Computers and Mathematics with Applications
Certificate-based signcryption with enhanced security features
Jiguo Li a,∗, Xinyi Huang b, Meixue Hong a, Yichen Zhang a
a College of Computer & Information Engineering, Hohai University, Nanjing 210098, China
b Institute for Infocomm Research (I2R), Singapore
Article history: Received 26 September 2011; Received in revised form 31 December 2011; Accepted 3 January 2012
Keywords: Public key cryptography; Certificate-based cryptography; Signcryption; Authentication; Security model
Abstract
Certificate-based cryptography overcomes the inherent shortcomings in traditional public key cryptography and identity-based cryptography. It provides effective mechanisms to design efficient public key cryptography systems with less reliance on underlying infrastructure. As a classic primitive in public key cryptography, signcryption performs signature and encryption in a single logical step, by integrating confidentiality, integrity, authentication and non-repudiation much more efficiently than the traditional sign-then-encrypt approach. In this paper, we first define an enhanced security model for certificate-based signcryption. We then analyze an existing certificate-based signcryption scheme, and show that it is insecure due to two classic attacks. Furthermore, we propose a new certificate-based signcryption scheme. Our scheme is proven secure against adaptive chosen ciphertext attacks and adaptive chosen message attacks in the random oracle model.
©2012 Elsevier Ltd. All rights reserved.
1. Introduction
Certificate-based encryption (CBE) is a new public key encryption mechanism introduced by Gentry [1] at Eurocrypt 2003. As in the traditional PKI, each client in CBE generates its own public/private key pair and the Certificate Authority (CA) then generates a certificate which guarantees the authenticity of the client’s public key. In CBE, the certificate has an additional feature, namely it also acts as a partial private key. A successful decryption requires both the private key and the up-to-date certificate. This provides an implicit verification of one’s certificate and eliminates the third-party queries for certificate status required in traditional PKI. Since the CA does not know the client’s private key, there is no key escrow problem in CBE (which is, however, an inherent problem in identity-based public key encryption [2]). Furthermore, CBE does not have the secret key distribution problem, as opposed to certificateless public key encryption [3]. Thus, certificate-based encryption provides an efficient mechanism to design public key encryption which requires less infrastructure and overcomes the inherent shortcomings of the aforementioned public key systems. Since its introduction in [1], certificate-based cryptography has attracted the attention of many researchers, and a number of certificate-based encryption and signature algorithms have been proposed so far, e.g. [1,4–12]. Following Gentry’s idea, Kang, Park and Hahn proposed the security notion of certificate-based signature (CBS) [5]. They also proposed two concrete certificate-based signature schemes and a certificate-based proxy signature scheme. Unfortunately, Li et al. [7] pointed out that one of their schemes was insecure against the key replacement attack. They refined the security model of certificate-based signature and proposed a new efficient certificate-based signature scheme. Wu et al. [11] revisited the security models of certificate-based signature schemes. They divided the potential adversaries into three types by attacking power: normal adversary, strong adversary and super adversary. Recently, Li et al. [6,13] presented a certificate-based signature scheme which is provably secure in the standard model. Furthermore, they proposed an efficient short certificate-based signature scheme, which requires only one pairing operation in signature generation and verification. In addition, the signature size of their scheme is only one group element.
∗ Corresponding author.
E-mail addresses: [email protected], [email protected] (J. Li). doi:10.1016/j.camwa.2012.01.006
The concept of public key signcryption was proposed by Zheng in 1997 [14]. The purpose of this primitive is to perform signature and encryption in a single logical step, so that signcryption can provide confidentiality, integrity, authentication and non-repudiation in a more efficient way than the traditional sign-then-encrypt approach. The drawback of the latter solution is its high cost in both computation and communication. Several efficient signcryption schemes [15–26] have been proposed since 1997, and the first scheme with formal security proofs in well-defined security models was proposed in [27]. Seo and Kim [28] proposed a domain-verifiable signcryption scheme, which is applied to the electronic funds transfer protocol. Mu and Varadharajan [29] proposed a distributed signcryption scheme that can be used for distributing a signcrypted message to a designated group. This definition can be extended to the transmission of information between two or more designated groups. This means that any member of the designated group can signcrypt the message on behalf of the group and distribute it to the receiving group. Kwak and Moon [30] proposed an efficient distributed signcryption scheme and gave some heuristic arguments for the security analysis of their scheme. Recently, Gupta and Saxena [31,32] proposed a formal security model for distributed signcryption covering confidentiality and unforgeability, and a scheme for distributed signcryption. Furthermore, they extended the distributed signcryption protocol to group signcryption. Libert and Quisquater [21] proposed an efficient signcryption scheme with key privacy from gap Diffie–Hellman groups. Li et al. [33] proposed a new identity-based signcryption scheme based on multiple private key generators, which is more suitable for multi-domain ad hoc networks.
At Crypto 2003, Boyen [16] proposed a comprehensive security model for multipurpose identity-based encryption-signature cryptosystems and presented a new cryptographic scheme that precisely implements all facets of the aforementioned notion of ‘‘secure signed communication’’ in the certificate-free world of identity-based cryptography. Recently, several new kinds of signcryption have been proposed. Zhang and Xu [34] proposed an anonymous identity-based signcryption scheme for multiple receivers in the standard model. Selvi et al. [35] proposed the first efficient certificateless multi-receiver signcryption scheme, which does not require a pairing to signcrypt a message for any number of receivers, and proved it secure in the random oracle model. They considered a more realistic adversarial model and proved security against insider attacks, which guarantees non-repudiation and forward secrecy. Liu et al. [36] introduced a formal security model for certificateless signcryption schemes secure against malicious-but-passive KGC attacks and proposed a novel certificateless signcryption scheme. Li and Wong [37] proposed a new generic construction for signcryption and showed that it is secure under security models comparable to security against adaptive chosen ciphertext attacks for public key encryption and existential unforgeability against chosen message attacks for signatures. Li et al. [38,39] proposed an efficient signcryption scheme with key privacy that is proven secure under the standard assumption of the gap Diffie–Hellman problem in the random oracle model. Their scheme achieves confidentiality, existential unforgeability and anonymity with more precise reduction bounds. Furthermore, they gave a variation of the proposed scheme and extended it to a ring signcryption scheme.
Duan and Cao [18] proposed an efficient multi-receiver identity-based signcryption scheme which needs only one pairing computation to signcrypt a message for $n$ receivers and can provide confidentiality and authenticity simultaneously in a multi-receiver setting. Recently, Yu et al. [40] gave a complete security model for identity-based generalized signcryption. Furthermore, they proposed an efficient identity-based generalized signcryption scheme and proved that their scheme is secure in the given security model. However, no certificate-based signcryption scheme had been proposed until 2008, when Luo et al. [9] proposed the security notion of certificate-based signcryption and presented the first construction of certificate-based signcryption (hereinafter referred to as the LWZ scheme). It is claimed that their scheme is publicly verifiable and provably secure in the random oracle model.
Our contributions. In this paper, we first show that the LWZ scheme is insecure by presenting two concrete attacks: the LWZ scheme is ciphertext distinguishable under adaptive chosen ciphertext attacks and is existentially forgeable under chosen message attacks. After that, we define an enhanced security model for certificate-based signcryption by integrating the strong security model of certificate-based signatures defined in [6,11]. Furthermore, we construct a new certificate-based signcryption scheme which enjoys short signature length, low operation cost and provable security in the random oracle model.
Organization of the paper. In the next section, we review some preliminaries required in this paper. We describe the formal definition and the enhanced security model for certificate-based signcryption in Section 3. Section 4 presents two concrete attacks on the LWZ scheme. In Section 5, we propose a new certificate-based signcryption scheme, together with the security proof in the random oracle model and the performance analysis of the new scheme. Finally, we conclude the paper in Section 6.
2. Preliminaries
This section introduces the notation of bilinear mapping and some mathematical assumptions that are required to understand the following sections.
Let $G_1$ be an additive group of prime order $q$ and $G_2$ be a multiplicative group of the same order. Let $P$ be a generator of $G_1$. A bilinear mapping $e: G_1 \times G_1 \to G_2$ has the following properties:
– The map is bilinear: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$, $a, b \in \mathbb{Z}_q$.
– The map is non-degenerate: $e(P, P) \neq 1_{G_2}$.
– The map is efficiently computable.
Definition 1 (DL Problem in $G_1$). Given $(P, aP)$ for some unknown $a \in \mathbb{Z}_q^*$, output $a$. The success probability of any probabilistic polynomial-time (denoted PPT) algorithm $\mathcal{A}$ in solving the DL problem in $G_1$ is defined to be
$$\mathrm{Succ}^{DL}_{\mathcal{A},G_1} = \Pr\left[\mathcal{A}(P, aP) = a : a \in \mathbb{Z}_q^*\right].$$
The DL assumption states that for every probabilistic polynomial-time algorithm $\mathcal{A}$, $\mathrm{Succ}^{DL}_{\mathcal{A},G_1}$ is negligible.
Definition 2 (CDH Problem in $G_1$). Given $(P, aP, bP)$ for some unknown $a, b \in \mathbb{Z}_q^*$, compute $abP$. The success probability of any probabilistic polynomial-time algorithm $\mathcal{A}$ in solving the CDH problem in $G_1$ is defined to be
$$\mathrm{Succ}^{CDH}_{\mathcal{A},G_1} = \Pr\left[\mathcal{A}(P, aP, bP) = abP : a, b \in \mathbb{Z}_q^*\right].$$
The CDH assumption states that for every probabilistic polynomial-time algorithm $\mathcal{A}$, $\mathrm{Succ}^{CDH}_{\mathcal{A},G_1}$ is negligible.
Definition 3 (DDH Problem in $G_2$). Given $(g, g^a, g^b) \in (G_2)^3$ for some unknown $a, b \in \mathbb{Z}_q^*$ and $h \in G_2$, decide whether $h = g^{ab}$ or not. The success probability of any probabilistic polynomial-time algorithm $\mathcal{A}$ in solving the DDH problem in $G_2$ is defined to be
$$\mathrm{Succ}^{DDH}_{\mathcal{A},G_2} = \left|\Pr\left[\mathcal{A}(g, g^a, g^b, g^{ab}) = 1\right] - \Pr\left[\mathcal{A}(g, g^a, g^b, h) = 1\right]\right|.$$
The DDH assumption states that for every probabilistic polynomial-time algorithm $\mathcal{A}$, $\mathrm{Succ}^{DDH}_{\mathcal{A},G_2}$ is negligible.
Definition 4 (GDH Problem in $G_2$). Given $(g, g^a, g^b) \in (G_2)^3$ for some unknown $a, b \in \mathbb{Z}_q^*$, compute $g^{ab}$ with the help of $\mathcal{O}_{DDH}$. $\mathcal{O}_{DDH}$ is a DDH oracle that on input $(g, g^a, g^b, h) \in (G_2)^4$ outputs 1 if $h = g^{ab}$ and 0 otherwise. The success probability of any probabilistic polynomial-time algorithm $\mathcal{A}$ in solving the GDH problem in $G_2$ is defined to be
$$\mathrm{Succ}^{GDH}_{\mathcal{A},G_2} = \Pr\left[\mathcal{A}(g, g^a, g^b, \mathcal{O}_{DDH}) = g^{ab} : a, b \in \mathbb{Z}_q^*\right].$$
The GDH assumption states that for every probabilistic polynomial-time algorithm $\mathcal{A}$, $\mathrm{Succ}^{GDH}_{\mathcal{A},G_2}$ is negligible.
Definition 5 (BDH Problem in $\langle G_1, G_2 \rangle$). Given $(P, aP, bP, cP)$ for some unknown $a, b, c \in \mathbb{Z}_q^*$, compute $e(P, P)^{abc}$. The success probability of any probabilistic polynomial-time algorithm $\mathcal{A}$ in solving the BDH problem in $\langle G_1, G_2 \rangle$ is defined to be
$$\mathrm{Succ}^{BDH}_{\mathcal{A},G_1,G_2} = \Pr\left[\mathcal{A}(P, aP, bP, cP) = e(P, P)^{abc} : a, b, c \in \mathbb{Z}_q^*\right].$$
The BDH assumption states that for every probabilistic polynomial-time algorithm $\mathcal{A}$, $\mathrm{Succ}^{BDH}_{\mathcal{A},G_1,G_2}$ is negligible.
Definition 6 (DBDH Problem in $\langle G_1, G_2 \rangle$). Given $(P, aP, bP, cP)$ for some unknown $a, b, c \in \mathbb{Z}_q^*$ and $T \in G_2$, decide whether $T = e(P, P)^{abc}$ or not. The success probability of any probabilistic polynomial-time algorithm $\mathcal{A}$ in solving the DBDH problem in $\langle G_1, G_2 \rangle$ is defined to be
$$\mathrm{Succ}^{DBDH}_{\mathcal{A},G_1,G_2} = \left|\Pr\left[\mathcal{A}(P, aP, bP, cP, e(P, P)^{abc}) = 1\right] - \Pr\left[\mathcal{A}(P, aP, bP, cP, T) = 1\right]\right|.$$
The DBDH assumption states that for every probabilistic polynomial-time algorithm $\mathcal{A}$, $\mathrm{Succ}^{DBDH}_{\mathcal{A},G_1,G_2}$ is negligible.
Definition 7 (GBDH Problem in $\langle G_1, G_2 \rangle$). Given $(P, aP, bP, cP)$ for some unknown $a, b, c \in \mathbb{Z}_q^*$, compute $e(P, P)^{abc}$ with the help of $\mathcal{O}_{DBDH}$. $\mathcal{O}_{DBDH}$ is a DBDH oracle that on input $(aP, bP, cP, T)$ outputs 1 if $T = e(P, P)^{abc}$ and 0 otherwise. The success probability of any probabilistic polynomial-time algorithm $\mathcal{A}$ in solving the GBDH problem in $\langle G_1, G_2 \rangle$ is defined to be
$$\mathrm{Succ}^{GBDH}_{\mathcal{A},G_1,G_2} = \Pr\left[\mathcal{A}(P, aP, bP, cP, \mathcal{O}_{DBDH}) = e(P, P)^{abc} : a, b, c \in \mathbb{Z}_q^*\right].$$
The GBDH assumption states that for every probabilistic polynomial-time algorithm $\mathcal{A}$, $\mathrm{Succ}^{GBDH}_{\mathcal{A},G_1,G_2}$ is negligible.
3. Certificate-based signcryption
In this section, we describe the formal definition and the enhanced security model of certificate-based signcryption.
3.1. Outline of certificate-based signcryption
Let $A$ denote the sender Alice and $B$ denote the receiver Bob. A certificate-based signcryption scheme consists of the following five algorithms:
– Setup: Taking a security parameter $k$ as input, the CA uses this algorithm to generate its master public/secret key pair $(P_{Pub}, Msk)$ and the public parameters $params$.
– UserKeyGen: Taking the public parameters $params$ and the master public key $P_{Pub}$ as input, a user $U$ uses this algorithm to produce its public/secret key pair $(PK_U, SK_U)$.
– CertGen: Taking the public parameters $params$, the master secret key $Msk$, the identity $ID_U$ and the public key $PK_U$ of a user $U$ as input, the CA computes the certificate for user $U$.
– Signcrypt: Sender Alice takes her certificate $Cert_A$, her secret key $SK_A$, a message $m$ and the receiver’s public key $PK_B$ as input, and runs this algorithm to output a signcryption $\sigma$.
– Designcrypt: When Bob receives $\sigma$, he runs this algorithm on input of his certificate $Cert_B$ and secret key $SK_B$ and obtains the original message $m$, or the symbol $\bot$ if $\sigma$ is an invalid signcryption between $ID_A$ and $ID_B$.
3.2. Security models of certificate-based signcryption
Recently, Luo et al. [9] proposed a security model for certificate-based signcryption. Their model is a combination of Malone–Lee’s security model [41] for identity-based signcryption and the security model of certificate-based signature of Li et al. [7]. In this section, we provide an enhanced security model by incorporating the strong security requirements of certificate-based signature in [6,11].
There are two types of adversaries (denoted $\mathcal{A}_I$ and $\mathcal{A}_{II}$), which simulate different attacking scenarios. $\mathcal{A}_I$ models a dishonest entity who does not know the master secret key, but can obtain any user’s secret key and replace any user’s public key with one of his/her choice. In the game of confidentiality, $\mathcal{A}_I$ is not allowed to query the certificates of the target sender and the target receiver. In the game of unforgeability, $\mathcal{A}_I$ is not allowed to query the target sender’s certificate. $\mathcal{A}_{II}$ models a malicious certifier who holds the master secret key $Msk$. In the game of confidentiality, $\mathcal{A}_{II}$ is not allowed to query the secret keys or replace the public keys of the target sender and the target receiver. In the game of unforgeability, $\mathcal{A}_{II}$ is not allowed to query the target sender’s secret key or replace the target sender’s public key.
Before presenting the details of the security definitions, we first define six oracles which can be accessed by the adversary in our game-based model.
Public key: Challenger $\mathcal{C}$ keeps a list $L_u = \{(ID_U, SK_U, PK_U, f_U)\}$ to record the secret/public keys of created users. $L_u$ is empty at the beginning of the game. Given a public key query for a new user $ID_U$, $\mathcal{C}$ runs the UserKeyGen algorithm to obtain a secret/public key pair $(SK_U, PK_U)$, adds $(ID_U, SK_U, PK_U, 0)$ into $L_u$ and sends $PK_U$ to the adversary. Otherwise, $ID_U$ has been created before and its public key is returned.
In the following oracles, the challenger $\mathcal{C}$ sets $f_U = 1$ if the public key of user $ID_U$ has been replaced. Otherwise, $f_U = 0$ (which is the initial value when $ID_U$ was created).
Public key replace: For a public key replace query $(ID_U, PK)$, $\mathcal{C}$ checks the list $L_u$. If $ID_U$ is already in $L_u$, $\mathcal{C}$ updates the corresponding tuple with $(ID_U, \bot, PK, 1)$. Otherwise, $\mathcal{C}$ adds $(ID_U, \bot, PK, 1)$ into $L_u$. The symbol ‘‘$\bot$’’ indicates that $\mathcal{C}$ does not know the corresponding private key.
Corruption: On a corruption query $ID_U$, $\mathcal{C}$ checks the list $L_u$. If $ID_U$ has not been created yet, $\mathcal{C}$ runs the UserKeyGen algorithm to obtain a secret/public key pair $(SK_U, PK_U)$, adds $(ID_U, SK_U, PK_U, 0)$ into $L_u$ and sends $SK_U$ to the adversary. Otherwise, there is a tuple in $L_u$ that contains $ID_U$ and its secret key $SK_U$ is returned. Note that in this case $SK_U$ could be ‘‘$\bot$’’ if $ID_U$’s public key has been replaced by the adversary.
CertGen: On a CertGen query $ID_U$, $\mathcal{C}$ checks the list $L_u$. If $ID_U$ is already in $L_u$, $\mathcal{C}$ runs the CertGen algorithm and returns the certificate $Cert_U$. Otherwise, $\mathcal{C}$ runs the UserKeyGen algorithm to obtain a secret/public key pair $(SK_U, PK_U)$ and adds $(ID_U, SK_U, PK_U, 0)$ into $L_u$. After that, $\mathcal{C}$ runs the CertGen algorithm with input $(ID_U, PK_U, Msk, params)$ and returns the certificate $Cert_U$.
Signcrypt: On a signcrypt query $(m, ID_A, ID_B)$, $\mathcal{C}$ checks the list $L_u$ for the tuple $(ID_A, SK_A, PK_A, f_A)$. If $f_A = 1$ then it asks the adversary to provide the secret key $SK_A$ of $PK_A$. Otherwise, $SK_A$ in the tuple is a correct secret key of $ID_A$. In both cases, $\mathcal{C}$ generates the certificate $Cert_A$ of $PK_A$ and responds with a signcryption $\sigma$ by running the signcrypt algorithm with input $Cert_A$ and $SK_A$.
Designcrypt: On a designcrypt query $(\sigma, ID_A, ID_B)$, $\mathcal{C}$ checks the list $L_u$ for the tuple $(ID_B, SK_B, PK_B, f_B)$. If $f_B = 1$ then it asks the adversary to supply the secret key $SK_B$ of $PK_B$. Otherwise, $SK_B$ in the tuple is a correct secret key of $ID_B$. In both cases, $\mathcal{C}$ generates the certificate $Cert_B$ of $PK_B$ and runs the designcrypt algorithm using $Cert_B$ and $SK_B$, whose output is given to the
The security of certificate-based signcryption is defined by the following four games between the adversary and the challenger.
Game 1:
Setup: The challenger $\mathcal{C}$ runs the setup algorithm to generate the master secret key $Msk$, the master public key $P_{Pub}$ and the public parameters $params$. $\mathcal{C}$ sends $(P_{Pub}, params)$ to $\mathcal{A}_I$ while keeping $Msk$ secret.
Phase 1: $\mathcal{A}_I$ can adaptively query all six oracles defined previously.
Challenge: $\mathcal{A}_I$ outputs two equal-length messages $m_0, m_1$ and selects two target identities $ID_A^*, ID_B^*$ as the sender and receiver respectively. The restriction is that during Phase 1 $\mathcal{A}_I$ does not make CertGen queries on $ID_A^*$ or $ID_B^*$. If $f_A = 1$, the challenger $\mathcal{C}$ requires the adversary to supply the secret key corresponding to the current public key of $ID_A^*$. After that, $\mathcal{C}$ randomly chooses $d \in_R \{0, 1\}$, computes $\sigma^* = \mathrm{Signcrypt}(m_d, Cert_A^*, SK_A^*, PK_B^*)$ and sends $\sigma^*$ to $\mathcal{A}_I$, where $PK_B^*$ might not be the one generated by the challenger. (In other words, the public key of $ID_B^*$ may have been replaced by the adversary.)
Phase 2: $\mathcal{A}_I$ continues to query the oracles as in Phase 1, but cannot make a designcrypt query on $(\sigma^*, ID_A^*, ID_B^*)$ or a CertGen query on $ID_A^*$ or $ID_B^*$.
Guess: $\mathcal{A}_I$ outputs a bit $d'$. $\mathcal{A}_I$ wins the game if $d' = d$. The advantage of $\mathcal{A}_I$ is defined as $\mathrm{Adv}^{IND\text{-}CBSC\text{-}CCA2}_{\mathcal{A}_I} = |2\Pr[d' = d] - 1|$.
Definition 8 (Confidentiality Against $\mathcal{A}_I$). A certificate-based signcryption scheme is said to be secure against an adaptive chosen ciphertext adversary $\mathcal{A}_I$ (IND-CBSC-CCA2-I) if no probabilistic polynomial-time adversary can have a non-negligible advantage in winning the above game.
Game 2:
Setup: The challenger $\mathcal{C}$ runs the setup algorithm to generate the master secret key $Msk$, the master public key $P_{Pub}$ and the public parameters $params$. $\mathcal{C}$ sends $(P_{Pub}, Msk, params)$ to $\mathcal{A}_{II}$.
Phase 1: In this phase, $\mathcal{A}_{II}$ can make requests to all oracles except the CertGen oracle; since it holds $Msk$, $\mathcal{A}_{II}$ does not need to make CertGen queries.
Challenge: $\mathcal{A}_{II}$ outputs two equal-length messages $m_0, m_1$ and selects two target identities $ID_A^*, ID_B^*$ as the sender and receiver respectively. The restriction is that $\mathcal{A}_{II}$ does not make corruption queries or public key replace queries on $ID_A^*, ID_B^*$. $\mathcal{C}$ randomly chooses $d \in_R \{0, 1\}$, computes $\sigma^* = \mathrm{Signcrypt}(m_d, Cert_A^*, SK_A^*, PK_B^*)$ and sends $\sigma^*$ to $\mathcal{A}_{II}$.
Phase 2: $\mathcal{A}_{II}$ continues to query the oracles as in Phase 1 but is not allowed to make a designcrypt query on $(\sigma^*, ID_A^*, ID_B^*)$, nor corruption queries or public key replace queries on $ID_A^*$ or $ID_B^*$.
Guess: $\mathcal{A}_{II}$ outputs a bit $d'$. $\mathcal{A}_{II}$ wins the game if $d' = d$. The advantage of $\mathcal{A}_{II}$ is defined as $\mathrm{Adv}^{IND\text{-}CBSC\text{-}CCA2}_{\mathcal{A}_{II}} = |2\Pr[d' = d] - 1|$.
Definition 9 (Confidentiality Against $\mathcal{A}_{II}$). A certificate-based signcryption scheme is said to be secure against an adaptive chosen ciphertext adversary $\mathcal{A}_{II}$ (IND-CBSC-CCA2-II) if no probabilistic polynomial-time adversary can have a non-negligible advantage in winning the above game.
Game 3:
Setup: The challenger $\mathcal{C}$ runs the setup algorithm to generate the master secret key $Msk$, the master public key $P_{Pub}$ and the public parameters $params$. $\mathcal{C}$ sends $(P_{Pub}, params)$ to $\mathcal{A}_I$ while keeping $Msk$ secret.
Query: $\mathcal{A}_I$ can adaptively query all six oracles defined previously.
Forgery: $\mathcal{A}_I$ outputs $\sigma^*$ as the signcryption of $(ID_A^*, ID_B^*)$. $\mathcal{A}_I$ wins if
– $\mathrm{Designcrypt}(\sigma^*, SK_B^*, Cert_B^*, PK_A^*) \neq \bot$, where $PK_A^*$ is the current public key of $ID_A^*$ and may not be the one generated by the challenger. Similarly, $SK_B^*$ could also differ from the one generated by the challenger.
– $\sigma^*$ is not the output of the signcrypt oracle on input $(m^*, ID_A^*, ID_B^*)$.
– $ID_A^*$ has never been queried to the CertGen oracle.
Definition 10 (Unforgeability Against $\mathcal{A}_I$). A certificate-based signcryption scheme is said to be unforgeable against an adaptive chosen message adversary $\mathcal{A}_I$ (EUF-CBSC-CMA-I) if no probabilistic polynomial-time adversary can have a non-negligible advantage in winning the above game.
Game 4:
Setup: The challenger $\mathcal{C}$ runs the setup algorithm to generate the master secret key $Msk$, the master public key $P_{Pub}$ and the public parameters $params$. It sends $(P_{Pub}, Msk, params)$ to $\mathcal{A}_{II}$.
Query: Similar to Game 2, $\mathcal{A}_{II}$ can adaptively make requests to all oracles except CertGen.
Forgery: $\mathcal{A}_{II}$ outputs $\sigma^*$ as the signcryption of $(ID_A^*, ID_B^*)$. $\mathcal{A}_{II}$ wins if
– $\mathrm{Designcrypt}(\sigma^*, SK_B^*, Cert_B^*, PK_A^*) \neq \bot$ is a message $m^*$, where $PK_A^*$ is the original public key generated by the challenger.
– $\sigma^*$ is not the output of the signcrypt oracle on input $(m^*, ID_A^*, ID_B^*)$.
– $ID_A^*$ has never been queried to the corruption oracle.
Definition 11 (Unforgeability Against $\mathcal{A}_{II}$). A certificate-based signcryption scheme is said to be unforgeable against an adaptive chosen message adversary $\mathcal{A}_{II}$ (EUF-CBSC-CMA-II) if no probabilistic polynomial-time adversary can have a non-negligible advantage in winning the above game.
Remark 1. Our security model is similar to the one defined in [9] but with two improvements. Firstly, we define a public key replace oracle which allows the adversary to replace any user’s public key. Although this is the essence of a Type I adversary in certificate-based cryptography, the model defined in [9] does not allow the adversary to replace any user’s public key. The other improvement in our model is that we loosen the restriction in Definition 5 of [9]: in Game 3 of our security model the adversary may replace the public key $PK_A^*$ with a value of his choice.
4. Analysis of LWZ certificate-based signcryption scheme
In this section, we show that the LWZ certificate-based signcryption scheme is insecure by two concrete attacks. In order to describe our attacks, we first review the LWZ scheme.
4.1. Review of LWZ certificate-based signcryption scheme
The scheme consists of the following six algorithms:
Setup: Given a security parameter $k$, the algorithm works as follows:
– Let $G_1, G_2$ be groups of a prime order $p$ in which there exists a bilinear map $e$ from $G_1 \times G_1$ to $G_2$.
– Select a random number $s \in \mathbb{Z}_q^*$ as the master secret key, choose an arbitrary generator $P \in G_1$ and compute the master public key $P_{pub} = sP$.
– Choose four cryptographic hash functions $H_1: \{0,1\}^n \times G_1 \to G_1$, $H_2: \{0,1\}^n \times G_1 \times G_1 \to G_1$, $H_3: G_1 \times G_1 \times \{0,1\}^n \to \mathbb{Z}_q^*$ and $H_4: G_2 \to \{0,1\}^n$. The system parameters are $params = \langle G_1, G_2, e, P, P_{pub}, H_1, H_2, H_3, H_4 \rangle$.
UserKeyGen: Given $params$, select a random number $s_U \in \mathbb{Z}_q^*$ as the user secret key and compute the user public key $PK_U = s_U P \in G_1$. Suppose that Alice gets her public/secret key pair $(PK_A = s_A P, s_A)$ and Bob gets his public/secret key pair $(PK_B = s_B P, s_B)$.
CertGen: Given $params$, the master secret key $s$, the user public key $PK_U$ and the user identity $ID_U \in \{0,1\}^n$, compute $Q_U = H_1(ID_U \| PK_U) \in G_1$ and output a certificate $Cert_U = sQ_U \in G_1$. We define Alice’s certificate as $Cert_A = sQ_A = sH_1(ID_A \| PK_A)$ and Bob’s certificate as $Cert_B = sQ_B = sH_1(ID_B \| PK_B)$.
Sender signcrypt: To send a message $m$ to Bob, Alice follows the steps below.
– Choose $x \in \mathbb{Z}_q^*$ and compute $R = xP$ and $S = H_2(ID_A, PK_A, R)$.
– Compute $h = H_3(R, S, m)$ and $V = x^{-1}(Cert_A + s_A S + hP_{pub})$.
– Compute $W = e(PK_A, PK_B)^x$.
– Compute $c = H_4(W) \oplus m$.
The ciphertext is $\sigma = (c, R, V)$.
Receiver decrypt: When receiving $\sigma = (c, R, V)$, Bob follows the steps below to decrypt the ciphertext.
– Compute $W' = e(R, s_B PK_A)$.
– Recover $m' = c \oplus H_4(W')$.
Forward the message $m'$ and the signature $(R, V)$ to the receiver.
Receiver verify: To verify Alice’s signature $(R, V)$ on message $m$, where Alice has identity $ID_A$:
– Compute $S' = H_2(ID_A, PK_A, R)$ and $h' = H_3(R, S', m')$.
– Accept the message if and only if the following equation holds:
$$e(R, V) = e(P_{pub}, Q_A)\, e(PK_A, S')\, e(P, P_{pub})^{h'}.$$
4.2. Attack on the LWZ scheme’s confidentiality
During the challenge phase of the confidentiality proofs, the challenger $\mathcal{C}$ receives two messages $m_0$ and $m_1$ from the adversary. The challenger randomly chooses $b \in \{0, 1\}$ to compute $\sigma^* = (c^*, R^*, V^*)$ and sends it to the adversary. After receiving $\sigma^* = (c^*, R^*, V^*)$, the adversary can distinguish whether it is the signcryption of message $m_0$ or message $m_1$ by doing the following steps:
– Compute $S = H_2(ID_A, PK_A, R^*)$.
– Compute $h = H_3(R^*, S, m_0)$, then check whether $e(R^*, V^*) = e(P_{pub}, Q_A)\, e(PK_A, S)\, e(P, P_{pub})^{h}$ holds. If it holds, then the adversary knows that $m_0$ is the plaintext of $\sigma^*$.
Thus, without any interaction with the challenger $\mathcal{C}$ after receiving the challenge ciphertext, the adversary can distinguish whether $\sigma^*$ is the signcryption of message $m_0$ or $m_1$.
4.3. Attack on the LWZ scheme’s unforgeability
In this subsection, we show that the scheme is forgeable under a chosen message attack by a dishonest receiver Bob. The attack is as follows:
– Bob randomly chooses $x' \in \mathbb{Z}_q^*$ and $y \in \mathbb{Z}_q^*$, and computes $R' = x' P_{pub}$.
– Set $PK_A' = yP_{pub}$ as the public key of user Alice.
– Compute $S' = H_2(ID_A, PK_A', R')$.
– Randomly select a message $m$ and compute $h' = H_3(R', S', m)$.
– Set $W' = e(R', s_B PK_A')$ and compute $c' = H_4(W') \oplus m$.
– Compute $Q_A = H_1(ID_A \| PK_A')$ and $V' = x'^{-1}(Q_A + yS' + h'P)$.
The forged signcryption on message $m$ under the public key $PK_A' = yP_{pub}$ of user Alice is $\sigma = (c', R', V')$. A third party will believe that the signcryption $\sigma = (c', R', V')$ on message $m$ was really signcrypted by Alice to Bob, because $(m, R', V')$ satisfies the verification equation:
$$e(P_{pub}, Q_A)\, e(PK_A', S')\, e(P, P_{pub})^{h'} = e(P_{pub}, Q_A)\, e(yP_{pub}, S')\, e(h'P, P_{pub}) = e(P_{pub}, Q_A + yS' + h'P) = e(x'P_{pub}, x'^{-1}(Q_A + yS' + h'P)) = e(R', V').$$
Thus, a dishonest receiver can forge a valid signcryption on arbitrary messages.
5. A new certificate-based signcryption scheme
Our scheme consists of the following five concrete algorithms:
Setup: The system’s security parameter is $k$. Let $G_1$ be an additive group of prime order $q$ and $G_2$ be a multiplicative group of the same order, where there exists an admissible bilinear map $e: G_1 \times G_1 \to G_2$. Let $P$ be an arbitrary generator of $G_1$. Select a random number $s \in \mathbb{Z}_q^*$ as the master secret key and compute the master public key $P_{pub} = sP$. Choose three cryptographic hash functions $H_1: \{0,1\}^n \times G_2 \to G_1$, $H_2: G_1 \times G_2 \times G_2 \to \{0,1\}^n$, $H_3: \{0,1\}^n \times G_2 \times G_2 \to \mathbb{Z}_q^*$ and a secure symmetric encryption scheme $(E, D)$. Set $g = e(P, P) \in G_2$. The system parameters are $params = \langle G_1, G_2, e, q, P, P_{pub}, g, H_1, H_2, H_3, E, D \rangle$.
UserKeyGen: Given $params$, a user $ID_U$ selects a random number $s_U \in \mathbb{Z}_q^*$ as his secret key and computes the public key $PK_U = g^{s_U} = e(P, P)^{s_U} \in G_2$.
CertGen: Given $params$, the master secret key $s$, a user public key $PK_U$ and an identity $ID_U \in \{0,1\}^n$, the CA computes $Q_U = H_1(ID_U \| PK_U) \in G_1$ and outputs the certificate $Cert_U = sQ_U \in G_1$.
Signcrypt: To generate a signcryption on a message $m$ for the receiver Bob, Alice randomly selects $r_1, r_2 \in \mathbb{Z}_q^*$ and computes
$$p_1 = e(P, P_{pub})^{r_1},\quad p_2 = g^{r_2},\quad R = r_1 Q_A,\quad T = e(Cert_A, Q_B)^{r_1},\quad U = PK_B^{s_A},\quad K = H_2(R, T, U),\quad c = E_K(m),\quad h = H_3(c, p_1, p_2)$$
and
$$V = r_1 P_{pub} - h\, Cert_A,\quad v = r_2 - s_A h.$$
Alice sends Bob $\sigma = (c, h, V, v, R)$, which is the signcryption of $m$.
Designcrypt: Upon receiving $\sigma = (c, h, V, v, R)$, Bob computes $T' = e(R, Cert_B)$, $U' = PK_A^{s_B}$, $K' = H_2(R, T', U')$, $p_1' = e(P, V)\, e(P_{pub}, Q_A)^h$, $p_2' = g^v PK_A^h$, recovers $m' = D_{K'}(c)$ and accepts $\sigma$ if and only if $h = H_3(c, p_1', p_2')$.
The correctness of our scheme follows from the following equations:
$$p_1' = e(P, V)\, e(P_{pub}, Q_A)^h = e(P, r_1 P_{pub} - h\, Cert_A)\, e(sP, hQ_A) = e(P, r_1 P_{pub}) = p_1;$$
$$p_2' = g^v PK_A^h = g^{r_2 - s_A h} g^{s_A h} = g^{r_2} = p_2;$$
$$T' = e(R, Cert_B) = e(r_1 Q_A, sQ_B) = e(Cert_A, Q_B)^{r_1} = T;$$
$$U' = PK_A^{s_B} = e(P, P)^{s_A s_B} = PK_B^{s_A} = U;$$
and $K' = H_2(R, T', U') = K$. Therefore, we have $h' = H_3(c, p_1', p_2') = h$ and $m' = D_{K'}(c) = m$.
Remark 2. Any third party can be convinced of the validity of a signcryption by calculating $p_1', p_2'$ and verifying whether $h = H_3(c, p_1', p_2')$. In other words, one can verify the validity of a signcryption without the receiver’s private key. This we believe
5.1. Security
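As an added example that is not part of the paper, the Signcrypt and Designcrypt algorithms of Section 5 together with the third-party check of Remark 2, written in Python over a toy pairing: $G_1 = \mathbb{Z}_q$ written additively with $P = 1$, $G_2$ the order-$q$ subgroup of $\mathbb{Z}_p^*$ for a safe prime $p = 2q + 1$, and $e(xP, yP) = g^{xy}$. The pairing, the SHA-256 instantiations of $H_1, H_2, H_3$ and the XOR-stream $(E, D)$ are all constructed here for illustration and give no security (the discrete logarithm in this setting is trivial); they only exercise the correctness equations and the public verifiability.

```python
import hashlib
import secrets

# Toy pairing setting, constructed for illustration only (no security: DL here is
# trivial).  G1 is Z_q written additively with generator P = 1, G2 is the order-q
# subgroup of Z_p^* for a safe prime p = 2q + 1, and e(xP, yP) = g^(xy).  That is
# bilinear and non-degenerate, which is all the correctness equations need.

def _is_prime(n: int) -> bool:          # trial division is enough at this toy size
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def _safe_prime(start: int) -> tuple:   # smallest odd q >= start with q and 2q + 1 prime
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P_MOD, Q = _safe_prime(1 << 30)         # p = 2q + 1 (about 31 bits), q prime
G = 4                                   # 2^2 has order exactly q in Z_p^* (4 != 1 mod p)
P1 = 1                                  # the generator P of G1, i.e. the scalar 1

def pairing(x: int, y: int) -> int:
    """e(xP, yP) = g^(xy) in the toy setting; the exponent lives in Z_q."""
    return pow(G, (x * y) % Q, P_MOD)

def _digest(*parts) -> bytes:           # length-prefixed SHA-256 with a domain tag first
    hsh = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        hsh.update(len(data).to_bytes(4, "big") + data)
    return hsh.digest()

def _to_zq_star(digest: bytes) -> int:
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def h1(identity: str, pk: int) -> int:  # H1: {0,1}^n x G2 -> G1 (a scalar multiple of P)
    return _to_zq_star(_digest("H1", identity, pk))

def h2(r: int, t: int, u: int) -> bytes:  # H2: G1 x G2 x G2 -> {0,1}^n with n = 256
    return _digest("H2", r, t, u)

def h3(c: bytes, p1: int, p2: int) -> int:  # H3: {0,1}^n x G2 x G2 -> Z_q^*
    return _to_zq_star(_digest("H3", c, p1, p2))

def sym_xor(key: bytes, data: bytes) -> bytes:
    """Toy (E, D): XOR with a SHA-256 keystream, so E and D are the same call."""
    stream = b"".join(_digest("KDF", key, i) for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, stream))

def setup() -> tuple:
    s = secrets.randbelow(Q - 1) + 1              # master secret key s
    return s, (s * P1) % Q                        # (Msk, Ppub = sP)

def user_keygen() -> tuple:
    s_u = secrets.randbelow(Q - 1) + 1
    return s_u, pow(G, s_u, P_MOD)                # (SK_U, PK_U = g^{s_U})

def cert_gen(msk: int, identity: str, pk: int) -> int:
    return (msk * h1(identity, pk)) % Q           # Cert_U = s * Q_U

def signcrypt(m, id_a, sk_a, pk_a, cert_a, id_b, pk_b, ppub):
    """Alice signcrypts m for Bob; returns sigma = (c, h, V, v, R)."""
    q_a, q_b = h1(id_a, pk_a), h1(id_b, pk_b)
    r1, r2 = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    p1 = pow(pairing(P1, ppub), r1, P_MOD)        # p1 = e(P, Ppub)^{r1}
    p2 = pow(G, r2, P_MOD)                        # p2 = g^{r2}
    big_r = (r1 * q_a) % Q                        # R = r1 Q_A
    t = pow(pairing(cert_a, q_b), r1, P_MOD)      # T = e(Cert_A, Q_B)^{r1}
    u = pow(pk_b, sk_a, P_MOD)                    # U = PK_B^{s_A}
    c = sym_xor(h2(big_r, t, u), m)               # c = E_K(m) with K = H2(R, T, U)
    h = h3(c, p1, p2)
    big_v = (r1 * ppub - h * cert_a) % Q          # V = r1 Ppub - h Cert_A
    v = (r2 - sk_a * h) % Q                       # v = r2 - s_A h
    return c, h, big_v, v, big_r

def public_verify(sigma, id_a, pk_a, ppub) -> bool:
    """Remark 2: anyone can recompute p1', p2' and check h without Bob's secrets."""
    c, h, big_v, v, _ = sigma
    q_a = h1(id_a, pk_a)
    p1_ = pairing(P1, big_v) * pow(pairing(ppub, q_a), h, P_MOD) % P_MOD  # e(P,V) e(Ppub,Q_A)^h
    p2_ = pow(G, v, P_MOD) * pow(pk_a, h, P_MOD) % P_MOD                # g^v PK_A^h
    return h == h3(c, p1_, p2_)

def designcrypt(sigma, id_a, pk_a, sk_b, cert_b, ppub):
    """Bob's side: returns m, or None standing in for the paper's bottom symbol."""
    if not public_verify(sigma, id_a, pk_a, ppub):
        return None
    c, _, _, _, big_r = sigma
    t_ = pairing(big_r, cert_b)                   # T' = e(R, Cert_B)
    u_ = pow(pk_a, sk_b, P_MOD)                   # U' = PK_A^{s_B}
    return sym_xor(h2(big_r, t_, u_), c)          # m' = D_{K'}(c)
```

Because `designcrypt` runs the public check first, a receiver with the wrong key and certificate still passes the check but recovers garbage, which is exactly the separation between authenticity (public) and confidentiality (receiver-only) that the scheme is built on.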
Theorem 1. In the random oracle model, if there exists a polynomial-time IND-CBSC-CCA2 adversary $\mathcal{A}_I$ who can win Game 1 with an advantage $\varepsilon$ by making at most $q_{H_i}$ queries to the oracles $H_i$ ($i = 1, 2, 3$), $q_{PK}$ public key queries, $q_R$ public key replace queries, $q_K$ corruption queries, $q_C$ CertGen queries, $q_S$ signcrypt queries and $q_D$ designcrypt queries, then there exists a PPT algorithm $\mathcal{B}$ which can solve the Gap-BDH problem with an advantage of at least
$$\frac{1}{e^2} \cdot \frac{1}{q_{H_1}^2} \cdot \varepsilon + \frac{1}{2} - \frac{1}{2^k} - \upsilon.$$
Here, $e$ is the base of the natural logarithm, $k$ is the system’s security parameter and $\upsilon$ denotes the probability that an attacker can break the IND-CCA security of the symmetric encryption scheme $(E, D)$.
Proof. Let $P$ be the generator of $G_1$. Algorithm $\mathcal{B}$ is given a random instance $(P, aP, bP, cP, \mathcal{O}_{DBDH})$ of the Gap-BDH problem, where $\mathcal{O}_{DBDH}$ is a DBDH oracle. $\mathcal{B}$’s goal is to output $e(P, P)^{abc}$. Algorithm $\mathcal{B}$ runs $\mathcal{A}_I$ as a subroutine and acts as $\mathcal{A}_I$’s challenger. $\mathcal{B}$ maintains four lists $L_1, L_2, L_3, L_u$ which are initially empty. Lists $L_1, L_2, L_3$ are used to keep track of the answers to queries made by $\mathcal{A}_I$ to the oracles $H_1, H_2, H_3$, and the list $L_u$ is used to keep track of the answers to public key queries and public key replace queries. We assume that any $H_1$ query on an identity $ID$ happens after $\mathcal{A}_I$’s public key query on $ID$. We also assume that any CertGen queries, signcrypt queries or designcrypt queries on $ID$ only occur after $\mathcal{A}_I$ has asked for the hash $H_1$ of $ID$.
Setup. $\mathcal{B}$ sets $P_{pub} = aP$ as the master public key and $g = e(P, P)$, and sends them to $\mathcal{A}_I$.
Phase 1. $\mathcal{B}$ interacts with $\mathcal{A}_I$ as follows.
Public key queries. For a public key query on $ID_U$, $\mathcal{B}$ searches for a tuple $(ID_U, s_U, PK_U, \bullet)$ in the list $L_u$. If the tuple exists, $\mathcal{B}$ answers with $PK_U$. Otherwise $\mathcal{B}$ randomly chooses $s_U \in \mathbb{Z}_q^*$, returns $PK_U = g^{s_U}$ and adds a new tuple $(ID_U, s_U, PK_U, 0)$ into the list $L_u$.
$H_1$ queries. $\mathcal{A}_I$ asks at most $q_{H_1}$ queries on identities of his choice. $\mathcal{B}$ chooses two distinct random numbers $i, j \in \{1, \ldots, q_{H_1}\}$. For the $i$th request, $\mathcal{B}$ responds with $H_1(ID_i, PK_i) = bP$ and puts $(ID_i, PK_i, \bot)$ into the list $L_1$. For the $j$th request, $\mathcal{B}$ responds with $H_1(ID_j, PK_j) = cP$ and puts $(ID_j, PK_j, \bot)$ into the list $L_1$. For other requests $ID_U \notin \{ID_i, ID_j\}$, $\mathcal{B}$ chooses $b_u \in \mathbb{Z}_q^*$, puts $(ID_U, PK_U, b_u)$ into the list $L_1$ and responds with $H_1(ID_U, PK_U) = b_u P$.
Public key replace queries. $\mathcal{A}_I$ makes a public key replace query on $(ID_U, PK)$. $\mathcal{B}$ searches for a tuple $(ID_U, \bullet, PK_U, \bullet)$ in the list $L_u$. If the tuple is not found, $\mathcal{B}$ first generates the public key of $ID_U$ as he does in answering public key queries. Now there is a tuple $(ID_U, \bullet, PK_U, \bullet)$ in $L_u$. $\mathcal{B}$ then replaces $(ID_U, \bullet, PK_U, \bullet)$ with $(ID_U, \bullet, PK, 1)$.
$H_2$ queries. On a query $H_2(R, T, U)$, $\mathcal{B}$ searches for a tuple $(R, \bullet, U, K)$ in the list $L_2$.
(1) If the tuple has the form $(R, T, U, K)$, $\mathcal{B}$ sends $K$ to the adversary.
(2) Else, if the tuple has the form $(R, \bot, U, K)$, $\mathcal{B}$ sends $(P, R, cP, P_{pub}, T)$ to $\mathcal{O}_{DBDH}$. If the oracle returns ‘‘1’’, $\mathcal{B}$ sends $K$ to the adversary and replaces $(R, \bot, U, K)$ with $(R, T, U, K)$.
(3) Otherwise, $\mathcal{B}$ responds with a randomly chosen string $K \in \{0,1\}^n$ and adds $(R, T, U, K)$ into the list $L_2$.
$H_3$ queries. On a query $H_3(c, p_1, p_2)$, $\mathcal{B}$ searches for a tuple $(c, p_1, p_2, h)$ in the list $L_3$. If the tuple is found, $\mathcal{B}$ responds with $h$. Otherwise $\mathcal{B}$ returns a random $h \in \mathbb{Z}_q^*$ and adds $(c, p_1, p_2, h)$ into the list $L_3$.
Corruption queries. For a corruption query on $ID_U$, $\mathcal{B}$ searches for a tuple $(ID_U, s_U, PK_U, \bullet)$ in the list $L_u$. If the tuple is found, $\mathcal{B}$ responds with $s_U$. Otherwise it runs the UserKeyGen algorithm to obtain $(s_U, PK_U)$, adds $(ID_U, s_U, PK_U, 0)$ into the list $L_u$ and responds with $s_U$.
CertGen queries. For a CertGen query on $ID_U$, let $PK_U$ be the public key of $ID_U$ in the list $L_u$. $\mathcal{B}$ aborts if $H_1(ID_U, PK_U) = bP$ or $H_1(ID_U, PK_U) = cP$. Otherwise, $\mathcal{B}$ retrieves the tuple $(ID_U, PK_U, b_u)$ from $L_1$ and responds with $Cert_U = ab_u P = b_u P_{pub}$.
Signcrypt queries. We now show how $\mathcal{B}$ answers a signcrypt query $(m, ID_A, ID_B)$. Let $PK_A$ and $PK_B$ be the public keys of $ID_A$ and $ID_B$ respectively. Note that if $f_A = 1$, the public key of $ID_A$ has been replaced and $\mathcal{A}_I$ needs to provide the corresponding secret key $s_A$. There are three possible cases:
(1) If $(ID_A, PK_A)$ is not the $i$th or $j$th $H_1$ query, $\mathcal{B}$ can calculate the certificate $Cert_A$ of (
IDA,
PKA)
by making a CertGen query.After that,Bresponds with the output ofSigncrypt
(
m,
sA,
CertA,
PKB)
.(2) Else, if
(
IDB,
PKB)
is not theith orjthH1queries,Bcan generate a correct answer as follows. In this case,Bcan calculatethe certificate CertBof
(
IDB,
PKB)
.Bthen choosesV∈
G1,
r1,
r2,
h∈
Zq∗, computesR=
r1QA,
T=
e(
R,
CertB),
U=
PKBsA
, v
=
r2−
sAh. After that,Bruns theH2simulation to findK=
H2(
R,
T,
U)
and computesc=
EK(
m)
. It thencomputesp1
=
e(
P,
V)
e(
Ppub,
QA)
h,
p2=
gr2. IfL3already contains a tuple(
c,
p1,
p2,
h′)
withh′̸=
h, thenBrepeats theprocess with another choice of
(
V,
r1,
r2,
h)
until finding a tuple(
c,
p1,
p2,
h)
whose first two elements do not appear ina tuple of the listL3. Once an admissible tuple
(
c,
p1,
p2,
h)
is found,Badds it onL3and responds with a valid ciphertext(3) Otherwise
(
IDA,
IDB)
=
(
IDi,
IDj)
. In this caseBchoosesV∈
G1,
r1,
r2,
h∈
Zq∗, and computesR=
r1QA,
U=
PKAsB.Bthen tries to search a tuple
(
R,
•
,
U,
K)
in the listL2.•
If the tuple is found and has the form(
R,
T,
U,
K),
Bsends(
P,
R,
cP,
Ppub,
T)
toODBDH. If the oracle returns ‘‘1’’,BwilluseKas the encryption key.
•
Else, if the tuple is found and has the form(
R,
⊥
,
U,
K),
Bwill useKas the encryption key.•
Otherwise,Brandomly choosesK∈ {
0,
1}
nand adds(
R,
⊥
,
U,
K)
onL2.In all three cases,Bcomputesc
=
EK(
m),
p1=
e(
P,
V)
e(
Ppub,
QA)
h,
p2=
gr2 andv
=
r2−
sAh, and checks ifL3alreadycontains a tuple
(
c,
p1,
p2,
h′)
withh′̸=
h. If the tuple does not exist,Badds(
c,
p1,
p2,
h)
toL3. Otherwise, it repeats theprocess with another choice of
(
V,
r1,
r2,
h)
until finding a tuple(
c,
p1,
h)
whose first two elements do not appear in a tupleof the listL3. Once an admissible tuple
(
c,
p1,
p2,
h)
is found,Bresponds with a valid signcryption(
c,
h,
V, v,
R)
.Designcrypt queries. We now show howBcan correctly decrypt a signcryption
(σ
=
(
c,
h,
V, v,
R),
IDA,
IDB)
. Let PKAandPKBbe the public keys of IDAand IDBrespectively. IffB
=
1,
AIneeds to provide the corresponding secret keysB.(1) If
(
IDB,
PKB)
is not theith orjthH1queries,Bcan calculate the certificate of(
IDB,
PKB)
and perform a normal decryptionusing the corresponding certificate and secret key.
(2) Otherwise,Bcomputesp1
=
e(
P,
V)
e(
Ppub,
QA)
h,
p2=
gvPKhA. Ifh̸=
H3(
c,
p1,
p2)
, thenσ
is invalid and an error symbol⊥
is returned to the adversary. If the equation is satisfied,BcomputesU=
PKAsBand searches a tuple(
R,
•
,
U,
K)
inthe listL2.
•
If the tuple has the form(
R,
⊥
,
U,
K),
Bwill useKto decryptcand sends the result to the adversary.•
Else, if the tuple has the form(
R,
T,
U,
K)
.Bsends(
R,
cP,
Ppub,
T)
toODBDH. If the oracle returns ‘‘1’’,Bwill useKtodecryptcand sends the result to the adversary.
•
Otherwise,Brandomly choosesK∈ {
0,
1}
nand adds(
R,
⊥
,
U,
K)
intoL2
,
Bthen usesKto decryptcand sends theresult to the adversary.
Challenge.AIproduces two plaintextsm0
,
m1, and chooses a pair of identities(
ID∗A,
ID ∗B
)
on which it wishes to challenge. LetPK∗Aand PK∗Bbe the public keys of ID∗Aand ID∗Brespectively.Baborts if
(
ID∗A,
PK∗A)
and(
ID∗B,
PK∗B)
are not theith andjthH1queries. Otherwise,Brandomly choosesd
∈ {
0,
1}
,
V∗∈
G1
,
h∗,
r1∗,
r ∗ 2∈
Z ∗ q, computesp ∗ 1=
e(
P,
V ∗)
e(
P pub,
bp)
h ∗,
p∗2=
gr∗2, v
∗=
r∗ 2−
s ∗ Ah ∗,
R∗=
r∗ 1bP,
U ∗=
(
PK∗ B)
s ∗A. Recall that iffA
=
1, the adversary must provide the secret keys∗A.B
then searches a tuple
(
R∗,
•
,
U∗,
K∗)
in the listL2. If such a tuple is found,Brepeats the above process until the listL2does
not have the tuple
(
R∗,
•
,
U∗,
K∗)
.Bthen randomly choosesK∗∈ {
0,
1}
nand adds(
R∗,
⊥
,
U∗,
K∗)
intoL2. After that,Bcomputesc∗
=
EK∗
(
md)
and checks ifL3already contains a tuple(
c∗,
p∗ 1,
p∗
2
,
h′
)
withh′̸=
h∗. If the tuple is not found,Badds
(
c∗,
p∗1
,
p∗
2
,
h∗
)
intoL3. Otherwise, it repeats the process with another choice of
(
V∗,
h∗,
r1∗,
r∗
2
)
until finding a tuple(
c∗,
p∗1,
p∗2,
h∗)
whose first two elements do not appear in a tuple of the listL3. Once an admissible tuple(
c∗,
p∗1,
p∗
2
,
h∗
)
is found, it sends the ciphertext
(
c∗,
h∗,
V∗, v
∗,
R∗)
toAI.Phase2.AIcan continue making queries which are treated in the same way as inPhase1. Note that, it is not allowed to make
CertGen queries on IDior IDj, or a designcrypt query on
(σ
∗=
(
c∗,
h∗,
V∗, v
∗,
R∗),
IDi,
IDj)
.Guess.AIproduces a bitd′. Ifd′
=
dthenAIwins the game, whose advantage is defined asε
= |
2Pr[
d′=
d] −
1|
.We first consider the probability thatBdoes not abort during the simulation. E1 :AIdoes not make certificate queries on
(
ID∗A,
PK∗ A
)
or(
ID ∗ B,
PK ∗ B)
.E2 : At the challenge phase,AIchooses
(
ID∗A,
ID ∗B
)
as the challenge pair and their public keys are PK ∗ Aand PK∗
B, respectively.
Therefore the probability thatBdoes not abort is Pr
[
E1∧
E2]
>
1−
2 qH1q
C·
q
1 H1 2
> (
1/
e 2)
·
1 q2 H1.
Here,eis the base of natural logarithm. Since the hash functionH2is simulated as a random oracle, with probability at
least ‘‘
(ε
+
1)/
2−
1/
2k−
υ
’’AImust have sent a request
(
R∗,
T∗,
U∗,
K∗)
toH2oracle and(
R∗,
cP,
Ppub,
T∗)
is a valid BDHtuple (i.e.,e
(
P,
P)
abc=
(
T∗)
(r1∗) −1). Here,
υ
denotes the probability that an attacker can break the IND-CCA security of the symmetric encryption scheme(
E,
D)
.Thus, the probability thatBcan output a correct answer is at least
(
1/
e2)
·
1 q2 H1·
ε
+
1 2−
1 2k−
υ
.
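The step that makes both reductions work is the programmable $H_2$ oracle: when $B$ answers a signcrypt query for the target identities it cannot compute one component of the $H_2$ input (the pairing value $T$ in Theorem 1, the Diffie-Hellman value $U$ in Theorem 2), so it stores $\bot$ in that slot with a random key $K$, and it later uses the gap oracle ($O_{DBDH}$ or $O_{DDH}$) to recognise the adversary's query that fills the slot, returning the same $K$ so the two views stay consistent. The matching value is exactly the problem solution $B$ wants to extract. The following Python example is added here and is not from the paper; it implements the Theorem 2 variant (DDH oracle, $\bot$ in the $U$ slot, six-entry $L_2$ tuples) over a constructed toy group, the order-1019 subgroup of $Z_{2039}^*$, in which the DDH oracle is realised by brute-force discrete logarithm, which is only feasible because the group is tiny. The class and function names (H2Simulator, program_without_u, ddh_oracle, demo), the stand-in values for $R$ and $T$, and the sample exponents are my own, not the paper's.

```python
import secrets

# Constructed toy group (not from the paper): order-Q subgroup of Z_P^*, P = 2Q + 1.
P = 2039
Q = 1019
G = 4          # generator of the order-Q subgroup (a quadratic residue mod P)

BOT = None     # stands for the paper's ⊥ placeholder inside an L2 tuple


def ddh_oracle(g, pk_a, pk_b, u):
    """O_DDH on (g, g^a, g^b, U): returns 1 iff U = g^{ab}.
    The GDH assumption hands this oracle to B for free; here it is realised by
    brute-forcing a = log_g(pk_a), which only works because Q is tiny."""
    for a in range(Q):
        if pow(g, a, P) == pk_a % P:
            return 1 if pow(pk_b, a, P) == u % P else 0
    return 0


class H2Simulator:
    """Programmable random-oracle simulation of H2 from the proof of Theorem 2."""

    def __init__(self, n_bytes=16):
        self.L2 = []          # mutable tuples [R, T, U, K, PK_A, PK_B]; U or PKs may be BOT
        self.n = n_bytes      # key length n in bytes
        self.solutions = []   # (PK_A, PK_B, U) triples the DDH oracle accepted: U = g^{ab}

    def _fresh_key(self):
        return secrets.token_bytes(self.n)

    def program_without_u(self, R, T, pk_a, pk_b):
        """Signcrypt simulation, case (2): B does not know s_A, so it cannot compute
        U = PK_B^{s_A}; it records (R, T, ⊥, K, PK_A, PK_B) with a random K and
        encrypts under that K anyway."""
        K = self._fresh_key()
        self.L2.append([R, T, BOT, K, pk_a, pk_b])
        return K

    def query(self, R, T, U):
        """Answer an adversary's H2(R, T, U) query following the three bullets."""
        # Bullet 1: a complete tuple (R, T, U, K, •, •) exists -> answer with its K.
        for entry in self.L2:
            if entry[0] == R and entry[1] == T and entry[2] == U:
                return entry[3]
        # Bullet 2: an incomplete tuple (R, T, ⊥, K, PK_A, PK_B) exists -> ask O_DDH
        # whether U is the missing value; if so patch the tuple and reuse its K.
        for entry in self.L2:
            if entry[0] == R and entry[1] == T and entry[2] is BOT:
                if ddh_oracle(G, entry[4], entry[5], U) == 1:
                    entry[2] = U
                    self.solutions.append((entry[4], entry[5], U))
                    return entry[3]
        # Bullet 3: a fresh query -> random answer, stored with unknown public keys.
        K = self._fresh_key()
        self.L2.append([R, T, U, K, BOT, BOT])
        return K


def demo():
    """B programs H2 for the two target public keys g^a, g^b without knowing a or b;
    an adversary that does know the sender key later queries the true U = g^{ab}.
    Returns (consistent_key, wrong_u_gets_other_key, solution_extracted)."""
    a, b = 5, 17                          # constructed exponents; B only sees g^a, g^b
    pk_a, pk_b = pow(G, a, P), pow(G, b, P)
    sim = H2Simulator()
    R, T = 1234, 5678                     # stand-ins for R = r1*Q_A and T = e(R, Cert_B)
    k_used = sim.program_without_u(R, T, pk_a, pk_b)
    true_u = pow(pk_b, a, P)              # PK_B^{s_A} = g^{ab}, the GDH answer
    k_seen = sim.query(R, T, true_u)      # bullet 2 fires, same K comes back
    k_wrong = sim.query(R, T, (true_u * G) % P)   # not a DH value: bullet 3, fresh K
    return (k_used == k_seen,
            k_used != k_wrong,
            sim.solutions == [(pk_a, pk_b, true_u)])


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

The design point to notice is that B never computes $U$ itself; consistency between the signcrypt answer and the later $H_2$ answer is bought entirely from the decision oracle, and the first accepted triple in `solutions` is what $B$ outputs as $g^{ab}$. In the Theorem 1 variant the same bookkeeping applies with $\bot$ in the $T$ slot and $O_{DBDH}$ checking $(P, R, cP, P_{pub}, T)$.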
Theorem 2. In the random oracle model, if there exists a polynomial-time IND-CBSC-CCA2 adversary $A_{II}$ who can win
replace queries, $q_K$ corruption queries, $q_S$ signcrypt queries and $q_D$ designcrypt queries, then there exists a PPT algorithm $B$ which can solve the GDH problem with an advantage at least

$$(1/e^2) \cdot \frac{1}{q_{PK}^2} \cdot \left( \frac{\varepsilon + 1}{2} - \frac{1}{2^k} - \upsilon \right).$$

Here, $e$ is the base of the natural logarithm, $k$ is the system's security parameter and $\upsilon$ denotes the probability that an attacker can break the IND-CCA security of the symmetric encryption scheme $(E, D)$.

Proof. Let $P$ be the generator of $G_1$ and $g = e(P, P) \in G_2$. Algorithm $B$ is given a random instance $(g, g^a, g^b, O_{DDH})$ of the GDH problem, where $O_{DDH}$ is a DDH oracle. $B$'s goal is to output $g^{ab}$. Algorithm $B$ will run $A_{II}$ as a subroutine and act as $A_{II}$'s challenger. $B$ needs to maintain four lists $L_1, L_2, L_3, L_u$ which are initially empty. The lists $L_1, L_2, L_3$ are used to keep track of answers to queries made by $A_{II}$ to oracles $H_1, H_2, H_3$, and the list $L_u$ is used to keep track of answers to public key queries and public key replace queries. We assume that any $H_1$ query on an identity ID happens after $A_{II}$'s public key query on ID. We also assume that any signcrypt queries or designcrypt queries on ID will only occur after $A_{II}$ asks the hashing $H_1$ of ID.

Setup. $B$ randomly chooses $s \in Z_q^*$ as the master secret key, computes $P_{pub} = sP$ as the master public key and sends them to $A_{II}$.

Phase 1. $B$ interacts with $A_{II}$ as follows.

Public key queries. $A_{II}$ can make at most $q_{PK}$ queries on identities of his choice. At the beginning, $B$ chooses two distinct random numbers $i, j \in \{1, \ldots, q_{PK}\}$. For the $i$th request, $B$ responds with $PK_i = g^a$ and adds $(ID_i, \bot, PK_i, 0)$ into list $L_u$. For the $j$th request, $B$ responds with $PK_j = g^b$ and adds $(ID_j, \bot, PK_j, 0)$ into list $L_u$. For a query $ID_U \notin \{ID_i, ID_j\}$, $B$ searches a tuple $(ID_U, s_U, PK_U, \bullet)$ in the list $L_u$. If such a tuple is found $B$ responds with $PK_U$. Otherwise $B$ randomly chooses $s_U \in Z_q^*$, sends $PK_U = g^{s_U}$ to $A_{II}$, and adds a new tuple $(ID_U, s_U, PK_U, 0)$ into list $L_u$.

$H_1$ queries. On a query $(ID_U, PK_U)$, $B$ searches a triple $(ID_U, PK_U, b_u)$ in the list $L_1$. If such a triple is found $B$ responds with $H_1(ID_U, PK_U) = b_u P$. Otherwise $B$ randomly chooses $b_u \in Z_q^*$, sets $H_1(ID_U, PK_U) = b_u P$ and adds $(ID_U, PK_U, b_u)$ into list $L_1$. $b_u P$ is sent to $A_{II}$ as the answer of $H_1(ID_U, PK_U)$.

Public key replace queries. Given a public key replace query $(ID_U, PK)$, $B$ aborts if $ID_U \in \{ID_i, ID_j\}$. For any other queries, $B$ searches a tuple $(ID_U, \bullet, PK_U, \bullet)$ in the list $L_u$. If no such tuple is found $B$ adds $(ID_U, \bot, PK, 1)$ into list $L_u$. Otherwise, $B$ replaces the tuple with $(ID_U, \bot, PK, 1)$.

$H_2$ queries. On a query $H_2(R, T, U)$, $B$ searches list $L_2$.
• If there is a tuple $(R, T, U, K, \bullet, \bullet)$ in $L_2$, $B$ sends $K$ to the adversary.
• Else, if there is a tuple $(R, T, \bot, K, PK_A, PK_B)$ in $L_2$, $B$ sends $(g, PK_A, PK_B, U)$ to $O_{DDH}$. If the oracle returns "1", $B$ sends $K$ to the adversary and replaces $(R, T, \bot, K, PK_A, PK_B)$ with $(R, T, U, K, PK_A, PK_B)$.
• Otherwise, $B$ responds with a randomly chosen string $K \in \{0, 1\}^n$ and adds $(R, T, U, K, \bullet, \bullet)$ into list $L_2$.

$H_3$ queries. On a query $H_3(c, p_1, p_2)$, $B$ searches a tuple $(c, p_1, p_2, h)$ in the list $L_3$. If such a tuple is found $B$ responds with $h$; otherwise $B$ returns a random $h \in Z_q^*$ and adds $(c, p_1, p_2, h)$ into list $L_3$.

Corruption queries. For a corruption query $ID_U$, $B$ aborts if $ID_U \in \{ID_i, ID_j\}$. Else, if $ID_U \notin \{ID_i, ID_j\}$ and there is a tuple $(ID_U, s_U, PK_U, \bullet)$ in the list $L_u$, $B$ responds with $s_U$. Otherwise $B$ runs the UserKeyGen algorithm to generate $(s_U, PK_U)$, adds $(ID_U, s_U, PK_U, 0)$ into list $L_u$ and responds with $s_U$.

Signcrypt queries. We now show how $B$ can answer a signcrypt query $(m, ID_A, ID_B)$. Let $PK_A$ and $PK_B$ be the public keys of $ID_A$ and $ID_B$ respectively. Note that, if $f_A = 1$, the public key of $ID_A$ has been replaced and $A_{II}$ needs to provide the corresponding secret key $s_A$. There are two possible cases:

(1) If $ID_A$ is not the $i$th or $j$th public key query, $B$ responds with the output of Signcrypt$(m, s_A, Cert_A, PK_B)$.

(2) Otherwise, $B$ can generate a correct answer as follows. $B$ first chooses $V \in G_1$, $r_1, h, v \in Z_q^*$, computes $R = r_1 Q_A$, $T = e(R, Cert_B)$. After that, $B$ chooses a random $K \in \{0, 1\}^n$, adds $(R, T, \bot, K, PK_A, PK_B)$ into the list $L_2$ and computes $c = E_K(m)$. It then computes $p_2 = g^v PK_A^h$ and $p_1 = e(P, V)\, e(P_{pub}, Q_A)^h$. If $L_3$ already contains a tuple $(c, p_1, p_2, h')$ with $h' \neq h$, $B$ repeats the process with another choice of $(V, r_1, v, h)$ until finding a tuple $(c, p_1, p_2, h)$ whose first two elements do not appear in a tuple of the list $L_3$. Once an admissible tuple $(c, p_1, p_2, h)$ is found, $B$ adds it into $L_3$, and responds with a valid ciphertext $(c, h, V, v, R)$.

Designcrypt queries. We now show how $B$ can correctly decrypt a signcryption $(\sigma = (c, h, V, v, R), ID_A, ID_B)$. Let $PK_A$ and $PK_B$ be the public keys of $ID_A$ and $ID_B$ respectively. If $f_B = 1$, $A_{II}$ needs to provide the corresponding secret key $s_B$.

(1) If $ID_B$ is not the $i$th or $j$th public key query, $B$ can perform a normal decryption using the corresponding certificate and secret key $s_B$.

(2) Otherwise, $B$ computes $p_1 = e(P, V)\, e(P_{pub}, Q_A)^h$, $p_2 = g^v PK_A^h$. If $h \neq H_3(c, p_1, p_2)$, then $\sigma$ is invalid and an error symbol $\bot$ is returned to the adversary. Otherwise, it computes $T = e(R, Cert_B)$ and searches a tuple $(R, T, \bullet, K, \bullet, \bullet)$ in the list $L_2$.
• If the tuple has the form $(R, T, \bot, K, PK_A, PK_B)$ or $(R, T, U, K, PK_A, PK_B)$, $B$ computes $m = D_K(c)$ and sends $m$ to the adversary.
• Otherwise, the tuple has the form $(R, T, U, K, \bullet, \bullet)$. $B$ sends $(g, PK_A, PK_B, U)$ to $O_{DDH}$. If the oracle returns "1", $B$ replaces $(R, T, U, K, \bullet, \bullet)$ with $(R, T, U, K, PK_A, PK_B)$ and sends $m = D_K(c)$ to the adversary.
Otherwise, $B$ chooses a random string $K \in \{0, 1\}^n$, adds $(R, T, \bot, K, PK_A, PK_B)$ into list $L_2$, and sends $m = D_K(c)$ to the adversary.

Challenge. $A_{II}$ produces two plaintexts $m_0, m_1$, and chooses a pair of identities $(ID_A^*, ID_B^*)$ on which it wishes to challenge. Let $PK_A^*$ and $PK_B^*$ be the public keys of $ID_A^*$ and $ID_B^*$ respectively. $B$ aborts if $\{ID_A^*, ID_B^*\} \neq \{ID_i, ID_j\}$. Otherwise, $B$ randomly chooses $d \in \{0, 1\}$, $V^* \in G_1$, $h^*$