Certificateless signcryption scheme in the standard model
Introduction
Public key cryptography is an important technique for realizing network and information security. Traditional public key infrastructure requires a trusted certification authority to issue a certificate binding the identity and the public key of an entity. Hence, the problem of certificate management arises. To solve this problem, Shamir defined a new public key paradigm called identity-based public key cryptography [27]. However, identity-based public key cryptography needs a trusted KGC to generate a private key for an entity from its identity, so we are confronted with the key escrow problem. Fortunately, both problems of traditional public key infrastructure and identity-based public key cryptography can be avoided by introducing certificateless public key cryptography (CL-PKC) [1], which can be conceived as an intermediate between traditional public key infrastructure and identity-based cryptography.
In public key cryptography, when we want to realize both encryption and signature security goals, we need to sign a message and then encrypt the signature. In 1997, Zheng [36] proposed a cryptographic primitive called signcryption. A signcryption scheme can realize the security objectives of encryption and signature simultaneously. Hence, signcryption schemes have a lower computational cost and communication overhead than the sign-then-encrypt approach. In [36], Zheng also gave a concrete signcryption scheme based on the discrete logarithm problem, but failed to formalize the security notions for signcryption schemes. The properties of signcryption schemes were systematically studied by An et al. [2]. Furthermore, Malone-Lee [25] proposed the concept of identity-based signcryption, and defined a security model dealing with the notions of privacy and unforgeability. For more details of identity-based signcryption, we refer readers to the papers [8], [12], [20].
Since the certificateless public key cryptography [1] was introduced in 2003, most of the existing schemes only deal with certificateless encryption (CLE) (e.g. [6], [14], [21], [24], [34]) and certificateless signature (CLS) (e.g. [11], [13], [16], [17], [18], [28], [30], [35]). As far as the authors know, there is only one certificateless signcryption (CLSC) scheme proposed by Barbosa and Farshim [4]. However, the provable security goals of their scheme were obtained by considering the random oracle model [5]. It is well known that provable security is one of the basic requirements for public key cryptography. As shown in [10], a proof in the random oracle model can only serve as a heuristic argument and does not necessarily imply the security in the real implementation. Hence, the certificateless signcryption scheme in [4] is not necessarily practically secure. Moreover, many papers have considered how to construct schemes that are provably secure without using the random oracles (or in the standard model). For more details of the standard model, we refer readers to the papers [7], [9], [15], [22], [23], [26], [29], [31], [33].
A security model called the Type II security model has been formalized for the existing certificateless cryptographic schemes. However, Au et al. [3] pointed out that in the Type II security model, malicious-but-passive KGCs can break most certificateless cryptographic schemes by embedding extra trapdoors in the system parameters. As noticed in [4], it is an open problem to find a certificateless signcryption scheme which can be proven secure against a malicious-but-passive KGC in the Type II security model. Fortunately, some cryptographic schemes secure against malicious-but-passive KGC attacks have been constructed, for example, Hwang et al.’s improvement [19] on Dent et al.’s certificateless encryption scheme [15], and Xiong et al.’s modification [32] of Liu et al.’s certificateless signature scheme [22]. However, it remains an interesting problem to construct a certificateless signcryption scheme secure against malicious-but-passive KGC attacks.
The contributions of the paper are listed below. Firstly, we extend the security notions of identity-based signcryption schemes to the more complex certificateless setting, and consider both Type I and Type II (i.e. malicious-but-passive KGC) adversaries. Secondly, we develop a certificateless signcryption scheme based on Waters’ identity-based encryption scheme [31] and its variants [15], [19], [22], [32]. Our scheme is proven to be semantically secure against Type I and Type II attackers under the decisional Bilinear Diffie–Hellman assumption, and existentially unforgeable against Type I and Type II attackers under the computational Diffie–Hellman assumption. Furthermore, the proposed scheme achieves insider security and resists malicious-but-passive KGC attacks. Performance analysis shows that the proposed certificateless signcryption scheme is efficient and practical.
The rest of this paper is organized as follows: some preliminaries are presented in Section 2. The formal security model for certificateless signcryption scheme is described in Section 3. The proposed certificateless signcryption scheme is detailed in Section 4. We analyze the proposed scheme in Section 5. Finally, some concluding remarks are given in Section 6.
Preliminaries
In this section, we briefly review bilinear maps and some complexity assumptions. Let and be two cyclic multiplicative groups of prime order p, and g be a generator of . A bilinear map is a map satisfying the following properties:
- (1) Bilinearity: for all and .
- (2) Non-degeneracy: whenever .
- (3) Computability: is efficiently computable for all .
Typical admissible bilinear maps are obtained from a modification of the Weil pairing or
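As an added illustration (not code from the paper), the block below implements one admissible bilinear map of the kind referred to above: the reduced Tate pairing on the supersingular curve y^2 = x^3 + x over F_p with the distortion map (x, y) -> (-x, i*y), and checks properties (1) and (2) on it. The prime p = 43, the subgroup order r = 11, and all function names are constructed toy choices for this example, not parameters of the proposed scheme.

```python
# Toy reduced Tate pairing on the supersingular curve y^2 = x^3 + x over F_p (p = 3 mod 4),
# distortion map phi(x, y) = (-x, i*y) with i^2 = -1 in F_{p^2}. Constructed toy parameters.
P_MOD, R_ORDER = 43, 11             # r = 11 divides #E(F_p) = p + 1 = 44
COFACTOR = (P_MOD + 1) // R_ORDER
def f2_mul(u, v):                   # F_{p^2} elements are pairs (a, b) = a + b*i
    (a, b), (c, d) = u, v
    return ((a*c - b*d) % P_MOD, (a*d + b*c) % P_MOD)
def f2_pow(u, e):
    res = (1, 0)
    while e:
        if e & 1: res = f2_mul(res, u)
        u, e = f2_mul(u, u), e >> 1
    return res
def slope(P, Q):                    # chord slope, or tangent slope when P == Q
    (x1, y1), (x2, y2) = P, Q
    if P == Q: return (3*x1*x1 + 1) * pow(2*y1, -1, P_MOD) % P_MOD
    return (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
def ec_add(P, Q):                   # affine addition; None is the point at infinity
    if P is None or Q is None: return Q if P is None else P
    if P[0] == Q[0] and (P[1] + Q[1]) % P_MOD == 0: return None
    lam = slope(P, Q); x3 = (lam*lam - P[0] - Q[0]) % P_MOD
    return (x3, (lam*(P[0] - x3) - P[1]) % P_MOD)
def ec_mul(k, P):
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == '1': R = ec_add(R, P)
    return R
def line_eval(T, P, Qd):
    # Line through T and P (tangent if T == P) at phi(Q) = (Qd[0], i*Qd[1]); a vertical
    # line takes an F_p value that the final exponentiation kills, so it counts as 1.
    if T[0] == P[0] and (T[1] + P[1]) % P_MOD == 0: return (1, 0)
    lam = slope(T, P)
    return ((-T[1] - lam*(Qd[0] - T[0])) % P_MOD, Qd[1] % P_MOD)
def tate_pairing(P, Q):
    # Miller loop over the bits of r, then e(P, Q) = f_{r,P}(phi(Q))^((p^2-1)/r).
    Qd, f, T = ((-Q[0]) % P_MOD, Q[1]), (1, 0), P
    for bit in bin(R_ORDER)[3:]:
        f, T = f2_mul(f2_mul(f, f), line_eval(T, T, Qd)), ec_add(T, T)
        if bit == '1': f, T = f2_mul(f, line_eval(T, P, Qd)), ec_add(T, P)
    return f2_pow(f, (P_MOD * P_MOD - 1) // R_ORDER)
def find_generator():               # first curve point, cofactor-cleared into the order-r subgroup
    for x in range(1, P_MOD):
        rhs = (x**3 + x) % P_MOD
        if pow(rhs, (P_MOD - 1) // 2, P_MOD) == 1:
            P = ec_mul(COFACTOR, (x, pow(rhs, (P_MOD + 1) // 4, P_MOD)))
            if P is not None: return P
def check_bilinear(a, b):           # property (1): e(aP, bP) == e(P, P)^(ab)
    P = find_generator()
    return tate_pairing(ec_mul(a, P), ec_mul(b, P)) == f2_pow(tate_pairing(P, P), a * b)
```

Because r is prime and e(P, P) is a non-trivial r-th root of unity, the same check also exhibits property (2); vertical-line denominators are dropped (denominator elimination), which is valid here because the x-coordinate of phi(Q) lies in F_p.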
Formal model of certificateless signcryption
The notion of a certificateless signcryption scheme was defined by Barbosa and Farshim [4]. A generic certificateless signcryption scheme consists of the following algorithms:
Setup: This algorithm takes as input a security parameter k and returns params (system parameters) and a randomly chosen master secret key msk. After the algorithm is performed, the KGC publishes the system parameters params and keeps the master key msk secret.
Partial-Private-Key-Extract: This algorithm takes as input
The proposed certificateless signcryption scheme
In this section, we propose a certificateless signcryption scheme secure against malicious-but-passive KGC attacks in the standard model. The proposed scheme involves three parties: a KGC, a sender with an identity and a receiver with an identity . In the following, all the identities will be assumed to be bit strings of length n. Our scheme is obtained from the modification of the certificateless schemes [15], [19], [22], [32] and consists of the following algorithms.
Setup: Let be
Analysis of the proposed scheme
In this section we state the security results for the certificateless signcryption scheme under the definition of Section 3, including the correctness, the proof of security and the performance.
Conclusions
We introduced a strengthened security model for certificateless signcryption, considered the malicious-but-passive KGC attacks, and proposed a certificateless signcryption scheme which is provably secure against Type I and Type II (a malicious-but-passive KGC) adversaries in the standard model. Furthermore, performance analysis shows that the proposed scheme is efficient. As far as the authors know, the proposed certificateless signcryption scheme is the first scheme in the public key
Acknowledgements
The authors thank the anonymous reviewers and Dr. Fagen Li, Dr. Baocang Wang for their valuable comments. The authors also thank the Editor-in-Chief for pointing out some linguistic problems. This research was supported by the National Natural Science Foundation of China under Grants 60673072, 60803149 and 60970119, and the National Basic Research Program (973 Program) of China under Grant 2007CB311201.
References (36)
- Certificateless undeniable signature scheme, Information Sciences (2008).
- Certificateless threshold cryptosystem secure against chosen-ciphertext attack, Information Sciences (2007).
- Breaking the short certificateless signature scheme, Information Sciences (2009).
- Secure public-key encryption scheme without random oracles, Information Sciences (2008).
- Simulatability and security of certificateless threshold signatures, Information Sciences (2007).
- Identity based signcryption scheme without random oracles, Computer Standards and Interfaces (2009).
- S.S. Al-Riyami, K.G. Paterson, Certificateless public key cryptography, in: C.S. Laih (Ed.), Advances in...
- J.H. An, Y. Dodis, T. Rabin, On the security of joint signature and encryption, in: L.R. Knudsen (Ed.), Advances in...
- M. Au, J. Chen, J. Liu, Y. Mu, D. Wong, G. Yang, Malicious KGC attacks in certificateless cryptography, in: R. Deng, P....
- M. Barbosa, P. Farshim, Certificateless signcryption, in: M. Abe, V. Gligor (Eds.), Proceedings of the 2008 ACM...
- Generic constructions of identity-based and certificateless KEMs, Journal of Cryptology.
- The random oracle methodology, revisited, Journal of the ACM.