Abstract
Signature, encryption, and signcryption are three basic cryptographic primitives in public key cryptography. In this paper, we discuss identity-based combined public key schemes in which one key pair serves all three primitives: signature, encryption, and signcryption. The advantage of a combined public key scheme is reduced key management, since the same key pair is used for signature, encryption, and signcryption. We give an identity-based combined signature and encryption (IBCSE) scheme based on Cha and Cheon’s signature and Boneh and Franklin’s encryption. In addition, we point out that the security notions for combined signature, encryption and signcryption defined by Paterson et al. at ASIACRYPT 2011 are too strong. We define weaker but more reasonable security notions for identity-based combined signature, encryption and signcryption (IBCSESC). We give a weakly secure IBCSESC scheme that satisfies our weak security notions and a strongly secure IBCSESC scheme that satisfies the strong security notions.
References
Zheng, Y.: Digital signcryption or how to achieve cost (signature & encryption) \(\ll \) cost (signature) + cost(encryption). In: Kaliski Jr., B.S. (ed.) CRYPTO’97. LNCS, vol. 1294, pp. 165–179. Springer, Heidelberg (1997)
An, J.H., Dodis, Y., Rabin, T.: On the security of joint signature and encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 83–107. Springer, Heidelberg (2002)
Baek, J., Steinfeld, R., Zheng, Y.: Formal proofs for the security of signcryption. J. Cryptol. 20(2), 203–235 (2007)
Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO’84. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1984)
Hess, F.: Efficient identity based signature schemes based on pairings. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 310–324. Springer, Heidelberg (2003)
Cha, J.C., Cheon, J.H.: An identity-based signature from gap Diffie-Hellman groups. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 18–30. Springer, Heidelberg (2003)
Paterson, K.G., Schuldt, J.C.N.: Efficient identity-based signatures secure in the standard model. In: Batten, L., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 207–222. Springer, Heidelberg (2006)
Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)
Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)
Boyen, X.: Multipurpose identity-based signcryption: a swiss army knife for identity-based cryptography. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 383–399. Springer, Heidelberg (2003)
Chen, L., Malone-Lee, J.: Improved identity-based signcryption. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 362–379. Springer, Heidelberg (2005)
Barreto, P.S.L.M., Libert, B., McCullagh, N., Quisquater, J.J.: Efficient and provably-secure identity-based signatures and signcryption from bilinear maps. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 515–532. Springer, Heidelberg (2005)
Haber, S., Pinkas, B.: Securely combining public-key cryptosystems. In: 8th ACM Conference on Computer and Communications Security (CCS 2001), Philadelphia, Pennsylvania, USA, pp. 215–224 (2001)
EMV Specifications, Version 4.2, Books 1–4 (June 2008). http://www.emvco.com/
Fan, J., Zheng, Y., Tang, X.: A single key pair is adequate for the Zheng signcryption. In: Parampalli, U., Hawkes, P. (eds.) ACISP 2011. LNCS, vol. 6812, pp. 371–388. Springer, Heidelberg (2011)
Paterson, K.G., Schuldt, J.C.N., Stam, M., Thomson, S.: On the joint security of encryption and signature, revisited. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 161–178. Springer, Heidelberg (2011)
Chen, C., Chen, J., Lim, H.W., Feng, D.G.: Combined public-key schemes: the case of ABE and ABS. In: Takagi, T., Wang, G., Qin, Z., Jiang, S., Yu, Y. (eds.) ProvSec 2012. LNCS, vol. 7496, pp. 53–69. Springer, Heidelberg (2012)
Degabriele, J.P., Lehmann, A., Paterson, K.G., Smart, N.P., Strefler, M.: On the joint security of encryption and signature in EMV. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 116–135. Springer, Heidelberg (2012)
Vasco, M.I.G., Hess, F., Steinwandt, R.: Combined schemes for signature and encryption: the public-key and the identity-based setting. Inf. Comput. 247, 1–10 (2016)
Acknowledgements
We would like to thank the anonymous reviewers for their valuable comments and suggestions. This work is supported by the National Natural Science Foundation of China (Grant No 61272525) and the Fundamental Research Funds for the Central Universities (Grant No ZYGX2016J081).
Appendix
1   Proof of Theorem 2
Proof
If an adversary \(\mathcal {F}\) can break the strong EUF-ID-CMA security of the signature component of \(\mathcal {IBCSESC}\), then one can construct an adversary \(\mathcal {F}'\) that breaks the EUF-ID-CMA security of the signature component of \(\mathcal {IBCSE}\).
- Initial: \(\mathcal {F}'\) is given the system public parameters par, which it passes to \(\mathcal {F}\).
- Attack: \(\mathcal {F}'\) answers \(\mathcal {F}\)’s queries as follows.
  - For a key extraction query on ID, \(\mathcal {F}'\) submits ID to its key extraction oracle and returns the result to \(\mathcal {F}\).
  - For a signature query on (m, ID), \(\mathcal {F}'\) submits (0||m, ID) to its signature oracle and passes the result to \(\mathcal {F}\).
  - For a decryption query on (c, ID), \(\mathcal {F}'\) submits (c, ID) to its decryption oracle to get \(m'\). If \(m'=\bot \), \(\mathcal {F}'\) returns \(\bot \). Otherwise, \(\mathcal {F}'\) parses \(m'\) as tag||m and checks that \(tag=0\). If so, it returns m to \(\mathcal {F}\); otherwise it returns \(\bot \).
  - For a signcryption query on \((m,\textit{ID}_s,\textit{ID}_r)\), \(\mathcal {F}'\) first submits \((1||\textit{ID}_r||m,\textit{ID}_s)\) to its signature oracle and gets the signature \(\sigma \). Then, \(\mathcal {F}'\) sets \(tag=1||\textit{ID}_s\) and computes \(c=\mathcal {IBCSE}\).Encrypt\((par,tag||m||\sigma ,\textit{ID}_r)\). Finally, \(\mathcal {F}'\) returns c to \(\mathcal {F}\).
  - For an unsigncryption query on \((c,\textit{ID}_s,\textit{ID}_r)\), \(\mathcal {F}'\) submits \((c,\textit{ID}_r)\) to its decryption oracle to get \(m'\). If \(m'=\bot \), \(\mathcal {F}'\) returns \(\bot \). Otherwise, \(\mathcal {F}'\) parses \(m'\) as \(tag||m||\sigma \), checks that \(tag=1||\textit{ID}_s\), and checks that
    $$\top =\mathcal {IBCSE}.\mathbf{Verify}(par,\sigma ,1||\textit{ID}_r||m,\textit{ID}_s)$$
    holds. If both checks pass, \(\mathcal {F}'\) returns m to \(\mathcal {F}\). Otherwise, it returns \(\bot \) to \(\mathcal {F}\).
- Forgery: \(\mathcal {F}\) finally outputs a message \(m^*\), an identity \(\textit{ID}^*\), and a signature \(\sigma ^*\). If \(\mathcal {F}\)’s forgery is valid, then \(\top =\mathcal {IBCSE}\).Verify\((par,\sigma ^*,0||m^*,\textit{ID}^*)\). In addition, \(\mathcal {F}\) has asked neither a key extraction query on \(\textit{ID}^*\) nor a signature query on \((m^*,\textit{ID}^*)\). Therefore, \(\mathcal {F}'\) has queried neither \(\textit{ID}^*\) to its key extraction oracle nor \((0||m^*,\textit{ID}^*)\) to its signature oracle. \(\mathcal {F}'\) outputs the message \(0||m^*\), the identity \(\textit{ID}^*\), and the signature \(\sigma ^*\). Hence \(\mathcal {F}'\) succeeds with the same probability as \(\mathcal {F}\).
Note that \(\mathcal {F}\) may make a signcryption query on \((m^*,\textit{ID}^*,\textit{ID}_r)\). The result is of no use to it, however, since the signature produced inside that query is \(\sigma =\mathcal {IBCSE}\).Sign\((par,1||\textit{ID}_r||m^*,\textit{ID}^*,S_{\textit{ID}^*})\), a signature on the tagged message \(1||\textit{ID}_r||m^*\) rather than on \(0||m^*\). The signature verification \(\mathcal {IBCSE}\).Verify\((par,\sigma ,0||m^*,\textit{ID}^*)\) must therefore output the \(\bot \) symbol.\(\square \)
2   Proof of Theorem 3
Proof
If an adversary \(\mathcal {A}\) can break the strong IND-ID-CCA2 security of the encryption component of \(\mathcal {IBCSESC}\), then one can construct an adversary \(\mathcal {A}'\) that breaks the IND-ID-CCA2 security of the encryption component of \(\mathcal {IBCSE}\).
- Initial: \(\mathcal {A}'\) is given the system public parameters par, which it passes to \(\mathcal {A}\).
- Phase 1: \(\mathcal {A}'\) answers \(\mathcal {A}\)’s queries as in the proof of Theorem 2.
- Challenge: \(\mathcal {A}\) outputs two challenge messages \((m_0,m_1)\) of the same length and an identity \(\textit{ID}^*\) that it has not submitted to a key extraction query in Phase 1. So, \(\mathcal {A}'\) has not queried \(\textit{ID}^*\) to its key extraction oracle. \(\mathcal {A}'\) sets \(tag=0\) and submits the two messages \(tag||m_0\), \(tag||m_1\) and the identity \(\textit{ID}^*\) as its own challenge. It receives the challenge ciphertext \(c^*\), which it passes to \(\mathcal {A}\).
- Phase 2: \(\mathcal {A}\) adaptively asks a polynomially bounded number of further queries, as in Phase 1, and \(\mathcal {A}'\) answers them as in Phase 1. Since \(\mathcal {A}\) cannot ask a key extraction query on \(\textit{ID}^*\) and cannot ask a decryption query on \((c^*,\textit{ID}^*)\), \(\mathcal {A}'\) never submits \(\textit{ID}^*\) to its key extraction oracle and never submits \((c^*,\textit{ID}^*)\) to its decryption oracle.
- Guess: \(\mathcal {A}\) finally outputs a guess \(\gamma '\), and \(\mathcal {A}'\) outputs the same guess. Hence \(\mathcal {A}'\) succeeds with the same probability as \(\mathcal {A}\).
Note that \(\mathcal {A}\) may ask an unsigncryption query on \((c^*,\textit{ID}_s,\textit{ID}^*)\) for some sender identity \(\textit{ID}_s\). \(\mathcal {A}'\) cannot forward \((c^*,\textit{ID}^*)\) to its decryption oracle, so it answers such a query with \(\bot \) directly (a query on any ciphertext \(c\neq c^*\) is forwarded as in Phase 1). This is exactly the answer the real unsigncryption algorithm would give, because the two algorithms use different tags: \(\mathcal {IBCSESC}\).Encrypt encrypts tag||m with \(tag=0\), whereas \(\mathcal {IBCSESC}\).Signcrypt encrypts \(tag||m||\sigma \) with \(tag=1||\textit{ID}_s\), and unsigncryption rejects a plaintext whose tag is not \(1||\textit{ID}_s\). So \(\mathcal {A}\) must receive the \(\bot \) symbol if it makes such a query, and the result is of no use to it.\(\square \)
3   Proof of Theorem 4
Proof
If an adversary \(\mathcal {F}\) can break the strong EUF-ID-CMA security of the signcryption component of \(\mathcal {IBCSESC}\), then one can construct an adversary \(\mathcal {F}'\) that breaks the EUF-ID-CMA security of the signature component of \(\mathcal {IBCSE}\).
- Initial: \(\mathcal {F}'\) is given the system public parameters par, which it passes to \(\mathcal {F}\).
- Attack: \(\mathcal {F}'\) answers \(\mathcal {F}\)’s queries as in the proof of Theorem 2.
- Forgery: \(\mathcal {F}\) outputs a ciphertext \(c^*\), a sender’s identity \(\textit{ID}_s^*\), and a receiver’s identity \(\textit{ID}_r^*\). \(\mathcal {F}'\) first asks a key extraction query on \(\textit{ID}_r^*\) to get \(S_{\textit{ID}_r^*}\). Then, \(\mathcal {F}'\) computes \(m'=\mathcal {IBCSE}\).Decrypt\((par,c^*,\textit{ID}_r^*,S_{\textit{ID}_r^*})\). If \(\mathcal {F}\)’s forgery is valid, then \(m'=tag||m^*||\sigma ^*\) with \(tag=1||\textit{ID}_s^*\) and \(\top =\mathcal {IBCSE}\).Verify\((par,\sigma ^*,1||\textit{ID}_r^*||m^*,\textit{ID}_s^*)\). In addition, \(\mathcal {F}\) has asked neither a key extraction query on \(\textit{ID}_s^*\) nor a signcryption query on \((m^*,\textit{ID}_s^*,\textit{ID}_r^*)\). So, \(\mathcal {F}'\) has queried neither \(\textit{ID}_s^*\) to its key extraction oracle nor \((1||\textit{ID}_r^*||m^*,\textit{ID}_s^*)\) to its signature oracle. \(\mathcal {F}'\) outputs the message \(1||\textit{ID}_r^*||m^*\), the identity \(\textit{ID}_s^*\), and the signature \(\sigma ^*\). Hence \(\mathcal {F}'\) succeeds with the same probability as \(\mathcal {F}\).
Note that \(\mathcal {F}\) may ask a signature query on \((m^*,\textit{ID}_s^*)\). The result is of no use to \(\mathcal {F}\), however, since the returned signature is \(\sigma =\mathcal {IBCSE}\).Sign\((par,0||m^*,\textit{ID}_s^*,S_{\textit{ID}_s^*})\), a signature on \(0||m^*\) rather than on \(1||\textit{ID}_r||m^*\). In the unsigncryption algorithm, the verification \(\mathcal {IBCSE}\).Verify\((par,\sigma ,1||\textit{ID}_r||m^*,\textit{ID}_s^*)\) must therefore output the \(\bot \) symbol. \(\square \)
4   Proof of Theorem 5
Proof
If an adversary \(\mathcal {A}\) can break the strong IND-ID-CCA2 security of the signcryption component of \(\mathcal {IBCSESC}\), then one can construct an adversary \(\mathcal {A}'\) that breaks the IND-ID-CCA2 security of the encryption component of \(\mathcal {IBCSE}\).
- Initial: \(\mathcal {A}'\) is given the system public parameters par, which it passes to \(\mathcal {A}\).
- Phase 1: \(\mathcal {A}'\) answers \(\mathcal {A}\)’s queries as in the proof of Theorem 2.
- Challenge: \(\mathcal {A}\) outputs two challenge plaintexts \((m_0,m_1)\) of the same length, a sender’s identity \(\textit{ID}_s^*\), and a receiver’s identity \(\textit{ID}_r^*\) that it has not submitted to a key extraction query in Phase 1. So, \(\mathcal {A}'\) has not queried \(\textit{ID}_r^*\) to its key extraction oracle. \(\mathcal {A}'\) first submits \((1||\textit{ID}_r^*||m_0,\textit{ID}_s^*)\) and \((1||\textit{ID}_r^*||m_1,\textit{ID}_s^*)\) to its signature oracle and gets the signatures \(\sigma _0^*\) and \(\sigma _1^*\), respectively. Then, \(\mathcal {A}'\) sets \(tag=1||\textit{ID}_s^*\) and submits the two messages \(tag||m_0||\sigma _0^*\), \(tag||m_1||\sigma _1^*\) and the identity \(\textit{ID}_r^*\) as its own challenge. It receives the challenge ciphertext \(c^*\), which it passes to \(\mathcal {A}\).
- Phase 2: \(\mathcal {A}\) adaptively asks a polynomially bounded number of further queries, as in Phase 1, and \(\mathcal {A}'\) answers them as in Phase 1. Since \(\mathcal {A}\) cannot ask a key extraction query on \(\textit{ID}_r^*\) and cannot ask an unsigncryption query on \((c^*,\textit{ID}_s^*,\textit{ID}_r^*)\), \(\mathcal {A}'\) never submits \(\textit{ID}_r^*\) to its key extraction oracle and never submits \((c^*,\textit{ID}_r^*)\) to its decryption oracle.
- Guess: \(\mathcal {A}\) finally outputs a guess \(\gamma '\), and \(\mathcal {A}'\) outputs the same guess. Hence \(\mathcal {A}'\) succeeds with the same probability as \(\mathcal {A}\).
Note that \(\mathcal {A}\) may make a decryption query on \((c^*,\textit{ID}_r^*)\); only the unsigncryption query on \((c^*,\textit{ID}_s^*,\textit{ID}_r^*)\) is forbidden. As in the proof of Theorem 3, \(\mathcal {A}'\) cannot forward \((c^*,\textit{ID}_r^*)\) to its decryption oracle, so it answers such a query with \(\bot \) directly. This is the answer the real decryption algorithm would give, since \(\mathcal {IBCSESC}\).Encrypt and \(\mathcal {IBCSESC}\).Signcrypt use different tags: \(c^*\) encrypts a plaintext with \(tag=1||\textit{ID}_s^*\), whereas decryption accepts only \(tag=0\). So \(\mathcal {A}\) must receive the \(\bot \) symbol if it makes such a query, and the result is of no use to it. \(\square \)
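The four proofs above all rest on one mechanism: the signature, encryption and signcryption algorithms tag their inputs (0 for plain signature and encryption, 1||ID for signcryption) so that an oracle answer obtained for one primitive is never a valid object for another. The following Python is an added illustration of that tag-based domain separation; it is not code from the paper. The class `ToyIBCSE` is a stand-in for the paper's pairing-based IBCSE built from HMAC-SHA-256 with the PKG master secret held in one object: it is not identity-based cryptography, verification and encryption are not public, and it offers none of the paper's security guarantees. It only reproduces the Extract/Sign/Verify/Encrypt/Decrypt interface the reductions query. The combiner `IBCSESC` then follows the construction used in the proofs. The single-byte tags, the two-byte length prefixes, the class and function names and the identities `alice`/`bob` are my assumptions; the paper writes tag||ID_s||m||σ as plain concatenation, and an implementation must fix an unambiguous encoding or the parsing step in unsigncryption is ill-defined.

```python
import hashlib
import hmac
import os
import struct


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode; a toy stream cipher for the stand-in only."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + struct.pack(">I", ctr)).digest()
        ctr += 1
    return out[:n]


class ToyIBCSE:
    """Stand-in (assumption) for the IBCSE oracle interface. Not identity-based:
    every operation is keyed from a master secret held by this object."""

    def __init__(self) -> None:
        self.msk = os.urandom(32)

    def extract(self, ident: bytes) -> bytes:          # S_ID
        return hmac.new(self.msk, b"extract|" + ident, hashlib.sha256).digest()

    def sign(self, sk: bytes, msg: bytes) -> bytes:
        return hmac.new(sk, b"sign|" + msg, hashlib.sha256).digest()

    def verify(self, ident: bytes, msg: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(self.extract(ident), msg), sig)

    def encrypt(self, ident: bytes, msg: bytes) -> bytes:
        sk, nonce = self.extract(ident), os.urandom(16)
        body = bytes(a ^ b for a, b in zip(msg, _keystream(sk, nonce, len(msg))))
        mac = hmac.new(sk, b"enc|" + nonce + body, hashlib.sha256).digest()
        return nonce + body + mac                        # encrypt-then-MAC

    def decrypt(self, sk: bytes, ct: bytes):
        if len(ct) < 48:
            return None                                  # the paper's bottom symbol
        nonce, body, mac = ct[:16], ct[16:-32], ct[-32:]
        if not hmac.compare_digest(hmac.new(sk, b"enc|" + nonce + body, hashlib.sha256).digest(), mac):
            return None
        return bytes(a ^ b for a, b in zip(body, _keystream(sk, nonce, len(body))))


TAG_ENC = b"\x00"   # tag = 0 for plain signature and encryption (assumed encoding)
TAG_SC = b"\x01"    # tag = 1||ID_s for signcryption (assumed encoding)


def _lp(field: bytes) -> bytes:
    """Length-prefix a field so tag||ID_s||m||sigma parses unambiguously."""
    return struct.pack(">H", len(field)) + field


def _unlp(buf: bytes, off: int):
    if off + 2 > len(buf):
        return None
    n = struct.unpack(">H", buf[off:off + 2])[0]
    if off + 2 + n > len(buf):
        return None
    return buf[off + 2:off + 2 + n], off + 2 + n


class IBCSESC:
    """The combiner from the proofs: the same S_ID serves all three primitives."""

    def __init__(self, base: ToyIBCSE) -> None:
        self.base = base

    def sign(self, sk_s: bytes, m: bytes) -> bytes:          # Sign(0||m)
        return self.base.sign(sk_s, TAG_ENC + m)

    def verify(self, id_s: bytes, m: bytes, sig: bytes) -> bool:
        return self.base.verify(id_s, TAG_ENC + m, sig)

    def encrypt(self, id_r: bytes, m: bytes) -> bytes:       # Encrypt(0||m)
        return self.base.encrypt(id_r, TAG_ENC + m)

    def decrypt(self, sk_r: bytes, c: bytes):
        pt = self.base.decrypt(sk_r, c)
        if pt is None or pt[:1] != TAG_ENC:                  # reject tag 1||ID_s
            return None
        return pt[1:]

    def signcrypt(self, id_s: bytes, sk_s: bytes, id_r: bytes, m: bytes) -> bytes:
        sig = self.base.sign(sk_s, TAG_SC + _lp(id_r) + m)  # Sign(1||ID_r||m)
        return self.base.encrypt(id_r, TAG_SC + _lp(id_s) + _lp(m) + sig)

    def unsigncrypt(self, id_s: bytes, id_r: bytes, sk_r: bytes, c: bytes):
        pt = self.base.decrypt(sk_r, c)
        if pt is None or pt[:1] != TAG_SC:                   # reject tag 0
            return None
        parsed = _unlp(pt, 1)
        if parsed is None:
            return None
        id_s_in, off = parsed
        parsed = _unlp(pt, off)
        if parsed is None:
            return None
        m, off = parsed
        sig = pt[off:]
        if id_s_in != id_s or not self.base.verify(id_s, TAG_SC + _lp(id_r) + m, sig):
            return None
        return m


def cross_use_checks() -> dict:
    """Replays the oracle-reuse attempts discussed after Theorems 2 and 4 on
    constructed sample data; every entry should be True."""
    base, sc = ToyIBCSE(), None
    sc = IBCSESC(base)
    alice, bob = b"alice@example.org", b"bob@example.org"   # constructed identities
    sk_a, sk_b = base.extract(alice), base.extract(bob)
    m = b"constructed sample message"
    r = {}
    c_sc = sc.signcrypt(alice, sk_a, bob, m)
    c_enc = sc.encrypt(bob, m)
    r["signcrypt_roundtrip"] = sc.unsigncrypt(alice, bob, sk_b, c_sc) == m
    r["encrypt_roundtrip"] = sc.decrypt(sk_b, c_enc) == m
    r["decrypt_rejects_signcryption"] = sc.decrypt(sk_b, c_sc) is None
    r["unsigncrypt_rejects_encryption"] = sc.unsigncrypt(alice, bob, sk_b, c_enc) is None
    # Theorem 4 note: a signature oracle answer on (m, ID_s) is a signature on 0||m,
    # so wrapping it as a signcryption plaintext does not forge a signcryption.
    forged = base.encrypt(bob, TAG_SC + _lp(alice) + _lp(m) + sc.sign(sk_a, m))
    r["signature_not_reusable_as_signcryption"] = sc.unsigncrypt(alice, bob, sk_b, forged) is None
    # Theorem 2 note: the sigma inside a signcryption signs 1||ID_r||m, not 0||m,
    # so even the receiver, who can extract it, cannot present it as a signature on m.
    inner = base.decrypt(sk_b, c_sc)
    _, off = _unlp(inner, 1)
    _, off = _unlp(inner, off)
    r["signcryption_sigma_not_reusable_as_signature"] = not sc.verify(alice, m, inner[off:])
    r["wrong_claimed_sender_rejected"] = sc.unsigncrypt(b"mallory", bob, sk_b, c_sc) is None
    return r
```

The two rejections that matter for the reductions are the tag checks at the top of `decrypt` and `unsigncrypt`: without them, a decryption query on a signcryption ciphertext would return 1||ID_s||m||σ minus one byte and leak the challenge plaintext, which is exactly the query the proofs of Theorems 3 and 5 must answer with ⊥.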
Copyright information
© 2019 Springer Nature Singapore Pte Ltd.
Cite this paper
Zhou, Y., Li, Z., Hu, F., Li, F. (2019). Identity-Based Combined Public Key Schemes for Signature, Encryption, and Signcryption. In: Chandra, P., Giri, D., Li, F., Kar, S., Jana, D. (eds) Information Technology and Applied Mathematics. Advances in Intelligent Systems and Computing, vol 699. Springer, Singapore. https://doi.org/10.1007/978-981-10-7590-2_1
DOI: https://doi.org/10.1007/978-981-10-7590-2_1
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-7589-6
Online ISBN: 978-981-10-7590-2
eBook Packages: Intelligent Technologies and Robotics (R0)