Provably secure certificateless encryption scheme in the standard model

  • Deng, Lunzhi (School of Mathematical Sciences, Guizhou Normal University) ;
  • Xia, Tian (School of Mathematical Sciences, Guizhou Normal University) ;
  • He, Xiuru (School of Mathematical Sciences, Guizhou Normal University)
  • Received : 2019.08.30
  • Accepted : 2020.03.31
  • Published : 2020.06.30

Abstract

Recently, numerous certificateless encryption (CLE) schemes have been introduced. The security proofs of most schemes are given under the random oracle model (ROM). In the standard model (SM), the adversary is able to calculate the hash function itself instead of asking the challenger. Currently, there is only one scheme that has been proved secure in SM. In this paper, we construct a new CLE scheme and give its security proofs in SM. In the new scheme, the size of the storage space required by the system is constant. The computation cost is lower than that of other CLE schemes because it needs only two pairing operations.

1. Introduction

With the continuous advancement of communication technology, a large amount of information is transmitted over the network, which improves work efficiency and brings convenience to people's lives. At the same time, this also makes it easy for criminals to steal other people's information through the Internet. People enjoy the convenience brought by information technology but also bear the risk of disclosure of personal private information. Public key encryption technology has become an important means of achieving information security. To meet different needs, researchers have done much work in recent years to build public key encryption schemes for specific settings.

In a public key infrastructure (PKI), the user freely picks his/her own private key, then generates a public key and sends it to the certification authority (CA). The CA generates a certificate that binds the user to his/her public key. Considerable cost goes into the safekeeping, storage and transmission of certificates. To resolve this problem, Shamir [1] came up with identity-based cryptography: the user's unique personal information (email address, identity number, etc.) serves as his/her public key. A private key generator (PKG) derives the private key from the public key and forwards it to the user. The information security of all users is threatened if the PKG is compromised by an adversary. In 2003, Al-Riyami and Paterson [2] came up with certificateless cryptography. On the one hand, the user picks a secret value and derives a partial public key from it. On the other hand, the user obtains a partial private key, generated by a key generation center (KGC) from the identity information, through an authenticated channel.

1.1. Related work

Al-Riyami and Paterson [2] came up with the first CLE scheme. However, Libert and Quisquater [3] demonstrated that the scheme [2] is insecure, and put forward a means to construct CLE schemes with provable security. In 2010, Sun and Li [4] proposed a new CLE scheme with short ciphertexts, and proved it secure against chosen-ciphertext attacks (CCAs). In 2005, Baek et al. [5] presented a CLE scheme that does not require a pairing operation. Sun et al. [6] showed that the scheme [5] achieves its security goals only in a weaker model, where the Type I adversary is not allowed to change the user's public key. In 2013, Yan et al. [7] put forward a pairing-free CLE scheme and provided its security proofs in ROM. In the same year, Guo et al. [8] brought forward a CLE scheme that does not require a pairing operation. However, Deng et al. [9] pointed out security flaws in scheme [8] and proposed a modified scheme. In 2018, Zhou et al. [10] came up with a CLE scheme that does not require a pairing operation, and showed that it is secure against CCAs. In 2015, SK Hafizul et al. [11] put forward a certificateless multi-receiver encryption (CLMRE) scheme, and provided security proofs in ROM. In 2017, He et al. [12] proposed a pairing-free CLMRE scheme, which is efficient because no Hash-to-Point (HTP) operation is required. In the same year, Gao et al. [13] brought forward a new CLMRE scheme, and proved that the receiver's identity information is not leaked.

In 2007, Huang and Wong [14] came up with a generic construction of CLE, which is provably secure in SM against KGC attacks. In 2008, Dent et al. [15] presented a new CLE scheme, and asserted that it achieves confidentiality of the message in SM. However, Hwang et al. [16] showed that ciphertext indistinguishability against KGC attacks does not hold for the scheme [15], and then constructed a new CLE scheme. In 2009, Zhang and Wang [17] pointed out that ciphertext indistinguishability against key replacement attacks does not hold for the scheme [16], and then constructed a new CLE scheme. However, Shen et al. [18] showed that ciphertext indistinguishability against the Type II adversary does not hold for the scheme [17]. In 2014, Cheng et al. [19] showed that ciphertext indistinguishability against KGC attacks does not hold for the scheme [16], and then proposed an improved scheme with provable security in SM. Reza et al. [20] put forward a generic method to design CLE schemes with provable security in SM against CCAs, starting from an identity-based encryption scheme secure against chosen-plaintext attacks (CPAs).

1.2. Motivations and contributions

To increase security levels and reduce computing costs, researchers have proposed many CLE schemes. However, two problems remain in these schemes.

• Security proofs for most known CLE schemes are given in ROM

It is well known that a cryptographic scheme whose security proof is given in the ROM may be unsafe in a real deployment. Therefore, CLE schemes with provable security in the ROM may be insecure in actual scenarios.

• High computation and storage costs

In the last ten years, scholars have proposed several concrete CLE schemes [15, 16, 17, 19] and tried to prove that they are secure in SM. However, only one scheme [19] has been proven secure in SM. In the schemes [15, 16, 19], the size of the storage space required by the system grows linearly with the size of the user's identity information, and the number of addition operations on the elliptic curve group also grows linearly with the size of the user's identity information. Both increase the storage burden and computation cost for the users and the key generation center.

It is attractive to design an efficient CLE scheme and provide its security proofs in SM. We summarize our contributions as follows.

• We introduce the system model and security requirements of a CLE scheme in SM.

• We bring forward a new CLE scheme and offer the security proofs in SM. In order to get the hash function value, the adversary does not need to query the challenger, but directly calculates the hash function.

• We give a comparison of the efficiency of three CLE schemes. In the new scheme, the size of the storage space required by the system is constant, and so is the number of each of the three kinds of operations (addition, scalar multiplication, and pairing), so the computational cost is lower than that of the other CLE schemes.

1.3. Organization

We introduce mathematical tools, system model and security requirements in Section 2, Section 3, and Section 4, respectively. We give a new CLE scheme and the security proofs in Section 5 and Section 6, respectively. We demonstrate an efficiency analysis of three CLE schemes in Section 7. We present some conclusions in Section 8.

2. Preliminaries

In this section, we introduce two mathematical tools: bilinear pairing and decisional bilinear Diffie-Hellman problem. Table 1 lists the notations used in the paper.

Table 1. Notations


Bilinear pairing 

Let \(\hat{e}: G_{1} \times G_{1} \rightarrow G_{2}\) be a mapping with the following attributes, where \(G_{1}=\langle P\rangle\) and \(G_{2}\) are additive and multiplicative groups of prime order q, respectively.

• Bilinearity: \(\hat{e}\left(a P_{1}, b P_{2}\right)=\hat{e}\left(P_{1}, P_{2}\right)^{a b}\) for all \(P_{1}, P_{2} \in G_{1}\)and \(a, b \in Z_{q}^{*}\)

• Non-degeneracy: There exist \(P_{1}, P_{2} \in G_{1}\) such that \(\hat{e}\left(P_{1}, P_{2}\right) \neq 1_{G_{2}}\)

• Computability: It is not difficult to compute \(\hat{e}\left(P_{1}, P_{2}\right)\) for all \(P_{1}, P_{2} \in G_{1}\)

Definition 1. Decisional bilinear Diffie-Hellman (DBDH) problem. Let \(\hat{e}: G_{1} \times G_{1} \rightarrow G_{2}\) be a bilinear pairing. For \(P \in G_{1}\) and \(X \in G_{2}\), given a tuple \((P, aP, bP, cP, X)\), decide whether \(X=\hat{e}(P, P)^{abc}\).

3. System Model

A CLE scheme involves three distinct entities: key generation center (KGC), encryptor and decryptor, as shown in Fig. 1.

• KGC: It generates and publishes the system parameters. In addition, it yields a partial private key for the user.

• Encryptor: He encrypts a message into a ciphertext using the receiver's public key, then forwards it to the receiver.

• Decryptor: He recovers the message by decrypting the ciphertext with his own private key.


Fig. 1. Certificateless encryption

A CLE scheme is constituted with the following six algorithms:

• Setup: On input a security parameter v, KGC yields the msk (master secret key) and the params (system parameters).

• PPK-Extract: On input an identity \(ID_{i} \in\{0,1\}^{*}\), KGC yields a partial private key \(D_{i}\) and dispatches it to the user through a reliable channel.

• SV-Set: The user \(ID_{i}\) picks a secret value \(t_{i}\).

• UPK-Generate: The user \(ID_{i}\) outputs his public key \(PK_{i}\).

• Encrypt: On input a tuple \((m,ID_{i},PK_{i})\), the encryptor outputs a ciphertext \(\sigma\).

• Decrypt: On input a tuple \((\sigma,ID_{i},PK_{i})\), the decryptor outputs a message m or the symbol “0”.

4. Security Requirements

We describe the security requirements in this section.

Definition 2. If the adversary's advantage is negligible in the following two games, then the CLE scheme is indistinguishable (IND-CLE).

Game I. A challenger \(\mathfrak{C}\) and a Type I adversary \(A_{1}\) play this game together.

Initialization. ℭ gets msk and params by running the Setup algorithm, keeps msk secret and forwards params to \(A_{1}\).

Phase 1. \(A_{1}\) performs multiple types of queries.

• UPK-Query: ℭ outputs a user public key \(PK_{i}\) when \(A_{1}\) inputs an identity \(ID_{i}\).

• UPK-Replacement: ℭ replaces \(PK_{i}\) with \(PK_{i}^{\prime}\) when \(A_{1}\) inputs a tuple \((ID_{i},PK_{i}^{\prime})\).

• PPK-Query: ℭ outputs a partial private key \(D_{i}\) when \(A_{1}\) submits an identity \(ID_{i}\). ℭ refuses to answer if the value \(R_{i}\) has been replaced.

• SV-Query: ℭ outputs a secret value \(t_{i}\) when \(A_{1}\) inputs an identity \(ID_{i}\). ℭ refuses to answer if the value \(T_{i}\) has been replaced.

• ENC-Query: ℭ outputs a ciphertext \(\sigma\) when \(A_{1}\) submits a tuple \((m,ID_{i},PK_{i})\).

• DEC-Query: ℭ returns a message m or the symbol “0” when \(A_{1}\) submits a tuple \((\sigma,ID_{i},PK_{i})\).

Challenge. \(A_{1}\) submits a tuple \(\left(m_{0}, m_{1}, ID^{*}, PK^{*}\right)\) that fulfills the following conditions; ℭ randomly selects a bit \(\mu \in\{0,1\}\) and provides \(A_{1}\) with \(\sigma^{*}=Encrypt\left(m_{\mu}, ID^{*}, PK^{*}\right)\).

1. \(m_{0}\) and \(m_{1}\) are two messages of equal length.

2. \(A_{1}\) did not make the PPK-Query for \(ID^{*}\).

Phase 2. \(A_{1}\) executes various queries again, which fulfill the following requirements.

1. \(A_{1}\) did not make the PPK-Query for \(ID^{*}\).

2. \(A_{1}\) did not make the DEC-Query for \(\sigma^{*}\).

Response. \(A_{1}\) returns a bit \(\mu^{\prime}\) and wins if \(\mu^{\prime}=\mu\).

The advantage of A1 is defined as: \(Adv_{A_{1}}^{IND-CLE}=\left|\operatorname{Pr}\left[\mu^{\prime}=\mu\right]-\frac{1}{2}\right|\)

Game II. A challenger ℭ and a Type II adversary \(A_{2}\) play this game together.

Initialization. ℭ gets msk and params by running the Setup algorithm, then forwards both to \(A_{2}\).

Phase 1. \(A_{2}\) makes a series of queries as in Game I.

Challenge. \(A_{2}\) submits a tuple \(\left(m_{0}, m_{1}, ID^{*}, PK^{*}\right)\) that satisfies the following requirements; ℭ randomly selects a bit \(\mu \in\{0,1\}\) and provides \(A_{2}\) with \(\sigma^{*}=Encrypt\left(m_{\mu}, ID^{*}, PK^{*}\right)\).

1. \(m_{0}\) and \(m_{1}\) are two messages of equal length.

2. \(A_{2}\) did not perform the SV-Query for \(ID^{*}\).

3. \(A_{2}\) did not perform the UPK-Replacement for \(T^{*}\).

Phase 2. \(A_{2}\) executes various queries again, which satisfy the following requirements.

1. \(A_{2}\) did not make the SV-Query for \(ID^{*}\).

2. \(A_{2}\) did not perform the UPK-Replacement for \(T^{*}\).

3. \(A_{2}\) did not make the DEC-Query for \(\sigma^{*}\).

Response. \(A_{2}\) returns a bit \(\mu^{\prime}\) and wins if \(\mu^{\prime}=\mu\).

The advantage of A2 is defined as: \(A d v_{A_{2}}^{I N D-C L E}=\left|\operatorname{Pr}\left[\mu^{\prime}=\mu\right]-\frac{1}{2}\right|\)

5. New scheme 

We construct a new CLE scheme in this section. In the three schemes [15, 16, 19], the private key is generated from each bit of the user's identity information. In our scheme, the identity information of the user is treated as a whole, and the private key is generated from the identity information as such, rather than from each of its bits. Our scheme consists of the following algorithms.

• Setup: On input a security parameter v, KGC does as follows.

1. Chooses two groups \(G_{1}\) and \(G_{2}\) of prime order \(q>2^{v}\), a generator P of \(G_{1}\) and a bilinear pairing \(\hat{e}: G_{1} \times G_{1} \rightarrow G_{2}\).

2. Selects three hash functions \(H_{1}, H_{2}: \{0,1\}^{*} \rightarrow Z_{q}^{*}\) and \(H_{3}: \{0,1\}^{*} \rightarrow \{0,1\}^{l_{1}+l_{2}}\).

3. Sets the message space \(M=\{0,1\}^{l_{1}}\).

4. Chooses a number \(x \in Z_{q}^{*}\), computes \(P_{pub}=xP\) and sets \(msk=\{x\}\).

5. Publishes \(params=\{G_{1}, G_{2}, q, \hat{e}, P, P_{pub}, H_{1}, H_{2}, H_{3}\}\).

References

  1. Shamir, A., "Identity-based cryptosystems and signature schemes," Advances in Cryptology-Crypto, LNCS, vol.196, pp.47-53, 1984.
  2. Al-Riyami, S.S., and Paterson, K.G., "Certificateless public key cryptography," Advances in Cryptology-Asiacrypt, LNCS, vol.2894, pp.452-473, 2003.
  3. Libert, B., and Quisquater, J., "On constructing certificateless cryptosystems from identity based encryption," in Proc. of International Workshop on Public Key Cryptography, LNCS, vol.3958, pp.474-490, 2006.
  4. Sun, Y., and Li, H., "Short-ciphertext and BDH-based CCA2 secure certificateless encryption," Science China: Information Science, vol.53, pp.2005-2015, 2010. https://doi.org/10.1007/s11432-010-4076-8
  5. Baek, J., Safavi-Naini, R., and Susilo, W., "Certificateless public key encryption without pairing," in Proc. of International Conference on Information Security, LNCS, vol.3650, pp.134-148, 2005.
  6. Sun, Y., Zhang, F., and Baek, J., "Strongly secure certificateless public key encryption without pairing," in Proc. of International Conference on Cryptology and Network Security, LNCS, vol.4856, pp.194-208, 2007.
  7. Yan, X., Gong, P., Bai, Z., Wang, J., and Li, P., "New certificateless public key encryption scheme without pairing," IET Information Security, vol.7, iss.4, pp.271-276, 2013. https://doi.org/10.1049/iet-ifs.2012.0257
  8. Guo, R., Wen, Q., Shi, H., Jin, Z., and Zhang, H, "An efficient and provably secure certificateless public key encryption scheme for telecare medicine information systems," Journal of Medical Systems, vol.37, no.5, pp.9965, 2013. https://doi.org/10.1007/s10916-013-9965-0
  9. Deng, L., Zeng, J., Wang, X, "An improved certificateless encryption scheme for telecare medicine information systems," Journal of Internet Technology, vol.18, no.2, pp.223-227, 2017.
  10. Zhou, Y., and Yang, B., "Leakage-resilient CCA2-secure certificateless public-key encryption scheme without bilinear pairing," Information Processing Letters, vol.130, pp.16-24, 2018. https://doi.org/10.1016/j.ipl.2017.09.012
  11. Islam, S.H., Khan, M.K., and Al-Khouri, A.M., "Anonymous and provably secure certificateless multireceiver encryption without bilinear pairing," Security and Communication Networks, vol.8, pp.2214-2231, 2015. https://doi.org/10.1002/sec.1165
  12. He, D., Wang, H., Wang, L., Shen, J., and Yang, X., "Efficient certificateless anonymous multi-receiver encryption scheme for mobile devices," Soft Computing, vol.21, no.22, pp.6801-6810, 2017. https://doi.org/10.1007/s00500-016-2231-x
  13. Gao, R., Zeng, J., and Deng, L., "Efficient certificateless anonymous multi-receiver encryption scheme without bilinear pairings," Mathematical Problems in Engineering, Article ID 1486437, 13 pages, 2018.
  14. Huang, Q., and Wong, D.S., "Generic certificateless encryption in the standard model," in Proc. of International Workshop on Security, LNCS, vol.4752, pp.278-291, 2007.
  15. Dent, A.W., Libert, B., and Paterson, K.G., "Certificateless encryption schemes strongly secure in the standard model," in Proc. of International Workshop on Public Key Cryptography, LNCS, vol.4939, pp.344-359, 2008.
  16. Hwang, Y.H., Liu, J.K., and Chow, S.S, "Certificateless public key encryption secure against malicious KGC attacks in the standard model," Journal of Universal Computer Science, vol.14, no.3, pp.463-480, 2008.
  17. Zhang, G., and Wang, X, "Certificateless encryption scheme secure in standard model," Tsinghua Science & Technology, vol.14, no.4, pp.452-459, 2009. https://doi.org/10.1016/S1007-0214(09)70101-4
  18. Shen, L., Zhang, F., Sun, Y., and Li, S., "Cryptanalysis of a certificateless encryption scheme in the standard model," in Proc. of International Conference on Intelligent Networking and Collaborative Systems, pp.329-333, 2012.
  19. Cheng, L., Wen, Q., Jin, Z., and Zhang, H., "Cryptanalysis and improvement of a certificateless encryption scheme in the standard model," Frontiers of Computer Science, vol.8, no.1, pp.163-173, 2014. https://doi.org/10.1007/s11704-013-3090-6
  20. Sepahi, R., Steinfeld, R., and Pieprzyk, J., "Lattice-based certificateless public-key encryption in the standard model," International Journal of Information Security, vol.13, pp.315-333, 2014. https://doi.org/10.1007/s10207-013-0215-8
  21. He, D., Zeadally, S., Kumar, N., and Wu, W., "Efficient and anonymous mobile user authentication protocol using self-certified public key cryptography for multi-server architectures," IEEE transactions on information forensics and security, vol.11, no.9, pp.2052-2064, 2016. https://doi.org/10.1109/TIFS.2016.2573746