1 Introduction

Encryption and signature are the two basic cryptographic tools offered by public key cryptography for achieving confidentiality and authentication. Signcryption, proposed by Zheng [1], realizes the functions of encryption and signature in a single logical step. Compared to the traditional approaches of signature-then-encryption or encryption-then-signature, signcryption lowers the computational cost and communication overhead. As a result, a number of signcryption schemes [2–8] were proposed following Zheng's work. The security notion for signcryption was first formally defined in 2002 by Baek et al. [9] against adaptive chosen ciphertext attack and adaptive chosen message attack. Like signature and encryption, signcryption provides the attributes of confidentiality and unforgeability. In 1984, Shamir [10] introduced the identity-based public key cryptosystem, in which a user's public key can be computed from his identity using a defined hash function, while the user's private key is computed by a trusted party called the Private Key Generator (PKG). The identity can be any binary string, such as an email address, and need not be certified by a certification authority. As a result, the identity-based public key cryptosystem simplifies key management compared to conventional public key infrastructure. In 2001, Boneh and Franklin [11] showed that bilinear pairings have positive applications in cryptography and proposed the first practical identity-based encryption protocol using bilinear pairings. Soon many identity-based schemes [12–18] were proposed, and bilinear pairings became important tools for constructing identity-based protocols. Group-oriented cryptography [19] was introduced by Desmedt in 1987. Elaborating on this concept, Desmedt and Frankel [20] proposed a (t, n) threshold signature scheme based on the RSA system [21].
In such a (t, n) threshold signature scheme, any t out of the n signers in the group can collaboratively sign messages on behalf of the group, thereby sharing the signing capability. Identity-based signcryption schemes combine the advantages of the identity-based public key cryptosystem and signcryption. The first identity-based threshold signature scheme was proposed by Baek and Zheng [22]. In the same year, Duan et al. [23] proposed an identity-based threshold signcryption scheme by combining the concepts of identity-based threshold signature and encryption. However, in Duan et al.'s scheme the master-key of the PKG is distributed among a number of other PKGs, which creates a bottleneck at the PKGs. In 2005, Peng and Li proposed an identity-based threshold signcryption scheme [24] based on Libert and Quisquater's identity-based signcryption scheme [25]. However, Peng and Li's scheme does not provide forward security. In 2008, another scheme was proposed by Fagen Li et al. [26], which is more efficient than the previous schemes.

In this chapter, we show that the threshold signcryption scheme of Fagen Li et al. is vulnerable if the attacker can replace the group public key, or even if the attacker can merely intercept the intermediate messages. Further, we propose a provably secure improved scheme that corrects the vulnerability, and we prove the unforgeability and confidentiality of the improved scheme under existing security assumptions.

2 The Improvement of Fagen Li et al.'s Scheme

The scheme involves four roles: the PKG, a trusted dealer, a sender group \( U_{A} = \{M_{1}, M_{2}, \ldots, M_{n}\} \) with identity \( ID_{A} \), and a receiver Bob with identity \( ID_{B} \).

Setup: given a security parameter k, the PKG chooses groups \( G_{1} \) and \( G_{2} \) of prime order q (with \( G_{1} \) additive and \( G_{2} \) multiplicative), a generator P of \( G_{1} \), a bilinear map \( e: G_{1} \times G_{1} \to G_{2} \), a secure symmetric cipher (E, D) and hash functions \( H_{1}: \{0,1\}^{*} \to G_{1} \), \( H_{2}: G_{2} \to \{0,1\}^{n_{1}} \), \( H_{3}: \{0,1\}^{*} \times G_{1} \times \{0,1\}^{*} \times G_{1} \to Z_{q}^{*} \). The PKG chooses a master-key \( s \in_{R} Z_{q}^{*} \) and computes \( P_{pub} = sP \). The PKG publishes the system parameters \( \{G_{1}, G_{2}, n_{1}, e, P, P_{pub}, E, D, H_{1}, H_{2}, H_{3}\} \) and keeps the master-key s secret.

Extract: given an identity ID, the PKG computes \( Q_{ID} = H_{1}(ID) \) and the private key \( S_{ID} = sQ_{ID} \). The PKG then sends the private key to its owner in a secure way.

Keydis: suppose the threshold t and the group size n satisfy \( 1 \le t \le n < q \). To share the private key \( S_{ID_{A}} \) among the group \( U_{A} \), the trusted dealer performs the steps below.

1) Choose \( F_{1}, \ldots, F_{t-1} \) uniformly at random from \( G_{1}^{*} \) and construct the polynomial \( F(x) = S_{ID_{A}} + xF_{1} + \cdots + x^{t-1}F_{t-1} \).

2) Compute \( S_{i} = F(i) \) for \( i = 0, \ldots, n \) (so \( S_{0} = S_{ID_{A}} \)). Send \( S_{i} \) secretly to member \( M_{i} \) for \( i = 1, \ldots, n \).

3) Broadcast \( y_{0} = e(S_{ID_{A}}, P) \) and \( y_{j} = e(F_{j}, P) \) for \( j = 1, \ldots, t-1 \).

4) Each \( M_{i} \) then checks whether his share \( S_{i} \) is valid by verifying \( e(S_{i}, P) = \prod_{j=0}^{t-1} y_{j}^{i^{j}} \). If \( S_{i} \) is not valid, \( M_{i} \) broadcasts an error and requests a valid one.

Signcrypt: let \( M_{1}, \ldots, M_{t} \) be the t members who want to cooperate to signcrypt a message m on behalf of the group \( U_{A} \).

1) Each \( M_{i} \) chooses \( x_{i} \in_{R} Z_{q}^{*} \), computes \( R_{1i} = x_{i}P \), \( R_{2i} = x_{i}P_{pub} \), \( \tau_{i} = e(R_{2i}, Q_{ID_{B}}) \) and sends \( (R_{1i}, \tau_{i}) \) to the clerk C.

2) The clerk C (one of the t cooperating players) computes \( R_{1} = \prod_{i=1}^{t} R_{1i} \), \( \tau = \prod_{i=1}^{t} \tau_{i} \), \( k = H_{2}(\tau) \), \( c = E_{k}(m) \) and \( h = H_{3}(m, R_{1}, k, Q_{ID_{A}}) \).

3) The clerk C then sends h to \( M_{i} \) for \( i = 0, \ldots, t \).

4) Each \( M_{i} \) computes the partial signature \( W_{i} = x_{i}P_{pub} + h\eta_{i}S_{i} \), where \( \eta_{i} = \prod_{j=1, j \ne i}^{t} -j(i-j)^{-1} \bmod q \), and sends it to the clerk C.

5) The clerk C verifies the correctness of each partial signature by checking whether \( e(P, W_{i}) = e(R_{1i}, P_{pub}) \left( \prod_{j=0}^{t-1} y_{j}^{i^{j}} \right)^{h\eta_{i}} \) holds. If all partial signatures are verified to be valid, the clerk C computes \( W = \sum_{i=1}^{t} W_{i} \); otherwise C rejects the invalid partial signature and requests a valid one.

6) The final threshold signcryption is \( \sigma = (c, R_{1}, W) \).

Unsigncrypt: on receiving \( \sigma \), Bob follows the steps below.

1) Compute \( \tau = e(R_{1}, S_{ID_{B}}) \) and \( k = H_{2}(\tau) \).

2) Recover \( m = D_{k}(c) \).

3) Compute \( h = H_{3}(m, R_{1}, k, Q_{ID_{A}}) \) and accept \( \sigma \) if and only if \( e(P, W) = e(P_{pub}, R_{1} + hQ_{ID_{A}}) \) holds.
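The complete Setup, Extract, Keydis, Signcrypt and Unsigncrypt flow above, run end to end, as an added example that is not part of this chapter or of Fagen Li et al.'s work. Elements of \( G_{1} \) and \( G_{2} \) are represented by their discrete logarithms modulo q (P corresponds to the exponent 1, and \( e(aP, bP) \) is represented by the exponent ab of \( e(P, P) \)), so the bilinearity identities the scheme relies on hold exactly and every check in the scheme can be exercised; this is a generic-group model of the scheme's algebra, not a secure pairing implementation. The group order, the SHA-256-based hash functions, the keystream cipher standing in for (E, D), the identities and the message are all constructed for the example.

```python
import hashlib
import secrets

Q = (1 << 127) - 1  # prime group order q (2^127 - 1), chosen for the example

def H(*parts):
    """Random-oracle stand-in: SHA-256 over labelled parts, reduced mod q."""
    data = b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def pair(a, b):
    """e(aP, bP): G1 elements are stored as exponents of P, so the result is the exponent a*b of e(P, P)."""
    return a * b % Q

def H1(identity):  # Q_ID = H1(ID), a G1 element
    return H("H1", identity)

def H2(tau):  # symmetric key derived from the G2 element tau
    return hashlib.sha256(("H2|%d" % tau).encode()).digest()

def H3(m, R1, k, QA):  # h = H3(m, R1, k, Q_IDA): binds the ciphertext to the sender identity
    return H("H3", m, R1, k, QA)

def cipher(key, data):
    """(E, D): XOR with a SHA-256 keystream; applying it twice with the same key decrypts."""
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range((len(data) + 31) // 32))
    return bytes(x ^ y for x, y in zip(data, stream))

def setup():
    """PKG picks the master key s; P_pub = sP is the exponent s in this representation."""
    s = secrets.randbelow(Q - 1) + 1
    return s, s * 1 % Q

def extract(s, identity):
    """S_ID = s Q_ID, sent to the identity's owner over a secure channel."""
    return s * H1(identity) % Q

def keydis(S_A, t, n):
    """Keydis steps 1-3: share S_IDA with a degree t-1 polynomial and publish y_j = e(F_j, P)."""
    coeffs = [S_A] + [secrets.randbelow(Q) for _ in range(t - 1)]  # F(x) = S_IDA + x F_1 + ... + x^(t-1) F_(t-1)
    def F(x):
        return sum(c * pow(x, j, Q) for j, c in enumerate(coeffs)) % Q
    shares = {i: F(i) for i in range(1, n + 1)}  # S_i = F(i), sent secretly to M_i
    y = [pair(c, 1) for c in coeffs]  # y_0 = e(S_IDA, P), y_j = e(F_j, P)
    return shares, y

def commitment(i, y):
    """prod_j y_j^(i^j) in G2; for an honest dealer this equals e(F(i), P)."""
    return sum(y_j * pow(i, j, Q) for j, y_j in enumerate(y)) % Q

def share_valid(i, S_i, y):
    """Keydis step 4: member i accepts S_i iff e(S_i, P) == prod_j y_j^(i^j)."""
    return pair(S_i, 1) == commitment(i, y)

def eta(i, members):
    """Lagrange coefficient eta_i = prod_{j != i} -j (i - j)^(-1) mod q over the cooperating set."""
    v = 1
    for j in members:
        if j != i:
            v = v * (-j) * pow((i - j) % Q, -1, Q) % Q
    return v

def signcrypt(m, members, shares, y, P_pub, id_A, id_B):
    """Signcrypt: the t members in `members` sign m for ID_B on behalf of ID_A; one of them acts as clerk."""
    QA, QB = H1(id_A), H1(id_B)
    x = {i: secrets.randbelow(Q - 1) + 1 for i in members}  # step 1: x_i, R_1i = x_i P, R_2i = x_i P_pub
    R1i = {i: x[i] for i in members}
    tau_i = {i: pair(x[i] * P_pub % Q, QB) for i in members}  # tau_i = e(R_2i, Q_IDB)
    R1 = sum(R1i.values()) % Q  # step 2 (clerk): combine the R_1i and tau_i
    tau = sum(tau_i.values()) % Q
    k = H2(tau)
    c = cipher(k, m)
    h = H3(m, R1, k, QA)  # step 3: h is sent to every cooperating member
    W = 0
    for i in members:
        W_i = (x[i] * P_pub + h * eta(i, members) * shares[i]) % Q  # step 4: partial signature
        # step 5 (clerk): e(P, W_i) == e(R_1i, P_pub) * (prod_j y_j^(i^j))^(h eta_i)
        if pair(1, W_i) != (pair(R1i[i], P_pub) + h * eta(i, members) * commitment(i, y)) % Q:
            raise ValueError("invalid partial signature from member %d" % i)
        W = (W + W_i) % Q
    return c, R1, W  # step 6: sigma = (c, R1, W)

def unsigncrypt(sigma, S_B, id_A, P_pub):
    """Unsigncrypt: returns m if e(P, W) == e(P_pub, R1 + h Q_IDA), otherwise None."""
    c, R1, W = sigma
    tau = pair(R1, S_B)  # step 1: tau = e(R1, S_IDB), k = H2(tau)
    k = H2(tau)
    m = cipher(k, c)  # step 2: m = D_k(c)
    QA = H1(id_A)  # Q_IDA is recomputed from ID_A, never taken from the ciphertext
    h = H3(m, R1, k, QA)  # step 3
    if pair(1, W) != pair(P_pub, (R1 + h * QA) % Q):
        return None
    return m

if __name__ == "__main__":
    s, P_pub = setup()
    id_A, id_B = "group-A@example.org", "bob@example.org"  # constructed identities
    shares, y = keydis(extract(s, id_A), t=3, n=5)
    assert all(share_valid(i, S_i, y) for i, S_i in shares.items())
    sigma = signcrypt(b"constructed sample message", [1, 3, 5], shares, y, P_pub, id_A, id_B)
    print(unsigncrypt(sigma, extract(s, id_B), id_A, P_pub))
```

Running the block shares the group key among five members with threshold three, has each member verify its share as in Keydis step 4, lets members 1, 3 and 5 produce a signcryption with the clerk's partial-signature check of Signcrypt step 5, and has Bob unsigncrypt it. The receiver derives \( Q_{ID_{A}} \) from \( ID_{A} \) itself rather than accepting a public key supplied with the ciphertext, which is the point of the improvement: a ciphertext checked against any other sender identity, or with a modified W, is rejected.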

3 Security Analysis of Our Improved Scheme

In this section, we give formal proofs of the unforgeability and confidentiality of our scheme, assuming that the CDH problem and the DBDH problem are hard.

Theorem 1

(Unforgeability) Our improved scheme is secure against chosen message attack in the random oracle model if the CDH problem is hard.

Proof

Suppose the challenger C wants to solve the CDH problem: given \( (aP, bP) \), C should compute \( abP \).

C chooses system parameters \( \{G_{1}, G_{2}, n_{1}, e, P, P_{pub}, E, D, H_{1}, H_{2}, H_{3}\} \), sets \( P_{pub} = aP \), and sends the parameters to the adversary Eve (the hash functions \( H_{1}, H_{2}, H_{3} \) are random oracles).

\( H_{1} \) query: C maintains a list \( L_{1} \) to record \( H_{1} \) queries; its entries have the form \( (ID, \alpha, Q_{ID}, S_{ID}) \). Suppose Eve makes fewer than \( q_{H_{1}} \) \( H_{1} \) queries. C selects a random number \( j \in [1, q_{H_{1}}] \). On the j-th query, C returns \( Q_{ID_{j}} = bP \) to Eve and records \( (ID_{j}, \bot, Q_{ID_{j}} = bP, \bot) \) in \( L_{1} \). Otherwise C selects \( \alpha_{i} \in Z_{q}^{*} \), computes \( Q_{ID_{i}} = \alpha_{i}P \) and \( S_{ID_{i}} = \alpha_{i}P_{pub} \), returns \( Q_{ID_{i}} \) to Eve and records \( (ID_{i}, \alpha_{i}, Q_{ID_{i}}, S_{ID_{i}}) \) in \( L_{1} \).

\( H_{2} \) query: C maintains a list \( L_{2} \) to record \( H_{2} \) queries; its entries have the form \( (\tau, k) \). On a query for \( \tau_{i} \), C selects \( k_{i} \in Z_{q}^{*} \), returns \( k_{i} \) to Eve and records \( (\tau_{i}, k_{i}) \) in \( L_{2} \).

\( H_{3} \) query: C maintains a list \( L_{3} \) to record \( H_{3} \) queries; its entries have the form \( (m, R, k, Q, h) \). On a query for \( (m_{i}, R_{1i}, k_{i}, Q_{ID_{i}}) \), C selects \( h_{i} \in Z_{q}^{*} \), returns \( h_{i} \) to Eve and records \( (m_{i}, R_{1i}, k_{i}, Q_{ID_{i}}, h_{i}) \) in \( L_{3} \).

Signcrypt query: if C receives a Signcrypt query with message \( m_{i} \) and identity \( ID_{i} \):

1. Select \( x_{i} \in Z_{q}^{*} \) and \( W_{i} \in G_{1} \).

2. Look up \( L_{1} \) and \( L_{2} \): take \( Q_{ID_{i}} = \alpha_{i}P \) from \( L_{1} \) and \( k_{i} \) from \( L_{2} \), and compute \( R_{i} = x_{i}Q_{ID_{i}} \).

3. Set \( h_{i} = H_{3}(m_{i}, R_{i}, k_{i}, Q_{ID_{i}}) \).

4. Return \( (h_{i}, W_{i}) \) to Eve.

Finally, Eve outputs a forged signcryption \( (m, h_{i}, W_{i}, Q_{ID_{i}}) \). If \( Q_{ID_{i}} \ne Q_{ID_{j}} \), Eve fails. Otherwise, if \( Q_{ID_{i}} = Q_{ID_{j}} \), Eve succeeds in forging a signcryption.

As a result, C obtains two signcryptions which satisfy

$$ e(P, W_{i}) = e(P_{pub}, R_{i} + h_{i}Q_{ID_{i}}) $$
$$ e(P, W_{j}) = e(P_{pub}, R_{j} + h_{j}Q_{ID_{j}}) $$

Thus,

$$ e\left(P, W_{i} - W_{j}\right) = e\left(P_{pub}, (R_{i} + h_{i}Q_{ID_{i}}) - (R_{j} + h_{j}Q_{ID_{j}})\right) \tag{4.1} $$

Since \( Q = Q_{ID_{i}} = Q_{ID_{j}} \), (4.1) can be written as

$$ e\left(P, W_{i} - W_{j}\right) = e\left(P_{pub}, (R_{i} - R_{j}) + (h_{i} - h_{j})Q\right) \tag{4.2} $$

Because \( P_{pub} = aP \) and \( Q_{ID_{j}} = bP \), (4.2) can be written as

$$ e\left(P, W_{i} - W_{j}\right) = e\left(aP, \left((\alpha_{i} - \alpha_{j}) + (h_{i} - h_{j})\right)bP\right) $$

and therefore

$$ W_{i} - W_{j} = \left((\alpha_{i} - \alpha_{j}) + (h_{i} - h_{j})\right)abP. $$

Hence C can compute the CDH solution \( abP = \frac{W_{i} - W_{j}}{(\alpha_{i} - \alpha_{j}) + (h_{i} - h_{j})} \) from \( aP \) and \( bP \).

Theorem 2

(Confidentiality) Our improved scheme is secure against adaptive chosen ciphertext and identity attack in the random oracle model if the DBDH problem is hard.

Proof

Suppose the challenger C wants to solve the DBDH problem: given \( (P, aP, bP, cP, \tau) \), C should decide whether \( \tau = e(P, P)^{abc} \) or not. If there exists an adaptive chosen ciphertext and identity attacker against our improved scheme, C can solve the DBDH problem.

C chooses system parameters \( \{G_{1}, G_{2}, n_{1}, e, P, P_{pub}, E, D, H_{1}, H_{2}, H_{3}\} \), sets \( P_{pub} = aP \), and sends the parameters to the adversary Eve (the hash functions \( H_{1}, H_{2}, H_{3} \) are random oracles).

\( H_{1} \) query: C maintains a list \( L_{1} \) to record \( H_{1} \) queries; its entries have the form \( (ID, \alpha, Q_{ID}, S_{ID}) \). Suppose Eve makes fewer than \( q_{H_{1}} \) \( H_{1} \) queries. C selects a random number \( j \in [1, q_{H_{1}}] \). On the j-th query, C returns \( Q_{ID_{j}} = bP \) to Eve and records \( (ID_{j}, \bot, Q_{ID_{j}} = bP, \bot) \) in \( L_{1} \). Otherwise C selects \( \alpha_{i} \in Z_{q}^{*} \), computes \( Q_{ID_{i}} = \alpha_{i}P \) and \( S_{ID_{i}} = \alpha_{i}P_{pub} \), returns \( Q_{ID_{i}} \) to Eve and records \( (ID_{i}, \alpha_{i}, Q_{ID_{i}}, S_{ID_{i}}) \) in \( L_{1} \).

\( H_{2} \) query: C maintains a list \( L_{2} \) to record \( H_{2} \) queries; its entries have the form \( (\tau, k) \). On a query for \( \tau_{i} \), C selects \( k_{i} \in Z_{q}^{*} \), returns \( k_{i} \) to Eve and records \( (\tau_{i}, k_{i}) \) in \( L_{2} \).

\( H_{3} \) query: C maintains a list \( L_{3} \) to record \( H_{3} \) queries; its entries have the form \( (m, R, k, Q, h) \). On a query for \( (m_{i}, R_{1i}, k_{i}, Q_{ID_{i}}) \), C selects \( h_{i} \in Z_{q}^{*} \), returns \( h_{i} \) to Eve and records \( (m_{i}, R_{1i}, k_{i}, Q_{ID_{i}}, h_{i}) \) in \( L_{3} \).

Signcrypt query: if C receives a Signcrypt query with message \( m_{i} \) and identity \( ID_{i} \):

1. Select \( c_{i} \in Z_{q}^{*} \) and \( W_{i} \in G_{1} \).

2. Look up \( L_{1} \) and \( L_{2} \): take \( Q_{ID_{i}} = \alpha_{i}P \) from \( L_{1} \) and \( k_{i} \) from \( L_{2} \). If \( ID_{i} \ne ID_{j} \), compute \( R_{i} = c_{i}P \); otherwise, if \( ID_{i} = ID_{j} \), compute \( R_{i} = cP \).

3. Set \( h_{i} = H_{3}(m_{i}, R_{i}, k_{i}, Q_{ID_{i}}) \).

4. Return \( (h_{i}, W_{i}) \) to Eve.

After the first stage, Eve chooses a pair of identities \( (ID_{i}, ID_{j}) \) on which she wishes to be challenged. Note that Eve cannot query the identity \( ID_{A} \). Then Eve outputs two plaintexts \( m_{0} \) and \( m_{1} \). C chooses a bit \( b \in \{0, 1\} \) and signcrypts \( m_{b} \). To do so, C sets \( R_{1}^{*} = cP \), obtains \( k^{*} = H_{2}(\tau) \) from the hash function \( H_{2} \), and computes \( c_{b} = E_{k^{*}}(m_{b}) \). Then C chooses \( W^{*} \in G_{1} \) and sends the ciphertext \( \sigma^{*} = (c_{b}, R_{1}^{*}, W^{*}) \) to Eve. Eve can perform a second series of queries as in the first stage. At the end of the simulation, she produces a bit \( b' \) for which she believes the relation \( \sigma^{*} = \mathrm{Signcrypt}(m_{b'}, \{S_{i}\}_{i=1,\ldots,t}, ID_{j}) \) holds. If \( b = b' \), C outputs \( \tau = e(R_{1}^{*}, S_{ID_{j}}) = e(cP, abP) = e(P, P)^{abc} \). Otherwise, C outputs \( \tau \ne e(P, P)^{abc} \). So C can solve the DBDH problem.

4 Conclusion

In this chapter, we have shown that the threshold signcryption scheme of Fagen Li et al. is vulnerable if the attacker can replace the group public key. We pointed out that this attack is possible because the receiver uses the senders' public key without any verification in the unsigncrypt stage. Further, we proposed a provably secure improved scheme that corrects the vulnerability, and proved the unforgeability and confidentiality of the improved scheme under existing security assumptions.