Article, open access, peer-reviewed

Certificate-Based Signcryption Scheme without Pairing: Directly Verifying Signcrypted Messages Using a Public Key

2016; Electronics and Telecommunications Research Institute; Language: English

10.4218/etrij.16.0115.0983

ISSN

2233-7326

Authors

Minh-Ha Le, Seong Oun Hwang

Topic(s)

Cryptographic Implementations and Security

ETRI Journal, Volume 38, Issue 4, pp. 724-734. Free-access article. First published: 01 August 2016. https://doi.org/10.4218/etrij.16.0115.0983. Citations: 6.

Minh-Ha Le is with the Department of Electronics and Computer Engineering, Hongik University, Sejong, Rep. of Korea. Seong Oun Hwang (corresponding author) is with the Department of Computer and Information Communications Engineering, Hongik University, Sejong, Rep. of Korea. This work was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF), funded by the Ministry of Education (2014R1A1A2054174). It was also supported by the MSIP (Ministry of Science, ICT and Future Planning), Korea, under the Global IT Talent support program (IITP-2016-H0905-15-1004) supervised by the IITP (Institute for Information and Communication Technology Promotion).

Abstract

To achieve confidentiality, integrity, authentication, and non-repudiation simultaneously, the concept of signcryption was introduced by combining encryption and a signature in a single scheme. Certificate-based encryption schemes are designed to resolve the key escrow problem of identity-based encryption and to simplify the certificate management problem of traditional public key cryptosystems. In this paper, we propose a new certificate-based signcryption scheme, which we prove secure against adaptive chosen ciphertext attacks and existentially unforgeable against chosen-message attacks in the random oracle model. Our scheme is not based on pairing and is thus efficient and practical. Furthermore, it allows a signcrypted message to be verified immediately using the public key of the sender, which means that verification and decryption of the signcrypted message are decoupled. To the best of our knowledge, this is the first pairing-free signcryption scheme with this feature.

I. Introduction

Authentication is a fundamental building block of a secure system. Basically, it is a process for verifying that the identity of an entity belongs to a human or a device. For example, in the authentication process, a certificate in traditional public key cryptography (PKC) is usually used to prove that a public key belongs to a specific user. However, a public key infrastructure (PKI) that supports a traditional PKC has issues such as complex installation and maintenance processes and the issuance, distribution, and revocation of certificates. Although the authentication process seems to be irreplaceable, some public key cryptography models have been proposed in which the certificate is eliminated. In 1984, Shamir proposed the first concept of identity-based public key cryptography (ID-PKC) [1].
This scheme shows a great improvement in that it does not require a PKI, because the public key is an identity (for example, an email address, ID number, driver license number, and so on). In ID-PKC, a private key generator (PKG) uses a master secret key to generate all private keys for its users. The PKG requires secure channels to deliver the private keys to users. Although the improvement in ID-PKC is significant, some architectural issues remain:

(1) A secure channel to deliver the private keys is significantly costly to implement.
(2) The PKG can impersonate any user at any time because it knows the private keys of all users; this is called the key escrow problem. It is unacceptable in certain cases such as legal applications, because the PKG cannot guarantee non-repudiation.
(3) Finally, the security of the whole system depends on the secrecy of the master secret key. If the PKG is compromised and the master key is revealed, the whole system is affected.

To overcome the drawbacks of traditional PKC and ID-PKC, the first concept of certificateless public key cryptography (CL-PKC) was proposed by Al-Riyami and Paterson [2]. As the name implies, CL-PKC inherits the advantage of ID-PKC that it does not require a certificate for a public key. Furthermore, it also eliminates the key escrow problem, because it allows users to create their own public and private key pairs; the private key is kept secret, so that even a trusted authority, called the key generation center (KGC), cannot decrypt user messages. Decrypting a ciphertext requires both a partial private key generated by the KGC and a private key generated by the user. Unfortunately, there are no certificates protecting the public keys, and thus they can be replaced by an attacker who wants to prevent a receiver from decrypting a ciphertext. In CL-PKC, secure channels are still needed to distribute the partial private keys to users. In addition, if the KGC is compromised, we cannot prevent an attacker from changing the public key to impersonate any user in the system.

In 2003, Gentry proposed the notion of certificate-based cryptography (CB-PKC) [3], which uses the PKI in a more efficient manner. Compared with the previous models, CB-PKC seems to be a promising solution to the key escrow problem and enhances the PKI. As in PKC, each user generates their own public and private key pair and requests a certificate from the CA. The crucial difference is that the CA uses an identity-based encryption (IBE) scheme to generate the certificate: the CA treats the user's public key as their identity and generates its corresponding private key, called a certificate, which serves as a partial private key. Eventually, CB-PKC preserves all of the features of traditional PKC while simplifying the PKI, and has none of the key escrow problem found in ID-PKC.

In 1997, Zheng [4] defined the new cryptographic concept of signcryption, which performs the functions of encryption and signature simultaneously. This method is more efficient than the sign-then-encrypt approach because combining encryption and signature reduces both computational cost and communication overhead. With this method, we can achieve confidentiality, integrity, authentication, and non-repudiation concurrently.

1. Related Work

Since the concept of PKC was first proposed by Diffie and Hellman in 1976 [5], it has attracted the attention of many cryptographers and has quickly become the main topic of modern cryptography. To improve the efficiency of traditional PKC, Shamir proposed the first concept of ID-PKC [1]. Boneh and Franklin proposed the first concrete construction of an IBE scheme [6]. Since then, a number of IBE schemes have been proposed [7]–[10].

By combining a public key encryption scheme and a public key signature scheme into a single scheme, Zheng proposed the first signcryption scheme in 1997 [4]. Bao proposed another signcryption scheme in which the signature is directly verifiable with a public key [11]; we note that, in this scheme, the signcrypted message still needs to be decrypted before it can be verified. In 2000, two more signcryption schemes were proposed, each with its own application: the domain-verifiable signcryption scheme of Seo and Kim [12], applied to electronic funds, and the distributed signcryption scheme of Mu and Varadharajan [13]. The distributed signcryption scheme was improved by Kwak and Moon in 2003 [14]. In the same year, Boyen [15] proposed a multi-purpose signcryption scheme together with a comprehensive security model for a multi-purpose identity-based signcryption cryptosystem. After that, many identity-based signcryption schemes were proposed [16]–[21]. In 2008, Selvi and others [22] proposed the first concept of certificateless signcryption.

Gentry proposed the first notion of CB-PKC [3]. It turned out that a CBE scheme can be constructed from certificateless public key encryption (CL-PKE) [23]. Wu and others proposed another generic construction of CBE from CL-PKE [24]. Many other CBE schemes have been proposed [25]–[29]. In 2006, Morillo and others proposed the first CBE scheme without random oracles [30]. After that, Liu and Zhou proposed an efficient CBE scheme in the standard model [31], which Galindo and others improved in [32]. In parallel with CB-PKC, Al-Riyami and Paterson introduced the concept of CL-PKC and proposed the first concrete scheme in 2003 [2]. Some other CL-PKC schemes have also been proposed [33]–[36]. Although the concept of CB-PKC was proposed in 2003, the first certificate-based signcryption (CBSC) scheme was introduced only in 2008 by Li and others [25].
Lou and colleagues [37] proposed another CBSC scheme with a security proof, which turned out to be insecure under two concrete attacks, described in [38] and [39]. In [39], the CBSC scheme was claimed to be secure against public key replacement and insider attacks. Recently, Lu and Li [40] proposed a new CBSC scheme without pairing and proved it secure in the random oracle model.

II. Preliminaries

1. Computational Diffie-Hellman Problem (CDH)

Let p_1 and p_2 be prime numbers such that . Let g be a generator of . The CDH problem in is, given (g, g^a, g^b) for uniformly chosen , to compute g^ab. The advantage of any polynomial-time algorithm A_CDH in solving the CDH problem in is defined as

The CDH assumption is that, for any polynomial-time algorithm A_CDH, the advantage of A_CDH is negligible.

2. Discrete Logarithm (DL) Problem

Let p be a prime number, and let g be a generator of ℤ_p. The DL problem in ℤ_p is, given a tuple (g, g^a) for unknown , to compute a. The advantage of any polynomial-time algorithm A_DL in solving the DL problem in G is defined as

The DL assumption is that, for any polynomial-time algorithm A_DL, the advantage Adv(A_DL) is negligible.

3. Certificate-Based Signcryption Scheme

In this subsection, we outline the certificate-based signcryption scheme. The scheme is defined by the following five algorithms:

Setup: This algorithm is run by the CA. Given the security parameter 1^k, it returns the master secret key msk and the system parameters params of the CA.

SetKeyPair: This algorithm is run by the user. Given params, it returns a public key pk and a secret key sk for the user.

Certification: This algorithm is run by the CA. Given the user identity ID, the system parameters params, and the user public key pk, it returns a certificate Cert, which is sent to the user over an open channel. In particular, in our scheme, pk is updated with the help of the CA after the certification step.

Signcryption: This algorithm is run by a sender. Given a message M, the identities ID_S and ID_R of the sender and receiver, the certificate Cert_S and secret key sk_S of the sender, the public keys pk_S and pk_R of the sender and receiver, and the system parameters params, it returns a signcrypted message C = Signcryption(M, ID_S, ID_R, Cert_S, sk_S, pk_S, pk_R, params).

Designcryption: Given a signcrypted message C, the identities ID_S and ID_R of the sender and receiver, the certificate Cert_R and secret key sk_R of the receiver, the public keys pk_S and pk_R of the sender and receiver, and the system parameters params, it returns a message M′ = Designcryption(C, ID_S, ID_R, Cert_R, pk_S, pk_R, sk_R, params), which is equal to M, or the symbol ⊥, indicating that C is not a valid signcryption between ID_S and ID_R.

Correctness: If C is the result of applying the Signcryption algorithm to the inputs (M, ID_S, ID_R, Cert_S, sk_S, pk_S, pk_R, params), then the result M′ of the Designcryption algorithm must be equal to M. We write this as Designcryption(C, ID_S, ID_R, Cert_R, pk_S, pk_R, sk_R, params) = M.

4. Security Models of CBSC

CBSC schemes have to be secure in terms of both confidentiality and unforgeability.

A. Confidentiality

As mentioned above, there are two kinds of adversary. A Type I adversary corresponds to indistinguishability under adaptive chosen ciphertext attacks (IND-CBSC-CCA2 game I) from a normal or uncertified client who is not given the master secret key msk of the CA. A Type II adversary corresponds to indistinguishability under adaptive chosen ciphertext attacks (IND-CBSC-CCA2 game II) from a certified client who has the master secret key msk of the CA. Compared to IND-CBSC-CCA2 game I, the difference is that a Type II adversary is given the master secret key and does not have to query OCertification, because it can generate certificates itself using the master secret key.
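The five-algorithm interface above, together with the property the abstract highlights (a signcrypted message is verified with the sender's public key alone, decoupled from decryption), can be exercised end to end in code. The following Python is an added example and is not the paper's scheme: the concrete formulas of Section III are not reproduced on this page, so the interface is instantiated with an assumed Schnorr-style stand-in in which the CA's certificate is the implicit-certificate value cert = r + s·H(ID, U, R), the user's public key is updated to (U, R) as the Certification step requires, and anyone derives the effective key Y = U·R·g1^H(ID, U, R) = g^(x + cert) from public data. All function names (setup, set_key_pair, certification, signcryption, verify, designcryption), the SHA-256 hash into ℤ_p2, the hash-based keystream, the 64-bit safe-prime group, the seeded RNG, and the identities "alice" and "bob" are constructed for this demonstration.

```python
# Toy certificate-based signcryption exercising the five-algorithm interface of
# Section II.3. Formulas are an ASSUMED Schnorr-style stand-in, not the paper's
# scheme; 64-bit parameters and a seeded RNG keep the demo reproducible (constructed).
import hashlib, random

rng = random.Random(2016)  # constructed: deterministic demo randomness, not for real keys

def is_probable_prime(n, rounds=32):  # Miller-Rabin; n > 3 assumed
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(bits=64):
    """Primes p1 = 2*p2 + 1 and a generator g of the order-p2 subgroup of Z_p1^*."""
    while True:
        p2 = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        p1 = 2 * p2 + 1
        if is_probable_prime(p2) and is_probable_prime(p1):
            # h^2 for 2 <= h <= p1-2 is never 1 mod a prime p1, so it has order exactly p2
            return p1, p2, pow(rng.randrange(2, p1 - 1), 2, p1)

def H(p2, *parts):
    """Assumed hash into Z_p2 over labelled inputs (ints, strings, bytes)."""
    data = b"|".join(x if isinstance(x, bytes) else str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % p2

def keystream(shared, n):
    """Assumed KDF: n keystream bytes derived from the shared group element."""
    blocks = (hashlib.sha256(str(shared).encode() + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def setup(bits=64):
    """CA: params = (p1, p2, g, g1 = g^s) and msk = s."""
    p1, p2, g = gen_group(bits)
    s = rng.randrange(1, p2)
    return {"p1": p1, "p2": p2, "g": g, "g1": pow(g, s, p1)}, s

def set_key_pair(params):
    """User: sk = x, pk = U = g^x."""
    x = rng.randrange(1, params["p2"])
    return pow(params["g"], x, params["p1"]), x

def certification(params, msk, ID, U):
    """CA: implicit certificate cert = r + s*H(ID, U, R); the public key is updated to (U, R)."""
    r = rng.randrange(1, params["p2"])
    R = pow(params["g"], r, params["p1"])
    return (U, R), (r + msk * H(params["p2"], ID, U, R)) % params["p2"]

def effective_public_key(params, ID, pk):
    """Y = U * R * g1^H(ID, U, R) = g^(x + cert); needs public data only."""
    U, R = pk
    return (U * R * pow(params["g1"], H(params["p2"], ID, U, R), params["p1"])) % params["p1"]

def signcryption(params, ID_S, sk_S, cert_S, ID_R, pk_R, M):
    """Sender: encrypt under Y_R, then Schnorr-sign (C0, C1) under the full key x_S + cert_S."""
    p1, p2, g = params["p1"], params["p2"], params["g"]
    k, t = rng.randrange(1, p2), rng.randrange(1, p2)
    C0, T = pow(g, k, p1), pow(g, t, p1)
    shared = pow(effective_public_key(params, ID_R, pk_R), k, p1)  # Y_R^k
    C1 = bytes(a ^ b for a, b in zip(M, keystream(shared, len(M))))
    z = (t + H(p2, ID_S, ID_R, C0, C1, T) * (sk_S + cert_S)) % p2
    return (C0, C1, T, z)

def verify(params, ID_S, pk_S, ID_R, C):
    """Designcryption step a): only public inputs, so any third party can run it."""
    C0, C1, T, z = C
    e = H(params["p2"], ID_S, ID_R, C0, C1, T)
    Y_S = effective_public_key(params, ID_S, pk_S)
    return pow(params["g"], z, params["p1"]) == (T * pow(Y_S, e, params["p1"])) % params["p1"]

def designcryption(params, ID_S, pk_S, ID_R, sk_R, cert_R, C):
    """Receiver: step a) verify, step b) recover Y_R^k = C0^(x_R + cert_R). None stands for ⊥."""
    if not verify(params, ID_S, pk_S, ID_R, C):
        return None
    C0, C1, _, _ = C
    shared = pow(C0, (sk_R + cert_R) % params["p2"], params["p1"])
    return bytes(a ^ b for a, b in zip(C1, keystream(shared, len(C1))))

def demo():
    params, msk = setup()
    U_a, x_a = set_key_pair(params)
    pk_a, cert_a = certification(params, msk, "alice", U_a)
    U_b, x_b = set_key_pair(params)
    pk_b, cert_b = certification(params, msk, "bob", U_b)
    C = signcryption(params, "alice", x_a, cert_a, "bob", pk_b, b"signcrypted message")
    tampered = (C[0], bytes([C[1][0] ^ 1]) + C[1][1:], C[2], C[3])  # flip one ciphertext bit
    return {
        "third_party_verified": verify(params, "alice", pk_a, "bob", C),  # no receiver secret used
        "recovered": designcryption(params, "alice", pk_a, "bob", x_b, cert_b, C),
        "tampered": designcryption(params, "alice", pk_a, "bob", x_b, cert_b, tampered),
    }
```

verify() takes no receiver secret, which is the decoupling the paper claims for its own construction; designcryption() runs that check first and returns None in place of ⊥, so a tampered ciphertext is rejected before any shared key is derived. Because the certificate only contributes to the full private key x + cert, the CA (which knows cert but not x) cannot designcrypt or sign for the user, which is the key-escrow property the introduction asks of CB-PKC. For anything beyond a demonstration, the group would be a standard 2048-bit or larger one and the RNG would be the secrets module rather than a seeded random.Random.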
Note that simulating an attack by a Type II adversary is necessary because a certificate-based cryptographic scheme is aimed at resolving the key escrow problem. Because these two games have the same structure, we describe both as a single model and note the differences below.

IND-CBSC-CCA2 games I and II: A CBSC scheme is IND-CBSC-CCA2 secure against Type I and Type II adversaries if no probabilistic polynomial-time adversary 𝒜_I or 𝒜_II has a non-negligible advantage in the following game.

Setup: Challenger ℬ is given the security parameter 1^k. It runs the setup algorithm and obtains the public parameters params and the master secret key msk. In IND-CBSC-CCA2 game I, params are given to 𝒜_I and the challenger keeps msk for itself. In IND-CBSC-CCA2 game II, both params and msk are given to 𝒜_II.

Phase I: In phase I, adversary 𝒜_I (𝒜_II) makes queries and ℬ answers them as follows.

OCreateUser: Upon receiving an identity ID, the challenger generates a secret key sk, a public key pk, and a certificate Cert, and responds with the public key pk.
ORequestPrivateKey: Upon receiving an identity ID, the challenger responds with the private key sk.
OCertification: Upon receiving a tuple (ID, pk), the challenger responds with Cert. Note that this oracle is used only by adversary 𝒜_I; 𝒜_II does not have to query it because it can generate the certificate by itself using the master secret key of the CA.
OSigncryption: Upon receiving a tuple (ID_S, ID_R, pk_S, sk_S, Cert_S, pk_R, M), the challenger responds with the corresponding signcrypted message C.
ODesigncryption: Upon receiving a tuple (ID_S, ID_R, pk_S, pk_R, sk_R, Cert_S, C), the challenger responds with the corresponding plaintext message M.

Challenge: In this phase, 𝒜_I (𝒜_II) outputs two equal-length messages M_0 and M_1 and the identities of the sender and receiver . The challenger chooses a bit γ at random and computes the signcrypted message C* from params, ; the public keys of the sender and receiver ; the secret key of the sender ; the certificate of the sender ; and M_γ.

Phase II: 𝒜_I (𝒜_II) continues to query the oracles as in phase I, with two restrictions: (1) a query with cannot be submitted to the OCertification oracle, and (2) a decryption query with cannot be submitted to the ODesigncryption oracle.

Guess: Finally, 𝒜_I (𝒜_II) terminates the game by outputting a guess γ′ for γ. The advantage of 𝒜_I in the game is defined as follows:

In addition, the advantage of 𝒜_II is defined as follows:

B. Unforgeability

Similarly to the confidentiality models, there are two kinds of adversaries, Type I and Type II.

EUF-CBSC-CMA games I and II: The challenger ℬ is given the security parameter 1^k. It runs the setup algorithm and obtains the public parameters params and the master secret key msk. In EUF-CBSC-CMA game I, params are given to 𝒜_I and the challenger keeps msk for itself. In EUF-CBSC-CMA game II, both params and msk are given to 𝒜_II. Adversary 𝒜_I (𝒜_II) makes queries, and ℬ answers them as follows.

OCreateUser: Upon receiving an identity ID, the challenger generates a secret key sk, a public key pk, and a certificate Cert, and responds with the public key pk.
ORequestPrivateKey: Upon receiving an identity ID, the challenger responds with the private key sk.
OCertification: Upon receiving a tuple (ID, pk), the challenger responds with Cert. This oracle is used only by adversary 𝒜_I; in EUF-CBSC-CMA game II, adversary 𝒜_II has the master secret key of the CA and can thus generate the certificate by itself.
OSigncryption: Upon receiving a tuple (ID_S, ID_R, pk_S, sk_S, Cert_S, pk_R, M), the challenger responds with the signcrypted message C.
ODesigncryption: Upon receiving a tuple (ID_S, ID_R, pk_S, pk_R, sk_R, Cert_R, C), the challenger responds with the plaintext message M.

Forge: Finally, 𝒜_I (𝒜_II) outputs a forged signcrypted message , which was not produced by the OSigncryption query, and was not submitted to the OCertification query. Here, 𝒜_I (𝒜_II) wins if the result of designcrypting with is not the ⊥ symbol. Let Pr[𝒜_I] (Pr[𝒜_II]) be the probability that adversary 𝒜_I (𝒜_II) successfully generates a forged message. We define the advantage of 𝒜_I in the above game as follows:

In addition, the advantage of 𝒜_II is defined as follows:

III. Proposed Scheme

1. Construction

Let p_1 and p_2 be two large prime integers such that .

Setup: The CA picks a generator g of and a random . It sets . Four hash functions are chosen: and The public parameters params and master key msk are as follows: , .

SetKeyPair: Given an identity and params, this algorithm is run by the user. A random element is chosen and set as the user's private key . The user's public key is . The key pair is .

Certification: To generate a certificate for an identity from the inputs , U_ID (received from the user), and params, the CA chooses a random value . It computes . The CA updates the public key of the user corresponding to the identity ID: . The CA then computes the certificate .

Signcryption: Let , , and Cert_S be the private key, public key, and certificate of the sender, respectively, and let , , and Cert_R be the private key, public key, and certificate of the receiver. To generate a signcrypted message of message with (ID_S, ID_R), the identities of the sender and receiver, the sender selects a random value and computes the following: a) (mod p_1); b) (mod p_1); c) ; d) . The sender outputs .

Designcryption: To designcrypt the signcrypted message , the receiver executes the following steps separately: a) Check whether If this equation holds, move to the next step. Otherwise, return ⊥ and terminate the algorithm. b) and return the result, M.

2.
Correctness

The correctness of our scheme is confirmed as follows: a) We have where . Therefore, b) We then have

3. Security Proofs

The main idea of the security proofs for Theorem 1 is to have the CDH attacker ℬ simulate the "environment" of the Type I and Type II attackers 𝒜_I and 𝒜_II, respectively, until it can compute a Diffie-Hellman key g^ab from g^a and g^b using the abilities of 𝒜_I and 𝒜_II. As described in Section II, 𝒜_I and 𝒜_II issue various queries to the random oracles, the OCreateUser oracle, the ORequestPrivateKey oracle, the OCertification oracle, the OSigncryption oracle, and the ODesigncryption oracle. ℬ responds to these queries with answers distributed identically to those in a real attack. To answer adversary 𝒜_I, ℬ sets g^a as a part of the challenge ciphertext and g^b () as the public key of the CA. On the other hand, to answer adversary 𝒜_II, ℬ sets g^a as a part of the challenge ciphertext but uses g^b to generate a public key associated with the challenge identity (in this case, the public key of ID_θ, which is described in the security proof), and the public key of the CA is set up as g^a, where ℬ knows the random ; ℬ gives the master key of the CA to 𝒜_II. To prove the confidentiality of the proposed scheme, we prove the following theorem.

Theorem 1: Suppose that CDH is intractable. Then the CBSC scheme above is IND-CBSC-CCA secure in the random oracle model. This theorem is proved by the following two lemmas: Lemma 1 for the Type I adversary and Lemma 2 for the Type II adversary.

Lemma 1: Suppose that H_1, H_2, H_3, H_4 are random oracles and 𝒜_I is an IND-CBSC-CCA2 Type I adversary with advantage ϵ and running time τ against the CBSC scheme above. Here, 𝒜_I is allowed to make at most q_cu queries to the oracle OCreateUser, q_pri queries to the oracle ORequestPrivateKey, q_cer queries to the oracle OCertification, q_sc queries to the oracle OSigncryption, q_dsc queries to the oracle ODesigncryption, and q_i queries to the random oracle H_i (). Then an algorithm A_CDH exists that solves the CDH problem with the following advantage: and running time , where t_exp denotes the time for an exponentiation.

Proof: We construct an algorithm ℬ that solves the CDH problem by using 𝒜_I. ℬ is given an instance of the CDH problem: p, q, g, g^a, g^b. To answer adversary 𝒜_I, ℬ sets g^a as a part of the challenge ciphertext and g^b () as the public key of the CA. ℬ simulates a challenger and answers the queries of 𝒜_I as below.

Setup: ℬ randomly chooses (where q_cu is the number of queries to the OCreateUser oracle) and sets . The params are set as (p_1, p_2, g, g_1, H_1, H_2, H_3, H_4) and given to 𝒜_I, which can query all of the oracles below at any time during its attack. ℬ answers the queries as follows.

H_1-queries: ℬ maintains a list H_1List of tuples <ID_i, , C_{1,i}, C_{0,i}, h_{1,i}>. Upon receiving the query (ID_i, , C_{1,i}, C_{0,i}), if H_1List contains <ID_i, , C_{1,i}, C_{0,i}, h_{1,i}>, then ℬ returns h_{1,i} to 𝒜_I. Otherwise, it randomly picks , returns h_{1,i} to 𝒜_I, and adds <ID_i, , C_{1,i}, C_{0,i}, h_{1,i}> to H_1List.

H_2-queries: ℬ maintains a list H_2List of tuples <ID_i, , , h_{2,i}>. Upon receiving the query (ID_i, , ), if H_2List contains <ID_i, , , h_{2,i}>, then ℬ returns h_{2,i} to 𝒜_I. Otherwise, it randomly picks , returns h_{2,i} to 𝒜_I, and adds <ID_i, , , h_{2,i}> to H_2List.

H_3-queries: ℬ maintains a list H_3List of tuples . Upon receiving the query (k_i), if H_3List contains , then ℬ returns h_{3,i} to 𝒜_I. Otherwise, it randomly picks , returns h_{3,i} to 𝒜_I, and adds to H_3List.

H_4-queries: ℬ maintains a list H_4List of tuples < , , C_{1,i}, C_{0,i}, h_{4,i}>. Upon receiving the query ( , , C_{1,i}, C_{0,i}), if H_4List contains < , , C_{1,i}, C_{0,i}, h_{4,i}>, then ℬ returns h_{4,i} to 𝒜_I. Otherwise, it randomly picks , returns h_{4,i} to 𝒜_I, and adds < , , C_{1,i}, C_{0,i}, h_{4,i}> to H_4List.

Phase I:

OCreateUser: ℬ maintains a user list UserList of tuples <ID_i, sk_i, pk_i, Cert_i>. Upon receiving ID_i, the following occurs. If , then ℬ randomly chooses and sets . It computes , inserts < , x_θ, (U_θ, P_θ), ⊥> into UserList, and responds to 𝒜_I with (U_θ, P_θ). Otherwise, ℬ generates sk_i, pk_i, Cert_i as normal.

ORequestPrivateKey: Upon the input of identity ID_i, if , ℬ aborts the game. Otherwise, ℬ searches for sk_i in UserList and responds to 𝒜_I with sk_i if it exists.

OCertification: Upon the input of identity ID_i, if , ℬ aborts the game. Otherwise, ℬ searches for Cert_i in UserList and responds to 𝒜_I with the entry if Cert_i exists.

OSigncryption: 𝒜_I gives ℬ a tuple . There are two cases. If , ℬ randomly chooses and , and randomly chooses h_1, h_2, and h_4 from . ℬ runs the simulation of OCreateUser to obtain U_θ and computes After that, ℬ updates H_1List with a new tuple , H_2List with a new tuple , and H_4List with a tuple . Finally, ℬ sends to 𝒜_I the signcrypted message of , ). Otherwise, ℬ makes a signcrypted message as normal.

ODesigncryption: 𝒜_I gives ℬ a tuple <(C_0, C_1, C_2), ID_S, ID_R>. If , ℬ runs H_1-queries to obtain a tuple . ℬ randomly chooses . If (k, h_3) is in H_3List, (U_S, P_S, C_1, C_0) is in H_4List, and (ID_S, P_S, C_1, C_0) is in H_1List such that and , then ℬ outputs M as the answer to the query of 𝒜_I. Otherwise, ℬ operates as normal.

Challenge: 𝒜_I outputs two messages (M_0, M_1) together with . If , ℬ aborts the game. Otherwise, ℬ runs OCreateUser for and to obtain two tuples and (ID_θ, x_θ, (U_θ, P_θ), ⊥). ℬ randomly chooses the values and , sets , and runs H_2-queries with input to obtain . It then computes and . Finally, ℬ outputs .

Phase II: 𝒜_I continues to query as in Phase I, with two restrictions: (1) a query with cannot be submitted to the OCertification oracle, and (2) a decryption query with cannot be submitted to the ODesigncryption oracle.

Guess: 𝒜_I outputs a guess for γ and sends it to ℬ. The challenger searches H_3List and outputs a guess . In the security proof, challenger ℬ does not directly use the guess γ′ returned by adversary 𝒜_I, but can compute the value g^ab. This only happens if ℬ chooses the correct tuple from H_3List, where . Indeed, by replacing k with k*, we have

Security analysis: The simulation will be successful if any of the following events occur:

E1: 𝒜_I chooses . This event occurs with probability 1/q_cu.
E2: 𝒜_I does not query ORequestPrivateKey on identity ID_θ. This event occurs with probability .
E3: 𝒜_I does not query OCertification for identity ID_θ. This event occurs with probability .
E4: ℬ does not abort when answering an OSigncryption query of 𝒜_I because of collisions in H_1, H_2, H_4. This event occurs with probability ().
E5: ℬ does not reject any valid ciphertext at certain points of the game. This event occurs with probability ().

We define E as the probability that the simulation is successful. We know that E1 implies E2 and E3. Therefore, we have the following:

Because ℬ selects the correct tuple from H_3List with probability 1/q_3, the advantage of ℬ in solving the CDH problem is

In addition, the running time is , where t_exp denotes the time for an exponentiation. ■

Lemma 2: Suppose that H_1, H_2, H_3, H_4 are random oracles and 𝒜_II is an IND-CBSC-CCA2 Type II adversary with advantage ϵ and running time τ against the CBSC scheme above.
Here, 𝒜_II is allowed to make at most q_cu queries to the oracle OCreateUser, q_pri queries to the oracle ORequestPrivateKey, q_sc queries to the oracle OSigncryption, q_dsc queries to the oracle ODesigncryption, and q_i queries to the random oracle H_i (). Then an algorithm A_CDH exists that solves the CDH problem with the following advantage: and running time , where t_exp denotes the time for an exponentiation.

Proof: We construct an algorithm ℬ that solves the CDH problem by using 𝒜_II. ℬ is given an instance of the CDH problem, p, q, g, g^a, g^b; it sets g^a as a part of the challenge ciphertext and uses g^b to generate a public key associated with the challenge identity. ℬ simulates a challenger and answers the queries of 𝒜_II as below.

Setup: ℬ randomly chooses and , and sets . The params are set as (p_1, p_2, g, g_1, H_1, H_2, H_3, H_4). Then, params and are given to 𝒜_II. Here, 𝒜_II can query the oracles H_1-queries, H_2-queries, H_3-queries, and H_4-queries, which are described in the proof of Lemma 1, at any time during the attack.

Phase I:

OCreateUser: ℬ maintains a user list UserList: . Upon receiving ID_i, the following occurs. If , then ℬ randomly chooses and sets , computes , inserts < , x_β, (U_β, P_β), ⊥> into UserList, and responds to 𝒜_II with (U_θ, P_θ). Otherwise, ℬ generates sk_i, pk_i as normal.

ORequestPrivateKey: Upon the input of identity ID_i, if , ℬ aborts the game. Otherwise, ℬ searches for sk_i in UserList and responds to 𝒜_II with sk_i.

OSigncryption: 𝒜_II gives ℬ a tuple . There are two cases. If , ℬ randomly chooses , and . A simulation of OCreateUser is run to obtain U_θ, and is computed. Next, ℬ updates H_1List with a new tuple , H_2List with a new tuple , and H_4List with a tuple . Finally, ℬ sends the signcryption result ) to 𝒜_II. Otherwise, ℬ makes a signcrypted message as normal.

ODesigncryption: 𝒜_II gives ℬ a tuple <(C_0, C_1, C_2), ID_S, ID_R>. If , ℬ runs H_1-queries to obtain a tuple . ℬ randomly chooses . If (k, h_3) is in H_3List, (U_S, P_S, C_1, C_0) is in H_4List, and (ID_S, P_S, C_1, C_0) is in H_1List such that and , then ℬ outputs M as the answer to the query of 𝒜_II. Otherwise, ℬ operates normally.

Challenge: 𝒜_II outputs two messages (M_0, M_1) together with . If , ℬ aborts the game. Otherwise, ℬ runs OCreateUser for to obtain two tuples and (ID_θ, x_θ, (U_θ, P_θ), ⊥). ℬ picks the values and ) randomly, sets , and runs H_2-queries with input to obtain . It computes and . Finally, ℬ outputs .

Phase II: 𝒜_II continues to query as in Phase I, with two restrictions: (1) a query with cannot be submitted to the OCertification oracle, and (2) a decryption query with cannot be submitted to the ODesigncryption oracle.

Guess: 𝒜_II outputs a guess for γ and sends it to ℬ. The challenger searches H_3List and outputs a guess . If challenger ℬ chooses the correct tuple from H_3List, then . In this case, we have the following: .

Security analysis: The simulation will be successful if any of the following events
