Pairing Free Certificate Based Signcryption Schemes Using ECQV Implicit Certificates

Abstract

Signcryption schemes offer the possibility to simultaneously sign and encrypt a message. In order to guarantee the authentication of both signer and receiver in the most efficient way during the signcryption, certificate based solutions have been proposed in literature. We first compare into detail three recently proposed certificate based signcryption systems relying on the elliptic curve discrete logarithm problem and without the usage of compute intensive pairing operations. Next, we demonstrate how the performance of these certificate based systems can be improved by using the Elliptic Curve Qu Vanstone (ECQV) implicit certificates. What is more, generalized signcryption schemes are easily derived from these schemes and the anonymity feature of sender and receiver is already inherently included or can be very efficiently obtained without a significant additional cost.

1. Introduction

 Many applications like electronic payments, supply chain management and data collection/monitoring systems require a strong level of user authentication. Authentication is typically obtained through public key infrastructure (PKI) mechanisms, managed by a certificate authority (CA). However, for small devices in an Internet of Things (IoT) context, a PKI requires too high computation, maintenance, and storage. Consequently, more efficient approaches are needed.

 We identify three different alternatives in literature to establish user authentication, being the identity (ID) based schemes [1], the certificateless [2], and certificate based [3] approaches. In the ID based schemes, a private key generator (PKG) constructs the private and public key of the user with the property that the public key is equal to a known identity of the user. Although this leads to simple key management, the ID based mechanisms are composed of computationally demanding cryptographic pairing operations, have inherent key escrow, and require a secure channel between the PKG and the user to share the private key. In the certificateless schemes, the private key of the user is generated by means of secret information coming both from the PKG and the user itself. Therefore, certificateless schemes do not have inherent key escrow, but still require a secure channel between the PKG and the user.

 Only the certificate based systems are able to address all of the above mentioned problems and in particular have no need for secure channels in the derivation of the key material. These schemes make use of a certificate authority (CA) for the generation of the certificates. In the certificate based approach, the user first generates its own key pair and requests a certificate of the CA on it. As a result of this process, the public key of the user needs to be extended with an additional parameter, derived from the CA’s certificate and responsible for the relation between identity and the first part of the public key. Note that the link between user and public key is not validated in the beginning, but the actual validation is obtained only by including this additional public key parameter in the rest of the security protocol.

 In this paper, we will focus on certificate based signcryption schemes [4]. Signcryption schemes are very interesting as they allow to perform both encryption and signature generation in one single phase. They are much more efficient than the traditional approach in which the message is first encrypted and then signed. Consequently, signcryption schemes are able to offer simultaneously confidentiality, authentication, non-repudiation, and integrity.

 In literature, there have been recently two different certificate based pairing free systems described, which are proven to be secure in the random oracle model against chosen-ciphertext attacks and existentially unforgeable against chosen-message attacks. The system in [5] is based on the discrete logarithm problem (DL) and the other system in [6] on the elliptic curve discrete logarithm problem (ECDLP). In this paper, the scheme of [5] will be explicitly translated in elliptic curve (EC) terminology, and thus compared with [6]. In addition, another scheme is proposed similar as the one of [6], but slightly more efficient since it uses additions instead of inverse operations in the field. It is based on ideas coming from the signcryption scheme described in [7]. The similarities and differences in these three schemes are discussed and the efficiency analysis, provided in [5], is questioned.

 In order to further improve the efficiency of certificate based signcryption schemes, we propose to use an alternative process for the generation and usage of the certificates, by applying the Elliptic Curve Qu Vanstone (ECQV) implicit certificates. Here, the CA generates a certificate based on the identity of the user and some random values. From this certificate, the user can derive its key pair and any other user is able to find the same public key, given the identity and the certificate of the user, relying on the authenticity of the public key of the CA. Note that the computation of the public key can be performed offline. We show how to translate the traditional certificate based signcryption schemes to signcryption schemes using the implicit ECQV certificates, which results in less cryptographic operations. In order to make the difference between the traditional certificate based approach and this proposed approach, we will use the terms of explicit and implicit certificate based schemes.

 Finally, we explain how the previous schemes can be easily adapted to a generalized signcryption (GSC) scheme, providing one single framework to either establish confidentiality, authentication, or a combination of both. We also show how anonymity of sender and receiver is already included in the schemes or can be easily added to the other schemes without a significant additional computation or communication cost.

 To summarize, the main contributions of the paper are the following:

 • Classification of the different proposed explicit certificate based signcryption schemes and proposal of a new one, which is slightly better than the other existing proposals in literature.

 • Proposal of implicit certificate based signcryption schemes, relying on ECQV implicit certificates and linked with the explicit based signcryption schemes, which are more performant than these explicit certificate based signcryption schemes from literature.

 • Classification and comparison with respect to the number of compute intensive operations and time performance of the implicit and explicit based signcryption schemes.

 • Proposal of a certificate based GSC.

 • Proposal of a certificate based signcryption scheme, providing anonymity of sender and receiver.

 The outline of the paper is as follows. In Section 2, related work is described. Section 3 discusses the preliminaries. In Section 4, the different explicit certificate based signcryption systems are presented and compared. Section 5 describes the certificate based approach with ECQV implicit certificates, the corresponding signcryption schemes based on it, and an associated performance analysis. In Section 6, the relation with a GSC scheme and the inclusion of anonymity is described. Section 7 describes the security analysis. Finally, Section 8 presents the conclusions of the the paper.

2. Related Work

 In 2002, Malone [8] introduced the first ID based signcryption scheme, together with a comprehensive security model. The classical ID based signcryption schemes make use of computationally intensive pairing operations. As shown in [9], for binary fields, pairing operations behave almost 5 times worse than EC point multiplication operations in timing and energy performance.

 In 2008, the introduction of the certificateless approach in signcryption schemes has been proposed in [10,11]. The same year, also certificate based signcryption schemes [12] have been introduced. Most of the certificate based and certificateless signcryption schemes are also based on pairing operation. However, very recently two paring free certificate based systems have been made proposed [5,6]. A performance comparison in [5] was given to compare the schemes between [5,6,13,14], showing that [5] was outperforming the others. The schemes [13,14] are making use of pairing operations. Unfortunately, we will show that wrong conclusions are made for the performance comparison between [5] and [6], probably due to a wrong translation, as [5] was expressed as a discrete logarithm problem (DLP) and [6] as an ECDLP. In addition, we add another certificate based and pairing free signature scheme, similar to the scheme of [6], following ideas of [7], where the signature scheme is based on the proposal of Schnorr [15].

 On the other hand, many pairing free signcryption schemes based on elliptic curve cryptography (ECC) without the specific condition of ID based authentication can also be found in literature, see survey [16]. In these schemes, the guarantee that a given public key belongs to a certain user is explicitly assumed, for instance by a third party who is checking the integrity of the stored public key and identity data. This is a quite strong requirement. In particular, among the most efficient proposals in literature, we distinguish [7] where an efficient EC based GSC scheme is discussed. Also an anonymous EC based signcryption scheme, called ASEC, has been described in [17].

 The newly proposed type of certificate based signcryption scheme will rely on the ECQV Implicit Certificate Scheme [18] as key management protocol, which uses elliptic curve operations and results in much more lightweight public key cryptographic (PKC) solution, compared to RSA based PKC systems [19].

 To conclude, this paper will firstly analyze three variants for pairing free signcryption schemes with traditional certificates, based on inputs of [5-7]. Next, a certificate based approach with ECQV implicit certificates will be proposed, leading to more efficient certificate based signcryption schemes. Finally, it will be shown how GSC schemes and anonymity can be obtained in the proposed schemes. In particular, the performance of ASEC [17] will be drastically improved.

3. Preliminaries

 Elliptic Curve Cryptography (ECC) is based on the algebraic structure of elliptic curves over finite fields. We denote the curve in the finite field GF(2^p) by E_p(a,b), defined by the equation y² + xy = x³ +ax+b with a and b two constants in GF(2^p). We denote by P the base point generator of E_p(a,b) of order 2^p . The EC based public key cryptography (PKC) system is based on the following two problems.

 • Elliptic Curve Discrete Logarithm Problem (ECDLP) states that given two EC points P and Q of E_p(a,b), it is computationally hard for any polynomial-time bounded algorithm to determine a parameter x in GF(2_p)^* , such that Q=xP.

 • The Computational Discrete Logarithm Problem (CDLP) states that given 3 points, P, xP, yP (x,y in GF(2_p)^* ) of E_p(a,b), it is computationally infeasible to derive the EC point xyP=yxP.

 In addition, a one-way cryptographic hash function (e.g. SHA2, SHA3) that results in a number of GF(2^p) is denoted by H(.). Given the messages M₁ and M₂, the concatenation of them is denoted by M₁| M₂ and the bitwise XOR operation by M₁⊕M₂. We assume that the length of the message is less or equal than the size of the hash function output. If not, an encryption algorithm, like e.g. AES, should be used, instead of the xor operation to encrypt the message.

4. Certificate based signcryption

 A traditional certificate based signcryption scheme, as proposed in [5,6], consists of the following 5 phases. The sender and receiver are denoted by S and R respectively.

 • Setup: In this phase, the CA generates the master secret key msk and system parameters params, based on a given security parameter. These system parameters params are published.

 • SetKeyPair: This algorithm is working at the user’s side. Given params, the private key sk_U and public key pk_U of the user with identity ID_U are generated. The public key together with the user’s identity is sent to the CA.

 • Certification: The CA generates based on the user’s identity ID_U and public key pk_U together with the system parameters params, a certificate cert_U for each user. The CA sends the certificate to the user over an open channel.

 • Signcryption S_SR (.): This function is executed by the sender S and has the goal to encrypt and sign the message m. The input of the function contains the message m, the identity ID_S, certificate cert_S and private key sk_S of the sender, the identity ID_R and public key pk_R of the receiver, together with the system parameters params. The result is called the signcrypted message, denoted by:

\(C_{S R}=S_{S R}\left(m, I D_{S}, I D_{R}, c e r t_{S}, s k_{S}, p k_{S}, p k_{R}, p a r a m s\right)\)

 • Unsigncryption URS(.): This function is executed by the receiver R, after reception of the message C_SR and has the goal to derive the original message m and to verify the corresponding signature on it. The input of the function contains the identity ID_S and public key pk_S of the sender, the identity ID_R, the certificate certR, private key sk_R and the public key pk_R of the receiver, together with the system parameters params. The output of the function

\(U_{R S}\left(C_{S R}, I D_{S}, I D_{R}, c e r t_{R}, s k_{R}, p k_{S}, p k_{R}, { params }\right)\)

 is equal to m’ if the verification of the signature is correct. If the signature is not valid, the output equals to ⊥. The signcryption algorithm is correct if m equals to m’.

 Table 1. summarizes the notations frequently used in this paper.

Table 1. Notations

 

 We now discuss the three types of signcryption algorithms. For the first three phases, they all satisfy the same steps, leading to the same notations (see [6]).

 • Setup: The CA defines the public system parameters, consisting of an EC in GF(2^p)^* , a generator P on that curve and an EC point G_CA=αP. The random value α ∈ GF(2^p)^* used in the computation of GCA corresponds with the master key. To conclude 

\( {params}=\left\{P, E C, G_{C A}\right\}\) and \(m s k=\alpha\).

 • SetKeyPair: Given the identity ID_U of the user and params, the user selects a random value d_U ∈ GF(2^p)^* as the private key, thus sk_U=d_U. The corresponding public key equals to pk_U= P_U = d_UP. The tuple (ID_U,P_U) is sent to the CA.

 • Certification: Based on the user’s input (ID_U,P_U), the CA selects a random value r_U ∈ GF(2^p)^* and computes R_U = r_UP. Next, the certificate for the user is defined as

\( {cert}_{U}=r_{U}+\alpha H\left(I D_{U}\left|P_{U}\right| R_{U}\right).\)

 Both cert_U and R_U are sent to the user. The public key of the user is the tuple (P_U, R_U).

We now discuss the signcryption and unsigncryption algorithms between S and R for the three different schemes, based on [5,6,7] respectively.

4.1 Scheme 1

 The signcryption S_SR(m,ID_S,ID_R,cert_S,sk_S,pk_S,pk_R,,params) with pk_s=(P_S, R_S) and pk_r=(P_R, R_R) consists of the following steps.

 • Choose a random value \(r \in G F\left(2^{p}\right)^{*}\), compute \(R=rP\).

 • \(k=r\left(P_{R}+R_{R}+H\left(I D_{R}\left|P_{R}\right| R_{R}\right) G_{C A}\right)\)

 • \(C_{I}=m \oplus H(k)\)

 • \(C_{2}=c e r t_{S}+d_{S} H\left(P_{S}\left|R_{S}\right| C_{1} | R\right)+r H\left(I D_{S}\left|R_{S}\right| C_{I} | R\right)\)

 The signcryption algorithm has output C_SR =(R,C₁,C₂).

 The unsigncryption process, denoted by URS (C_SR,ID_S,ID_R,cert_R,sk_R,pk_S,pk_R,,params), with pk_s=(P_S, R_S) and pk_r=(P_R, R_R) consists of the following steps.

 • The receiver first checks if 

\(C_{2} P=R_{S}+H\left(I D_{S}\left|P_{S}\right| R_{S}\right) G_{C C A}+H\left(P_{S}\left|R_{S}\right| C_{1} | R\right) P_{S}+H\left(I D_{S}\left|R_{S}\right| C_{I} | R\right) R\)

 • If this check is positive, then the key is defined by the equality:

\(k=\left(d_{R}+c e r t_{R}\right) R.\)

 and thus the final message m is derived by

\(m=C_{1} \oplus H(k)\)

 Otherwise, the output equals to ⊥. Note that the scheme is correct since

\(\begin{aligned} C_{2} P &=\left( {cert}_{S}+d_{S} H\left(P_{S}\left|R_{S}\right| C_{1} | R\right)+r H\left(I D_{S}\left|R_{S}\right| C_{1} | R\right)\right) P \\ &={cert}_{S} P+d_{S} H\left(P_{S}\left|R_{S}\right| C_{1} | R\right) P+r H\left(I D_{S}\left|R_{S}\right| C_{1} | R\right) P \\ &=\left(r_{S}+\alpha H\left(I D_{S}\left|P_{S}\right| R_{S}\right)\right) P+H\left(P_{S}\left|R_{S}\right| C_{1} | R\right) d_{s} P+H\left(I D_{S}\left|R_{S}\right| C_{1} | R\right) r P\\ &=R_{S}+H\left(I D_{S}\left|P_{S}\right| R_{S}\right) G_{C A}+H\left(P_{S}\left|R_{S}\right| C_{1} | R\right) P_{S}+H\left(I D_{S}\left|R_{S}\right| C_{I} | R\right) R \end{aligned}\)

 Also, for the key derivation, we see that

\(\begin{aligned} k &=\left(d_{R}+\operatorname{cert}_{R}\right) R \\ &=\left(d_{R}+r_{R}+\alpha H\left(I D_{R}\left|P_{R}\right| R_{R}\right)\right) R \\ &=d_{R} r P+r_{R} r P+\alpha H\left(I D_{R}\left|P_{R}\right| R_{R}\right) r P \\ &=r P_{R}+r R_{R}+r H\left(I D_{R}\left|P_{R}\right| R_{R}\right) G_{C A} \end{aligned}\)

4.2 Scheme 2

 The signcryption phase with inputs m, ID_S, ID_R, cert_S, d_S, (P_S, R_S), (P_R, R_R), params, consists of the following steps.

 • Choose a random value \(r \in G F\left(2^{p}\right)^{*}\), compute \(R=r P\).

 • \(k=r\left(P_{R}+R_{R}+H\left(I D_{R}\left|P_{R}\right| R_{R}\right) G_{C A}\right)\)

 • \(C_{1}=m \oplus H(k)\)

 • \(h=H\left(m|R| I D_{S}\left|P_{S}\right| R_{S}\right)\)

 • \(C_{2}=r\left(d_{S}+c e r t_{S}+h\right)^{-1}\)

 The signcryption algorithm has output C_SR = (h,C₁,C₂).

 For the unsigncryption process with input C_SR, ID_S, ID_R,cert_R, sk_R, (P_S, R_S), (P_R, R_R), params, the receiver first computes

\(R^{\prime}=C_{2}\left(P_{S}+R_{S}+H\left(I D_{S}\left|P_{S}\right| R_{S}\right) G_{C A}+h P\right)\)

 Next, also the key k’=(d_R + cert_R)R’ is derived in order to find m’ = C1 ⊕ H(k’).

 Finally, the signature is verified by checking the following equality

 \(h=H\left(m^{\prime}\left|R^{\prime}\right| I D_{S}\left|P_{S}\right| R_{S}\right)\).

 If so, m=m’, or otherwise the output equals to ⊥.

 The correctness of the scheme follows from the following reasoning:

\(\begin{aligned} R^{\prime} &=C_{2}\left(P_{S}+R_{S}+H\left(I D_{S}\left|P_{S}\right| R_{S}\right) G_{C A}+h P\right) \\ &=r\left(d_{S}+c e r t_{S}+h\right)^{-1}\left(d_{S} P+r_{S} P+H\left(I D_{S}\left|P_{S}\right| R_{S}\right) \alpha P+h P\right) \\ &=r\left(d_{S}+c e r t_{S}+h\right)^{-1}\left(d_{S} P+{cert}_{S} P+h P\right)=r P=R \end{aligned}\)

4.3 Scheme 3

 The signcryption phase with inputs m, ID_S, ID_R, cert_S, d_S, (P_S,R_S), (P_R, R_R), params, consists of the following steps.

 • Choose a random value \(r \in G F\left(2^{p}\right)^{*}\), compute \(R=r P\).

 • \(k=r\left(P_{R}+R_{R}+H\left(I D_{R}\left|P_{R}\right| R_{R}\right) G_{C A}\right)\)

 • \(C_{I}=m \oplus H(k)\)

 • \(h=H\left(m|R| I D_{S}\left|P_{S}\right| R_{S}\right)\)

 • \(C_{2}=r-h\left(d_{S}+c e r t_{S}\right)\)

 The signcryption algorithm has output C_SR = (h,C₁,C₂).

 For the unsigncryption process with inputs C_SR, ID_S, ID_R,cert_R, d_R, (P_S, R_S), (P_R, R_R), params, the receiver first computes

\(R^{\prime}=C_{2} P+h\left(P_{S}+R_{S}+H\left(I D_{S}\left|P_{S}\right| R_{S}\right) G_{C A}\right)\)

 Next, also the key k’=(d_R + cert_R)R’ is derived in order to find m’ = C₁ ⊕ H(k’). Finally, the signature is verified by checking the following equality

\(h=H\left(m^{\prime}\left|R^{\prime}\right| I D_{S}\left|P_{S}\right| R_{S}\right)\).

 If so, m=m’, ortherwise the output equals to ⊥.

 The correctness of the scheme for the key derivation is similar as the two other schemes. For the authentication, it follows from the fact that

\(\begin{aligned} R^{\prime} &=C_{2} P+h\left(P_{S}+R_{S}+H\left(I D_{S}\left|P_{S}\right| R_{S}\right) G_{C A}\right) \\ &=\left(r-h\left(d_{S}+c e r t_{S}\right)\right) P+h\left(P_{S}+R_{S}+H\left(I D_{S}\left|P_{S}\right| R_{S}\right) G_{C A}\right) \\ &=r P-h d_{S} P-c e r t_{S} P+h P_{S}+h R_{S}+h H\left(I D_{S}\left|P_{S}\right| R_{S}\right) G_{C A} \\ &=r P-h d_{S} P-h c e r t_{S} P+h P_{S}+h c e r t_{S} P=r P \end{aligned}\)

 

Fig. 1. Comparison of the explicit certificate based signcryption schemes 1, 2 and 3

4.4 Comparison of the Schemes

 Fig. 1 summarizes the different steps in the three different schemes. Based on that, Table 1. compares the differences in computational efforts between the three different schemes for the different types of involved operations.

Table 1. Comparison of the number of cryptographic operations in the explicit certificate based signcryption schemes

 

 From the definition of the 3 schemes, we can conclude that they all follow a similar structure. The key derivation k and the encryption of the message, corresponding to the parameter C₁, is exactly the same in the 3 schemes. The main difference is between scheme 1 versus schemes 2 and 3. For scheme 1 the EC point R is part of the signcryption message, while this is in schemes 2 and 3 only a hash value h. Consequently, with respect to communication efficiency, schemes 2 and 3 outperform scheme 1. As a result of this construction, the unsigncryption process in scheme 1 can be split into two separate processes for the decryption and the signature verification, while in schemes 2 and 3 the decryption is required before the signature verification can be finalized. This could allow to dedicate the verification in the unsigncryption to a powerful server. However, this feature comes also with a main global computational cost of one additional EC multiplication during the unsigncryption process for scheme 1.

 Finally, the difference in efficiency between schemes 2 and 3 is mainly in the computation for the signature verification, where scheme 3 slightly outperforms scheme 2 as it is only using additions in the field, instead of field multiplications. Consequently, it can be seen that the conclusion on the comparison given in [5], between the schemes [5] and [6] is not correct, as [5] was assumed to outperform [6].

5. Signcryption with ECQV Certificates

5.1 Key management

 For the certificate based signcryption schemes relying on ECQV certificates, we need to slightly adapt phases 2 (SetKeyPair) and 3(Certification). Phase 1 (Setup) is still valid. We rename the second phase to the InitializeKeyPair phase.

 • InitializeKeyPair: The input of this function consists of the identity ID_U of the user and params. The output, sent to the CA, corresponds with the tuple (ID_U,R_ID), where R_U = r_UP containing the random value r_U ∈ GF(2^p)^* chosen by the user.

 • Certification: In this function, the CA also chooses a random value r_CA ∈ GF(2^p)^* in order to compute R_CA = r_CAP. Then the certificate certU is defined by

\(c e r t_{U}=R_{C A}+R_{U}\)

 The value r = H(cert_U|ID_U) r_CA +α is computed. Both cert_U and r are sent to the user. Based on the received tuple (r, cert_U), the user is able to compute its private key by

\(d_{U}=H\left(c e r t_{U} | I D_{U}\right) r_{U}+r\)

 and the corresponding public key equals to P_U = d_UP. The key pair (d_U,P_U) is accepted by the user only if the public key P_U also satisfies the following equality

\(P_{U}=H\left(c e r t_{U} | I D_{U}\right) c e r t_{U}+G_{C A}\)

This follows from the fact that

\(\begin{aligned} P_{U} &=d_{U} P=H\left({cert}_{U} | I D_{U}\right) r_{U} P+r P \\ &=H\left({cert}_{U} | I D_{U}\right) r_{U} P+\left(H\left({cert}_{U} | I D_{U}\right) r_{C A}+\alpha\right) P \\ &=H\left({cert}_{U} | I D_{U}\right)\left(r_{U}+r_{C A}\right) P+\alpha P=P_{U} \end{aligned}\)

Consequently, based on the information (ID_U,cert_U), any other user is able to find the public

 key uniquely bounded to the user with identity ID_U.

\(P_{U}=H\left(c e r t_{U} | I D_{U}\right) c e r t_{U}+G_{C A}\),

 This computation of the public key only requires one EC addition and one EC multiplication. In addition, no separate value for the public key needs to be sent. A formal proof on the security of this ECQV scheme can be found in [20]. We now show how the three above described certificate based signcryption schemes can be considerably simplified by working with these new implicit certificate based credentials of the user.

5.2 Signcryption and unsigncryption processes

 The framework for the three implicit certificate based signcryption schemes is very similar. This framework is first discussed and then the different steps in the three schemes are further detailed in the paragraphs below.

 The signcryption algorithm S_SR(.) is defined by C_SR =S_SR (m,ID_S,ID_R,sk_S,pk_S,cert_R,params). First, the sender computes the public key of the receiver using ID_R and cert_R:

\(P_{R}=H\left(c e r t_{R} | I D_{R}\right) c e r t_{R}+G_{C A}\)

 Next, each of the three schemes perform some specific steps, explained below.

 The unsigncryption scheme U_SR(.) is defined by U_SR(C_SR,ID_S,ID_R,sk_R,cert_S,pk_R,,params). Upon arrival, the receiver first computes the public key of the sender using ID_S and certs by

\(P_{S}=H\left(c e r t_{S} | I D_{S}\right) c e r t_{S}+G_{C A}\)

 Next, each of the three schemes perform again some specific steps, explained below.

5.2.1 Scheme 1

 The signcryption S_SR(m,ID_S,ID_R,cert_S,sk_S,pk_S,pk_R,,params) with pk_s=P_S and pk_r=P_R consists of the following steps.

 • Choose a random value \(r \in G F\left(2^{p}\right)^{*}\), compute \(R=r P\).

 • \(k=r P_{R}\)

 • \(C_{I}=m \oplus H(k)\)

 • \(C_{2}=d_{S} H\left(P_{S}\left|R_{S}\right| C_{1} | R\right)+r H\left(I D_{S}\left|R_{S}\right| C_{1} | R\right)\)

 The signcryption algorithm has output C_SR =(R,C₁,C₂).

 The unsigncryption process, denoted by URS (C_SR,ID_S,ID_R,cert_R,sk_R,pk_S,pk_R,,params), with pk_s=P_S and pk_r=P_R consists of the following steps.

 • The receiver first checks if 

\(C_{2} P=H\left(P_{S}\left|R_{S}\right| C_{1} | R\right) P_{S}+H\left(I D_{S}\left|R_{S}\right| C_{1} | R\right) R\)

 • If this check is positive, then the key is defined by the equality:

\(k=d_{R} R\)

 and thus the final message m is derived by

\(m=C_{1} \oplus H(k)\)

 Otherwise, the output equals to ⊥.

5.2.2 Scheme 2

 The sender performs the following steps in the signcryption process.

 • Choose a random value \(r \in G F\left(2^{p}\right)^{*}\), compute \(R=r P\).

 • \(k=r P_{R}\)

 • \(C_{1}=m \oplus H(k)\)

 • \(h=H\left(m|R| I D_{S}\left|P_{S}\right| c e r t_{S}\right)\)

 • \(C_{2}=r\left(d_{S}+h\right)^{-1}\)

 The signcryption algorithm has output C_SR= (h,C₁,C₂).

 For the unsigncryption process, the receiver first computes

\(R^{\prime}=C_{2}\left(P_{S}+h P\right)\)

 Next, also the key k’=d_RR’ is derived, resulting in the message m’ = C₁ ⊕ H(k’).

 Finally, the signature is verified by checking the equality h = H(m’|R’|ID_S|P_S|cert_S). If so, m=m’, otherwise the output equals to ⊥.

 The correctness of the scheme follows from the following derivations

\(\begin{array}{l} R^{\prime}=C_{2}\left(P_{S}+h P\right) \\ \quad=r\left(d_{S}+h\right)^{-1}\left(P_{S}+h P\right)=r P=R \end{array}\)

5.2.2 Scheme 3

 The following steps are performed by the sender.

 • Choose a random value \(r \in G F\left(2^{p}\right)^{*}\), compute \(R=rP\).

 • \(k=r P_{R}\)

 • \(C_{1 }=m \oplus H(k)\)

 • \(h=H\left(m|R| I D_{S}\left|P_{S}\right| c e r t_{S}\right)\)

 • \(C_{2}=r-h d_{S}\)

 The signcryption algorithm has output C_SR= (h,C₁,C₂).

 For the unsigncryption process, the receiver first computes R’ = C₂P+hP_S

 Next, the key k’=d_RR’ is derived and thus m’ = C₁ ⊕ H(k’).

 Finally, the signature is verified by checking the equality h = H(m’|R’|ID_S|P_S|cert_S). If so, m=m’, otherwise the output equals to ⊥.

 The correctness of the scheme follows from the fact that

\(R^{\prime}=\left(r-h d_{S}\right) P+h P_{S}=r P=R\)

 

Fig. 2. Comparison of the implicit certificate based signcryption schemes 1, 2 and 3

5.3 Comparison of both types of certificate based signcryption schemes

 Fig 2. summarizes the different steps in the implicit certificate based signcryption schemes, where the public keys of the other entity are considered to be computed offline. A complete analysis of the operations in the three different signcryption schemes using ECQV implicit certificates is summarized in Table 2. It is reasonable to assume that the public keys are already computed in advance, as it can happen for instance through the computation by a separated and dedicated server, having strong computational capacity.

Table 2. Comparison of the number of cryptographic operations in the implicit certificate based signcryption schemes (public keys are computed offline)

 

 The main difference between the two approaches, using explicit and implicit based certificates, is that the link between the public key and the identity of the user is checked beforehand in the ECQV implicit certificates based approach, while in the traditional certificate based approach this is incorporated in the actual signcryption and unsigncryption processes. The incorporation is both at the encryption/decryption phase in the derivation of its key k and the signature definition/verification step. The length of the user’s credentials is shorter in the ECQV implicit certificates schemes as the implicit certificate is used to derive the public key, while in the traditional certificate based schemes the public key consists of one additional certificate related parameter.

 To conclude, when comparing Table 1 and 2 for the most compute intensive operations, the EC multiplication and EC addition, the difference between both approaches in the signcryption and unsigncryption phase for the three signcryption schemes is in all cases equal to two EC additions and one EC multiplication.

 When we also include the complexity of computing the public keys in the case of the ECQV implicit certificates (see Equation 2), the difference between both approaches is only one EC addition.

 Fig. 3 visualizes the difference in performance expressed in timing (µs) between the different schemes, explicit and implicit, for signcryption and unsigncryption respectively. The performance numbers are based on the results obtained from [21], where the cryptographic operations are implemented on a personal computer with a 2.50 GHz CPU and 8 GByte RAM and the Windows 7 OS. Overall, there is a 30% improvement when considering the implicit versus the explicit approach. The difference between performance of the signcryption scheme among the 3 schemes is negligible, however the unsigncryption schemes 2 and 3 are almost 25% more efficient than Scheme 1.

 

Fig. 3. Comparison of the performance (time in µs) for schemes 1, 2 and 3. The left hand side represents the signcryption (sender side) and the right side represents the unsigncryption (receiver side)

6. Extensions

 We now show how the above described schemes can be easily transformed in a GSC scheme and how the anonymity of sender and receiver is obtained in the three schemes.

6.1 Generalized signcryption

 There are 3 main scenarios in a GSC scheme. Note that due to the difference in role of the certificate for the traditional certificate based schemes and the certificate based schemes with ECQV implicit certificates, the input parameters of the signcryption and unsigncryption algorithms differ for both. Table 3 summarizes the differences for the input parameters in both types of certificate based schemes.

Table 3. Differences in input parameters for the traditional certificate based and ECQV implicit certificate based signcryption schemes

 The notations below are for the traditional certificate based schemes. Using Table 3, the conversion for the ECQV implicit certificates based schemes can be made.

 • Signcryption scenario: sender and receiver are determined and the message is encrypted and provided with a signature.

\(\begin{aligned} &C_{S R}=S_{S R}\left(m, I D_{S}, I D_{R}, c e r t_{S}, s k_{S}, p k_{S}, p k_{R}, { params }\right)\\ &m^{\prime} \text { or } \perp=U_{R S}\left(C_{S R}, I D_{S}, I D_{R}, {cert}_{R}, S k_{R}, p k_{S}, p k_{R,}, { params }\right) \end{aligned}\)

 • Signature scenario: Only the sender is determined. We denote an unknown receiver by R=Ø. The message is only provided with a signature and no encryption is performed.

\(\begin{aligned} &C_{S Ø}=S_{S Ø}\left(m, I D_{S}, 0, c e r t_{S}, s k_{S}, p k_{S}, 0, p { arams }\right)\\ &m^{\prime} \text { or } \perp=U_{ØS}\left(C_{S Ø}, I D_{S}, 0, c, 0, p k_{S}, 0, { params }\right) \end{aligned}\)

 • Encryption scenario: Only the receiver is determined. The message is encrypted and signed by an anonymous sender and thus we denote S=Ø.

\(\begin{array}{l} C_{Ø R}=S_{Ø R}\left(m, 0, I D_{R}, 0,0, p k_{R}, {params}\right) \\ m^{\prime} \text { or } \perp=U_{R Ø}\left(C_{Ø R}, 0, I D_{R}, s k_{R}, 0, p k_{R}, p { arams }\right) \end{array}\)

 Inserting 0 as indicated by the input parameters of the algorithms in the signature and encryption scenarios and assuming H(0)=0, transforms each of the 6 previous described signcryption schemes to a GSC scheme.

6.2 Anonymous signcryption

 In all of the above described schemes, the anonymity of the receiver is obtained due to the ECDLP. In Scheme 2 and 3 for both types of certificate based mechanisms, the identity of the sender is also hidden for any outsider, since the hash value to be verified in the signature includes the original message that can only be derived by the intended receiver. However, in Scheme 1, the verification is done solely based on the received message R,C₁,C₂ and the public key and identity of the sender. Consequently, in the assumption that the public keys of all users in the system are known to everybody, the verification of the signature leads to the corresponding sender. However, by multiplying C₂ with H(k), a hiding factor is included, which can only be verified by the intended receiver. Note that this operation only requires one additional field multiplication during both the signcryption and unsigncryption phase.

 As a consequence, the proposed schemes represent the most efficient anonymous signcryption schemes. In order to do a fair comparison with the most efficient one in the state of the art, ASEC [16], we consider the certificate based schemes using the ECQV implicit certificates with the assumption that the public keys are generated offline. Note that in ASEC also the assumption has been made that the validity of the public key is obtained offline, by the storage in a third party protected environment. In the ASEC scheme, 3 EC point multiplications during signcryption and 5 EC point multiplications and 2 EC additions during unsigncryption are required. Consequently, as can be seen from Table 3, the three proposed certificate based signcryption schemes drastically outperform ASEC.

7. Security analysis

 The security analysis is based on the proof by contradiction, similar like in [22]. In order to formally define the ECDLP as expressed in [23], we need to consider the following two distributions

\(\begin{aligned} &D_{ {real}}=\left\{r \in G F\left(2^{p}\right)^{*}, R=r P:(P, R, r)\right\}\\ &D_{ {rand}}=\left\{r, k \in G F\left(2^{p}\right)^{*}, R=r P:(P, R, k)\right\} \end{aligned}\)

The advantage of any probabilistic, polynomial-time, 0/1-valued distinguisher D in solving ECDLP on E_p(a,b) is defined as

\(\left.{\operatorname{Ad} v_{D, E p(a, b)}}^{E C D L P}=\left| {Pr}\left((P, R, r) \in D_{ {real}}: D(P, R, r)=1\right)-{Pr}(P, R, k) \in D_{ {rand}}: D(P, R, r)=1\right)\right|\)

where the probability Pr(.) is taken over random choices of r and k. The distinguisher D is said to be a (t,ε)- ECDLP distinguisher for E_p(a,b) if D runs at most in time t such that Adv_D,Ep(a,b)^ECDLP ≥ ε. The following assumption holds.

 ECDLP assumption: For every probabilistic, polynomial-time, 0/1-valued distinguisher D, we assume that Adv_D,Ep(a,b)^ECDLP < ε, for any sufficiently small ε > 0.

 Consequently, no (t,ε)- ECDLP distinguisher for E_p(a,b) exists. There are two types of adversaries to be considered. An adversary of type I is an outsider or certified user and an adversary of type II is assumed to possess the master key α of the CA.

 Theorem 1: The proposed explicit and implicit certificate based signcryption schemes are provably secure against both types of adversaries under the ECDLP assumption.

 Proof: We will describe the proof for the third type of signcryption scheme relying on the ECQV implicit certificates. The proof is similar for the other variants. Let us assume that an adversary is able to solve the ECDLP and thus can find the value r from the points P and R=rP of E_p(a,b). The following oracle is now defined.

 Reveal: The output of the query corresponds with the value r through the solution of ECDLP by using the points P and R=rP of E_p(a,b).

 The adversary A executes then two algorithms, Algorithm 1 (Alg1) and Algorithm 2 (Alg2), for the proposed signcryption scheme SC. We now define Succ1_SC,A ^ECDLP = Pr(Alg1 = 1)-1, similar as in [23]. Then, the advantage function for Algorithm 1 is defined as

\({A d v 1_{S C, A}}^{E C D L P}\left(t, q_{R}\right)=\max _{A}\left\{{{Succ} 1_{S C, A}}^{E C D L P}\right\}\),

where the maximum is taken over all A with execution time t and qR is the number of queries to the Reveal oracle. The proposed SC is said to provide confidentiality if Adv1_SC,A^ECDLP(t,q_R)< ε, for any sufficiently small ε>0.

 We also define Succ2_SC,A^ECDLP = Pr(Alg2 = 1)-1, similar as in [24]. Then, the advantage function for Algorithm 2 is defined as

\({A d v 2_{S C, A}}^{E C D L P}\left(t, q_{R}\right)=\max_A\ \{{S u c c 2_{S C, A}}^{E C D L P}\}\),

where the maximum is taken over all A with execution time t and q_R is the number of queries to the Reveal oracle. The proposed SC is said to provide the security features authentication, integrity, unforgeability, and forward secrecy if Adv2_SC,A^ECDLP(t,q_R)< ε, for any sufficiently small ε >0. Both algorithms are defined as follows.

Algorithm 1

Capture output of SC: \((h,C_1,C_2)\) Compute \(R = C_2P+hP_S\) Call Reveal oracle. Output \(r=Reveal(E_p(a,b),P,R) \) Use value \(r\), compute \(k=rP_R\) Retrieve message \(m=C_{1} \oplus H(k)\)

 

Algorithm 2

Capture output of SC: (\(h,C_1,C_2\)) Compute \(R = C_2P+hP_S \) Call Reveal oracle. Output \(r=Reveal(E_p(a,b),P,R) \) Use value \(r\), compute \(k=rP_R\) Retrieve message \(m = C_1 ⊕ H(k)\) Change \(m\) to \(m’\) Compute \(C_1’= m ⊕ H(k) \) Compute \( h’ = H(m’|R|ID_S|P_S|cert_S) \)      If Type I adversary: Call Reveal oracle. Output \(d_S=Reveal(E_p(a,b),P,P_S) \)      If Type II adversary: Call Reveal oracle. Output \(d_S=Reveal(E_p(a,b),P,P_S) \) Compute \(C_2’= r - h’d_S \) Send (\(h’,C_1’,C_2’\)) to verifier      Verifier computes \(R’= C_2’P+h’P_S\)      Verifier checks if \(H(m’|R’|ID_S|P_S|cert_S)=h’\)      If the verification is successful then return 1      else return 0

 

 Based on the definitions and notations described above, we now show that the proposed signcryption scheme satisfies confidentiality, authentication, unforgeability and forward secrecy.

 Confidentiality: When following the steps as defined in Algorithm 1, the value r can be computed by the adversary using the point R. As a consequence, the adversary is able to derive the secret key k and to decrypt the ciphertext.

 However, due to the computational difficulty of the ECDLP, it is impossible for the attacker to derive r and thus the Adv1_SC,A^ECDLP(t,q_R)< ε, for any sufficiently small ε >0. Consequently, the attacker will also not be able to find the key and to decrypt the ciphertext. The confidentiality of the protocol is thus guaranteed.

 Authentication: When following the steps as defined in Algorithm 2, the values r and d_S can be derived by the adversary. In this way, the values of m, C₁ and C₂ can be modified by the adversary. Again, due to the computational difficulty of the ECDLP, it is impossible for the attacker to derive r and thus the Adv2_SC,A^ECDLP(t,q_R)< ε, for any sufficiently small ε >0. Consequently, without being able to modify m, C₁ and C₂, authentication is guaranteed and attacks like man-in-the-middle and replay are avoided.

 Unforgeability: In order to forge the message (h,C₁,C₂) from the SC algorithm, the adversary need to be in possession of both the private key of the sender d_S and the random value r. Due to the computational difficulty of the ECDLP, Adv2_SC,A^ECDLP(t,q_R)< ε, for any sufficiently small ε >0, this is not possible and consequently unforgeability is guaranteed.

 Forward secrecy: In order to offer forward secrecy, the adversary should not be able to recover the messages sent in previous SC rounds, even if the adversary obtains afterwards the knowledge of the private key of the sender d_S. This feature is valid in the proposed SC scheme, as the secret key is based on the usage of a random value r, which cannot be derived without being able to solve the ECDKP.

7. Conclusion

 In case there is no secure channel between the user and the CA, only the certificate based approach is able to offer identity authentication. We focus in this paper on certificate based signcryption schemes solely using EC operations and no pairings. We show how the recently proposed traditional certificate based signcryption schemes (also called explicit certificate based) can be improved by using ECQV implicit certificates. In particular, the usage of the ECQV implicit certificates allows an improvement of the complexity of the signature schemes with one EC addition. Moreover, when the validities of the public keys of the receiver and sender are checked offline or through a separate and dedicated server, both the signcryption and unsigncryption processes even further outperform with one EC addition and one EC multiplication. Finally, we show that these schemes can also be applied as GSC schemes and that anonymity is already inherently involved in the proposed schemes or can be easily added without significant cost.

 Consequently, in many application areas where pairing based protocols are used (eg. cloud computing, voting, payment, etc.), the proposed algorithms together with their underlying identity based approaches will often lead to a significantly more efficient system. To conclude, this paper describes certificate based signcryption schemes, which can be used as building blocks in many protocols establishing privacy and authentication for constrained environments.