AN EFFICIENT ID-BASED PUBLIC VERIFIABLE SIGNCRYPTION SCHEME

SWAPNA G.; REDDY P.V.

AN EFFICIENT ID-BASED PUBLIC VERIFIABLE SIGNCRYPTION SCHEME

SWAPNA G.¹, REDDY P.V.²*
¹Department of Engineering Mathematics, A.U. College of Engineering, Andhra University, Visakhapatnam- 530 003, AP, India.
²Department of Engineering Mathematics, A.U. College of Engineering, Andhra University, Visakhapatnam- 530 003, AP, India.
* Corresponding Author : vasucrypto@yahoo.com

Received : 22-06-2012 Accepted : 10-01-2013 Published : 14-01-2013
Volume : 3 Issue : 1 Pages : 41 - 46
Int J Cryptography Secur 3.1 (2013):41-46

Conflict of Interest : None declared

Cite - MLA : SWAPNA G. and REDDY P.V. "AN EFFICIENT ID-BASED PUBLIC VERIFIABLE SIGNCRYPTION SCHEME." International Journal of Cryptography and Security 3.1 (2013):41-46.

Cite - APA : SWAPNA G., REDDY P.V. (2013). AN EFFICIENT ID-BASED PUBLIC VERIFIABLE SIGNCRYPTION SCHEME. International Journal of Cryptography and Security, 3 (1), 41-46.

Cite - Chicago : SWAPNA G. and REDDY P.V. "AN EFFICIENT ID-BASED PUBLIC VERIFIABLE SIGNCRYPTION SCHEME." International Journal of Cryptography and Security 3, no. 1 (2013):41-46.

Copyright : © 2013, SWAPNA G. and REDDY P.V., Published by Bioinfo Publications. This is an open-access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution and reproduction in any medium, provided the original author and source are credited.

Abstract

Signcryption is a cryptographic scheme that combines the functionalities of signature and encryption in a single logical step. In a conventional signcryption scheme, the message is hidden and thus the validity of the signcryption can be verified only after the unsigncryption process. Thus, a third party will not be able to verify the validity of the signcryption. Signcryption schemes that allow anyone to verify the validity of signcryption without knowledge of the message are called public verifiable signcryption schemes. Third party verifiable signcryption schemes allow the receiver of signcryption, to convince a third party that the signcryption is valid, by providing some additional information (other than the receiverâ€™s private key) along with the signcryption. In this paper we propose an efficient ID-based signcryption scheme that offers public verifiability and third party verification, based on bilinear pairings over elliptic curves. We prove that our scheme satisfies the security notions such as confidentiality and unforgeability with the assumptions that the CBDHP, CDHP respectively is intractable in the random oracle model.

Keywords

Identity-based cryptography, bilinear pairings, signcryption, unforgeability, public verifiability

Introduction

Confidentiality, integrity, authentication and non- repudiation are the important requirements for many cryptographic applications. Confidentiality is keeping information secret from all other than those who are authorized to see it. Integrity is ensuring that the information has not been altered by unauthorized entities. Authentication is the assurance that the communicating party is the one that it claims to be. Non-repudiation is preventing the denial of the previous commitments or actions. Encryption can achieve the confidentiality and digital signature can achieve the integrity, authentication, and non- repudiation. If we need to achieve simultaneously confidentiality, integrity, authentication and non- repudiation, a traditional approach is first to sign a message and then to encrypt it, called sign-then-encrypt or signature-then-encryption approach. In 1997,Zheng [1] proposed a new cryptographic primitive called signcryption that fulfills both the functions of digital signatures and public key encryption simultaneously, at a cost of significantly lower than that required by the traditional signature-then-encryption approach. Signcryption has to found many applications, such as electronic transaction protocol, mobile agent protocol, key management, and routing protocol. The original scheme in [1] is based on the discrete logarithm problem but not security proof is given. Zhengâ€™s original schemes were only proven secure by Beak et al. [2] who described a formal security model in a multi-user setting. In the above mentioned traditional signcryption schemes, the public key of a user are essentially a random bit string picked from a given set. So, the signcryption does not provide the authentication of the user by itself. This problem can be solved via a certificate, which provides an unforgeable and trusted link between the public key and the identity of the user by the signature of a certificate authority (CA), and there is a hierarchical framework that is called public key infrastructure (PKI) to issue and manage certificates. However, the certificates management, including revocation, storage, distribution, and the computational cost of certificates verification are the main difficulties against traditional PKI.
To simplify the key management procedures of traditional PKI, Shamir [3] proposed the concept of identity - based cryptography (IBC) in 1984. The idea of IBC is to get rid of certificates by allowing a userâ€™s public key to be any binary string that uniquely identifies the user. Examples of such strings include e-mail addresses and IP addresses. Several practical identity-based signature (IBS) schemes [13] have been proposed since 1984, but a satisfying identity-based encryption (IBE) scheme only appeared in 2001 [4] . It was devised by Boneh and Franklin and cleverly uses bilinear maps (the Weil or Tate paring) over super singular elliptic curves.
The first identity based signcryption scheme proposed by Malone Lee [5] in 2002. Since then, many identity based signcryption schemes have been proposed in literature [6-10] . Their main objective is to reduce the computational complexity and to design the more efficient identity based signcryption scheme. In conventional signcryption, the sender signs the message which is hide it the receiverâ€™s public key. Thus, only the receiver can decrypt the message using his /her private key and can verify the authenticity of the cipher text.
Normally, in a signcryption scheme, the message is hidden and thus the validity of the signcryption can be verified only after the unsigncryption process. Thus, a third party (who is the unaware of the receiverâ€™s private key) will not be able to verify whether a signcryption is valid or not. Public verifiable signcryption scheme is well motivated in the following scenarios.
One of the main applications of signcryption scheme is secure e-mail systems. Public verifiable signcryption schemes are applicable in filtering out the spamâ€™s in secure e-mail systems. The spam filter should be able to verify the authenticity of the signcrypted e-mail without knowing the message (i.e., check whether the signcryption is generated from the claimed sender or not). Here, if the signcryption does not satisfy the public verifiability, it can be considered a spam and can be filtered out. Moreover, in applications such as private contract signing, made between two parties, the receiver of the signcryption should be able to convince the third party that indeed the sender has signed the corresponding message hidden in the signcryption. In this case, the receiver should not reveal his secret key in order to convince the third party; instead he reveals the message and some information computable with his private key required for the signature verification.
In 2004, Chow et al. [7] proposed the first ID-based public verifiable signcryption scheme. In 2010, Selvi et al. [11] showed attacks on confidentiality and unforgeability of the chow et al. [7] scheme, and proposed a new ID-based signcryption scheme with public verifiability and third party verification. In 2011, Prashant Kushwah et al. [12] proposed another identity based public verifiable signcryption scheme with third party verification and forward security.
In this paper we present an efficient ID-based public verifiable signcryption (ID-PVSC) scheme with third party verification, using bilinear pairings over elliptic curves. The proposed scheme satisfies the security notions such as confidentiality and unforgeability with the assumptions that the CBDH and CDH problems are intractable.
The rest of the paper is organized as follows: Section 2 briefly explains the bilinear pairings and some computational problems on which our scheme is based. The syntax and security requirements of our ID-PVSC scheme are given in Section 3. We present our ID-PVSC scheme in section 4. The correctness, security and efficiency analysis of the proposed scheme are given in Section 5. Section 6 concludes this paper.

Preliminaries

In this section, we briefly review bilinear pairings and some computational problems.

Bilinear Pairings

Bilinear pairing is an important primitive and has been widely adapted in many positive applications in cryptography. Let G₁ be an additive cyclic group with a prime order q and G₂ be a multiplicative cyclic group with the same order q. G₁ is a subgroup of the group of points on an elliptic curve and P is the generator of G₁Â·G₂ is a subgroup of the multiplicative group over a finite field. A bilinear pairing is a map $\tiny \dpi{150} \hat{e}:G_{1}\times G_{1}\rightarrow G_{2}$ which satisfies the following properties.
1. Bilinear: $\tiny \dpi{150} \hat{e}(aP,bP)=\hat{e}(P,P)^{ab}$ for all $\tiny \dpi{150} P\in G_{1}$ and $\tiny \dpi{150} a,b\in Z_{q}^{*}$ .
2. Non-degenerate: There exists $\tiny \dpi{150} P,Q\in G_{1}$ such that $\tiny \dpi{150} \hat{e}(P,Q)\neq 1$ .
3. Computability: There exists an efficient algorithm to compute $\tiny \dpi{150} \hat{e}(P,Q)$ for all $\tiny \dpi{150} P,Q\in G_{1}$ .
We call such a bilinear map Ãª as an admissible bilinear pairing, and the Weil pairing in elliptic curve can give a good implementation of the admissible pairing [4] .

Computational Problems

Now, we give some computational problems which will form the basis of security for our ID-PVSC scheme.
Definition 1 (Computational Diffie-Hellman Problem CDHP): The CDHP in G₁ is such that given $\tiny \dpi{150} (P,aP,bP)$ with uniformly random choices of $\tiny \dpi{150} a,b\in Z_{q}^{*}$ , to compute ab. The CDH assumption states that there is no polynomial time algorithm with a non-negligible advantage in solving the CDHP.
Definition 2 (Computational Bilinear Diffie-Hellman Problem CBDHP): The CBDHP is such that given $\tiny \dpi{150} (P,ap,bP,cP)$ with uniformly random choices of $\tiny \dpi{150} a,b,c\in Z_{q}^{*}$ , to compute $\tiny \dpi{150} \hat{e}(P,P)^{abc}$ .

Syntax and Security Model for ID-PVSC Scheme

In this section, we give the syntax for identity based signcryption scheme (ID-PVSC scheme) which supports both public verifiability and third party verification. We also give the security model for our ID-PVSC scheme.

Syntax of ID-PVSC Scheme

Our identity based signcryption scheme consists of the following algorithms.

Setup (1^Îº): Given the security parameter k, the Private Key Generator (PKG) generates the master private key M_sk and public parameters Params. Params are made public while M_sk is kept secret by the PKG.

Extract (IDi): Given an identity IDi as input, the PKG executes this algorithm to generate the private key ^SID_i corresponding to ID_i and ^SID_i sends to the user ID_i through a secure channel.

Signcrypt

(M,ID_A,^SID_A,ID_B): A sender with identity ID_A and private key ^SID_A in order to signcrypt a message M to a receiver whose identity is ID_B, runs this algorithm to generate the corresponding signcryption Ïƒ.

Unsigncrypt

(Ïƒ,ID_A,^SID_B,ID_B) On receiving the signcryption Ïƒ from sender ID_A, the receiver with identity ID_B and the private key ^SID_B of the receiver, the receiver executes this algorithm to obtain the message M, if Ïƒ is a valid signcryption of M from ID_A to ID_B or â€œInvalidâ€, indicating that the signcryption is not valid.

Public-Verify (Ïƒ, ID_A, ID_B)

This algorithm allows any third party to verify the authenticity of the signcryption Ïƒ without knowing the message used for the generation of the signcryption Ïƒ It takes the signcryption Ïƒ, the sender identity ID_A and the receiver identity ID_B as input and outputs â€œValidâ€, if Ïƒ is a valid signcryption or â€œInvalidâ€, otherwise.

TP-Verify (Ï†, ID_A, ID_B):

This algorithm allows the receiver ID_B to prove the authenticity of the signcryption Ïƒ to third party by providing additional information needed (other than the private key ^SID_B). This algorithm runs by the third party and takes Ï† (Ïƒ and additional information provided by ID_B), the sender identity ID_A and receiver identity ID_B as input, and outputs â€œValidâ€, if Ïƒ is a valid signcryption from ID_A to ID_B or â€œInvalidâ€, otherwise.

Security Model for ID-PVSC Scheme

Definition 3: (Message confidentiality):
An ID-based public verifiable signcryption scheme is said to be indistinguishable against adaptive chosen cipher text attacks (IND-ID-PVSC-CCA2) if no polynomially bounded adversary has non-negligible advantage in the following game.

Setup: The challenger C runs setup algorithm with a security parameter k and sends the system parameters to the adversary A.

Phase1: The adversary A performs a polynomially bounded number of queries to C. The queries made by A may be adaptive, i.e. current query may depend on the answers to the previous queries. The various oracles and the queries made to these oracles are defined below:

â€¢ Key Extraction Queries (Oracle OExtract(ID_i): A chooses an identity IDi; C computes private key ^SID_i = O_Extract(ID_i) to response to A.

â€¢ Signcryption Queries (Oracle O_Signcrypt(M, ID_A, ID_B): A produces a signer identity ID_A, the recipient identity ID_B and a message M. C computes ^SID_A = O_Extract(ID_A) and generates the signcryption Ïƒ for the message M using ^SID_A by following the signcryption protocol and sends Ïƒ to A.

â€¢ Unsigncryption Queries (Oracle O_Unsigncrypt (Ïƒ, ID_A, ID_B): A produces ID_A, ID_B and the signcryption Ïƒ as input to this algorithm and requests the unsigncryption of Ïƒ. The challenger C runs unsigncrypt algorithm on input (Ïƒ, ID_A, ID_B) and returns its output to A. The result of the unsigncryption will be â€œInvalidâ€ if Ïƒ is not a valid signcryption. It returns the message M, if Ïƒ is a valid signcryption.

â€¢ TP-Verify Queries (Oracle O_TP-Verify (Ïƒ, ID_A, ID_B): A submits the information Ï†, the sender identity ID_A and the receiver identity ID_B. C generates the private key corresponding ^SID_B to ID_B, un- signcrypts Ïƒ using ^SID_B and returns the information required for TP-Verify corresponding to Ïƒ, if Ïƒ is a valid signcryption returns â€œValidâ€ if Ïƒ is a proper and correct signcryption. â€œInvalidâ€ otherwise.

Selection and Challenge

At the end of the phase-1, A chooses two equal length plaintext M₀, M₁ and a sender identity ID_A and the recipient identity ID_B on which he wants to be challenged, and submits them to C. However A should not have queried the private key corresponding to ID_B in phase-1. C now chooses $\tiny \dpi{150} \delta \in _{R}\left \{ 0,1 \right \}$ and computes Ïƒ* =O_Signcrypt (M_Î´, ID_A, ID_B) and sends Ïƒ* to A. It is to be noted that the private key ^SID_A corresponding to the sender IDA can be queried by A.

Phase-2

A is allowed to interact with C as in phase-1 with the following restrictions.

â€¢ A should not query the extract oracle for the private key corresponding to the receiver identity ID_B.
â€¢ A should not query the Unsigncrypt oracle with (Ïƒ*, ID_A, ID_B) as input, i.e., a query of the form O_Unsigncrypt (Ïƒ*, ID_A, ID_B) is not allowed.
â€¢ Output (Guess): Finally A produces a bit Î´1 and wins the game if Î´¹=Î´ The advantage of A in the above game is defined by
Adv(A) = 2|Pr[Î´¹=Î´ ]Ââ€“1| where [Î´¹=Î´] denotes the probability that Î´¹=Î´.
The confidentiality game described above deals with insider security since the adversary is given access to the private key of the sender ID_A used for the challenge phase.

Definition 4 (Unforgeability)

An ID-Based sign- cryption scheme is said to be existentially unforgeable against adaptive chosen message attacks (EUF- ID-PVSC-CMA) if no polynomially bounded adversary has a non-negligible advantage in the following game.

Setup

The challenger C runs the Setup algorithm with security parameter k and obtains public parameters Params and the master private key M_sk. C sends Params to the adversary A and keeps M_sk secret.

Training phase

The adversary A performs a polynomially bounded number of queries to C as in Phase-1 of confidentiality game.

Forgery

After a sufficient amount of training, A produces a signcryption (Ïƒ, ID_A, ID_B) to C. Here A should not have required the private key of ID_A during the training phase and Ïƒ is not the output of signcrypt oracle with (M, ID_A, ID_B) as input (M=O_Unsigncrypt (Ïƒ, ID_A, ID_B)). A wins the game, if Unsigncrypt (Ïƒ, ID_A, ID_B) is valid. It is to be noted that the private key ^SID_B corresponding to the receiver ID_B can be queried by A.
The security model discussed above captures the notion of insider security since the adversary is provided access to the private key of the receiver with identity ID_B used for generating the signcryption Ïƒ during the forgery phase.

Proposed ID-based Public Verifiable Signcryption Scheme (ID-PVSC Scheme)

In this section, we proposed an ID-based signcryption scheme that offers public verifiability and third party verification. We call it as ID-PVSC scheme. The ID-PVSC scheme consists of the following algorithms.

Setup: Given a security parameter k, this algorithm chooses two groups G₁ and G₂ with the same order q. Let Ãª:G₁XG₂â†’G₂ be an admissible bilinear pairing. Let P be the generator of G₁. Randomly choose $\tiny \dpi{150} s\in Z_{q}^{*}$ and compute public key P_pub=sP.H₁,H₂,H₃,H₄ are hash functions and they satisfy $\tiny \dpi{150} H_{1}:\left \{ 0,1 \right \}^{*}\rightarrow G_{1},H_{2}:G_{2}\rightarrow \left \{ 0,1 \right \}^{*},H_{3}:\left \{ 0,1 \right \}^{n}\rightarrow \left \{ 0,1 \right \}^{*},H_{4}:\left \{ 0,1 \right \}^{n}\times G_{1}^{3}\rightarrow Z_{q}^{*}$ (E,D) is a secure symmetric encryption scheme. Then the system parameters are Params = {k,n,G₁,G₂,P,Ãª,H₁,H₂,H₃,H₄,E,D}.

Key Gen / Key Extract: For every user with identity ID_i, the PKG uses his master key $\tiny \dpi{150} s\in Z_{q}^{*}$ and userâ€™s public key ^QID_i=H₁(ID_i) to compute the corresponding secret key of ^SID_i = ^sQID_i the user with identity ID_i.

Signcrypt (M, ID_A, ^SID_A, ID_B): To produce a signcryption on the message M under the recipient with identity ID_B the signer with identity ID_A uses his secret key ^SID_A to respond as follows.
1. Pick $\tiny \dpi{150} s\in Z_{q}^{*}$ and compute $\tiny \dpi{150} U=xP\in G_{1}$

2. Compute $\tiny \dpi{150} \hat{a}=\hat{e}(P_{pub},^{Q}ID_{B})^{x}\in G_{2}$

3. Compute $\tiny \dpi{150} a_{2}=H_{2}(\hat{a})$

4. Compute $\tiny \dpi{150} h=H_{3}(M,\hat{a},U,^{Q}ID_{A},^{Q}ID_{B})$

5. Compute $\tiny \dpi{150} C=E_{a_{2}}(M\left | \right |h)$

6. Compute $\tiny \dpi{150} R=H_{4}(C,U,^{Q}ID_{A},^{Q}ID_{B})$

7. Compute $\tiny \dpi{150} V=^{S}ID_{A}+xRP_{pub}$

8. The resultant signcryption text (ciphertext) on message M is Ïƒ =(C,U,V)

Public Verify $\tiny \dpi{150} (\sigma ,^{Q}ID_{A},^{Q}ID_{B})$
1. The verifier first computes $\tiny \dpi{150} \bar{R}=H_{4}(C,U,^{Q}ID_{A},^{Q}ID_{B})$

2. If $\tiny \dpi{150} \hat{e}(P,V)=\hat{e}(P_{pub},^{Q}ID_{A}+\bar{R}U)$ then return â€œValidâ€. Otherwise, return â€œInvalidâ€.

Unsigncrypt $\tiny \dpi{150} (\sigma ,^{Q}ID_{A},^{Q}ID_{B},^{S}ID_{B})$
1. If public verifiability $\tiny \dpi{150} (\sigma ,^{Q}ID_{A},^{Q}ID_{B})\neq$ â€œValidâ€ output â€œInvalidâ€. Otherwise,

2. Compute $\tiny \dpi{150} {\hat{a}}'=\hat{e}(U,^{S}ID_{B})$

3. Compute $\tiny \dpi{150} {a}'_{2}=H_{2}({\hat{a}}')$

4. Compute $\tiny \dpi{150} M'\left | \right |h'=D_{a{_{2}}'}(C)$

5. Output $\tiny \dpi{150} \varphi =({M}',{h}',{\hat{a}}',\sigma )\: \: \mathrm{if}\: h=H_{3}(M,\hat{a},U,^{Q}ID_{A},^{Q}ID_{B})$ else, return â€œInvalidâ€.

TP-Verify $\tiny \dpi{150} (\varphi ,\sigma ,ID_{A},ID_{B})$
1. If Public Verify $\tiny \dpi{150} (\sigma ,^{Q}ID_{A},^{Q}ID_{B})\neq$ â€œValidâ€ output â€œInvalidâ€. Otherwise,

2. $\tiny \dpi{150} \bar{a}_{2}=H_{2}(\hat{a}')$

3. $\tiny \dpi{150} \bar{M}\left | \right |\bar{h}=D_{\bar{a_{2}}}(C)$

4. Accept Ïƒ and output â€œValidâ€ if $\tiny \dpi{150} \bar{h}=H_{3}(\bar{M},\hat{a}',U,^{Q}ID_{A},^{Q}ID_{B})$ and $\tiny \dpi{150} \bar{h}={h}'$ , Otherwise, â€œInvalidâ€.

Analysis of the Proposed ID-PVSC Scheme

In this section, we discuss the proof of correctness, security analysis and efficiency analysis of the proposed ID-PVSC scheme.

Proof of the Correctness

The following equations give the correctness of signature verification:

$\begin{matrix} \hat{e}(P,V)& =\hat{e}(P,^{S}ID_{A}+x\bar{R}P_{pub})\\ & \\ & =\hat{e}(sP,H_{1}(ID_{A})+x\bar{R}P)\\ & \\ & \hat{e}(P_{pub},^{Q}ID_{A}+\bar{R}U)\\ & \end{matrix}$

Correctness of

$\begin{matrix} \hat{a}':\hat{a}=\hat{e}(P_{pub},^{Q}ID_{B})^{x} & =\hat{e}(xP_{pub},^{Q}ID_{B})\\ & \\ & =\hat{e}(xP,s^{Q}ID_{B})\\ & \\ & =\hat{e}(U,^{S}ID_{B})=\hat{a}'\\ & \end{matrix}$ .

Security Analysis

In this section, we will formally prove the confidentiality and unforgeability of the proposed ID-PVSC scheme in the random oracle model.

Unforgeability of ID-PVSC Scheme

Theorem 1: The proposed ID-PVSC Scheme is unforgeable in the random oracle model with the assumption that the Computational Diffie-Hellman Problem is intractable.
Proof: Given a random instance $\tiny \dpi{150} (P,A=aP,B=bP)\in G_{1}$ of the computational Diffie-Hellmann problem (CDHP), where $\tiny \dpi{150} a,b\in Z_{q}^{*}$ . We are going to construct a probabilistic polynomial time turing machine âˆ† which use the attacker A as a subroutine in order to compute CDH solution abP in G₁. In the whole game, A will consult âˆ† for answers to the random oracles $\tiny \dpi{150} H_{1},H_{2},H_{3},H_{4}$ and âˆ† needs to maintain hash lists $\tiny \dpi{150} L_{1},L_{2},L_{3}$ and $\tiny \dpi{150} L_{4}$ that are initially empty and are used to keep track of answers to queries asked by A to oracle $\tiny \dpi{150} H_{1},H_{2},H_{3}$ and $\tiny \dpi{150} H_{4}$ . We assume that hash functions $\tiny \dpi{150} H_{1},H_{2},H_{3}$ and $\tiny \dpi{150} H_{4}$ were queried before signcryption.

â€¢ Setup: algorithm âˆ† sets $\tiny \dpi{150} P_{pub}=A=aP$ as public key of PKG and sends the system parameters to the attacker attacker A.

â€¢ Training Phase: during the signing phase, the adversary A is allowed to access the various oracles provided by âˆ†. A can get sufficient training before generating the forgery. The various oracles provided by âˆ† to A during training are as follows.

H₁-queries (O_H1(ID_i)): To respond H₁-queries, âˆ† maintains a hash list L₁ which consists of $\tiny \dpi{150} (ID,Q_{ID},d,T)$ . When A queries the oracle H₁ at point ID, âˆ† responses as follows:
1. If the query ID already exists in the list L₁, then âˆ† responses with $\tiny \dpi{150} H_{1}(ID)=Q_{ID}$ .

2. Otherwise, âˆ† picks a random number $\tiny \dpi{150} T\in \left \{ 0,1 \right \}$ . If T=0 then âˆ† computes $\tiny \dpi{150} Q_{ID}= dbP$ for a random $\tiny \dpi{150} d\in Z_{q}^{*}$ . If T=1 then âˆ† computes $\tiny \dpi{150} S_{ID}= dP$ for a random $\tiny \dpi{150} d\in Z_{q}^{*}$ . âˆ† adds the tuple $\tiny \dpi{150} (ID,Q_{ID},d,T)$ to the list L₁ and returns to A with $\tiny \dpi{150} H_{1}(ID)=Q_{ID}$ .

H₂â€¾queries $\tiny \dpi{150} (O_{H_{2}}(\hat{a}))$ : To respond H₂â€¾queries, âˆ† maintains a hash list L₂ which consists of $\tiny \dpi{150} (a_{2},\hat{a})$ When A makes a query $\tiny \dpi{150} \hat{a}$ , with input âˆ† responses as follows.
1. If the query ID already exists in the list L₂ then âˆ† responses with $\tiny \dpi{150} a_{2}=H_{2}(\hat{a})$ .

2. Otherwise, âˆ† picks a random number $\tiny \dpi{150} a_{2}\in Z_{q}^{*}$ to add the tuple $\tiny \dpi{150} (a_{2},\hat{a})$ to the list L₂ and responds to A with $\tiny \dpi{150} a_{2}=H_{2}(\hat{a})$ .

H₃â€¾queries $\tiny \dpi{150} (O_{H_{3}}(M,U,\hat{a},^{Q}ID_{A},^{Q}ID_{B}))$ : To respond H₃â€¾queries, âˆ† maintains a hash list L₃ which consists of $\tiny \dpi{150} (M,U,\hat{a},^{Q}ID_{A},^{Q}ID_{B})$ . When A queries the oracle H₃ at the point âˆ† $\tiny \dpi{150} (M,U,\hat{a},^{Q}ID_{A},^{Q}ID_{B})$ responses as follows.
1. If the query $\tiny \dpi{150} (M,U,\hat{a},^{Q}ID_{A},^{Q}ID_{B})$ already exists in L₃ then âˆ† returns r from L₃.

2. Otherwise, âˆ† picks a new random number $\tiny \dpi{150} r\in Z_{q}^{*}$ and add the tuple $\tiny \dpi{150} (M,U,\hat{a},^{Q}ID_{A},^{Q}ID_{B},r)$ to the list L₃ and responds to A with $\tiny \dpi{150} H_{3}(M,U,\hat{a},^{Q}ID_{A},^{Q}ID_{B},)=r$ .

H₄â€¾queries $\tiny \dpi{150} (O_{H_{4}}(C,U,^{Q}ID_{A},^{Q}ID_{B}))$ : To respond H₄â€¾queries, âˆ† maintains a hash list L₄ which consists of $\tiny \dpi{150} (C,U,^{Q}ID_{A},^{Q}ID_{B})$ , âˆ† responds as follows.
1. If $\tiny \dpi{150} (C,U,^{Q}ID_{A},^{Q}ID_{B},R)$ is available in the list L₄ then âˆ† retrieves R from the list L₄.

2. Otherwise âˆ† picks a new random number $\tiny \dpi{150} \hat{r}\in Z_{q}^{*}$ and sets $\tiny \dpi{150} R=\hat{r}$ to add the tuple $\tiny \dpi{150} (C,U,^{Q}ID_{A},^{Q}ID_{B},\hat{r},R)$ to the list L₄ and responds to A with $\tiny \dpi{150} H_{4}(C,U,^{Q}ID_{A},^{Q}ID_{B},\hat{r})=R$ .

Key Gen / Key Extract queries (O_Extract(ID)): When A submits an identity ID to the extract oracle, âˆ† recovers the corresponding (ID,T,d) entry from the list L₁.
1. If T=0, then âˆ† outputs â€˜failureâ€™ and halts, because it is unable to answer the query legitimately.

2. Otherwise, if T=1 it means that H₁(ID) was previously defined as $\tiny \dpi{150} dP\in G_{1}$ âˆ† computes $\tiny \dpi{150} S_{ID}=dP_{pub}=dA$ and returns to A.

Signcrypt Oracle (O_Signcrypt (M, IDA,

When A asks for Signcrypt query on a message M under the signerâ€™s identity IDA and the receivers identity ID_B âˆ† responses as follows: âˆ† generates the signcryption Ïƒ by doing the following computations.
1. Randomly choose $\tiny \dpi{150} \hat{r},x\in Z_{q}^{*}$ and sets $\tiny \dpi{150} U=xP-\hat{r}^{-1}Q_{ID_{A}}$ .

2. Sets $\tiny \dpi{150} a_{2}=H_{2}(\hat{a}=\hat{e}(U,S_{ID_{B}}))$ .

3. Computes $\tiny \dpi{150} C=E_{a_{2}}(M\square r)$ .

4. Sets $\tiny \dpi{150} R=O_{H_{4}}(C,U,Q_{ID_{A}},Q_{ID_{B}})=\hat{r}$ and

5. Compute $\tiny \dpi{150} V=x\hat{r}P_{pub}$ and stores $\tiny \dpi{150} (C,U,Q_{A},Q_{B},R)$ in the list L₄. Here it should be noted that if a similar entry exists in L₄, repeat the procedure by choosing different $\tiny \dpi{150} \hat{r}$ .

6. Finally send the ciphertext Ïƒ=(U,V,C) to A.
Correctness of V can be shown as follows:

$\begin{matrix} \hat{e}(P_{pub},Q_{ID_{A}}+RU) & =\hat{e}(P_{pub},Q_{ID_{A}}+\hat{r}(xP-\hat{r}^{-1}Q_{ID_{A}}))\\ & \\ & =\hat{e}(P_{pub},Q_{ID_{A}}+x\hat{r}P-Q_{ID_{A}})\\ & \\ & =\hat{e}(P,x\hat{r}P_{pub})\\ & \\ & =\hat{e}(P,V)\\ \end{matrix}$

Unsigncrypt Oracle (O_Unsigncrypt (Ïƒ,ID

When A makes an unsigncrypt query with a senderâ€™s identity ID_A, a recipientâ€™s identity ID_B, and a ciphertext (U,V,C), D follows the steps below.
1. First, obtain the secret $\tiny \dpi{150} S_{ID_{B}}$ key of the recipient by key extraction algorithm.

2. Then, check whether the signcryption or ciphertext (U,V,C) is valid by the recipientâ€™s secret key and returns the corresponding output $\tiny \dpi{150} \varphi (M',h',\hat{a}',\sigma )$ .

TP-Verify Oracle (O_TP-Verify (Ïƒ,IDA,ID

When A makes query with Ïƒ as input âˆ† performs the following:
âˆ† does the computations as given in unsigncrypt oracle and returns $\tiny \dpi{150} \varphi (\sigma ,M',\hat{a}',Q_{ID_{A}},Q_{ID_{B}})$ if Ïƒ is valid, else, return â€œInvalidâ€.

Output

Finally, A outputs a forgery Ïƒ*=(U*,V*,C*) under the signerâ€™s identity $\tiny \dpi{150} ID_{A}^{*}$ and the recipientâ€™s identity $\tiny \dpi{150} ID_{B}^{*}$ . Then âˆ† checks $\tiny \dpi{150} ID_{A}^{*}$ in the list L₁. If in $\tiny \dpi{150} T_{A}^{*}\neq 0$ the list L₁. Then âˆ† outputs failure and stops. Otherwise, the forgery is successful. By Forking lemma, after replaying A with the same random tape, âˆ† can obtain another signcryption text $\tiny \dpi{150} \sigma _{1}^{*}(C_{1}^{*},U_{1}^{*},V_{1}^{*})$ . For the two signcryption texts Ïƒ* and $\tiny \dpi{150} \sigma _{1}^{*}$ they satisfy the following relations: $\tiny \dpi{150} V^{*}=S_{ID_{A}^{*}}+x^{*}R^{*}P_{pub}$ and $\tiny \dpi{150} V_{1}^{*}=S_{ID_{A}^{*}}+x^{*}R_{1}^{*}P_{pub}$ . Then we have $\tiny \dpi{150} R_{1}^{*}V^{*}-R^{*}V_{1}^{*}=(R_{1}^{*}-R^{*})S_{ID_{A}^{*}}=(R_{1}^{*}-R^{*})d^{*}abP$ . Thus we can solve the CDH problem as $\tiny \dpi{150} R_{1}^{*}V^{*}-R^{*}V_{1}^{*}=(R_{1}^{*}-R^{*})S_{ID_{A}^{*}}=(R_{1}^{*}-R^{*})d^{*}abP abP=\frac{R_{1}^{*}V^{*}-R^{*}V_{1}^{*}}{(R_{1}^{*}-R^{*})d^{*}}$ .

Confidentiality of ID-PVSC Scheme

Theorem 2: The proposed ID-PVSC Scheme satisfies the confidentiality property in the random oracle model with the assumption that the Computational Bilinear Diffie-Hellman Problem is intractable.
Proof: For proving the confidentiality of the ID-PVSC scheme, A is allowed to interact with âˆ†, as given in section 3. Assume that the challenger âˆ† is provided with the CBDHP instance $\tiny \dpi{150} P,\bar{a}P,\bar{b}P,\bar{c}P$ from G₁ and is supposed to generate the solution $\tiny \dpi{150} \hat{e}(P,P)^{\bar{a}\bar{b}\bar{c}}\in G_{2}$ . Assume that there exists an algorithm A (adversary), capable of breaking ID-PVSC-CCA2 security of the scheme in polynomial time âˆ† can make use of A to find the solution for the CBDHP instance.

Setup: In order to provide the system parameters to A, âˆ† uses the CBDHP instance to cook up the system parameters as given below:
Choose G₁, G₂ as the underlying group and P as the generator of G₁. Choose $\tiny \dpi{150} P_{pub}=\bar{a}P$ . Publishes $\tiny \dpi{150} < G_{1},G_{2},q,P,P_{pub}>$ âˆ† also maintains lists L₁,L₂,L₃,L₄, and L_Sign, consistency in giving the responses to the queries made by A to various oracles.

Phase-I: During phase-I of training, the adversary A is allowed to access the various oracles provided by âˆ†. A can get sufficient training before taking up the challenge. The various oracles provided by âˆ† to A during Phase-I are similar to the oracles described in training phase of unforgeability proof.

Challenge Phase: At the end of the phase-1 interaction A picks two messages 0,M₁>of equal length, the sender identity ID_A and the receiver identity ID_B, and submits to âˆ†. On getting this, âˆ† chooses a random bit $\tiny \dpi{150} \delta \in \left \{ 0,1 \right \}$ and generates the signcryption on mÎ´ as follows.

â€¢ Chooses a random $\tiny \dpi{150} \hat{r}\in Z_{q}^{*}$ sets and $\tiny \dpi{150} R^{*}=\hat{r}$ .

â€¢ Picks a random $\tiny \dpi{150} C^{*}\in _{R}\left \{ 0,1 \right \}^{*}$ .

â€¢ Stores the tuple $\tiny \dpi{150} (C^{*},U^{*},R^{*},Q_{ID_{A}},Q_{ID_{B}})$

â€¢ Computes $\tiny \dpi{150} V^{*}=\hat{R}\bar{C}P_{pub}+S_{ID_{A}}$ . This is equivalent to $\tiny \dpi{150} V^{*}=R^{*}\bar{C}P_{pub}+S_{ID_{A}}$ .

â€¢ Sets $\tiny \dpi{150} \sigma ^{*}=(U^{*},V^{*},C^{*})$ .

âˆ† provides Ïƒ* as the challenge signcryption to A.

Phase-II: Now, A Interacts with âˆ† as in Phase-I, but with the following restrictions:
• A should not query the private key corresponding to ID_B to the extract oracle.
• A should not query the unsigncryption of Ïƒ* with ID_A as a sender and ID_B as receiver.
• A should not query for the third party verification of Ïƒ* with ID_A as a sender and IDB as receiver.
Here, it should be noted that for getting the message MÎ´ from Ïƒ*, A should have queried H₂ or H₃ oracle. If A has H₂ or H₃ oracle, then it leaves an entry $\tiny \dpi{150} (\hat{a}^{*},a_{2})$ in list L₂, where $\tiny \dpi{150} \hat{a}^{*}=\hat{e}(U,S_{ID_{B}})=\hat{e}(\bar{c}P,\bar{a}\bar{b}P)=\hat{e}(P,P)^{\bar{a}\bar{b}\bar{c}}$ . If A has queried the H₃ oracle, then A should have computed $\tiny \dpi{150} \hat{a}^{*}=\hat{e}(P,P)^{\bar{a},\bar{b},\bar{c}}$ . This leaves an entry $\tiny \dpi{150} (M,U,\hat{a}^{*},Q_{ID_{A}},Q_{ID_{B}},r)$ in the list L₃. Therefore, on receiving Aâ€™s response, âˆ† ignores the result and picks an from the list L₂ or L₃ and returns it as the solution to the CBDHP instance.

Efficiency Analysis of ID-PVSC Scheme

We compare the major computational costs and communication overhead (the length of the ciphertext) of our ID-PVSC scheme with those of Chow et al. scheme [7] , Selvi et al. scheme [11] , and Prashant Kushwah et al. scheme [12] in the [Table-1] . We consider only the costly operations which includes point scalar multiplications in G₁ (mul in G₁), exponentiation in G₂ (exp in G₂), and pairing operations (P).
In case of computational efficiency, our scheme needs 3 pairing operations as well as in scheme [12] . But the schemes in [7,11] needs 4 pairing operations. Since the pairing computation is the most time consuming, the proposed scheme is more efficient than the schemes [7] and [11] . The size of the ciphertext in our scheme is 2|G₁|+|M|, which is same as in the schemes [7,11] and is less than the size of the ciphertext in the scheme [12] . Thus, our scheme has less computational overhead than Chow et al., Selvi et al. schemes and lower communication overhead than the Prashant Kushwah et al. scheme [12] .

Conclusion

We have proposed a new ID-based signcryption scheme with public verifiability and third party verification. This scheme uses the bilinear pairings over elliptic curves. We have proved that our scheme satisfies the confidentiality and the unforgeability in the random oracle model with the assumption that CBDHP and CDHP computationally hard. Our scheme is efficient in terms of computational cost when compared with Chow et al., and Selvi et al., schemes and has lower communication overhead when compared with Prashant Kushwah scheme.

References

[1] Zheng Y. (1997) Advances in Cryptology, CRYPTO, 1294, 165-179.
» CrossRef » Google Scholar » PubMed » DOAJ » CAS » Scopus

[2] Baek J., Steinfeld R. and Zheng Y. (2002) Public Key Cryptography, 2274, 80-98.
» CrossRef » Google Scholar » PubMed » DOAJ » CAS » Scopus

[3] Shamir A. (1985) Advances in Cryptology, CRYPTO, 196, 47-53.
» CrossRef » Google Scholar » PubMed » DOAJ » CAS » Scopus

[4] Boneh D. and Franklin M. (2001) Advances in Cryptology, CRYPTO, 2139, 213-229.
» CrossRef » Google Scholar » PubMed » DOAJ » CAS » Scopus

[5] Malone-Lee J. (2002) Cryptology e-Print Archive, Report 2002/098.
» CrossRef » Google Scholar » PubMed » DOAJ » CAS » Scopus

[6] Libert B. and Quisquater J.J. (2003) IEEE Information Theory Workshop, 155-158.
» CrossRef » Google Scholar » PubMed » DOAJ » CAS » Scopus

[7] Chow S.S.M., Yiu S.M., Hui L.C.K and Chow K.P. (2003) 6th International Conference Information Security and Cryptology, 2971, 352-369.
» CrossRef » Google Scholar » PubMed » DOAJ » CAS » Scopus

[8] Boyen X. (2003) 23rd Annual International Cryptology Conference, CRYPTO, California, USA, 2729, 383-399.
» CrossRef » Google Scholar » PubMed » DOAJ » CAS » Scopus

[9] Chen L. and Malone-Lee (2005) Public Key Cryptography, 3386, 362-379.
» CrossRef » Google Scholar » PubMed » DOAJ » CAS » Scopus

[10] Barreto P.S.L.M., Libert B., McCullagh N. and Quisquater J.J. (2005) Advances in Cryptology, ASIACRYPT, 3788, 515-532.
» CrossRef » Google Scholar » PubMed » DOAJ » CAS » Scopus

[11] Selvi S.S.D., Vivek S.S. and Rangan C.P. (2010) Prov. Sec. 4th International Conference, 6402, 244-260.
» CrossRef » Google Scholar » PubMed » DOAJ » CAS » Scopus

[12] Prashant K. and Lal S. (2011) International Journal Of Computer Science & Technology, 2(3), 513-518.
» CrossRef » Google Scholar » PubMed » DOAJ » CAS » Scopus

[13] Gorantla M.C., Gangi Setti R. and Saxena A. (2005) Cryptology e-print Archive, Report 2005/094.
» CrossRef » Google Scholar » PubMed » DOAJ » CAS » Scopus

Images

Table 1- Computation and Communication overheads of the proposed ID-PVSC scheme

Licence

ISSN & EISSN

Scan QR Code

Journal Details

Special Issues

Publishing Ethics

Share

AN EFFICIENT ID-BASED PUBLIC VERIFIABLE SIGNCRYPTION SCHEME

Translate Article

Article Category

Article Statistics

Downloads

Citations

Cited By

Cite

Import Cite

Share

Related Article

Google Scholar

PubMed