Anonymous signcryption against linear related-key attacks

(1)

Research Online

Faculty of Engineering and Information

Sciences - Papers: Part A

Faculty of Engineering and Information

Sciences

1-1-2013

Anonymous signcryption against linear related-key attacks

Hui Cui

University of Wollongong, [email protected]

Yi Mu

Man Ho Au

Follow this and additional works at: https://ro.uow.edu.au/eispapers

Part of the Engineering Commons, and the Science and Technology Studies Commons

Recommended Citation

Cui, Hui; Mu, Yi; and Au, Man Ho, "Anonymous signcryption against linear related-key attacks" (2013). Faculty of Engineering and Information Sciences - Papers: Part A. 1837.

https://ro.uow.edu.au/eispapers/1837

Research Online is the open access institutional repository for the University of Wollongong. For further information contact the UOW Library: [email protected]

(2)

Abstract

A related-key attack (RKA) occurs when an adversary tampers the private key stored in a cryptographic hardware device and observes the result of the cryptographic primitive under this modified private key. In this paper, we concentrate on the security of anonymous signcryption schemes under related-key attacks, in the sense that a signcryption system should contain no information that identifies the sender of the signcryption and the receiver of the message, and yet be decipherable by the targeted receiver. To achieve this, we consider our anonymous signcryption scheme being semantically secure against chosen

ciphertext and related-key attacks (CC-RKA), existentially unforgeable against chosen message and related-key attacks (CM-RKA), and anonymous against chosen ciphertext and related-key attacks (ANON-RKA). Specifically, we require that an anonymous signcryption scheme remains secure even when an adversary is allowed to access the signcryption oracle and the designcryption oracle on linear shifts of the private keys of the sender and the receiver, respectively. After reviewing some basic definitions related to our construction, based on the existing work on cryptographic primitives in the setting of related-key attacks, we give a concrete anonymous signcryption scheme from BDH which achieves CC-RKA security, CM-RKA security, ANON-RKA security in the random oracle model.

Keywords

signcryption, against, linear, related, key, anonymous, attacks

Disciplines

Engineering | Science and Technology Studies

Publication Details

Cui, H., Mu, Y. & Au, M. (2013). Anonymous signcryption against linear related-key attacks. Lecture Notes in Computer Science, 8209 165-183.

(3)

Related-Key Attacks

Hui Cui, Yi Mu, and Man Ho Au

School of Computer Science and Software Engineering, University of Wollongong, Wollongong, NSW 2522, Australia

[email protected],{ymu,aau}@uow.edu.au

Abstract. A related-key attack (RKA) occurs when an adversary tam-pers the private key stored in a cryptographic hardware device and ob-serves the result of the cryptographic primitive under this modified pri-vate key. In this paper, we concentrate on the security of anonymous signcryption schemes under related-key attacks, in the sense that a sign-cryption system should contain no information that identifies the sender of the signcryption and the receiver of the message, and yet be decipher-able by the targeted receiver. To achieve this, we consider our anony-mous signcryption scheme being semantically secure against chosen ci-phertext and related-key attacks (CC-RKA), existentially unforgeable against chosen message and related-key attacks (CM-RKA), and anony-mous against chosen ciphertext and related-key attacks (ANON-RKA). Specifically, we require that an anonymous signcryption scheme remains secure even when an adversary is allowed to access the signcryption or-acle and the designcryption oror-acle on linear shifts of the private keys of the sender and the receiver, respectively. After reviewing some basic definitions related to our construction, based on the existing work on cryptographic primitives in the setting of related-key attacks, we give a concrete anonymous signcryption scheme from BDH which achieves CC-RKA security, CM-CC-RKA security, ANON-CC-RKA security in the random oracle model.

Keywords: Signcryption, CC-RKA, CM-RKA, Anonymity.

1 Introduction

In recent decades, physical attacks like side channel attacks [29] that exploit information leakage from the implementation of an algorithm are becoming in-creasingly popular and come in a large variety, where an adversary observes some “physical output” of a computation (such as radiation, power, temperature, run-ning time), in addition to the “logical output” of the computation. In some of these situations, the adversary might get some partial information about private key through certain physical methods, which are referred to as key-leakage at-tacks. However, such attacks are not anticipated by the designer of the system and, correspondingly, not taken into account when arguing its security. Since modern notions of security, such as semantic security [17] and CCA security [30]

(4)

in encryption systems, is formulated in a very desired way that the adversary can fully control almost all aspects of the system (that is, the adversary is able to encrypt messages and decrypt ciphertexts at its choice), but have no access to the private keys of the entities in the communication. Unfortunately, this assumption is too ideal to satisfy in the above scenarios.

To achieve such security requirements, it requires to capture security under the context where some information of the private key are leaked to the adver-sary. In this paper, we consider a special case of such attacks, where an adversary tampers the private key stored in a cryptographic hardware device and observes the result of the cryptographic primitive under this modified private key, called related-key attack (RKA) [16, 8]. The key here could be a signing key of a cer-tificate authority or a decryption key of an encryption scheme. In related-key attacks, the adversary attempts to break a cryptographic system by invoking it with several private keys satisfying some known relations.

Although the RKA security has been achieved in various cryptographic prim-itives, there are few considering anonymity, which requires that the identities of participants should not be leaked during the communication [1]. With this in mind, in this work, we propose an approach for anonymous signcryption secure against related-key attacks. Suppose the signcryption system is composed of al-gorithms, public parameters, as well as private and public key pairs of the sender and the receiver respectively, of which the private and public keys are subject to related-key attacks, and the public parameters are system-wide, i.e., they are set beforehand and independent of users. In a protocol run, all these parameters are possible to be tampered when distributed via a public channel.

For an anonymous signcryption system, the designcryption needs the private key of the receiver while the signcryption needs the private key of the sender, hence we consider related-key attacks on private keys of both sides: chosen ci-phertext attack security under related-key attack (CC-RKA), chosen message attack security under related-key attack (CM-RKA), as well as anonymity un-der chosen ciphertext attack and related-key attack (ANON-RKA). The design-cryption oracle is forbidden when the signdesign-cryption is equal to the challenged signcryption and the derived receiver’s private key matches the original one. Also, the signcryption oracle will not be executed if the given plaintext is equal to the challenged plaintext and the derived sender’s private key matches the original one. Note that we define our model on the basis of the definitions in [7, 8, 33].

To begin with, we need to solve a problem how to designcrypt a signcryp-tionC with the private keyφ(skR), whereφdenotes a linear shift. This can be

achieved with key homomorphism [33], which can reduce a signcryption scheme against related-key attacks with chosen ciphertext attack security and anonymity to a general chosen ciphertext attack secure and anonymous signcryption scheme with additional properties that the designcryption of a signcryptionC with the private key φ(skR) equals the designcryption of another signcryption C0 with

the original private key skR. To consider the security one step further, key

(5)

in the chosen ciphertext attack security and anonymity games. Anyway, with the adaptive trapdoor relations mentioned in [22, 32, 33], this event will never happen, which can simply formulate that the challenge signcryption is an invalid signcryption for any receiver’s private keysk0_R6=skR, such that a valid

signcryp-tion with the public parameters decides a consistent private key uniquely. Next, we should consider to signcrypt a plaintextmwith the private keyφ(skS), where

φdenotes a linear shift, yet the case where the plaintext min the signcryption

C0 equals the plaintext in the output signcryption where φ(skS) 6= skS. We

adopt a collision resistant hash function in the signcryption, which disables the adversary to output a valid signcryption for any sender’s private keysk0_S 6=skS.

In this way, a valid signcryption with public parameters can only be constructed by a correct private key.

1.1 Related Work

Signcryption, introduced by Zheng [35] in 1997, is a cryptographic primitive “Signcryption” to combine the functions of digital signature and encryption in a single step with a cost lower than that required by signature-then-encryption approach. In 2002, Baek, Steinfeld, and Zheng [5] formalized and defined secu-rity notions for signcryption, which are similar to the chosen ciphertext attack security and chosen message attack security. The notion was first defined by Jee Hea An, Yevgeniy Dodis, Tal Rabin [3], where an adversary not only access the public keys of both the sender and the receiver but also know the private key of the sender, which later was extended to the security properties of signcryption [28, 25]. Malone-Lee [28] proposed the first identity-based signcryption scheme, and claimed that their scheme achieves both privacy and unforgeability. Libert and Quisquater [25] pointed out that the scheme in [28] is not semantically se-cure in privacy as the signature of the message is not hidden in the signcrypted message, and proposed a signcryption scheme with ciphertext anonymity [26] based on gap Diffie-Hellman assumption, but Yang, Wong and Deng [34] found that it is not secure. Chow et al. [15] designed an identity-based signcryption scheme with public verifiability and forward security. Concurrently, Boyen [14] extended the security model in [28] via adding three new security notions: ci-phertext unlinkability, cici-phertext authentication and cici-phertext anonymity. In addition, there are also some works concentrating on efficiency [6, 23, 24]. Bar-reto et al. [6] constructed an identity-based signcryption scheme which greatly improves the efficiency. Chung et al. [23] described a key privacy preserving sign-cryption scheme with high efficiency and simple design, and then they extended it to a ring signcryption scheme based on the technique due to Boneh et al. [13]. In 2004, Micali and Reyzin [29] put forward a comprehensive framework for modeling security against side-channel attacks, which relies on the assumption that there is no leakage of information in absence of computation. Halderman et al. [19] in 2008 described a set of attacks violating the assumption of the framework of Micali and Reyzin. Specially speaking, their “cold boot” attacks showed that a significant fraction of the bits of a cryptographic key can be recov-ered if the key is ever stored in memory, of which the framework was modeled by

(6)

Akavia, Goldwasser and Vaikuntanathan [2]. Similarly, fault injection techniques can be used to falsify, inducing the internal state of the devices being modified, if given physical access to the hardware devices [11]. Bellare and Kohno [9] in-vestigated related-key attacks from a theoretical point of view and presented an approach to formally handle the notion of related-key attacks. Followed the approach in [9], Lucks [27] presented some constructions for block ciphers and pseudorandom function generators. To solve the open problem in related-secret security whether or not related-key secure blockciphers exist, in 2010, Bellare and Cash [7] provided the first constructions to create related-secret pseudoran-dom bits. On the basis of the work in [7], Applebaum, Harnik, and Ishai [4] put forward some RKA secure symmetric encryption schemes, which can be used in garbled circuits in secure computation. In [8], Bellare, Cash and Miller found the approaches to build high-level primitives secure against related-key attacks like signatures, CCA secure public-key encryption, identity-based encryption, based on RKA secure pseudorandom functions. So far, efforts have been made to achieve RKA security about cryptographic systems such as signatures [18, 10], CCA secure public-key encryption [33, 10], identity-based encryption [10], in the setting of related-key deriving function being a class of constant functions, linear functions, affine functions, and polynomial functions.

The remainder of this paper is organized as follows. In Section 2, we briefly present the concepts associated to this work and our defined security model of RKA secure signcryption. In Section 3, we review the bilinear pairs and the complexity assumptions. In Section 4, we propose a specific construction of RKA secure signcryption from BDH, and prove its security in the random oracle model. Finally, we conclude this paper in Section 5.

2 Preliminaries

Firstly, we briefly describe the framework of signcryption, and some concepts related to RKA security. Then we details the security definitions of signcryption schemes with anonymity in the setting of related-key attacks.

2.1 Signcryption

Let M be the message space. An signcryption scheme is composed of the fol-lowing four algorithms [24]: Setup, Keygen, Signcrypt, Designcrypt.

– Setup(1λ₎_→_params_{: Taking a security parameter}_λ_{as input, this algorithm}

outputs the public parametersparams.

– Keygen(1λ_,_params₎_→₍_sk

R,pkR),(skS,pkS): Taking a security parameter

λand the public parametersparams as input, this algorithm outputs two private and public key pairs (skR,pkR), (skS,pkS).

– Signcrypt(1λ, params,m,skS, pkR)→ C: Taking a security parameter λ,

the public parametersparams, a plaintextm∈ M, the private keyskS and

(7)

– Designcrypt(1λ_,_params_,_C_,_sk

R,pkS)→m/⊥: Taking a security parameter

λ, the public parameters params, a signcryption C, the private key skR,

and the public keypkS as input, this algorithm first computes a message

and signature pair (m,σ) withskR, and checks its validity withpkS. Then

it outputs eitherm ∈ Mfor a valid signcryption, or ⊥in case of a invalid signcryption.

We require that a signcryption system is correct, meaning that ifparams←

Setup(1λ_{), (}_sk

R,pkR),(skS,pkS)←Keygen(1λ,params) andC←Signcrypt(1λ,

params,m,skS,pkR), thenm←Designcrypt(1λ,params,C,skR,pkS).

2.2 RKA Security

Related-key deriving functions.Our definition follows the notion of related-key deriving functions given in [9]. Briefly speaking, a class Φ of related-key deriving functionsφ:sku→skuis a finite set of functions with the same domain

and range, which map a key to a related key. Additionally, Φ should allow an efficient membership test, and φshould be efficiently computable. Note that in this paper, we only consider the classΦ+ _{as linear shifts.}

The familyΦ+_._{Any function}_φ_:_Z∗

q →Zq∗in this class is indexed by4 ∈Zq∗,

whereφ4(sku) : =sku+4.

Informally, we consider a secure anonymous signcryption scheme against related-key attacks to be semantically secure against chosen ciphertext and related-key attacks (CC-RKA), existentially unforgeable against chosen message and related-key attacks (CM-RKA), and anonymous against related-key attacks in the sense that a signcryption should contain no information that identifies the sender of the signcryption and the receiver of the message (ANON-RKA), and yet be decipherable by the targeted receiver.

CC-RKA Security.A signcryption scheme is semantically secure against

chosen ciphertext and related-key attacks (CC-RKA security) if no probabilis-tic polynomial-time adversary has a non-negligible advantages in the following game.

– Initialization. The challenger algorithm B runs params ← Setup(1k_{), and}

(skR,pkR),(skS,pkS)←Keygen(1λ,params). AlgorithmBgives the public

parameters params, the private and public key pair (skS, pkS), and the

public keypkRto the adversary algorithmA.

– Phase 1. AlgorithmAissues a series of queries to RKA.Designcrypt oracle. On input a signcryptionC, and a related-key deriving functionφ∈Φ, algo-rithmBruns (m,σ)←Designcrypt(1λ_,_params_,_C_,_φ₍_sk

R)), and sends (m,

σ) to algorithmA. Note that asskS is given to algorithmA, we remove the

queries to RKA.Signcrypt oracle.

– Challenge. AlgorithmAoutputs two messagesM₀∗,M₁∗∈ M,|M₀∗|=|M₁∗|, on which it wishes to be challenged. Algorithm B chooses a random d ∈ {0,1}, and runs C∗ ←Signcrypt(1λ, params, md, skS, pkR). Algorithm B

(8)

– Phase 2. AlgorithmAcontinues to adaptively issue queries to RKA.Designcrypt oracle. On input a signcryptionC, and a related-key deriving functionφ∈Φ, with the constraint (φ(skR), C) = (6 skR, C∗), algorithm B responds as in

Phase 1.

– Output. AlgorithmAoutputs its guessd0 ∈ {0,1} fordand wins the game ifd0=d.

We define algorithmA’s advantage in this game to be AdvCC-RKA_A (λ)def= |Pr[d=d0]−1/2|.

CM-RKA Security. A signcryption scheme is existentially unforgeable

against chosen message and related-key attacks (CM-RKA security) if no prob-abilistic polynomial-time adversary has a non-negligible advantages in the fol-lowing game.

(skR,pkR),(skS,pkS)←Keygen(1λ,params). AlgorithmBgives the public

parameters params, the private and public key pair (skR, pkR), and the

public keypkS to the adversary algorithmA.

– Phase 1. Algorithm A issues a series of queries to RKA.Signcrypt oracle. On input a message m ∈ M, and a related-key deriving function φ ∈ Φ, algorithmB runs C ←Signcrypt(1λ, params, m, φ(skS),pkR), and sends

Cto algorithmA. Note that asskR is given to algorithmA, we remove the

queries to RKA.Designcrypt oracle.

– Output. AlgorithmAoutputs a signcryptionC∗, and wins the game if (m∗,

σ∗) ←Designcrypt(1λ, params, C∗, skR), andtrue ←Verify(1λ, params,

m∗,σ∗).

ANON-RKA Security.A signcryption scheme is anonymous against

cho-sen ciphertext and related-key attacks (ANON-RKA security) if no probabilis-tic polynomial-time adversary has a non-negligible advantages in the following game.

(skR,0, pkR,0),(skS,0, pkS,0) ← Keygen(1λ, params), (skR,1, pkR,1),(skS,1,

pkS,1) ← Keygen(1λ, params), respectively. Algorithm B gives the public

parametersparams, the private and public key pairs (skS,0,pkS,0), (skS,1,

pkS,1), and the public keys pkR,0, pkR,1 to the adversary algorithmA. – Phase 1. AlgorithmAissues a series of queries to RKA.Designcrypt oracle.

On input skS ∈ {skS,0, skS,1}, pkR ∈ {pkR,0, pkR,1}, a signcryption C,

and a related-key deriving function φ ∈ Φ, algorithm B runs (m, σ) ←

Designcrypt(1λ, params, C, φ(skR)), and sends (m, σ) to algorithm A.

Note that asskS,0, skS,1 are given to algorithmA, we remove the queries to

RKA.Signcrypt oracle.

– Challenge. Algorithm A outputs a message M∗ ∈ M on which it wishes to be challenged. Algorithm B chooses random d, e ∈ {0,1}, and runs C∗ ← Signcrypt(1λ, params, m, skS,d, pkR,e). Algorithm B sends C∗ as the

(9)

– Phase 2. AlgorithmAcontinues to adaptively issue queries to RKA.Designcrypt oracle. On inputskS ∈ {skS,0,skS,1},pkR ∈ {pkR,0,pkR,1}, a signcryption

C, and a related-key deriving functionφ∈Φ, with the constraint (φ(skR,d),

C)6= (skR,d,C∗), algorithmBresponds as in Phase 1.

– Output. AlgorithmAoutputs its guess d0,e0 ∈ {0,1} ford, e, and wins the game ifd0=dande0=e.

We define algorithmA’s advantage in this game to be AdvANON-RKA_A (λ)def= |Pr[d=d0∧e=e0]−1/4|.

3 Bilinear Maps and Complexity Assumptions

In this section, we review a few facts related to groups with efficiently computable bilinear maps, and the security assumptions that our new schemes based on.

3.1 Bilinear Maps

Let G and GT be two multiplicative cyclic groups of prime order q. Let g be

a generator of G, and ˆe : G×G → GT be a bilinear map with the following

properties [12, 20, 21]: (1) Bilinear: for allg∈Ganda,b∈Z_q∗, we have ˆe(ga_{, g}b₎

= ˆe(g, g)ab; (2) Non-degenerate: ˆe(g, g)6= 1.

We say thatGis a bilinear group if the group action inGcan be computed efficiently and there exists a group GT and an efficiently computable bilinear

map ˆe:G×G→GT as above.

3.2 Complexity Assumptions

Computational DL. The computational Discrete Logarithm (DL) problem is

that for any probabilistic polynomial-time algorithm, it is difficult to computeb

given (g, gb_{), where}_g _∈_G_,_b _∈_Z∗

q are chosen independently and uniformly at

random.

Computational BDH.The computational bilinear Diffie-Hellman (BDH)

prob-lem is that for any probabilistic polynomial-time algorithm, it is difficult to compute ˆe(g, g)abc given (g, ga, gb, gc), where g ∈ G, a, b, c ∈ Z_q∗ are chosen independently and uniformly at random.

Decisional BDH. The decisional bilinear Diffie-Hellman (BDH) problem is

that for any probabilistic polynomial-time algorithm, it is difficult to distinguish (g, ga, gb, gc, ˆe(g, g)abc) from (g, ga, gb, gc, Z), where g ∈ G, Z ∈ GT, a, b,

(10)

4 Anonymous Signcryption from RKA Security

In this section, we propose a specific anonymous signcryption scheme in the setting of related-key attacks, and analyze its CC-RKA, CM-RKA and ANON-RKA security.

4.1 Techniques in Our Solution

To achieve key homomorphism [33], we make use of a class of functions with an additional input (namely tag), called adaptive trapdoor relations [22, 32], which is easy to compute and invert withtag, but hard to invert withouttag.

More specifically, our adaptive trapdoor relationFpku satisfies the following

features.

– Generation. This is a randomized algorithmGthat outputs a pair (pku,sku)

on input a security parameterλ.

– Sampling. On inputpku and tag, this randomized algorithmF outputs (θ,

Fpku(tag, θ)) for a randomθ.

– Inversion. For alltag,yand (pku,sku), this efficient algorithmF0 computes

F0(sku,tag, y) =Fpk−1u(tag, y).

– One-wayness. For a stateful adversaryA, it holds that

Pr     θ=θ0 tag∗← A(1λ₎_. (pku, sku)←G(1λ). (θ, y)←F(pku,tag∗). θ0 ← AF_pku−1(·,·)₍_pk u, y).    

is a negligible function inλ, where adversaryAis allowed to queryF_pk−1 u(·,·)

on anytag different from tag∗.

Key Homomorphism.LetΦbe a set of related-key deriving functions. We

say thatFpku is Φ-key homomorphic if there is a probabilistic polynomial-time

algorithm T such thatF0(φ(sku), tag, y) =F0(sku, tag, T(φ, tag, y)) holds with

overwhelming probability for allφ∈Φ,sku,tag andy.

4.2 Construction

Let ˆe:G×G→GT be a bilinear map over a bilinear group Gof prime order

qwith a generatorg∈G. The scheme is described as follows.

– Setup. To generate the system public parameters, this algorithm works as follows.

1. Chooses randomβ,γ∈Z_q∗, and computesg1=gβ,g2=gγ.

2. Chooses collision resistant hash functions H0: G2→G, H : G2 → Zq∗,

H0:G5_×_G2

T →Z ∗ q.

(11)

– Keygen. To generate two private and public key pairs for receiver R and senderSrespectively, the system chooses randomxR,xS∈Zq∗as the private

keys, and computesYR =gxR,YS =gxS as the public keys.

– Signcrypt. To signcrypt a messagem∈GT for receiverR, senderS runs as

follows.

1. Chooses a randomr∈Z_q∗, and computesµ=gr_,_θ₌_g

1r.

2. Chooses a randome∈Zq∗, and computestag=ge.

3. Computesψ= ˆe(θ, g2)·m, and

τ= (YR·g1H(µ,tag))r·H0(µ, YRr),

σ=e−xS·H0(µ, τ, ψ, YRr, YRxS, tag, m),

4. Outputs the signcryptionC = (µ,τ, ψ,tag,σ).

– Designcrypt. To designcrypt a signcrypitonCfrom senderS, receiverRruns as follows.

1. Computesθasθ = (_H τ

0(µ,µxR)·µ

−xR₎H(µ,tag)1 _{. If ˆ}_e₍_{θ, g}_{) = ˆ}_e₍_{µ, g}₁_),

com-putes m = ψ/ˆe(θ, g2), and outputs (µ, τ, ψ, m, tag, σ). Otherwise, it

outputs⊥.

2. Check the validity ofσ via tag = gσ_·_Y SH

0₍_µ,τ,ψ,µxR_,Y_SxR_,tag,m₎

. If the equation holds, it outputsm. Otherwise, it outputs⊥.

4.3 Proof of Security

We analyze the security of our proposed signcryption scheme against related-key attacks by reducing its CC-RKA security, CM-RKA security, and ANON-RKA security under the security games defined in Section 2.

Theorem 1. Assume that the decisional BDH assumption holds in G, GT, the

computational BDH problem holds in G, GT, then our signcryption scheme is CC-RKA secure regarding linear related-key deriving functionsφ+_{in the random}

oracle model.

Let (µ∗,τ∗, ψ∗, tag∗,σ∗) be the challenge signcryption of the messageMd

given to algorithmAby algorithmB. Denote Failure by the event that algorithm

Aissues (µ∗, τ∗,ψ∗, Y1, Y2, M0) or (µ∗, τ∗,ψ∗, Y1, Y2, M1) to random oracle

H0, and (µ,Y1) to random oracle H0, where ˆe(Y1, g) = ˆe(YR, µ∗).

In what follows we prove that if the event Failure does not occur, then our signcryption scheme is CC-RKA secure. We conclude this proof by showing that the event Failure has a negligible probability to occur.

Lemma 1. If the decisional BDH assumption holds in G, GT, and the event

Failure does not happen, then our signcryption scheme is CC-RKA secure.

Proof.Suppose that algorithmAis an adversary algorithm against the CC-RKA security of our signcrypiton scheme, then we can construct a challenger algorithm

(12)

(g,ga_,_gb_,_gc_,_Z_{) and outputs 1 (}_Z _{is ˆ}_e₍_{g, g}₎abc_{) or 0 (}_Z _{is a random element in}

GT).

Initialization.To simulate the system parameters, algorithmBruns as follows. 1. Chooses a collision resistant hash functionH :G2_→_Z∗

q.

2. Chooses a random e∗_∈_Z∗

q, computestag∗=ge

∗

.

3. Chooses a random xS ∈Zq∗, computes computesYS =gxS.

4. Chooses a random xr ∈ Zq∗, computes YR = (gb)−H(g

c_,tag∗₎

gxr_{. Note that} xR = loggYR =−b·H(gc, tag∗) +xr is unknown to algorithmB.

5. Sends the public parameters (g,g1,g2,H0,H,H0) of whichg1=gb,g2=ga,

H0,H0are the random oracles controlled by algorithmB, receiverR’s public

keyYR, and senderS’s public and private key pair (xS,YS) to algorithmA.

H0-query. At any time algorithm Acan query the random oracle on (µ, Y1).

AlgorithmBmaintains a listLH0 of tuples ((µ,Y1),H0(µ, Y1)) which is initially

empty. When algorithm Aissues a hash query on Y, algorithm B responds as follows.

– If (µ,Y1) already appears in listLH0, algorithmBresponds withH0(µ,Y1).

– Otherwise, algorithmB chooses a randomti ∈Zq∗, setsH0(µ, Y1) =ti, and

adds ((µ,Y1),ti) to listLH0.

H0-query. At any time algorithmA can query the random oracle on (µ, τ,ψ,

Y1, Y2, tag, m). Algorithm B maintains a list LH0 of tuples ((µ, τ, ψ, Y₁, Y₂,

tag,m),H0(µ,τ,ψ,Y1,Y2,tag,m)) which is initially empty. When algorithmA

issues a hash query on (µ,τ,ψ,Y1,Y2,tag,m), algorithmBresponds as follows. – If (µ,τ,ψ,Y1,Y2,tag,m) already appears in listLH0, algorithmBresponds

withH0(µ,τ,ψ,Y1,Y2,tag,m).

– Otherwise, algorithmB chooses a randomsi ∈Zq∗, setsH0(µ,τ, ψ, Y1,Y2,

tag,m) =si, sends si to algorithmA, and adds ((µ,τ,ψ,Y1,Y2, tag,M),

si) to listLH0.

Phase 1. Algorithm A adaptively issues the RKA designcryption queries to

algorithm B. For a query (C, φ) to RKA.Designcrypt oracle whereC = (µ, τ,

ψ, tag,σ), algorithmBresponds as follows.

1. Algorithm B computes θ0 with φ(xR). To see how algorithm B obtains θ

withoutxR, we rewriteτ such that

τ ti

= (YR·g1H(µ,tag))r=µ−b·H(g

c_,tag∗₎₊_x

r+b·H(µ,tag)

= (µb)H(µ,tag)−H(gc,tag∗)·µxr ₌_θH(µ,tag)−H(gc,tag∗)_·_µxr

⇒θ= ( τ

ti·µxr

(13)

On the other hand, θ0= (τ ti ·µ−(xR+4)₎H(µ,tag)1 _{= ((}τ ti ·µ−4)·µ−xR₎H(µ,tag)1 =θ·(µ−4)H(µ,tag)1 _.

Note that this reflects how key homomorphism works in the adaptive trap-door relation [33].

2. If ê(θ0, g) = ê(µ, g1), algorithm B outputs m = ψ/ê(θ0, g2). Otherwise, it

outputs⊥.

Challenge.AlgorithmAoutputs two messagesM0,M1∈GT on which it wishes

to be challenged. AlgorithmBchooses randoms∗,t∗∈Zq∗, a randomd∈ {0,1},

setsµ∗=gc, and computes

τ∗ _{= (}_gc₎xr_·_t∗_, _ψ∗ ₌_Z_·_M

d, σ∗ =e∗−xS·s∗.

Algorithm B outputs the signcryption C∗ = (µ∗, τ∗, ψ∗, tag∗, σ∗), and adds ((µ∗,τ∗,ψ∗,YRc,YRxS,Md),s∗) to listLH0, ((µ,Y_Rc),t∗) to listL_H

0.

Phase 2. Algorithm A adaptively issues the RKA designcryption queries to

algorithm B. For a query (C, φ) to RKA.Designcrypt oracle whereC = (µ, τ,

ψ, tag,σ), algorithmBresponds as follows.

– H(µ, tag)6=H(gc, tag∗). AlgorithmB responds as in Phase 1.

– H(µ, tag) = H(gc_{, tag}∗_{), and (}_µ_,_τ_, _ψ_, _σ₎₆_{= (}_µ∗_, _τ∗_, _ψ∗_, _σ∗_{). If algorithm}

Baccepts this signcryption, it means algorithmAbreaks the security of the CM-RKA security of our scheme, which we will analyze later. Therefore, algorithmBoutputs⊥except with negligible probability.

– H(µ, tag) =H(gc_{, tag}∗_{), and (}_µ_,_τ_,_ψ_,_σ_{) = (}_µ∗_,_τ∗_,_ψ∗_,_σ∗_{) and}_φ₍_x

R)6=xR.

If algorithmB accepts this signcryption, it means algorithmA can output

φ∈Φsuch that (τ∗

t∗ ·(µ∗)−φ(xR))

1

H(gc ,tag∗) ₆₌_⊥_{. That is, ˆ}_e₍_θ0_{, g}_{) = ˆ}_e₍_{µ, g}

1), to guarantee this, (τ ∗ t∗ ·(µ ∗₎−xR₎H(gc ,tag1 ∗) _{= (}τ ∗ t∗ ·(µ ∗₎−φ(xR)₎H(gc ,tag1 ∗) _⇒_x R=φ(xR)

should hold. Therefore, algorithmBoutputs⊥except with negligible prob-ability.

In fact this is the one-wayness property of the adaptive trapdoor relation, which on the other hand reflects how the key fingerprint property, which is indispensable according to the definitions given in [7, 4, 33], works in our construction.

Note that (C, φ) satisfying H(µ, tag) = H(gc, tag∗), (µ, τ, ψ, σ) = (µ∗,

τ∗, ψ∗, σ∗) and φ(xR) = xR, is not allowed by the definition of the CC-RKA

(14)

Output. Algorithm A outputs a guess d0 ∈ {0,1}. If d = d0, algorithm A

wins the game, and algorithmBoutputs 1 indicatingZ = ˆe(g, g)abc. Otherwise, algorithmB outputs 0 indicatingZ is random inGT.

Let be the advantage that algorithm A breaks the CC-RKA security of the above game. We can see that if algorithm B’s input tuple is (g, ga_, _gb_, _gc_,

Z) where Z= ˆe(g, g)abc_{, then algorithm}_A_{’s view of this simulation is identical}

to the real attack, thus algorithm A’s probability in outputting d0 = d must satisfy Pr[d = d0] = 1/2 +. On the other hand, if algorithm B’s input tuple (g,ga, gb, gc,Z) where Z ∈GT, then algorithmA’s advantage is nil and thus

Pr[d0=d] = 1/2. To sum up, algorithmB’s probability in solving the decisional BDH problem is

Pr[B(g, ga, gb, gc, Z)] = 1/2·(1/2 +) + 1/2·1/2 = 1/2 +/2.

In the following, we prove that the event Failure has a negligible probability to occur due to the security of the computational DH problem hiding in hash functionH0_.

Lemma 2. If the computational BDH problem holds in G, GT, then the event

Failure happens with a negligible probability.

Proof.Given algorithmAfor which the event Failure happens with a noticeable probability, we construct an algorithm B0 _{that solves the computational BDH}

problem. Specifically, we consider the following game where algorithmB0 _solves

the computational BDH problem. Suppose that algorithmB0 _{is given a random}

tuple (g,ga,gb,gc) as input and outputs ˆe(g, g)abc.

Initialization.The same as in Lemma 1.

AlgorithmBmaintains a listLH0 of tuples ((µ,Y1),H0(µ, Y1)) which is initially

empty. When algorithmAissues a hash query on (µ,Y1), algorithmBresponds

as follows.

– If ˆe(Y1, g) = ˆe(YR, gc), algorithmBsolves the computational BDH problem

immediately. To see this, we have

Y1=YRc= (gbc)−H(g c_,tag∗₎ gc·xr ⇒gbc= ( Y1 gc·xr) − 1 H(gc ,tag∗) ⇒_e_ˆ₍_{g, g}₎abc_{= ˆ}_e₍_ga_{, g}bc₎_.

– If (µ,Y1) already appears in listLH0, algorithmBresponds withH0(µ, YR

r_).

(15)

Y1, Y2, tag, m), Algorithm B maintains a list LH0 of tuples ((µ, τ, ψ, Y₁, Y₂,

tag, m),H0(µ, τ, ψ, Y1, Y2, tag, m)) which is initially empty. When algorithm A

issues a hash query on (µ,τ,ψ,Y1,Y2,tag,m), algorithmBresponds as follows. – If ˆe(Y1, g) = ˆe(YR, gc), the same as that inH0query.

– If (µ,τ,ψ,Y1,Y2,tag,m) already appears in listLH0, algorithmBresponds

tag,m) =si, sends si to algorithmA, and adds ((µ, τ,ψ,Y1, Y2,tag, m),

si) to listLH0.

Phase 1. The same as in Lemma 1.

Challenge.AlgorithmAoutputs two messagesM0,M1∈GT on which it wishes

to be challenged. AlgorithmB0 _{chooses random}_r∗_,_s∗_,_t∗_∈_Z∗

q, and computes µ∗=gr∗, τ∗= (YR·g1H(µ ∗_,tag∗₎ )r∗·t∗, ψ∗= ˆe(g1, g2)r ∗ ·Md, σ∗=e∗−xS·s∗,

Algorithm B outputs the signcryption C∗ = (µ∗, τ∗, ψ∗, tag∗, σ∗), and adds ((µ∗,τ∗,ψ∗,YRr

∗

,YRxS,tag∗,Md),s∗) to listLH0, (Y_Rr ∗

,t∗) to listLH0.

Phase 2. The same as in Lemma 1.

Lemma 1 makes sure that as long as the event Failure does not happen, then our signcryption scheme preserves CC-RKA security. Lemma 2 guarantees that as long as the event Failure does not happen, algorithmB0 _{is the same as}

algorithm B such that algorithm A cannot differentiate between algorithm B

and algorithmB0_.

This completes the proof of CC-RKA security of our signcryption scheme.

Theorem 2. Assume that the computational DL problem holds in G, then our

signcryption scheme is CM-RKA secure regarding linear related-key deriving functionsφ+ _{in the random oracle.}

Proof.Suppose that algorithmAis an adversary breaks the CM-RKA security of our signcrypiton scheme, we construct algorithmBthat solves the computational DL problem which is given input a random tuple (g,gb_{) and outputs}_b_.

Initialization.To simulate the system parameters, algorithmBruns as follows. 1. Chooses collision resistant hash functions H0:G2→G, H:G2→Zq∗,

2. Chooses a random a∈Zq∗, computes g2 =ga, and then chooses a random

xR∈Zq∗, computesYR=gxR, and a randomxs∈Zq∗, computesYS = (gb)xs.

Note thatxS = loggYS =b·xs, which is unknown to algorithmB.

3. Sends the public parameters (g, g1, g2, H0,H, H0) of whichg1=gb, where

H0 is a random oracle controlled by algorithm B, receiver R’s public and private key pair (xR,YR), and senderS’s public keyYS to algorithm A.

(16)

issues a hash query on (µ,τ,ψ,Y1,Y2,tag,m), algorithmBresponds as follows. – If (µ,τ,ψ,Y1,Y2,tag,m) already appears in listLH0, algorithmBresponds

si) to listLH0.

Phase 1.AlgorithmAadaptively issues the RKA signcryption queries to algo-rithmB. Once algorithmAqueries (m,φ) to RKA.Signcrypt oracle, algorithm

Bresponds as follows. 1. Chooses a random r∈Z∗

q, and computesµ=gr.

2. Chooses random σ, si ∈ Zq∗, and computes tag = gσ ·YSsi, τ = (YR ·

g1H(µ,tag))r·H0(µ, YRr), andψ= ˆe(g1r, g2)·m.

3. Outputs the signcryption C = (µ, τ, ψ, tag, σ), and adds ((µ, τ, ψ, YRr,

YRxS+4,tag,m),si) to listLH0.

Output.AlgorithmAoutputs a signcryption C∗= (µ∗,τ∗,ψ∗,tag∗,σ∗), and algorithm B designcrypts it following the designcryption algorithm. If this is a valid signcryption, from the Forking Lemma in [31], after a polynomial replay attack of algorithm A, we obtain two valid signcryption (µ∗, τ∗, ψ∗,tag∗, σ∗) and (µ∗,τ∗,ψ∗, tag∗,σ) withsi 6=s∗, from which we have

tag∗=gσ∗·YSs ∗ =gσ·YSsi⇒YS =g σ−σ∗ s∗ −si _⇒_b₌ σ−σ ∗ xs·(s∗−si) .

That is, algorithmBsolves the computational DL problem.

This completes the proof of CM-RKA security of our signcryption scheme.

Theorem 3. Assume that the computational BDH assumption holds in G, GT,

then our signcryption scheme is ANON-RKA secure regarding linear related-key deriving functions φ+ _{in the random oracle model.}

Proof. This part is similar to that of Theorem 1. Denote Failure by the event that algorithmAissues (µ∗, τ∗,ψ∗, Y1,Y2,M∗) to random oracleH0, and (µ,

Y1) to random oracleH0, where ˆe(Y1, g) = ˆe(YR, µ∗). We firstly prove that if the

event Failure does not occur, our signcryption scheme is ANON-RKA secure; then conclude it by that the event Failure has a negligible probability to occur. Suppose there is an adversary algorithm A against the anonymity of our RKA secure signcryption scheme. We construct a challenge algorithm B that

(17)

solves the computational BDH problem, which is given a random tuple (g, ga_,

gb,gc) as input and outputsZ= ˆe(g, g)abc.

Initialization.To simulate the system parameters, algorithmBruns as follows. 1. Chooses a collision resistant hash functionH :G2→Z_q∗.

2. Chooses a random e∗∈Z_q∗, computestag∗=ge∗.

3. Chooses randomxS,0,xS,1∈Zq∗, computesYS,0 =gxS,0,YS,1=gxS,1.

4. Chooses random xr,0,xr,1∈Zq∗, computesYR,0 = (gb)−H(g

c_,tag∗₎

gxr,0_,_Y

R,1

= (gb₎−H(gc,tag∗)_gxr,1_.

5. Sends (g,g1,g2,H0,H,H0, (xS,0,YS,0), (xS,0,YS,1),YR,0,YR,1) to algorithm

A, where g1 = gb, g2 = ga, H0, H0 are the random oracles controlled by

algorithmB.

AlgorithmBmaintains a listLH0of tuples ((µ,Y1),H0(µ,Y1)) which is initially

empty. When algorithmAissues a hash query on (µ,Y1), algorithmBresponds

as follows.

– If ˆe(Y1, g) = ˆe(YR,e, gc) fore∈ {0,1}, algorithmBsolves the computational

BDH problem immediately. To see this, we have

Y1=YR,ec= (gbc)−H(g c_,tag∗₎ gc·xr ⇒gbc= ( Y1 gc·xr) − 1 H(gc ,tag∗) ⇒_e_ˆ₍_{g, g}₎abc_{= ˆ}_e₍_ga_{, g}bc₎_.

– If (µ,Y1) already appears in listLH0, algorithmBresponds withH0(µ, Y1).

issues a hash query on (µ,τ,ψ,Y1,Y2,tag,m), algorithmBresponds as follows. – If ˆe(Y1, g) = ˆe(YR,e, gc) fore∈ {0,1}, the same as that inH0query. – If (µ,τ,ψ,Y1,Y2,tag,m) already appears in listLH0, algorithmBresponds

si) to listLH0.

Phase 1.AlgorithmAchooses (xS, YR), where xS ∈ {xS,0,xS,1},YR∈ {YR,0,

YR,1}, and adaptively issues the RKA designcryption queries to algorithm B.

For a query (C, φ) to RKA.Designcrypt oracle where C = (µ, τ, ψ, tag, σ), algorithmB responds as follows.

(18)

1. Algorithm B computes θ0 with φ(xR). To see how algorithm B obtains θ

withoutxR, we rewriteτ such that

τ ti

= (YR·g1H(µ,tag))r=µ−b·H(g

c_,tag∗₎₊_x

r+b·H(µ,tag)

= (µb)H(µ,tag)−H(gc,tag∗)·µxr ₌_θH(µ,tag)−H(gc,tag∗)_·_µxr

⇒θ= ( τ

ti·µxr

)H(µ,tag)−1H(gc ,tag∗)_.

On the other hand,

θ0= (τ ti ·µ−(xR+4)₎H(µ,tag)1 _{= ((}τ ti ·µ−4)·µ−xR₎H(µ,tag)1 =θ·(µ−4)H(µ,tag)1 _.

2. If ê(θ0, g) = ê(µ, g1), algorithm B outputs m = ψ/ê(θ0, g2). Otherwise, it

outputs⊥.

Challenge.AlgorithmAoutputs a messageM∗∈GT on which it wishes to be

challenged. AlgorithmBchooses randoms∗,t∗∈Zq∗,d,e∈ {0,1},Z ∈GT, sets

µ∗=gc, and computes

τ∗= (gc)xr,e_·_t∗_, _ψ∗₌_Z_·_M∗_, _σ∗₌_e∗₋_x

S,d·s∗.

Algorithm B outputs the signcryption C∗ = (µ∗, τ∗, ψ∗, tag∗, σ∗), and adds ((µ∗,τ∗, ψ∗, (YR,e)c, YR,exS,d, tag∗, M∗),s∗) to list LH0, ((gc, (Y_R,e)c), t∗) to

listLH0.

Phase 2.AlgorithmAchooses (xS,YR), wherexS ∈ {xS,0,xS,1},YR∈ {YR,0,

YR,1}, and adaptively issues the RKA designcryption queries to algorithm B.

For a query (C, φ) to RKA.Designcrypt oracle where C = (µ, τ, ψ, tag, σ), algorithmB responds as follows.

– H(µ, tag)6=H(gc_{, tag}∗_{). Algorithm}_B _{responds as in Phase 1.}

– H(µ, tag) = H(gc_{, tag}∗_{), and (}_µ_,_τ_, _ψ_, _σ₎₆_{= (}_µ∗_, _τ∗_, _ψ∗_, _σ∗_{). If algorithm}

Baccepts this signcryption, it means algorithmAbreaks the security of the CM-RKA security of our scheme. Therefore, algorithmBoutputs⊥except with negligible probability.

– H(µ, tag) =H(gc_{, tag}∗_{), (}_µ_, _τ_, _ψ_,_σ_{) = (}_µ∗_, _τ∗_, _ψ∗_,_σ∗_{) and} _φ₍_x

R)6=xR.

If algorithmB accepts this signcryption, it means algorithmA can output

φ∈Φ such that (τ_t∗∗·(µ∗)−φ(xR))

1

H(gc ,tag∗) 6₌⊥_{. That is, ˆ}_e₍_θ0_{, g}_{) = ˆ}_e₍_{µ, g}₁_).

To guarantee this, (τ ∗ t∗ ·(µ ∗₎−xR₎H(gc ,tag1 ∗) _{= (}τ ∗ t∗ ·(µ ∗₎−φ(xR)₎H(gc ,tag1 ∗) ⇒_x_R₌_φ₍_x_R₎

should hold. Therefore, algorithmBoutputs⊥except with negligible prob-ability.

(19)

Analysis.AlgorithmAhas negligible probability to issue (gc_,_Y

1) to random

oracle H0 such that ˆe(Y1, g) = ˆe(gc, YR,e) fore∈ {0,1}. If so, algorithm Bcan

solve the computational BDH problem immediately. On the other hand, without the value ofH0(µ, YR,ec), algorithmAhas no idea about the identity of receiver

Rfrom the challenge signcryptionC∗. Likewise, algorithmAhas negligible prob-ability to issue (µ∗_,_τ∗_,_ψ∗_,_Y

1,Y2,M∗) to random oracle H0 such that ˆe(Y1, g)

= ˆe(gc_{, Y}

R,e); otherwise, algorithmBcan solve the computational BDH problem

immediately. Obviously, without the value ofH0(µ∗, τ∗, ψ∗, YR,ec, YR,exS,d, M∗),

algorithmAcannot distinguish the identity of senderSfrom the challenge sign-cryption C∗ via verification.

This completes the proof of ANON-RKA security of our signcryption scheme.

5 Conclusions

With the development of information technology, there has been a great interest in anonymous systems. On the other hand, traditional security notions cannot meet the requirements in the scenarios where the adversaries might get some partial information about private keys through certain physical methods. Mo-tivated by the above, following the work in [8, 33], in this paper, we focus on the construction of anonymous signcryption schemes secure against related-key attacks. We put forward a specific anonymous signcryption scheme from BDH under the setting of related-key attacks, where an adversary can subsequently observe the outcome of the signcryption and designcryption algorithms under a series of modified private keys of the sender and the receiver (related to the original private keys of the sender and the receiver), respectively. On the basis of the work in [10, 33], we define the security model for anonymous signcryption systems which can resist related-key attacks while maintaining chosen ciphertext attack security (CC-RKA security), chosen message attack security (CM-RKA security) and anonymity, in the sense that a signcryption should contain no in-formation that identifies the sender of the signcryption and the receiver of the message (ANON-RKA), where an adversary is allowed to issue queries to design-cryption oracle on linear shifts of the private key of the receiver, and signdesign-cryption oracle on linear shifts of the private key of the sender.

References

1. M. Abdalla, M. Bellare, D. Catalano, E. Kiltz, T. Kohno, T. Lange, J. Malone-Lee, G. Neven, P. Paillier, and H. Shi. Searchable encryption revisited: Consistency properties, relation to anonymous ibe, and extensions. InCRYPTO, volume 3621 ofLecture Notes in Computer Science, pages 205–222. Springer, 2005.

2. A. Akavia, S. Goldwasser, and V. Vaikuntanathan. Simultaneous hardcore bits and cryptography against memory attacks. In TCC, volume 5444 of Lecture Notes in Computer Science, pages 474–495. Springer, 2009.

3. J. H. An, Y. Dodis, and T. Rabin. On the security of joint signature and encryption. InEUROCRYPT, volume 2332 ofLecture Notes in Computer Science, pages 83–107. Springer, 2002.

(20)

4. B. Applebaum, D. Harnik, and Y. Ishai. Semantic security under related-key attacks and applications. InICS. Tsinghua University Press, 2011.

5. J. Baek, R. Steinfeld, and Y. Zheng. Formal proofs for the security of signcryption. In Public Key Cryptography, volume 2274 of Lecture Notes in Computer Science, pages 80–98. Springer, 2002.

6. P. S. L. M. Barreto, B. Libert, N. McCullagh, and J.-J. Quisquater. Efficient and provably-secure identity-based signatures and signcryption from bilinear maps. In ASIACRYPT, volume 3788 ofLecture Notes in Computer Science, pages 515–532. Springer, 2005.

7. M. Bellare and D. Cash. Pseudorandom functions and permutations provably secure against related-key attacks. InCRYPTO, volume 6223 ofLecture Notes in Computer Science, pages 666–684. Springer, 2010.

8. M. Bellare, D. Cash, and R. Miller. Cryptography secure against related-key at-tacks and tampering. InASIACRYPT, volume 7073 ofLecture Notes in Computer Science, pages 486–503. Springer, 2011.

9. M. Bellare and T. Kohno. A theoretical treatment of related-key attacks: Rka-prps, rka-prfs, and applications. In EUROCRYPT, volume 2656 of Lecture Notes in Computer Science, pages 491–506. Springer, 2003.

10. M. Bellare, K. G. Paterson, and S. Thomson. Rka security beyond the linear barrier: Ibe, encryption and signatures. In ASIACRYPT, volume 7658 ofLecture Notes in Computer Science, pages 331–348. Springer, 2012.

11. E. Biham. New types of cryptoanalytic attacks using related keys (extended ab-stract). InEUROCRYPT, volume 765 ofLecture Notes in Computer Science, pages 398–409. Springer, 1993.

12. D. Boneh and M. Franklin. Identity-based encryption from the weil pairing. In CRYPTO, volume 2139 of Lecture Notes in Computer Science, pages 213–219. Springer-Verlag, 2001.

13. D. Boneh, C. Gentry, B. Lynn, and H. Shacham. Aggregate and verifiably en-crypted signatures from bilinear maps. In EUROCRYPT, volume 2656 ofLecture Notes in Computer Science, pages 416–432. Springer, 2003.

14. X. Boyen. Multipurpose identity-based signcryption (a swiss army knife for identity-based cryptography). InCRYPTO, volume 2729 ofLecture Notes in Com-puter Science, pages 383–399. Springer, 2003.

15. S. S. M. Chow, S.-M. Yiu, L. C. K. Hui, and K. P. Chow. Efficient forward and provably secure id-based signcryption scheme with public verifiability and public ci-phertext authenticity. InICISC, volume 2971 ofLecture Notes in Computer Science, pages 352–369. Springer, 2003.

16. R. Gennaro, A. Lysyanskaya, T. Malkin, S. Micali, and T. Rabin. Algorithmic tamper-proof (atp) security: Theoretical foundations for security against hardware tampering. In TCC, volume 2951 of Lecture Notes in Computer Science, pages 258–277. Springer, 2004.

17. S. Goldwasser and S. Micali. Probabilistic encryption and how to play mental poker keeping secret all partial information. InSTOC, pages 365–377. ACM, 1982. 18. V. Goyal, A. O’Neill, and V. Rao. Correlated-input secure hash functions. InTCC, volume 6597 ofLecture Notes in Computer Science, pages 182–200. Springer, 2011. 19. J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calan-drino, A. J. Feldman, J. Appelbaum, and E. W. Felten. Lest we remember: Cold boot attacks on encryption keys. In USENIX Security Symposium, pages 45–60. USENIX Association, 2008.

20. A. Joux. A one round protocol for tripartite diffie-hellman. InANTS, volume 1838 ofLecture Notes in Computer Science, pages 385–394. Springer-Verlag, 2000.

(21)

21. A. Joux and K. Nguyen. Separating decision diffie-hellman from computational diffie-hellman in cryptographic groups. J. Cryptology, 16(4):239–247, 2003. 22. E. Kiltz, P. Mohassel, and A. O’Neill. Adaptive trapdoor functions and

chosen-ciphertext security. In EUROCRYPT, volume 6110 ofLecture Notes in Computer Science, pages 673–692. Springer, 2010.

23. C. K. Li, G. Yang, D. S. Wong, X. Deng, and S. S. M. Chow. An efficient sign-cryption scheme with key privacy. In EuroPKI, volume 4582 ofLecture Notes in Computer Science, pages 78–93. Springer, 2007.

24. C. K. Li, G. Yang, D. S. Wong, X. Deng, and S. S. M. Chow. An efficient sign-cryption scheme with key privacy and its extension to ring signsign-cryption. Journal of Computer Security, 18(3):451–473, 2010.

25. B. Libert and J.-J. Quisquater. New identity based signcryption schemes from pairings. IACR Cryptology ePrint Archive, 2003:23, 2003.

26. B. Libert and J.-J. Quisquater. Efficient signcryption with key privacy from gap diffie-hellman groups. InPublic Key Cryptography, volume 2947 ofLecture Notes in Computer Science, pages 187–200. Springer, 2004.

27. S. Lucks. Ciphers secure against related-key attacks. In FSE, volume 3017 of Lecture Notes in Computer Science, pages 359–370. Springer, 2004.

28. J. Malone-Lee. Identity-based signcryption. IACR Cryptology ePrint Archive, 2002:98, 2002.

29. S. Micali and L. Reyzin. Physically observable cryptography (extended ab-stract). InTCC, volume 2951 ofLecture Notes in Computer Science, pages 278–296. Springer, 2004.

30. M. Naor and M. Yung. Public-key cryptosystems provably secure against chosen ciphertext attacks. InSTOC, pages 427–437. ACM, 1990.

31. D. Pointcheval and J. Stern. Security proofs for signature schemes. In EU-ROCRYPT, volume 1070 of Lecture Notes in Computer Science, pages 387–398. Springer, 1996.

32. H. Wee. Efficient chosen-ciphertext security via extractable hash proofs. In CRYPTO, volume 6223 of Lecture Notes in Computer Science, pages 314–332. Springer, 2010.

33. H. Wee. Public key encryption against related key attacks. InPublic Key Cryptog-raphy, volume 7293 ofLecture Notes in Computer Science, pages 262–279. Springer, 2012.

34. G. Yang, D. S. Wong, and X. Deng. Analysis and improvement of a signcryption scheme with key privacy. InISC, volume 3650 ofLecture Notes in Computer Science, pages 218–232. Springer, 2005.

35. Y. Zheng. Digital signcryption or how to achieve cost(signature & encryption)<<

cost(signature) + cost(encryption). In CRYPTO, volume 1294 ofLecture Notes in Computer Science, pages 165–179. Springer, 1997.