DOI QR코드

DOI QR Code

Provably Secure Certificate-Based Signcryption Scheme without Pairings

  • Lu, Yang (College of Computer and Information Engineering, Hohai University) ;
  • Li, Jiguo (College of Computer and Information Engineering, Hohai University)
  • Received : 2013.12.24
  • Accepted : 2014.05.15
  • Published : 2014.07.29

Abstract

Certificate-based cryptography is a new cryptographic paradigm that provides an interesting balance between identity-based cryptography and traditional public key cryptography. It not only simplifies the complicated certificate management problem in traditional public key cryptography, but also eliminates the key escrow problem in identity-based cryptography. As an extension of the signcryption in certificate-based cryptography, certificate-based signcryption provides the functionalities of certificate-based encryption and certificate-based signature simultaneously. However, to the best of our knowledge, all constructions of certificate-based signcryption in the literature so far have to be based on the costly bilinear pairings. In this paper, we propose a certificate-based signcryption scheme that does not depend on the bilinear pairings. The proposed scheme is provably secure in the random oracle model. Due to avoiding the computationally-heavy paring operations, the proposed scheme significantly reduces the cost of computation and outperforms the previous certificate-based signcryption schemes.

Keywords

1. Introduction

In public-key cryptography, each user has a public key and a private key. The public key is published and publicly accessible while the corresponding private key is kept secret by its owner. In traditional public key cryptography, each public key is generated with no connection to the identity of its owner. Therefore, a public key infrastructure (PKI) is employed for vouching the relationship between a user’s identity and a public key by certificates. However, the traditional PKI technology is faced with many challenges in practice, especially the complicated certificate management problem. In 1984, Shamir [1] introduced the concept of identity-based cryptography. In identity-based cryptography, a user’s public key could be an arbitrary string related to his identity and his private key is computed from his identity by a trusted authority called private key generator (PKG). The biggest merit of identity-based cryptography is that it eliminates the need for public key certificates. However, identity-based cryptography inevitably suffers from the key escrow problem since all the users’ private keys are known to the PKG.

In order to fill the gap between traditional public key cryptography and identity-based cryptography, Al-Riyami and Paterson [2] proposed the notion of certificateless public key cryptography in Asiacrypt 2003. In certificateless public key cryptography, a trusted third party called key generation center (KGC) is employed for generating a partial private key for each user. Each user independently generates a pair of secret key and public key, and then combines his own secret key with the partial private key from the KGC to generate his full private key. Since KGC does not know any user’s private key, certificateless public key cryptography overcomes the key escrow problem. However, as partial private keys should be sent from KGC to users over secure channels, certificateless public key cryptography suffers from the key distribution problem.

In Eurocrypt 2003, Gentry [3] introduced another new paradigm called certificate-based cryptography that represents an interesting balance between identity-based cryptography and traditional public key cryptography. As in traditional public key cryptography, each user in certificate-based cryptography generates a pair of public key and private key, and then requests a certificate from a trusted third party called certifier. The difference is that certificate-based cryptography provides an effective implicit certificate mechanism so that a user needs both his private key and certificate to perform cryptographic operations (such as decryption and signing), while the other communication parties need not obtain the fresh information on this user’s certificate status. As a result, certificate-based cryptography eliminates the third-party queries for the certificate status and simplifies the certificate revocation problem in traditional PKI. Furthermore, since the certifier does not know any user’s private key and the certificates can be sent to their owners publicly, certificate-based cryptography overcomes both the key escrow and distribution problems.

Since its advent, certificate-based cryptography has attracted great interest in the research community and many schemes have been proposed, including many encryption schemes (e.g. [4-10]) and signature schemes (e.g. [11-16]). As an extension of the signcryption [17] in the certificate-based setting, Li et al. [18] introduced the concept of certificate-based signcryption, which simultaneously provides the functionalities of certificate-based encryption and certificate-based signature. To the best of our knowledge, there exist three certificate-based signcryption schemes in the literature so far. All these schemes are based on the bilinear pairings. In [18], Li et al. proposed the first certificate-based signcryption scheme based on Chen and Malone-Lee’s identity-based signcryption scheme [19]. A subsequent paper by Luo et al. [20] proposed a new certificate-based signcryption scheme alone with a security model. However, Luo et al. only partly proved the security of their scheme in the random oracle model [21]. Recently, Li et al. [22] proposed a publicly verifiable certificate-based signcryption scheme which is provably secure in the random oracle model.

In this paper, we focus on the construction of certificate-based signcryption that does not depend on the costly bilinear pairings. As we know, compared with other common cryptographic operations such as prime modular exponentiations in finite fields, the bilinear pairings may be the most expensive ones. As pairing operations will greatly aggravate the computation load of a device, they are extremely disliked by the power-constrained devices, such as wireless sensors, mobile intelligent terminals, etc. Therefore, it is interesting and worthwhile to construct cryptographic schemes without relying on bilinear parings. Based on the Schnorr signature scheme [23, 24] and the enhanced ElGamal public key encryption scheme proposed by Fujisaki and Okamoto [25], we develop a pairing-free certificate-based signcryption scheme. In the random oracle model, we prove that the proposed certificate-based signcryption scheme has chosen-ciphertext security under the gap Diffie-Hellman assumption and unforgeability security under the gap discrete logarithm assumption. Without pairings, our scheme significantly reduces the cost of computation and is more efficient than the previous pairing-based certificate-based signcryption schemes. This interesting property makes it be particularly suitable for the computation-limited environments, such as wireless sensor networks and mobile wireless networks.

In Section 2, we review some computational assumptions related to our paper. In Section 3, we present the definition and security model of certificate-based signcryption. The proposed certificate-based signcryption scheme is described in Section 4 and analyzed in Section 5 respectively. Finally, we draw our conclusion in Section 6.

 

2. Computational Assumptions

Let k be a security parameter and p be a k-bit prime number. Let G denote a cyclic group of prime order p, and g a generator of the group G. Below, we review the computational assumptions that are used to prove the security of our proposed certificate-based signcryption scheme.

Definition 1 [26]. The gap Diffie-Hellman (GDH) problem in G is, given a tuple (g, ga, gb) for unknown a, b ∈ Z*p and access to a decisional Diffie-Hellman (DDH) oracle ODDH that takes (g, gu, gv, z) as input and outputs 1 if z = guv and 0 otherwise, to compute gab. The advantage of any probabilistic polynomial-time algorithm AGDH in solving the GDH problem in G is defined as

The GDH assumption is that, for any probabilistic polynomial-time algorithm AGDH, the advantage Adv(AGDH) is negligible.

Definition 2 [27]. The gap Discrete Logarithm (GDL) problem in G is, given a tuple (g, ga) for unknown a ∈ Z*p and access to a restricted DDH oracle OrDDH that takes (g, ga, gb, z) as input and outputs 1 if z = gab and 0 otherwise, to compute a. The advantage of any probabilistic polynomial-time algorithm AGDL in solving the GDL problem in G is defined as

The GDL assumption is that, for any probabilistic polynomial-time algorithm AGDL, the advantage Adv(AGDL) is negligible.

 

3. Definition and Security Model of Certificate-Based Signcryption

In this paper, a certificate-based signcryption scheme is composed of the following five algorithms: (1) System setup algorithm Setup, which is performed by a certifier to generate a master key and a list of public system parameters; (2) Key-pair generation algorithm KeyPairGen, which is performed by the user to generate a pair of private key and partial public key; (3) Certification algorithm Certify, which is performed by a certifier to generate a certificate and public key for each user in the system; (4) Signcryption algorithm Signcrypt, which is performed by a sender to signcrypt the messages; (5) Designcryption algorithm Designcrypt, which is performed by a receiver to designcrypt the ciphertext sent to him.

Fig. 1 gives the functional description of a certificate-based signcryption scheme.

Fig. 1.Functional description of certificate-based signcryption

Definition 3. A certificate-based signcryption scheme Π = (Setup, KeyPairGen, Certify, Signcrypt, Designcrypt) is said to be correct if for any message m, m = Designcrypt(params, Signcrypt(params, m, idS, PKS, SKS, CertS, idR, PKR), idR, SKR, CertR, idS, PKS), where params are obtained from the system setup algorithm Setup, (SKS, PKS, CertS) and (SKR, PKR, CertR) are respectively generated according to the the specifications of the key-pair generation algorithm KeyPairGen and the certification algorithm Certify.

As introduced in [20, 22], the security model for certificate-based signcryption includes two types of adversaries: Type-I and Type-II. A Type-I adversary (denoted by AI) simulates a user who wants to gain some information about a message sent to him from its encryption without a certificate. A Type-II adversary (denoted by AII) simulates a malicious certifier in possession of the master key who wants to attack a target user without the knowledge of this user’s private key.

To simulate potential attacking scenarios, we will use the following six oracles which can be accessed by the adversaries. We assume that the game simulator keeps a history of “query-answer” while interacting with the adversaries. The six oracles are described as follows:

(1) OCreateUser-I(idU): This oracle is only queried by the Type-I adversary AI. On input an identity idU, if idU has already been created, the game simulator responds with the public key PKU associated with the identity idU. Otherwise, the game simulator generates a set of private key SKU, public key PKU and certificate CertU for the identity idU, and then returns PKU as the output. In this case, idU is said to be created. For simplicity, we assume that other oracles only respond to an identity which has been created.

(2) OCreateUser-II(idU): This oracle is only queried by the Type-II adversary AII. On input an identity idU, if idU has already been created, the game simulator responds with the public key PKU associated with the identity idU. Otherwise, the game simulator first generates a private key SKU and a partial public key PPKU for the identity idU, and then outputs PPKU to AII. Different from OCreateUser-I, this oracle requires AII to help the game simulator to create a new user. As AII simulates a malicious certifier who will generate a full public key and a certificate for any user by itself, it is possible that the game simulator is not aware of the secret(s) used by AII to generate the public key and the certificate of a user. Therefore, when creating a new user, AII should submit the secret(s) to the game simulator. Under the help of AII, the game simulator generates a full public key PKU and a certificate CertU for the identity idU. In this case, idU is said to be created. Similarly, we assume that other oracles only respond to an identity which has been created.

(3) ORequestPrivateKey(idU): On input an identity idU, the game simulator outputs the private key SKU associated with the identity idU.

(4) ORequestCertificate(idU): On input an identity idU, the game simulator outputs the certificate CertU associated with the identity idU.

(5) OSigncrypt(m, idS, idR): On input a message m, a sender’s identity idS and a receiver’s identity idR, the game simulator responds with the result of Signcrypt(params, m, idS, PKS, SKS, CertS, idR, PKR). Note that we disallow queries where idS = idR.

(6) ODesigncrypt(σ, idS, idR): On input a ciphertext σ, a sender’s identity idS and a receiver’s identity idR, the challenger responds with the result of Designcrypt(params, σ, idR, SKR, CertR, idS, PKS). Again, we disallow queries where idS = idR.

A certificate-based signcryption scheme should satisfy both confidentiality (indistinguishability against adaptive chosen-ciphertext attacks (IND-CBSC-CCA2)) and unforgeability (existential unforgeability against adaptive chosen-messages attacks (EUF-CBSC-CMA)).

For the confidentiality, we consider the following two different adversarial games “IND-CBSC-CCA2 Game-I” and “IND-CBSC-CCA2 Game-II”. IND-CBSC-CCA2 Game-I is the game played between the Type-I adversary AI and a game simulator, in which state represents some state information, Oracles-I means that the adversary AI can adaptively query the oracles {OCreateUser-I, ORequestPrivateKey, ORequestCertificate, OSigncrypt, ODesigncrypt} with the following constraints: (1) The identity id*R cannot be submitted to the oracle ORequestCertificate ; (2) (σ*, id*S, id*R) cannot be submitted to the oracle ODesigncrypt. IND-CBSC-CCA2 Game-II is the game played between the Type-II adversary AII and a game simulator, in which state represents some state information, Oracles-II means that the adversary AII can adaptively query the oracles {OCreateUser-II, ORequestPrivateKey, OSigncrypt, ODesigncrypt} with the following constraints: (1) The identity id*R cannot be submitted to the oracle ORequestPrivateKey; (2) (σ*, id*S, id*R) cannot be submitted to the oracle ODesigncrypt.

In both two games, we say that an adversary wins the game if b = b'. The adversary’s advantage in winning the game is defined to be Adv(AX) = 2|Pr[b = b'] - 1/2|, where X is either I or II.

Definition 4. A certificate-based signcryption scheme is said to be IND-CBSC-CCA2 secure if no probabilistic polynomial-time adversary has non-negligible advantage in both the games IND-CBSC-CCA2 Game-I and IND-CBSC-CCA2 Game-II.

For the unforgeability, we consider the following two different adversarial games “EUF-CBSC-CMA Game-I” and “EUF-CBSC-CMA Game-II”. EUF-CBSC-CMA Game-I is the game played between the Type-I adversary AI and a game simulator, in which Oracles-III means that the adversary AI can adaptively query the oracles {OCreateUser-I, ORequestPrivateKey, ORequestCertificate, OSigncrypt, ODesigncrypt} with the following constraints: (1) The identity id*S cannot be submitted to the oracle ORequestCertificate ; (2) (σ*, id*S, id*R) is not produced by the oracle OSigncrypt. EUF-CBSC-CMA Game-II is the game played between the Type-II adversary AII and a game simulator, in which Oracles-IV means that the adversary AII can adaptively query the oracles {OCreateUser-II, ORequestPrivateKey, OSigncrypt, ODesigncrypt} with the following constraints: (1) The identity id*S cannot be submitted to the oracle ORequestPrivateKey; (2) (σ*, id*S, id*R) is not produced by the oracle OSigncrypt.

In both two games, we say that an adversary wins the game if it outputs a valid forgery (σ*, id*S, id*R), namely that the result of Designcrypt(params, σ*, id*R, SK*R, Cert*R, id*S, PK*S) is not the symbol ⊥ . The adversary’s advantage is defined to be the probability that it wins the game.

Definition 5. A certificate-based signcryption scheme is said to be EUF-CBSC-CMA secure if no probabilistic polynomial-time adversary has non-negligible advantage in both the adversarial games EUF-CBSC-CMA Game-I and EUF-CBSC-CMA Game-II.

 

4. Description of the Proposed Certificate-Based Signcryption Scheme

We now present the proposed certificate-based signcryption scheme. As mentioned previously, our scheme is based on the Schnorr signature scheme [23, 24] and the enhanced ElGamal public key encryption scheme proposed by Fujisaki and Okamoto [25]. A formal description of the scheme is as follows:

(1) Setup(k): The certifier performs as follows: choose a group G of k-bit prime order p and a random generator g ∈ G; choose a random value α ∈ Z*p and compute g1 = ga; choose three cryptographic hash functions H1: {0,1}* × G × G → Z*p, H2:{0,1}lm× G × {0,1}* × G × G → Z*p and H3: G →{0,1}lm, where lm denotes the bit-length of a plaintext; output a list of public parameters params = {G, p, g, g1, lm, H1, H2, H3} and a master key msk = α.

(2) KeyPairGen(params): A user with identity idU chooses a random value x ∈ Z*p as his private key SKU and computes his partial public key PPKU = gx.

(3) Certify(params, msk, idU, PPKU): The certifier performs as follows: set PKU(1) = PPKU; choose a random value y ∈ Z*p and compute PKU(2) = gy; compute CertU = y + αH1(idU, PKU(1), PKU(2)); output the user idU’s public key PKU = (PKU(1), PKU(2)) and certificate CertU.

(4) Signcrypt(params, m, idS, PKS, SKS, CertS, idR, PKR): To send a message m ∈ {0,1}lm to a user idR, the sender idS does the following: choose a random value r ∈ Z*p and compute R = gr; compute u = r(SKS + CertS + h)-1, where h = H2(m, R, idS, PKS(1), PKS(2)); compute v = (PKR(1)⋅,PKR(2)⋅g1H1(idR,PKR(1),PKR(2)))r and then c = m ⊕ H3(v); output the ciphertext σ = (h, u, c).

(5) Designcrypt(params, σ, idR, SKR, CertR, idS, PKS): To designcrypt a ciphertext σ from the sender idS, the receiver idR does the following: parse the ciphertext σ as (h, u, c); compute R' = (PKS(1)⋅,PKS(2)⋅g1H1(idS,PKS(1),PKS(2))⋅gh)u and then v' = (R')SKR+CertR; compute m' = c ⊕ H3(v'); check whether h = H2(m', R', idS, PKS(1), PKS(2)). If it does, output the message m', otherwise output an invalid symbol ⊥.

 

5. Analysis of the Proposed Certificate-Based Signcryption Scheme

5.1 Correctness

Theorem 1. The proposed certificate-based signcryption scheme is correct.

Proof. This theorem can be proved by the following equations:

R' = (PKS(1)⋅PKS(2)⋅g1H1(idS,PKS(1),PKS(2))⋅gh)u = = gr = R, v' = (R')SKR+CertR = gr(SKR+CertR) = (PKR(1)⋅PKR(2)⋅g1H1(idR,PKR(1),PKR(2)))r = v.

5.2 Security

We show that our scheme achieves the IND-CBSC-CCA2 security under the GDH assumption and the EUF-CBSC-CMA security under the GDL assumption in the random oracle model.

Theorem 2. In the random oracle model, the proposed certificate-based signcryption scheme is IND-CBSC-CCA2 secure under the GDH assumption.

This theorem can be proved by combining the following two lemmas.

Lemma 1. Suppose that H1 ~ H3 are random oracles and AI is a Type-I adversary against the IND-CBCS-CCA2 security of the proposed scheme with advantage ε and running time τ. Assume also that AI makes at most qcu queries to the oracle OCreateUser-I, qpri queries to the oracle ORequestPrivateKey, qcer queries to the oracle ORequestCertificate, qsc queries to the oracle OSigncrypt, qdsc queries to the oracle ODesigncrypt and qi queries to the random oracles Hi (1 ≤ i ≤ 3) respectively. Then there exists an algorithm AGDH to solve the GDH problem in the group G with advantage

and running time τ' ≤ τ + (q1 + q2 + q3 + qcer + qpri)O(1) + qcu(3τexp + O(1)) + qsc(4τexp + O(1)) + qdsc(4τexp + τDDH + O(1)), where τexp and τDDH respectively denote thetime for computing an exponentiation in G and the one for a call to the DDH oracle.

Proof. Assume that the algorithm AGDH is given a random GDH problem instance (G, p, g, ga, gb, ODDH). Its goal is to compute gab by interacting with AI as follows:

At the beginning of the game, the algorithm AGDH randomly chooses an index θ ∈ [1, qcu] and sets g1 = ga. It then starts IND-CBCS-CCA2 Game-I by supplying the adversary AI with the public parameters params = {G, p, g, g1, lm, H1, H2, H3}, where H1 ~ H3 are random oracles controlled by AGDH. Note that the certifier’s master key is the value a which is unknown to the algorithm AGDH.

During the query-answer phase, the adversary AI can adaptively make queries to the oracles H1, H2, H3, OCreateUser-I, ORequestPrivateKey, ORequestCertificate, OSigncrypt and ODesigncrypt. The algorithm AGDH responds as follows:

H1 queries: AGDH maintains a list H1List of tuples 〈idi, PKi(1), PKi(2), h1〉. On receiving such a query on (idi, PKi(1), PKi(2)), AGDH first checks if H1List contains a tuple 〈idi, PKi(1), PKi(2), h1〉. If it does, AGDH outputs h1 to AI directly. Otherwise, it outputs a random value h1 ∈ Z*p to AI and inserts a new tuple 〈idi, PKi(1), PKi(2), h1〉 into H1List.

H2 queries: AGDH maintains a list H2List of tuples 〈m, R, idi, PKi(1), PKi(2), h2〉. On receiving such a query on (m, R, idi, PKi(1), PKi(2)), AGDH first checks if H2List contains a tuple 〈m, R, idi, PKi(1), PKi(2), h2〉. If it does, AGDH outputs h2 to AI directly. Otherwise, it outputs a random value h2 ∈ Z*p to AI and inserts a new tuple 〈m, R, idi, PKi(1), PKi(2), h2〉 into H2List.

H3 queries: AGDH maintains a list H3List of tuples 〈v, h3〉. On receiving such a query on v, AGDH first checks if H3List contains a tuple 〈v, h3〉. If it does, AGDH outputs h3 to AI directly. Otherwise, it outputs a random value v ∈ {0,1}lm to AI and inserts a new tuple 〈v, h3〉 into H3List.

OCreateUser-I queries: AGDH maintains a list UserList of tuples 〈idi, SKi, PKi, Certi〉. On receiving such a query on idi, AGDH performs as follows: (1) If UserList contains a tuple 〈idi, SKi, PKi, Certi〉, output PKi to AI directly; (2) Otherwise, if idi is the θ-th distinct identity submitted to this oracle, choose two random values xθ, yθ ∈ Z*p, set SKθ = xθ and compute PKθ =(gxθ, gyθ), insert a new tuple 〈idθ, SKθ, PKθ, ⊥〉 into UserList and output PKθ to AI; (3) Otherwise, randomly choose xi, ti, ei ∈ Z*p, set SKi = xi and Certi =ti, compute PKi = (PKi(1), PKi(2)) = (gxi, gti, g1−ei), insert 〈idi, PKi(1), PKi(2), ei〉 and 〈idi, SKi, PKi, Certi〉 into H1List and UserList respectively, and output PKi to AI.

ORequestPrivateKey queries: On receiving such a query on idi, AGDH retrieves a tuple of the form 〈idi, SKi, PKi, Certi〉 from the list UserList and returns SKi to AI.

ORequestCertificate queries: On receiving such a query on idi, AGDH aborts if idi = idθ. Otherwise, it retrieves a tuple of the form 〈idi, SKi, PKi, Certi〉 from UserList and returns Certi to AI.

OSigncrypt queries: On receiving such a query on (m, idS, idR), AGDH does the following: (1) If idS = idθ, AGDH randomly chooses u, h2 ∈ Z*p, h3 ∈{0,1}lm, runs the simulation algorithm for the random oracle H1 to get h1 = H1(idS, PKS(1), PKS(2)), and computes R = (⋅g1h1⋅gh2)u, v = RSKR+CertR, c = m ⊕ h3. Then, AGDH inserts 〈m, R, idθ, PKθ(1), PKθ(2), h2〉 and 〈v, h3〉 into H2List and H3List respectively and returns σ = (h2, u, c) as the ciphertext to AI. Note that AGDH fails if H2List or H3List is already defined in the corresponding value but this only happens with probability smaller than (q2 + q3 + 2qsc)/2k. (2) Otherwise, AGDH can answer the query according to the specification of the algorithm Signcrypt since it knows the sender idS’s private key and certificate.

ODesigncrypt queries: On receiving such a query on (σ = (h, u, c), idS, idR), AGDH does the following: (1) If idR = idθ, AGDH first runs the simulation algorithm for the random oracle H1 to get h1 = H1(idR, PKR(1), PKR(2)) and h'1 = H1(idS, PKS(1), PKS(2)), and then checks if there exist a tuple 〈m, R, idS, PKS(1), PKS(2), h〉 in H2List and a tuple 〈v, h3〉 in H3List such that R = (PKS(1)⋅PKS(2)⋅g1h'1⋅gh) u, m = c ⊕ h3 and ODDH(g, R, PKR(1)⋅PKR(2)⋅g1h1, v) = 1. If such two tuples exist, AGDH returns m to AI as the designcryption of σ; otherwise, it rejects σ. Note that a valid ciphertext is rejected with probability smaller than qdsc/2k across the whole game. (2) Otherwise, AGDH designcrypts σ in the normal way since it knows the receiver idR’s private key and certificate.

At the challenge phase, AI outputs two distinct messages m0 and m1 of equal length, a sender identity id*S and a receiver identity id*R, on which it wants to be challenged. If id*R idθ ≠, then AGDH aborts. Otherwise, AGDH randomly chooses c* ∈ {0,1}lm and u*, h*2, ∈ Z*p, sets R* = gb, and outputs σ* = (h*2, u*, c*) as the challenge ciphertext to AI. Observe that the decryption of c* is c* ⊕ H3(PKθ(1)⋅PKθ(2)⋅g1H1(idθ, PKθ(1), PKθ(2)))b).

At the guess phase, AI outputs a bit which is ignored by AGDH. Note that AI cannot recognize that the challenge ciphertext σ* is an invalid ciphertext unless it queries H3(PKθ(1)⋅PKθ(2)⋅g1H1(idθ, PKθ(1), PKθ(2)))b). It is clear that a successful AI is very likely to query H3(PKθ(1)⋅PKθ(2)⋅g1H1(idθ, PKθ(1), PKθ(2)))b) if the simulation is indistinguishable from a real attack environment. To produce a result, AGDH randomly chooses a tuple 〈v, h3〉 from H3List and outputs

as the solution to the given GDH problem. Obviously, if v = (PKθ(1)⋅PKθ(2)⋅g1H1(idθ, PKθ(1), PKθ(2)))b, then we have T = gab.

This completes the simulation. We now estimate the advantage of AGDH in solving the given GDH problem. From the above construction, the simulation fails if any of the following events occurs: (1) E1: AI does not choose idθ as the challenge receiver identity id*R; (2) E2: AI queries ORequestCertificate on the identity idθ; (3) E3: AGDH aborts in answer AI’s query to OSigncrypt because of a collision on H2 or H3; (4) E4: AGDH rejects a valid ciphertext at some point of the game. We clearly have that Pr[¬E1] = 1/qcu and ¬E1 implies ¬E2. We also already observed that Pr[E3] ≤ qsc(q2 + q3 + 2qsc)/2k and Pr[E4] ≤ qdsc/2k. Thus, we have that

Since AGDH selects the correct tuple from H3List with probability 1/(q3 + qsc), we have that the advantage of AGDH in solving the GDH problem is

The time complexity of the algorithm AGDH is dominated by the exponentiations and the calls to the DDH oracle in the oracle simulations. From the above description of AGDH, it is easy to see that thetime complexity of AGDH is bound by τ' ≤ τ + (q1 + q2 + q3 + qcer + qpri)O(1) + qcu(3τexp + O(1)) + qsc(4τexp + O(1)) + qdsc(4τexp + τDDH + O(1)) , where τexp and τDDH respectively denote thetime for computing an exponentiation in G and the one for a call to the DDH oracle.

Lemma 2. Suppose that H1 ~ H3 are random oracles and AII is a Type-II adversary against the IND-CBCS-CCA2 security of the proposed scheme with advantage ε and running time τ. Assume also that AII makes at most qcu queries to the oracle OCreateUser-II, qpri queries to the oracle ORequesrPrivateKey, qsc queries to the oracle OSigncrypt, qdsc queries to the oracle ODesigncrypt and qi queries to the random oracles Hi (1 ≤ i ≤ 3). Then there exists an algorithm AGDH to solve the GDH problem in the group G with advantage

and running time τ' ≤ τ + (q1 + q2 + q3 + qpri)O(1) + qcu(2τexp + O(1)) + qsc(4τexp + O(1)) + qdsc(4τexp + τDDH + O(1)), where τexp and τDDH respectively denote thetime for computing an exponentiation in G and the one for a call to the DDH oracle.

Proof. Assume that AGDH is given a random GDH problem instance (G, p, g, ga, gb, ODDH). Its goal is to compute gab by interacting with AII as follows:

At the beginning of the game, AGDH first randomly chooses α ∈ Z*p and an index θ ∈ [1, qcu]. It then computes g1 = ga and starts IND-CBSC-CCA2 Game-II by supplying AII with the master key msk = α and the public parameters params = {G, p, g, g1, lm, H1, H2, H3}, where H1 ~ H3 are random oracles controlled by AGDH.

During the question-answer phase, AII can adaptively make queries to the oracles H1, H2, H3, OCreateUser-II, ORequestPrivateKey, OSigncrypt and ODesigncrypt. AGDH answers AII’s queries to H1, H2, H3, OSigncrypt and ODesigncrypt as in the proof of Lemma 1 and handles other queries as follows:

OCreateUser-II queries: AGDH maintains a list UserList of tuples 〈idi, SKi, PKi, Certi, yi〉. On receiving such a query on idi, AGDH performs as follows: (1) If UserList contains a tuple 〈idi, SKi, PKi, Certi, yi〉, output PKi to AII directly. (2) Otherwise, if idi is the θ-th distinct identity submitted to this oracle, set PKθ(1) = ga and output PKθ(1) to AII. After receiving a value yθ ∈ Z*p from AII, compute PKθ(2) = gyθ, run the simulation algorithm for the random oracle H1 to get a hash value h1 = H1(idθ, PKθ(1), PKθ(2)), compute Certθ = yθ + αh1 and insert a new tuple 〈idθ, ⊥, PKθ, Certθ, yθ〉 into UserList. (3) Otherwise, randomly choose xi ∈ Z*p, set SKi = xi, compute PKi(1) = gxi and output PKi(1) to AII. After receiving a value yi ∈ Z*p from AII, compute PKi(2) = gyi, run the simulation algorithm for the random oracle H1 to get a hash value h1 = H1(idi, PKi(1), PKi(2)) , compute Certi = yi + αh1 and insert a new tuple 〈idi, SKi, PKi, Certi, yi〉 into UserList.

ORequestPrivateKey queries: On receiving such a query on idi, AGDH aborts if idi = idθ. Otherwise, it retrieves a tuple of the form 〈idi, SKi, PKi, Certi, yi〉 from UserList and returns SKi to AII.

At the challenge phase, AII outputs two distinct messages m0 and m1 of equal length, a sender identityid*S and a receiver identity id*R, on which it wants to be challenged. If id*R ≠ idθ, AGDH aborts. Otherwise, AGDH randomly chooses c* ∈ {0,1}lm and u*, h*2, ∈ Z*p, sets R* = gb, and outputs σ* = (h*2, u*, c*) to AII as the challenge ciphertext. Observe that the decryption of c* is c* ⊕ H3(PKθ(1)⋅PKθ(2)⋅g1H1(idθ,PKθ(1),PKθ(2)))b).

At the guess phase, AII outputs a bit which is ignored by AGDH. Note that AII cannot recognize that the challenge ciphertext σ* is not a valid ciphertext unless it queries H3(PKθ(1)⋅PKθ(2)⋅g1H1(idθ,PKθ(1),PKθ(2)))b). It is clear that a successful AII is very likely to query H3(PKθ(1)⋅PKθ(2)⋅g1H1(idθ,PKθ(1),PKθ(2)))b). if the simulation is indistinguishable from a real attack environment. To produce a result, AGDH randomly chooses a tuple 〈v, h3〉 from H3List and outputs

as the solution to the given GDH problem. Obviously, if v = (PKθ(1)⋅PKθ(2)⋅g1H1(idθ,PKθ(1),PKθ(2)))b, then we have T = gab.

We now estimate the advantage of AGDH in solving the given GDH problem.

From the above construction, the simulation fails if any of the following events occurs: (1) E1: AII does not choose idθ as the challenge receiver identity id*R; (2) E2: AII queries ORequestPrivateKey on the identity idθ; (3) E3: AGDH aborts in answer AII’s OSigncrypt query because of a collision on H2 or H3;(4) E4: AGDH rejects a valid ciphertext at some point of the game. We clearly have that Pr[¬E1] = 1/qcu and ¬E1 implies ¬E2. We also already observed that Pr[E3] ≤ qsc(q2 + q3 + 2qsc)/2k and Pr[E4] ≤ qdsc/2k. Thus, we have that

Since AGDH selects the correct tuple from H3List with probability 1/(q3 + qsc), the advantage of AGDH in solving the GDH problem is

The time complexity of the algorithm AGDH is dominated by the exponentiations and the calls to the DDH oracle in the oracle simulations. From the above description of AGDH, it is easy to see that thetime complexity of AGDH is bound by τ' ≤ τ + (q1 + q2 + q3 + qpri)O(1) + qcu(2τexp + O(1)) + qsc(4τexp+ O(1)) + qdsc(4τexp+ τDDH + O(1)), where τexp and τDDH respectively denote thetime for computing an exponentiation in G and the one for a call to the DDH oracle.

Theorem 3. In the random oracle model, the proposed certificate-based signcryption scheme is EUF-CBSC-CMA secure under the GDL assumption.

This theorem can be proved by combining the following two lemmas.

Lemma 3. Suppose that H1 ~ H3 are random oracles and AI is a Type-I adversary against the EUF-CBSC-CMA security of the proposed scheme who makes at most qcu queries to the oracle OCreateUser-I, qpri queries to the oracle ORequestPrivateKey, qcer queries to the oracle ORequestCertificate, qsc queries to the oracle OSigncrypt, qdsc queries to the oracle ODesigncrypt and qi queries to the random oracles Hi (1 ≤ i ≤ 3). Assume also that AI produces a forgery with probability ε ≥ (qsc + 1)(qsc +q2)/2k within atime τ. Then there exists an algorithm AGDL to solve the GDL problem in the group G with advantage ε' ≥ 1/9 and running time τ' ≤ 23qcuq2[τ + (q1 + q2 + q3 + qcer + qpri)O(1) + qcu(2τexp + O(1)) + qsc(4τexp + O(1)) + qdsc(4τexp + τrDDH + O(1))][ε(1 - qdsc/2k)(1 - qsc(q2 + q3 + 2qsc)/2k)]-1, where τexp and τrDDH respectively denote thetime for computing an exponentiation in G and the one for a call to the restricted DDH oracle.

Proof. Assume that AGDL is given a random GDL problem instance (G, p, g, ga, OrDDH). Its goal is to compute a by interacting with AI as follows:

At the beginning of the game, AGDL first randomly chooses α ∈ Z*p and an index θ ∈ [1, qcu]. It then computes g1 = gα and starts EUF-CBSC-CMA Game-I by supplying AI with the public parameters params = {G, p, g, g1, lm, H1, H2, H3}, where H1 ~ H3 are random oracles controlled by AGDL.

During the query-answer phase, AI can adaptively make queries to the oracles H1, H2, H3, OCreateUser-I, ORequestPrivateKey, ORequestCertificate, OSigncrypt and ODesigncrypt. AGDL answers AI’s queries to H1, H2, H3, ORequestPrivateKey, ORequestCertificate and OSigncrypt in the same way as the proof of Lemma 1 and handles other queries as follows:

OCreateUser-I queries: AGDL maintains a list UserList of tuples 〈idi, SKi, PKi, Certi〉. On receiving such a query on idi, AGDL performs as follows: (1) If UserList contains a tuple 〈idi, SKi, PKi, Certi〉, output PKi to AI. (2) Otherwise, if idi is the θ-th distinct identity submitted to this oracle, randomly choose xθ ∈ Z*p, set SKθ = xθ and PKθ = (gxθ, ga), insert 〈idθ, SKθ, PKθ, ⊥〉 into UserList and output PKθ to AI. (3) Otherwise, randomly choose xi, yi ∈ Z*p, set SKi = xi and PKi = (PKi(1), PKi(2)) = (gxi, gyi); run the simulation algorithm for the random oracle H1 to get a hash value h1 = H1(idi, PKi(1), PKi(2)) and compute Certi= yi + αh1; insert 〈idi, SKi, PKi, Certi〉 into UserList and output PKi to AI.

ODesigncrypt queries: On receiving such a query on (σ = (h, u, c), idS, idR), AGDL does the following: (1) If idR = idθ, AGDL first runs the simulation algorithm for the random oracle H1 to get h1 = H1(idR, PKR(1), PKR(2)) and h'1 = H1(idS, PKS(1), PKS(2)), and then checks if there exist a tuple 〈m, R, idS, PKS(1), PKS(2), h〉 in H2List and a tuple 〈v, h3〉 in H3List such that R = (PKS(1)⋅PKS(2)⋅g1h'1⋅gh)u, m = c ⊕ h3 and OrDDH(g, ga, R, v⋅R−SKR−αh1) = 1. If such two tuples exist, AGDL returns m to AI as the designcryption of σ; otherwise, it rejects σ. Note that a valid ciphertext is rejected with probability smaller than qdsc/2k across the whole game. (2) Otherwise, AGDL can answer the query according to the specification of the algorithm Signcrypt since it knows the sender idR’s private key and certificate.

Finally, AI outputs a valid ciphertext σ* = (h*, u*, c*) from id*S to id*R. If id*S ≠ idθ, then AGDL aborts. Otherwise, having the knowledge of id*R’s private key and certificate, AGDL can designcrypt σ* to obtain m* and R*. Then, AGDL uses the oracle replay technique [28] to generate one more valid ciphertext σ*′ = (h*′, u*′, c*′) from σ* such that h* ≠ h*′ and u* ≠ u*′. Since σ* and σ*′ are both valid ciphertexts for the same message and randomness, we obtain the following relations:

where h1 = H1(idθ, PKθ(1), PKθ(2)). Then, we have

Therefore, AGDL can compute

as the solution to the given GDL problem.

From the Lemma 4 in [28], if AI produces a forgery with probability ε ≥ 10(qsc + 1)(qsc + q2)/2k, then AGDL can use the oracle replay technique to generate one more valid ciphertext with advantage ε' ≥ 1/9. Since AGDL can resolve the given GDL problem after it generates one more valid ciphertext from the valid ciphertext forged by AI, we get that the advantage of AGDL in solving the GDL problem is ε' ≥ 1/9.

Also from the Lemma 4 in [28], thetime complexity of AGDL in solving the given GDL problem is bound by τ' ≤ 23qcuq2[τ + (q1 + q2 + q3 + qcer + qpri)O(1) + qcu(2τexp + O(1)) + qsc(4τexp + O(1)) + qdsc(4τexp + τrDDH + O(1))][ε(1 - qdsc/2k)(1 - qsc(q2 + q3 + 2qsc)/2k)]-1, where τexp and τrDDH respectively denote thetime for computing an exponentiation in G and the one for a call to the restricted DDH oracle.

Lemma 4. Suppose that H1 ~ H3 are random oracles and AII is a Type-II adversary against the EUF-CBSC-CMA security of the proposed scheme that makes at most qcu queries to the oracle OCreateUser-II, qpri queries to the oracle ORequestPrivateKey, qsc queries to the oracle OSigncrypt, qdsc queries to the oracle ODesigncrypt and qi queries to the random oracles Hi (1 ≤ i ≤ 3). Assume also that AII produces a forgery with probability ε ≥ 10(qsc + 1)(qsc + q2)/2k within atime τ. Then there exists an algorithm AGDL to solve the GDL problem in the group G with advantage ε' ≥ 1/9 and running time τ' ≤ 23qcuq2[τ + (q1 + q2 + q3 + qpri)O(1) + qcu(2τexp + O(1)) + qsc(4τexp + O(1)) + qdsc(4τexp + τrDDH + O(1))][ε(1 - qdsc/2k)(1 - qsc(q2 + q3+ 2qsc)/2k)]-1, where τexp and τrDDH respectively denote thetime for computing an exponentiation in G and the one for a call to the restricted DDH oracle.

Proof. Assume that AGDL is given a random GDL problem instance (G, p, g, ga, OrDDH). Its goal is to compute a by interacting with AII as follows:

At the beginning of the game, AGDL first randomly chooses α ∈ Z*p and an index θ ∈ [1, qcu]. It then computes g1 = ga and starts EUF-CBSC-CMA Game-II by supplying AII with the master key msk = α and the public parameters params = {G, p, g, g1, lm, H1, H2, H3}, where H1 ~ H3 are random oracles controlled by AGDL.

During the query-answer phase, AII can adaptively make queries to the oracles H1, H2, H3, OCreateUser-II, ORequestPrivateKey, OSigncrypt and ODesigncrypt. AGDL answers AII’s queries to H1, H2, H3, OCreateUser-II, ORequestPrivateKey and OSigncrypt in the same way as the proof of Lemma 2 and and handles other queries as follows:

ODesigncrypt queries: On receiving such a query on (σ = (h, s, c), idS, idR), AGDL does the following: (1) If idR = idθ, AGDL first runs the simulation algorithm for the random oracle H1 to get h1 = H1(idR, PKR(1), PKR(2)) and h'1 = H1(idS, PKS(1), PKS(2)), and then checks if there exist a tuple 〈m, R, idS, PKS(1), PKS(2), h〉 in H2List and a tuple 〈v, h3〉 in H3List such that R = PKS(1)⋅PKS(2)⋅g1h'1⋅gh)u, m = c ⊕ h3 and OrDDH(g, ga, R, v⋅R−CertR) = 1. If such two tuples exist, AGDL returns m to AII as the designcryption of σ; otherwise, it rejects σ. Note that a valid ciphertext is rejected with probability smaller than qdsc/2k across the whole game. (2) Otherwise, AGDL designcrypts σ in the normal way since it knows the receiver idR’s private key and certificate.

Finally, AII outputs a valid ciphertext σ* = (h*, u*, c*) from id*S to id*R. If id*S ≠ idθ, then AGDL aborts. Otherwise, having the knowledge of the userid*R’s private key and certificate, AGDL can designcrypt σ* to obtain m* and R*. Then, AGDL uses the oracle replay technique [28] to generate one more valid ciphertext σ*′ = (h*′, u*′, c*′) from σ* such that h* ≠ h*′ and u* ≠ u*′. Since σ* and σ*′ are both valid ciphertexts for the same message and randomness, we obtain the following relations:

where h1 = H1(idθ, PKθ(1), PKθ(2)). Then, we have

Therefore, AGDL can compute

as the solution to the given GDL problem.

From the Lemma 4 in [28], if AII produces a forgery with probability ε ≥ 10(qsc + 1)(qsc + q2)/2k, then AGDL can use the oracle replay technique to generate one more valid ciphertext with advantage ε' ≥ 1/9. Since AGDL can resolve the given GDL problem after it generates one more valid ciphertext from the valid ciphertext forged by AII, we get that the advantage of AGDL in solving the GDL problem is ε' ≥ 1/9.

Also from the Lemma 4 in [28], thetime complexity of AGDL in solving the given GDL problem is bound by τ'≤ 23qcuq2[τ + (q1 + q2 + q3 + qpri)O(1) + qcu(2τexp + O(1)) + qsc(4τexp + O(1)) + qdsc(4τexp + τrDDH + O(1))][ε(1 - qdsc/2k)(1 - qsc(q2 + q3 + 2qsc)/2k)]-1, where τexp and τrDDH respectively denote thetime for computing an exponentiation in G and the one for a call to the restricted DDH oracle.

5.3 Performance Comparison

We next make a comparison of our proposed scheme and the previous certificate-based signcryption schemes.

The details of the compared schemes are listed in Table 1, where we compare the schemes on computation complexity of signcryption and designcryption. We mainly consider four atomic operations: pairing, exponentiation in GT, exponentiation in G and hash. Here G is an additive or multiplicative cyclic group, GT is the target group in the setting of bilinear pairing, i.e., the bilinear pairing is e: G × G → GT. For simplicity, we denote these operations by Pa, ExpGT, ExpG and Ha respectively.

Table 1.Comparison of the certificate-based signcryption schemes

From Table 1, we can see that both the signcryption and designcryption algorithms in our scheme need computing four exponentiations and three hashes. In any other existing paring-based certificate-based signcryption scheme, the signcryption algorithm requires computing at least one bilinear pairing, five exponentiations and three hashes while the designcryption algorithm requires computing at least three pairings, two exponentiations and three hashes. Actually, the computation performance of our scheme can be further optimized when g1H1(idU,PKU(1), PKU(2)) can be pre-computed. Such a pre-computation enables us to additionally reduce one exponentiation and one hash computation in both the signcryption algorithm and the designcryption algorithm.

To give a much clearer comparison and also show that our scheme is more suitable for the computation-limited devices, we make a concretetime analysis of the compared schemes. The results are given in Table 2. Here, we estimate the computationtime of the compared schemes on a standard MICA2 sensor node. According to the experiment results in [29, 30], for 80-bit security, one pairing computation takes 1.90s and one exponentiation in the group G takes 0.32s on a MICA2 sensor node. However, the exponentiation in the target group GT takes moretime than the exponentiation in the group G because of the fact that it is computed in a field much bigger than the field in which G is defined. In usual implementations of pairing, one exponentiation in GT costs about equal to four exponentiations in G [31]. Considering that the overheads of hash operations and arithmetic operations in Z*p are very small compared to the expensive pairing and exponentiation operations, we ignore these costs in thetime analysis.

Table 2.Computationtime of the compared schemes on MICA2 sensors

From the comparison in Table 2, we can conclude that our scheme enjoys obvious advantage in the computationtime and is more suitable to be employed in the computation-limited environments.

 

6. Conclusion

In this paper, we presented a new certificate-based signcryption scheme and proved its security under the gap Diffie-Hellman assumption and the gap discrete logarithm assumption. As our proposed scheme does not require any costly pairing operation, it is more efficient than the previous certificate-based signcryption schemes which have to be based on the bilinear pairings. However, a limitation of our scheme is that its security can only be achieved in the random oracle model. So, it would be interesting to construct paring-free certificate-based signcryption in the standard model.

References

  1. A. Shamir, "Identity-based cryptosystems and signature schemes," in Proc. of Advances in Cryptology - Crypto 1984, pp. 47-53, August 19-22, 1984.
  2. S. S. Al-Riyami and K. G. Paterson, "Certificateless public key cryptography," in Proc. of Advances in Cryptology - Asiacrypt 2003, pp. 452-473, November 30-December 4, 2003.
  3. C. Gentry, "Certificate-based encryption and the certificate revocation problem," in Proc. of Advances in Cryptology - Eurocrypt 2003, pp. 272-293, May 4-8, 2003.
  4. C. Sur, C. D. Jung and K. H. Rhee, "Multi-receiver certificate-based encryption and application to public key broadcast encryption," in Proc. of 2007 ECSIS Symposium on Bio-inspired, Learning, and Intelligent Systems for Security, pp. 35-40, August 9-10, 2007.
  5. D. Galindo, P. Morillo and C. Ràfols, "Improved certificate-based encryption in the standard model," Journal of Systems and Software, vol. 81, no. 7, pp. 1218-1226, July, 2008. https://doi.org/10.1016/j.jss.2007.09.009
  6. J. K. Liu and J. Zhou, "Efficient certificate-based encryption in the standard model," in Proc. of 6th Int. Conf. on Security and Cryptography for Networks, pp. 144-155, September 10-12, 2008.
  7. Y. Lu, J. Li and J. Xiao, "Constructing efficient certificate-based encryption with paring," Journal of Computers, vol. 4, no. 1, pp. 19-26, January, 2009.
  8. Z. Shao, "Enhanced certificate-based encryption from pairings," Computers and Electrical Engineering, vol. 37, no. 2, pp. 136-146, March, 2011. https://doi.org/10.1016/j.compeleceng.2011.01.007
  9. Y. Lu and J. Li, "Constructing pairing-free certificate-based encryption," International Journal of Innovative Computing, Information and Control, vol. 9, no. 11, pp. 4509-4518, November, 2013.
  10. J. Yao, J. Li and Y. Zhang, "Certificate-based encryption scheme without pairing," KSII Transactions on Internet and Information Systems, vol. 7, no. 6, pp. 1480-1491, June, 2013. https://doi.org/10.3837/tiis.2013.06.008
  11. B. G. Kang, J. H. Park and S. G. Hahn, "A certificate-based signature scheme," in Proc. of Topics in Cryptology - CT-RSA 2004, pp. 99-111, February 23-27, 2004.
  12. M. H. Au, J. K. Liu, W. Susilo and T. H. Yuen, "Certificate based (linkable) ring signature," in Proc. of 3rd Information Security Practice and Experience Conference, pp.79-92, May 7-9, 2007.
  13. J. Li, X. Huang, Y. Mu, W. Susilo and Q. Wu, "Certificate-based signature: security model and efficient construction," in Proc. of 4th European PKI Workshop Theory and Practice, pp. 110-125, June 28-30, 2007.
  14. J. Li, X. Huang, Y. Mu, W. Susilo and Q. Wu, "Constructions of certificate-based signature secure against key replacement attacks," Journal of Computer Security, vol. 18, no. 3, pp. 421-449, August, 2010. https://doi.org/10.3233/JCS-2009-0366
  15. J. K. Liu, J. Baek, W. Susilo, and J. Zhou, "Certificate based signature schemes without pairings or random oracles," in Proc. of 11th Information Security conference, pp. 285-297, September 15-18, 2008.
  16. W. Wu, Y. Mu, W. Susilo, X. Huang, "Certificate-based signatures, revisited," Journal of Universal Computer Science, vol. 15, no. 8, pp. 1659-1684, 2009.
  17. Y. Zheng, "Digital signcryption or how to achieve cost (signature & encryption) << cost (signature) + cost (encryption)," in Proc. of Advances in Cryptology - Crypto 1997, pp. 165-179, August 17-21, 1997.
  18. F. Li, X. Xin and Y. Hu, "Efficient certificate-based signcryption scheme from bilinear pairings," International Journal of Computers and Applications, vol. 30, no. 2, pp. 129-133, March, 2008. https://doi.org/10.1080/1206212X.2008.11441891
  19. L. Chen and J.Malone-Lee, "Improved identity-based signcryption," in Proc. of 8th Int. Workshop on Theory and Practice in Public Key Cryptography, pp. 362-379, January 23-26, 2005.
  20. M. Luo, Y. Wen and H. Zhao, "A certificate-based signcryption scheme," in Proc. of 2008 Int. Conf. on Computer Science and Information Technology, pp. 17-23, August 29 - September 2, 2008.
  21. M. Bellare and P. Rogaway, "Random oracles are practical: a paradigm for designing efficient protocols," in Proc. of 1st ACM Conf. on Communications and Computer Security, pp. 62-73, November 3-5, 1993.
  22. J. Li, X. Huang, M. Hon and Y. Zhang, "Certificate-based signcryption with enhanced security features," Computers & Mathematics with Applications, vol. 64, no. 6, pp. 1587-1601, September, 2012. https://doi.org/10.1016/j.camwa.2012.01.006
  23. C. P. Schnorr, "Efficient identifications and signatures for smart cards," in Proc. of Advances in Cryptology - Crypto 1989, pp. 239-252, August 20-24, 1989.
  24. C. P. Schnorr, "Efficient signature generation by smart cards," Journal of Cryptology, vol. 4, no. 3, pp. 161-174, March, 1991.
  25. E. Fujisaki and T. Okamoto, "How to enhance the security of public-key encryption at minimum cost," in Proc. of 2nd Int. Workshop on Theory and Practice in Public Key Cryptography, pp. 53-68, March 1-3, 1999.
  26. T. Okamoto and D. Pointcheval, "The gap-problems: a new class of problems for the security of cryptographic schemes," in Proc. of 4th Int. Workshop on Theory and Practice in Public Key Cryptography, pp. 104-118, February 13-15, 2001.
  27. J. Baek, R. Steinfeld and Y. Zheng, "Formal proofs for the security of signcryption," Journal of Cryptology, vol. 20, no. 2, pp. 203-235, 2007. https://doi.org/10.1007/s00145-007-0211-0
  28. D. Pointcheval and J. Stern, "Security arguments for digital signatures and blind signatures," Journal of Cryptology, vol. 13, no. 3, pp. 361-396, 2000. https://doi.org/10.1007/s001450010003
  29. L. B. Oliveira, D. F. Aranha, C. P. L. Gouvêa, M. Scott, D. F. Câmara, J. López and R. Dahab, "TinyPBC: Pairings for authenticated identity-based non-interactive key distribution in sensor networks," Computer Communications, vol. 34, no. 3, pp. 485-493, 2011. https://doi.org/10.1016/j.comcom.2010.05.013
  30. D. F. Aranha, R. Dahab, J. López, and L. B. Oliveira, "Efficient implementation of elliptic curve cryptography in wireless sensors," Advances in Mathematics of Communications, vol. 4, no. 2, pp. 169-187, 2010. https://doi.org/10.3934/amc.2010.4.169
  31. L. Chen, P. Morrissey and N. P. Smart, "Pairings in trusted computing," in Proc. of 2nd International Conference on Pairing-based Cryptography, pp. 1-17, September 1-3, 2008.

Cited by

  1. Analysis of Certificateless Signcryption Schemes and Construction of a Secure and Efficient Pairing-free one based on ECC vol.12, pp.9, 2018, https://doi.org/10.3837/tiis.2018.09.022
  2. Pairing Free Certificate Based Signcryption Schemes Using ECQV Implicit Certificates vol.13, pp.3, 2019, https://doi.org/10.3837/tiis.2019.03.024