Abstract

Generalized signcryption (GSC) can be applied as an encryption scheme, a signature scheme, or a signcryption scheme with only one algorithm and one key pair. A key-insulated mechanism can resolve the private key exposure problem. To ensure the security of cloud storage, we introduce the key-insulated mechanism into GSC and propose a concrete scheme without bilinear pairings in the certificateless cryptosystem setting. We provide a formal definition and a security model of certificateless key-insulated GSC. Then, we prove that our scheme is confidential under the computational Diffie-Hellman (CDH) assumption and unforgeable under the elliptic curve discrete logarithm (EC-DL) assumption. Our scheme also supports both random-access key update and secure key update. Finally, we evaluate the efficiency of our scheme and demonstrate that it is highly efficient. Thus, our scheme is more suitable for users who communicate with the cloud using mobile devices.

1. Introduction

With the rapid development of cloud storage technology, its security has become increasingly important. For cloud storage, confidentiality and authentication are the two main aspects of security that must be addressed. In general, confidentiality can be realized by encryption and authentication via signature. When both methods are needed simultaneously, the sign-then-encrypt approach is traditionally utilized. However, in this traditional method, the computational costs and communication overhead are the sum of those of signature and encryption, which is very high. Signcryption [1] can realize both confidentiality and authentication simultaneously in a single logic step, and the cost is much lower than that of the traditional approach.

Zheng’s original signcryption scheme [1] is based on the public key infrastructure (PKI), whose drawback is the high management cost of the public key certificate. An identity-based cryptosystem [2] can greatly reduce the cost of public key management, but it suffers from the private key escrow problem (i.e., the trusted third-party private key generator [PKG] knows all users’ private keys).

In 2003, Al-Riyami and Paterson [3] proposed the certificateless cryptosystem, for which a user’s private key is composed of two parts: the partial-private key produced by the trusted third-party key generation center (KGC) and a secret value chosen by the user. Accordingly, a user’s public key is also composed of two parts: the user’s identity information and the public key corresponding to the secret value. Because the public key does not require a certificate, the cost of public key management is greatly reduced. Meanwhile, the KGC does not know the user’s secret value, and thus, there is no private key escrow problem. Certificateless cryptosystems have attracted widespread attention since their introduction.

Returning to cloud storage, we sometimes need confidentiality and authentication separately, whereas, at other times, both are needed simultaneously. For example, an announcement needs only authentication, private information requires only confidentiality, and information sent to others needs both. To meet this requirement, we can use three algorithms (i.e., encryption, signature, and signcryption). However, three algorithms require three pairs of keys, and hence, the key management cost is high. To reduce the complexity of key management and increase the flexibility of implementation, Han et al. [4] proposed the concept of generalized signcryption (GSC) in 2006, which is the natural extension of signcryption. GSC can realize encryption, signature, and signcryption with only one algorithm and one key pair. Because it can adaptively switch between encryption mode, signature mode, and signcryption mode, GSC can realize confidentiality and authentication separately/simultaneously in an efficient manner. Therefore, we can use GSC to achieve confidentiality and authentication separately/simultaneously in a cloud storage scenario.

In Han et al.’s original GSC scheme [4], however, the private key exposure problem was not considered. With the widespread use of mobile devices, key exposure has become a serious and realistic threat. If an attacker can obtain a victim’s private key, he/she does not need to solve the hard problems on which the cryptosystem is based. To minimize the damage caused by private key exposure, forward-secure [5], key-insulated [6], and intrusion-resilient [7] technologies have been introduced. In forward-secure technology, the lifetime of a system is divided into separate time periods. At the beginning of each time period, a user’s private key must be updated, whereas the public key remains unchanged throughout the lifetime. Thus, the private key exposure of a given time period affects only the security of the current and later time periods, while the previous time periods are protected. Hence, the attacker cannot decrypt the encryption and signcryption ciphertexts in the previous time periods and also cannot forge the signature and signcryption ciphertexts in the previous time periods. As forward-secure technology does not provide backward security, key-insulated technology has been introduced. In this technology, a physically secure but computationally limited device (the helper) is introduced and stores a helper private key. The lifetime of a system is divided into separate time periods, as in forward-security technology. When a user’s private key is updated at the beginning of a time period, the helper is needed to produce an update key. The user updates his/her private key by combining the update key and his/her old time period private key. The public key remains unchanged throughout the lifetime, as in the forward-secure technology. The signature, signcryption, decryption, and un-signcryption computations need only the user’s current time period private key, and the helper is not involved. Thus, a user’s private key being compromised in some given time periods does not affect the security of other time periods. Therefore, both forward and backward security are achieved. In addition, if the helper’s private key is exposed, as long as the user’s period private key in each time period is not exposed, security will be guaranteed. However, if the helper’s private key is exposed at the same time that the user’s private key in any time period is exposed, both forward and backward security will be breached. In intrusion-resilient technology, at the beginning of each time period, both the user’s private key and the helper’s private key must be updated. Thus, it retains the advantage of a key-insulated system while gaining the following advantages. If the helper’s private key is exposed in a given time period, both forward and backward security will still hold as long as the user’s private key is not exposed within the same time period. If the helper’s private key and the user’s private key are exposed in the same time period, forward security will be maintained. Obviously, key-insulated technology is more secure than forward-security technology, and intrusion-resilient technology is more secure than key-insulated technology. Due to the complexity and low efficiency of the current intrusion-resilient technology, here, we consider only key-insulated technology.

In this paper, we introduce key-insulated technology into GSC for the first time and propose a certificateless key-insulated GSC scheme to meet the security requirements of cloud storage. Our scheme has the following advantages. First, we use only one algorithm and one key pair to realize the key-insulated encryption, key-insulated signature, and key-insulated signcryption functions. The algorithm can switch between the encryption, signature, and signcryption modes adaptively. Therefore, it can realize confidentiality and authentication separately or simultaneously, and the total number of keys in the system is greatly reduced. Second, exposure of the user’s private keys in some time periods does not affect the security of the other time periods. Third, our scheme possesses the advantages of a certificateless cryptosystem: low public key management costs and no private key escrow problem. Fourth, our scheme does not rely on costly bilinear pairings. Bilinear pairing is a useful tool in the design of cryptography schemes, but the computational cost of a pairing can be almost 20 times that of elliptic curve point multiplication [8]. Therefore, the computational efficiency of our scheme is high. Fifth, our scheme supports unbounded time periods. In comparison, in the first key-insulated scheme [6], the total number of time periods must be given in advance. Sixth, our scheme supports random-access key update; that is, for any current time period and any desired time period , the private key can be updated from to in one step. Seventh, our scheme supports secure key update. We consider the possibility that an adversary may break into the user’s storage while a key update is occurring. In this scenario, a key update exposure from time period to is equivalent to key exposures in time periods and . Other time periods remain secure.

We give a formal definition and the security concept of certificateless key-insulated GSC. Based on the CDH hard problem, we prove that our scheme is confidential in both encryption and signcryption modes. Based on the EC-DL hard problem, we prove that our scheme is unforgeable in both signature and signcryption modes. Finally, we evaluate the efficiency of our scheme and demonstrate that it is highly efficient.

The remainder of this paper is organized as follows. In Section 2, various related works are described. Section 3 addresses various hard problems. In Section 4, the formal definition and security model are introduced. Section 5 presents the concrete certificateless key-insulated GSC scheme without bilinear pairings. In Section 6, we analyze the security of our scheme. In Section 7, we evaluate the efficiency of our scheme. We conclude the paper in Section 8.

Han et al. [4] first introduced the notion of GSC in 2006. Subsequently, Han and Gui [9] described a multireceiver GSC scheme and applied it to wireless multicast communication in 2009. Wang et al. [10] gave a formal definition and security model of GSC in the PKI setting for the first time and improved the scheme [4] in 2010. Later, Yu et al. [11] proposed an identity-based GSC scheme and a security model in the same year. Kushwah and Lal [12] simplified the security model of scheme [11] and proposed a more efficient identity-based GSC scheme in 2011. Zhou et al. [13] proposed a certificateless GSC scheme that can resist a malicious-but-passive KGC attack [14] in 2014. Wei et al. [15] proposed an identity-based GSC scheme in the standard model and applied it to big data security in 2015. Zhou [16] described an attack on scheme [9] and improved it in the same year. Subsequently, Han and Lu [17] proposed an attribute-based GSC scheme in the standard model and applied it to online social networks. Zhou et al. [18, 19] extended GSC, introduced two new concepts (generalized proxy signcryption and generalized ring signcryption), and proposed a concrete scheme in 2016. Zhang et al. [20] proposed a lightweight certificateless GSC scheme and applied it to a mobile health system in 2017.

Key-insulated encryption was first introduced by Dodis et al. [6] in 2002. Dodis et al. [21] extended the key-insulated encryption to a key-insulated signature and proposed a concrete scheme in 2003. However, in the two schemes, the total number of time periods must be given in advance. Hanaoka et al. [22] introduced key-insulated encryption into the identity-based setting and proposed an identity-based hierarchical key-insulated encryption scheme in 2005. Zhou et al. [23] proposed the first identity-based key-insulated signature in 2006. Weng et al. [24] developed an identity-based key-insulated signature in the standard model in the same year. Subsequently, Hanaoka et al. [25] introduced parallel key-insulated encryption and proposed some concrete schemes. Later, Bellare and Palacio [26] proposed a key-insulated encryption scheme in which the total number of time periods does not need to be determined in advance in the PKI setting. Li et al. [27] introduced the key-insulated mechanism into the group signature and proposed a concrete scheme in 2007. Liu and Wong [28] introduced the key-insulated mechanism into the ring signature and proposed a concrete scheme in 2008. Wan et al. [29] proposed the first certificateless key-insulated signature in 2009; their scheme was designed in the standard model. In the same year, Liu and Cao [30] noted that scheme [24] is insecure. Later, Wan et al. [31] introduced a key-insulated mechanism into the proxy signature and proposed a concrete scheme. Du et al. [32] proposed the first certificate-based key-insulated signature in 2012. Chen et al. [33] proposed the first key-insulated signcryption in the same year and proved their scheme in the standard model. Fan et al. [34] proposed a PKI-based key-insulated signcryption scheme, and Wang et al. [35] suggested an identity-based key-insulated signcryption scheme in 2013. Zhao et al. [36] introduced the key-insulated mechanism into the aggregate signature and proposed a concrete scheme in 2014. Chen et al. [37] proposed the first attribute-based key-insulated signature and applied it to anonymous authentication for a bidirectional broadcasting service in the same year. Subsequently, Zhu et al. [38] determined that scheme [33] is insecure and reported an improvement. Li et al. [39] proposed a certificate-based key-insulated signature scheme in the same year. Xiong et al. [40] proposed a pairing-free certificate-based key-insulated signature scheme for low-power devices, and Lu et al. [41] proposed a certificateless strong key-insulated signature in the standard model in 2015. Li et al. [42] proposed a certificate-based key-insulated signature in the standard model in 2016. Hong and Sun [43] proposed an attribute-based key-insulated signcryption without bilinear pairings and applied it to mobile networks during the same year.

3. Preliminaries

(1) Elliptic curve discrete logarithm (EC-DL) problem: let be an elliptic curve over the finite field , where is a prime number, and let be an additive group of prime order on . Given for unknown randomly chosen , one must compute .
(2) Computational Diffie-Hellman (CDH) problem: given for unknown randomly chosen , one must compute .

4. Formal Definition and Security Model of Certificateless Key-Insulated GSC

4.1. Formal Definition

A certificateless key-insulated GSC scheme consists of the following eight algorithms.

(1) Setup. Given a security parameter , it produces a master private key and a global public parameter . It is usually run by the KGC.

(2) Partial-Private-Key-Gen. Given a user’s identity , the , and the master private key , it produces a partial private key for the user. It is also usually run by the KGC, and the KGC sends to the user securely.

(3) User-Key-Gen. Given a user’s identity and the , it produces a secret value and the corresponding public key for the user. It is usually run by the user.

(4) Set-Initial-Key. Given a user’s identity , the , his/her partial private key , and his/her secret value , it produces a helper private key for the helper and a period private key in time period 0 for the user. It is usually run by the user. Then, the user sends the helper private key to the helper and deletes it from his/her own device.

(5) Key-Update-H. Given a user’s identity , the , the helper private key , the old time period , and the new time period , it produces an update key . It is usually run in the helper device.

(6) Key-Update-U. Given a user’s identity , the , the update key , and a user’s period private key , it produces the user’s period private key . It is usually run by the user.

(7) GSC. Given a sender’s identity , a receiver’s identity , the , a message , a time period , and the sender’s period private key , it produces a GSC ciphertext . It is usually run by the sender or anyone in encryption mode.

This algorithm can be run in three modes.
(a) Encryption mode: if is null and is not, then the GSC ciphertext is an encryption ciphertext.
(b) Signature mode: if is null and is not, then the GSC ciphertext is a signature.
(c) Signcryption mode: if neither nor is null, then the GSC ciphertext is a signcryption ciphertext.

(8) Un-GSC. Given a sender’s identity , a receiver’s identity , the , a GSC ciphertext , a time period , and the receiver’s period private key , it recovers the message in encryption or signcryption mode or returns true in signature mode; otherwise, it returns , indicating decryption failure or an invalid signature. It is usually run by the receiver or anyone in signature mode.

This algorithm can also be run in three modes.
(a) Decryption mode: if is null and is not, it runs in this mode.
(b) Signature verification mode: if is null and is not, it runs in this mode. Any person can verify the signature .
(c) Un-signcryption mode: if neither nor is null, it runs in this mode.

Note. The scheme can switch between different modes automatically. If the input of the sender’s identity is null and the receiver’s identity is not, it automatically runs in encryption mode. If the input of is not null and is, it automatically runs in signature mode. If the input of neither nor is null, it automatically runs in signcryption mode. Both and being null is disallowed.

4.2. Security Model

There are two types of attackers in the certificateless cryptosystem [3]. A type I attacker does not know the system master private key, but he/she can replace the public key of any user. This models an attack by any user other than the KGC. A type II attacker knows the system master private key, but he/she cannot replace anyone’s public key. This models an attack launched by the KGC, where the KGC is honest-but-curious: it generates the system parameters honestly according to the Setup algorithm and then attempts to attack the system. In 2007, Au et al. [14] introduced a new type of KGC attack: the malicious-but-passive KGC attack. This type of KGC attack assumes that the KGC may embed some trapdoors in the system parameters when he/she runs the Setup stage. We consider this type of KGC attack in our security model.

In terms of key-insulated security, there are three types of key exposures [6]: (i) ordinary key exposure, which involves the user-period-private key being compromised; (ii) key-update exposure, which involves the user’s device being compromised during the key-updating step; and (iii) helper-key exposure, which involves the physically secure device being compromised. Security against the first type of exposure is called basic key-insulated security, security against the second type of exposure is called secure key update, and security against the last type of exposure is called strong key-insulated security. Compromising both the user-period-private key and helper key is not allowed because, in this case, the adversary can compute the user-period-private key in any time period.

The security of GSC includes confidentiality and unforgeability. Specifically, the scheme must possess indistinguishability under an adaptively chosen ciphertext attack in encryption and signcryption modes and unforgeability under an adaptively chosen message attack in signature and signcryption modes.

By referring to the security models of schemes [6, 13, 33, 34, 39, 41], we have the following nine definitions. The first four definitions focus on the first type of exposure, Definitions 5-8 focus on the last type of exposure, and Definition 9 focuses on the second type of exposure.

There are nine oracles that can be accessed by adversary as follows.

(a) User-Creation Query. Adversary provides an identity . If it has been created, returns the public key to . Otherwise, runs the partial-key-gen and user-key-gen algorithms to produce the partial private key and the user’s secret-value/public key pair . runs the set-initial-key algorithm to produce the helper private key . Then, returns the public key to .

(b) Partial-Private-Key Query. provides a created identity , and returns the partial private key to .

(c) Secret-Value Query. provides a created identity , and returns the secret value to .

(d) Public-Key Query. provides a created identity , and returns the public key to .

(e) Public-Key-Replacement Query. provides a created identity and a new public/secret-value pair , and replaces the old public/secret-value pair with the new one .

(f) User-Period-Private-Key Query. provides a created identity and a time period , and returns the user’s period private key to (first running the key-update-h and key-update-u algorithms, if necessary).

(g) Helper-Key Query. provides a created identity . returns the user’s helper key to .

(h) GSC Query. provides two created identities (one of them may be null), a message , and a time period . runs the GSC algorithm and returns its output to .

(i) Un-GSC Query. provides two created identities (one of them may be null), a ciphertext , and a time period . runs the Un-GSC algorithm and returns its results to .

4.2.1. Basic Key-Insulated Security

Definition 1 (type I confidentiality, encryption, and signcryption modes). A certificateless key-insulated GSC scheme is said to be indistinguishability-certificateless-basic key-insulated-GSC-adaptive chosen ciphertext attack-type I (IND-CL-Basic-KI-GSC-CCA2-I) secure if no probabilistic polynomial time (PPT) adversary has a nonnegligible advantage in the following game.
(1) Setup. Given a security parameter , challenger runs the setup algorithm to produce the system public parameter and a master private key . He/she returns to adversary and keeps secret.
(2) Find Stage. can adaptively ask all the above oracles, except the helper-key oracle.
(3) Challenge Stage. provides two distinct messages with equal length, a created sender’s identity ( may be null), a created receiver’s identity , and a time period . randomly chooses and computes . Then, returns to .
(4) Guess Stage. can ask the same queries as in the Find stage adaptively. Finally, gives his/her guess . If , he/she wins the game. The restrictions on are as follows:
(a) The receiver’s identity cannot be null.
(b) cannot ask for ’s period private key in time period .
(c) cannot ask for the partial private key of .
(d) In the Guess stage, cannot make an Un-GSC query on the challenge ciphertext under , , and unless the public key of or has been replaced after the Challenge stage.
’s advantage is defined as .

Note. In the above Challenge stage, the sender’s identity may be null. In this case, it runs in encryption mode; otherwise it runs in signcryption mode. Thus, the encryption and signcryption modes share the same game, as described above.

Definition 2 (type II confidentiality, encryption, and signcryption modes). A certificateless key-insulated GSC scheme is said to be IND-CL-Basic-KI-GSC-CCA2-II secure if no PPT adversary has a nonnegligible advantage in the following game.
(1) Setup. Given a security parameter , adversary runs the setup algorithm to produce the system public parameter and a master private key . He/she returns and to challenger .
(2) Find Stage. can adaptively ask all the above oracles except the helper-key, partial-private-key, and public-key-replacement oracles. holds the master private key and thus he/she can compute the partial private key by himself/herself. is not allowed to replace anyone’s public key in the certificateless cryptographic system.
(3) Challenge Stage. provides two distinct messages with equal length, a created sender’s identity ( may be null), a created receiver’s identity , and a time period . randomly chooses and computes . Then, returns to .
(4) Guess Stage. can ask the same queries adaptively as in the Find stage. Finally, gives his/her guess . If , he/she wins the game. The restrictions on are as follows:
(a) The receiver’s identity cannot be null.
(b) cannot ask for ’s period private key in time period .
(c) cannot ask for ’s secret value .
(d) In the Guess stage, cannot make an Un-GSC query on the challenge ciphertext under , , and .
’s advantage is defined as .

Note  1. In the above Challenge stage, the sender’s identity may be null. In this case, it runs in encryption mode; otherwise, it runs in signcryption mode. Thus, the encryption and signcryption modes share the same game, as described above.

Note  2. To resist the malicious-but-passive KGC attack, adversary must be allowed to produce the system parameters and master private key in the Setup stage.

Definition 3 (type I unforgeability, signature, and signcryption modes). A certificateless key-insulated GSC scheme is said to be existentially unforgeable-certificateless-basic key-insulated-GSC-adaptive chosen message attack-type I (EUF-CL-Basic-KI-GSC-CMA-I) secure if no PPT adversary has a nonnegligible advantage in the following game.
(1) Setup. The same as in Definition 1.
(2) Queries. The same as in Definition 1.
(3) Forgery. Finally, outputs a forged GSC ciphertext in time period with as the sender and as the receiver. wins the game if the output of the Un-GSC algorithm is not the symbol and if the following conditions hold:
(a) The sender’s identity cannot be null.
(b) cannot ask for ’s period private key in time period .
(c) cannot ask for ’s partial private key .
(d) is not the output of the GSC query.
’s advantage is its probability of victory.

Note. In the above Forgery stage, the receiver’s identity may be null. In this case, it runs in signature mode; otherwise, it runs in signcryption mode. Thus, the signature and signcryption modes share the same game, as described above.

Definition 4 (type II unforgeability, signature, and signcryption modes). A certificateless key-insulated GSC scheme is said to be EUF-CL-Basic-KI-GSC-CMA-II secure if no PPT adversary has a nonnegligible advantage in the following game.
(1) Setup. The same as in Definition 2.
(2) Queries. The same as in Definition 2.
(3) Forgery. Finally, outputs a forged GSC ciphertext in time period with as the sender and as the receiver. wins the game if the output of the Un-GSC algorithm is not the symbol and if the following conditions hold:
(a) The sender’s identity cannot be null.
(b) cannot ask for ’s period private key in time period .
(c) cannot ask for ’s secret value .
(d) is not the output of the GSC query.
’s advantage is its probability of victory.

Note. In the above Forgery stage, the receiver’s identity may be null. In this case, it runs in signature mode; otherwise, it runs in signcryption mode. Thus, the signature and signcryption modes share the same game, as described above.

4.2.2. Strong Key-Insulated Security

Definition 5 (type I confidentiality, encryption, and signcryption modes). A certificateless key-insulated GSC scheme is said to be IND-CL-Strong-KI-GSC-CCA2-I secure if no PPT adversary has a nonnegligible advantage in the following game.
(1) Setup. The same as in Definition 1.
(2) Find Stage. can adaptively ask all the above oracles except the user-period-private-key oracle.
(3) Challenge Stage. The same as in Definition 1.
(4) Guess Stage. can adaptively make the same queries as in the Find stage. Finally, gives his/her guess . If , he/she wins the game. The restrictions on are as follows:
(a) The receiver’s identity cannot be null.
(b) cannot ask for the partial private key of .
(c) In the Guess stage, cannot make an Un-GSC query on the challenge ciphertext under , , and unless the public key of or has been replaced after the Challenge stage.
’s advantage is defined as .

Note. In the above Challenge stage, the sender’s identity may be null. In this case, it runs in encryption mode; otherwise, it runs in signcryption mode. Thus, the encryption and signcryption modes share the same game, as described above.

Definition 6 (type II confidentiality, encryption, and signcryption modes). A certificateless key-insulated GSC scheme is said to be IND-CL-Strong-KI-GSC-CCA2-II secure if no PPT adversary has a nonnegligible advantage in the following game.
(1) Setup. The same as in Definition 2.
(2) Find Stage. can adaptively ask all the above oracles except the user-period-private-key, partial-private-key, and public-key-replacement oracles.
(3) Challenge Stage. The same as in Definition 2.
(4) Guess Stage. can make the same queries adaptively as in the Find stage. Finally, gives his/her guess . If , he/she wins the game. The restrictions on are as follows:
(a) The receiver’s identity cannot be null.
(b) cannot ask for ’s secret value .
(c) In the Guess stage, cannot make an Un-GSC query on the challenge ciphertext under , , and .
’s advantage is defined as .

Note  1. In the above Challenge stage, the sender’s identity may be null. In this case, it runs in encryption mode; otherwise, it runs in signcryption mode. Thus, the encryption and signcryption modes share the same game, as described above.

Note  2. To resist the malicious-but-passive KGC attack, adversary must be allowed to produce the system parameters and master private key in the Setup stage.

Definition 7 (type I unforgeability, signature, and signcryption modes). A certificateless key-insulated GSC scheme is said to be EUF-CL-Strong-KI-GSC-CMA-I secure if no PPT adversary has a nonnegligible advantage in the following game.
(1) Setup. The same as in Definition 5.
(2) Queries. The same as in Definition 5.
(3) Forgery. Finally, outputs a forged GSC ciphertext in time period with as the sender and as the receiver. wins the game if the output of the Un-GSC algorithm is not the symbol and if the following conditions hold:
(a) The sender’s identity cannot be null.
(b) cannot ask for ’s partial private key .
(c) is not the output of the GSC query.
’s advantage is its probability of victory.

Note. In the above Forgery stage, the receiver’s identity may be null. In this case, it runs in signature mode; otherwise, it runs in signcryption mode. Thus, the signature and signcryption modes share the same game, as described above.

Definition 8 (type II unforgeability, signature, and signcryption modes). A certificateless key-insulated GSC scheme is said to be EUF-CL-Strong-KI-GSC-CMA-II secure if no PPT adversary has a nonnegligible advantage in the following game.
(1) Setup. The same as in Definition 6.
(2) Queries. The same as in Definition 6.
(3) Forgery. Finally, outputs a forged GSC ciphertext in time period with as the sender and as the receiver. wins the game if the output of the Un-GSC algorithm is not the symbol and if the following conditions hold:
(a) The sender’s identity cannot be null.
(b) cannot ask for ’s secret value .
(c) is not the output of the GSC query.
’s advantage is its probability of victory.

Note. In the above Forgery stage, the receiver’s identity may be null. In this case, it runs in signature mode; otherwise, it runs in signcryption mode. Thus, the signature and signcryption modes share the same game, as described above.

4.2.3. Secure Key Update

Definition 9. A certificateless key-insulated GSC scheme is said to support secure key update if a key update exposure from time period to is equivalent to user-period-private-key exposures in both time periods and .
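As an added illustration (not part of this paper and not the scheme of Section 5), the following Python code implements the key-insulated mechanism behind the algorithm interface of Section 4.1 (Set-Initial-Key, Key-Update-H, Key-Update-U) and the secure key update property of Definition 9 for a plain Schnorr signature: the fixed public key never changes, the user’s period private key is the long-term secret value plus a fresh per-period offset held by the helper, the helper issues an update key from the user’s current period to any target period in one step (random-access key update), and a key update exposure (old period key plus update key) yields exactly the new period key and nothing else. Everything in it is constructed for the example: the group is a small safe-prime group generated at import time and far too small for real use; the functions set_initial_key, key_update_h, key_update_u, sign, verify and key_update_exposure borrow the paper’s algorithm names but are not its algorithms; there is no KGC, partial private key or encryption mode; and the broadcast per-period value is assumed to reach verifiers, with a proof of possession of its discrete logarithm attached so that a substituted value cannot be chosen to cancel the fixed public key.

```python
"""Key-insulated Schnorr signatures over a toy safe-prime group: a constructed
example of the helper / period-key mechanism, not the paper's certificateless
GSC scheme (no KGC, no partial private key, no encryption mode; toy sizes)."""
import hashlib
import secrets

def _is_probable_prime(n, rounds=16):
    # Miller-Rabin; sufficient for generating toy parameters
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _toy_group(bits=64):
    # p = 2q + 1 prime; 4 is a quadratic residue mod p, so it generates the order-q subgroup
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

P, Q, G = _toy_group()  # generated at import time; far too small for real use

def _h(*parts):
    # hash-to-scalar mod Q over length-prefixed encodings of the inputs
    m = hashlib.sha256()
    for x in parts:
        b = x if isinstance(x, bytes) else str(x).encode()
        m.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(m.digest(), "big") % Q

def schnorr_sign(sk, pk, msg, ctx=()):
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    return R, (k + _h(pk, R, msg, *ctx) * sk) % Q

def schnorr_verify(pk, msg, sig, ctx=()):
    R, s = sig
    if not (1 < R < P and 0 <= s < Q):
        return False
    return pow(G, s, P) == R * pow(pk, _h(pk, R, msg, *ctx), P) % P

def _period_value(user_id, t, r):
    # public value W_t = G^r_t for period t plus a proof of possession of r_t; the
    # proof blocks a substituted W' = G^z / Y chosen to cancel the fixed public key Y
    W = pow(G, r, P)
    return W, schnorr_sign(r, W, user_id, ctx=(t, "pop"))

def set_initial_key(user_id):
    # Set-Initial-Key: x and r0 exist only here; the user keeps sk_0 = x + r_0 and the
    # fixed public key Y = G^x, the helper keeps r_0, the period-0 value is broadcast
    x = secrets.randbelow(Q - 1) + 1
    r0 = secrets.randbelow(Q - 1) + 1
    user = {"id": user_id, "Y": pow(G, x, P), "t": 0, "sk": (x + r0) % Q,
            "pub": {0: _period_value(user_id, 0, r0)}}
    return user, {"id": user_id, "r_cur": r0}

def key_update_h(helper, t_new):
    # Key-Update-H: fresh offset for t_new; the update key is the offset difference,
    # so any t_new is reachable from the user's current period in one step
    r_new = secrets.randbelow(Q - 1) + 1
    delta = (r_new - helper["r_cur"]) % Q
    helper["r_cur"] = r_new  # save the new offset, forget the old one
    return t_new, _period_value(helper["id"], t_new, r_new), delta

def key_update_u(user, update_key):
    # Key-Update-U: sk_t' = sk_t + (r_t' - r_t) = x + r_t'; the period value is broadcast
    t_new, period_value, delta = update_key
    user["sk"] = (user["sk"] + delta) % Q
    user["t"] = t_new
    user["pub"][t_new] = period_value
    return user["sk"]

def sign(user, msg):
    W, _ = user["pub"][user["t"]]
    pk_t = user["Y"] * W % P  # G^(x + r_t): the period-t verification key
    return user["t"], schnorr_sign(user["sk"], pk_t, msg, ctx=(user["t"],))

def verify(Y, user_id, pub, t, msg, sig):
    # anyone can verify from the fixed key Y and the broadcast value for period t
    if t not in pub:
        return False
    W, pop = pub[t]
    if not schnorr_verify(W, user_id, pop, ctx=(t, "pop")):
        return False
    return schnorr_verify(Y * W % P, msg, sig, ctx=(t,))

def key_update_exposure(sk_old, delta):
    # Definition 9: sk_t plus the update key yields sk_t' and nothing about other periods
    return (sk_old + delta) % Q
```

The three exposure types of Section 4.2 map directly onto this state: exposing a period key reveals only x + r_t, exposing the helper reveals only the current r_t, and exposing both in the same period reveals x and with it every period, which is why the security model forbids that combination. The proof of possession matters because the period value is published, not certified: without it, anyone could publish a value whose combination with Y has a discrete logarithm they know.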

5. A Concrete Certificateless Key-Insulated GSC Scheme

5.1. Concrete Scheme

By referring to Seo et al.’s [44] pairing-free certificateless signcryption tag key encapsulation mechanism, we propose an efficient pairing-free certificateless key-insulated GSC scheme.

Setup. Given a security parameter , the KGC produces two large prime numbers and . Then, he/she defines a secure elliptic curve on the finite field . Let be a cyclic group of order on , and let be a generator of . He/she randomly chooses as the master private key and computes as the master public key. He/she chooses seven hash functions: , and , where is the bit length of message . He/she defines a special function : if the identity is null, then ; otherwise, . The system public parameters are . He/she keeps the master private key secret.

Partial-Private-Key-Gen. Given a user’s identity , the KGC randomly chooses and computes and , where . KGC sends to securely.

User-Key-Gen. The user with identity randomly chooses as his/her secret value. He/she computes the public key as .

Set-Initial-Key. The user with identity randomly chooses and computes , , , , , and . Finally, the helper private key is , and the user’s period private key in time period 0 is . The user broadcasts . Then, the user sends the helper key and the ephemeral variable in time period 0 to the helper and deletes them from his/her own storage.

Key-Update-H. Given a user’s identity and , the old time period , and the new time period , the helper chooses and computes , , , , , and . Then, the update key is . The helper saves and deletes .

Key-Update-U. Given the update key , the user updates his/her period private key from time period to as . Then, he/she broadcasts .

GSC. Let , let the sender’s identity be , let the receiver’s identity be , and let the time period be . The sender randomly chooses and computes , , , and . Then, he/she computes , ,  ,   , , , and . Finally, the output is .

This algorithm can be run in three modes. We add a in the ciphertext.

(1) Encryption Mode. If is null and is not, then and . The ciphertext is an encryption ciphertext. In this case, , , , and are all set to the point at infinity on , and is set to zero. Additionally, in this case, .

(2) Signature Mode. If is null and is not, then and . The ciphertext is a signature. In this case, , , , and are all set to the point at infinity on . Additionally, in this case, and .

(3) Signcryption Mode. If neither nor is null, then and . The ciphertext is a signcryption ciphertext.

Un-GSC. The ciphertext is .
(a) . is an encryption ciphertext. The receiver computes and and recovers the message . Then, he/she computes and verifies whether holds. If it does, he/she accepts it.
(b) . is a signature. In this case, . The verifier computes , , , , , and . Then, he/she verifies whether holds. If it does, he/she accepts the signature.
(c) . is a signcryption ciphertext. The receiver computes and and recovers the message . Then, he/she computes , , , , , and and verifies whether holds. If it does, he/she accepts it.

5.2. Correctness

5.3. Random-Access Key Update

Our scheme supports random-access key update: for any current time period and any desired time period , Key-Update-H and Key-Update-U move the private key from to in one step, without passing through the intermediate periods.

6. Security Analysis of the Proposed Scheme

6.1. Confidentiality of Basic Key Insulation

Theorem 10 (type I confidentiality). In the random oracle model, if there is a PPT adversary with a nonnegligible advantage against the IND-CL-Basic-KI-GSC-CCA2-I security of the scheme running in encryption or signcryption mode in time and performing at most queries, user-creation queries, partial-private-key queries, period-private-key queries, GSC queries, and Un-GSC queries, then the CDH problem can be solved with probability in time , where denotes the time for a scalar multiplication on .

Proof. Suppose challenger is given for random . does not know the values of and and is asked to compute . To utilize adversary , challenger will simulate all the oracles defined in Definition 1.
Setup. sets . Other public parameters are produced normally. gives the system public parameters to . maintains nine lists, , and , which are initially empty. randomly selects .
Find Stage. makes queries to the following oracles adaptively.
User-Creation Query. provides an identity . looks up list to determine whether it contains the item. If it does, returns ’s public key and public parameters to . Otherwise, proceeds as follows and returns public key and public parameters to .
randomly selects as the secret value and computes the public key as . randomly selects as the helper private key and computes .
(1) . randomly selects and computes . inserts the tuple into list .
(2) . randomly selects and computes . inserts the tuple into list . If there is a collision in list , rechooses and repeats the process. inserts the tuple into list .
Query. supplies a tuple . first checks list to determine whether it contains the item . If it does, returns . Otherwise, randomly selects and repeats the process until is not in list . stores the tuple in list and returns to .
Query. supplies a tuple . first checks list to determine whether it contains the item . If it does, returns . Otherwise, randomly selects and repeats the process until is not in list . stores the tuple in list and returns to .
Query. supplies a tuple . first checks list to determine whether it contains the item . If it does, returns . Otherwise, randomly selects and repeats the process until is not in list . stores the tuple in list and returns to .
Query. supplies a tuple . first checks list to determine whether it contains the item . If it does, returns . Otherwise, randomly selects and repeats the process until is not in list . stores the tuple in list and returns to .
Query. supplies a tuple . first checks list to determine whether it contains the item . If it does, returns . Otherwise, randomly selects and repeats the process until is not in list . stores the tuple in list and returns to .
Query. supplies a tuple . first checks list to determine whether it contains the item . If it does, returns . Otherwise, randomly selects and repeats the process until is not in list . stores the tuple in list and returns to .
Query. supplies a tuple . first checks list to determine whether it contains the item . If it does, returns . Otherwise, randomly selects and repeats the process until is not in list . stores the tuple in list and returns to .
Partial-Private-Key Query. provides a created identity .
(1) . retrieves from list and returns it to .
(2) . aborts.
Secret-Value Query. provides a created identity . retrieves from list and returns it to .
Public-Key Query. provides a created identity . retrieves the public key and public parameters from list and returns them to .
Public-Key-Replacement Query. provides a created identity and a new public/secret-value pair . replaces the old public/secret-value pair with the new one and updates list .
User-Period-Private-Key Query. provides a created identity and a time period . first checks list to determine whether it contains the item . If it does, returns . Otherwise, we consider two cases.
(1) . randomly chooses and computes . retrieves from list . Then makes an query with the tuple and obtains a response . makes an query with the tuple and obtains a response . makes an query with the tuple and obtains a response . retrieves from list and computes the period private key in time period as . inserts the tuple into list and returns .
(2) . aborts.
GSC Query. provides two created identities (one of them may be null), a message , and a time period . If is null, it is equal to an encryption oracle, which only requires the public parameters. Otherwise, we consider two cases.
(1) . runs the GSC algorithm as normal because can obtain the private key of in time period .
(2) . first checks list to determine whether it contains the item . If it does, retrieves ; otherwise, randomly chooses , computes , and inserts the tuple into list . randomly chooses and computes , , , and . Then, he/she computes , , and . The values needed for the above computations can be obtained by querying the associated oracles. inserts the tuple into list . If there is a collision, rechooses and repeats the process. Finally, returns to .
Un-GSC Query. provides two created identities (one of them may be null), a ciphertext , and a time period . If is null, it is equal to a signature verification oracle, which needs only the public parameters. Otherwise, we consider two cases.
(1) . runs the Un-GSC algorithm as normal because can obtain the private key of in time period .
(2) . does not know the period private key of in time period . retrieves and from list (if or does not exist in list , then makes a period-private-key or GSC query to ensure that they are produced). starts from the first item of list to compute and verifies whether the equation holds true, where , , , , , and . The values needed for the above computations can be obtained by querying the associated oracles. If the equation holds true, returns the message ; else moves to the next item of list and repeats the process. If no message is returned after traverses all the items of list , returns .
Challenge Stage. chooses two different messages with equal length, two created challenge identities ( may be null), and a time period . If , aborts. Otherwise, randomly chooses and randomly chooses . retrieves and from list (if or does not exist in list , then makes a period-private-key or GSC query to ensure that they are produced). sets . randomly chooses . computes and . Then, computes and . The values needed for the above computations can be obtained by querying the associated oracles. inserts the tuple into list . If there is a collision, rechooses and repeats the process. returns the challenge ciphertext to .
Guess Stage. can make the same queries adaptively as in the Find stage with the restrictions given in Definition 1. Finally, must give his/her guess . cannot discover that is not a valid ciphertext unless he/she asks the oracle with the tuple , where = . If this occurs, retrieves , , and from list , and it retrieves and from list . makes associated hash oracle queries to obtain , , , and . Then, can output .
Now, we assess the probability of success. In the Challenge stage, the probability that is . In both the partial-private-key and user-period-private-key queries, the probability of querying is . In the Un-GSC stage, the probability of rejecting a valid ciphertext is less than .
In terms of the time complexity, GSC and Un-GSC queries need 7 and 8 computations, respectively.

Theorem 11 (type II confidentiality). In the random oracle model, if there is a PPT adversary with a nonnegligible advantage against the IND-CL-Basic-KI-GSC-CCA2-II security of the scheme running in encryption or signcryption mode in time and performing at most queries, user-creation queries, secret-value queries, period-private-key queries, GSC queries, and Un-GSC queries, then the CDH problem can be solved with probability in time , where denotes the time for a scalar multiplication on .

Proof. Suppose challenger is given for random . does not know the values of and and is asked to compute .
Setup. Adversary randomly selects as the master private key and computes the master public key as . Other public parameters are produced normally. gives the system public parameters and master private key to . maintains nine lists , and , which are initially empty. randomly selects .
Find Stage. makes queries to the following oracles adaptively: , public-key, user-period-private-key, GSC, and Un-GSC queries are the same as in Theorem 10. The partial-private-key and public-key-replacement queries are not needed for .
User-Creation Query. provides an identity . looks up list to determine whether it contains the item. If it does, returns ’s public key and public parameters to . Otherwise, proceeds as follows and returns public key and public parameters to .
randomly selects and computes and . randomly selects as the helper private key and computes .
(1) . sets the public key as and inserts the tuple into list .
(2) . randomly selects as the secret value and computes the public key as . inserts the tuple into list .
Secret-Value Query. provides a created identity .
(1) . retrieves from list and returns it to .
(2) . aborts.
Challenge Stage. The same as in Theorem 10.
Guess Stage. can make the same queries adaptively as in the Find stage with the restrictions given in Definition 2. Finally, must give his/her guess . cannot discover that is not a valid ciphertext unless he/she asks the oracle with the tuple , where = . If this occurs, retrieves and from list as well as and from list . makes associated hash oracles to obtain , , , and . Then, can output .
Now, we assess the probability of success. In the Challenge stage, the probability that is . In both the secret-value and user-period-private-key queries, the probability of querying is . In the Un-GSC stage, the probability of rejecting a valid ciphertext is less than .
In terms of the time complexity, GSC and Un-GSC queries need 7 and 8 computations, respectively.

6.2. Unforgeability of Basic Key Insulation

Theorem 12 (type I unforgeability). In the random oracle model, if there is a PPT adversary with a nonnegligible advantage against the EUF-CL-Basic-KI-GSC-CMA-I security of the scheme running in signature or signcryption mode in time and performing at most queries, user-creation queries, partial-private-key queries, period-private-key queries, GSC queries, and Un-GSC queries, then the EC-DL problem can be solved with probability in time , where denotes the time for a scalar multiplication on .

Proof. Suppose that challenger is given for random . does not know the value of and is asked to compute . To utilize adversary , challenger will simulate all the oracles defined in Definition 3.
Setup. The same as in Theorem 10.
Queries. The same as in Theorem 10.
Forgery. Finally, outputs a forged GSC ciphertext on message in time period with as the sender and as the receiver. If , aborts. Otherwise, if passes the validation of the Un-GSC algorithm and does not violate the restrictions of Definition 3, then, by the multiple-forking lemma [45], we can obtain four valid signatures: , , and , where and are two different hash values corresponding to the oracle and , , , and are four different hash values corresponding to the oracle. Because , we obtain four equations:
Then, can compute
Now, we assess the probability of success. In the Forgery stage, the probability of is . In both the partial-private-key and user-period-private-key queries, the probability of querying with is . In the Un-GSC stage, the probability of rejecting a valid ciphertext is less than . In conjunction with the multiple-forking lemma, the EC-DL problem can be solved with probability .
In terms of the time complexity, GSC and Un-GSC queries need 7 and 8 computations, respectively.

Theorem 13 (type II unforgeability). In the random oracle model, if there is a PPT adversary with a nonnegligible advantage against the EUF-CL-Basic-KI-GSC-CMA-II security of the scheme running in signature or signcryption mode in time and performing at most queries, user-creation queries, secret-value queries, period-private-key queries, GSC queries, and Un-GSC queries, then the EC-DL problem can be solved with probability in time , where denotes the time for a scalar multiplication on .

Proof. Suppose that challenger is given for random . does not know the value of and is asked to compute . To utilize adversary , challenger will simulate all the oracles defined in Definition 4.
Setup. The same as in Theorem 11.
Queries. The same as in Theorem 11.
Forgery. Finally, outputs a forged GSC ciphertext on message in time period with as the sender and as the receiver. If , aborts. Otherwise, if passes the validation of the Un-GSC algorithm and does not violate the restrictions of Definition 4, then, by the multiple-forking lemma [45], we can obtain four valid signatures: , , and , where and are two different hash values corresponding to the oracle and , , , and are four different hash values corresponding to the oracle. Because , we obtain four equations:
Then, can compute
Now, we assess the probability of success. In the Forgery stage, the probability of is . In both the secret-value and user-period-private-key queries, the probability of querying is . In the Un-GSC stage, the probability of rejecting a valid ciphertext is less than . In conjunction with the multiple-forking lemma, the EC-DL problem can be solved with probability .
In terms of the time complexity, GSC and Un-GSC queries need 7 and 8 computations, respectively.

6.3. Confidentiality of Strong Key Insulation

Theorem 14 (type I confidentiality). In the random oracle model, if there is a PPT adversary with a nonnegligible advantage against the IND-CL-Strong-KI-GSC-CCA2-I security of the scheme running in encryption or signcryption mode in time and performing at most queries, user-creation queries, partial-private-key queries, GSC queries, and Un-GSC queries, then the CDH problem can be solved with probability in time , where denotes the time for a scalar multiplication on .

Proof. The proof is almost the same as that of Theorem 10. The difference is that cannot make a user-period-private-key query but can adaptively ask the helper-key oracle. The GSC oracle is also slightly different.
Helper-Key Query. provides a created identity and a time period . returns the user’s helper key and the ephemeral variable in time period to .
GSC Query. provides two created identities (one of them may be null), a message , and a time period . If is null, it is equal to an encryption oracle, which needs only the public parameters. Otherwise, we consider two cases.
(1) . first checks list to determine whether it contains the item . If it does, retrieves the period private key in time period and runs the GSC algorithm as normal. Otherwise, randomly chooses and computes . retrieves from list . Then, makes an query with the tuple and obtains a response . makes an query with the tuple and obtains a response . makes an query with the tuple and obtains a response . retrieves from list and computes the period private key in time period as . inserts the tuple into list and runs the GSC algorithm as normal.
(2) . It is the same as in Theorem 10.
Finally, returns the GSC ciphertext and to .

Theorem 15 (type II confidentiality). In the random oracle model, if there is a PPT adversary with a nonnegligible advantage against the IND-CL-Strong-KI-GSC-CCA2-II security of the scheme running in encryption or signcryption mode in time and performing at most queries, user-creation queries, secret-value queries, GSC queries, and Un-GSC queries, then the CDH problem can be solved with probability in time , where denotes the time for a scalar multiplication on .

Proof. The proof is almost the same as that of Theorem 11. The difference is that cannot make a user-period-private-key query but can adaptively ask the helper-key oracle.
The user-creation query, secret-value query, public-key query, and Un-GSC queries are the same as in Theorem 11.
The helper-key query and GSC query are the same as in Theorem 14.

6.4. Unforgeability of Strong Key Insulation

Theorem 16 (type I unforgeability). In the random oracle model, if there is a PPT adversary with a nonnegligible advantage against the EUF-CL-Strong-KI-GSC-CMA-I security of the scheme running in signature or signcryption mode in time and performing at most queries, user-creation queries, partial-private-key queries, GSC queries, and Un-GSC queries, then the EC-DL problem can be solved with probability in time , where denotes the time for a scalar multiplication on .

Proof. The proof is almost the same as that of Theorem 12. The difference is that cannot make a user-period-private-key query but can adaptively ask the helper-key oracle.
All the oracle queries are the same as in Theorem 14.

Theorem 17 (type II unforgeability). In the random oracle model, if there is a PPT adversary with a nonnegligible advantage against the EUF-CL-Strong-KI-GSC-CMA-II security of the scheme running in signature or signcryption mode in time and performing at most queries, user-creation queries, secret-value queries, GSC queries, and Un-GSC queries, then the EC-DL problem can be solved with probability in time , where denotes the time for a scalar multiplication on .

Proof. The proof is almost the same as that of Theorem 13. The difference is that cannot make a user-period-private-key query but can adaptively ask the helper-key oracle.
All the oracle queries are the same as in Theorem 15.

6.5. Secure Key Update

Theorem 18. Our certificateless key-insulated GSC scheme supports secure key update.

Proof. If an adversary compromises the user’s storage while the key is being updated from time period to , then he/she obtains the user’s period private key in time period and the update key from to , and can therefore compute the user’s period private key in time period . The adversary learns nothing beyond , , and , which is exactly what exposures of the period private keys in time periods and would yield. From the equation he/she cannot derive the secret value or the helper key, because it contains more unknown variables than there are equations; the same holds for the equation . Hence a key-update exposure is equivalent to period-private-key exposures in the two periods, as required by Definition 9.
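The following worked example is added here and is not part of the paper; it illustrates both the random-access key update of Section 5.3 and the secure-key-update argument of Theorem 18. It is a simplified Schnorr-style key-insulated signature over secp256k1, not the paper’s certificateless scheme: the KGC partial private key, the encryption and signcryption modes, and the paper’s exact hash inputs are omitted. The period-key formula d_t = x + s_t with s_t = r_t + hk·H(ID, t, R_t), the update key UK = s_{t'} - s_t, and all names (Helper, h_scalar, period_pubkey, the sample identity) are assumptions of this example, chosen only to reproduce the additive helper/period-key structure described in Set-Initial-Key, Key-Update-H, and Key-Update-U.

```python
# Added example (not the paper's code): a simplified Schnorr-style key-insulated
# signature over secp256k1, illustrating random-access and secure key update.
# Assumptions: no KGC partial key, no encryption mode, hash inputs chosen here.
import hashlib
import secrets

# secp256k1 (y^2 = x^3 + 7 over F_p), used only as a pairing-free prime-order group.
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
Q_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc, addend, k = None, pt, k % Q_ORD
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def h_scalar(*parts):
    """Hash identities, periods, messages and points to a scalar mod q."""
    hsh = hashlib.sha256()
    for p in parts:
        if isinstance(p, tuple):              # encode a point by its coordinates
            p = f"{p[0]:064x}{p[1]:064x}"
        hsh.update(str(p).encode() + b"|")
    return int.from_bytes(hsh.digest(), "big") % Q_ORD

def rand_scalar():
    return secrets.randbelow(Q_ORD - 1) + 1

class Helper:
    """Separate device holding the helper key hk and the current period share s_t."""
    def __init__(self, ident):
        self.ident, self.hk = ident, rand_scalar()
        self.HK = ec_mul(self.hk, G)          # helper public key, published once
        self.share = {}                       # {t: s_t}; only the latest is kept

    def new_share(self, t):
        """s_t = r_t + hk * H(ID, t, R_t) with fresh r_t; R_t is broadcast."""
        r_t = rand_scalar()
        R_t = ec_mul(r_t, G)
        s_t = (r_t + self.hk * h_scalar(self.ident, t, R_t)) % Q_ORD
        self.share = {t: s_t}                 # previous share is deleted
        return s_t, R_t

    def key_update(self, t_old, t_new):
        """Random-access update: one update key moves from any t_old to any t_new."""
        s_old = self.share[t_old]
        s_new, R_new = self.new_share(t_new)
        return (s_new - s_old) % Q_ORD, R_new  # (UK, R_{t_new})

def period_pubkey(ident, X, HK, t, R_t):
    """Public key for period t from public data only: X + R_t + H(ID, t, R_t) * HK."""
    return ec_add(ec_add(X, R_t), ec_mul(h_scalar(ident, t, R_t), HK))

def sign(d_t, ident, t, msg):
    k = rand_scalar()
    K = ec_mul(k, G)
    return K, (k + h_scalar(K, ident, t, msg) * d_t) % Q_ORD

def verify(ident, X, HK, t, R_t, msg, sig):
    K, sigma = sig
    e = h_scalar(K, ident, t, msg)
    return ec_mul(sigma, G) == ec_add(K, ec_mul(e, period_pubkey(ident, X, HK, t, R_t)))

def demo(ident="alice@example.com"):            # constructed sample identity
    x = rand_scalar()                             # secret value x never leaves the user
    X = ec_mul(x, G)
    helper = Helper(ident)
    s0, R0 = helper.new_share(0)                  # Set-Initial-Key
    d0 = (x + s0) % Q_ORD                         # period private key d_0
    sig0 = sign(d0, ident, 0, "period-0 message")
    ok0 = verify(ident, X, helper.HK, 0, R0, "period-0 message", sig0)
    uk, R7 = helper.key_update(0, 7)              # Key-Update-H: jump 0 -> 7 in one step
    d7 = (d0 + uk) % Q_ORD                        # Key-Update-U: d_7 = d_0 + UK
    sig7 = sign(d7, ident, 7, "period-7 message")
    ok7 = verify(ident, X, helper.HK, 7, R7, "period-7 message", sig7)
    cross = verify(ident, X, helper.HK, 7, R7, "period-0 message", sig0)  # wrong period
    # Update exposure: reading d_0 and UK yields exactly d_7, i.e. the same as a
    # period-key exposure in periods 0 and 7; x and hk stay hidden because d_0, d_7
    # are two equations in the four unknowns x, hk, r_0, r_7.
    return ok0, ok7, cross, d7 == (x + helper.share[7]) % Q_ORD
```

Running demo() signs in period 0, moves directly to period 7 with a single update key, and checks that a period-0 signature does not verify under the period-7 public key. The last return value mirrors the Theorem 18 argument: the values an intruder can read during an update, d_0 and UK, determine d_7 and nothing more, because the fresh r_t in each share keeps the number of unknowns above the number of equations.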

7. Efficiency Comparison of the Proposed Scheme

Because no certificateless key-insulated signcryption scheme has been proposed so far, and because only five key-insulated signcryption schemes have been reported in the literature, we compare the performance of our scheme in signcryption mode with these five schemes: Chen et al.’s identity-based key-insulated signcryption scheme [33], Fan et al.’s PKI-based key-insulated signcryption scheme [34], Wang et al.’s identity-based key-insulated signcryption scheme [35], Zhu et al.’s identity-based key-insulated signcryption scheme [38], and Hong and Sun’s attribute-based key-insulated signcryption scheme [43]. Their common operations are set-initial-key, key-update-h, key-update-u, signcryption, and un-signcryption. The comparisons are presented in Tables 1 and 2. The symbols , , , and denote a pairing computation, a pairing-based scalar multiplication on , an ECC-based scalar multiplication on , and an exponentiation on , respectively. Other operations are ignored because their cost is negligible by comparison. , , , , and represent the bit length of an element of , , and , a message , and an identity, respectively. “S” denotes the standard model and “ROM” the random oracle model. S-I-K, K-U-H, K-U-U, Sc, and Un-Sc denote set-initial-key, key-update-h, key-update-u, signcryption, and un-signcryption, respectively.

To show the comparisons more directly, we used the Multiprecision Integer and Rational Arithmetic C Library (MIRACL) [46] to measure the runtime of the basic cryptographic operations. The average runtime over 1000 executions is shown in Table 3. The experiment was run on Windows 7 Home Basic 64-bit on an Intel Core i7-4510U CPU at 2.0 GHz with 8 GB of memory. For the pairing-based schemes, we use the supersingular elliptic curve with embedding degree 2, where is a 160-bit Solinas prime and is a 512-bit prime satisfying . This setting provides roughly 80 bits of security, the level conventionally described as equivalent to an 80-bit symmetric key. To achieve the same security level for the elliptic curve cryptography- (ECC-) based schemes, we use secp160r1, which is recommended by Certicom Corporation [47].

When we take the above parameters, for pairing-based schemes, and ; for ECC-based schemes, and . Let . We can obtain Table 4 by combining Tables 1, 2, and 3.

From Table 4, we can see that scheme [43] is the most efficient in the S-I-K and K-U-H stages; our scheme is close to scheme [43] and outperforms the other schemes. In the Sc and Un-Sc stages, our scheme is the most efficient; scheme [43] is close to ours, whereas the other schemes are much less efficient. In terms of ciphertext size, our scheme is the shortest.

We also compared our scheme with two certificateless GSC schemes. These schemes are Zhou et al.’s scheme [13] and Zhang et al.’s scheme [20]. The comparisons are shown in Table 5. Let , and we can obtain Table 6 by combining Tables 3 and 5.

From Table 6, we can see that scheme [20] is the most efficient scheme in terms of Sc, Un-Sc, and ciphertext size. Scheme [20] is a lightweight scheme and achieves the greatest efficiency. Our scheme is very similar to this scheme and outperforms scheme [13]. None of the schemes [13, 20] consider the private key exposure problem, whereas our scheme achieves high efficiency even after considering this problem.

In general, the efficiency of our scheme is very similar to those of the lightweight schemes [20, 43]; therefore, our scheme is more suitable for users who communicate with the cloud using mobile devices.

8. Conclusions

In this paper, we propose a certificateless key-insulated GSC scheme without bilinear pairings. Our scheme can be used to ensure cloud storage security. We provide a formal definition and security model of certificateless key-insulated GSC. Our scheme is demonstrated to be confidential under the CDH assumption and unforgeable under the EC-DL assumption, and it supports both random-access key update and secure key update. Efficiency evaluations show that our scheme is efficient compared with current key-insulated signcryption schemes and certificateless GSC schemes. Our future work will include designing highly efficient intrusion-resilient GSC schemes.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This research was supported by the National Natural Science Foundation of China under Grant nos. 61462048, 61562047, and 61662039. The authors express their thanks to Ms. Yan Di, who checked their manuscript.