Identity Based Generalized Signcryption Scheme in the Standard Model

Abstract: Generalized signcryption (GSC) can adaptively work as an encryption scheme, a signature scheme or a signcryption scheme with only one algorithm, which makes it well suited to storage-constrained settings. In this paper, motivated by Paterson–Schuldt's scheme and based on bilinear pairings, we propose the first identity based generalized signcryption (IDGSC) scheme in the standard model. To the best of our knowledge, it is the first such scheme that is proven secure in the standard model.


Introduction
Confidentiality, integrity, non-repudiation and authentication are important requirements for many cryptographic applications. The traditional approach to achieving these requirements simultaneously is to sign-then-encrypt or encrypt-then-sign. To improve efficiency, Zheng [1] proposed the concept of signcryption in 1997. The main idea of this primitive is to perform signature and encryption simultaneously in a single logical step. Compared with the traditional methods [2], signcryption reduces both computational cost and communication overhead. Since then, many public key signcryption schemes have been proposed [3][4][5].
In 1984, Shamir [6] first proposed the idea of identity-based (ID-based) public key cryptography (ID-PKC) to simplify the key management procedures of traditional certificate-based public key cryptography. The main idea of ID-PKC is that a user's public key can be computed directly from his or her identity, such as an email address, rather than being extracted from a certificate issued by a certificate authority (CA). Private keys are generated for the users by a trusted third party, called the Private Key Generator (PKG), using a master key related to the global parameters of the system. The direct derivation of public keys in ID-PKC eliminates the need for certificates and some of the problems associated with them. The first identity based signature scheme was given by Shamir [6], while the first identity based encryption scheme was presented by Boneh and Franklin [7] in 2001. The first identity based signcryption scheme was proposed by Malone-Lee [8] in 2002, who also gave the security model for signcryption in the identity based setting. Since then, many identity based signcryption schemes have been proposed [9][10][11][12][13][14][15][16][17].
Signcryption schemes are used in application environments that need confidentiality and authenticity simultaneously. However, not all application environments require both confidentiality and authenticity. If only one of the two functionalities is required, a signcryption scheme is not efficient, and an encryption or signature scheme should be used instead. In a low-bandwidth environment, however, this means having to afford three different cryptographic algorithms (encryption, signature and signcryption) to achieve confidentiality and authenticity separately or simultaneously. In 2006, to reduce implementation complexity, Han et al. [18] proposed the concept of generalized signcryption, which can work as an encryption scheme, a signature scheme or a signcryption scheme as required. They also proposed a concrete construction based on the Elliptic Curve Digital Signature Algorithm (ECDSA). Wang et al. [19] gave a security model for generalized signcryption schemes and modified the scheme proposed in [18]. In 2008, Lal et al. [20] presented the first identity based generalized signcryption (IDGSC) scheme. However, Yu et al. [21] showed that the security model in [20] is not complete; they modified the security model and gave a new scheme that is secure in it. In 2011, Kushwah et al. [22] simplified the security model for IDGSC and proposed an efficient scheme.
Provable security is a basic requirement for ID-based generalized signcryption schemes. All of the schemes [20][21][22] described above were proven secure only in the random oracle model. The random oracle model was introduced by Bellare and Rogaway [23]. It is a formal model for analyzing cryptographic schemes in which a hash function is treated as a black box containing a random function. Although the model is efficient and useful, it has received much criticism, since a proof in the random oracle model does not prove the security of the scheme once the oracle is instantiated. Canetti et al. [24] have shown that security in the random oracle model does not imply security in the real world: a scheme can be secure in the random oracle model and yet be broken without violating any particular intractability assumption and without breaking the underlying hash functions.
Therefore, designing a provably secure ID-based generalized signcryption scheme in the standard model (without random oracles) remains an open and interesting research problem.
In this paper, we propose the first ID-based generalized signcryption scheme in the standard model. Using the Paterson–Schuldt scheme [25], we give a concrete construction. We also prove its semantic security under the hardness of the Decisional Bilinear Diffie–Hellman problem and its unforgeability under the Computational Diffie–Hellman assumption.

Preliminaries
In this section, we briefly review the basic concepts of bilinear pairings and the related complexity assumptions.

Bilinear Pairings
Let $G_1$ and $G_2$ be two multiplicative cyclic groups of prime order $q$ and let $g$ be a generator of $G_1$.
The map $e: G_1 \times G_1 \to G_2$ is said to be an admissible bilinear pairing if it has the following properties:
• Bilinearity: For all $u, v \in G_1$ and $a, b \in Z_q$, $e(u^a, v^b) = e(u, v)^{ab}$.
• Computability: There exists an efficient algorithm to compute $e(u, v)$ for all $u, v \in G_1$.
We note that the modified Weil and Tate pairings associated with supersingular elliptic curves are examples of such admissible pairings.

Decisional Bilinear Diffie-Hellman (DBDH) Problem
Given $g, g^a, g^b, g^c \in G_1$ for unknown $a, b, c \in Z_q^*$ and $Z \in G_2$, decide whether $Z = e(g, g)^{abc}$. The advantage $\varepsilon$ of a polynomial-time algorithm A against the DBDH problem is defined in the usual way, where the probability is taken over the randomly chosen $a, b, c$ and the random bits consumed by A.
Definition 1. The $(t, \varepsilon)$ DBDH assumption holds if no $t$-time adversary has advantage at least $\varepsilon$ in solving the DBDH problem.

Computational Diffie-Hellman (CDH) Problem
Given $g, g^a, g^b \in G_1$ for unknown $a, b \in Z_q^*$, compute $g^{ab}$. The success probability $\delta$ of a polynomial-time algorithm A in solving the CDH problem is defined accordingly, where the probability is taken over the randomly chosen $a, b$ and the random bits consumed by A.
Definition 2. The $(t, \delta)$ CDH assumption holds if no $t$-time adversary has success probability at least $\delta$ in solving the CDH problem.

Generic Scheme
An identity based generalized signcryption scheme consists of the following four algorithms:
• Setup: Given a security parameter $k$, the private key generator (PKG) generates the system parameters $\mathit{params}$ and a master key $s$. $\mathit{params}$ is made public while $s$ is kept secret.
• Extract: Given an identity $ID$, the PKG computes the corresponding private key $d_{ID}$ and transmits it to the user with identity $ID$ via a secure channel.
• Generalized Signcrypt: Given the sender's identity $ID_A$ and private key $d_A$, the receiver's identity $ID_B$ and a message $m$, the sender outputs the ciphertext $\sigma$.
• Generalized Unsigncrypt: Given the sender's identity $ID_A$, the receiver's identity $ID_B$ and private key $d_B$, and the ciphertext $\sigma$, the receiver with identity $ID_B$ outputs $m$, or the symbol $\perp$ if $\sigma$ is an invalid ciphertext under $ID_A$ and $ID_B$.
There is no specific sender (or receiver) when we encrypt (or sign) a message using IDGSC. We denote the absence of a sender (or receiver) by $ID_\Phi$. If $ID_B = ID_\Phi$, the IDGSC scheme becomes a signature scheme and its output is a signature of the sender $ID_A$ on the message $m$. If $ID_A = ID_\Phi$, the IDGSC scheme becomes an encryption scheme and its output is merely an encryption of the message $m$ for the receiver $ID_B$. If $ID_A \neq ID_\Phi$ and $ID_B \neq ID_\Phi$, then IDGSC works as a signcryption scheme and its output is the signcryption of the message $m$ from the sender $ID_A$ to the receiver $ID_B$. Thus, the IDGSC scheme works in three modes: signcryption mode, encryption mode and signature mode.

Security Model
Following Yu et al. [21], the abilities of an adversary are formally modeled by the queries it may issue. Each adversary may issue the following queries:
• Private-Key-Extract: The adversary submits an identity, and the challenger responds with the private key of that identity.
• Sign: The adversary submits a sender's identity and a message, and the challenger responds with the signature of that signer on the message.
• Verify: The adversary submits a signer's identity and a message/signature pair, and the challenger responds with 1 if the signature is accepted and 0 otherwise.
• Encrypt: The adversary submits a receiver's identity and a message, and the challenger responds with the ciphertext of this message for the receiver.
• Decrypt: The adversary submits a receiver's identity and a ciphertext, and the challenger decrypts the ciphertext under the private key of the receiver and returns the corresponding plaintext.
• Signcrypt: The adversary submits a sender's identity, a receiver's identity and a message, and the challenger responds with the ciphertext under the sender's private key and the receiver's public key.
• Unsigncrypt: The adversary submits a ciphertext and a receiver's identity, and the challenger decrypts the ciphertext under the private key of the receiver and verifies that the resulting decryption is a valid message/signature pair under the public key of the decrypted identity. The challenger then returns the message.
The identity based generalized signcryption can work in three modes: encryption mode, signature mode and signcryption mode, denoted IDGSC-EN, IDGSC-SG and IDGSC-SC, respectively.
For confidentiality, we define the following two games (Game 1 and Game 2) under IDGSC-EN and IDGSC-SC, respectively.

Game 1. Indistinguishability (IND)-(IDGSC-EN)-CCA2 Secure
Consider the following game played between a challenger C and an adversary A.
• Initial: The challenger C takes a security parameter $k$ and runs the Setup algorithm to generate the system parameters $\mathit{params}$ and the master key $s$. C sends $\mathit{params}$ to A and keeps $s$ secret.
• Phase 1: The adversary A can perform a polynomially bounded number of the seven types of queries above. These queries may be made adaptively, i.e., each query may depend on the answers to the previous queries.
• Challenge: The adversary A decides when Phase 1 ends and chooses two equal-length plaintexts $m_0, m_1$ and two identities $ID_A = ID_\Phi$, $ID_B \neq ID_\Phi$ on which to be challenged. The identity $ID_B$ must not have appeared in any private key extract query in Phase 1. C chooses a random bit $b$, encrypts $m_b$ and sends the ciphertext $\sigma$ to A.
• Phase 2: The adversary A again makes a polynomial number of adaptive queries as in Phase 1, with the restriction that it cannot make a private key extract query on $ID_B$ and cannot make an unsigncrypt query on $\sigma$.

Game 2. IND-(IDGSC-SC)-CCA2 Secure
Consider the following game played between a challenger C and an adversary A.
• Initial: The challenger C takes a security parameter $k$ and runs the Setup algorithm to generate the system parameters $\mathit{params}$ and the master key $s$. C sends $\mathit{params}$ to A and keeps $s$ secret.
• Phase 1: The adversary A can perform a polynomially bounded number of the seven types of queries above. These queries may be made adaptively, i.e., each query may depend on the answers to the previous queries.

For unforgeability, we define the following two games (Game 3 and Game 4) under IDGSC-SG and IDGSC-SC, respectively.

Game 3. EF-(IDGSC-SG)-Adaptive Chosen Message Attack (ACMA) Secure
Consider the following game played between a challenger C and an adversary A.
• Initial: The challenger C runs the Setup algorithm with a security parameter $k$ and obtains the system parameters $\mathit{params}$ and the master secret key $s$. C sends $\mathit{params}$ to A.
Definition 5 (Unforgeability-IDGSC-SG). An IDGSC scheme is said to have existential unforgeability against adaptive chosen message attacks (EF-(IDGSC-SG)-ACMA) if no polynomially bounded adversary has a non-negligible advantage in Game 3.

Game 4. EF-(IDGSC-SC)-ACMA Secure
Consider the following game played between a challenger C and an adversary A.
• Initial: The challenger C runs the Setup algorithm with a security parameter $k$ and obtains the system parameters $\mathit{params}$ and the master secret key $s$. C sends $\mathit{params}$ to A.

The Proposed Scheme
Our IDGSC scheme is described as the following algorithms.
• Setup: Given a security parameter $k$, the PKG chooses groups $G_1$ and $G_2$ of prime order $q$, a generator $g$ of $G_1$, an admissible bilinear pairing $e: G_1 \times G_1 \to G_2$, and hash functions $H: \{0,1\}^* \to \{0,1\}^l$ and $H_m: \{0,1\}^* \to \{0,1\}^{n_m}$. The PKG chooses a random value $\alpha \in Z_q^*$, computes $g_1 = g^\alpha$ and selects $g_2 \in G_1$. Furthermore, the PKG computes $z = e(g_1, g_2)$ and picks $u', m' \in G_1$ and vectors $\mathbf{u} = \{u_i\}$, $\mathbf{m} = \{m_i\}$ of length $n_u$ and $n_m$, respectively, whose entries are random elements of $G_1$. The system parameters are $\mathit{params} = \{G_1, G_2, e, q, g, g_1, g_2, H, H_m, z, u', m', \mathbf{u}, \mathbf{m}\}$ and the master secret key is $g_2^\alpha$.
Let $f(ID)$ be a special function on $ID \in \{0,1\}^{n_u}$: if the identity is vacant, that is $ID = ID_\Phi$, then $f(ID) = 0$; otherwise $f(ID) = 1$.
• Extract: Let $ID$ be a bit string of length $n_u$ representing an identity and let $ID[i]$ be the $i$-th bit of $ID$. Define $U_{ID} \subset \{1, 2, \dots, n_u\}$ to be the set of indices $i$ such that $ID[i] = 1$. A private key $d_{ID}$ for identity $ID$ is generated as follows. The PKG picks $r_{ID} \in Z_q^*$ and computes $d_{ID}$. The sender with identity $ID_A$ and the receiver with identity $ID_B$ obtain their private keys $d_A$ and $d_B$ in the same way.
• Generalized Signcrypt: Suppose the sender A with identity $ID_A$ wants to send a message $m \in \{0,1\}^l$ to the receiver B with identity $ID_B$. A picks a random $r \in Z_q^*$ and does the following. Here $\pi$ is an $n_m$-bit string, $\pi[j]$ denotes the $j$-th bit of $\pi$, and $M \subset \{1, 2, \dots, n_m\}$ denotes the set of $j$ for which $\pi[j] = 1$. The ciphertext is $\sigma = (\sigma_1, \sigma_2, \sigma_3, \sigma_4, c)$.
• Generalized Unsigncrypt: On receiving $\sigma$, the receiver with identity $ID_B$ follows the steps below. 4. (…$\sigma_3, w$) and generate the corresponding set $M$, the set of all $j$ for which $\pi[j] = 1$. 5. Accept the message if and only if the following equality holds:
Remark 1. The Setup and Extract algorithms of our scheme are taken from the existing work of Paterson and Schuldt [25]. However, our Setup algorithm differs from [25] in that we add the parameters $H$ and $H_m$. The other algorithms, Generalized Signcrypt and Generalized Unsigncrypt, are new designs.
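As an added illustration (not code from the paper), the following toy Python model implements the Setup and Extract machinery above: the Waters-style hashing of an identity ($u' \prod_{i \in U_{ID}} u_i$) and of the message hash $\pi$ ($m' \prod_{j \in M} m_j$), the $f(ID)$/$ID_\Phi$ mode selection from the generic scheme, and the check a user can run on a private key received from the PKG. It assumes the Paterson–Schuldt key form $d_{ID} = (g_2^\alpha (u' \prod_{i \in U_{ID}} u_i)^{r_{ID}}, g^{r_{ID}})$, which this page omits, tiny constructed group parameters, and a pairing simulated through discrete logs; the signcrypt and unsigncrypt steps are not modelled.

```python
import secrets

# Toy parameters (constructed): G1 is the order-q subgroup of Z_p^*, p = 2q + 1.
P, Q = 2039, 1019
G = 4                    # a quadratic residue, so it generates the order-q subgroup
N_U = N_M = 8            # n_u, n_m: identity and message-hash bit lengths (toy sizes)
ID_VACANT = None         # stands for ID_Phi, the absent sender or receiver

_DLOG = {pow(G, x, P): x for x in range(Q)}   # only feasible because q is tiny

def pair(u, v):
    """Simulated symmetric pairing e(u, v) = g_T^(log u * log v), g_T = G; it is bilinear."""
    return pow(G, (_DLOG[u] * _DLOG[v]) % Q, P)

def rand_exp():          # uniform element of Z_q^*
    return 1 + secrets.randbelow(Q - 1)

def f(identity):
    """The paper's f: 0 if the identity is vacant (ID_Phi), 1 otherwise."""
    return 0 if identity is ID_VACANT else 1

def mode(id_a, id_b):
    """Mode the generalized scheme runs in for a given (sender, receiver) pair."""
    modes = {(1, 1): "signcryption", (0, 1): "encryption", (1, 0): "signature"}
    if (f(id_a), f(id_b)) not in modes:
        raise ValueError("sender and receiver cannot both be vacant")
    return modes[(f(id_a), f(id_b))]

def setup():
    """Setup: g1 = g^alpha, g2, z = e(g1, g2), u', m' and the vectors u, m."""
    alpha = rand_exp()
    rnd = lambda: pow(G, rand_exp(), P)        # random element of G1
    params = {"g": G, "g1": pow(G, alpha, P), "g2": rnd(),
              "u_prime": rnd(), "u": [rnd() for _ in range(N_U)],
              "m_prime": rnd(), "m": [rnd() for _ in range(N_M)]}
    params["z"] = pair(params["g1"], params["g2"])
    msk = pow(params["g2"], alpha, P)          # master secret key g2^alpha
    return params, msk

def bit_set(bits, n):
    """Zero-based indices i with bits[i] == '1': U_ID for an identity, M for pi."""
    if len(bits) != n or set(bits) - {"0", "1"}:
        raise ValueError(f"expected an {n}-bit string")
    return [i for i, b in enumerate(bits) if b == "1"]

def waters_hash(base, vec, bits):
    """u' * prod_{i in U_ID} u_i (or m' * prod_{j in M} m_j)."""
    h = base
    for i in bit_set(bits, len(vec)):
        h = h * vec[i] % P
    return h

def extract(params, msk, identity):
    """Extract in the Paterson-Schuldt form (assumed; the page omits the formula):
    d_ID = (g2^alpha * (u' prod u_i)^r, g^r) for a fresh r in Z_q^*."""
    r = rand_exp()
    h = waters_hash(params["u_prime"], params["u"], identity)
    return (msk * pow(h, r, P) % P, pow(params["g"], r, P))

def check_key(params, identity, d_id):
    """User-side check of a key from the PKG: e(d1, g) == z * e(u' prod u_i, d2)."""
    d1, d2 = d_id
    h = waters_hash(params["u_prime"], params["u"], identity)
    return pair(d1, params["g"]) == params["z"] * pair(h, d2) % P
```

The key check rejects a key issued for a different identity or altered in transit, which is the first thing a client should do before using $d_{ID}$ in any of the three modes.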

Correctness
$e(\sigma_4, g) = e((g \ldots$
There are three cases to be considered.

Case 1. In the IDGSC-SC Model
In this case, $ID_A \neq ID_\Phi$ and $ID_B \neq ID_\Phi$, so $f(ID_A) = f(ID_B) = 1$. The generalized signcryption scheme in the signcryption model is as follows:
• Signcrypt: Here $\pi$ is an $n_m$-bit string, $\pi[j]$ denotes the $j$-th bit of $\pi$, and $M \subset \{1, 2, \dots, n_m\}$ denotes the set of $j$ for which $\pi[j] = 1$. The ciphertext is $\sigma = (\sigma_1, \sigma_2, \sigma_3, \sigma_4, c)$.

Case 3. In the IDGSC-EN Model
In this case, $ID_A = ID_\Phi$ and $ID_B \neq ID_\Phi$, so $f(ID_A) = 0$ and $f(ID_B) = 1$. The generalized signcryption scheme in the encryption model is as follows:
• Encrypt: Here $\pi$ is an $n_m$-bit string, $\pi[j]$ denotes the $j$-th bit of $\pi$, and $M \subset \{1, 2, \dots, n_m\}$ denotes the set of $j$ for which $\pi[j] = 1$.
• Decrypt: (…$\sigma_3, w$) and generate the corresponding set $M$, the set of all $j$ for which $\pi[j] = 1$. 4. Accept the message if and only if the following equality holds:
$$e(\sigma_4, g) = e\Big(u' \prod_{i \in U_B} u_i,\ \sigma_1\Big)\, e\Big(m' \prod_{j \in M} m_j,\ \sigma_1\Big).$$

Theorem 1 (Confidentiality in the IDGSC-EN model). Assume there is an adversary A that is able to distinguish two valid ciphertexts in the IND-(IDGSC-EN)-CCA2 game defined in Game 1 with advantage $\varepsilon$ when running in time $t$. Then there exists an algorithm D that can break Waters' identity based encryption scheme in time $t' = t$ with advantage $\varepsilon' = \varepsilon$.
Proof. When the IDGSC scheme works as an encryption scheme, it is actually the identity based encryption scheme proposed by Waters [26] combined with a one-time signature. By the theorem of Canetti et al. [27], this construction is secure against the usual adaptive chosen-ciphertext attack. As for the signcrypt/unsigncrypt queries, the adversary cannot transform the target encryption ciphertext into a valid signcryption ciphertext; this follows from the EF-ACMA security of the Paterson–Schuldt (PS) scheme [25]. Hence the IDGSC scheme in the encryption model is IND-CCA2 secure, and the theorem follows.

Theorem 2 (Confidentiality in the IDGSC-SC model). Assume there is an adversary A that is able to distinguish two valid ciphertexts in the IND-(IDGSC-SC)-CCA2 game defined in Game 2 with advantage $\varepsilon$ when running in time $t$ and making at most $q_k$ private key extract queries, $q_s$ sign queries, $q_v$ verify queries, $q_e$ encrypt queries, $q_d$ decrypt queries, $q_{sc}$ signcrypt queries and $q_{us}$ unsigncrypt queries. Then there exists a distinguisher that can solve an instance of the DBDH problem in time
$$t' = t + (5q_k + 2q_s + 4q_e + 4q_{sc})\, t_e + (4q_d + 7q_{us} + 4q_v)\, t_p$$
with advantage
$$\varepsilon' = \frac{\varepsilon}{8\,(q_k + q_d + q_s + q_{sc} + q_{us})\,(n_u + 1)\, q_{sc}\,(n_m + 1)},$$
where $t_e$ denotes the time of an exponentiation in $G_1$ and $t_p$ the time of a pairing in $(G_1, G_2)$.
We summarize the comparison of the four schemes in Table 1. The Generalized Signcrypt and Generalized Unsigncrypt columns give the computational cost of each identity based generalized signcryption scheme. The Security Model column specifies the security model that each scheme relies on, where RO and SM stand for Random Oracle and Standard Model, respectively. As Table 1 shows, in Generalized Signcrypt the computational cost of our scheme is lower than that of Lal et al.'s scheme [20] and Yu et al.'s scheme [21] and higher than that of Kushwah et al.'s scheme [22]. Our scheme has a slightly higher computational cost than the other schemes [20][21][22] in Generalized Unsigncrypt, whereas our scheme is proven secure in the standard model. To the best of our knowledge, it is the first scheme proven secure in the standard model; all previous schemes mentioned above prove their security in the random oracle model. For some special applications that require very high security, it is believed that only schemes that can be proven secure in the standard model should be employed. Thus, our scheme is suitable for secure e-mail and electronic commerce, where confidentiality and authenticity are required simultaneously or separately to enable a secure and trustworthy communication environment.

Conclusions
The main purpose of identity based generalized signcryption is to reduce implementation complexity. Depending on the application environment, identity based generalized signcryption can fulfill the function of an identity based signature, encryption or signcryption scheme. In this paper, we proposed a concrete ID-based generalized signcryption scheme based on the Paterson–Schuldt scheme. To the best of our knowledge, this is the first ID-based generalized signcryption scheme that can be proven secure in the standard model.
Game 1 (continued).
• Guess: The adversary A produces a bit $b'$ and wins the game if $b' = b$. The advantage of A is defined as $\mathrm{Adv}^{\mathrm{IND\text{-}CCA2}}_{\mathrm{IDGSC\text{-}EN}}(A) = |2\Pr[b' = b] - 1|$, where $\Pr[b' = b]$ denotes the probability that $b' = b$.
Definition 3 (Confidentiality-IDGSC-EN). An IDGSC scheme is said to have indistinguishability against adaptive chosen ciphertext attacks (IND-(IDGSC-EN)-CCA2), or semantic security, if no polynomially bounded adversary has a non-negligible advantage in Game 1.

Game 2 (continued).
• Challenge: The adversary A decides when Phase 1 ends and chooses two equal-length plaintexts $m_0, m_1$ and two identities $ID_A \neq ID_\Phi$, $ID_B \neq ID_\Phi$ on which to be challenged. The identity $ID_B$ must not have appeared in any private key extract query in Phase 1. C chooses a random bit $b$, encrypts $m_b$ and sends the ciphertext $\sigma$ to A.
• Phase 2: The adversary A again makes a polynomial number of adaptive queries as in Phase 1, with the restriction that it cannot make a private key extract query on $ID_B$ and cannot make an unsigncrypt query on $\sigma$.
• Guess: The adversary A produces a bit $b'$ and wins the game if $b' = b$. The advantage of A is defined as $\mathrm{Adv}^{\mathrm{IND\text{-}CCA2}}_{\mathrm{IDGSC\text{-}SC}}(A) = |2\Pr[b' = b] - 1|$, where $\Pr[b' = b]$ denotes the probability that $b' = b$.
Definition 4 (Confidentiality-IDGSC-SC). An IDGSC scheme is said to have indistinguishability against adaptive chosen ciphertext attacks (IND-(IDGSC-SC)-CCA2), or semantic security, if no polynomially bounded adversary has a non-negligible advantage in Game 2.
Game 3 (continued).
• Queries: The adversary A performs a polynomially bounded number of adaptive queries, just as in Game 1.
• Forgery: Finally, the adversary A produces two identities $ID_A \neq ID_\Phi$, $ID_B = ID_\Phi$ and a ciphertext (signature) $\sigma$. The adversary wins the game if $ID_A \neq ID_\Phi$; $\sigma$ is a valid ciphertext (signature) on $m$ under $ID_A$; no private key extract query was made on $ID_A$; and $\sigma$ did not result from a sign query on $(m, ID_A)$. The advantage of A is defined as $\mathrm{Adv}^{\mathrm{EF\text{-}ACMA}}_{\mathrm{IDGSC\text{-}SG}}(A) = \Pr[A \text{ wins}]$.

Game 4 (continued).
• Queries: The adversary A performs a polynomially bounded number of adaptive queries, just as in Game 1.
• Forgery: Finally, the adversary A produces a new tuple $(\sigma, ID_A, ID_B)$. Let $m$ be the result of unsigncrypting $\sigma$ under the private key of $ID_B$. The adversary wins the game if $ID_A \neq ID_\Phi$ and $ID_B \neq ID_\Phi$; no private key extract query was made on $ID_A$; $\sigma$ is a valid signature on $m$ under $ID_A$; and $(\sigma, ID_A, ID_B)$ was not output by a signcrypt query. The advantage of A is defined as $\mathrm{Adv}^{\mathrm{EF\text{-}ACMA}}_{\mathrm{IDGSC\text{-}SC}}(A) = \Pr[A \text{ wins}]$.
Definition 6 (Unforgeability-IDGSC-SC). An IDGSC scheme is said to have existential unforgeability against adaptive chosen message attacks (EF-(IDGSC-SC)-ACMA) if no polynomially bounded adversary has a non-negligible advantage in Game 4.

Table 1. Comparison of identity based generalized signcryption schemes.