Abstract
Signcryption can realize the function of encryption and signature in a reasonable logic step, which can lower computational costs and communication overheads. In 2008, Fagen Li et al. proposed an efficient secure id-based threshold signcryption scheme. The authors declared that their scheme had the attributes of confidentiality and unforgeability in the random oracle model. However, our previous analysis shows that scheme is insecure against malicious attackers. Further, we propose a probably-secure improved scheme to correct the vulnerable and give the unforgeability and confidentiality of our improved scheme under the existing security assumption.
Access provided by Autonomous University of Puebla. Download conference paper PDF
Similar content being viewed by others
Keywords
1 Introduction
Encryption and signature are the two basic cryptographic tools offered by public key cryptography for achieving confidentiality and authentication. Signcryption can realize the function of encryption and signature in a reasonable logic step which is proposed by Zheng [1]. Comparing to the traditional way of signature then encryption or encryption then signature, signcryption can lower the computational costs and communication overheads. As a result, a number of signcryption schemes [2–8] were proposed following Zheng’s work. The security notion for signcryption was first formally defined in 2002 by Baek et al. [9] against adaptive chosen ciphertext attack and adaptive chosen message attack. The same as signature and encryption, signcryption meets the attributes of confidentiality and unforgeability as well. In 1984, Shamir [10] introduced identity-based public key cryptosystem, in which a user’s public key can be calculated from his identity and defined hash function, while the user’s private key can be calculated by a trusted party called Private Key Generator (PKG). The identity can be any binary string, such as an email address and needn’t to be authenticated by the certification authentication. As a result, the identity-based public key cryptosystem simplifies the program of key management to the conventional public key infrastructure. In 2001, Boneh and Franklin [11] found bilinear pairings positive in cryptography and proposed the first practical identity-based encryption protocol using bilinear pairings. Soon, many identity-based [12–18] schemes were proposed and the bilinear pairings became important tools in constructing identity-based protocols. Group-oriented cryptography [19] was introduced by Desmedt in 1987. Elaborating on this concept, Desmedt and Frankel [20] proposed a (t, n) threshold signature scheme based RSA system [21]. In such a (t, n) threshold signature scheme, any to out of n signers in the group can collaboratively sign messages on behalf of the group for sharing the signing capability. Identity-based signcryption schemes combine the advantages of identity-based public key cryptosystem and Signcryption. The first identity-based threshold signature scheme was proposed by Baek and Zheng [22]. Then Duan et al. [23] proposed an identity-based threshold signcryption scheme in the same year by combining the concepts of identity based threshold signature and encryption together. However, in Duan et al.’s scheme, the master-key of the PKG is distributed to a number of other PKGs, which creates a bottleneck on the PKGs. In 2005, Peng and Li proposed an identity-based threshold signcryption scheme [24] based on Libert and Quisquater’s identity-based signcryption scheme [25]. However, Peng and Li’s scheme dose not provide the forward security. In 2008, another scheme was proposed by Fagen Li et al. [26], which is more efficient comparing to previous scheme.
In this chapter, we show that the threshold signcryption scheme of Fagen Li et al. is vulnerable if the attacker can replaces the group public key or even the attacker can intercept the intermediate messages. Further, we propose a probably-secure improved scheme to correct the vulnerable and give the unforgeability and confidentiality of our improved scheme under the existing security assumption.
2 The Improvement of Fagen Li et al.’ Scheme
The scheme involves four roles: the PKG, a trust dealer, a sender group \( U_{A} = \left\{ {M_{1} ,M_{2} , \ldots ,M_{n} } \right\} \) with identity \( ID_{A} \) and a receiver Bob with identity \( ID_{B} .\)
Setup: given a security parameter k, the PKG chooses groups \( G_{1} \) and \( G_{2} \) of prime order q (with \( G_{1} \) additive and \( G_{2} \) multiplicative), a generator P of \( G_{1} ,\) a bilinear map \( e:G_{1} \times G_{1} \to G_{2} ,\) a secure symmetric cipher (E,D) and hash functions \( H_{1} :\left\{ {0,1} \right\}^{*} \to G_{1}, \)\( H_{2} :G_{2} \to \left\{ {0,1} \right\}^{{n_{1} }},\)\( H_{3} :\left\{ {0,1} \right\}^{*} \times G_{1} \times \left\{ {0,1} \right\}^{*} \times G_{1} \to Z_{q}^{*} .\) The PKG chooses a master-key \( s \in {}_{R}Z_{q}^{*} \) and computes \( P_{pub} = sP .\) The PKG publishes system parameters \( \left\{ {G_{1} ,G_{2} ,n_{1} ,e,P,P_{pub} ,E,D,H_{1} ,H_{2} ,H_{3} } \right\} \) and keeps the master-key s secret. Extract: Given an identity ID, the PKG computes \( Q_{ID} = H_{1} (ID) \) and the private key \( S_{ID} = sQ_{ID} .\) Then PKG sends the private key to its owner in a secure way.
Keydis: suppose that a threshold t and n satisfy \( 1 \le t \le n < q .\) To share the private key \( S_{{ID_{A} }} \) among the group \( U_{A} ,\) the trusted dealer performs the steps below.
-
1)
Choose \( F_{1} , \ldots ,F_{t - 1} \) uniformly at random from \( G_{1}^{*} ,\) construct a polynomial \( F(x) = S_{{ID_{A} }} + xF_{1} + \cdots + x^{t - 1} F_{t - 1} \)
-
2)
Compute \( S_{i} = F(i) \) for \( i = 0, \ldots ,n .\) (\( S_{0} = S_{{ID_{A} }} \)). Send \( S_{i} \) to member \( M_{i} \) for \( i = 1, \ldots ,n \) secretly.
-
3)
Broadcast \( y_{0} = e(S_{{ID_{A} }} ,P) \) and \( y_{j} = e(F_{j} ,P) \) for \( j = 1, \ldots ,t - 1 .\)
-
4)
Each \( M_{i} \) then checks whether his share \( S_{i} \) is valid by computing \( e(S_{i} ,P) = \prod {_{j = 0}^{t - 1} } y_{j}^{{i^{j} }} .\) If \( S_{i} \) is not valid, \( M_{i} \) broadcasts an error and requests a valid one.
Signcrypt: let \( M_{1} , \ldots ,M_{t} \) are the t members who want to cooperate to signcrypt a message m on behalf of the group \( U_{A} .\)
-
1)
Each \( M_{i} \) chooses \( x_{i} \in {}_{R}Z_{q}^{*} ,\) computes \( R_{1i} = x_{i} P ,\) \( R_{2i} = x_{i} P_{pub} ,\) \( \tau_{i} = e(R_{2i} ,Q_{{ID_{B} }} ) \) and sends \( \left( {R_{1i} ,\tau } \right) \) to the clerk C.
-
2)
The clerk C (one among the t cooperating players) computes \( R_{1} = \prod {_{i = 1}^{t} } R_{1i} ,\) \( \tau = \prod {_{i = 1}^{t} } \tau_{i} ,\) \( k = H_{2} (\tau ) ,\) \( c = E_{k} (m) ,\) and \( h = H_{3} (m,R_{1} ,k,Q_{{ID_{A} }} ) .\)
-
3)
Then the clerk C sends h to \( M_{i} \) for \( i = 0, \ldots ,t .\)
-
4)
Each \( M_{i} \) computes the partial signature \( W_{i} = x_{i} P_{pub} + h\eta_{i} S_{i} \) and sends it to the clerk C, where \( \eta = \prod {_{j = 1,j \ne i}^{t} } - j(i - j)^{ - 1} \) mod q.
-
5)
Clerk C verifies the correctness of partial signatures by checking if the following equation holds: \( e(P,W_{i} ) = e(R_{1i} ,P_{pub} )(\prod {_{j = 0}^{t - 1} } y_{j}^{{i^{j} }} )^{{h\eta_{i} }} \)
If all partial signatures are verified to be legal, the clerk C computes \( W = \sum {_{i = 1}^{t} W_{i} } \); otherwise rejects it and requests a valid one.
-
6)
The final threshold signcryption is \( \sigma = (c,R_{1} ,W) .\)
Unsigncrypt: when receiving \( \sigma ,\) Bob follows the steps below.
-
1)
Compute \( \tau = e(R_{1} ,S_{{ID_{B} }} ) \) and \( k = H_{2} (\tau ) .\)
-
2)
Recover \( m = D_{k} (c) \)
-
3)
Compute \( h = H_{3} (m,R_{1} ,k,Q_{{ID_{A} }} ) \) and accept \( \sigma \) if and only if the following equation holds: \( e(P,W) = e(P_{pub}, R_{1}+ hQ_{ID_{A}})\)
3 Security Analysis of Our Improved Scheme
In this section, we will give a formal proof on Unforgeability and Confidentiality of our scheme under CDH problem and DBDH problem.
Theorem 1
(Unforgeability) Our improved scheme is secure against chosen message attack under the random oracle model if CDH problem is hard.
Proof
Suppose the challenger C wants to solve the CDH problem. That is, given \( (aP,bP) \) C should computes \( abP .\)
C chooses system parameters \( \left\{ {G_{1} ,G_{2} ,n_{1} ,e,P,P_{pub} ,E,D,H_{1} ,H_{2} ,H_{3} } \right\} ,\) sets \( P_{pub} = aP ,\) and sends parameters to the adversary E (the hash functions \( H_{1} ,H_{2} ,H_{3} \) are random oracles).
\( H_{1} \)query: C maintains a list \( L_{1} \) to record \( H_{1} \)queries.\( L_{1} \) has the form of \( (ID,\alpha ,Q_{ID} ,S_{ID} ) .\) Suppose the adversary Eve can make \( H_{1} \) queries less than \( q_{{H_{1} }} \) times. C selects a random number \( j \in [1,q_{{H_{1} }} ] .\) If C receives the j-th query, he will return \( Q_{{ID_{j} }} = bP \) to Eve and sets \( (ID_{j} , \bot ,Q_{{ID_{j} }} = bP, \bot ) \) on \( L_{1} .\) Else C selects \( \alpha_{i} \in Z_{q}^{*} \) computes \( Q_{{ID_{i} }} = \alpha_{i} P ,\)\( S_{{ID_{i} }} = \alpha_{i} P_{pub} ,\) returns \( Q_{{ID_{i} }} \) to E and sets \( (ID_{i} ,\alpha_{i} ,Q_{i} ,S_{i} ) \) on \( L_{1} .\)
\( H_{2} \)query: C maintains a list \( L_{2} \) to record \( H_{2} \)queries.\( L_{2} \) has the form of \( (\tau ,k) .\) If C receives a query about \( \tau_{i} ,\) selects \( k_{i} \in Z_{q}^{*} ,\) returns \( k_{i} \) to E, and sets \( (\tau_{i} ,k_{i} ) \) on \( L_{2} .\)
\( H_{3} \)query: C maintains a list \( L_{3} \) to record \( H_{3} \) queries. \( L_{3} \) has the form of \( (m,R,k,Q,h) .\) If C receives a query about \( (m_{i} ,R_{1i} ,k_{i} ,Q_{{ID_{i} }} ) ,\) selects \( h_{i} \in Z_{q}^{*} ,\) returns \( h_{i} \) to Eve, and sets \( (m_{i} ,R_{1i} ,k_{i} ,Q_{{ID_{i} }} ,h_{i} ) \) on \( L_{3} .\)
Signcrypt query: if C receives a query about Signcrypt with message \( m_{i} ,\) identity \( ID_{i} \)
-
1.
Select \( x_{i} \in Z_{q}^{*} ,\) \( W_{i} \in G_{1} \)
-
2.
Look-up \( L_{1} ,\) \( L_{2} ,\) set \( Q_{{ID_{i} }} = \alpha_{i} P \) in \( L_{1} ,\) \( k_{i} = k_{i} \) in \( L_{2}, \) and compute \( R_{i} = x_{i} Q_{{ID_{i} }} \)
-
3.
Set \( h_{i} = H_{3} (m_{i} ,R_{i} ,k_{i} ,Q_{{ID_{i} }} ) .\)
-
4.
Return \( (h_{i} ,W_{i} ) \) to Eve.
Finally, Eve output a forged signcryption \( (m,h_{i} ,W_{i} ,Q_{{ID_{i} }} ) .\) If \( Q_{{ID_{i} }} \ne Q_{{ID_{j} }} ,\) Eve fails. Else, if \( Q_{{ID_{i} }} = Q_{{ID_{j} }} ,\) Eve succeeds in forging a signcryption.
As a result, C gains two signcryption ciphertexts which meet:
Thus,
Note \( Q = Q_{{ID_{i} }} = Q_{{ID_{j} }} ,\) (4.1) can be expressed as
(4.2) can be expressed as \( e\left( {P,(W_{i} - W_{j} )} \right) = e\left( {aP,((\alpha_{i} - \alpha_{j} ) + (h_{i} - h_{j} ))bP} \right) \)
Hence, the CDH problem \( abP = \frac{{W_{i} - W_{j} }}{{(\alpha_{i} - \alpha_{j} ) + (h_{i} - h_{j} )}} \) can be computed by C with \( aP \) and \( bP .\)
Theorem 2
(Confidentiality) Our improved scheme is secure against adaptive chosen ciphertext and identity attack under the random oracle model if DBDH problem is hard.
Proof
Suppose the challenger C wants to solve the DBDH problem. That is, given \( (P,aP,bP,cP,\tau ) ,\) C should decide whether \( \tau = e(P,P)^{abc} \) or not. If there exists an adaptive chosen ciphertext and identity attacker for our improved scheme, C can solve the DBDHP.
C chooses system parameters \( \left\{ {G_{1} ,G_{2} ,n_{1} ,e,P,P_{pub} ,E,D,H_{1} ,H_{2} ,H_{3} } \right\} ,\) sets\( P_{pub} = aP ,\) and sends parameters to the adversary E (the hash functions \( H_{1} ,H_{2} ,H_{3} \)are random oracles).
\( H_{1} \) query: C maintains a list \( L_{1} \) to record \( H_{1} \) queries. \( L_{1} \) has the form of \( (ID,\alpha ,Q_{ID} ,S_{ID} ) .\) Suppose the adversary Eve can make \( H_{1} \) queries less than \( q_{{H_{1} }} \) times. C selects a random number \( j \in [1,q_{{H_{1} }} ] .\) If C receives the j-th query, he will return \( Q_{{ID_{j} }} = bP \) to Eve and sets \( (ID_{j} , \bot ,Q_{{ID_{j} }} = bP, \bot ) \) on \( L_{1} .\) Else C selects \( \alpha_{i} \in Z_{q}^{*} \) computes \( Q_{{ID_{i} }} = \alpha_{i} P ,\)\( S_{{ID_{i} }} = \alpha_{i} P_{pub} ,\) returns \( Q_{{ID_{i} }} \) to E and sets \( (ID_{i} ,\alpha_{i} ,Q_{i} ,S_{i} ) \) on \( L_{1} .\)
\( H_{2} \) query: C maintains a list \( L_{2} \) to record \( H_{2} \) queries.\( L_{2} \) has the form of \( (\tau ,k) .\) If C receives a query about \( \tau_{i} ,\) selects \( k_{i} \in Z_{q}^{*} ,\) returns \( k_{i} \) to E, and sets \( (\tau_{i} ,k_{i} ) \) on \( L_{2} .\)
\( H_{3} \) query: C maintains a list \( L_{3} \) to record \( H_{3} \) queries.\( L_{3} \) has the form of \( (m,R,k,Q,h) .\) If C receives a query about \( (m_{i} ,R_{1i} ,k_{i} ,Q_{{ID_{i} }} ) ,\) selects \( h_{i} \in Z_{q}^{*} ,\) returns \( h_{i} \) to Eve, and sets \( (m_{i} ,R_{1i} ,k_{i} ,Q_{{ID_{i} }} ,h_{i} ) \) on \( L_{3} .\)
Signcrypt query: if C receives a query about Signcrypt with message \( m_{i} ,\) identity \( ID_{i} \)
-
1.
Select \( c_{i} \in Z_{q}^{*} ,\) \( W_{i} \in G_{1} \)
-
2.
Look-up \( L_{1} ,\) \( L_{2} ,\) set\( Q_{{ID_{i} }} = \alpha_{i} P \) in \( L_{1} ,\) \( k_{i} = k_{i} \) in \( L_{2} .\) Compute \( R_{i} = c_{i} P ,\) if \( ID_{i} \ne ID_{j} .\) Else, if \( ID_{i} = ID_{j} ,\) compute \( R_{i} = cP \)
-
3.
Set \( h_{i} = H_{3} (m_{i} ,R_{i} ,k_{i} ,Q_{{ID_{i} }} ) .\)
-
4.
Return \( (h_{i} ,W_{i} ) \) to Eve.
After the first stage, Eve chooses a pair of identities on which he wishes to be challenged on \( (ID_{i} ,ID_{j} ) .\) Note that Eve can not query the identity of \( ID_{A} .\) Then Eve outputs two plaintexts \( m_{0} \) and \( m_{1} .\) C chooses a bit \( b \in \{ 0,1\} \) and signcrypts \( m_{b} .\) To do so, he sets \( R_{1}^{*} = cP ,\) obtains \( k^{*} = H_{2} (\tau ) \) from the hash function \( H_{2} ,\) and computes \( c_{b} = E_{{k_{1}^{*} }} (m_{b} ) .\) Then C chooses \( W^{*} \in G_{1} \) and sends the ciphertext \( \sigma^{*} = (c_{b} ,R_{1}^{*} ,W^{*} ) \) to Eve. Eve can performs a second series of queries like at the first one. At the end of the simulation, she produces a bit \( b^{'} \) for which he believes the relation \( \sigma^{*} \) = Signcrypt \( (m_{{b^{'} }} ,\{ S_{i} \}_{i = 1, \ldots ,t} ,ID_{j} ) \)holds. If \( b = b^{'} ,\) C outputs \( \tau = e(R_{1}^{*} ,S_{{ID_{j} }} ) = e(cP,abP) = e(P,P)^{abc} .\) Else, C outputs \( \tau \ne e(P,P)^{abc} .\) So C can solve the BDDH problem.
4 Conclusion
In this chapter, we show that the threshold signcryption scheme of Fagen Li et al. is vulnerable if the attacker can replaces the group public key. Then we point out that the receiver uses the senders’ public key without any verification in the unsigncrypt stage cause this attack. Further, we propose a probably-secure improved scheme to correct the vulnerable and give the unforgeability and confidentiality of our improved scheme under the existing security assumption.
References
Zheng Y (1997) Digital signcryption or how to achieve cost (signature & Encryption) ≪ cost (signature) + cost (encryption), In: Proceedings of advances in CRYPTO’97, LNCS 1294. Springer, Berlin, pp 165–179
Bao F, Deng RH (1997) A signcryption scheme with signature directly verifiable by public key. PKC’98 LNCS, vol 1431. Springer, Berlin, pp 55–59
Chow SSM, Yiu SM, Hui LCK, Chow KP (2004) Efficient forward and provably secure ID-based signcryption scheme with public verifiability and public ciphertext authenticity. ICISC’03 LNCS, vol 2971. Springer, Berlin, pp 352–269
Boyen X, Multipurpose identity based signcryption: a swiss army knife for identity based cryptography. CRYPT’03 LNCS, vol 2729. Springer, Berlin, pp 383–399
Mu Y, Varadharajan V (2000) Distributed signcryption. INDOCRYPT’00. LNCS, vol 1977. Springer, Berlin, pp 155–164
Yang G, Wong DS, Deng X (2005) Analysis and improvement of a signcryption scheme with key privacy. ISC’05. LNCS, vol 3650. Springer, Berlin, pp 218–232
SteinFeld R, Zheng Y (2000) A signcryption scheme based on integer factorization. ISW’00. LNCS, vol 1975. Springer, Berlin, pp 308–322
Libert B, Quisquater J (2004) Efficient signcryption with key prevacy from gap Diffie-Hellman groups. PKC’04. LNCS vol 2947. Springer, Berlin, pp 187–200
Baek J, Steinfeld R, Zheng Y (2002) Formal proofs for the security of signcryption. PKC’02. LNCS vol 2274. Springer, Berlin, pp 80–98
Shamir A (1984) Identity-based cryptosystems and signature schemes. CRYPTO’84. LNCS vol 196. Springer, Berlin, pp 47–53
Boneh D, Franklin M (2001) Identity-based encryption from well pairing. CRYPTO’01. LNCS vol 2139. Springer, Berlin, pp 213–229
Barreto PSLM, Libert B, Mccullagh N, Quisquater JJ (2005) Efficient and provably-secure identity-based signatures and signcryption from bilinear maps. ASIACRYPT’05. LNCS, vol 3788. Springer, Berlin, pp 515–532
Li F, Hu X, Nie X (2009) A new multi-receiver ID-based signcryption scheme for group communication. ICCCAS’2009. IEEE Press, San Jose, pp 296–300
Han Y, Gui X (2009) Multi-recipient signcryption for secure group communication. ICIEA 2009, pp 161–165
Jin Z, Wen Q, Du H (2010) An improved semantically-secure identity-based signcryption scheme in the standard model. Comput Electr Eng 36(3):545–552
Huang X, Susilo W, Mu Y, Zhang E (2005) Identity-based ring signcryption schemes: cryptographic primitives for preserving privacy and authenticity in the ubiquitous world. 19th international conference on advanced information networking and applications, Taiwan, pp 649–654
Liu Z, Hu Y, Zhang X, Ma H (2010) Certificateless signcryption scheme in the standard model. Inf Sci 180(3):452–464
Yu Y, Bo Y, Sun Y, Zhu S-l (2009) Identity based signcryption scheme without random oracles. Comput Stand Interfac 31(1):56–62
Desmedt Y (1987) Society and group oriented cryptography: a now concept. CRYPTO’87. LNCS, vol 293. Springer, Berlin, pp 120–127
Desmedt Y, Frankel Y (1991) Shared generation of authenticators and signatures. CRYPTO’91. LNCS, vol 576. Springer, Berlin, pp 457–469
Rivest RL, Shamir A, Adleman L (1978) A method for obtaining digital signatures and public-key cryptosystems. Commun ACM 2(2):120–126
Baek J, Zheng Y (2004) Identity-based threshold signature scheme from the bilinear pairings. International conference on information technology, Las Vegas, pp 124–128
Duan S, Cao Z, Lu R (2004) Robust ID-based threshold signcryption scheme from pairings. International conference on information security, Shanghai, pp 33–37
Peng C, Li X (2005) An identity-based threshold signcryption scheme with semantic security. Computational intelligence and security 2005. LNAI, vol 3902. Springer, Berlin, pp 173–179
Libert B, Quisquater JJ (2003) Anew identity based signcryption schemes from pairings. IEEE information theory workshop, Paris, pp 155–158
Li F, Yu Y (2008) An efficient and provably secure ID-based threshold signcryption scheme, ICCCAS. Springer, Xiamen, pp 488–492
Malone LJ (2002) Identity based signcryption. In: Cryptology ePrint archive. Report, (14):098–106
Chow SSM, Yiu SM, Hui LCK, Chow KP (2004) Efficient forward and provably secure ID-based signcryption scheme with public verifiability and public ciphertext authenticity. In: Lin J-I, Lee D-H (eds) ICISC 2003, LNCS, vol 2971. Springer, Berlin, pp 352–369
Boyen X (2003) Multipurpose identity based signcryption: a Swiss army knife for identity based cryptography. In: Boneh D (ed) CRYPTO 2003. LNCS, vol 2729. Springer, Berlin, pp 383–399
Acknowledgment
The authors would like to thank the editors and anonymous reviewers for their valuable comments. This work is supported by the National Natural Science Foundation of China under Grant No. 60873235 and 60473099, the National Grand Fundamental Research 973 Program of China (Grant No. 2009CB320706), Scientific and Technological Developing Scheme of Jilin Province (20080318), and Program of New Century Excellent Talents in University (NCET-06-0300).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer Science+Business Media B.V.
About this paper
Cite this paper
Yuan, W., Hu, L., Cheng, X., Li, H., Chu, J., Sun, Y. (2012). Improvement of an ID-Based Threshold Signcryption Scheme. In: He, X., Hua, E., Lin, Y., Liu, X. (eds) Computer, Informatics, Cybernetics and Applications. Lecture Notes in Electrical Engineering, vol 107. Springer, Dordrecht. https://doi.org/10.1007/978-94-007-1839-5_4
Download citation
DOI: https://doi.org/10.1007/978-94-007-1839-5_4
Published:
Publisher Name: Springer, Dordrecht
Print ISBN: 978-94-007-1838-8
Online ISBN: 978-94-007-1839-5
eBook Packages: EngineeringEngineering (R0)