Elsevier

Information Sciences

Volume 180, Issue 3, 1 February 2010, Pages 452-464

Certificateless signcryption scheme in the standard model

https://doi.org/10.1016/j.ins.2009.10.011

Abstract

Certificateless signcryption is an important cryptographic primitive. Barbosa and Farshim proposed a certificateless signcryption scheme. However, their construction is proven secure only in the random oracle model, not in the standard model, and the scheme is also vulnerable to malicious-but-passive key generation center (KGC) attacks. To overcome these disadvantages, we introduce a formal security model for certificateless signcryption schemes secure against malicious-but-passive KGC attacks and propose a novel certificateless signcryption scheme. The proposed scheme is proven IND-CCA2 secure under the decisional Bilinear Diffie–Hellman intractability assumption without random oracles, and existentially unforgeable under the computational Diffie–Hellman intractability assumption. Furthermore, performance analysis shows that the proposed scheme is efficient and practical.

Introduction

Public key cryptography is an important technique for realizing network and information security. A traditional public key infrastructure requires a trusted certification authority to issue a certificate binding the identity and the public key of an entity, which gives rise to the problem of certificate management. To solve this problem, Shamir defined a new public key paradigm called identity-based public key cryptography [27]. However, identity-based public key cryptography needs a trusted KGC to generate the private key of an entity from its identity, so we are confronted with the key escrow problem. Fortunately, both problems can be avoided by certificateless public key cryptography (CL-PKC) [1], which can be viewed as an intermediate between traditional public key infrastructure and identity-based cryptography.

In public key cryptography, when we want to achieve both encryption and signature security goals, the traditional approach is to sign a message and then encrypt the signed message. In 1997, Zheng [36] proposed a cryptographic primitive called signcryption, which achieves the security objectives of encryption and signature simultaneously. Hence, signcryption schemes have a lower computational cost and communication overhead than the sign-then-encrypt approach. In [36], Zheng also gave a concrete signcryption scheme based on the discrete logarithm problem, but did not formalize the security notions for signcryption; these were systematically studied by An et al. [2]. Furthermore, Malone-Lee [25] proposed the concept of identity-based signcryption and defined a security model dealing with the notions of privacy and unforgeability. For more details of identity-based signcryption, we refer readers to [8], [12], [20].

Since certificateless public key cryptography [1] was introduced in 2003, most existing schemes have dealt only with certificateless encryption (CLE) (e.g. [6], [14], [21], [24], [34]) and certificateless signature (CLS) (e.g. [11], [13], [16], [17], [18], [28], [30], [35]). As far as the authors know, there is only one certificateless signcryption (CLSC) scheme, proposed by Barbosa and Farshim [4]. However, the provable security of their scheme was obtained in the random oracle model [5]. Provable security is one of the basic requirements for public key cryptography, and as shown in [10], a proof in the random oracle model serves only as a heuristic argument and does not necessarily imply security of the real implementation. Hence, the certificateless signcryption scheme in [4] is not necessarily secure in practice. Many papers have therefore considered how to construct schemes that are provably secure without random oracles (i.e. in the standard model); for more details of the standard model, we refer readers to [7], [9], [15], [22], [23], [26], [29], [31], [33].

A security model called the Type II model is formalized in existing certificateless cryptographic schemes. However, Au et al. [3] pointed out that, in the Type II model, a malicious-but-passive KGC can break most certificateless cryptographic schemes by embedding extra trapdoors in the system parameters. As noted in [4], it is an open problem to find a certificateless signcryption scheme that can be proven secure against a malicious-but-passive KGC in the Type II model. Some cryptographic schemes secure against malicious-but-passive KGC attacks have been constructed, for example Hwang et al.'s improvement [19] of Dent et al.'s certificateless encryption scheme [15] and Xiong et al.'s modification [32] of Liu et al.'s certificateless signature scheme [22]. It therefore remains an interesting problem to construct a certificateless signcryption scheme secure against malicious-but-passive KGC attacks.

The contributions of the paper are as follows. Firstly, we extend the security notions of identity-based signcryption schemes to the more complex certificateless setting, considering both Type I and Type II (i.e. malicious-but-passive KGC) adversaries. Secondly, we develop a certificateless signcryption scheme based on Waters' identity-based encryption scheme [31] and its variants [15], [19], [22], [32]. Our scheme is proven semantically secure against Type I and Type II attackers under the decisional Bilinear Diffie–Hellman assumption, and existentially unforgeable against Type I and Type II attackers under the computational Diffie–Hellman assumption. Furthermore, the proposed scheme achieves insider security and resists malicious-but-passive KGC attacks. Performance analysis shows that the proposed certificateless signcryption scheme is efficient and practical.

The rest of this paper is organized as follows: some preliminaries are presented in Section 2. The formal security model for certificateless signcryption scheme is described in Section 3. The proposed certificateless signcryption scheme is detailed in Section 4. We analyze the proposed scheme in Section 5. Finally, some concluding remarks are given in Section 6.


Preliminaries

In this section, we briefly review bilinear maps and some complexity assumptions. Let $G$ and $G_T$ be two cyclic multiplicative groups of prime order $p$, and let $g$ be a generator of $G$. A bilinear map is a map $e: G \times G \to G_T$ satisfying the following properties:

  • (1) Bilinearity: $e(g^a, h^b) = e(g, h)^{ab}$ for all $a, b \in \mathbb{Z}_p$ and $g, h \in G$.

  • (2) Non-degeneracy: $e(g, h) \neq 1_{G_T}$ whenever $g, h \neq 1_G$.

  • (3) Computability: $e(g, h)$ is efficiently computable for all $g, h \in G$.

Typical admissible bilinear maps are obtained from a modification of the Weil pairing or
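To make the three properties concrete, here is a toy symmetric pairing in Python. It is an added illustration, not code from the paper or its authors, and its parameters are assumptions chosen for hand-checkable arithmetic: $G$ is taken as the additive group $(\mathbb{Z}_p, +)$ written multiplicatively (so $g^a$ is just the integer $a \bmod p$), $G_T$ is the order-$p$ subgroup of $\mathbb{Z}_q^*$ with $q = 2p + 1$, and $e(x, y) = h^{xy \bmod p}$. The block checks bilinearity and non-degeneracy, then shows two things the definition alone does not: the pairing decides DDH in $G$ (true in any bilinear group, which is why this paper assumes DBDH and CDH rather than DDH), and in this toy the exponents can be read straight off the group elements, so DBDH is trivially solvable. The hardness a real scheme relies on comes only from instantiating $G$ on an elliptic curve, as the Weil pairing does.

```python
import secrets

# Added toy example (not the paper's scheme). Parameters are assumptions: p and
# q = 2p + 1 are both prime, so the squares in Z_q^* form a cyclic subgroup of
# prime order p, which we use as G_T.
P = 1019
Q = 2 * P + 1            # 2039, prime
H = 4                    # 2^2 mod q, a generator of the order-p subgroup G_T

# G is the additive group (Z_p, +) written multiplicatively: the element "g^a" is
# the integer a mod p itself, so discrete logs in G are free. That is exactly why
# this toy has no security; it only reproduces the algebra of a bilinear map.
G_ID = 0                 # identity 1_G
G_GEN = 1                # generator g
GT_ID = 1                # identity 1_{G_T}

def g_exp(x, a):
    """x^a in G."""
    return (x * a) % P

def g_mul(x, y):
    """x * y in G."""
    return (x + y) % P

def gt_exp(t, a):
    """t^a in G_T."""
    return pow(t, a, Q)

def pairing(x, y):
    """e : G x G -> G_T,  e(x, y) = H^(x*y mod p) mod q."""
    return pow(H, (x * y) % P, Q)

def check_bilinearity(trials=200):
    """Property (1): e(x^a, y^b) == e(x, y)^(ab) on random elements and exponents."""
    for _ in range(trials):
        x, y, a, b = (secrets.randbelow(P) for _ in range(4))
        if pairing(g_exp(x, a), g_exp(y, b)) != gt_exp(pairing(x, y), a * b):
            return False
    return True

def check_non_degeneracy():
    """Property (2): e(x, y) != 1 whenever x, y != 1_G. Since p is prime, x*y mod p
    is nonzero for nonzero x, y, and H has order p, so H^(x*y) != 1. Checked
    exhaustively in y for a few x, plus the degenerate cases with the identity."""
    nonzero = all(pairing(x, y) != GT_ID for x in (1, 2, P - 1) for y in range(1, P))
    identity = pairing(G_ID, 5) == GT_ID and pairing(5, G_ID) == GT_ID
    return nonzero and identity

def ddh_in_g(ga, gb, gc):
    """Decide whether (g, g^a, g^b, g^c) is a Diffie-Hellman tuple using only the
    pairing: e(g^a, g^b) = e(g, g)^(ab) equals e(g, g^c) = e(g, g)^c iff c = ab mod p.
    This works in every bilinear group, so DDH in G is easy; pairing-based schemes
    therefore rest on CDH and DBDH instead."""
    return pairing(ga, gb) == pairing(G_GEN, gc)

def dbdh_instance(real):
    """Build a DBDH challenge (g^a, g^b, g^c, T): T = e(g, g)^(abc) if real, else an
    element of G_T guaranteed to differ from e(g, g)^(abc)."""
    a, b, c = (1 + secrets.randbelow(P - 1) for _ in range(3))
    ga, gb, gc = g_exp(G_GEN, a), g_exp(G_GEN, b), g_exp(G_GEN, c)
    z = a * b * c if real else a * b * c + 1 + secrets.randbelow(P - 1)
    return ga, gb, gc, gt_exp(pairing(G_GEN, G_GEN), z)

def solve_dbdh_toy(ga, gb, gc, t):
    """Here the exponents are the elements (g = 1, so g^a == a), and a 'solver'
    simply reads a, b, c off the instance. In a real pairing group over an elliptic
    curve this is the DBDH problem, which the paper assumes intractable."""
    a, b, c = ga, gb, gc
    return t == gt_exp(pairing(G_GEN, G_GEN), a * b * c)

if __name__ == "__main__":
    print("bilinearity:", check_bilinearity())
    print("non-degeneracy:", check_non_degeneracy())
    print("DDH (7, 11, 77) is a DH tuple:", ddh_in_g(7, 11, 77))
    print("DBDH real instance solved:", solve_dbdh_toy(*dbdh_instance(True)))
    print("DBDH random instance rejected:", not solve_dbdh_toy(*dbdh_instance(False)))
```

The point of `ddh_in_g` is the practical one: once a pairing exists on $G$, any scheme whose security reduced to DDH in $G$ is broken by a single pairing evaluation, so the assumptions named in the abstract (DBDH for confidentiality, CDH for unforgeability) are the right ones to demand from a pairing group.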

Formal model of certificateless signcryption

The notion of a certificateless signcryption scheme was defined by Barbosa and Farshim [4]. A generic certificateless signcryption scheme consists of the following algorithms:

  • Setup: This algorithm takes as input a security parameter k and returns params (system parameters) and a randomly chosen master secret key msk. After the algorithm is performed, the KGC publishes the system parameters params and keeps the master key msk secret.

  • Partial-Private-Key-Extract: This algorithm takes as input

The proposed certificateless signcryption scheme

In this section, we propose a certificateless signcryption scheme that is secure against malicious-but-passive KGC attacks in the standard model. The scheme involves three parties: a KGC, a sender with identity $u_S$ and a receiver with identity $u_R$. In the following, all identities are assumed to be bit strings of length $n$. Our scheme is obtained by modifying the certificateless schemes of [15], [19], [22], [32] and consists of the following algorithms.

  • Setup: Let $(G, G_T)$ be

Analysis of the proposed scheme

In this section we state the security results for the certificateless signcryption scheme under the definition of Section 3, including the correctness, the proof of security and the performance.

Conclusions

We introduced a strengthened security model for certificateless signcryption, considered the malicious-but-passive KGC attacks, and proposed a certificateless signcryption scheme which is provably secure against Type I and Type II (a malicious-but-passive KGC) adversaries in the standard model. Furthermore, performance analysis shows that the proposed scheme is efficient. As far as the authors know, the proposed certificateless signcryption scheme is the first scheme in the public key

Acknowledgements

The authors thank the anonymous reviewers and Dr. Fagen Li, Dr. Baocang Wang for their valuable comments. The authors also thank the Editor-in-Chief for pointing out some linguistic problems. This research was supported by the National Natural Science Foundation of China under Grants 60673072, 60803149 and 60970119, and the National Basic Research Program (973 Program) of China under Grant 2007CB311201.

References (36)

  • M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in: D. Denning et...
  • K. Bentahar et al., Generic constructions of identity-based and certificateless KEMs, Journal of Cryptology (2008)
  • D. Boneh, X. Boyen, Efficient selective-id secure identity based encryption without random oracles, in: C. Cachin, J....
  • X. Boyen, Multipurpose identity based signcryption: a swiss army knife for identity based cryptography, in: D. Boneh...
  • R. Canetti, S. Halevi, J. Katz, A forward-secure public-key encryption scheme, in: E. Biham (Ed.), Advances in...
  • R. Canetti et al., The random oracle methodology, revisited, Journal of the ACM (2004)
  • R. Castro, R. Dahab, Two notes on the security of certificateless signatures, in: W. Susilo, J.K. Liu, Y. Mu. (Eds.),...
  • L. Chen, J. Malone-Lee, Improved identity-based signcryption, in: S. Vaudenay (Ed.), Proceedings of the Eighth...