Available online at www.sciencedirect.com

SciVerse ScienceDirect

Physics Procedía 33 (2012) 962 - 967

2012 International Conference on Medical Physics and Biomedical Engineering

Certificateless Generalized Signcryption

Huifang Ji,Wenbao Han,Long Zhao

ZhengZhou Information Science and Technology Institute,,Zhengzhou, 450002, China huifangji@126.com, wb.han@263.net, zhaolong_email@sohu.com

Abstract

Generalized Signcryption is a fresh cryptographic primitive that not only can obtain encryption and signature in a single operation, but also provide encryption or signature model alone when needed. This paper proposed a formal definition of certificateless generalized signcryption(CLGSC), then provide the security model of CLGSC. A concrete CLGSC scheme is also given in this paper.

© 2012 Published by Elsevier B.V. Selection and/or peer revi ew under responsibility of ICMPBE International Committee. Keywords:certificateless cryptography; generalized signcryption; security model; bilinear pairing;

l.Introduction

Signcryption is a cryptographic primitive proposed by Zheng in 1997 that could obtain encryption and signature in a single operation, which is more efficient than the traditional signature-then-encryption [1]. Since then, many schemes of signcryption are proposed. Malone-Lee gave the first identity based signcryption scheme in following which several other identity based signcryption schemes were

proposed.

Since the key escrow property of identity based cryptosystems is inherent, to avoid this problem, Al-Riyami and Paterson proposed a new cryptographic primitive as certificateless public key system [3]. The users' private keys are computed by the KGC and the users themselves, which eliminates the key escrow problem in identity based system and cumbersome certificate management problem in traditional public key system. Many certificateless signature and encryption schemes are provided. The first certificateless signcryption scheme was given by M.Barbosa and P.Farshim in 2003[4], several other certificateless signcryption schemes were proposed since then.

The notion of generalized signcryption was termed by Han Yiliang and Yang Xiaoyuan in 2006[5]. The idea is that using a special "signcryption", one not only can simultaneously get confidentiality and authentication, but also obtain confidentiality or authentication alone. This special "signcryption" is called generalized signcryption. Wang Xu-an el al gave the formal security model for generalized signcryption and improved the scheme in

1875-3892 © 2012 Published by Elsevier B.V. Selection and/or peer review under responsibility of ICMPBE International Committee. doi:10.1016/j.phpro.2012.05.161

In this paper, we first propose the formal definition of the certificateless generalized signcryption(CLGSC), then the security notion of CLGSC is also presented. A new CLGSC scheme is proposed based on M.Barbosa, P.Farshim's work in [4].

The paper is organized as follows: in the next section, we give the definition of bilinear pairing and related computational hard problem; the formal definition and the security model of CLGSC are proposed in section 3. In section 4 we give a concrete CLGSC. The correctness and security is analyzed in section 5. Section 6 concludes the paper.

2.Preliminaries

In this section, we briefly give the definition of bilinear pairings and complexity assumption related to the security proof of our scheme.

2.1.Bilinear Pairings

Let Gi and G2 be two cyclic groups of prime order p and P be a random generator of Gi. The map e: Gi xG1—» G2 is called an admissible bilinear pairing if the following conditions hold true.

• e is bilinear, i.e. e(aP, bP) = e(P, P)ab for all a, be Zp;

• e is non-degenerate, i.e. e(P, P) ^ 1G ;

• e is efficiently computable.

2.2.Complexity assumption

GBDH (gap bilinear Diffie-Hellman assumption) Given two cyclic groups G1 and G2 and map e: G1 xG1—► G2 defined as above, the gap bilinear Diffie-Hellman assumption holds if the advantage of any PPT adversary as defined below is negligible.

AdvGBDH(A,qDBDH) = Pr[T = e(P,P)abc| a, b, ce Zp; T = AO(aP, bP, cP)],

Here O denotes a decision bilinear Diffie-Hellman pracle which on input a tuple (aP, bP, cP, T) outputs 1 if T = e(P, P)abc and 0 otherwise. By qDBDH we denote the maximum number of queries that A asks its decision oracle.

CDHP (Computational Diffie-Hellman assumption) Given two cyclic groups G1 and G2 and map e: G1 xG1—»G2 defined as above, the computational Diffie-Hellman assumption holds in G1 if the advantage of any PPT adversary as defined below is negligible.

AdvGDH(A) = Pr[Q = abPI a, be Zp; Q = A (aP, bP)].

GDH'P Given two cyclic groups G1 and G2 and map e: G1 xG1—»G2 defined as above, the computational Diffie-Hellman assumption in the presence of a decision bilinear Diffie-Hellman oracle holds in G1 if the advantage of any PPT adversary as defined below is negligible.

AdvGDH(A,qDBDH) = Pr[Q = abP| a, be Zp; Q = AO(aP, bP)]

Here O and qDBDH are as in the above definition.

3.Formal model and security notion of CLGSC

In this section, we propose the formal definition of CLGSC and the security model of CLGSC.

3.1.Certificateless GeneralizedSigncryption

A certificateless generalized signcryption scheme is defined by the following five probabilistic polynomial-time algorithms.

• Setup (1k): Given a security parameter k, PKG executes this algorithm and generates a master key S and global parameters params. PKG publishes params and keep S secret.

• Extract-Partial-Private-Key(ID, S, params). Given a user identity ID, PKG runs the algorithm and returns a partial private key D.

• Set-User-Key (ID, D, params). Given a user ID, partial private key D and params, user runs the algorithm and returns a public key of the identity PK, and a secret key x, the private key of the user is (x, D).

• GSC. This algorithm has 3 scenarios: signcryption, signature and encryption.

Signcryption: if user A transmits a message m confidentially and authenticately to B, the input is (Sa, m, IDb), and outputs ct = GSC(SA, m, IDB).

Signature: if user A wants to sign a message m without definite receiver, the input is (SA, m, IDV), where IDV means the receiver is null, the output is ct = GSC(SA, m, ID ).

Encryption: if someone wants to send message m to B confidentially, the input is (Sp, m, IDB), where Sr denotes the private key corresponding to IDf. The output is ct = GSC(S , m,IDB).

• UGSC. Given a, if it is valid, the receiver B unsigncrypts the ciphertext and returns m and (or) the signature on m by A, otherwise return ±means fail.

3.2.Security Model of CLGSC

Now we describe the security model for certificateless generalized signcryption under the inside attacker. In confidentiality and unforgeability game we provide access to the following oracles:

• Extract Partial Private Key: given an identity ID, the oracle returns the partial private key D using the Extract-Partial-Private-Key algorithm.

• Extract Secret Key: given an identity ID, the oracle returns the full secret key SK=(x, D) of ID using the Set-User-Key algorithm.

• Request Public Key: given an identity ID, the oracle returns the public key PK of ID using the SetUser-Key algorithm.

• Replace Public Key: given an identity ID and a valid public key PK ', this oracle replace the public key of ID with PK. If the identity's public key doesn't exist, then it is obtained through the Set-user-key algorithm and then replaced by PK\

• GSC oracle: given a massage m, a sender identity A, a receiver identity B, this oracle returns the result of running algorithm GSC. Note that if A and B are not empty, then use the Signcryption model; if A is empty, use the encryption model; if B is empty, use the signature model. When the identity A isn't empty, and its' private key doesn't exist, first runs the Set-user-key algorithm to get A s full secret key and then runs algorithm GSC.

• UGSC oracle: given a ciphertext, sender identity A, a receiver identity B, the oracle returns the result of running UGSC algorithm.

As in many certificateless cryptosystems, we consider two types adversary, Type-I and Type-II adversary in the security definition of CLGSC. Roughly, the Type-I adversary models a common user without the master secret key, while the Type-II adversary models the honest but curious KGC.

Type-I adversary: since a Type-I adversary is a common user, he is allowed to request the above 6 oracles with the following constraint:

• Adversary is not allowed to request the master secret key;

• Adversary is not allowed to request the extract partial private key of the challenge identities if its public key has been replaced.

Type-II adversary: a Type-II adversary is an honest but curious KGC, so he is given the master secret key, he is allowed to request the above 6 oracles with the following constraint:

• No extract secret key query is allowed on the challenge identities.

• No replace public key query is allowed on the challenge identities before the challenge phase.

Confidentiality

Definition 1: A certificateless generalized signcryption is called IND-CLGSC-iCCA2 secure if every of the probabilistic polynomial time Type-I or Type-II adversary has negligible advantage in winning the following game between the challenger C and the adversary A:

Setup: Challenger C runs the setup algorithm to generate master key Msk and system parameters Params. C gives A Params while keeping Msk secret (C gives the Msk to A when A is a Type-II adversary). After receiving Params, A outputs a target identity ID*. C interacts with A in following phases:

Phase 1: A is given access to the above all the six oracles. A adaptively queries the oracles consistent with the constraints described above.

Challenge: A outputs two message m0, mi, and a sender's identity IDS, C randomly chooses a bit be R {0,l}and computes a generalized signcryption a = GSC(mb, IDS, SKS, PKS, ID*, PK*) and sends a* to A.

Phase 2: A makes the same queries as in phase, besides it cannot query UGSC oracle on a for ID*.

Guess: A output its guess b' on b at the end of the game. If b' = b, A wins the game. The advantage of A is defined as Adv/lND-CLGSC',CCA2=\2Pr[b = b']-1|.

Authenticity

Definition 2: A certificateless generalized signcryption is called xistential unforgeability (EUF-CLGSC-iCMA) if every of the probabilistic polynomial time Type-I or Type-II adversary has negligible advantage in winning the following game between the challenger C and the adversary F:

Setup: Challenger C runs the setup algorithm to generate master key Msk and system parameters Params. C gives F Params while keeping Msk secret (C gives the Msk to A when A is a Type-II adversary). After receiving Params, F outputs target identity ID*. C interacts with F in following phases:

Phase 1: F is given access to the above all the six oracles. F makes the same queries as in the game above.

Forgery: F output a signature a and a receiver IDR, we assume that IDR ^ ID*. If UGSC(o*, SR, IDR), returns m and a was not the output of any GSC query GSC(m, ID*, IDR), then F wins the game. The probability that F wins the game is defined as AdvAEUF'CLGSC"CMi.

4.A concrete scheme of CLGSC

We proposed a certificateless generalized signcryption scheme based on M.Barbosa, P.Farshim's work in [4], which is generalized as follows.

Setup(1k): given a security parameter 1k, the KGC chooses two groups G1 and G2 of prime order p, two random generator P, Q of G1 such that P and a bilinear map e: G1 xG1—>G2. Compute g = e(P, Q)e G2, define 5 hash functions as #1:{0,1}*-»G1, H2:{0,1}*->{0,1}k, H3: {0,1}*-^H4: {0,1}*->G1, where k denotes the number of bits to represent a message. KGC chooses random s e Zp as master secret key and set Ppub = sP. KGC publishes the system parameters as < G1, G2, P, Ppub, e: G1 XG1—► G2, H1 , H2, H3 , H4 >.

Extract-Partial-Private-Key: given ID, the partial private key of the user with identity IDt is computed by KGC as Dt = sQt = sH1 (ID).

Set-User-Key: given D,, the user with identity IDt chooses random x^ Zp and sets his private key SKi =< x, Di > and public key PKt = xi P.

GSC: This algorithm has 3 scenarios: signcryption, signature and encryption.

Signcryption: given message m, sender' identity A, receiver's identity B, A operates the following steps:

1A chooses random re Zp, computes U = rP, w = e (Ppub, QB)r;

2 computes h = H2U, w, rPKB, IDB, PKb);

3 computes V = m ® h;

4 computes H = H3(U, V, IDA, PKa);

5 computes H = H4U, V, IDa, PKa);

6 compute W = DA+rH+xAH;

7 return ciphertext c = (U, V, W).

Signature: given message m, sender' identity A, A operates the following steps: 1A chooses random re Zp, computes U = rP, w =1;

2 computes h =0;

3 computes V = m®h = m;

4 computes H = H3(U, V, IDa, PKa);

5 computes H = H4U, V, IDa, PKa);

6 compute W = DA+rH+xAH;

7 return ciphertext c = (U, V, W).

Encryption: given message m, receiver's identity B, someone operates the following steps: 1A chooses random re Zp, computes U = rP, w = e (Ppub, QB)r;

2 computes h = H2U, w, rPKB, IDB, PKb);

3 computes V = m ® h;

4 computes W =0;

5 return ciphertext c = (U, V, W).

UCLGSC: given c, a receiver's identity B, operates the following steps:

1 if W + 0; computes H = H(U, V, IDa, PKA)and H = H(U, V, IDa, PKa);

2 if e (P, W) +e (PpUb, Qa) e (U, H) e (PKa, H) when W± 0, return _L;

3 computes w = e (U, DB) (if the receiver's identity is empty, then w = e (U, 0) = 1);

4 computes h = H2(U, w, xBU, IDB, PKB) (if the receiver's identity is empty, then h = 1);

5 computes m = V® h;

6 returns m.

Note that in UGSC algorithm, the pairing e (Ppub, QA) can be precomputed. 5.Correctness and Security analysis

In this section, we analyze the correctness and security of our scheme. 5.1.Correctness

The correctness of our CLGSC scheme is below:

If W ± 0, then e(P, W)= e(P, DA+rH+xAH) = e(P, DA) e(P, rH) e(P, xAH) = e(sP, QA) e(rP, H) e(xAP, H) = e(PpUb, Qa) e(U, H) e(PKA, H).

5.2.Security analysis

Theorem 1 The certificateless generalized signcryption scheme above is IND-iCCA-I/II secure in the random oracle model under the assumption that the GBDHP is intractable in the underlying bilinear group.

Theorem 2 The certificateless generalized signcryption scheme above is sUF-iCMA-I/II secure in the random oracle model under the assumption that the GDH' is intractable in G1. The proof of the above theorems is similar to that in paper [4].

6.Conclusion

In this paper, we defined the formal notion of CLGSC, in which a "special" signcryption scheme could also be used as signature and encryption scheme. We modified the security model for certificateless signcryption scheme in [4] to adapt for our CLGSC scheme. The confidentiality and unforgeability have been formally defined in our security model. We proposed a concrete CLGSC scheme based on the CLSC scheme in [4]. The security proof of our scheme is similar to that of the CLSC scheme in [4].

Since the usefulness of generalized signcryption in real environment, in our future work, we intend to construct more efficient CLGSC schemes secure in random model and without random model.

Acknowledgment

The authors would like to thank anonymous reviewers for giving helpful suggestions.

References

[1] Y.Zheng, Digital signcryption or how to achieve cost (signature&encryption) <<cost (signature) + cost (encryption), Advances in CRYPTO' 97, LNCS 1294, Springer-Verlag, Berlin, 1997, pp. 165-179.

[2] Malone-Lee J., Identity based signcryption, in: Cryptology ePrint Archive. Report 2002/098.

[3] S.S.Al-Riyami, K.G. Paterson, Certificateless Public-key Cryptography, Advance in Cryptology ASIACRYPT 2003, LNCS2894, Springer-Verlag, 2003, pp.452-473.

[4] M.Barbosa, P.Farshim, Certifilateless Signcryption, Proceeding of the 2008 ACM Symposium on information, computer and communications security.

[5] Han Yiliang, Yang Xiaoyuan, New ECDSA— Verifable generalized signcryption, Chinese Journal of Computer, 2006(11), pp.2003-2012.

[6] X.Wang, X.Yang,Y.Han, Provable secure generalized signcryption, in: Cryptology ePrint Archive. Report 2007/173.

[7] Lal S, Kushwah P, ID-based generalized signcryption, in: Cryptology ePrint Archive. Report 2008/084.