
Identity-Based Combined Public Key Schemes for Signature, Encryption, and Signcryption

Conference paper. In: Information Technology and Applied Mathematics. Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 699).

Abstract

Signature, encryption, and signcryption are three basic cryptographic primitives in public key cryptography. In this paper, we discuss identity-based combined public key schemes for these three primitives: signature, encryption, and signcryption. The advantage of a combined public key scheme is that it reduces the burden of key management, since the same key pair is used for signature, encryption, and signcryption. We give an identity-based combined signature and encryption (IBCSE) scheme based on Cha and Cheon’s signature and Boneh and Franklin’s encryption. In addition, we point out that the security notions for combined signature, encryption, and signcryption defined by Paterson et al. at ASIACRYPT 2011 are too strong. We define relatively weak but more reasonable security notions for identity-based combined signature, encryption, and signcryption (IBCSESC). We give a weakly secure IBCSESC scheme that satisfies our weak security notions and a strongly secure IBCSESC scheme that satisfies the strong security notions.


References

  1. Zheng, Y.: Digital signcryption or how to achieve cost(signature & encryption) \(\ll\) cost(signature) + cost(encryption). In: Kaliski Jr., B.S. (ed.) CRYPTO’97. LNCS, vol. 1294, pp. 165–179. Springer, Heidelberg (1997)
  2. An, J.H., Dodis, Y., Rabin, T.: On the security of joint signature and encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 83–107. Springer, Heidelberg (2002)
  3. Baek, J., Steinfeld, R., Zheng, Y.: Formal proofs for the security of signcryption. J. Cryptol. 20(2), 203–235 (2007)
  4. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO’84. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1984)
  5. Hess, F.: Efficient identity based signature schemes based on pairings. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 310–324. Springer, Heidelberg (2003)
  6. Cha, J.C., Cheon, J.H.: An identity-based signature from gap Diffie-Hellman groups. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 18–30. Springer, Heidelberg (2003)
  7. Paterson, K.G., Schuldt, J.C.N.: Efficient identity-based signatures secure in the standard model. In: Batten, L., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 207–222. Springer, Heidelberg (2006)
  8. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)
  9. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)
  10. Boyen, X.: Multipurpose identity-based signcryption: a Swiss army knife for identity-based cryptography. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 383–399. Springer, Heidelberg (2003)
  11. Chen, L., Malone-Lee, J.: Improved identity-based signcryption. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 362–379. Springer, Heidelberg (2005)
  12. Barreto, P.S.L.M., Libert, B., McCullagh, N., Quisquater, J.J.: Efficient and provably-secure identity-based signatures and signcryption from bilinear maps. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 515–532. Springer, Heidelberg (2005)
  13. Haber, S., Pinkas, B.: Securely combining public-key cryptosystems. In: 8th ACM Conference on Computer and Communications Security (CCS 2001), Philadelphia, Pennsylvania, USA, pp. 215–224 (2001)
  14. EMV Specifications, Version 4.2, Books 1–4 (June 2008). http://www.emvco.com/
  15. Fan, J., Zheng, Y., Tang, X.: A single key pair is adequate for the Zheng signcryption. In: Parampalli, U., Hawkes, P. (eds.) ACISP 2011. LNCS, vol. 6812, pp. 371–388. Springer, Heidelberg (2011)
  16. Paterson, K.G., Schuldt, J.C.N., Stam, M., Thomson, S.: On the joint security of encryption and signature, revisited. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 161–178. Springer, Heidelberg (2011)
  17. Chen, C., Chen, J., Lim, H.W., Feng, D.G.: Combined public-key schemes: the case of ABE and ABS. In: Takagi, T., Wang, G., Qin, Z., Jiang, S., Yu, Y. (eds.) ProvSec 2012. LNCS, vol. 7496, pp. 53–69. Springer, Heidelberg (2012)
  18. Degabriele, J.P., Lehmann, A., Paterson, K.G., Smart, N.P., Strefler, M.: On the joint security of encryption and signature in EMV. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 116–135. Springer, Heidelberg (2012)
  19. Vasco, M.I.G., Hess, F., Steinwandt, R.: Combined schemes for signature and encryption: the public-key and the identity-based setting. Inf. Comput. 247, 1–10 (2016)


Acknowledgements

We would like to thank the anonymous reviewers for their valuable comments and suggestions. This work is supported by the National Natural Science Foundation of China (Grant No. 61272525) and the Fundamental Research Funds for the Central Universities (Grant No. ZYGX2016J081).

Author information

Corresponding author: Fagen Li.

Appendix

1   Proof of Theorem 2

Proof

If an adversary \(\mathcal {F}\) can break the strong EUF-ID-CMA of the signature component of \(\mathcal {IBCSESC}\), then one can construct an adversary \(\mathcal {F}'\) that can break EUF-ID-CMA of the signature component of \(\mathcal {IBCSE}\).

  • Initial: \(\mathcal {F}'\) is given the system public parameters par that it passes to \(\mathcal {F}\).

  • Attack: \(\mathcal {F}'\) answers \(\mathcal {F}\)’s queries below.

    • For a key extraction query on ID, \(\mathcal {F}'\) submits ID to its key extraction oracle and returns the result to \(\mathcal {F}\).

    • For a signature query on (m, ID), \(\mathcal {F}'\) submits (0||m, ID) to its signature oracle and passes the result to \(\mathcal {F}\).

    • For a decryption query on (c, ID), \(\mathcal {F}'\) submits (c, ID) to its decryption oracle to get \(m'\). If \(m'=\bot \), \(\mathcal {F}'\) returns \(\bot \). Otherwise, \(\mathcal {F}'\) parses \(m'\) as tag||m. Then, \(\mathcal {F}'\) sets \(tag=0\) and returns m to \(\mathcal {F}\).

    • For a signcryption query on \((m,\textit{ID}_s,\textit{ID}_r)\), \(\mathcal {F}'\) first submits \((1||\textit{ID}_r||m,\textit{ID}_s)\) to its signature oracle and gets the signature \(\sigma \). Then, \(\mathcal {F}'\) sets \(tag=1||\textit{ID}_s\) and computes \(c=\)  \(\mathcal {IBCSE}\).Encrypt\((par,tag||m||\sigma ,\textit{ID}_r)\). Finally, \(\mathcal {F}'\) returns c to \(\mathcal {F}\).

    • For an unsigncryption query on \((c,\textit{ID}_s,\textit{ID}_r)\), \(\mathcal {F}'\) submits \((c,\textit{ID}_r)\) to its decryption oracle to get \(m'\). If \(m'=\bot \), \(\mathcal {F}'\) returns \(\bot \). Otherwise, \(\mathcal {F}'\) parses \(m'\) as \(tag||m||\sigma \) with \(tag=1||\textit{ID}_s\), and checks whether

      $$\top =\mathcal {IBCSE}.\mathbf{Verify}(par,\sigma ,1||\textit{ID}_r||m,\textit{ID}_s)$$

      holds. If yes, \(\mathcal {F}'\) returns m to \(\mathcal {F}\). Otherwise, it returns \(\bot \) to \(\mathcal {F}\).

  • Forgery: \(\mathcal {F}\) finally outputs a message \(m^*\), an identity \(\textit{ID}^*\), and a signature \(\sigma ^*\). If \(\mathcal {F}\)’s forgery is valid, then we have \(\top \,=\,\) \(\mathcal {IBCSE}\).Verify\((par,\sigma ^*,0||m^*,\textit{ID}^*)\). In addition, \(\mathcal {F}\) has asked neither a key extraction query on \(\textit{ID}^*\) nor a signature query on \((m^*,\textit{ID}^*)\). Therefore, \(\mathcal {F}'\) has queried neither \(\textit{ID}^*\) to its key extraction oracle nor \((0||m^*,\textit{ID}^*)\) to its signature oracle. \(\mathcal {F}'\) outputs the message \(0||m^*\), the identity \(\textit{ID}^*\), and the signature \(\sigma ^*\). It is obvious that \(\mathcal {F}'\) succeeds with the same probability as \(\mathcal {F}\).

Note that \(\mathcal {F}\) can make a signcryption query on \((m^*,\textit{ID}^*,\textit{ID}_r)\). However, the result is not useful since the returned \(\sigma \,\,=\,\) \(\mathcal {IBCSE}\).Sign\((par,1||\textit{ID}_r||m^*,\textit{ID}^*,S_{\textit{ID}^*})\). The signature verification equation \(\mathcal {IBCSE}\).Verify\((par,\sigma ,0||m^*,\textit{ID}^*)\) must output the \(\bot \) symbol.\(\square \)

2   Proof of Theorem 3

Proof

If an adversary \(\mathcal {A}\) can break strong IND-ID-CCA2 of the encryption component of \(\mathcal {IBCSESC}\), then one can construct an adversary \(\mathcal {A}'\) that can break IND-ID-CCA2 of the encryption component of \(\mathcal {IBCSE}\).

  • Initial: \(\mathcal {A}'\) is given system public parameters par that it passes to \(\mathcal {A}\).

  • Phase 1: \(\mathcal {A}'\) answers \(\mathcal {A}\)’s queries as in the proof of Theorem 2.

  • Challenge: \(\mathcal {A}\) generates two challenged messages \((m_0,m_1)\) with the same length and an identity \(\textit{ID}^*\). \(\textit{ID}^*\) has not been submitted to a key extraction query in Phase 1. So, \(\mathcal {A}'\) has not queried \(\textit{ID}^*\) to its key extraction oracle. \(\mathcal {A}'\) sets \(tag=0\) and submits two messages \(tag||m_0\), \(tag||m_1\) and identity \(\textit{ID}^*\) as its challenge. Finally, \(\mathcal {A}'\) gets the challenged ciphertext \(c^*\) which it passes to \(\mathcal {A}\).

  • Phase 2: \(\mathcal {A}\) can adaptively ask a polynomially bounded number of queries again as in Phase 1. \(\mathcal {A}'\) answers \(\mathcal {A}\)’s queries as in Phase 1. Since \(\mathcal {A}\) cannot ask a key extraction query on \(\textit{ID}^*\) and cannot ask a decryption query on \((c^*,\textit{ID}^*)\), \(\mathcal {A}'\) does not submit \(\textit{ID}^*\) to its key extraction oracle and does not submit \((c^*,\textit{ID}^*)\) to its decryption oracle.

  • Guess: \(\mathcal {A}\) finally outputs a guess \(\gamma '\), and \(\mathcal {A}'\) outputs the same guess. It is obvious that \(\mathcal {A}'\) succeeds with the same probability as \(\mathcal {A}\).

\(\mathcal {A}\) can ask an unsigncryption query on \((c^*(\mathrm{or\,\, variations\,\, of\,\,} c^*),\textit{ID}_s,\textit{ID}^*)\). However, the result is not useful, since we use different tags. In \(\mathcal {IBCSESC}\).Encrypt, we encrypt tag||m with \(tag=0\). In \(\mathcal {IBCSESC}\).Signcrypt, we encrypt \(tag||m||\sigma \) with \(tag=1||\textit{ID}_s\). \(\mathcal {A}\) must receive the \(\bot \) symbol if it makes such a query.\(\square \)

3   Proof of Theorem 4

Proof

If an adversary \(\mathcal {F}\) can break strong EUF-ID-CMA of the signcryption component of \(\mathcal {IBCSESC}\), then one can construct an adversary \(\mathcal {F}'\) that can break EUF-ID-CMA of the signature component of \(\mathcal {IBCSE}\).

  • Initial: \(\mathcal {F}'\) is given system public parameters par which it passes to \(\mathcal {F}\).

  • Attack: \(\mathcal {F}'\) answers \(\mathcal {F}\)’s queries as in the proof of Theorem 2.

  • Forgery: \(\mathcal {F}\) produces a ciphertext \(c^*\), a sender’s identity \(\textit{ID}_s^*\), and a receiver’s identity \(\textit{ID}_r^*\). \(\mathcal {F}'\) first asks a key extraction query on \(\textit{ID}_r^*\) to get \(S_{\textit{ID}_r^*}\). Then, \(\mathcal {F}'\) computes \(m'=\) \(\mathcal {IBCSE}\).Decrypt\((par,c^*,\textit{ID}_r^*,S_{\textit{ID}_r^*})\). If \(\mathcal {F}\)’s forgery is valid, then we have \(m'=tag||m^*||\sigma ^*\) and \(tag=1||\textit{ID}_s^*\) such that \(\top =\) \(\mathcal {IBCSE}\).Verify\((par,\sigma ^*,1||\textit{ID}_r^*||m^*,\textit{ID}_s^*)\). In addition, \(\mathcal {F}\) has asked neither a key extraction query on \(\textit{ID}_s^*\) nor a signcryption query on \((m^*,\textit{ID}_s^*,\textit{ID}_r^*)\). So, \(\mathcal {F}'\) has queried neither \(\textit{ID}_s^*\) to its key extraction oracle nor \((1||\textit{ID}_r^*||m^*,\textit{ID}_s^*)\) to its signature oracle. \(\mathcal {F}'\) outputs the message \(1||\textit{ID}_r^*||m^*\), the identity \(\textit{ID}_s^*\), and the signature \(\sigma ^*\). It is obvious that \(\mathcal {F}'\) succeeds with the same probability as \(\mathcal {F}\).

Note that \(\mathcal {F}\) can ask a signature query on \((m^*,\textit{ID}_s^*)\). However, the result is not useful for \(\mathcal {F}\), since the returned \(\sigma =\)  \(\mathcal {IBCSE}\).Sign\((par,0||m^*,\textit{ID}_s^*,S_{\textit{ID}_s^*})\). In the unsigncryption algorithm, the verification \(\mathcal {IBCSE}\).Verify\((par,\sigma ,1||\textit{ID}_r||m^*,\textit{ID}_s^*)\) must output the \(\bot \) symbol. \(\square \)

4   Proof of Theorem 5

Proof

If an adversary \(\mathcal {A}\) can break the strong IND-ID-CCA2 of the signcryption component of \(\mathcal {IBCSESC}\), then one can construct an adversary \(\mathcal {A}'\) that can break IND-ID-CCA2 of the encryption component of \(\mathcal {IBCSE}\).

  • Initial: \(\mathcal {A}'\) is given system public parameters par which it passes to \(\mathcal {A}\).

  • Phase 1: \(\mathcal {A}'\) answers \(\mathcal {A}\)’s queries as in the proof of Theorem 2.

  • Challenge: \(\mathcal {A}\) generates two challenged plaintexts \((m_0,m_1)\) with the same length, a sender’s identity \(\textit{ID}_s^*\), and a receiver’s identity \(\textit{ID}_r^*\). \(\textit{ID}_r^*\) has not been submitted to a key extraction query in Phase 1. So, \(\mathcal {A}'\) has not queried \(\textit{ID}_r^*\) to its key extraction oracle. \(\mathcal {A}'\) first submits \(1||\textit{ID}_r^*||m_0\) and \(1||\textit{ID}_r^*||m_1\) to its signature oracle and gets the signatures \(\sigma _0^*\) and \(\sigma _1^*\), respectively. Then, \(\mathcal {A}'\) sets \(tag=1||\textit{ID}_s^*\) and submits the two messages \(tag||m_0||\sigma _0^*\), \(tag||m_1||\sigma _1^*\) and the identity \(\textit{ID}_r^*\) as its challenge. Finally, \(\mathcal {A}'\) gets the challenged ciphertext \(c^*\), which it passes to \(\mathcal {A}\).

  • Phase 2: \(\mathcal {A}\) can adaptively ask a polynomially bounded number of queries again as in Phase 1. \(\mathcal {A}'\) answers \(\mathcal {A}\)’s queries as in Phase 1. Since \(\mathcal {A}\) cannot ask a key extraction query on \(\textit{ID}_r^*\) and cannot ask an unsigncryption query on \((c^*,\textit{ID}_s^*,\textit{ID}_r^*)\), \(\mathcal {A}'\) does not submit \(\textit{ID}_r^*\) to its key extraction oracle and does not submit \((c^*,\textit{ID}_r^*)\) to its decryption oracle.

  • Guess: \(\mathcal {A}\) finally outputs a guess \(\gamma '\), and \(\mathcal {A}'\) outputs the same guess. It is obvious that \(\mathcal {A}'\) succeeds with the same probability as \(\mathcal {A}\).

Note that \(\mathcal {A}\) can make a decryption query on \((c^*(\mathrm{or\,\, variations\,\, of\,\,} c^*),\textit{ID}_r^*)\). Similarly, the result is not useful, since we use different tags in \(\mathcal {IBCSESC}\).Encrypt and \(\mathcal {IBCSESC}\).Signcrypt. \(\mathcal {A}\) must receive the \(\bot \) symbol if it makes such a query. \(\square \)
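All four proofs above rest on one design property of \(\mathcal {IBCSESC}\): every message that reaches the underlying \(\mathcal {IBCSE}\) carries a tag, so a value obtained from one primitive cannot be replayed through another. The following is an added example written for this page, not code from the paper. It implements the composition as the proofs describe it (Sign and Encrypt on \(0||m\); Signcrypt signing \(1||\textit{ID}_r||m\) under \(\textit{ID}_s\) and encrypting \(1||\textit{ID}_s||m||\sigma\) to \(\textit{ID}_r\); Decrypt and Unsigncrypt returning \(\bot\) on any tag mismatch) and then runs the cross-primitive cases that the notes after each proof call "not useful". The underlying IBCSE is a stand-in of my own: a Schnorr signature and hashed-ElGamal encryption over a freshly generated 256-bit Schnorr group, with the key generation centre folded into the scheme object and identities mapped to public values through its master secret, instead of the pairing-based Cha-Cheon and Boneh-Franklin components the paper builds on. The identities, the sample message, the length-prefix encoding of identities and all function names are constructed for this example.

```python
import hashlib, hmac, secrets

def _is_prime(n, rounds=16):  # Miller-Rabin; adequate for generating the demo group
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(bits):  # (p, q) with p = 2q + 1 both prime, so g = 4 has order exactly q
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_prime(q) and _is_prime(2 * q + 1):
            return 2 * q + 1, q

def _stream(key, data):  # SHA-256 counter keystream XORed onto data
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class IBCSE:
    """Stand-in IBCSE: Schnorr signatures plus hashed-ElGamal encryption (encrypt-then-MAC) sharing one
    key per identity. The KGC role is folded in; the paper's pairing-based scheme uses ID itself as key."""
    def __init__(self, bits=256):  # a 256-bit group keeps generation fast; not a deployment parameter
        self.p, self.q = _safe_prime(bits)
        self.g, self.nb, self.msk = 4, bits // 8, secrets.token_bytes(32)
    def extract(self, ID):  # private key S_ID, derived from the master secret
        return int.from_bytes(hmac.new(self.msk, ID, "sha256").digest(), "big") % (self.q - 1) + 1
    def _hq(self, *parts):  # hash length-prefixed parts into Z_q
        data = b"".join(len(x).to_bytes(4, "big") + x for x in parts)
        return int.from_bytes(hashlib.sha256(data).digest(), "big") % self.q
    def _keys(self, shared):  # distinct encryption and MAC keys from the shared secret
        return tuple(hashlib.sha256(l + shared.to_bytes(self.nb, "big")).digest() for l in (b"enc", b"mac"))
    def sign(self, m, ID, S_ID):
        k = secrets.randbelow(self.q - 1) + 1
        e = self._hq(pow(self.g, k, self.p).to_bytes(self.nb, "big"), ID, m)
        return e.to_bytes(32, "big") + ((k - e * S_ID) % self.q).to_bytes(32, "big")
    def verify(self, sigma, m, ID):
        e, s = int.from_bytes(sigma[:32], "big"), int.from_bytes(sigma[32:], "big")
        R = pow(self.g, s, self.p) * pow(pow(self.g, self.extract(ID), self.p), e, self.p) % self.p
        return len(sigma) == 64 and self._hq(R.to_bytes(self.nb, "big"), ID, m) == e
    def encrypt(self, m, ID):
        r = secrets.randbelow(self.q - 1) + 1
        U = pow(self.g, r, self.p).to_bytes(self.nb, "big")
        ke, km = self._keys(pow(pow(self.g, self.extract(ID), self.p), r, self.p))
        body = _stream(ke, m)
        return U + body + hmac.new(km, U + ID + body, "sha256").digest()
    def decrypt(self, c, ID, S_ID):  # None stands for the paper's bottom symbol
        U, body, t = c[:self.nb], c[self.nb:-32], c[-32:]
        u = int.from_bytes(U, "big")
        if not 1 < u < self.p or pow(u, self.q, self.p) != 1:  # reject values outside the order-q subgroup
            return None
        ke, km = self._keys(pow(u, S_ID, self.p))
        if not hmac.compare_digest(t, hmac.new(km, U + ID + body, "sha256").digest()):
            return None
        return _stream(ke, body)

def _lp(x):  # length-prefix an identity so that tag||ID||m parses unambiguously
    return len(x).to_bytes(2, "big") + x

class IBCSESC:
    """The paper's composition: Sign/Verify and Encrypt/Decrypt work on 0||m; Signcrypt signs
    1||ID_r||m under ID_s and encrypts 1||ID_s||m||sigma to ID_r; tags are checked on the way out."""
    def __init__(self, e): self.e = e
    def sign(self, m, ID, S_ID): return self.e.sign(b"\x00" + m, ID, S_ID)
    def verify(self, sigma, m, ID): return self.e.verify(sigma, b"\x00" + m, ID)
    def encrypt(self, m, ID): return self.e.encrypt(b"\x00" + m, ID)
    def decrypt(self, c, ID, S_ID):
        pt = self.e.decrypt(c, ID, S_ID)
        return pt[1:] if pt is not None and pt[:1] == b"\x00" else None
    def signcrypt(self, m, ID_s, S_s, ID_r):
        sigma = self.e.sign(b"\x01" + _lp(ID_r) + m, ID_s, S_s)
        return self.e.encrypt(b"\x01" + _lp(ID_s) + m + sigma, ID_r)
    def unsigncrypt(self, c, ID_s, ID_r, S_r):
        pt, hdr = self.e.decrypt(c, ID_r, S_r), b"\x01" + _lp(ID_s)
        if pt is None or len(pt) < len(hdr) + 64 or pt[:len(hdr)] != hdr:
            return None  # wrong tag, or a claimed sender other than the one sealed under the tag
        m, sigma = pt[len(hdr):-64], pt[-64:]
        return m if self.e.verify(sigma, b"\x01" + _lp(ID_r) + m, ID_s) else None

def run_checks():  # honest use, then the cross-primitive cases the appendix proofs call "not useful"
    e, alice, bob = IBCSE(), b"alice@example.org", b"bob@example.org"  # constructed identities
    sc, S_a, S_b, m = IBCSESC(e), e.extract(alice), e.extract(bob), b"constructed sample message"
    sigma, c, sc_c = sc.sign(m, alice, S_a), sc.encrypt(m, bob), sc.signcrypt(m, alice, S_a, bob)
    inner = e.decrypt(sc_c, bob, S_b)[-64:]  # the signature the receiver recovers from a signcryption
    return {
        "sign_verify": sc.verify(sigma, m, alice),
        "encrypt_decrypt": sc.decrypt(c, bob, S_b) == m,
        "signcrypt_unsigncrypt": sc.unsigncrypt(sc_c, alice, bob, S_b) == m,
        "encrypt_to_unsigncrypt": sc.unsigncrypt(c, alice, bob, S_b),  # Theorems 3 and 5: tag 0 vs 1||ID_s
        "signcrypt_to_decrypt": sc.decrypt(sc_c, bob, S_b),
        "inner_sigma_as_plain_sig": sc.verify(inner, m, alice),  # Theorem 2: it signs 1||ID_r||m, not 0||m
        "plain_sig_as_signcryption": sc.unsigncrypt(e.encrypt(b"\x01" + _lp(alice) + m + sigma, bob), alice, bob, S_b),  # Theorem 4
        "wrong_sender": sc.unsigncrypt(sc_c, bob, bob, S_b),  # the sealed sender is alice
    }
```

`run_checks()` returns a dictionary whose three honest entries are `True` and whose remaining entries are `None` (the paper's \(\bot\)) or `False`. The last four entries are the proof arguments made concrete: a ciphertext produced by Encrypt fails Unsigncrypt and a signcryption fails Decrypt because their tags differ (Theorems 3 and 5); a signature recovered from inside a signcryption does not verify as a plain signature on \(m\), and a plain signature on \(m\) does not survive Unsigncrypt after being wrapped in signcryption format (Theorems 2 and 4). The subgroup membership check and the MAC in `decrypt` are what make "variations of \(c^*\)" return \(\bot\) in this stand-in; the 256-bit group and the identity-to-public-value map through the master secret exist only so that the example runs offline and are not the paper's parameters.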

Copyright information

© 2019 Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Zhou, Y., Li, Z., Hu, F., Li, F. (2019). Identity-Based Combined Public Key Schemes for Signature, Encryption, and Signcryption. In: Chandra, P., Giri, D., Li, F., Kar, S., Jana, D. (eds) Information Technology and Applied Mathematics. Advances in Intelligent Systems and Computing, vol 699. Springer, Singapore. https://doi.org/10.1007/978-981-10-7590-2_1
