A Novel Identity-Based Signcryption Scheme in the Standard Model

Identity-based signcryption is a useful cryptographic primitive that provides both authentication and confidentiality for identity-based cryptosystems. It is challenging to build an identity-based signcryption scheme that can be proven secure in the standard model. In this paper, we address this issue and propose a novel construction of identity-based signcryption which enjoys IND-CCA security and existential unforgeability without resorting to the random oracle model. Comparisons demonstrate that the new scheme achieves stronger security, better performance efficiency and shorter system parameters.


Introduction
In [1], Shamir introduced the seminal concept of identity-based (ID-based) cryptography in 1984, which is intended to provide an alternative to the conventional public key infrastructure in terms of efficiency and convenience. The interesting feature of this kind of cryptosystem is that a user's public key can be any binary string that identifies the user, such as an email address. Using identities as public keys eliminates the need for public-key certificates. The first ID-based signature was proposed in the pioneering paper by Shamir [1], but practical ID-based encryption schemes did not appear until Boneh and Franklin [2] constructed one from a bilinear pairing in 2001. ID-based cryptography, along with its applications, has become a hot research topic in the last decade.
The properties of confidentiality and authentication are essential for computer networks. It seems that they can easily be achieved by executing a secure encryption scheme and a digital signature scheme one after the other. However, this trivial combination is expensive and vulnerable to some subtle attacks [3]. In [4], Zheng introduced the notion of signcryption in 1997, a cryptographic primitive that supplies both authentication and confidentiality in a single logical step, at a lower cost than the traditional signature-then-encryption approach. Many practical and novel signcryption schemes, along with their applications, have been proposed over the years (such as [3,5-12]).
An interesting research topic is to combine signcryption and ID-based cryptography [13] to construct secure and efficient ID-based signcryption schemes. In [5], Malone-Lee gave the first ID-based signcryption from bilinear pairings together with a security model that dealt with privacy and unforgeability. However, Libert and Quisquater [14] showed that Malone-Lee's scheme does not provide semantic security, since the signature of the signcrypted message is visible in the final ciphertext. They also built three new ID-based signcryption schemes, but forward security and public verifiability are mutually exclusive in these schemes. Chow et al. [15] constructed an ID-based signcryption that provides both public verifiability and forward security. Boyen [16] also proposed a novel ID-based signcryption that provides public verifiability, forward security, ciphertext unlinkability and anonymity. Chen and Malone-Lee [17] improved the efficiency of Boyen's scheme in 2005. Subsequently, the concept of ID-based signcryption was further extended to cater to more applications. For example, in 2006, Duan and Cao [8] proposed a multi-receiver ID-based signcryption for the scenario with more than one receiver. In 2008, Li et al. [7] presented an ID-based broadcast signcryption for broadcasting a message to multiple users in a secure and authenticated manner. In 2010, Liu et al. [18] proposed certificateless signcryption as an extension of ID-based signcryption. Unfortunately, Weng et al. [19] showed that Liu et al.'s scheme is neither semantically secure against chosen ciphertext attacks nor existentially unforgeable against chosen message attacks.
The early signcryption schemes came with only informal security analysis. The situation changed when Baek et al. [20] proposed a formal security model for signcryption and provided a security proof for Zheng's original scheme [4] in the random oracle model due to Bellare and Rogaway [21]. In this model, hash functions are treated as ideal random functions. Although the model is a powerful tool for validating the designs of cryptographic schemes, it has received some criticism, since security in this model does not always imply security in the real world [22]. Accordingly, it is interesting to design secure ID-based signcryption schemes in the standard model. In 2009, Yu et al. [23] made the first attempt to construct an ID-based signcryption scheme without random oracles. Observing that Yu et al.'s scheme does not achieve semantic security, Jin et al. [24] proposed an improved scheme and claimed that the improvement is secure without random oracles. Unfortunately, recent cryptanalysis due to Li et al. [25] shows that Jin et al.'s scheme [24] achieves neither indistinguishability against adaptive chosen ciphertext attacks nor existential unforgeability against adaptive chosen message attacks. Zhang et al. [26] also built another new scheme, but Li et al. [27] found that Zhang et al.'s scheme does not have IND-CPA security, and they proposed an improvement claimed to achieve both IND-CCA2 and EUF-CMA security. However, a recent analysis due to Selvi et al. [28] concluded that Li et al.'s scheme achieves neither the IND-CCA2 property nor the EUF-CMA property. Another new construction was given by Li et al. at ProvSec 2011 [29], but, recently, Selvi et al. [28] showed that the proof of that scheme is not correct.

Our Contribution
A survey of the previous literature reveals that there does not exist a really secure ID-based signcryption scheme in the standard model. The attempts in [23,24] show that a simple combination of Waters' ID-based encryption [30] and Paterson-Schuldt's ID-based signature [31] may not produce a secure ID-based signcryption. Therefore, the main contribution of this paper is to fill this gap by proposing an ID-based signcryption scheme whose security proof does not need to resort to the random oracle model. Our construction makes use of Paterson-Schuldt's ID-based signature [31], Waters' ID-based encryption [30] and the techniques for constructing selective identity-based encryption due to Boneh and Boyen [32]. We also prove its CCA security and existential unforgeability under some well-studied complexity assumptions. Comparisons show that our scheme outperforms the previous ones in terms of security, computational efficiency and the size of the system parameters.

Organization
The rest of this paper is organized as follows. Some preliminaries used in our scheme are given in Section 2. The new ID-based signcryption, along with performance comparisons to the existing ones, is given in Section 3. The security proof of the new scheme is provided in Section 4. Finally, conclusions are given in Section 5.

Preliminaries
Some basic knowledge, including bilinear pairings, complexity assumptions and a formal model for ID-based signcryption, is briefly revisited in this section.

Bilinear Pairings
G and G_T are multiplicative cyclic groups of prime order p, and g is a generator of G. The map ê : G × G → G_T is an admissible bilinear pairing with the following properties [2]: ê can be efficiently computed.

Complexity Assumptions
Computational Diffie-Hellman (CDH) Problem [2]: The success probability of a polynomial-time algorithm A in solving the CDH problem is denoted as for some unknown a, b, c ∈ Z_p and an element Z ∈ G_T, determine whether Z = ê(g, g)^{abc} or not.
The advantage of a distinguisher B against the DBDH problem is defined as DBDH Assumption: The (t, )-DBDH assumption [2] says that no t-time adversary has at least an advantage in solving the DBDH problem.

Our ID-Based Signcryption Scheme
In this section, we first describe our ID-based signcryption scheme. Then, we show its correctness and compare it with the existing schemes of the same style.

The New Scheme
The proposed ID-based signcryption consists of the following algorithms.
Setup: On input a security parameter k, the PKG chooses two multiplicative cyclic groups G and G_T of prime order p, a generator g of G and a bilinear pairing ê : G × G → G_T. The PKG also picks u', δ, v ∈ G, an n-length vector u = (u_i) whose elements are chosen at random from G, and a collision-resistant hash function H : {0, 1}* → Z_p^*. Additionally, the PKG picks a secret α ∈ Z_p and g_2 ∈ G, and computes g_1 = g^α. The public parameters are params = (G, G_T, ê, g, g_1, g_2, u', δ, v, u) and the master secret key is msk = g_2^α.
Extract: Identities in the new scheme are represented as bit strings of length n, just as in Waters' scheme [30]. Suppose the sender, say Alice, has identity ID_A, represented as a bit string e = (e_1, e_2, ..., e_n), and the receiver Bob's identity is represented as f = (f_1, f_2, ..., f_n). The PKG computes their secret keys as follows: ... )^{r_e}, g^{r_e}),
Signcrypt: To signcrypt a message M ∈ G_T to Bob, Alice picks a random value r_m and executes the steps below.
Unsigncrypt: On receiving a signcrypted ciphertext c = (c_1, c_2, c_3, c_4, c_5), Bob checks its validity and decrypts it as follows: 2. Verify whether the following equality holds. If it holds, go to the next step. Otherwise, reject the ciphertext:

Correctness
The correctness of the proposed scheme can be verified directly by the property of bilinear pairing, and (2)

Comparisons
We compare the security and the performance efficiency of our scheme with those of the known ID-based signcryption schemes without random oracles in [23,24,26,27]. M_G, E_G, M_{G_T}, E_{G_T}, I_{G_T} and ê denote the multiplication in G, the exponentiation in G, the multiplication in G_T, the exponentiation in G_T, the inversion in G_T and the pairing operation, respectively. The comparisons of the five schemes are summarized in Table 1.
The Extract algorithm is omitted from the comparison since these schemes use the same secret key extraction. The Signcrypt column and the Unsigncrypt column specify the computation cost of generating a signcrypted ciphertext and of unsigncrypting a ciphertext in each scheme. The Size column shows the length of a ciphertext, expressed in elements of G and G_T. The Params column gives the number of group elements of G included in the system parameters. The EUF column and the CCA column indicate whether the scheme is secure against adaptive chosen message attacks and adaptive chosen ciphertext attacks, respectively. The symbol × means that it is vulnerable to the attack, while √ indicates that it resists the attack. Note that the schemes in [23,24,26,27] cannot be regarded as secure, since each of them suffers from either the IND-CCA attack or the EUF-CMA attack. The new scheme achieves both IND-CCA security and EUF-CMA security. From this point of view, our scheme outperforms the previous ones in terms of security.
Assume that the output lengths of the secure hash functions used in the schemes are the same, that is, n_u = n_m = n. Then 2n + 5 group elements are required as public parameters in [23,24,26,27], while only n + 6 elements are needed in our scheme. Namely, the public parameters of the new scheme are only about half as long as those of the schemes in [23,24,26,27]. From this point of view, the shorter public parameters make the new scheme more suitable for applications with low storage requirements. As for the communication cost, the schemes in [26] and [27] produce signcrypted ciphertexts of the same size, which is longer than that of our new scheme and of the schemes in [23,24]. Although the schemes in [23,24] and the new scheme produce signcrypted ciphertexts of the same length, our scheme achieves better performance than the schemes in [23,24] because nearly n/2 fewer multiplications in G are required in the Signcrypt and Unsigncrypt algorithms, respectively. Note that the proposed protocol is quite efficient. According to the benchmark for exponentiations and pairings in [33], it costs about 11.07 ms to signcrypt a plaintext and 33.31 ms to unsigncrypt a ciphertext in our protocol.

Security of the New Scheme
In this section, we prove that the new scheme achieves the properties of IND-CCA and EUF-CMA in the standard model.
Theorem 1. Assume that there exists an adversary A that can distinguish two valid signcrypted ciphertexts with an advantage when running in time t and asking at most q_e private key extraction queries, q_s signcryption queries and q_u unsigncryption queries. Then, there exists a distinguisher C that can solve an instance of the DBDH problem in time t + O((q_e + q_s + q_u) n_u t_mul + (q_e + q_s) t_exp + q_u t_pair) with an advantage Adv(C) > 1/(8(q_e + q_s + q_u)(n + 1)), where t_mul, t_exp and t_pair denote the time for a multiplication, an exponentiation in G and a pairing computation, respectively.
Proof. The distinguisher C is given a random DBDH problem instance (g, g^α, g^β, g^γ, Z ∈ G_T), and it tries to tell whether Z = ê(g, g)^{αβγ} or not. C will act as A's challenger and run A as a subroutine in the IND-CCA game. The following proof is inspired by the techniques of [30-32].
Setup: C sets l = 4q_e, picks the values below at random and keeps them secret: 1. an integer 0 < k < n; 2. an integer x' ∈ Z_l and an n-length vector x = (x_i) with x_i ∈ Z_l; 3. an integer y' ∈ Z_p and an n-length vector y = (y_i) with y_i ∈ Z_p; 4. three integers t, a, c ∈ Z_p.
Additionally, C chooses a collision-resistant hash function H : {0, 1}* → Z_p. For ease of description, we define the following functions as in [30] for an identity e = (e_1, ..., e_n): Then, C sets the public parameters as follows: 1. Set g_1 = g^α and g_2 = g^β, where g^α and g^β are taken from the input DBDH problem instance. 2. Assign u' = g_2^{p−kl+x'} g^{y'} and u_i = g_2^{x_i} g^{y_i}, and set u = (u_1, u_2, ..., u_n). 3. Set δ = g^a and v = g^c. Note that, from the viewpoint of the adversary A, the public parameters assigned above have the same distribution as in the real construction. Additionally, for any identity e, we have
Extract queries: Adversary A can issue at most q_e private key extraction queries. For a private key query on an identity e, the challenger C first checks whether F(e) = 0 (mod l) and, in that case, aborts with a random guess b' of the challenger's bit b. Otherwise, it picks a random r_e ∈ Z_p and responds to A with the pair (... g^{r_e}).
Let r̃_e = r_e − α/F(e). As shown by Waters [30], the simulation is perfect since g^{J(e)})^{r̃_e}, and C can generate a valid private key for e if and only if F(e) ≠ 0 (mod p), for which it suffices to have F(e) ≠ 0 (mod l) [30].
Signcryption queries: Adversary A can issue at most q_s signcryption queries on a message M under a sender's identity e = (e_1, ..., e_n) and a receiver's identity f = (f_1, ..., f_n). C first generates a private key for e just as in the Extract queries described above, then runs the Signcrypt(M, d_e, f) algorithm, creates a valid ciphertext and forwards it to A as the answer. If F(e) = 0 (mod l), C simply aborts.
Unsigncryption queries: Adversary A can issue at most q_u unsigncryption queries on ciphertexts c = (c_1, ..., c_5) for identities e and f. C performs the following steps.
1. Compute h = H(e, f, c_2, c_3, c_4, c_5). 2. Check whether the following equality holds. If it holds, go to the next step. Otherwise, reject the ciphertext:
Suppose that the simulator was given a valid BDH tuple, i.e., Z = ê(g, g)^{αβγ}; then c* is a valid signcryption ciphertext on M_b. Otherwise, if Z is a random element of G_T, the challenge ciphertext gives no information about the simulator's choice of b.
Adversary A then adaptively issues a second series of queries, which are treated in the same way as in the first stage. The restriction in this phase is that A is forbidden to make a key extraction query on the identity f* and to make an unsigncryption query on the challenge ciphertext c* to obtain the corresponding plaintext. At the end of the game, A outputs a guess b' of b. If b' = b, C answers 1, indicating that Z = ê(g, g)^{αβγ}. Otherwise, C answers 0, indicating that Z ≠ ê(g, g)^{αβγ}. We now analyze C's probability of success. The simulation can be completed without aborting on the condition that all extraction queries on identities e satisfy F(e) ≠ 0 (mod l), all signcryption queries (e, f, M) satisfy F(e) ≠ 0 (mod l), and all unsigncryption queries (c, e, f) satisfy F(f) ≠ 0 (mod l). In addition, in the DBDH problem solving phase, F(e*) ≠ 0 (mod l) and F(f*) = 0 (mod l). Assume that the identities queried in extraction, signcryption and unsigncryption queries, not including the challenge identity, are e_1, e_2, ..., e_{q_I}. Obviously, we have q_I < q_e + q_s. The events A_i and A* are defined as follows: A_i: F(e_i) ≠ 0 (mod l); A*: F(f*) = 0 (mod l).
The probability that C does not abort is This probability can be assessed using Waters' technique [30]. The computation is not repeated here since it is similar to Waters' analysis, and the final lower bound is 1/(8(q_e + q_s + q_u)(n + 1)).
The bound on C's computation time comes from the fact that O(n_u) multiplications and O(1) exponentiations are required in each extraction query, O(n_u) multiplications and O(1) exponentiations in each signcryption query, and O(n_u) multiplications and O(1) pairings in each unsigncryption query.
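The partitioning argument used in the proof above (the programmed parameters u' = g_2^{p−kl+x'} g^{y'} and u_i = g_2^{x_i} g^{y_i} in the Setup, the key-simulation condition F(e) ≠ 0, and the non-abort probability) lives entirely in the exponents, so it can be exercised without a pairing. The following Python script is an added example and not code from the paper: a subgroup of order 1019 in Z_2039^* (constructed toy values) stands in for G, g and g_2 are arbitrary subgroup elements, k is drawn from 0..n as in Waters [30] (the Setup above writes 0 < k < n), and l = 4q with q the number of queried identities (the Setup uses l = 4q_e, while Theorem 1 counts q_e + q_s + q_u). It first checks the identity u' ∏ u_i^{e_i} = g_2^{F(e)} g^{J(e)} from [30] that the simulator relies on, then estimates by Monte Carlo the probability that the simulation runs to the end, comparing it with the 1/(8(q_e + q_s + q_u)(n + 1)) bound of Theorem 1.

```python
"""Waters-style partitioning behind the Theorem 1 simulation (added example,
not code from the paper). A toy prime-order subgroup of Z_P^* stands in for G;
no pairing is implemented, only the exponent bookkeeping the simulator needs."""
import random

P_MOD = 2039   # constructed toy modulus: 2039 = 2*1019 + 1 is prime
p = 1019       # toy prime order of the subgroup that plays G (p | P_MOD - 1)
g = 4          # 2^2 mod P_MOD, a generator of the order-p subgroup, plays g
g2 = 9         # 3^2 mod P_MOD, another subgroup element, plays g_2


def sample_secret(n, l, rng):
    """The simulator's hidden values (k, x', x, y', y) from the proof's Setup.
    k is drawn from 0..n as in Waters [30] (assumption; the paper writes 0 < k < n)."""
    k = rng.randint(0, n)
    xp, xs = rng.randrange(l), [rng.randrange(l) for _ in range(n)]
    yp, ys = rng.randrange(p), [rng.randrange(p) for _ in range(n)]
    return (k, xp, xs, yp, ys)


def public_params(secret, l):
    """Derive u' = g_2^{p-kl+x'} g^{y'} and u_i = g_2^{x_i} g^{y_i} as in the Setup."""
    k, xp, xs, yp, ys = secret
    up = pow(g2, (p - k * l + xp) % p, P_MOD) * pow(g, yp, P_MOD) % P_MOD
    us = [pow(g2, xi, P_MOD) * pow(g, yi, P_MOD) % P_MOD for xi, yi in zip(xs, ys)]
    return up, us


def F(secret, l, e):
    """F(e) = -k*l + x' + sum_i x_i e_i over the integers (p - k*l in the
    exponent is just -k*l in Z_p). |F(e)| < p as long as l*(n+1) < p."""
    k, xp, xs, _, _ = secret
    return -k * l + xp + sum(xi * ei for xi, ei in zip(xs, e))


def J(secret, e):
    """J(e) = y' + sum_i y_i e_i (mod p)."""
    _, _, _, yp, ys = secret
    return (yp + sum(yi * ei for yi, ei in zip(ys, e))) % p


def identity_hash(params, e):
    """What everyone can compute from the public parameters: u' * prod_{e_i = 1} u_i."""
    up, us = params
    for ui, ei in zip(us, e):
        if ei:
            up = up * ui % P_MOD
    return up


def programmed_form(secret, l, e):
    """The simulator's view of the same group element: g_2^{F(e)} g^{J(e)}."""
    return pow(g2, F(secret, l, e) % p, P_MOD) * pow(g, J(secret, e), P_MOD) % P_MOD


def check_programming(n, l, seed, samples=50):
    """True if both views agree on random identities (sanity check of the Setup)."""
    rng = random.Random(seed)
    secret = sample_secret(n, l, rng)
    params = public_params(secret, l)
    return all(identity_hash(params, e) == programmed_form(secret, l, e)
               for e in ([rng.randrange(2) for _ in range(n)] for _ in range(samples)))


def simulation_does_not_abort(secret, l, queried, f_star):
    """Abort conditions of the proof: every queried identity needs F(e) != 0 (mod l)
    so that a key can be simulated, while the challenge receiver needs F(f*) = 0 (mod p)
    so that u' prod u_i^{f*_i} = g^{J(f*)} and c*_4 = C^{J(f*)} can be formed."""
    if any(F(secret, l, e) % l == 0 for e in queried):
        return False
    return F(secret, l, f_star) % p == 0


def estimate_non_abort(n, q, trials, seed=1):
    """Monte Carlo estimate of Pr[no abort] with l = 4q and q distinct queried
    identities (q plays q_e + q_s + q_u), none equal to the challenge receiver f*."""
    rng = random.Random(seed)
    l = 4 * q
    hits = 0
    for _ in range(trials):
        secret = sample_secret(n, l, rng)
        f_star = [rng.randrange(2) for _ in range(n)]
        queried = []
        while len(queried) < q:
            e = [rng.randrange(2) for _ in range(n)]
            if e != f_star and e not in queried:
                queried.append(e)
        hits += simulation_does_not_abort(secret, l, queried, f_star)
    return hits / trials


def lower_bound(n, q):
    """The 1/(8(q_e + q_s + q_u)(n + 1)) bound quoted in Theorem 1."""
    return 1 / (8 * q * (n + 1))


if __name__ == "__main__":
    print("Setup programming consistent:", check_programming(8, 16, seed=3))
    est = estimate_non_abort(8, 4, 30000)
    print(f"Pr[no abort] ~ {est:.4f}  vs  bound {lower_bound(8, 4):.4f}")
```

With n = 8 and q = 4 the estimate comes out at roughly 0.005, above the bound of about 0.0035. The gap is expected: the bound only uses the 1/l chance that F(f*) vanishes modulo l, the uniform 1/(n+1) choice of k, and a union bound over the queried identities, each of which collides with f* modulo l with probability 1/l.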
Theorem 2. Assume that there exists an adversary F that can (t, q_e, q_s, q_u, )-forge a valid signcryption ciphertext on a message M. Then, we can construct a new algorithm C that solves the CDH problem.
Proof. This proof also proceeds by reduction. Assuming that a forger F for our scheme exists, we construct a challenger C, which runs F as a subroutine, to solve an instance of the CDH problem, contradicting the CDH assumption. Specifically, given a group G, a generator g and two elements g^α, g^β ∈ G, C's goal is to output g^{αβ}. First, C sets the public parameters in the same way as in the proof of Theorem 1. Note that C assigns g_1 = g^α, g_2 = g^β, δ = g^a and v = g^c, and for an ... 3)^{a+ch*} → g^{αβ} as the solution to the given CDH problem instance.

Conclusions
In this paper, we put forth a novel identity-based signcryption scheme secure in the standard model, since the existing schemes were shown to be insecure. The new construction makes use of the techniques of Boneh-Boyen selective identity-based encryption, Waters' identity-based encryption and Paterson-Schuldt's identity-based signature. The proposed scheme outperforms the previous ones in terms of stronger security, higher performance efficiency and shorter system parameters. We also show that the new scheme achieves CCA security under the decisional bilinear Diffie-Hellman assumption and existential unforgeability against adaptive chosen message attacks under the computational Diffie-Hellman assumption.

3. Check whether F(f) ≠ 0 (mod l) holds. If it holds, C first generates a private key (d_{f,1}, d_{f,2}) for the receiver f, then computes the plaintext c_2 · ê(d_{f,2}, c_4) · ê(d_{f,1}, c_3)^{−1} → M and forwards it to A. Otherwise, the simulation aborts.
Challenge: After a polynomially bounded number of queries, A outputs two equal-length plaintexts M_0, M_1 ∈ G_T together with a pair of identities e*, f* on which it wishes to be challenged. C fails the simulation if A has made a key extraction query on f* during the first stage, and C aborts if F(f*) ≠ 0 (mod l). Otherwise, C picks a random bit b and constructs the challenge ciphertext on M_b using the input of the DBDH problem (g, A, B, C, Z) as follows: 1. Pick a random number r*_e ∈ Z_p. 2. Compute c*_2 = Z · M_b. 3. Set c*_3 = C. 4. Compute c*_4 = C^{J(f*)}. 5. Compute c*_5 = g^{−... 6. Compute h* = H(e*, f*, c*_2, c*_3, c*_4, c*_5) ∈ Z_p. 7. ... J(e*))^{r*_e} C^{a+ch*}. 8. Output the challenge ciphertext c* = (c*_1, c*_2, c*_3, c*_4, c*_5).

Table 1. Security and performance comparisons.