scheme for multiple receivers in [23].
References
1. S.S. Al-Riyami and K.G. Paterson.:Certificateless Public-Key Cryptography.In: Advances in Cryptology ASIACRYPT 2003, LNCS 2894:452473, Springer-Verlag, 2003.
2. Yong Yu, Bo Yang, Xinyi Huang and Mingwu Zhang.: Efficient identity-based signcryption scheme for multiple receivers.In: ATC 2007, LNCS 4610, pp. 13-21, Springer-Verlag Berlin Heidelberg, 2007.
3. Zheng Y.:Digital signcryption or How to achieve cost (signature & Encrytpion) cost(signature) + cost(encryption).In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS vol. 1294, pp. 165-179. Springer, Heidelberg 1997.
4. Malone-Lee J., Mao M:Two birds one stone: signcryption using RSA.In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol.2612, pp. 211-226. Springer, Heidelberg 2003. 5. Malone-Lee J.:Identity based signcryption.In: Cryptology ePrint Archive. Report
2002/098, 2002.
6. Libert B., Quisquator J.J.:A new identity based signcryption scheme from pair-ings.In: 2003 IEEE information theory workshop.Paris, France, pp.155-158, 2003. 7. Boyen X.:Multipurpose identity based signcryption: a swiss army knife for iden-tity based cryptography.In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 383-399. Springer, Heidelberg 2003.
8. Barreto P.S.L.M., Libert B., McCullagh N., Quisquater J.J.: Efficient and provably-secure identity based signatures and signcryption from bilinear maps. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 515-532. Springer, Heidelberg 2005.
9. Zheng Y.: Signcryption and its applications in efficient public key solutions.In: Okamoto, E. (ed.) ISW 1997. LNCS, vol. 1396, pp. 291-312. Springer, Heidelberg 1998.
10. Duan S., Cao Z.:Efficient and provably secure multi-receiver identity-based sign-cryption.In: Batten, L.M., Safavi-Naini, R. (eds) ACISP 2006. LNCS, vol. 4058, pp. 195-206. Springer, Heidelberg 2006.
11. K. Kurosawa:Multi-recipient public-key encryption with shortened ciphertextIn: Public Key Cryptography, 2002, pp. 48-63.
12. M. Barbosa and P. Farshim:Certificateless Signcryption In: Conference on Com-puter and Communications Security archive Proceedings of the 2008 ACM sym-posium on Information, Computer and Communications Security.
13. S. Sharmila Deva Selvi, S. Sree Vivek, Ragavendran Gopalakrishnan, Naga Naresh Karuturi and C. Pandu Rangan:Cryptanalysis of ID-Based Signcryption Scheme for Multiple Receivers.In: http://eprint.iacr.org/2008/238.pdf
14. R. Canetti, S. Halevi, J. Katz:A forward-secure public-key encryption schemeIn: EUROCRYPT, 2003, pp. 255-271.
16. Ratna Dutta, Rana Barua and Palash Sarkar :Pairing-Based Cryptographic Pro-tocols : A Survey. In http://eprint.iacr.org/2004/064.pdf.
17. Baek J., Steinfeld R., Zheng Y.:Formal proofs for the security of signcryption.. In:Public Key Cryptography - PKC 2002, volume 2274 of Lecture Notes in Com-puter Science, pages 80-98. Springer-Verlag, 2002.
18. M. Bellare, A. Boldyreva, S. Micali:Public-key encryption in a multi-user setting: Security proofs and improvementsIn: B. Preneel (Ed.), Advances in Cryptology EUROCRYPT 2000, Vol. 1807 of Lecture Notes in Computer Science, Springer-Verlag, Berlin Germany, Brugge, Belgium, 2000, pp. 259-274.
19. Alexander W. Dent :A Survey of Certificateless Encryption Schemes and Security ModelsIn : eprint.iacr.org/2006/211.pdf.
20. Alexander W. Dent, Benoit Libert, Kenneth G. Paterson:Certificateless Encryp-tion Schemes Strongly Secure in the Standard Model: In R. Cramer, editor(s), 11th International Workshop on Practice and Theory in Public-Key Cryptog-raphy (PKC 2008), Volume 4939 of Lecture Notes in Computer Science, pages 344-359, Springer, March 2008.
21. Benoit Libert, Jean-Jacques Quisquater:On Constructing Certificateless Cryp-tosystems from Identity Based Encryption, In : M. Yung, editor(s), Public Key Cryptography 2006 (PKC’06), Volume 3958 of Lecture Notes in Computer Sci-ence, pages 474-490, Springer, April 2006.
22. Sherman S.M. Chow, Lucas C.K. Hui, S.M. Yiu and K.P. Chow :Two Improved Partially Blind Signature Schemes from Bilinear Pairings, InInformation Secu-rity and Privacy, Volume 3574/2005 ofLNCS, Pages 316-328. Springer. 2005 23. S. Sharmila Deva Selvi, S. Sree Vivek, Deepanshu Shukla and C. Pandu
Ran-gan :Efficient and Provably Secure Certificateless Multi-receiver SigncryptionIn Provable Security, Volume 5324/2008 ofLNCS, Pages 52-67, Springer, 2008. 24. Songqin Miao, Futai Zhang, Lei Zhang:Cryptanalysis of a Certificateless
