PROVABLE SECURE IDENTITY BASED SIGNCRYPTION SCHEMES WITHOUT RANDOM ORACLES

International Journal of Network Security & Its Applications (IJNSA), Vol.4, No.3, May 2012
DOI : 10.5121/ijnsa.2012.4306 97
PROVABLE SECURE IDENTITY BASED
SIGNCRYPTION SCHEMES WITHOUT RANDOM
ORACLES
Prashant Kushwah1
and Sunder Lal2
1
Department of Mathematics and Statistics, Banasthali University, Rajasthan, India
pra.ibs@gmail.com
2
Vice Chancellor, Veer Bahadur Singh Purvanchal University, Jaunpur (UP), India
sunder_lal2@rediffmail.com
ABSTRACT
Signcryption is a cryptographic primitive which performs encryption and signature in a single logical
step with the cost lower than signature-then-encryption approach. Recently, Li et al. [35] proposed the
first provable secure identity based signcryption without random oracles. In their scheme sender signs the
ciphertext. However, in [11] Boyen showed that non-repudiation is easily achieved if the sender sign the
plaintext rather than ciphertext. In this paper we proposed an identity based signcryption scheme without
random oracles, which provides the non-repudiation with respect to plaintext. We also proposed an
identity based public verifiable signcryption scheme with third party verification in the standard model.
KEYWORDS
Signcryption, identity based cryptography, provable security, standard model, public verifiable
signcryption
1. INTRODUCTION
Confidentiality and authenticity of a message are achieved independently by public key
encryption and digital signature respectively. There are scenarios where both confidentiality and
authenticity are needed simultaneously (for example secure e-mailing). Earlier signature-then-
encryption approach was followed to achieve both primitives. However, this approach has a
high computational cost and communication overhead. In 1997, Zheng [1] proposed a novel
cryptographic primitive “Signcryption” which achieves both confidentiality and authenticity in a
single logical step with the cost significantly lower than ‘signature-then-encryption’ approach.
Security notions for signcryption were first formalize by Beak et al. [2] i.e. semantic security
against adaptive chosen cipher text attack and existential unforgeability against adaptive chosen
message attack. Many public key signcryption schemes have been proposed after [1]. Some of
them are [3-6].
In 1984, Shamir [7] introduced the concept of identity based cryptography. In the identity based
cryptosystem public key of users are their identities (e.g. email address, PAN number etc.).
Shamir gave an identity based signature (IBS) scheme in [7], but he cannot find any concrete
scheme for identity based encryption (IBE). The first identity based encryption (IBE) scheme
was given by Boneh and Franklin [8] in 2001. The first identity based signcryption (IBSC)
scheme was proposed by Malone Lee [9] in 2002 along with a security model for signcryption
in identity based setting. Since then, many IBSC schemes have been proposed in literature [10-
16].

98
However, most IBSC schemes were proven secure in the random oracle model [17]. Although,
in the random oracle model one can construct the efficient and provable secure schemes but a
proof in the random oracle model only provides the heuristic security. Canetti et al. [18] showed
that when random oracles are instantiated with concrete hash functions, the resulting scheme
may not be secure. Many cryptographic schemes are proposed which are provably secure
without random oracles (or in the standard model). Some of them are [19-27]. By combining
Waters’ [23] IBE scheme and Paterson and Schuldt’s IBS scheme [22], Yu et al. [24] proposed
an IBSC scheme in the standard model. Many authors proved that their scheme is not secure
[21, 28-31]. Among them Zhang [30] and Jin et al. [21] gave improvement on Yu et al. scheme.
However, Li, Liao and Qin [32] showed that Jin et al.’s [21] scheme in neither IND-CCA2
secure nor existential unforgeable and in [33], Li and Takagi showed that Zhang’s [30] scheme
does not possess IND-CPA security and proposed an improvement. In [34], Selvi et al. showed
that Li and Takagi’s [33] improvement is not IND-CCA2 secure.
Recently, Li et al. [35] proposed an efficient IBSC scheme without random oracle based on
Kiltz and Vahlis’s IBE scheme [36] and Paterson and Schuldt IBS scheme [22]. In their scheme,
sender signs the ciphertext which provides existential ciphertext unforgeability i.e. non-
repudiation for the ciphertext. In [11], Boyen noticed that this might difficult the task of
receivers who want to convince a third party of the sender’s authorship for an extracted
plaintext. In this paper we first propose a provable secure IBSC scheme without random oracles
which has existential signature unforgeability i.e. non-repudiation for the plaintext. Further, we
also propose an identity based public verifiable signcryption (IBPSC) scheme with third party
verification without random oracles. In the public verifiable signcryption scheme a third party
who is unaware of the receiver’s private key is able to verify whether a cipher text is valid or not
and in third party verifiable signcryption schemes, a third party is able to verify the integrity and
origin of the message using some additional information along with the signcryption provided
by the receiver other than his/her private key. Signcryption schemes with these additional
properties have applications in filtering out the spam in a secure email system and private
contract signing [16].
This paper is organized as follows: In section 2, we give the formal definitions of IBSC schemes
and their security model. Section 3 contains the preliminaries for the proposed schemes. In
section 4, we propose the new IBSC without random oracle and prove its security. In section 5,
we propose the identity based public verifiable signcryption scheme with third party verification
without random oracles. We conclude this paper in section 6.
2. FORMAL MODEL OF IBSC SCHEME
An identity based signcryption (IBSC) scheme consists of the following four
algorithms:
1. Setup: This algorithm takes input a security parameter k and outputs the system
parameters params and a master secret key.
2. Key Generation: Given input params, master secret key and a user’s
identity UID , it outputs a partial private key UD corresponding to UID .
3. IBSC (signcryption): To send a message m from a user A to B , this algorithm
takes input ( , , , )A A BD m ID ID and outputs a ( , , , )A A BIBSC D m ID ID  .
4. IBUSC (unsigncryption): This algorithm takes input ( , , , )B B AD ID ID and
outputs m if  is a valid signcryption of m done by A for B, otherwise outputs
“invalid”.

99
2.1. Security Model For IBSC Schemes
2.1.1. Message Confidentiality
The notion of security with respect to confidentiality is indistinguishability of
encryptions under adaptive chosen cipher text attack (IND-CCA2). For IBSC this notion
is captured by the following game played between challenger  and adversary  .
GAME 1 (IND-CCA2):
Initialization:  runs the setup algorithm on input a security parameter k, gives public
parameters params to the adversary  .  keeps the master key secret.
Queries (Find Stage): The adversary  makes the following queries adaptively.
 Key generation Queries:  submits an identity UID and  computes the private key
UD corresponding to UID and returns to  .
 IBSC Queries:  submits two identities AID , BID and a message m. Challenger 
runs the IBSC algorithm with message m and identities AID and BID and returns the
output  to the adversary  .
 IBUSC Queries:  submits two identities AID , BID along with  to the challenger
 .  runs the IBUSC algorithm with input  , AID and BID and returns the output m
and  if  is a valid signcryption of m done by A for B, otherwise outputs “invalid”.
No queries with A BID ID is allowed.
Challenge: At the end of the find stage,  submits two distinct messages 0m and 1m of
equal length, a sender’s identity *
AID and a receiver’s identity *
BID on which  wishes to be
challenged. The adversary  must have made no key generation query on *
BID .  picks
randomly a bit {0,1}b , runs the IBSC algorithm with message bm under *
AID and *
BID and
returns the output * to the adversary  .
Queries (Guess stage):  queries adaptively again as in the find stage. It is not allowed to
extract the private key corresponding to *
BID and also it is not allowed to make an IBUSC
query on * with sender *
AID and receiver *
BID .
Eventually,  outputs a bit 'b and wins the game if 'b b .
 ’s advantage is defined as 2
2Pr[ '] 1IND CCA
Adv b b
   .
Definition 1: An IBSC scheme is said to IND-CCA2 secure if no polynomially bounded
adversary  has non-negligible advantage of winning the above game.
Note that the confidentiality game described above deals with the insider security since the
adversary is given access to the private key of the sender *
AID in the challenge phase.

100
2.2.1 Signature Unforgeability
The notion of security with respect to authenticity is existential unforgeability against chosen
message attacks (EUF-CMA). For IBSC this notion is captured by the following game played
between challenger  and adversary  .
GAME 2 (EUF-CMA):
Initialization: Same as in GAME 1.
Queries: The adversary asks a polynomially bounded number of queries adaptively as in
GAME 1.
Forgery: Finally,  produces a triplet * *
( , , )A BID ID 
that was not obtained from an IBSC
query during the game and for which private key of *
AID was not exposed. The forger wins if
 
is valid signcrypted text from AID
to BID
.
The adversary  ’s advantage is its probability of winning the above game.
Definition 3: An IBSC scheme is said to EUF-CMA secure if no polynomially bounded
adversary  has non-negligible advantage of winning the above game.
Note that in the cipher text unforgeability game described above deals with the insider security
since the adversary is given access to the private key of the receiver *
BID in the forgery.
3. PRELIMINARIES
Let 1 and 2 be multiplicative groups of the prime order p and g be a generator of 1 . A
function 1 1 2:e     is called a bilinear pairing if it satisfies the following properties:
1. Bilinearity: for all , , ( , ) ( , )a b ab
pa b e g g e g g 
2. Non-degeneracy: 2
( , ) 1e g g  
3. Computability: e is efficiently computable.
Given 1, , ,a b c
g g g g  for some unknown , , pa b c and an element 2Z  , decide
whether ( , )abc
Z e g g or not is known as Decisional Bilinear Diffie-Hellman (DBDH)
Problem.
Given 1, ,a b
g g g  for some unknown , pa b to compute ab
g is known as
Computational Diffie-Hellman (CDH) Problem.
4. PROPOSED IDENTITY BASED SIGNCRYPTION (IBSC) SCHEME
WITHOUT RANDOM ORACLES
Setup: Choose two groups 1 and 2 of prime order p such that an admissible pairing
1 1 2:e     can be constructed and pick a generator g of 1 .

101
Now pick a random secret p  , compute 1g g
 and pick 2 1Rg   . Furthermore, pick
elements 1, Ru m   and vectors u

( ),iu m

( )im of length un and mn , respectively,
whose entries are random elements from 1 . Here public parameters are params =
1 2 1 2, , , , , , ,e g g g u  u

, ,m m

, 1 2,H H and the master secret key is 2g
.
Cryptographic hash functions 1H and 2H are defined as 1 2: {0,1}H  
 and
2 2 1 1:{0,1} {0,1} mn
H    
   . Here  is the length of the plaintext.
Key Generation: Let u be a bit string of length un representing an identity and let [ ]u i be the
i-th bit of u. Define {1,..., }uU n  to be the set of indices i such that [ ] 1u i  .
To construct the private key ud of the identity u, pick *
u R pr   and compute:
2( ( ) , )u ur r
u j
j U
d g u u g

  . Therefore, 1 2 2( , ) ( ( ) , )A A
A
r r
A A A j
j U
d d d g u u g

   and
1 2( , )B B Bd d d  2( ( ) , )B B
B
r r
j
j U
g u u g

  are the private keys of the sender (Alice) with
identity Au and the receiver (Bob) with identity Bu respectively.
IBSC: To send a message {0,1}m 
to Bob, Alice picks R pr   randomly and computes
1 2( , )r
e g g  , 1 1( )m H   , 2
r
g  , 3 ( )
B
r
j
j U
u u

  ,
2 2( , , , )
A
j A
j U
M H m u u d

  , 4 1( )r
A j
j M
d m m

  where {1,..., }mM n  is the set of
indices j such that [ ] 1m j  ( [ ]m j is the j-th bit of M). Next Alice sets 5 2Ad  . The cipher
text is 1 2 3 4 5( , , , , )      .
IBUSC: On receiving the cipher text 1 2 3 4 5( , , , , )      , Bob computes
1
2 3 1 2( , ) ( , )B Be d e d  
 , 1 1( )m H   , 2 5
ˆ ( , , , )
A
j
j U
M H m u u 

  . Bob
generates the corresponding set {1,..., }mM n  of indices j such that [ ] 1m j  , where [ ]m j
is the j-th bit of ˆM . Accept the message if and only if
4 1 2 5 2( , ) ( , ) ( , ) ( , )
A
j j
j U j M
e g e g g e u u e m m  
  
    .
Consistency:
1 1
2 3 1 2 2
1
2 1 2
( , ) ( , ) ( ,( ) ) ( ( ) , )
( ,( ) ) ( , ) (( ) , ) ( , )
B B
B B
B B
B B
r rr r
B B j j
j U j U
r rr r r r
j j
j U j U
e d e d e g u u e g u u g
e g u u e g g e u u g e g g


   
  

  
  
  
 
 
and

102
4 1
1
( , ) ( ( ) , )
( , ) (( ) , )
r
A j
j M
r
A j
j M
e g e d m m g
e d g e m m g







2
1 2 5 2
( ( ) , ) (( ), )
( , ) (( ), ) (( ), )
A
A
A
r r
j j
j U j M
j j
j U j M
e g u u g e m m g
e g g e u u e m m

 
  
  
 
 
 
 
4.1. Security Analysis of proposed IBSC scheme
Our proofs of the security of the proposed IBSC scheme without random oracles depends on
[22-24].
Theorem 1: (Message confidentiality) Assume that an IND-CCA2 adversary  has an
advantage  against the proposed IBSC scheme when running in time  , asking at most eq
Key generation queries, sq IBSC queries and uq IBUSC queries respectively. Then there exists
a distinguisher  that can solve an instance of the DBDH problem with probability
'
8 ( )( 1)( 1)s e s u u mq q q q n n

 
   
within a time exp p' (( ) ( ) )e s u u multi e s uO q q q n q q q           where exp , multi
and p are the time for an exponentiation, a multiplication in 1 and for a pairing computation
respectively.
Proof: Let  be an IND-CCA2 adversary against the proposed IBSC scheme with advantage
 . Further assume that the distinguisher  receives a random DBDH problem instance
( , ,a
g A g 2, , )b c
B g C g Z   , his goal is to decide whether ( , )abc
Z e g g or not.
 will run the adversary  as a subroutine and act as the  ’s challenger in the IND-CCA2
game.
Setup: The distinguisher  first sets 2( )u e s ul q q q   and 2m sl q , and chooses two
integers (0 )u u uk k n  and (0 )m m mk k n  randomly. Then the distinguisher chooses
randomly an integer
uR lx  , an un -length vector ( )iX x where ( )ui R nx   , an integer
mR nz  and an mn -length vector ( )iZ z where ( )mi R nz   . Additionally, the
distinguisher  chooses randomly two integers , R py w   , an un -length vector ( )iY y
where ( )i R py   and an mn -length vector ( )iW w where ( )i R pw   .
Let {1,..., }uU n  to be the set of indices i such that [ ] 1u i  where [ ]u i be the i-th bit of an
identity u and {1,..., }mM n  is the set of indices j such that [ ] 1m j  where [ ]m j is the j-th
bit of M. For ease of analysis, we define the functions for an identity u and a message m
respectively as in [22, 24].

103
( ) u u i
i U
F u l k x x

     and ( ) i
i U
J u y y

  
( ) m m j
j M
K M l k z z

     and ( ) j
j M
L M w w

  
Then the challenger assigns a set of public parameters as follows
1 2
2 2
2 2
,
, (1 )
, (1 )
u u i i
j jm m
a b
l k x x yy
i u
z wl k z w
j m
g g g g
u g g u g g i n
m g g m g g j n
  
  
 
    
    
Note that these public parameters will have the same distribution as in the game between the
challenger and the adversary  . Furthermore, this assignment means that for an identity u and
any bit string M, we have
( ) ( )
2
F u J u
i
i U
U u u g

  and
( ) ( )
2
K M L M
j
j M
m m g g

  .
Furthermore, the master secret key will be 2 2
a ab
g g g
  .
Find Stage:  answers the  ’s queries as follows:
Key generation queries: Suppose the adversary  submits an identity u. If ( ) 0modF u p ,
the distinguisher abort and randomly chooses its guess b of the challengers value b. Otherwise
the  chooses a random u R pr   and computes the private key corresponding to identity u as
( ) 1
( ) ( )
1 2 1 1( , ) ( ( ) , )u u
J u
r rF u F u
u u u i
i U
d d d g u u g g
 

   .
The distinguisher  returns this private key to the adversary  . As in the Waters’ proof [23]
and Paterson’s proof [22], let
( )
u u
a
r r
F u
  . Then we have
( )
( )
1 1
( )
( ) ( ) ( )
1 2
( ) ( )( ) ( ) ( )
2 2 2
( ( ))( ) ( )
2 2
2
( )
( )
( ) ( )
( )
( )
u
u
u
u
u
J u
rF u
u i
i U
J u
rF u F u J u
rF u F ua J u a F u J u
r a F uF ua J u
ra
i
i U
d g u u
g g g
g g g g g
g g g
g u u













and
1
( ) ( )
2 1
u
u u
a
r
r rF u F u
ud g g g g
 
   .

104
The simulation is perfect if and only if ( ) 0modF u p . For ease of analysis, assume
( 1)u ul n p  which implies 0 u ul k p  and 0 i
i U
x x p

   , also we have
( ) 0modF u p implies that ( ) 0mod uF u l . Hence ( ) 0mod uF u l implies
( ) 0modF u p , so the former condition will be sufficient to ensure that  will not abort in
Key generation queries.
IBSC queries: The adversary submits a plaintext m, a sender’s identity Au and a receiver’s
identity Bu . If ( ) 0modA uF u l ,  first generates a private key for Au as in Key generation
queries described above, and then runs the IBSC algorithm with input m,
Aud and Bu , to
answer the adversary’s query. Otherwise, if ( ) 0modA uF u l ,  will abort.
IBUSC queries: The adversary  submits a cipher text 1 2 3 4 5( , , , , )      , a sender’s
identity Au and a receiver’s identity Bu . If ( ) 0modB uF u l  first generates a private key
for Bu as in Key generation queries described above, and then runs the IBUSC algorithm with
input  , Au and Bud , to answer the adversary’s query. Otherwise, if ( ) 0modB uF u l 
will abort.
Challenge: After a polynomial bounded number of queries, adversary submits a sender’s
identity *
Au , a receiver’s identity *
Bu and two messages 0 1 2,m m  on which she wants to be
challenged. The distinguisher  will abort if *
( ) 0modB uF u l . Otherwise, we have
*
( ) 0modBF u p and the distinguisher flips a fair coin, b, and computes
* * *
( ) ( ) (1/ ( ))*
2 2( , , , )A A A AF u J u F u r
b bM H m Z g g g g
 . If *
( ) 0modbK M p then  will abort,
otherwise  sets the cipher text as
* * * ** * *
( ( )/ ( )) ( ) ( )( ) ( ) (1/ ( ))*
1 1 2( ( ), , , ( ) , )A A A bB A A A AJ u F u F u L MJ u J u r F u r
bm H Z C C g g g C g g  
 
Guess stage: The adversary then performs a second series of queries which are treated in the
same way as the find stage. It is not allowed to ask Key generation query for *
Bu and it is not
allowed to ask an IBUSC query for *
 under *
Bu . Finally,  outputs a guess b of b. If
b b  ,  answer’s 1 indicating that ( , )abc
Z e g g ; otherwise,  answers 0 to the DBDH
problem.
Now we have to assess  ’s probability of success. For the simulation to complete without
aborting, we require that all extraction queries on an identity u have ( ) 0mod uF u l , that all
IBSC queries with input ( , , )A Bu u m have ( ) 0modA uF u l , that all IBUSC queries with
input ( , , )A Bu u have ( ) 0modB uF u l , in the challenge *
( ) 0modA uF u l and
*
( ) 0modBF u p .

105
Let 1 2, ,..., Iqu u u be the identities appearing either in Key generation queries, in IBSC queries
or in IBUSC queries not involving the challenge identity *
Bu . Clearly, we have
I e s uq q q q   . Define the events
* *
* *
: ( ) 0mod , where 1,...,
: ( ) 0mod
: ( ) 0mod
i i u I
B
b
A F u l i q
A F u p
B K M p
 


The probability of  not aborting is * *
1Pr[ ] Pr[ ]Iq
iiabort A A B     . Since the functions
F and K are selected independently, therefore, the event *
1( )Iq
ii A A  and *
B are
independent. We have
* *
* *
* * *
Pr[ ] Pr[ ( ) 0mod ]
Pr[ ( ) 0mod ( ) 0mod ]
Pr[ ( ) 0mod ]Pr[ ( ) 0mod ( ) 0mod ]
1 1
1
B
B B u
B u B B u
u u
A F u p
F u p F u l
F u l F u p F u l
l n
 
   
   
 

|
In the same way we get
* 1 1
Pr[ ]
1m m
B
l n
 

Also for two different identities 1u and 2u , 1( ) 0mod uF u l and 2( ) 0mod uF u l will be
independent. As a special case, for any i, the event iA and *
A are independent. So we have
 
 
* * *
1 1
* *
1
* *
1
Pr[ ] Pr[ ]Pr[ ]
Pr[ ] 1 Pr[ ]
Pr[ ] 1 Pr[ ]
1
1
( 1)
1
1
2( )( 1) 2( )
1
4( )( 1)
I I
I
I
q q
i ii i
q
ii
q
ii
I
u u u
e s u
e s u u e s u
e s u u
A A A A A
A A A
A A A
q
l n l
q q q
q q q n q q q
q q q n
 


   
  
  
 
  
  
  
  
     

  

|
|
|
By combining above results and let 2m sl q , we can get

106
* *
1
* *
1
Pr[ ] Pr[ ]
Pr[ ]Pr[ ]
1
8 ( )( 1)( 1)
I
I
q
ii
q
ii
s e s u u m
abort A A B
A A B
q q q q n n


    
  

   
Also the computation time bound of  can be derives from the fact that there are ( )uO n
multiplications in each Key generation query, IBSC query and IBUSC query. There are (1)O
exponentiations in each Key generation query and IBSC query. There are (1)O pairing in each
IBUSC query.
Theorem 2: (Signature unforgeability) Assume that an EUF-CMA adversary  has an
advantage  against the proposed IBSC scheme when running in time  , asking at most eq
Key generation queries, sq IBSC queries and uq IBUSC queries respectively. Then there exists
an algorithm  that can solve an instance of the Computational Diffie-Hellman problem with
probability
'
8 ( )( 1)( 1)s e s u u mq q q q n n

 
   
within a time exp p' (( ) ( ) )e s u u multi e s uO q q q n q q q           where exp , multi
and p are the time for an exponentiation, a multiplication in 1 and for a pairing computation
respectively.
Proof: Let  be an EUF-CMA adversary against the proposed IBSC scheme with advantage
 . Further assume that the  receives a random CDH problem instance ( , ,a
g A g )b
B g ,
his goal is to compute ab
g .  will run the adversary  as a subroutine and act as the  ’s
challenger in the EUF-IBSC-CMA game.  first sets the public parameters
1 2, , , , ,a b
i jg g g g u m u m   and defines the functions ( ), ( ), ( )F u J u K M and ( )L M in
the same way as described in the proof of Theorem 1. Now  asks Key generation queries,
IBSC queries and IBUSC queries, which are answered in the same way as described in the proof
of Theorem 1 by  .
Finally, if  does not abort, the adversary  will return the forgery * * * * * *
1 2 3 4 5( , , , , )     
on the message *
m and two identities *
Au and *
Bu such that *
 is not the output of IBSC query
with the sender’s identity *
Au and receiver’s identity *
Bu .  unsigncrypts *
 to obtain *
m and
*
 .  will abort if *
( ) 0modAF u p , otherwise computes
*
( )* * * *
2 5( , , , )AJ u
M H m g 
and aborts if *
( ) 0modK M p . Thus  has *
( ) 0modAF u p and *
( ) 0modK M p .
Now  computes and outputs
* *
*
4
2
( )* * ( )
5 2( ) ( )A
a ab
J u L M
g g

 
 

107
as the solution to the given CDH problem. Now  advantage can be calculated similarly as in
theorem 1.
5. PROPOSED IDENTITY BASED PUBLIC VERIFIABLE SIGNCRYPTION
(IBPSC) SCHEME WITHOUT RANDOM ORACLES
Setup: Choose two groups 1 and 2 of prime order p such that an admissible pairing
1 1 2:e     can be constructed and pick a generator g of 1 .
Now pick a random secret R p   , compute 1g g
 and pick 2 1Rg   . Furthermore,
pick elements 1, Ru m   and vectors u

( ),iu m

( )im of length un and mn ,
respectively, whose entries are random elements from 1 . Here public parameters are params =
1 2 1 2, , , , , , ,e g g g u  u

, ,m m

, 1
1 2, , ,H H  
and the master secret key is 2g
.
Cryptographic hash functions 1H and 2H are defined as 5
1 2 1:{0,1} {0,1}k
H   
  and
2 2: {0,1} mn
H  . 2:   is a bijection while 1

is its inverse,  is a subset of
{0,1} k
with p elements. Here  is the length of the plaintext and k is the sufficiently large
integer.
Key Generation: Similar to the previous scheme. Also for the convenience we denote
A
A j
j U
U u u

  and
B
B j
j U
U u u

  .
IBSC: To send a message {0,1}m 
to Bob, Alice randomly picks pr  and computes
2
r
g  , 3 ( )
B
r
j
j U
u u

  , 1 2( , )r
e g g  , 1 2 3 2( , , , , , , )A A BR H m d U U   ,
1 ( )m R     , 2 1( )M H  , 4 1( )r
A j
j M
d m m

  where {1,..., }mM n  denotes the
set of indices j such that [ ] 1m j  ( [ ]m j is the j-th bit of M). Next Alice sets 5 2Ad  . The
cipher text is 1 2 3 4 5( , , , , )      .
IBUSC: On receiving the cipher text 1 2 3 4 5( , , , , )      , Bob
1. computes 2 1
ˆ ( )M H 
2. generates the corresponding set {1,..., }mM n  of indices j such that [ ] 1m j  , where
[ ]m j is the j-th bit of ˆM
3. if 4 1 2 5 2( , ) ( , ) ( , ) ( , )
A
j j
j U j M
  
    , returns invalid. Otherwise
4. computes 1
2 3 1 2( , ) ( , )B Be d e d  

5. computes 1 1
1( ) m R   
  

108
6. computes 1 2 3 5( , , , , , , )A BR H m U U    
7. if R R  returns “invalid”. Otherwise returns ( , , , )m R   .
TP-Verify (Third party verification): On receiving ( , , , )m R   , a sender’s identity Au
and a receiver identity Bu . Trusted third party
1. computes 2 1
ˆ ( )M H 
2. generates the corresponding set {1,..., }mM n  of indices j such that [ ] 1m j  , where
[ ]m j is the j-th bit of ˆM
3. if 4 1 2 5 2( , ) ( , ) ( , ) ( , )
A
j j
j U j M
  
    , returns invalid. Otherwise
4. computes 1 1
1
ˆˆ( ) m R   
  
5. accepts  and output valid if 1 2 3 5
ˆ ˆ( , , , , , , )A BR H m U U    and ˆR R .
It is easy to verify that the above scheme is consistent.
5.1 Security Analysis of proposed IBPSC scheme
Security analysis of the proposed IBPSC scheme is similar to the previous scheme. Due to space
restriction we omit the proof.
6. CONCLUSION
In this paper, we proposed a new identity based signcryption scheme without random oracles
which has existential signature unforgeability. In the proposed scheme non-repudiation is
directly achieved for the plaintext which help the receiver to convince a third party for the
sender’s authorship on an extracted plaintext. Further, we also proposed an identity based public
verifiable signcryption scheme with third party verification without random oracles.
REFERENCES
[1] Y. Zheng (1997) “Digital signcryption or how to achieve cost (Signature & Encryption) << Cost
(Signature) + Cost (Encryption)”, CRYPTO'97, LNCS # 1294, Springer-Verlag, pp. 165-179.
[2] J. Baek, R. Steinfeld & Y. Zheng (2002) “Formal proofs of security of signcryption”, PKC 02,
LNCS # 2274, pp. 81-98.
[3] F. Bao & R. H. Deng (1998) “A signcryption scheme with signature directly verifiable by public
key”, Proceeding of PKC’98, LNCS # 1431, Springer-Verlag pp. 55-59.
[4] R. Hwang, C. Lai & F. Su (2005) “An efficient signcryption scheme with forward secrecy based
on elliptic curve”, Applied Mathematics and Commutation 165, pp. 870-881.
[5] H. Y. Jung, K. S. Chang, D. H. Lee & J. I. Lim (2001) “Signcryption schemes with forward
secrecy”, Proceeding of WISA 2, pp. 403-233.
[6] Y. Zheng & H. Imai (1998) “How to construct efficient signcryption schemes on elliptic curves”,
Information Proceeding Letters, Vol. 68 No. 5, pp. 227-233.
[7] A. Shamir (1984) “Identity-based cryptosystems and signature schemes”, CRYPTO 84, LNCS #
196, Springer-Verlag, pp 47-53.

109
[8] D. Boneh & M. Franklin (2001) “Identity–based encryption scheme from Weil pairing”,
CRYPTO 2001, LNCS # 2139, Springer-Verlag, pp. 213-229.
[9] J. Malone-Lee (2002) “Identity-based signcryption”, Cryptology ePrint Archive Report
2002/098.
[10] P. S. L. M. Barreto, B. Libert, N. McCullagh & J. J. Quisquater “Efficient and provably-secure
identity-based signatures and signcryption from bilinear maps”, ASICRYPT'05, LNCS 3788,
Springer-Verlag, pp. 515-532.
[11] X. Boyen (2003) “Multipurpose Identity based signcryption: A Swiss army knife for identity
based cryptography”, CRYPTO 2003, LNCS # 2729, Springer-Verlag, pp. 389-399.
[12] L. Chen & J. Malone-Lee (2005) “Improved identity-based signcryption”, PKC 2005, LNCS #
3386, Springer-Verlag, pp. 362-379.
[13] S. S. M. Chow, S. M. Yiu, L. C. K. Hui & K. P. Chow (2003) “Efficient forward and provably
secure ID based signcryption scheme with public verifiability and public cipher text
authenticity”, ICISC’2003, LNCS # 2971, Springer-Verlag, pp. 352-369.
[14] B. Libert & J. J. Quisquater (2003) “New identity based signcryption schemes from pairings”,
IEEE Information Theory Workshop, Paris, France, Avalable at http://eprint.iacr.org/2003/023,
2003.
[15] N. McCullagh & P.S.L.M. Baarreto (2004) “Efficient and forward secure identity based
signcryption”, Cryptology ePrint Archive Report 2004/117.
[16] S. S. D. Selvi, S. S. Vivek & C. P. Rangan (2010) “Identity based public verifiable signcryption
scheme”, Proc. ProvSec 2010, LNCS # 6402, Springer-Verlag, pp. 244-260.
[17] M. Bellare & P. Rogaway (1993) “Random oracles are practical: a paradigm for designing
efficient protocols”, D. Denning et al. (Eds.), Proceedings of the First ACM Conference on
Computer and Communications Security ACM Press, pp. 62-73.
[18] R. Canetti, O. Goldreich & S. Halevi (2004) “The random oracle methodology revisited”,
Journal of the ACM 51 (4) pp. 557-594.
[19] D. Boneh & X. Boyen (2004) “Efficient selective-ID secure identity based encryption without
random oracles”, In Eurocrypt’04, LNCS # 3027, Springer, pp. 223-238.
[20] R. Canetti, S. Halevi & J. Katz (2003) “A forward secure public key encryption scheme.
Advances in Cryptology”, EUROCRYPT 2003, LNCS # 2656, Springer-Verlag, Berlin, pp. 225-
271.
[21] Z. Jin, Q. Wen & H. Du (2010) “An improved semantically secure identity based signcryption
scheme in the standard model”, Comput Electr Eng.
[22] K. G. Paterson & J. C. Schuldt (2006) “Efficient identity based signatures secure in the standard
model”, Proceedings of the 11th
Australasian Conference Information Security and Privacy,
LNCS # 4058, Springer-Verlag, pp. 207-222.
[23] B. Waters (2005) “Efficient identity based encryption without random oracles. Advances in
Cryptology”, EUROCRYPT 2005, LNCS # 3494, Springer-Verlag, Berlin, pp. 114-127.
[24] Y. Yu, B. Yang, Y. Sun & S. L. Zhu (2009) “Identity based signcryption scheme without
random oracles”, Computer Standard and Interfaces, 31 (1) pp. 56-62.
[25] T. H. Yuen & V. K. Wei (2005) “Constant size hierarchical identity based signature/signcryption
without random oracles”, Cryptology ePrint Archive, http:eprint.iacr.org/2005/412.pdf.
[26] B. Zhang & Q. Xu (2010) “An ID-based anonymous signcryption scheme for multiple
receivers”, International Journal of Advanced Science and Technology, Vol. 20, pp. 9-24.
[27] B. Zhang & Q. Xu (2010) “Identity based multi-signcryption scheme without random oracles”,
Chinese Journal of Computers, Issue No. 1, pp. 103-110.

110
[28] X. Wang & H. Qian (2010) “Attacks against two identity based signcryption schemes”, 2nd
International Conference NSWCTC’2010, Wuhan, Hubei, Vol. 1 pp. 24-27.
[29] Q. Xia & C. Xu (2009) “Cryptanalysis of identity based signcryption schemes”. 8th
IEEE
International Conference, DASC’09, pp. 292-294.
[30] B. Zhang (2010) “Cryptanalysis of an identity based signcryption scheme without random
oracles”, Journal of Computational Information Systems 6:6 (2010) pp. 1923-1931.
[31] M. Zhang, P. Li, B. Yang H. Wang & T. Takagi (2010) ‘Towards confidentiality of ID-based
signcryption scheme under without random oracle model”, PAISI’2010, LNCS # 6122, Springer-
Verlag, pp. 98-104.
[32] F. Li, Y. Liao & Z. Qin (2011) “Analysis of an identity based signcryption scheme in the
standard model”, IEICE Transaction on Fundamentals of Electronics, Communications and
Computer Science E94-A (1), pp. 268-269.
[33] F. Li & T. Takagi (2011) “Secure identity based signcryption in the standard model”,
Mathematical and Computer Modelling, 2011.
[34] S. S. D. Selvi, S. S. Vivek, D. Vinayagamurthy & C. P. Rangan (2011) “On the security of ID
based signcryption schemes”, Cryptology ePrint Archive Report 2011/664.
[35] F. Li, F. B. Muhaya, M. Zhang & T. Takagi (2011) “Efficient identity based signcryption in the
standard model”, In X. Boyen and X. Chen (Eds.) ProSec 2011, LNCS # 6980, Springer-Verlag,
pp. 120-137.
[36] E. Kiltz & Y. Vahlis (2008) “CCA2 Secure IBE: Standard model efficiency through
authenticated symmetric encryption”. In: Malkin, T. (Ed.) CT-RSA 2008, LNCS # 4964,
Springer, Heidelberg, pp. 221-238.
BIOGRAPHY
Prashant Kushwah is an assistant professor in the department of Mathematics and
Statistics at Banasthali University, Rajasthan, India. He obtained his M. Phil. degree
from Dr. B. R. A. (Agra) University, India in 2007 and the candidate of Ph.D. from
the same. His main research interest includes identity based cryptography mainly
signcryption.
Sunder Lal is an ex-professor in the department of mathematics at Dr. B. R. A.
(Agra) University in Agra, India. Now he is the Vice Chancellor of VBS
Purvanchal University, Jaunpur, India. He obtained his Ph.D. degree in
Mathematics from Meerut University in 1974. He is working in Cryptography past
20 years. His main research interest includes secret sharing, digital signature, access
control, secret handshake, identity based cryptography.

PROVABLE SECURE IDENTITY BASED SIGNCRYPTION SCHEMES WITHOUT RANDOM ORACLES

More Related Content

What's hot (18)

Similar to PROVABLE SECURE IDENTITY BASED SIGNCRYPTION SCHEMES WITHOUT RANDOM ORACLES (20)

Recently uploaded (20)

PROVABLE SECURE IDENTITY BASED SIGNCRYPTION SCHEMES WITHOUT RANDOM ORACLES