Abstract

Generalized signcryption can adaptively work as an encryption scheme, a signature scheme, or a signcryption scheme with only one algorithm. The paper proposes an efficient certificateless generic signcryption scheme without utilizing bilinear pairing operations. It is proved to satisfy confidentiality and unforgeability against chosen ciphertext and message attacks in an adaptive manner, respectively, in the random oracle model. Due to the lower computational cost and communication overhead, the proposed scheme is suitable for low power and processor devices.

1. Introduction

In the traditional Public Key Infrastructure (PKI), a certificate authority (CA), which is a third party, issues certificates to bind the identity of a user to the corresponding public key. The certificate provides an unforgeable and trusted link by means of the CA’s digital signature. However, the problem of certificate management, including the storage, revocation, and distribution of certificates, is complex in this kind of PKI. Identity-based Public Key Cryptosystems (ID-PKC) were introduced by Shamir [1] in 1984 to simplify the certificate management problem. A user’s public key can be easily derived from arbitrary strings corresponding to his identity information, such as passport number, telephone number, name, and email address. A trusted third party named the private key generator (PKG) computes private keys from a master secret and users’ identity information and distributes these private keys to the users participating in the scheme. This eliminates the need for certificates as used in a traditional PKI. ID-based systems may be a good alternative to certificate-based systems from the viewpoint of efficiency and convenience. But an inherent problem of ID-based cryptosystems is key escrow; that is, the PKG knows the user’s private key, so there is no user privacy or authenticity. To eliminate these problems simultaneously, Al-Riyami and Paterson introduced the concept of certificateless public key cryptography (CL-PKC) in 2003 [2]. In a CL-PKC, a public/secret key pair is produced by the user himself independently, without requiring the public key to be certified. Also, a partial private key is generated by a semi-trusted third party, called the key generation center (KGC), from the unique identifier information of the user. An adversary knowing only one of the two should not be able to impersonate the user or carry out any cryptographic operation as the user. In other words, CL-PKC can act as an intermediate between traditional PKI and ID-PKC.

The confidentiality and authenticity of messages are the basic requirements for secure communication. In 1997, Zheng proposed the cryptographic primitive signcryption [3], which simultaneously fulfils the integrated function of public key encryption and digital signature with a computing and communication cost significantly smaller than that required by the signature-then-encryption method. According to the three public key authentication methods, signcryption can be divided into three types: PKI-based signcryption schemes [4–10], ID-based signcryption schemes (IBSC) [11–16], and certificateless signcryption schemes (CLSC) [17–20].

Sometimes, confidentiality and authenticity are needed separately, and sometimes both of them are needed simultaneously. We can use encryption, signature, or signcryption to achieve the respective security properties. But maintaining three different primitives or components at the same time is quite a burden to a system, especially to low power and processor devices in low-bandwidth environments. Generalized signcryption (GSC) was proposed [21–23] to solve this problem. A GSC scheme can adaptively work as an encryption scheme, a signature scheme, or a signcryption scheme with only one algorithm. In other words, without any additional modification or computation, it provides both functions when confidentiality and authenticity are required simultaneously and the separate encryption or signature function when only one of them is required. So, a GSC scheme can be viewed as a primitive with three work modes. In 2010, the first certificateless generalized signcryption (CLGSC) scheme was introduced by Ji et al. [24]. In their work, the formal definition, security model, and a concrete scheme were proposed. But Kushwah and Lai [25] noted that the scheme in [24] is not existentially unforgeable against a Type I adversary, and they proposed a new secure and efficient CLGSC scheme. Zhou et al. [26] proposed a more efficient CLGSC scheme based on the certificateless signcryption proposed in [17]. However, all the existing CLGSC schemes are realized with bilinear pairing operations. Compared with other operations, the bilinear pairing operation is much more complicated. Therefore, a concrete scheme without bilinear pairing is more suitable for applications. Very recently, Zhou et al. [27] introduced the key-insulated mechanism into GSC and proposed a concrete scheme without bilinear pairings in the certificateless cryptosystem setting.

In this paper, we give a formal definition and the security concept of CLGSC and propose an efficient concrete scheme without utilizing bilinear pairing operations, based on a certificateless signcryption-tag key encapsulation mechanism [28]. The concrete scheme is proved to satisfy confidentiality and unforgeability against chosen ciphertext and message attacks in an adaptive manner, respectively, in the random oracle model. Due to its lower computational cost and communication overhead, the proposed scheme is suitable for low power and processor devices.

The rest of the paper is organized as follows. The security problems, complexity assumptions, and the formal model of CLGSC scheme are introduced in Section 2. We describe a new CLGSC scheme in Section 3 and give the security proof and performance analysis of the new scheme in Sections 4 and 5, respectively. Finally, the conclusions are given in Section 6.

2. Preliminaries

2.1. Security Problems and Complexity Assumptions

Several related mathematical hard problems and security assumptions are presented here.

(i) The Elliptic Curve Discrete Log Problem (ECDLP) [29]: for group which is generated by , given , to find such that .

Definition 1 (ECDLP assumption). For group which is generated by , given , the successful advantage of any probabilistic polynomial time (PPT) adversary is presented as . If there exists no PPT adversary with nonnegligible advantage in solving the ECDLP problem, we say that the ECDLP assumption holds.

(ii) One-sided Gap Diffie-Hellman problem (ECDLP) [30]: for group which is generated by , is a fixed point, given , to find with the help of a one-sided decision Diffie-Hellman (ODDH) oracle. The ODDH oracle gets the tuple as the input and outputs 1 if and 0 otherwise.

Definition 2 (ECDLP assumption). For group which is generated by , is a fixed point, given . The successful advantage of any PPT adversary is presented as . If there exists no PPT adversary with nonnegligible advantage by making ODDH oracle queries in solving the ECDLP problem, we say that the -ECDLP assumption holds.

2.2. Certificateless Generic Signcryption Scheme (CLGSC)
2.2.1. Framework

Certificateless generic signcryption scheme (CLGSC) consists of the following probabilistic polynomial time algorithms.

(1) Setup. Taking a security parameter as input, the KGC runs the Setup algorithm to generate the common parameters params and a master key msk. params are publicly available, whereas the msk is kept secret by the KGC. Formally, we can write

(2) Set-User-Key. Taking the common parameters params and his own identity information as input, each user runs the Set-User-Key algorithm to generate a secret value and the corresponding public value for himself. It returns the user’s secret value and a corresponding public value PV. Formally, we can write

(3) Extract-Partial-Private-Key. Given the common parameters params, an identity ID, and the corresponding public value PV, KGC runs Extract-Partial-Private-Key algorithm to generate the partial private key associated with ID. It distributes to the user via a secure channel. Formally, we can write

(4) Set-Private-Key. Given the common parameters params, the partial private key , and the secret value , the user with identity ID runs this algorithm to generate the full private key SK for himself. Formally, we can write

(5) Set-Public-Key. Given the common parameters params, the partial private key , the secret value , and the public value PV, the user with identity ID runs this algorithm to generate the full public key PK as the output. Formally, we can write

(6) CLGSC-Signcrypt. Given the common parameters params, the message , the receiver’s identity , and the full public value , the user with identity and the full private key runs this algorithm to generate the ciphertext as the output. Note that and could be null string. Formally, we can write

(7) CLGSC-Unsigncrypt. Given the ciphertext , the sender’s identity , and the public key , the receiver with identity and the full private key runs this algorithm to unsigncrypt (or decrypt) the ciphertext. It returns or true for a valid signcryption ciphertext or signature, and returns to indicate an invalid one. Note that and could be the null string. Formally, we can write

2.2.2. Security Model

A CLGSC must satisfy confidentiality in encryption mode or signcryption mode and unforgeability in signcryption mode or signature mode. In a CLGSC scheme, we must consider two types of adversaries: a common user of the system and an honest-but-curious KGC. A common user cannot be in possession of the master secret key generated by the KGC. But he can replace the public keys of users with valid public keys of his choice in an adaptive manner. This type of adversary is modeled by the Type I adversary. An honest-but-curious KGC knows the KGC’s master secret key. But he is not able to replace the public keys of users. This type of adversary is modeled by the Type II adversary.

An adversary can access seven kinds of oracles as follows.

Set-User-Key Queries. requests the secret value for a user with . uses the Set-User-Key algorithm to compute and sends to . If ’s public key has already been replaced, then a Type I adversary cannot submit ’s identity and request the secret value of .

Extract-Partial-Private-Key Queries. requests the partial private key for a user with ; uses the Set-User-Key algorithm to compute and then sends a partial private key generated by the Extract-Partial-Private-Key algorithm to .

Set-Private-Key Queries. requests the private key for a user with ; sends the full private key generated by the Set-User-Key algorithm and Extract-Partial-Private-Key algorithm to . Note that if ’s public key has already been replaced, then a Type I adversary cannot submit the identity and request the full private key of .

Set-Public-Key Queries. requests the public key for a user with ; returns the public key to generated by the Set-User-Key algorithm and Extract-Partial-Private-Key algorithm.

Public-Key-Replacement Queries. computes a new public key for and replaces . Note that a Type II adversary cannot access Public-Key-Replacement queries.

CLGSC-Signcrypt Queries. submits to , in which is a message and and are the sender’s and the receiver’s identities, respectively. returns the ciphertext to . Note that if the public key of the sender has been replaced, then may not return the ciphertext . In this case, must provide the secret value to .

CLGSC-Unsigncrypt Queries. submits to , in which is a signature or signcryption ciphertext and and are the sender’s and the receiver’s identities, respectively. returns the output of CLGSC-unsigncrypt to . Note that if the public key of the receiver is replaced, then may not return the corresponding value. In this case, must provide the secret value to .

Confidentiality

Definition 3 (IND-CLGSC-CCA2 confidentiality). A certificateless generic signcryption scheme in signcryption mode or encryption mode is semantically secure against adaptive chosen ciphertext attacks if, for all PPT adversary, the advantage is negligible in the following games. The games are played between a challenger and the adversaries and , respectively.

GAME 1 (IND-CLGSC-CCA2-I)

Initial. generates the system parameters params and the master secret key msk by running the Setup algorithm. It keeps msk secret and sends params to .

Phase I. performs a polynomially bounded number of the above queries.

Challenge. outputs a tuple , in which and are distinct messages of equal length and and are the sender’s and the receiver’s identities, respectively. Here, it is to be noted that ’s full private key has not been extracted by in Phase I. It is also to be noted that ’s partial private key has not been extracted and his public key has not been replaced simultaneously. picks randomly, runs the algorithm of CLGSC-signcrypt with , and sends the output to .

Phase II. asks queries adaptively again. However, the full private key for may not be extracted by and the partial private key for may not be extracted if the public key of has been replaced in Phase I. Only after the public key or has been replaced, CLGSC-unsigncrypt query on with sender and receiver is allowed.

Guess Stage. outputs his guess and if he wins the game.

The advantage of is .

GAME 2 (IND-CLGSC-CCA2-II)

Initial. generates params and msk by running the Setup algorithm. It sends params and msk to .

Phase I. performs a polynomially bounded number of queries just as in IND-CLGSC-CCA2-I game. Extract-Partial-Private-Key queries are not included here, because knows , and he can generate users’ partial private keys by himself.

Challenge. At the end of Phase I, outputs a tuple , in which and are distinct messages of equal length and and are the sender’s and the receiver’s identities, respectively. Here, it is to be noted that must have made no Set-Private-Key queries on in Phase I. picks randomly, runs the algorithm of CLGSC-signcrypt with , and sends the output to .

Phase II. asks queries adaptively again. However, the full private key for may not be extracted and only after the public key or has been replaced, CLGSC-unsigncrypt query on with sender and receiver is allowed.

Guess Stage. outputs his guess and if he wins the game.

The advantage of is .

Note that, in the above games, only the signcryption mode and encryption mode of the CLGSC scheme must be considered. The receiver’s identity cannot be vacant. If the sender’s identity is not vacant, the algorithm runs in signcryption mode; otherwise it runs in encryption mode.

Unforgeability

Definition 4 (EUF-CLGSC-CMA unforgeability). A certificateless generic signcryption scheme in signature mode or signcryption mode is existentially unforgeable against adaptive chosen message attacks if, for all PPT adversary, the advantage is negligible in the following games. The games are played between a challenger and the adversaries and , respectively.

GAME 3 (EUF-CLGSC-CMA-)

Initial. generates params and msk by running the Setup algorithm. It keeps msk secret and sends params to .

Training Phase. Like in Phase I of the IND-CLGSC-CCA2-I game, may perform a series of adaptive queries.

Forgery. outputs a tuple . It must not be an output of a CLGSC-signcrypt query. The full private key of must not have been extracted by during the Training Phase. Moreover, must not have both replaced ’s public key and extracted ’s partial private key. If the output of CLGSC-unsigncrypt is not , wins the game.

GAME 4 (EUF-CLGSC-CMA-)

Initial. generates params and msk by running the Setup algorithm. It sends params and msk to .

Training Phase. Like in Phase I of the IND-CLGSC-CCA2-II game, may perform a series of adaptive queries.

Forgery. outputs a tuple . It must not be an output of the CLGSC-signcrypt query. During the Training Phase, must have made no Set-Private-Key queries and Set-User-Key queries on . If the output of CLGSC-unsigncrypt is not , wins the game.

Note that, in the above games, only the signcryption mode and signature mode of the CLGSC scheme must be considered. The sender’s identity cannot be vacant. If the receiver’s identity is not vacant, the algorithm runs in signcryption mode; otherwise it runs in signature mode.

3. The Concrete Scheme

Motivated by the pairing-free CLSC-TKEM protocol, in this section, we present a novel certificateless generalized signcryption scheme. It consists of seven algorithms.

(1) Setup. Given a security parameter , the KGC executes the following operations:
(i) It chooses a -bit prime and the tuple , where is generated by .
(ii) It chooses uniformly as the master key and computes .
(iii) Let , , be cryptographic hash functions, where , , , and is the plaintext block length.
(iv) Define an index function as follows: if ; otherwise, .
(v) The public parameters and functions are presented as .

(2) Set-User-Key. A user with the identity randomly chooses as its secret value and computes the corresponding public value as .

(3) Extract-Partial-Private-Key. sends to the KGC. In turn, the KGC generates and returns the partial private key of as follows:
(i) It chooses and computes .
(ii) It computes .

is the partial private key of . can accept as a valid partial private key by checking whether holds.

(4) Set-Private-Key. The user takes the pair as its full private key .

(5) Set-Public-Key. The user takes the pair as its full public key .

(6) CLGSC-Signcrypt. With the message and the receiver’s identity , the sender performs as follows:
(i) It chooses randomly and computes .
(ii) It computes , .
(iii) It computes , where .
(iv) It computes .
(v) It sets and returns as the ciphertext.

(7) CLGSC-Unsigncrypt. Given the ciphertext , the receiver decrypts and verifies the ciphertext as follows:
(i) It computes , .
(ii) It computes , where .
(iii) It checks whether . If the equation does not hold, it returns , indicating that the message is not valid. Otherwise, it returns true when , indicating a valid signature of user , or , indicating a valid encryption/signcryption ciphertext of the message sent to user .
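As an added illustration that is not the paper's scheme (whose equations are not reproduced on this page), the following Python toy instantiates the seven-algorithm CLGSC interface of Section 2.2.1: a Schnorr-style pairing-free partial private key with the user-side validity check, a full public key that anyone derives from the identity, PK and the KGC's public key without a certificate, and one signcrypt/unsigncrypt pair that switches among encryption, signature and signcryption mode according to which identity is the null string. It assumes a constructed small safe-prime Schnorr group in place of the paper's elliptic-curve group and SHA-256/SHAKE in place of the hash functions; all names and equations are the editor's own.

```python
import hashlib
import secrets

# Constructed toy Schnorr group: p = 2q + 1 is a safe prime and g = 4 generates
# the order-q subgroup of Z_p^*.  It stands in for the elliptic-curve group of
# the paper's Setup; the sizes are illustrative only.
P, Q, G = 2879, 1439, 4


def h_zq(*parts):
    """H1/H3 stand-in: hash length-prefixed, labelled inputs into Z_q."""
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % Q


def keystream(shared, rid, U, n):
    """H2 stand-in: expand the shared group element into n keystream bytes."""
    return hashlib.shake_256(b"H2|%d|%s|%d" % (shared, rid.encode(), U)).digest(n)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def setup():
    """(1) KGC picks the master key s and publishes P_pub = g^s."""
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(G, s, P)


def set_user_key():
    """(2) User picks the secret value x and the public value X = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def extract_partial_private_key(s, ident, X):
    """(3) KGC: R = g^r, d = r + s*H1(ID, X, R) mod q; (d, R) goes to the user."""
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    return (r + s * h_zq(b"H1", ident, X, R)) % Q, R


def partial_key_is_valid(p_pub, ident, X, d, R):
    """User-side acceptance check: g^d == R * P_pub^H1(ID, X, R)."""
    e = h_zq(b"H1", ident, X, R)
    return pow(G, d, P) == R * pow(p_pub, e, P) % P


def set_private_key(x, d):
    """(4) Full private key SK = (x, d)."""
    return x, d


def set_public_key(X, R):
    """(5) Full public key PK = (X, R); no certificate is attached."""
    return X, R


def full_public(p_pub, ident, pk):
    """Anyone derives Y = g^(x+d) = X * R * P_pub^H1(ID, X, R) from public data."""
    X, R = pk
    return X * R * pow(p_pub, h_zq(b"H1", ident, X, R), P) % P


def signcrypt(p_pub, msg, sid, sk_s, rid, pk_r):
    """(6) One algorithm, three modes: sid == "" encrypts only, rid == "" signs
    only, both present signcrypts.  Output is (U, c, v)."""
    u = secrets.randbelow(Q - 1) + 1
    U = pow(G, u, P)
    if rid:  # receiver present: DH-style KEM under the receiver's full key Y_r
        shared = pow(full_public(p_pub, rid, pk_r), u, P)
        c = xor(msg, keystream(shared, rid, U, len(msg)))
    else:    # signature mode: the message travels in the clear
        c = msg
    if sid:  # sender present: Schnorr-style signature reusing the nonce u
        x, d = sk_s
        v = (u + h_zq(b"H3", c, U, sid, rid) * (x + d)) % Q
    else:    # encryption mode: no sender, hence no signature component
        v = None
    return U, c, v


def unsigncrypt(p_pub, ct, sid, pk_s, rid, sk_r):
    """(7) Returns the message, or None (the paper's bottom symbol) if the
    signature component fails to verify."""
    U, c, v = ct
    if sid:
        e = h_zq(b"H3", c, U, sid, rid)
        if v is None or pow(G, v, P) != U * pow(full_public(p_pub, sid, pk_s), e, P) % P:
            return None
    if rid:  # receiver recomputes the shared element as U^(x+d)
        x, d = sk_r
        return xor(c, keystream(pow(U, (x + d) % Q, P), rid, U, len(c)))
    return c  # signature mode: valid, hand back the signed message
```

The signature check passes because g^v = g^(u + e(x+d)) = U * Y_s^e, and both sides of the KEM reach g^(u(x_r+d_r)), which is the same algebra the page's correctness section relies on for its own equations.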

Correctness of the Scheme. The correctness of the proposed concrete scheme is proved as follows.

(i) Correctness of the Encryption

(ii) Correctness of the Signature

4. Security Analysis of the Proposed Scheme

In this section, the security of the proposed concrete CLGSC scheme is proved as follows.

4.1. Confidentiality

Theorem 5. The CLGSC scheme is semantically secure against adaptive chosen ciphertext attacks in encryption mode or signcryption mode in the random oracle model.

Theorem 5 is proved based on Lemmas 6 and 7.

Lemma 6. If an adversary has a nonnegligible advantage against the IND-CLGSC-CCA2- security of our scheme, performing queries to oracles , Extract-Partial-Private-Key queries, and Set-Private-Key queries, then there is an algorithm that solves the ECDLP problem with probability .

Proof. Given an instance of the ECDLP problem, for group generated by and a fixed second point , having as input , has to compute for the point such that with the help of an ODDH oracle. Suppose the IND-CLGSC-CCA2- security of the CLGSC can be violated by a Type adversary . can utilize to compute as the solution to this instance by the following interactive game.
chooses uniformly as the master key and computes . It sends params to and maintains lists to keep the consistency between the responses to the hash queries and a list of issued keys which are initially empty. selects randomly, where , and takes as the target identity. chooses and sets , , and . inserts into the list and into the list .
answers ’s queries to random oracles as follows.
(i) queries: when submits a query with for some , checks in , and if exists, returns . Otherwise, chooses and returns to . Then inserts into the list .
(ii) queries: when submits a query with for some , sets the tuple as the input of the ODDH oracle. If the output of the ODDH oracle is 1, then returns as the solution and stops; else searches in , and if exists, it replaces the symbol with and returns . Otherwise, chooses and returns to . Then inserts into the list .
(iii) queries: when submits a query with for some , checks in , and if exists in , returns . Otherwise, chooses and returns to . Then inserts into .
can answer ’s other queries as follows.
Phase I
(i) Set-User-Key Queries. requests a secret value of the user with . If the public key of has not been replaced, then responds with by retrieving from the list .
(ii) Extract-Partial-Private-Key Queries. requests the partial private key of a user with . If , aborts the execution. Otherwise, checks in , and if exists, returns . Otherwise, computes the partial private key of using the actual Extract-Partial-Private-Key algorithm, inserts into the list , and returns .
(iii) Set-Private-Key Queries. requests a user’s full private key with . aborts the execution when . Otherwise, checks in , and if exists, returns the corresponding private key . Otherwise, picks , then sets , , and computes · and it satisfies the equation . returns to and inserts into the list and into .
(iv) Set-Public-Key Queries. requests a user’s public key with . checks in , and if exists, returns the corresponding public key . Otherwise, picks , then sets , , and computes the public key as and it satisfies the equation . returns to and inserts into the list and into .
(v) Public-Key-Replacement Queries. requests to replace a user’s public key with chosen values . updates corresponding tuple with .
(vi) CLGSC-Signcrypt Queries. sends the tuple to . For each query , if , executes the Set-Private-Key algorithm to compute corresponding to . Then, gets the ciphertext by running the actual CLGSC-signcrypt algorithm. sends to . If (and hence, ), can obtain the full private key corresponding to . computes , , sets , , and adds the tuples and to the list in which . computes and . outputs as the ciphertext.
The tuple can pass the verification as a valid ciphertext because the equality holds as follows:
(vii) CLGSC-Unsigncrypt Queries. submits to . If , obtains the receiver’s private key and returns the output of the CLGSC-unsigncrypt algorithm to . Note that if the receiver’s public value has been replaced, may not obtain the receiver’s secret value. In this case, must provide the receiver’s secret value. Otherwise, searches in for and . If the entries exist and the equality holds, is retrieved. If can find a tuple in making the ODDH oracle return 1 when queried on , then the message is .
Challenge. submits , in which and are distinct messages of equal length and and are the sender’s and the receiver’s identities, respectively. Here, it is to be noted that must have made no Set-Private-Key queries on in Phase I. It is also to be noted that ’s partial private key has not been extracted and his public key has not been replaced simultaneously. aborts the game if . Otherwise, generates the challenge ciphertext as follows.
(1) It sets and chooses .
(2) It selects randomly a bit and a random hash value and sets .
(3) It selects , satisfying the equation , and sends to .
Phase II. asks queries adaptively again. In addition, the full private key for may not be extracted by , and the partial private key for may not be extracted if the public key of has been replaced in Phase I. Only after the public key or has been replaced is a CLGSC-unsigncrypt query on with sender and receiver allowed.
Guess. Since is able to break the IND-CLGSC-CCA2-I security of the CLGSC, a query with should have been asked. Note that . Therefore, one of the ’s in is the ECDLP problem’s solution. chooses one randomly and outputs it as the solution.
In the above challenge query, the senders and can be for the encryption mode; otherwise, it works as signcryption. Thus, the proof is suitable for the two modes.
Analysis. Let , , and be the events in which aborts this game.
(i) is an event in which the target identity ’s partial private key is queried by . The probability of is .
(ii) is an event in which the target identity ’s private key is queried by . The probability of is .
(iii) is an event in which the target identity has not been chosen as the receiver by during the challenge phase. The probability of is .
Thus, the probability that does not abort this game is .
chooses the solution of the ECDLP problem from with probability . So, the successful advantage of is .

Lemma 7. If has a nonnegligible advantage against the IND-CLGSC-CCA2-II security of our scheme, performing Extract-Secret-Value queries, Set-Private-Key queries, and queries to oracles , then there is an algorithm that solves the ECDLP problem with probability .

Proof. Given an instance of the ECDLP problem, for group generated by and a fixed second point , having as input , has to compute for the point such that with the help of an ODDH oracle. Suppose the IND-CLGSC-CCA2-II security of the CLGSC can be violated by a Type II adversary . can utilize to compute as the solution to this instance by the following interactive game.
chooses uniformly as the master key and computes . sends params and to and maintains lists to avoid the inconsistency between the responses to the hash queries and a list of issued keys which is initially empty. selects randomly, where , and fixes as the target identity. chooses , sets , and computes , and the public key as . inserts into the list and into the list .
answers ’s queries to random oracles as follows:
(i) queries: when submits a query with for some , checks if there exists a tuple in . If such a tuple exists, answers with . Otherwise, chooses and returns as the answer. Then inserts into the list .
(ii) queries: when submits a query with , where , sets the tuple as the input of ODDH oracle. If the output of ODDH oracle is 1, then outputs as the solution; else searches with entries . If such a tuple exists, it replaces the symbol with and returns . Otherwise, chooses , inserts into , and returns to .
(iii) queries: when submits a query with , where , checks whether exists in . If it exists, returns . Otherwise, chooses , inserts into , and returns .
can answer ’s other queries as follows.
Phase I
(i) Set-User-Key Queries. requests a user’s secret value with . If , aborts. If , checks for a tuple in . If it exists, returns . Otherwise, chooses , then sets , and computes , , and the public key as . inserts into the list and into the list and returns .
(ii) Set-Private-Key Queries. produces to and requests a user’s private key with . If , aborts. Otherwise, checks for a tuple in . If it exists, returns . Otherwise, chooses , then sets , and computes , , and . inserts into the list and into the list and returns .
(iii) Set-Public-Key Queries. requests a user’s public key with . checks for a tuple . If it exists, returns the corresponding public key . Otherwise, chooses , then sets , and computes , , and the public key as . inserts into the list and into the list and returns .
(iv) CLGSC-Signcrypt Queries. sends the tuple to . For each query , if , executes the Set-Private-Key algorithm to compute corresponding to . Then, gets the ciphertext by running the actual CLGSC-signcrypt algorithm. sends to . If (and hence, ), can obtain the full private key corresponding to . computes , , sets , , and adds the tuples and to the list in which . computes and . outputs as the ciphertext.
The tuple can pass the verification as a valid ciphertext because the equality holds as follows:
(v) CLGSC-Unsigncrypt Queries. submits to . If , obtains the receiver’s private key, runs the CLGSC-unsigncrypt algorithm, and returns the output of CLGSC-unsigncrypt to . Otherwise, searches in for and . If the entries exist and the equality holds, is retrieved. If can find a tuple in making the ODDH oracle return 1 when queried on , then the message is .
Challenge. submits , in which and are distinct messages of equal length and and are the sender’s and the receiver’s identities, respectively. Here, it is to be noted that must have made no Set-Private-Key queries on in Phase I. aborts the game if . Otherwise, generates the challenge ciphertext as follows.
(1) It sets , where is given in the instance of the ECDLP problem, and computes .
(2) It selects randomly a bit and as a random hash value and sets .
(3) It selects , satisfying the equation , and sends to .
Phase II. asks queries adaptively again. In addition, it cannot query CLGSC-unsigncrypt on .
Guess. Since is able to break the IND-CLGSC-CCA2-II security of the CLGSC, a query with should have been asked. Note that . Therefore, one of the values of in is the ECDLP problem’s solution. chooses one randomly and outputs it as the solution.
In the above challenge query, the senders and can be for the encryption mode; otherwise, it works as signcryption. Thus, the proof is suitable for the two modes.
Analysis. In order to assess the probability of success of the challenger, let , , and be the events in which aborts the IND-CLGSC-CCA2-II game.
(i) is an event in which asks to query the secret value of the target identity . The probability of is .
(ii) is an event in which asks to query the private key of the target identity . The probability of is .
(iii) is an event in which the target identity has not been chosen as the receiver by during the challenge. The probability of is .
Thus, the probability that does not abort the IND-CLGSC-CCA2-II game is .
So, the successful advantage of is .

4.2. Unforgeability

Theorem 8. The CLGSC scheme in signcryption mode or signature mode is existentially unforgeable.

Theorem 8 is proved based on Lemmas 9 and 10.

Lemma 9. If an adversary has a nonnegligible advantage against the EUF-CLGSC-CMA-I security of our scheme, performing Extract-Partial-Private-Key queries, Set-Private-Key queries, and queries to oracles , then there is an algorithm that solves the ECDLP problem with probability .

Proof. Given an instance of the ECDLP problem , must find . Suppose the EUF-CLGSC-CMA-I security of the CLGSC can be violated by a forger . can utilize to compute as the solution by the following interactive game.
chooses uniformly as the master key and computes ; it sends params to and maintains lists to keep consistency between the responses to the hash queries and a list of issued keys which is initially empty.
Training Phase. may make a series of queries and all of the queries are responded to identically as those queries in the IND-CLGSC-CCA2-I game.
Forgery. returns a valid ciphertext from the sender to the receiver . If , aborts the execution of this game. We are ready to apply the forking lemma [31], which essentially says the following: consider the concrete scheme producing signatures or signcryption ciphertexts of the form , where each of corresponds to one of the three moves of an honest-verifier zero-knowledge protocol. If is a sufficiently efficient forger in the above interaction and forges a signature or signcryption ciphertext in time with probability ( being a security parameter so that is uniformly taken from a set of elements) when making CLGSC-signcrypt queries and random oracle calls, and if the triples can be simulated without knowing the private key, then there exists a Turing machine that uses to produce two valid ciphertexts and on the same message in expected time . Thus, we can get and . Let . We can obtain the following value. Therefore, solves the ECDLP as for the ECDLP problem.
In the above forgery query, the receiver can be for the signature mode; otherwise it works as signcryption. Thus, the proof is suitable for the two modes.
Analysis. Let , , and be the events when aborts the game.
(i) is an event in which the target identity ’s partial private key is queried by . The probability of is .
(ii) is an event in which the target identity ’s private key is queried by . The probability of is .
(iii) is an event in which the target identity has not been chosen as the sender by during the forgery. The probability of is .
Thus, the probability that does not abort the EUF-CLGSC-CMA-I game is .
So, the successful advantage of is .

Lemma 10. If an adversary has nonnegligible advantage against the EUF-CLGSC-CMA-II security of our scheme performing Extract-Secret-Value queries and queries to oracles , then there is an algorithm that solves the ECDLP problem with probability .

Proof. Given an instance of the ECDLP problem , must find . Suppose the EUF-CLGSC-CMA-II security of the CLGSC can be violated by a forger . can utilize to compute as the solution by the following interactive game.
chooses uniformly as the master key and computes ; it sends params and to and maintains lists to keep consistency between the responses to the hash queries and a list of issued keys which is initially empty.
Training Phase. may make a series of queries and all the queries are responded to identically as those queries in the IND-CLGSC-CCA2-II game.
Forgery. Eventually, returns a valid ciphertext from the sender to the receiver . If , aborts the execution of this game. It follows from the forking lemma [31] that if is a sufficiently efficient forger in the above interaction, then we can construct another probabilistic polynomial time Turing machine that outputs two ciphertexts and on the same message . Thus, we can get and . Let . We can obtain the following value. Therefore, solves the ECDLP as for the ECDLP problem.
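The forking-lemma extraction step invoked in both proofs above (for the Type I forger and, just now, the Type II forger) is shown below as an added, self-contained illustration; it is not code from the paper. Since the paper's own equations are not reproduced on this page, the example uses a generic Schnorr-type signature over a small multiplicative group as a stand-in for the three-move protocol: the toy parameters P, Q, G and all function names are assumptions of this example, not the paper's CLGSC algorithms. It shows the point the proofs rely on: two valid transcripts that share the commitment but carry different random-oracle challenges let the simulator solve for the signer's discrete logarithm.

```python
import hashlib
import secrets

# Constructed toy group (illustration only): p = 2q + 1 with q prime, and G a
# quadratic residue, so G generates the subgroup of prime order q.
# The paper works over an elliptic curve; the algebra of the extraction is the same.
P = 2039
Q = 1019
G = 4


def hash_challenge(R, m):
    """Random-oracle challenge e = H(R, m) reduced into Z_q."""
    h = hashlib.sha256(f"{R}|{m}".encode()).digest()
    return int.from_bytes(h, "big") % Q


def keygen():
    """Private key x in [1, q-1], public key y = G^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def respond(x, k, e):
    """Third move of the protocol: response s = k + x*e mod q for nonce k, challenge e."""
    return (k + x * e) % Q


def sign(x, m):
    """Honest Schnorr-type signature (R, e, s) on message m."""
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    e = hash_challenge(R, m)
    return R, e, respond(x, k, e)


def verify_transcript(y, R, e, s):
    """Algebraic check only: G^s == R * y^e mod p (no oracle lookup)."""
    return pow(G, s, P) == (R * pow(y, e, P)) % P


def verify(y, m, sig):
    """Full verification: the challenge must match the oracle and the algebra must hold."""
    R, e, s = sig
    return e == hash_challenge(R, m) and verify_transcript(y, R, e, s)


def extract_from_fork(sig1, sig2):
    """Forking-lemma extractor.

    Two valid transcripts with the same commitment R and challenges e1 != e2 satisfy
    s1 - s2 = x*(e1 - e2) mod q, so the private key is x = (s1 - s2) / (e1 - e2) mod q.
    """
    R1, e1, s1 = sig1
    R2, e2, s2 = sig2
    if R1 != R2 or e1 == e2:
        raise ValueError("fork must share the commitment and differ in the challenge")
    return (s1 - s2) * pow((e1 - e2) % Q, -1, Q) % Q


def simulate_fork(x, m):
    """Model the rewinding of the forger: same nonce k (hence the same R), but the
    reprogrammed random oracle answers with a second, different challenge e2."""
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    e1 = hash_challenge(R, m)
    e2 = (e1 + 1 + secrets.randbelow(Q - 2)) % Q  # any challenge other than e1
    return (R, e1, respond(x, k, e1)), (R, e2, respond(x, k, e2))


def demo():
    """Run the honest path and the forking extraction; returns True on success."""
    x, y = keygen()
    ok_honest = verify(y, "constructed message", sign(x, "constructed message"))
    sig1, sig2 = simulate_fork(x, "constructed message")
    both_valid = all(verify_transcript(y, *s) for s in (sig1, sig2))
    return ok_honest and both_valid and extract_from_fork(sig1, sig2) == x


if __name__ == "__main__":
    print("extraction succeeded:", demo())
```

The second transcript does not pass `verify`, because its challenge is not what the real oracle returns for (R, m); it is valid only in the rewound execution where the oracle was reprogrammed, which is exactly the situation the forking lemma constructs. The same division, with the paper's own transcript components in place of (R, e, s), is the value the proofs compute to output the ECDLP solution.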
In the above forgery query, the receiver can be for the signature mode; otherwise it works as signcryption. Thus, the proof is suitable for the two modes.
Analysis. Let , , and be the events when aborts the game.
(i) is an event in which the target identity ’s secret value is queried by . The probability of is .
(ii) is an event in which the target identity ’s private key is queried by . The probability of is .
(iii) is an event in which the target identity has not been chosen as the sender by during forgery. The probability of is .
Thus, the probability that does not abort the EUF-CLGSC-CMA-II game is .
So, the successful advantage of is .

5. Performance Analysis

Since computation time and ciphertext size are two important factors affecting efficiency, we compare our scheme with several existing schemes in these two terms from two aspects: CLGSC-signcrypt and CLGSC-unsigncrypt. We pay attention to operations such as bilinear pairing operations, exponentiation operations, scalar multiplication operations, and hash operations. We define the notations in the Notations section and adopt the experimental timing results from [32–34].

The comparison is shown in Table 1; denotes the size of an element in , denotes the size of an element in , denotes the length of message , denotes the length of identity , and is the size of an element in .

Since the pairing and exponentiation operations require much more time than the multiplication operation, our proposed scheme is implemented without pairing and exponentiation operations. Table 1 shows that our proposed CLGSC scheme requires much less computational time than the other four schemes. Our scheme also has the shortest ciphertext size, so it is highly efficient in both respects.

6. Conclusion

In this paper, a concrete CLGSC scheme without utilizing bilinear pairing operations is proposed, and its security is proved in the random oracle model under the ECDLP and ECDLP assumptions, including security against both an adaptively chosen ciphertext attack and an existential forgery of Type I and II adversaries. The new scheme is computationally efficient and is suitable for low power and processor devices.

Notations

:Time required for executing a modular multiplication operation
:Time required for executing an exponentiation
:Time required for executing a scalar multiplication
:Time complexity for executing the simple hash function, which is negligible
:Time required for executing a bilinear pairing operation.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the National Nature Science Foundation of China (no. 61702218), Shandong Provincial Natural Science Foundation (no. ZR2014FL011, no. ZR2015FL023), and International Joint Training Program for Young and Middle-Aged Scholar of Shandong Province.