Provably secure certificateless encryption scheme in the standard model

Abstract

Recently, numerous certificateless encryption (CLE) schemes have been introduced. The security proofs of most schemes are given under the random oracle model (ROM). In the standard model, the adversary is able to calculate the hash function instead of asking the challenger. Currently, there is only one scheme that was proved to be secure in SM. In this paper, we constructed a new CLE scheme and gave the security proofs in SM. In the new scheme, the size of the storage space required by the system is constant. The computation cost is lower than other CLE schemes due to it needs only two pairing operations.

1. Introduction

With the continuous advancement of communication technique, a large amount of information is transmitted through the network, which improves work efficiency and brings convenience to people’s lives. In the same way, this also leads criminals to easily steal information from others through the Internet. People enjoy the convenience brought by information technology and also bear the risk of disclosure of personal privacy information. Public key encryption technology has become an important means to achieve information security. In order to meet different needs, researchers have done much work to build specific public key encryption schemes in recent years.

In public key infrastructure (PKI), the user freely picks his/her own private key, then generates a public key and sends it to the certification authority (CA). CA generates a certificate to bind the user to his/her public key. A large amount of fees are used for the safekeeping, storage and transmission of certificates. To resolve the problem, Shamir [1] came up with identity-based cryptography. The user's sole personal information (email address, identity number, etc.) is his/her public key. Private key generator (PKG) yields the private key based on the public key and forwards it to the user. The information security of all users will be threatened if PKG is captured by an adversary. In 2003, Al-Riyami and Paterson [2] came up with certificateless cryptography. For one thing, the user picks a confidential value and yields a partial public key. For another, the user gets a partial private key, yielded by a key generation center (KGC) based on the identity information, through an authenticated channel.

1.1. Related work

Al-Riyami and Paterson [2] came up with the first CLE scheme. But, Libert and Quisquater [3] demonstrated that the scheme [2] is insecure, and put forward a means to construct CLE schemes with provably security. In 2010, Sun and Li [4] proposed a new CLE scheme with short-ciphertext, and proved it to be secure against chosen-ciphertext attacks (CCAs). In 2005, Baek et al. [5] presented a CLE scheme that does not require pairing operation. Sun et al. [6] indicated that the scheme [5] can achieve the security goals only in a weaker model, where Type I adversary is not allowed to change the user's public key. In 2013, Yan et al. [7] put forward a pairing-free CLE scheme and provided the security proofs in ROM. In same year, Guo et al. [8] brought forward a CLE scheme that does not require pairing operation. However, Deng et al. [9] pointed out that there are security flaws in scheme [8], then proposed a modified scheme. In 2018, Zhou et al. [10] came up with a CLE scheme that does not require pairing operation, and showed that it is secure against CCAs. In 2015, SK Hafizul et al. [11] put forward a certificateless multi-receiver encryption (CLMRE) scheme, and provided security proofs in ROM. In 2017, He et al. [12] proposed a pairing-free CLMRE scheme, which is efficient due to no Hash-to-Point (HTP) operation is required. In the same year, Gao et al. [13] brought forward a new CLMRE scheme, and proved that the receiver’s identity information will not be leaked.

In 2007, Huang and Wong [14] came up with a common structure of CLE, which is provably secure in SM against the KGC attacks. In 2008, Dent et al. [15] presented a new CLE scheme, and asserted that it achieved confidentiality of the message in SM. But, Hwang et al. [16] indicated that the ciphertext indistinguishability against the KGC attacks does not hold for the scheme [15], then constructed a new CLE scheme. In 2009, Zhang and Wang [17] pointed out that the ciphertext indistinguishability against the key replacement attacks does not hold for the scheme [16], then constructed a new CLE scheme. However, Shen et al. [18] indicated that the ciphertext indistinguishability against the type II adversary does not hold for the scheme [17]. In 2014, Cheng et al. [19] evidenced that the ciphertext indistinguishability against the KGC attacks does not hold for the scheme [16], then proposed an improved scheme with provably security in SM. Reza et al. [20] put forward a common means to design CLE schemes with provably security in SM against CCAs, which come from a secure identity-based encryption scheme against chosen-plaintext attacks (CPAs).

1.2. Motivations and contributions

To increase security levels and reduce computing costs, researchers have proposed many CLE schemes. However, two problems remain in these schemes.

• Security proofs for most known CLE schemes are given in ROM

As we all know, the cryptography scheme provided with the security proofs in the ROM may be unsafe in a real situation. Therefore, these CLE schemes with provable security in ROM may be insecure in actual scenarios.

• High computation and storage costs

In the last ten years, scholars have proposed several concrete CLE schemes [15, 16, 17, 19], and tried to prove that they are secure in SM. However, there is only one scheme [19] that has been proven to be secure in SM. In these schemes [15, 16, 19], the size of the storage space required by the system is linearly related to the size of the user's identity information, and the times of addition operations on the elliptic curve group increases linearly with the size of the user's identity information. These increase the storage burden and computation cost for the users and the key generation center.

It is attractive to design an efficient CLE scheme and provide the security proofs in SM. We summarized the contributions as follows.

• We introduce the system model and security requirements of a CLE scheme in SM.

• We bring forward a new CLE scheme and offer the security proofs in SM. In order to get the hash function value, the adversary does not need to query the challenger, but directly calculates the hash function.

• We give a comparison of the efficiency between three CLE schemes. In the new scheme, it was constant that the size of the storage space required by the system. It was constant that the number of three kinds of operations (addition, scalar multiplication, and pairing), so the computational cost is lower than other CLE schemes.

1.3. Organization

We introduce mathematical tools, system model and security requirements in Section 2, Section 3, and Section 4, respectively. We give a new CLE scheme and the security proofs in Section 5 and Section 6, respectively. We demonstrate an efficiency analysis of three CLE schemes in Section 7. We present some conclusions in Section 8.

2. Preliminaries

In this section, we introduce two mathematical tools: bilinear pairing and decisional bilinear Diffie-Hellman problem. Table 1 lists the notations used in the paper.

Table 1. Notations

Bilinear pairing 

Let \(\hat{e}\) :\(G_{1} \times G_{1} \rightarrow G_{2}\)  be a mapping with the following attributes, where \(G_{1}=(P)\) and \(G_{2}\) are the additive and multiplicative groups of the q order, respectively

• Bilinearity: \(\hat{e}\left(a P_{1}, b P_{2}\right)=\hat{e}\left(P_{1}, P_{2}\right)^{a b}\) for all \(P_{1}, P_{2} \in G_{1}\)and \(a, b \in Z_{q}^{*}\)

• Non-degeneracy: There exist \(P_{1}, P_{2} \in G_{1}\) such that \(\hat{e}\left(P_{1}, P_{2}\right) \neq 1_{C_{2}}\)

• Computability: It is not difficult to compute \(\hat{e}\left(P_{1}, P_{2}\right)\) for all \(P_{1}, P_{2} \in G_{1}\)

Definition 1. Decisional bilinear Diffie-Hellman (DBDH) problem. Let \(\hat{e}: G_{1} \times G_{1} \rightarrow G_{2}\) be a bilinear pairing. For \(P \in G_{1}, \quad X \in G_{2},\) input a tuple \((P, a P, b P, c P, X),\) decide whether \(X=\hat{e}(P, P)^{\mathrm{abc}}\).

3. System Model

A CLE scheme involves three distinct entities: key generation center (KGC), encryptor and decryptor, as shown in Fig. 1.

• KGC: It generates and publishes the system parameters. In addition, it yields a partial private key for the user.

• Encryptor: He encrypts a message to be a ciphertext by using the receiver’s public key, then forwards that to the receiver.

• Decryptor: He obtains a message by decrypting the ciphertext with own private key.

Fig. 1. Certificateless encryption

A CLE scheme is constituted with the following six algorithms:

• Setup: Inputs a parameter v , KGC yields the msk (master secret key) and the params (system parameters).

• PPK-Extract: Inputs an identity \(I D_{i} \in\{0,1\}^{*}\), KGC yields a partial private key \(D_{i}\)and dispatches it to the user through a reliable channel.

• SV-Set: The user \(ID_{i}\) picks a secret value\(t_{i}\).

• UPK-Generate: The user \(ID_{i}\) outputs his public key \(PK_{i}\)

• Encrypt: Inputs a tuple \((m,ID_{i},PK_{i})\) , the encryptor outputs a ciphertext \(σ .\)

• Decrypt: Inputs a tuple\((σ,ID_{i},PK_{i})\)  , the decryptor outputs a message _mor the symbol “0”.

4. Security Requirements

We described the security requirements in this section.

Definition 2. If the adversary's ascendency is insignificant in the coming two games, then the CLE scheme is indistinguishable (IND-CLE)

Game I. A challenger \(\mathfrak{C}\) and a Type I adversary \(A_{1}\) play this game together.

Initialization. ℭ gets msk and params by implementing the Setup algorithm, maintains msk secret and forwards paramsto \(A_{1}\)

Phase 1. A₁ performs multiple types of queries.

• UPK-Query: ℭ outputs a user public key PK_i when A₁ inputs an identity \(ID_{i}\) .

• UPK-Replacement: ℭ replaces \(PK_{i}\)  with \(P K_{i}^{\prime}\)  when \(A_{1}\) inputs a tuple \((ID_{i},PK_{i}^{\prime})\)

• PPK-Query: ℭ outputs a partial public key \(D_{i}\)  when \(A_{1}\) submits an identity \(ID_{i}\). ℭ refuses to answer if the value Ri has been replaced.

• SV-Query: ℭ outputs a secret value \(t_{i}\) when A₁ inputs an identity \(ID_{i}\)  . ℭ refuses to answer if the value T_i has been replaced.

• ENC-Query: ℭ outputs a ciphertext σ when A₁ submits a tuple \((m,ID_{i},PK_{i})\).

• DEC-Query: ℭ returns a message m or the symbol “0” when A₁ submits a tuple \((σ,ID_{i},PK_{i})\)

Challenge. A₁ submits a tuple \(\left(m_{0}, m_{1}, I D^{*}, P K^{*}\right)\) ℭ randomly selects a bit \(\mu \in\{0,1\}\) and offers A₁ with \(\sigma^{*}\) \(=Encrypt\left(m_{\mu}, I D^{*}, P K^{*}\right) \) That fulfills the following conditions:

1. m₀ and m₁ are two equal length messages.

2. A₁ did not make the PPK-Query for ID^∗ .

Phase 2. A₁ executes various queries again, which fulfills the following requirements.

1. A₁ did not make the PPK-Query for ID^∗ .

2. A₁ did not make the DEC-Query for σ^∗ .

Response. A₁ returns a bit µ' and wins if µ µ ' = .

The advantage of A₁ is defined as: \(Adv_{A_{1}}^{IND-CLE}=\left|\operatorname{Pr}\left[\mu^{\prime}=\mu\right]-\frac{1}{2}\right|\)

Game II. A challenger ℭ and a Type II adversary A₂ play this game together.

Initialization. ℭ gets msk and params by implementing the Setup algorithm, then forwards them to A₂ .

Phase 1. A₂ makes a series of queries as those in Game I.

Challenge. A₂ submits a tuple (m₀ ,m₁ ,ID^* ,PK^*  )  , ℭ randomly selects a bit µ ∈{0 1, } , provides A₂

withσ^∗ = Encrypt(m_u ,ID_^* ,PK^* )  , which satisfy the following requirements.

1. m₀ and m₁ are two equal length messages.

2. A2 did not perform SV-Query for ID^∗ .

3. A₂ did not perform UPK-Replacement for T^∗ .

Phase 2. A₂ executes various queries again, which satisfy the following requirements.

1. A₂ did not make SV-Query for ID^∗ .

2. A₂ did not perform UPK-Replacement for T^∗ .

3. A₂ did not make the DEC-Query for σ^∗ .

Response. A₂ returns a bit µ' and wins if µ µ ' = .

The advantage of A₂ is defined as: \(A d v_{A_{2}}^{I N D-C L E}=\left|\operatorname{Pr}\left[\mu^{\prime}=\mu\right]-\frac{1}{2}\right|\)

5. New scheme 

We constructed a new CLE scheme in this section. In the three schemes [15, 16, 19], the private key is generated based on each bit of the user's identity information. In our scheme, the identity information of the user is a whole, and the private key is generated based on the identity information, rather than directly related to each bit of the identity information. Our scheme is constituted with the following algorithms.

• Setup: Inputs a security parameter v , KGC does as follows.

1. Chooses two groups G₁ and G₂ with prime order q>2v , a generator _P of G₁ and a bilinear pairingê : G₁ x G₁ → G_2.

2. Selects three hash functions H₁ ,H₂ : {0 1}* → Z^*_q , H₃ : {0,1}^* + {0,1}^l1+l2.

3. Sets the message space M = {0,1}^l1

4. Chooses a number x∈Z^*_q , computes P_pub = xPand sets msk ={x} .

5. Publish params = {G₁, G₂, q, ê, P, P_pub, H₁, H₂, H₃}.