Abstract

Signcryption is a useful cryptographic primitive that achieves confidentiality and authentication in an efficient manner. As an extension of signcryption in certificate-based cryptography, certificate-based signcryption preserves the merits of certificate-based cryptography and signcryption simultaneously. In this paper, we present an improved security model of certificate-based signcryption that covers both public key replacement attack and insider security. We show that an existing certificate-based signcryption scheme is insecure in our model. We also propose a new certificate-based signcryption scheme that achieves security against both public key replacement attacks and insider attacks. We prove in the random oracle model that the proposed scheme is chosen-ciphertext secure and existentially unforgeable. Performance analysis shows that the proposed scheme outperforms all the previous certificate-based signcryption schemes in the literature.

1. Introduction

Public key cryptography (PKC) is an important technique to realize network and information security. In traditional PKC, a public key infrastructure (PKI) is used to provide an assurance to the users about the relationship between a public key and the holder of the corresponding private key by certificates. However, the need for PKI-supported certificates is considered the main difficulty in the deployment and management of traditional PKC. To simplify the management of the certificates, Shamir [1] introduced the concept of identity-based cryptography (IBC) in which the public key of each user is derived directly from his identity, such as an IP address or an e-mail address, and the corresponding private key is generated by a trusted third party called private key generator (PKG). The main practical benefit of IBC lies in the reduction of need for public key certificates. However, if the KGC becomes dishonest, it can impersonate any user using its knowledge of the user’s private key. This is due to the key escrow problem inherent in IBC. In addition, private keys must be sent to the users over secure channels, so private key distribution in IBC becomes a very daunting task.

To fill the gap between traditional PKC and IBC, Al-Riyami and Paterson [2] proposed a new paradigm called certificateless public key cryptography (CL-PKC) in Asiacrypt 2003. CL-PKC eliminates the key escrow problem inherent in IBC. At the same time, it preserves the advantage of IBC which is the absence of certificates and their heavy management overhead. In CL-PKC, a trusted third party called key generating center (KGC) is involved in the process of issuing a partial secret key for each user. The user independently generates its public/private key pair and combines the partial secret key from the KGC with its private key to generate the actual decryption key. By way of contrast to the PKG in IBC, the KGC does not have access to the user’s decryption key. Therefore, CL-PKC solves the key escrow problem. However, as partial secret keys must be sent to the users over secure channels, CL-PKC suffers from the distribution problem.

In Eurocrypt 2003, Gentry [3] introduced the notion of certificate-based cryptography (CBC). CBC provides an implicit certification mechanism for a traditional PKI and allows for a periodical update of certificate status. As in traditional PKC, each user in CBC generates his own public/private key pair and requests a certificate from a trusted third party called certifier. The certificate will be pushed only to the owner of the public/private key pair and act as a partial decryption key or a partial signing key. This additional functionality provides an efficient implicit certificate mechanism. For example, in the encryption scenario, a receiver needs both his private key and certificate to decrypt a ciphertext sent to him, while the message sender need not be concerned about the certificate revocation problem. The feature of implicit certification allows us to eliminate third-party queries for the certificate status and simply the public key revocation problem so that CBC does not need infrastructures like CRL and OCSP. Therefore, CBC can be used to construct an efficient PKI requiring fewer infrastructures than the traditional one. Although CBC may be inefficient when a certifier has a large number of users, this problem can be overcome by using subset covers [3]. Furthermore, there are no key escrow problem (since the certifier does not know the private keys of users) and key distribution problem (since the certificates need not be kept secret) in CBC.

Table 1 summarizes the comparison of the above cryptosystems.

Since its advent, CBC has attracted great interest in the research community and many schemes have been proposed, including many encryption schemes (e.g., [410]) and signature schemes (e.g., [1116]). As an extension of the signcryption [17] in CBC, Li et al. [18] introduced the concept of certificate-based signcryption (CBSC) that provides the functionalities of encryption and signature simultaneously. As far as we know, there exist three CBSC schemes in the literature so far. In [18], Li et al. proposed the first CBSC scheme based on Chen and Malone-Lee’s identity-based signcryption scheme [19]. However, they did not give a formal proof of their security claim. A subsequent paper by Luo et al. [20] proposed the second CBSC scheme alone with a security model of CBSC. Recently, Li et al. [21] proposed a publicly verifiable CBSC scheme that is provably secure in the random oracle model.

Our Motivations and Contributions. In this paper, we focus on the construction of a CBSC scheme that resists both the public key replacement attacks and the insider attacks.

Public key replacement attack was first introduced into CL-PKC by Al-Riyami and Paterson [2]. In this attack, an adversary who can replace a user’s public key with a value of its choice dupes any other third parties to encrypt messages or verify signatures using a false public key. It seems that this attack does not have effect on CBC since a certifier is employed for issuing a certificate for each user. Unfortunately, some previous research works [13, 16, 22] have demonstrated that it does. In CBC, the certifier does issue the certificates. However, as introduced above, CBC adopts the implicit certificate mechanism so that only the owner of a certificate needs to check the validity of his certificate and others need not be concerned about the status of his certificate. Thus, a malicious user is able to launch the public key replacement attack against an ill-designed certificate-based cryptographic scheme. We observe that Luo et al.’s CBSC scheme [20] is insecure under this attack. The concrete attack can be found in Section 4 of this paper.

Insider security [23] refers to the security against the attacks made by the insider (i.e., the sender or the receiver). It requires that, even if a sender’s private key is compromised, an attacker should not be able to designcrypt the message generated by the sender and, even with a receiver’s private key, an attacker should not be able to forge a valid signcryption as if generated by the same sender. In contrast to outsider security [23] that refers to the security against the attacks made by the outsider (i.e., any third party except the sender and the receiver), insider security can provide the stronger security for signcryption schemes [24, 25]. Therefore, it has been accepted as a necessary security requirement for a signcryption scheme to achieve. However, none of the previous constructions of CBSC [18, 20, 21] has considered insider security. The previous security models of CBSC [20, 21] only cover the case where the CBSC scheme is attacked by the outsiders. Actually, the public key replacement attack presented in Section 4 also shows that Luo et al.’s CBSC scheme [20] fails in providing insider security.

The main contributions of this paper are as follows.(1)We extend previous works by proposing an improved security model for CBSC that accurately models both the public key replacement attacks and the insider attacks. We show that Luo et al.’s CBSC scheme [20] is insecure in our security model.(2)We develop a new CBSC scheme and formally prove its security in our improved security model. In the random oracle, we prove that the proposed scheme is chosen-ciphertext secure and existentially unforgeable. To the best of our knowledge, it is the first signcryption scheme that achieves security under both the public key replacement attacks and the insider attacks in the certificate-based cryptographic setting. Furthermore, compared with the previous CBSC schemes, our scheme enjoys better performance, especially in the computation efficiency.

Paper Organization. The rest of this paper is organized as follows. In the next section, we briefly review some preliminaries required in this paper. In Section 3, we present an improved security model of CBSC. In Section 4, we show that Luo et al.’s CBSC scheme is insecure in our security model. The proposed CBSC scheme is described and analyzed in Section 5. Finally, we draw our conclusions in Section 6.

2. Preliminaries

Let be a security parameter and a -bit prime number. Let be an additive cyclic group of prime order and a multiplicative cyclic group of the same order, and let be a generator of . A bilinear pairing is a map satisfying the following properties.(i)Bilinearity: for all , , and all , , we have .(ii)Nondegeneracy: .(iii)Computability: for all , , can be efficiently computed.The security of our CBSC scheme is based on the following hard problems.

Definition 1. The computational Diffie-Hellman (CDH) problem in is, given a tuple for unknown , , to compute .

Definition 2 (see [26]). The bilinear Diffie-Hellman (BDH) problem in is, given a tuple for unknown , to compute .

Definition 3 (see [27]). The collusion attack algorithm with -traitors (-CAA) problem in is given a tuple for unknown , to compute for some value .

Definition 4 (see [28]). The modified bilinear Diffie-Hellman inversion for -values (-mBDHI) problem in is given a tuple for unknown , to compute for some value .

3. Improved Security Model for CBSC Schemes

In this section, we present an improved security model for CBSC that covers both public key replacement attack and insider security. Below, we first briefly review the definition of CBSC.

Formally, a CBSC scheme is specified by the following five algorithms.(i)Setup: on input a security parameter , this algorithm generates a master key and a list of public parameters . This algorithm is performed by a certifier. After the algorithm is performed, the certifier publishes and keeps secret.(ii)UserKeyGen: on input the public parameters , this algorithm generates a private key and public key pair for a user with identity .(iii)CertGen: on input the public parameters , the master key , a user’s identity , and public key , this algorithm generates a certificate . This algorithm is performed by a certifier. After this algorithm is performed, the certifier sends the certificate to the user via an open channel.(iv)Signcrypt, : on input the public parameters , a sender’s identity , public key , private key and certificate , a receiver’s identity , and public key , this algorithm generates a ciphertext .(v)Designcrypt: on input the public parameters , a ciphertext , the receiver’s identity , public key , private key and certificate , the sender’s identity , and public key , this algorithm outputs either a plaintext or a special symbol indicating a designcryption failure.As introduced in [3], the adversaries against a certificate-based cryptographic scheme should be divided into two types: Type I and Type II. Type I adversary (denoted by ) models an uncertified user while Type II adversary (denoted by ) models an honest-but-curious certifier who is equipped with the master key. In order to capture public key replacement attack, the Type I adversary in our CBSC security model is allowed to replace any user’s public key. Note that the Type II adversary should not be allowed to make public key replacement attacks; otherwise, it may trivially break the security of a CBSC scheme using a man-in-the-middle attack.

A CBSC scheme should satisfy both confidentiality (i.e., indistinguishability against adaptive chosen-ciphertext attacks (IND-CBSC-CCA2)) and unforgeability (i.e., existential unforgeability against adaptive chosen-messages attacks (EUF-CBSC-CMA)).

The confidentiality security of a CBSC scheme is defined via the following two games: “IND-CBSC-CCA2 Game-I” and “IND-CBSC-CCA2 Game-II,” in which a Type I adversary and a Type II adversary interact with a challenger, respectively.

IND-CBSC-CCA2 Game-I. This game is played between and a challenger.

Setup. The challenger runs the algorithm Setup to generate and . It then returns to and keeps to itself.

Phase 1. In this phase, makes requests to the following oracles adaptively.(i): on input an identity , if has already been created; the challenger outputs the current public key associated with . Otherwise, it performs the algorithm UserKeyGen to generate a private/public key pair , inserts into a list, and outputs . In this case, is said to be created. We assume that other oracles defined below only respond to an identity which has been created.(ii): on input an identity and a value , the challenger replaces the current public key of the identity with . Note that the current value of a user’s public key is used by the challenger in any computations or responses to ’s requests. This oracle models the ability of a Type I adversary to convince a legitimate user to use a false public key and thus enables our security model to capture the public key replacement attacks attempted by the Type I adversary .(iii): on input an identity , the challenger responds with a certificate CertU by running the algorithm CertGen.(iv): on input an identity , the challenger responds with a private key . Here, is disallowed to query this oracle on any identity for which the public key has been replaced. This restriction is imposed due to the fact that it is unreasonable to expect the challenger to be able to provide a private key of a user for which it does not know the private key.(v): on input a message , a sender’s identity , and a receiver’s identity , the challenger responds with . Note that it is possible that the challenger is not aware of the sender’s private key if the associated public key has been replaced. In this case, we require to provide it. In addition, we do not consider attacks targeting ciphertexts where the identities of the sender and receiver are the same. So, we disallow queries where .(vi): on input a ciphertext , a sender’s identity , and a receiver’s identity , the challenger responds with the result of Designcrypt. Note that it is possible that the challenger is not aware of the receiver’s private key if the associated public key has been replaced. In this case, we require to provide it. Again, we disallow queries where .Challenge. Once decides that Phase 1 is over, it outputs two equal-length messages and two distinct identities . The challenger picks a random bit , computes , and returns as the challenge ciphertext to .

Phase 2. In this phase, continues to issues queries as in Phase 1.

Guess. Finally, outputs a guess . We say that wins the game if and the following conditions are simultaneously satisfied: (1) cannot query on the identity at any point; (2) cannot query on an identity if the corresponding public key has been replaced; (3) in Phase 2, cannot query on unless the public key of the sender or that of the receiver has been replaced after the challenge was issued. We define ’s advantage in this game to be .

IND-CBSC-CCA2 Game-II. This game is played between and a challenger.

Setup. The challenger runs the algorithm Setup to generate and . It then returns and to .

Phase 1. In this phase, adaptively asks a polynomial bounded number of queries as in IND-CBSC-CCA2 Game-I. The only restriction is that cannot replace public keys of any users. In addition, need not make any queries to since it can compute the certificates for any identities by itself with the master key .

Challenge. Once decides that Phase 1 is over, it outputs two equal-length messages and two distinct identities . The challenger picks a random bit , computes , and returns as the challenge ciphertext to .

Phase 2. In this phase, continues to issue queries as in Phase 1.

Guess. Finally, outputs a guess . We say that wins the game if and the following two conditions are both satisfied: cannot query on the identity at any point; cannot query on in Phase 2. We define ’s advantage in this game to be .

Definition 5. A CBSC scheme is said to be IND-CBSC-CCA2 secure if no probabilistic polynomial time (PPT) adversary has nonnegligible advantage in the above two games.

Remark 6. The oracle defined in the game IND-CBSC-CCA2 Game-I models the ability of a Type I adversary to convince a legitimate user to use a false public key. It enables our security model to capture the public key replacement attacks attempted by the Type I adversary .

Remark 7. The adversary in the above definition of message confidentiality is allowed to be challenged on a ciphertext generated using a corrupted sender’s private key and certificate. This condition corresponds to the stringent requirement of insider security for confidentiality of signcryption [23]. This means that our security model ensures that the confidentiality of signcryption is preserved even if a sender’s private key is corrupted.

The unforgeability security of a CBSC scheme is defined via the following two games: “EUF-CBSC-CMA Game-I” and “EUF-CBSC-CMA Game-II,” in which a Type I adversary and a Type II adversary interact with a challenger, respectively.

EUF-CBSC-CMA Game-I. This game is played between and a challenger.

Setup. The challenger runs the algorithm Setup to generate and . It then returns to and keeps to itself.

Query. In this phase, can adaptively ask a polynomial bounded number of queries as in the game IND-CBSC-CCA2 Game-I.

Forge. Finally, outputs a forgery . We say that wins the game if the result of Designcrypt is not the symbol and the following conditions are simultaneously satisfied: (1) cannot query on the identity at any point; (2) cannot query on an identity if the corresponding public key has been replaced; (3) is not the output of any query on , where is a message. We define ’s advantage in this game to be the probability that it wins the game.

EUF-CBSC-CMA Game-II. This game is played between and a challenger.

Setup. The challenger runs the algorithm Setup to generate and . It then returns and to .

Query. In this phase, can adaptively ask a polynomial bounded number of queries as in the game IND-CBSC-CCA2 Game-II.

Forge. Finally, outputs a forgery (, , ). We say that wins the game if the result of Designcrypt) is not the symbol and the following conditions are simultaneously satisfied: (1) cannot query on the identity ; (2) is not the output of any query on (, , ), where is a message. We define ’s advantage in this game to be the probability that it wins the game.

Definition 8. A CBSC scheme is said to be EUF-CBSC-CMA secure if no PPT adversary has nonnegligible advantage in the above two games.

Remark 9. The adversary in the above definition of signature unforgeability may output a ciphertext generated using a corrupted receiver’s private key and certificate. Again, this condition corresponds to the stringent requirement of insider security for unforgeability of signcryption [23]. Hence, our security model also ensures that the unforgeability of signcryption is preserved even if a receiver’s private key is corrupted.

4. Cryptanalysis of Luo et al.’s CBSC Scheme

In this section, we give the review and attack of Luo et al.’s CBSC scheme [20].

4.1. Review of Luo et al.’s CBSC Scheme

Luo et al.’s CBSC scheme consists of the following six algorithms.(i)Setup: given a security parameter , the certifier performs as follows: generate two cyclic groups and of prime order such that there exists a bilinear pairing map ; select a random element and a random generator , and compute ; select four hash functions , , , and ; set the public parameters and the master key .(ii)UserKeyGen: given , a user with identity chooses a random as his private key and then computes his public key .(iii)CertGen: to generate a certificate for the user with identity and public key , the certifier computes and outputs the certificate .(iv)Sender Signcrypt: to send a message to the receiver , the sender does the following: randomly choose and compute and ; compute and ; compute and then ; set the ciphertext .(v)Receiver Decrypt: when receiving a ciphertext from the sender , the receiver does the following: compute where ; forward the message and signature to the algorithm Receiver Verify.(vi)Receiver Verify: to verify the sender ’s signature on the message , the receiver does the following: compute and ; check whether . If the check holds, output ; otherwise, output .

4.2. Attack on Luo et al.’s CBSC Scheme

A Type I adversary who is capable of replacing any user’s public key can forge a valid signcryption on any message from to by performing the following steps.(1)Replace the sender ’s public key with , where is a random value chosen from .(2)Choose a random value and compute and .(3)Choose a random message and compute , where and .(4)Randomly choose and set as the signcryption of the message . Note that if the adversary has corrupted the receiver ’s private key , it can compute , where .

The ciphertext passes the verification test as shown below:

This proves that the forged signcryption is valid.

Note that Luo et al.’s scheme also doses not resist insider attacks since the adversary can forge a valid signcryption using the corrupted receiver ’s private key in the step (4).

5. Our Proposed CBSC Scheme

5.1. Description of the Scheme

Our CBSC scheme is constructed from the certificate-based encryption scheme proposed by Lu et al. [8]. It consists of the following five algorithms.(i)Setup: given a security parameter , the certifier performs the following: generate two cyclic groups and of a -bit prime order such that there exists a bilinear pairing map ; choose two random generators , and compute ; choose a random element and set ; select three hash functions , and , where is the bit-length of the message to be signcrypted; set the public parameters and the master key .(ii)UserKeyGen: given , a user with identity chooses a random as his private key and then computes his public key .(iii)CertGen: to generate a certificate for a user with identity and public key , the certifier computes . The user can check the validness of the certificate by verifying whether .(iv)Signcrypt: to send a message to the receiver , the sender does the following: randomly choose and compute and ; compute and ; compute , where ; set the ciphertext .(v)Designcrypt: to designcrypt a ciphertext from the sender , the receiver does the following: compute and ; compute and then check whether , where . If the check holds, output ; otherwise, output .The consistency of our scheme can be easily verified by the following equalities:(1), ;(2);(3)

5.2. Security Proof

Theorem 10. The CBSC scheme above is IND-CBSC-CCA2 secure under the hardness of the q-mBDHI and BDH problems in the random oracle model.

This theorem can be proved by combining the following two lemmas.

Lemma 11. If a Type I adversary has advantage against our CBSC scheme when asking at most to queries, queries to , queries to , and queries to random oracles , then there exists an algorithm to solve the ()-mBDHI problem with advantage

Proof. Assume that is given a random -mBDHI instance , where . B interacts with as follows.
In the setup phase, randomly chooses and sets , , and . Furthermore, it randomly chooses a value such that and an index . Then, starts IND-CBSC-CCA2 Game-I by supplying with , where are random oracles controlled by .   can make queries on these random oracles at any time during the game. Note that the corresponding master key is which is unknown to .
Now, starts to respond to various queries as follows:
Queries. We assume that queries to are distinct. maintains a list H1List of tuples . On input , does the following.(1)If (, ) already appears on H1List in a tuple , then returns to .(2)Else if the query is on the th distinct (, ), then inserts into H1List and returns to . Note that the certificate for the identity is which is unknown to .(3)Else sets to be which has not been used and computes . It then inserts into H1List and returns .
Queries. maintains a list H2List of tuples . On input (, ), does the following. (1)If (, ) already appears on H2List in a tuple , returns to .(2)Otherwise, it returns a random and inserts into H2List.
Queries. maintains a list H3List of tuples . On input , does the following. (1)If already appears on H3List in a tuple , returns to .(2)Otherwise, it returns a random to . To anticipate possible subsequent queries to , it additionally simulates the random oracle on its own to obtain and then inserts into H3List.
Queries. maintains a list KeyList of tuples which is initially empty. On input (), does the following. (1)If already appears on KeyList in a tuple , returns to directly.(2)Otherwise, randomly chooses as the private key for the identity and computes the corresponding public key as . It then inserts into KeyList and returns to .
Queries. On input (), searches in KeyList to find a tuple and updates the tuple with .
Queries. On input (), searches in KeyList to find a tuple . If , it returns to ; otherwise, it rejects this query.
Queries. On input (), does the following. (1)If (, ) = (, ), then aborts.(2)Otherwise, searches in H1List to find a tuple and then returns to . If H1List does not contain such a tuple, queries on (, ) first.
Queries. On input (, , ), performs as follows.(1)If , can answer the query according to the specification of the algorithm Signcrypt since it knows the sender ’s private key and certificate.(2)Otherwise, randomly chooses , , and sets , , , , and , respectively. It is easy to verify that . Then, inserts and into H2List and H3List, respectively, and returns the ciphertext to . Note that fails if H2List or H3List is already defined in the corresponding value, but this only happens with probability smaller than .
Queries. On input (, , ), does the following.(1)If , can answer the query according to the specification of the algorithm Designcrypt since it knows the receiver ’s private key and certificate.(2)Otherwise, searches in H3List for all tuples of the form . If no such tuple is found, then is rejected. Otherwise, each one of them is further examined. For a tuple , first checks whether +. If the tuple passes the verification, then returns in this tuple to . If no such tuple is found, is rejected. Note that a valid ciphertext is rejected with probability smaller than across the whole game.
In the challenge phase, outputs , on which it wants to be challenged. If , then aborts. Otherwise, randomly chooses , , and , computes , and returns to as the challenge ciphertext. Observe that the decryption of is , .
In the guess phase, outputs a bit which is ignored by . Note that cannot recognize that is not a valid ciphertext unless it queries on , or on , where . Standard arguments can show that a successful is very likely to query on , or on () if the simulation is indistinguishable from a real attack environment. To produce a result, B picks a random tuple or from H2List or H3List. With probability (as H2List, H3List contain at most tuples, resp.), the chosen tuple will contain the value . Because , returns as the solution to the given -mBDHI problem.
We now derive ’s advantage in solving the -mBDHI problem. From the above construction, the simulation fails if any of the following events occurs: (1) : in the challenge phase, aborts because ; (2): makes an query on ; (3): aborts in answer one of ’s queries because of a collision on or ; (4): rejects a valid ciphertext at some point of the game.
We clearly have that and implies . We also already observed that and . Thus, we have that
Since selects the correct tuple from H2List or H3List with probability , we obtain the announced bound on ’s advantage in solving the -mBDHI problem.

Lemma 12. If a Type II adversary has advantage against our CBSC scheme when asking at most queries to , queries to , queries to , and queries to random oracles , then there exists an algorithm to solve the BDH problem with advantage

Proof. Assume that is given a BDH instance , where are three random elements from . interacts with as follows.
In the setup phase, randomly chooses , sets , and computes and . Furthermore, it randomly chooses an index with . Then, starts IND-CBSC-CCA2 Game-II by supplying with and , where are random oracles controlled by . can make queries on these random oracles at any time during the game.
Now, starts to respond various queries as follows.
Queries. maintains a list H1List of tuples . On input (), does the following: if () already appears on H1List in a tuple , then returns to ; otherwise, it returns a random and inserts into H1List.
Queries. responds as in the proof of Lemma 11.
Queries. responds as in the proof of Lemma 11.
Queries. maintains a list ` of tuples . On input (), does the following: if already appears on KeyList in a tuple , returns to . Else if , B returns to and inserts into KeyList. Note that the private key for the identity is which is unknown to . Else randomly chooses as the private key for the identity and computes the corresponding public key as . It then inserts into KeyList and returns to .
Queries. On receiving such a query on , does the following: if , then aborts; otherwise, searches in KeyList to find the tuple and returns to .
Queries. On input , does the following: if , can answer the query according to the specification of the Signcrypt algorithm since it knows the sender ’s private key and certificate. Otherwise, randomly chooses , and computes , , , , and , respectively. It is easy to verify that . It then inserts and into H2List and H3List, respectively, and returns the ciphertext to . Note that fails if H2List or H3List is already defined in the corresponding value, but this only happens with probability smaller than .
Queries. responds as in the proof of Lemma 11.
In the challenge phase, outputs , on which it wants to be challenged. If , then aborts. Otherwise, randomly chooses , , computes , and returns to as the challenge ciphertext. Observe that the decryption of is .
In the guess phase, outputs a bit, which is ignored by . Note that cannot recognize that is not a valid ciphertext unless it queries on or on , where . Standard arguments can show that a successful is very likely to query on or on if the simulation is indistinguishable from a real attack environment. To produce a result, picks a random tuple or from H2List or H3List. With probability (as H2List, H3List contain at most , tuples, resp.), the chosen tuple will contain the right element . then returns as the solution to the given BDH problem.
We now derive ’s advantage in solving the BDH problem. From the above construction, the simulation fails if any of the following events occurs: : in the challenge phase, aborts because ; : makes an query on ; : aborts in answer ’s query because of a collision on or ; : rejects a valid ciphertext at some point of the game.
We clearly have that and implies . We also already observed that and . Thus, we have that
Since selects the correct tuple from H2List or H3List with probability , we obtain the announced bound on ’s advantage in solving the BDH problem.

Theorem 13. The CBSC scheme above is EUF-CBSC-CMA secure under the hardness of the q-CAA and CDH problems in the random oracle model.

This theorem can be proved by combining the following two lemmas.

Lemma 14. If a Type I adversary asks at most queries to , queries to , queries to , and queries to random oracles and produces a valid forgery with probability , then there exists an algorithm to solve the -CAA problem with advantage .

Proof. Assume that is given a -CAA instance , where . interacts with as follows.
In the setup phase, randomly chooses , sets , and computes and . Furthermore, it randomly chooses a value such that and an index . Then, starts EUF-CBSC-CMA Game-I by supplying with , where are random oracles controlled by . Note that the corresponding master key is which is unknown to .
In the query phase, responds to various oracle queries as in the proof of Lemma 11.
Finally, in the forge phase outputs a valid forgery with probability [29]. If , aborts. Otherwise, having the knowledge of and , runs the algorithm (, , , , , , , ) to obtain the message and then simulates the random oracle on its own to obtain . Using the oracle replay technique [29], replays with the same random tape but with the different hash value to generate one more valid ciphertext such that . Since and are both valid ciphertexts for the same message and the randomness , we obtain the following relations:
Because , can compute as the solution to the given -CAA problem.
We now derive ’s advantage in solving the -CAA problem. From the above construction, the simulation fails after outputs a valid forgery if any of the following events occurs: : in the forge phase, aborts because ; : fails in using the oracle replay technique to generate one more valid ciphertext.
Clearly, . Moreover, from the forking lemma [29], we know that . Thus, we have that if produces a forgery, then will succeed in solving the -CAA problem with probability .

Lemma 15. If a Type II adversary asks at most queries to , queries to , queries to  , and queries to random oracles and produces a valid forgery with probability , then there exists an algorithm to solve the CDH problem with advantage .

Proof. Assume that is given a random CDH instance where are two random elements from . interacts with as follows.
In the setup phase, randomly chooses , sets , and computes and . Furthermore, it randomly chooses an index with . Then, starts EUF-CBSC-CMA Game-II by supplying with and , where are random oracles controlled by .
In the query phase, responds to various oracle queries as in the proof of Lemma 12.
Finally, in the forge phase outputs a valid forgery with probability [29]. If , then aborts. Otherwise, having the knowledge of and , runs the algorithm to obtain the message and then simulates the random oracle on its own to obtain , . Using the oracle replay technique [29], replays with the same random tape but with the different hash value to generate one more valid ciphertext such that . Since and are both valid ciphertexts for the same message and randomness , we obtain the following relations:
Then, we have the following relations:
Because and , can compute as the solution to the given CDH problem.
We now derive ’s advantage in solving the CDH problem. From the above construction, the simulation fails if any of the following events occurs: : in the forge phase, aborts because ; : fails in using the oracle replay technique to generate one more valid ciphertext. Clearly, . From the forking lemma [29], we know that . Thus, we have that if produces a valid forgery, then will succeed in solving the CDH problem with probability .

5.3. Performance

To evaluate the performance of our new CBSC scheme, we compare our scheme with the previous CBSC schemes in terms of the computational cost and the communicational cost.

In the computational cost comparison, we consider four major operations: pairing, exponentiation in , scalar multiplication in , and hash. Among these operations, the pairing is considered as the heaviest time-consuming one in spite of the recent advances in the implementation technique. For simplicity, we denote these operations by , and , respectively. In the communicational cost comparison, ciphertext overhead represents the difference (in bits) between the ciphertext length and the message length, denotes the bit-length of user’s identity, and and denote the bit-length of an element in and , respectively. Without considering precomputation, the performances of the compared CBSC schemes are listed in Table 2.

The efficiency of a pairing-based cryptosystem always depends on the chosen curve. Boyen [30] computes estimated relative timings for all atomic asymmetric operations (exponentiations and pairings) and representation sizes for group elements when instantiated in supersingular curves with 80-bit security (SS/80) and MNT curves with 80-bit security (MNT/80). In Table 3, we recall the data from [30].

To make a much clearer comparison, Table 4 gives the concrete values of the computational cost and the communicational cost for the compared CBE schemes according to the data in Table 3. As the hash operation is much more efficient than the multiplication in the group , the costs of the hash operations are ignored.

In our proposed CBSC scheme, the Signcrypt algorithm does not require computing any time-consuming pairings. It only needs to compute two exponentiations in , three scalar multiplications in and three hashes in each signcryption operation. The Designcrypt algorithm needs to compute two pairings, two exponentiations in , one scalar multiplication in , and three hashes to designcrypt a ciphertext. From Tables 2 and 4, we can see that our scheme is more efficient than the previous CBSC scheme, especially in the computational efficiency. Actually, the computational performance of our scheme can be further optimized when can be precomputed. Such a precomputation enables us to additionally reduce one scalar multiplication computation in and one hash computation in both the Signcrypt algorithm and the Designcrypt algorithm. In addition and most importantly, it is believed that our scheme is the first signcryption scheme in the certificate-based cryptographic setting that achieves security against both the public key replacement attacks and the insider attacks.

6. Conclusions

In this paper, we have introduced an improved security model of CBSC that captures both public key replacement attack and insider security. Our cryptanalysis has shown that Luo et al.’s CBSC scheme [20] is insecure in our security model. We have proposed a new CBSC scheme that resists both the key replacement attacks and the insider attacks. Compared with the previous CBSC schemes in the literature, the proposed scheme enjoys better performance, especially in the computation efficiency. However, a limitation of our schemes is that its security can only be achieved in the random oracle model [31]. Therefore, it would be interesting to construct a secure CBSC scheme without random oracles.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The authors would like to thank the anonymous referees for their helpful comments. This work is supported by the National Natural Science Foundation of China (Grant no. 61272542).