Appendix A
Security Model
The proposed EPDS scheme should satisfy confidentiality and unforgeability. The security is defined by the following two interaction games executed by a challenger and an attacker . could make the following queries.
Hash queries: Upon receiving the query, returns a random value to .
Extract queries: Upon receiving the query on the pseudo identity , returns a private key to .
Signcryption queries: Upon receiving the query on the message under , returns a ciphertext to .
Definition A1 (Confidentiality). The proposed scheme is secure in the sense of indistinguishability under chosen plaintext attack (IND-CPA) if no probabilistic polynomial-time attacker is able to win the game below with a non-negligible advantage.
The IND-CPA is defined by the following game.
Setup: generates the system parameters and returns to .
Phase 1: adaptively makes the hash, extract, and signcryption queries a polynomially bounded number of times.
Challenge: chooses a challenging identity , picks two messages and and sends to . randomly picks and produces the ciphertext of message under . Finally, returns the ciphertext to .
Phase 2: is able to adaptively perform the queries in Phase 1, except that it cannot make extract queries on .
Guess: produces a guess . The advantage that wins the game is
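The Setup, Challenge and Guess steps of this game, run against textbook ElGamal as an added example (not code from the paper). The toy group parameters, all function names, and the advantage taken as |Pr[b' = b] - 1/2| are assumptions; the extract and signcryption oracles are not modelled. It also shows why the ElGamal IND-CPA assumption used in Theorem A1 requires plaintexts to be encoded in the prime-order subgroup.

```python
import random

# Constructed toy group, far too small for real use: P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

def encrypt(pk, m, rng):
    r = rng.randrange(1, Q)
    return pow(G, r, P), (m * pow(pk, r, P)) % P

def decrypt(sk, ct):
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - sk, P)) % P  # c1^(-sk) via Fermat

def in_subgroup(a):
    return pow(a, Q, P) == 1  # Euler criterion

def ind_cpa_round(adversary, m0, m1, rng):
    sk, pk = keygen(rng)                          # Setup
    b = rng.randrange(2)                          # challenger's hidden bit
    ct = encrypt(pk, (m0, m1)[b], rng)            # Challenge
    return adversary(pk, m0, m1, ct, rng) == b    # Guess

def advantage(adversary, m0, m1, trials=2000, seed=1):
    rng = random.Random(seed)  # seeded so the estimate is reproducible
    wins = sum(ind_cpa_round(adversary, m0, m1, rng) for _ in range(trials))
    return abs(wins / trials - 0.5)

def guessing_adversary(pk, m0, m1, ct, rng):
    return rng.randrange(2)

def subgroup_adversary(pk, m0, m1, ct, rng):
    # pk^r always lies in the subgroup, so c2 is in it iff the plaintext is.
    return 0 if in_subgroup(ct[1]) == in_subgroup(m0) else 1

GOOD_PAIR = (4, 9)        # both messages encoded in the subgroup
BAD_PAIR = (4, P - 4)     # second message falls outside it

if __name__ == "__main__":
    for name, pair in (("subgroup-encoded", GOOD_PAIR), ("unencoded", BAD_PAIR)):
        print(name, advantage(guessing_adversary, *pair),
              advantage(subgroup_adversary, *pair))
```

With subgroup-encoded messages both adversaries stay near zero advantage; with the unencoded pair the subgroup test wins every round, so the estimate reaches the maximum of 0.5.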
Definition A2 (Unforgeability). The proposed scheme achieves existential unforgeability against adaptive chosen message attacks (EUF-CMA) if no probabilistic polynomial-time attacker is able to win the game below with a non-negligible advantage.
The EUF-CMA is defined by the following game.
Initialization: selects a challenging pseudo identity and transmits to .
Setup: generates the system parameters and returns to .
Queries: adaptively makes hash, extract and signcryption queries.
Forgery: outputs a ciphertext on under , such that
Appendix B
Security Proof
Theorem A1. The proposed EPDS scheme can provide confidentiality if ElGamal encryption is secure against the IND-CPA.
Supposing there is an attacker that is able to win the game defined in Definition 1 with a non-negligible probability , we can construct an algorithm that could break the IND-CPA of ElGamal encryption with probability .
Initialization: The simulator for ElGamal encryption generates the and transmits to .
Setup: chooses hash functions : and a super-increasing sequence . Finally, returns to .
To keep responses rapid and consistent, maintains the following lists:
: It consists of tuples .
: It consists of tuples .
: It consists of tuples .
Phase 1: is able to adaptively perform the following queries a polynomially bounded number of times.
queries: performs a query on , executes as follows:
If contains , responds with the previous value to .
If does not contain , randomly chooses a number , adds into and returns to .
queries: performs a query on , executes as follows:
If contains , responds with the previous value to .
If does not contain , randomly chooses a number , adds into and returns to .
Extract queries: performs a query on , executes as follows:
If , aborts the game.
If , executes:
- If contains , returns to .
- If does not contain , randomly chooses and makes . If already appears in , chooses another and tries again. inserts and into and , respectively. Finally, returns the to .
Signcryption queries: makes a query on the message under , returns to . randomly chooses and computes , , and returns them to . produces a ciphertext in accordance with the proposed scheme. Finally, returns the ciphertext to .
Challenge: selects a challenging identity , picks two messages of the same length and and sends them to . Then transmits them to . randomly chooses , and computes , , and returns them to . produces a ciphertext in accordance with the proposed scheme. Finally, returns the ciphertext to .
Phase 2: is able to adaptively perform the queries in Phase 1, except that it cannot make extract queries on .
Guess: can output as its guess against the IND-CPA of ElGamal encryption.
Probability analysis: Supposing that is able to make at most times queries, times queries, times extract queries and times signcryption queries. We define two events as follows:
According to the above simulation, we could obtain that and , and hence the advantage that is able to break the IND-CPA of ElGamal encryption is
In accordance with the above analysis, we can conclude that can break the IND-CPA of ElGamal encryption with a non-negligible probability. This contradicts the security of ElGamal encryption, so the proposed EPDS scheme could provide confidentiality.
Theorem A2. The proposed EPDS scheme can provide the unforgeability if the ECDL problem is hard.
Assuming that there is an attacker that can break the unforgeability of the proposed EPDS scheme with a non-negligible advantage , we can construct an algorithm for solving the ECDL problem with probability .
Initialization: picks a challenging identity and returns to .
Setup: Given an instance of the ECDL problem, then sets and returns to .
queries: It is the same as Theorem 1.
queries: It is the same as Theorem 1.
Extract queries: It is the same as Theorem 1.
Signcryption queries: makes a query on the message under , executes as follows:
If , randomly selects and calculates , , . If the already appears in or already appears in , chooses another and tries again. Then, returns the ciphertext to , and inserts and into and , respectively.
If , generates a ciphertext in accordance with the proposed scheme. Then, returns the ciphertext to .
Forgery: outputs a forged ciphertext on under . On the basis of the forking lemma [40, 41], is able to output another valid ciphertext on under by choosing a different . Since both ciphertexts are valid, we are able to gain the following two equations
We can gain the equations:
outputs as a solution of the ECDL problem.
Probability analysis: Supposing that is able to make at most times queries, times queries, times extract queries, and times signcryption queries. We define three events as follows:
: never aborts the above game in extract and signcryption queries.
: is able to output a valid ciphertext.
: .
According to the above simulation, we could obtain that , , and . Thus, the probability that is able to solve the ECDL problem is shown as:
Due to the non-negligibility of , we are able to know that is non-negligible. In accordance with the above analysis, we are able to conclude that can solve the ECDL problem with a non-negligible probability. This contradicts the hardness of the ECDL problem [42], and hence the proposed EPDS scheme can provide unforgeability.