Abstract

Although encryption and signatures have been two fundamental technologies for cryptosystems, they still receive considerable attention in academia due to the focus on reducing computational costs and communication overhead. In the past decade, applying certificateless signcryption schemes to solve the higher cost of maintaining the certificate chain issued by a certificate authority (CA) has been studied. With the recent increase in the interest in blockchains, signcryption is being revisited as a new possibility. The concepts of a blockchain as a CA and a transaction as a certificate proposed in this paper aim to use a blockchain without CAs or a trusted third party (TTP). The proposed provably secure signcryption scheme implements a designated recipient beforehand such that a sender can cryptographically facilitate the interoperation on the blockchain information with the designated recipient. Thus, the proposed scheme benefits from the following advantages: (1) it removes the high maintenance cost from involving CAs or a TTP, (2) it seamlessly integrates with blockchains, and (3) it provides confidential transactions. This paper also presents the theoretical security analysis and assesses the performance via the simulation results. Upon evaluating the operational cost in real currency based on Ethereum, the experimental results demonstrate that the proposed scheme only requires a small cost as a fee.

1. Introduction

With the rapid development of information and network applications, confidentiality, integrity, and nonrepudiation are the main security concerns. Thus, encryption and digital signatures have become two main fundamental technologies for any well-defined cryptosystem.

In 1997, Zheng presented the first signcryption concept, which simultaneously fulfils the functions of both a digital signature and public key encryption in a single logical step, at a significantly lower cost than “signature followed by encryption” [1]. Since then, increasingly many signcryption schemes have been built on traditional public key infrastructure- (PKI-) based [1, 2], identity-based [3–7], or certificateless [8–17] digital signatures.

In 1984, Shamir presented a novel identity-based cryptosystem (IBC) [18] in which an arbitrary string (the identity) serves as the participant’s public key, and the corresponding private key is generated by a trusted third party (TTP) called the key generation center (KGC). This design eliminated the high cost of maintaining a traditional certificate-based PKI. Later, Boneh and Franklin proposed an identity-based encryption (IBE) scheme [19] that fully realized Shamir’s IBC; by removing certificate management from the PKI, it significantly decreased the computational overhead. In 2002, Malone-Lee combined the concepts of IBC and signcryption to present an identity-based signcryption scheme [5]. Unfortunately, identity-based signcryption schemes such as those in Ref. [4, 5] suffer from the key escrow problem.

In 2003, Al-Riyami and Paterson proposed certificateless public key cryptography [20], which eliminates both the certificate-management burden of PKI and the key escrow problem of IBC. Subsequently, Barbosa and Farshim proposed the first certificateless signcryption scheme [8]. A certificateless signcryption scheme consists of four phases: (1) setup, in which the KGC generates its key pair; (2) key generation, in which a participant chooses his key pair with the assistance of the KGC; (3) signcryption; and (4) unsigncryption. Notably, the participant’s private key is partially generated by the KGC in the key generation phase, and the KGC is assumed to be trusted. Furthermore, both the KGC’s public key and the signer’s public key are involved in the unsigncryption phase, so these public keys must themselves be authenticated. Hence, the certificateless signcryption schemes in Ref. [13, 16, 17], to name a few, cannot avoid the high maintenance cost of a TTP.

Herein, we briefly examine a traditional certificate-based digital signature. Certificates, used to authenticate public keys before they are used, are chained as an ordered list containing an entity certificate, a series of intermediate certificates in the middle, and a root certificate at the end of the chain. For example, when Alice intends to use Bob’s public key, the key is first authenticated by verifying Bob’s certificate. Bob’s certificate, which contains his identity information and his public key, is protected by the certificate issuer’s signature, which makes it tamper-proof and unforgeable. To verify the issuer’s signature, however, Alice must take the next step and confirm the issuer’s public key by verifying the corresponding certificate, which is issued by a higher-level issuer called an intermediate certificate authority (CA). The signatures of the certificates in the certificate chain (see Figure 1) must be verified in this way up to the root CA certificate.

It is clear that maintaining the certificate chain, along with the assumption of a TTP, will increase the overall computational overhead; thus, the use of a blockchain becomes more pertinent. Due to the emergence of Bitcoin [21] in 2009, Ethereum [22] in 2013, and Hyperledger Fabric [23] in 2016, blockchain technologies [21, 22], providing a trusted mechanism without a CA and TTP, have received significant attention and interest in academia and the IT industry.

The fundamental technology of blockchains, such as Bitcoin and Ethereum, has gained increasingly more attention and has begun to be applied to various fields, such as medical data access [24–26], the Internet of Things [27, 28], and privacy preservation [29–31]. However, the high cost of certificate-based public key authentication is still problematic.

A blockchain is a continuously growing list of blocks (see Figure 2) that are linked and secured using cryptographic techniques; following the links backward, the chain terminates in a genesis block. Each block typically contains an external hash pointer as a link to its previous block and an internal hash of all of its transactions. A transaction is a group of data, which includes the messages of “” and “” and the signatures. Figure 3 illustrates an instance of a transaction in block number 2752 of an Ethereum test blockchain.

Basically, the elliptic curve digital signature algorithm (ECDSA) [32] underpins the blockchain concept in Bitcoin, Ethereum, and Hyperledger Fabric. The signature fields “” and “” in each transaction, as shown in Figure 3, are proven. For a user in a blockchain, his private key serves as his identity and security credential. Notably, the private key is generated and maintained by the user himself, not by a trusted third party, and it is used to sign outgoing transactions. Rather than interacting with the whole blockchain, each user can directly interface with his blockchain node to submit signed transactions and inspect the blockchain.

1.1. Motivation

A blockchain can be viewed as a public decentralized ledger that records all of the transactions in a publicly verifiable and permanent way. The recorded data are tamper-proof and cannot be changed retroactively without altering all subsequent blocks up to the genesis one. The cryptographic advantages of a blockchain are similar to those of a certificate chain, such as public verifiability and tamper-proofness. The main difference is that the blockchain is a decentralized trust mechanism requiring no trusted third party, whereas the certificate chain is a centralized trust mechanism with a series of trusted third parties.

In this paper, new cryptographic paradigms called blockchain as a CA and transaction as a certificate are investigated to implement a blockchain without a CA or TTP. Precisely, users’ public keys are extracted and authenticated directly from transactions in blockchains instead of by CAs or a TTP. This combination is named blockchain as a CA (BaaCA). BaaCA has the following advantages.
(1) Avoiding the high maintenance cost of CA and TTP: for a block in the blockchain, a transaction with its ECDSA signature can be treated as certificate-like and utilized to extract the ECDSA public key such that both the public key and the transaction itself are authenticated. In this way, the concepts of a blockchain as a CA and a transaction as a certificate become intriguingly analogous to that of a certificate chain in the PKI.
(2) Seamlessly integrating with blockchains: due to the success of Bitcoin and Ethereum along with the promise of blockchain technologies, it is possible and feasible to combine blockchain technologies with signcryption to achieve the goals of confidentiality, integrity, and nonrepudiation simultaneously.
(3) Providing transaction confidentiality: by combining encryption with a digital signature to achieve the goal of “lower computational cost and communication cost,” a novel signcryption scheme based on a blockchain that provides more benefits is proposed in this paper.

1.2. Contribution

In view of prior work, this paper proposes a provably secure BaaCA-based signcryption scheme. The main contributions of the proposed scheme are highlighted as follows.
(1) Using blockchain as a CA and transaction as a certificate to form a new signcryption scheme, it is feasible to eliminate the high maintenance cost from involving CAs or a TTP compared with the related works.
(2) The theoretical security analysis is demonstrated, and the experimental results show that the proposed scheme can work and interoperate with the Ethereum blockchain. In this way, the proposed scheme seamlessly complies with a state-of-the-art blockchain.
(3) By combining blockchain technologies with signature and encryption, the proposed scheme achieves the goals of confidentiality, integrity, and nonrepudiation simultaneously. It is worth noting that the proposed scheme presents a new paradigm of providing confidentiality to transactions in the Bitcoin and Ethereum blockchains with a minor impact.

The rest of this paper is organized as follows. The related preliminaries are given in the next section. The proposed scheme with the formal system and security models are illustrated in Section 3. Section 4 presents the formal theoretical security proofs under the random oracle model along with the experimental results. The performance analysis is given in Section 5. Discussion and conclusions are given in Sections 6 and 7, respectively.

2. Preliminaries

2.1. Signature via ECDSA

The ECDSA algorithm [32] includes four phases: the setup, key generation, signature generation, and signature verification phases. They are briefly described below.
Setup phase: Let E be the given curve with its default field and equation. Then, a base point of prime order on the curve and the multiplicative order n of that point can be determined. A hash function is given as follows: .
Key generation phase: The signer performs the following operations.
(1) Choose an integer , such that , as the private key.
(2) Compute as the corresponding public key. Then, the private key is and the public key is , .
Signature generation phase: The signer signs message by performing the following operations.
(1) Compute .
(2) Choose an integer such that , where is a cryptographically secure random number.
(3) Compute the curve point .
(4) Compute and . Message and its corresponding signature are sent to the recipient/verifier.
Signature verification phase: The verifier performs the following operations to verify the signature of message .
(1) .
(2) Compute , , and .
(3) Compute .
(4) Take the -coordinate as .
(5) Check .

If it holds, the signature of is successfully authenticated.

2.2. Encryption via ECC

To encrypt or decrypt message in ECC, the operations [33] are as follows.
Encryption phase:
(1) Choose an integer such that , where is a cryptographically secure random number.
(2) Suppose that message maps to the curve point M.
(3) Compute the curve point .
(4) Compute the curve point . Send to the recipient.
Decryption phase:
(1) Compute the curve point .
(2) Decode point to obtain plaintext .

3. The Proposed Signcryption Scheme

The proposed BaaCA-based signcryption scheme including its system and security models is illustrated in this section. The notations used in the proposed scheme are described first in Table 1.

The proposed BaaCA-based signcryption scheme includes three different entities: a sender, a recipient, and the blockchain.
(1) Sender: a sender called Alice, with her private/public key pair , sends data to a specified recipient. First, the data are split into two parts: and . The privacy-sensitive part of is put into , and the remaining part of is packaged into . Second, Alice executes the BaaCA-based signcryption algorithm to generate the encryption key , which is used to transform into ciphertext and to create the signature at the same time. Finally, Alice posts the transaction to the recipient via the blockchain.
(2) Recipient: a recipient called Bob, with his private/public key pair , performs the decryption and verification processes when he obtains transaction in order to recover the original data . To decrypt ciphertext , Bob first executes the signcryption algorithm to generate the decryption key , which is the same as Alice’s encryption key . Bob then uses to decrypt , obtains the privacy-sensitive data , and recovers the original data . For verification, Bob first uses both the signature and to generate Alice’s public key . Bob can then use to derive Alice’s account address and check whether it matches the account address in transaction . Note that each account address in the blockchain is derived from the corresponding public key. If they match, Bob is assured that data were sent by Alice.
(3) Blockchain: the blockchain acts as a digital ledger that records all transactions that have ever happened. That is, the blockchain is treated as a CA, and the tamper-proof transactions are treated as certificates from which the related public keys are extracted.

The proposed scheme consists of five algorithms: system setup, key generation, public-key extraction, signcryption, and unsigncryption. For simplicity, we denote them as , , , , and , respectively. The details are described below.
(i) : a probabilistic algorithm that generates the public parameters params of the system from a security parameter as input. It can be represented as .
(ii) : a probabilistic algorithm that takes a randomly chosen private key as input and generates the corresponding public key and account address. It can be represented as .
(iii) : a deterministic algorithm that takes an ECDSA signature as input and returns the corresponding public key . It can be represented as .
(iv) : a probabilistic algorithm that takes the sender’s private key , the recipient’s public key , and data as inputs and outputs the corresponding signature , ciphertext , and nonsensitive part of the data . The outputs are denoted as . It can be represented as .
(v) : a deterministic algorithm that takes the sender’s public key , the recipient’s private key , and as inputs and outputs either the corresponding if the signature is valid or otherwise. It can be represented as .

3.1. Security Model

There are two security concerns in the security model of the proposed BaaCA-based signcryption scheme: confidentiality and unforgeability.
(1) Confidentiality. Confidentiality in the proposed BaaCA-based signcryption scheme is essentially provided because only the specified recipient learns the data . The following experiment , played between an IND-BaaCA-CCA adversary denoted as and a challenger denoted as , captures confidentiality under chosen ciphertext attacks.
(i) Setup: runs this algorithm to obtain the public parameters and then distributes them to the adversary .
(ii) Queries (phase 1): makes a number of oracle queries to , and returns the corresponding answers to . In the experiment, the following queries are allowed:
(a) KeyGen queries: sends to ; then runs and returns to .
(b) Signcryption queries: sends to ; then runs and returns to .
(c) Unsigncryption queries: sends to ; then runs and returns to .
(iii) Challenge: after finishing phase 1, adversary chooses two data items and with an arbitrary private key , on which he wishes to be challenged. randomly chooses a bit for the two challenged data items, runs the signcryption algorithm to obtain the result , and finally sends it to .
(iv) Queries (phase 2): after receiving , adversary asks a number of queries as in phase 1, except that may not be submitted to as an unsigncryption query.
(v) Guess: finally, adversary outputs a bit from . The adversary is said to win this experiment if . We define the advantage of in this experiment as .
(2) Unforgeability. In the proposed BaaCA-based signcryption scheme, unforgeability is essential to ensuring that the signature is secure against adaptively chosen message attacks. The following experiment , played between an EU-BaaCA-CMA adversary denoted as and a challenger denoted as , captures existential unforgeability under chosen message attack.
(i) Setup: the same as in experiment .
(ii) Queries: the same as the phase 1 queries in experiment .
(iii) Output: the adversary is said to win this experiment if obtains a signature together with two arbitrary private keys and such that
(1) .
(2) was never sent to as input for the signcryption queries, where are the data corresponding to the forgery.

Definition 1. The proposed BaaCA-based signcryption scheme is said to be secure if there is no adversary that wins the experiment with a nonnegligible probability .

Definition 2. The proposed BaaCA-based signcryption scheme is said to be secure if there is no adversary that wins the experiment with a nonnegligible probability . The security of the proposed BaaCA-based signcryption scheme is based on the computational difficulty of some well-known hard problems defined below.

Definition 3. The elliptic curve discrete logarithm problem (ECDLP): if is unknown, compute by giving and .

Definition 4. The elliptic curve computational Diffie–Hellman problem (ECCDHP): if is unknown, compute by giving , , and .
In this paper, the appropriate is determined by blockchains where the ECDLP and ECCDHP are assumed to be computationally difficult.

3.2. The Proposed Scheme

According to the benefits of the blockchain as a CA concept, the proposed scheme uses a variant of the ECDSA to produce a new signcryption scheme. Since the ECDSA is the default signature algorithm in Bitcoin, Ethereum, and Hyperledger Fabric, the proposed scheme is seamlessly compliant with the blockchains.

The proposed model consists of two participants of a blockchain: Alice as a sender and Bob as a recipient. Both of the participants are external actors of the blockchain and have their relative blockchain accounts and some recorded-in-block transactions. Suppose Alice and Bob, denoted as and , respectively, with the addresses in the fields “” or “” in Figure 3 have their private and public key pairs (, ) and (, ) in the blockchain network, respectively.

The main design comes from the method that generates the private key from the existing transactions signed by Bob and Alice in the blockchain. Herein, a transaction is regarded as a certificate of Alice or Bob.

Alice is connected with the blockchain, receives Bob’s previous signature from a transaction stored in the blockchain, and then extracts Bob’s public key. The encryption key is obtained by executing , where is a one-time padded random number generated by Alice since Bob can extract this key by performing when he has , where .

The proposed signcryption scheme consists of five phases: the setup phase, key generation phase, public-key extraction phase, signcryption phase, and unsigncryption phase.
(i) Setup phase:
(1) Determine the elliptic curve E over the finite field , where is a prime number, such that the points on E form a finite group, e.g., , with prime multiplicative order n and a generator . For example, the ECDSA curve used in Bitcoin and Ethereum is secp256k1, which refers to the curve E: y² = x³ + 7 [34] defined over the field , while the curves ECC P256 and P384 are adopted by Hyperledger Fabric.
(2) and are two collision-resistant hash functions, where and have been described in (1).
(3) The system parameters are public.
(ii) Key generation phase:
(1) Suppose that Alice has her ECDSA private and public key pair and Bob has his key pair for their respective accounts on the blockchain.
(2) The ECDSA private and public key pairs are used to derive the addresses, i.e., and . For Bitcoin, Bob’s address is computed as Base_58(0x00||RIPEMD_160(SHA_256( ))|| , where Base_58 represents a large integer as alphanumeric text, RIPEMD_160 and SHA_256 are two well-known cryptographic hash functions, and || denotes concatenation. For Ethereum, the address is , where B96…255 denotes the rightmost 160 bits of the SHA-3 hash.
(iii) Public-key extraction phase: because there is no certificate chain in the Bitcoin and Ethereum blockchains, Alice must extract Bob’s public key from Bob’s transaction , which is publicly verifiable and tamper-proof once stored in the blockchain. With the ECDSA signature and the transaction data , Alice is able to extract Bob’s public key by performing the following operations.
(1) .
(2) , where , and .
(3) . In fact, Bitcoin and Ethereum transactions carry an extra parameter, i.e., the field “” in Figure 3, to identify which of the two candidate points is the correct one.
(4) Check whether the node address generated from via equation (1) or (2), for Bitcoin or Ethereum, respectively, is equal to Bob’s account address. If it is, is Bob’s public key, and Bob’s transaction in the blockchain is also authenticated.
(iv) Signcryption phase: suppose that Alice’s transaction is , where consists of two parts: is public and is privacy-sensitive. Alice performs the following operations to generate the signature of and the ciphertext of . Note that the signature in this algorithm is designed to be verified by the designated verifier, i.e., Bob.
(1) .
(2) .
(3) .
(4) .
(5) Return . Equations (5)–(7) are the operations of both key agreement and encryption. Finally, Alice broadcasts the transaction into the blockchain and discards the random number and the encryption key .
(v) Unsigncryption phase: upon interacting with the blockchain to obtain , Bob verifies the signature and simultaneously decrypts the ciphertext to obtain by performing the following operations.
(1) Find the two points and that share the same x-coordinate. In practice, the transaction carries an extra parameter, say in Figure 3, to distinguish from , say .
(2) .
(3) = .
(4) .
(5) .
(6) Check whether the node address generated from via equation (1) or (2) is equal to Alice’s account address.

Steps (2)–(4) are both the key agreement and the decryption operations. If (7) holds, is Alice’s public key and the transaction is also authenticated. Then, the data are output; otherwise, the output is .
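The three building blocks that Sections 2.1, 2.2 and the public-key extraction phase of Section 3.2 describe in prose (ECDSA signing and verification, EC point encryption, and recovering a signer's public key from a transaction signature and checking it against the account address) are shown below as a self-contained pure-Python example. This is added illustration code, not the paper's implementation: it hard-codes the secp256k1 parameters, uses SHA-256 reduced mod n as the message hash, and stands in NIST SHA3-256 for Ethereum's Keccak-256 in the address rule (rightmost 160 bits of the hash), so the addresses it produces are not real Ethereum addresses. The recovery bit v plays the role of the extra transaction field the text mentions for choosing between the two curve points that share the x-coordinate r; the signer rejects the negligibly rare case R.x >= n so that r alone determines that x-coordinate.

```python
# Added example, not the paper's implementation: secp256k1 arithmetic, ECDSA
# sign/verify (Section 2.1), EC point encryption (Section 2.2) and ECDSA
# public-key extraction with an address check (Section 3.2, phase iii).
import hashlib
import secrets

# secp256k1 domain parameters (curve y^2 = x^3 + 7, used by Bitcoin and Ethereum)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def hash_int(msg):
    """e = H(m) as an integer mod n (SHA-256 is this example's choice of H)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def keygen():
    d = secrets.randbelow(N - 1) + 1                  # private key d in [1, n-1]
    return d, ec_mul(d, G)                            # public key Q = dG

def sign(d, msg):
    """ECDSA (r, s) plus recovery bit v = parity of R.y (the extra field of Figure 3)."""
    e = hash_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1              # fresh secret nonce per signature
        R = ec_mul(k, G)
        r = R[0] % N
        s = pow(k, -1, N) * (e + r * d) % N
        if r and s and R[0] < N:                      # R[0] < n keeps recovery exact
            return (r, s, R[1] & 1)

def verify(Q, msg, sig):
    r, s, _ = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    X = ec_add(ec_mul(hash_int(msg) * w % N, G), ec_mul(r * w % N, Q))
    return X is not None and X[0] % N == r

def recover_public_key(msg, sig):
    """Public-key extraction: Q = r^-1 (s*R - e*G), R being the point selected by v."""
    r, s, v = sig
    y_sq = (pow(r, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)                    # square root mod P (P = 3 mod 4)
    if y * y % P != y_sq:
        return None                                   # no curve point has x = r
    if (y & 1) != v:
        y = P - y                                     # the other point with x = r
    e = hash_int(msg)
    sR_minus_eG = ec_add(ec_mul(s, (r, y)), ec_mul((N - e) % N, G))
    return ec_mul(pow(r, -1, N), sR_minus_eG)

def address(Q):
    """Rightmost 160 bits of a hash of the public key, in the style of equation (2).
    Assumption: NIST SHA3-256 stands in here for Ethereum's Keccak-256."""
    return hashlib.sha3_256(Q[0].to_bytes(32, "big") + Q[1].to_bytes(32, "big")).digest()[-20:]

def extract_and_check(msg, sig, claimed_address):
    """Transaction as certificate: accept the recovered key only if it hashes to
    the account address recorded in the transaction; otherwise return None."""
    Q = recover_public_key(msg, sig)
    return Q if Q is not None and address(Q) == claimed_address else None

def ec_encrypt(Q_recipient, M):                       # Section 2.2: (C1, C2) = (kG, M + kQ)
    k = secrets.randbelow(N - 1) + 1
    return ec_mul(k, G), ec_add(M, ec_mul(k, Q_recipient))

def ec_decrypt(d, C1, C2):                            # Section 2.2: M = C2 - d*C1
    S = ec_mul(d, C1)
    return ec_add(C2, (S[0], (-S[1]) % P))

def demo():
    """Constructed end-to-end run; True when sign, verify, extraction and encryption agree."""
    d, Q = keygen()
    tx = b"constructed transaction: from Alice, to Bob, value 1"
    sig = sign(d, tx)
    M = ec_mul(12345, G)                              # constructed message point
    C1, C2 = ec_encrypt(Q, M)
    return (verify(Q, tx, sig)
            and extract_and_check(tx, sig, address(Q)) == Q
            and extract_and_check(tx, sig, b"\x00" * 20) is None
            and ec_decrypt(d, C1, C2) == M)
```

The `extract_and_check` step is where the "transaction as a certificate" idea lives: the key recovered from the signature is trusted only because it hashes to the address that the tamper-proof transaction already binds the signature to, so no certificate issuer is consulted.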

3.3. Correctness of Public-Key Extraction, Encryption, and Signature

The correctness of public key extraction in the proposed protocol follows from the agreement of the hash of the extracted public key with the address indicated in the transaction on the blockchain, where represents equation (1) or (2). We have  =  =  = . Thus, the equation holds.

The correctness of the encryption in the proposed protocol is derived from the situation . If it holds, . In the signcryption phase, Alice’s encryption key is In addition, in the unsigncryption phase, the decryption key that Bob obtains is . Since , we have , and thus .

The correctness of the signature in the proposed protocol is derived from the same proof as that of correctness of public-key extraction. In this way, the signature is also authenticated. Thus, the proof is omitted here.

4. Security Analysis

Two theorems are described in detail before the security analytics and proofs of the proposed BaaCA-based signcryption scheme are given.

Theorem 1. (IND-BaaCA-CCA). The proposed BaaCA-based signcryption scheme is indistinguishable against chosen ciphertext attacks when the ECCDHP is hard to solve.

Proof. Assume that there exists an IND-BaaCA-CCA adversary who wins the experiment with a nonnegligible probability , as in Definition 1. A challenger is designed to use as a subprogram to solve the ECCDHP (Definition 4) with a nonnegligible probability. Challenger is given an instance and tries to compute the value .
First, challenger maintains four lists , corresponding to , the signcryption oracle, and the unsigncryption oracle, respectively. Then, plays the following experiment with . In addition, we assume that queries oracle times and queries KeyGen times.
(1) Setup: sends , which is an instance of the ECCDHP, to . The two hash functions , controlled by , are regarded as random oracles.
(2) Queries (phase 1): makes a number of oracle queries to , and answers them as follows.
(1) Oracle : .
Case 1: , return .
Case 2: , choose a random , add to , and then return .
(2) Oracle : .
Case 1: , return .
Case 2: , choose a random , add to , and then return .
(3) KeyGen queries:
Case 1: , return .
Case 2: , generate the public key and account address via equation (1) or (2), add to , and then return .
(4) Signcryption queries:
(a) Choose a random .
(b) Compute .
(c) .
(d) Compute .
(e) Compute .
(f) Compute , where is from oracle .
(g) Compute .
(h) Compute , where is from oracle .
(i) Compute , where is taken from the KeyGen queries.
(j) Add to .
(k) Return .
(5) Unsigncryption queries:
(a) Find the two points and with the same x-coordinate. In practice, the transaction carries an extra parameter to identify and , say .
(b) Compute .
(c) Compute .
(d) Compute .
(e) Check whether holds.
(f) If it holds, return and add to ; otherwise, return .
(3) Challenge: after finishing phase 1, chooses two datasets and with an arbitrary private key to be challenged. Here, with probability . Then, randomly chooses a bit for the two challenged datasets and runs the signcryption algorithm to obtain the result . Finally, sends to .
(4) Queries (phase 2): after receiving , adversary asks a number of queries as in phase 1, except that is never sent to as an unsigncryption query.
(5) Guess: adversary outputs a bit from . ignores the bit that outputs and randomly chooses an entry , stored in , as the solution to the given ECCDHP instance.
If never queries oracle on the relevant input, terminates. Conversely, if has any advantage in producing the bit correctly, the query to must have been made. Therefore, contains enough information for to obtain the correct with probability , because queries oracle times and only one entry is the right one. In that case, is the solution to the given ECCDHP instance with probability . This contradicts our hypothesis at the beginning of the proof. Thus, this concludes the proof of Theorem 1.

Theorem 2. (EU-BaaCA-CMA). The proposed BaaCA-based signcryption scheme is existentially unforgeable against an adaptively chosen message attack when the ECDLP is hard to solve.

Proof. Assume that there exists an EU-BaaCA-CMA adversary who wins the defined experiment with a nonnegligible probability . We design a challenger that uses as a subprogram to solve the ECDLP with a nonnegligible probability. The ECDLP instance is given to challenger , which tries to compute the value .
First, challenger maintains five lists , corresponding to the KeyGen, signcryption, and unsigncryption oracles, respectively. Then, plays the following experiment with . In addition, we assume that queries oracle times and queries KeyGen times.
(1) Setup: sends to , where is an instance of the ECDLP. The hash functions , controlled by , are regarded as random oracles.
(2) Queries (phase 1): makes a number of oracle queries to , and answers them as follows.
(1) Oracle :
Case 1: , return .
Case 2: , choose a random , add to , and then return .
(2) Oracle :
Case 1: , return .
Case 2: , choose a random , add to , and then return .
(3) KeyGen queries:
Case 1: , return .
Case 2: , generate the public key and the account address via equation (1) or (2), add to , and then return .
(4) Signcryption queries:
(a) Choose a random .
(b) Compute .
(c) .
(d) Compute .
(e) Compute .
(f) Compute , where is from oracle .
(g) Compute .
(h) Compute , where is from oracle .
(i) Compute , where is taken from the KeyGen queries.
(j) Add to .
(k) Return .
(5) Unsigncryption queries:
(a) Find the two points and with the same x-coordinate. In practice, the transaction carries an extra parameter to identify and , say .
(b) Compute .
(c) Compute .
(d) Compute .
(e) Check whether holds.
(f) If it holds, return and add to ; otherwise, return .
(3) Output: after finishing phase 1, produces the signature along with the verifier with probability , as in Definition 2. If , terminates the experiment. Otherwise, if , which happens with probability , picks the correct entry from with probability to recover . Finally, computes with probability , solving the ECDLP. This contradicts our hypothesis at the beginning of the proof. Thus, this concludes the proof of Theorem 2.

Considering the strength of the keys, which is one of the primary factors in cryptographic algorithms, the security of the key strength is further discussed. Three state-of-the-art families of hard problems underlie current public-key algorithms: integer factorization (e.g., RSA [35]), the discrete logarithm (e.g., DSA [35]), and the elliptic curve discrete logarithm (e.g., ECDSA). It is well known that ECDSA achieves the same level of security with a smaller key size, and with higher computational efficiency, than RSA and DSA. For example, ECC-256 (resp. ECC-224) provides security comparable to RSA-3072 (resp. RSA-2048) [36]. By employing ECDSA over the standard elliptic curve “secp256k1,” which the Ethereum and Bitcoin blockchains have adopted, the proposed scheme provides the same level of security.

5. Performance Analysis

In this section, the performance of the proposed BaaCA-based signcryption scheme is analyzed by comparing the computational costs with those of other related works and the experimental results of the operational costs based on the Ethereum blockchain.

5.1. Computational Cost of Signcryption

The computational costs of the proposed scheme mainly come from two phases: the signcryption and unsigncryption phases. The operations executed in each phase are depicted in Table 2. In the signcryption phase, Alice will execute two elliptic curve scalar multiplication operations, one map-to-point hash function, and one modular inversion. In the unsigncryption phase, Bob will execute two elliptic curve scalar multiplication operations, one map-to-point hash function, and one modular inversion. It is noted that the proposed scheme does not adopt any pairing operation.

The proposed scheme is compared with several existing related works. The computational cost of primitive time-consuming cryptographic operations is adopted from [4, 37] and is summarized as follows. , , , , and are the times required to execute a bilinear pairing operation, an elliptic curve scalar point multiplication, a map-to-point hash function, an exponentiation, and a modular inversion, respectively, where is the time required to execute a scalar multiplication in .

The total computational cost required in the proposed scheme is ( +  + ) = 214.2 . Table 2 shows that the computational cost of the proposed BaaCA-based signcryption scheme is nearly 49% that of Malone-Lee [5], 57% that of Karati et al. [4], 17% that of Zhou et al. [13], 71% that of Karati et al. [16], 22% that of Rastegari et al. [17], and 88% that of ECDSA + ECC.

Figure 4 shows the computational overhead during signcryption and unsigncryption among the proposed scheme and the related works.

5.2. Experimental Results Based on the Ethereum Blockchain

To evaluate the computational cost of the BaaCA-based signcryption scheme compared with the ECDSA in the original transaction on the Ethereum blockchain, we implement the proposed scheme using the Python programming language and the Ethereum Ropsten Testnet environment [38]. All experiments are carried out with the following settings:
(1) CPU: Intel Core i5-4440 CPU @ 3.1 GHz (quad core).
(2) Physical memory: 16 GB DDR3 1600 MHz.
(3) OS: Windows 7.

Finally, the proposed scheme is executed 500 times, and the average is taken as the experimental result. Figure 5 shows the computational costs of the signcryption and unsigncryption phases. We observe that the cost of the unsigncryption phase is higher than that of the signcryption phase. This is a reasonable result since unsigncryption executes one more elliptic curve scalar point multiplication operation, as shown in Table 2. Moreover, the test data size is increased in steps of 5 kB, and the ratio of the sensitive part to the public part is 1 : 4.

In addition to the computational cost, the proposed scheme is also evaluated in terms of its operational cost in real currency. In the proposed scheme, only one transaction is broadcast into the blockchain in the signcryption phase. The operational cost is estimated by calculating the total amount of gas and then converting it into real currency. We use the Ethereum Ropsten Testnet environment [38] since it automatically calculates the amount of gas consumed by the proposed scheme. After that, the amount of gas is converted into USD according to the CoinGecko conversion table [39]. At the time of conversion, the rate was gas =  ETH =  USD.

Figure 6 shows the operational costs for different amounts of data. It is observed that the cost increases when the amount of data increases. This is reasonable since more data leads to a greater amount of gas. However, the increase has little practical effect since the cost remains very low. Even if the amount of data increases to 30 kB, the cost in real currency is still less than 0.35 USD. This means that the proposed scheme is a suitable solution to protect transaction privacy and only requires a small cost as a fee.

6. Discussion

Since the security model has been formally analyzed in Section 3, this section presents the main advantages of the proposed scheme compared with related works. The comparisons between the previous related works and the proposed method are given in Table 2. The superiority of the proposed scheme is demonstrated by the following advantages:
(1) Removing the high maintenance cost of involving CAs or a TTP: without having a CA or TTP to register a user in the proposed scheme, key pairs are generated by users themselves. With the concepts of blockchain as a CA and transaction as a certificate, users’ public keys are extracted and authenticated directly from transactions in blockchains instead of by CAs or a TTP. Since blockchains such as Bitcoin and Ethereum have no mechanism to publish users’ public keys, the public key extraction operation in the proposed scheme achieves the settlement and authentication of public keys directly from transactions.
(2) Seamless compliance with blockchains: it is not necessary to maintain a KGC. In the proposed scheme, the signcryption scheme can exploit the ECDSA private/public keys without any modification of blockchains. Furthermore, the encryption key used for confidentiality is derived under the Diffie–Hellman key exchange [40] such that both the prover and the verifier obtain an identical secret key. In the signcryption phase, Alice’s transaction is , where are composed of public and privacy-sensitive . The field “” in Figure 3, which could be an arbitrary message, is treated as a privacy-sensitive message while the rest of the fields are treated as public information. Precisely, the “” field carries the ciphertext (not the plaintext) in the proposed BaaCA-based scheme. This implies that Alice performs the regular operations of generating a common blockchain transaction, plus only the additional encryption-related operations. In this way, the implementation of the proposed scheme affects only the “” field, so its impact on the blockchain is minimized.

Furthermore, the revisited applicability of the proposed scheme achieves the following advantages:
(1) Preserving transaction confidentiality: the proposed scheme lowers the payload by encrypting only the privacy-sensitive part such that the other part of a transaction may remain as plaintext. Thus, the scheme is compliant with the design of blockchains and protects transaction confidentiality at the same time.
(2) Reducing computational and communication costs: as is known, a signcryption scheme is proven to achieve lower computational and communication costs [1]. Thus, the proposed blockchain-compliant signcryption scheme benefits from the advantages of confidentiality, integrity, and nonrepudiation simultaneously.
(3) Designated recipient: the proposed signcryption scheme sets a designated recipient. When trying to verify signature , a recipient must check whether is equal to . Without knowing , the recipient cannot accomplish this task. Via Theorem 1, attackers have no feasible way to deduce the decryption key to compute and then obtain . Thus, the verification of must be performed by the designated verifier. Alternatively, if in the signcryption phase, every participant involved in the blockchain can be the verifier.

7. Conclusions

As mentioned above, the cryptographic advantages of a blockchain are similar to those of a certificate chain, such as providing public verification and being tamper-proof. The main difference is that the blockchain is a decentralized trust mechanism requiring no trusted third party, whereas the certificate chain is a centralized trust mechanism with a series of trusted third parties. Because of the success of Bitcoin and Ethereum along with the promising blockchain technologies, it is possible and feasible to combine blockchain technologies with signcryption. Thus, the concept of blockchain as a CA proposed in this paper aims to leverage the blockchain and achieves the following advantages: (1) it removes the need to involve CAs or a TTP, (2) it seamlessly complies with blockchains, and (3) it preserves transaction privacy.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this article.

Acknowledgments

This study was supported in part by the Ministry of Science and Technology of Taiwan under grant no. MOST 107-2221-E-415-001-MY3.