A PROVABLY SECURE MULTI-RECEIVER IDENTITY-BASED
SIGNCRYPTION USING BILINEAR MAPS
Shivaramakrishnan Narayan and Parampalli Udaya
Department of Computer Science and Software Engineering
University of Melbourne, Victoria - 3010, Australia
Keywords:
Identity based Cryptography, Bilinear Maps, Signcryption, Multi-Receiver, Existential Unforgeability, Adap-
tive Chosen Ciphertext Attack.
Abstract:
In this paper, we present a new, efficient multi-receiver identity (Id) based signcryption scheme. Our signcryp-
tion construction involves no pairing operations for sign-encrypt unlike other schemes which require at least
one pairing. The scheme provides confidentiality, authenticity, non-repudiation and facilitates public verifia-
bility. We provide the security result of our scheme in the random oracle model for message confidentiality
and signature unforgeability properties under the multi-receiver security notion.
1 INTRODUCTION
Practical applications demand confidentiality, authen-
ticity and non-repudiation simultaneously at low cost,
signcryption is a public key primitive which perfectly
meet such requirements. The idea of signcryption
was first proposed by Zheng in 1997. Signcryption
has always been defined for a single sender/receiver
scenarios. Evolving applications using multi-casting
present the need of cryptographic primitive such as
signcryption to achieve confidentiality and authenti-
cation at a low cost/time. For example, in an orga-
nizational set up we might need to send a common
message to multiple employees. This leads to a multi
receiver scenario where the sender and the multiple
receivers require both confidentiality and authentica-
tion. This can be addressed using a multi-receiver
signcryption. But as in case of a conventional sign-
cryption, it should be computationally infeasible for
any unauthorized user to recover the encrypted mes-
sage and also computationally infeasible to forge the
signature.
The idea of a multi-receiver based setting was
first proposed by Bellare et al. (Bellare et al., 2000)
for public key encryption. Later in 2002, Kurosawa
(Kurosawa, 2002) presented a multi-receiver public
key encryption scheme using randomness re-use ap-
proach.
In this paper we are concerned with multi-receiver
signcryption in Identity (Id) based cryptography using
bilinear maps. The main difference between tradi-
tional cryptography and Id-based cryptography is in
the way a public key is defined. In Id-based cryp-
tography, a public key is a function of user’s identity
unlike in traditional cryptography where user’s public
key is a random string. Shamir proposed the concept
of Id-based signature scheme in (Shamir, 1984). It
was only after Joux presented the tripartite key agree-
ment protocol (Joux, 2000), Boneh-Franklin (Boneh
and Franklin, 2001) and Sakai et al. (Sakai et al.,
2001) in 2001, independently proposed a practical Id-
based encryption scheme using bilinear pairing on el-
liptic curves.
1.1 Our Contributions
In this paper, we present a new, efficient and provably
secure multi-receiver Id-based signcryption scheme
which provides confidentiality and authenticity. The
public parameters of our scheme uses pre-computed
pairing values and hence, the signcrypt function does
not require any pairing computations thereby improv-
ing the efficiency.
We present a semantically secure scheme with
public verifiability and present the security results for
message confidentiality and signature unforgeability
305
Narayan S. and Udaya P. (2007).
A PROVABLY SECURE MULTI-RECEIVER IDENTITY-BASED SIGNCRYPTION USING BILINEAR MAPS.
In Proceedings of the Second International Conference on Security and Cryptography, pages 305-308
DOI: 10.5220/0002130103050308
Copyright
c
SciTePress
properties. Public verifiability is defined as follows:
given a signature, and possibly some additional in-
formation provided by the recipient, any third party
would effectively be able to verify the authenticity of
the signature. We present a slightly modified security
model addressing the presence of multiple receivers,
where we assume one sender and multiple receivers.
The security notion followed in this paper for message
confidentiality and signature unforgeability is given in
Section 3. The security results are based on the in-
tractability of collision attack assumption (CAA) and
bilinear collision attack assumption (BCAA). These
problems are equivalent to well known hard problems
in cryptography: the CAA is equivalent to inverse
computational Diffie-Hellman (Mitsunari et al., 2002)
and the BCAA is equivalent to inverse bilinear Diffie-
hellman assumptions (Chen and Cheng, 2005).
The paper is organized as follows: Section 2 gives
the mathematical preliminaries required for Id-based
cryptography, followed by the security model of the
scheme in Section 3. We describe our scheme in
Section 4. In Section 5, we discuss the security of
our signcryption scheme. Section 6 describes the ef-
ficiency of our scheme in comparison to other sign-
cryption schemes. Finally, we present our conclusion
in Section 7.
2 BACKGROUND
Our scheme is defined using bilinear maps on ellip-
tic curves. Consider two groups G
1
and G
2
, additive
and multiplicative in nature respectively of the same
prime order q. Let Z
∗
q
denote the set of all non-zero
integers modulo prime q. A bilinear map is a map
ˆe : G
1
×G
1
→ G
2
, satisfying the following properties.
Bilinearity: ∀P,Q ∈ G
1
, ∀a, b ∈ Z
∗
q
, we have
ˆe(aP,bQ) = ˆe(P,Q)
ab
.
Non-degeneracy: Given a point P ∈ G
1
,
ˆe(P,Q) = 1, ∀Q ∈ G
1
, iff P =
O .
Computable: There exists an efficient algorithm
to compute ˆe(P,Q).
We discuss the important Diffie-Hellman assump-
tions used in our scheme. A detailed explanation
of other related Diffie-Hellman assumptions and its
equivalence is presented in the extended paper
1
.
Definition 2.0.1 Given a group G
1
of prime or-
der q, a generator P ∈ G
1
, an integer k, x ∈
R
Z
∗
q
and
P,h
1
,.....,h
k
∈ Z
∗
q
,
1
h
1
+x
P,.......,
1
h
k
+x
P
, the
collision attack assumption is to compute
1
h+x
1
The extended paper will appear in eprint and is also
available at http://www.csse.unimelb.edu.au/∼udaya
for some h 6∈ {h
1
,.....h
k
}. An algorithm
A
k−CAA
solves k-CAA problem with the probability ε if
Pr[
A
k−CAA
(P,xP,
1
h
1
+x
P,.......,
1
h
k
+x
P) =
1
h+x
P] ≥ ε,
where the probability is over the random choice of
generator P ∈ G
1
, x ∈ Z
∗
q
, h
1
,.....,h
k
∈ Z
∗
q
and h 6∈
{h
1
,.....h
k
}.
Definition 2.0.2 Given a group G
1
of prime or-
der q, a generator P ∈ G
1
, an integer k, x ∈
R
Z
∗
q
and
P,h
1
,.....,h
k
∈ Z
∗
q
,
1
h
1
+x
P,.......,
1
h
k
+x
P
, the
bilinear collision attack assumption is to compute
ˆe(P,P)
1
h+x
for some h 6∈ {h
1
,.....h
k
}. An algorithm
A
k−BCAA
solves k-BCAA problem with the prob-
ability ε if Pr[
A
k−CAA
(P,xP,
1
h
1
+x
P,.......,
1
h
k
+x
P) =
ˆe(P,P)
1
h+x
] ≥ ε, where the probability is over the ran-
dom choice of generator P ∈ G
1
, x ∈ Z
∗
q
, h
1
,.....,h
k
∈
Z
∗
q
and h 6∈ {h
1
,.....h
k
}.
3 SECURITY NOTIONS
In this section, we provide the security definitions of
the signcryption scheme for message confidentiality
and signature non-repudiation properties in the multi-
receiver model.
Definition 3.0.3 We say that a multi-receiver Id-
based signcryption scheme (MIDSC) has the indis-
tinguishability against adaptive chosen ciphertext at-
tack property (IND-MIDSC-CCA2), if no polynomi-
ally bounded adversary
A has a non-negligible ad-
vantage in the following attack game.
Start-up: The challenger runs the Setup algo-
rithm of the scheme and sends the global system pa-
rameter to the adversary
A .
Phase 1:
A performs polynomially bounded num-
ber of queries to the following oracles:
Extract: The adversary submits an identity
ID
i
to the challenger. The challenger responds with
the secret key S
ID
i
for that identity.
Signcrypt: The adversary submits a sender
identity, the receiver’s identity (ID
1
,.....ID
N
) and a
message M to the challenger. The challenger responds
with the signcryption of the message processed with
private key of the sender and public key of the re-
ceivers.
Decrypt/Verify: The adversary submits a ci-
phertext and identities of the receivers to the chal-
lenger. The challenger decrypts the ciphertext under
the secret key of the receivers. It then verifies the
message and signature pair under the public key of
the decrypted identity. If the verifcation succeeds, the
challenger returns the message, the signature and the
identity of the signer, otherwise ⊥.
SECRYPT 2007 - International Conference on Security and Cryptography
306
At the end of Phase 1, the adversary outputs
sender’s identity ID
A
, the identities of the receivers
(ID
∗
1
,....ID
∗
N
) as the challenge identities, and two
messages M
0
,M
1
. The challenge identities that the
adversary submits must satisfy the criteria: ID
∗
i
6∈
{ID
1
,......ID
q
0
} for 1 ≤ i ≤ N, where N denotes
the number of receivers. No extraction query on
(ID
∗
1
,....ID
∗
N
) is allowed to be made by the adversary.
Challenge: The challenger chooses a random bit
b and computes the signature and encryption of the
message and sends the ciphertext to the adversary.
Phase 2: The adversary continues to probe the
challenger with the same type of queries that it made
in Phase 1. It is not allowed to, extract the private
key corresponding to any identity in (ID
∗
1
,....ID
∗
N
)
and to make a decrypt/verify query for the cipher-
text under sender ID
A
and any receiver’s identity in
(ID
∗
1
,....ID
∗
N
).
Response: The adversary outputs a bit b
′
and wins
the game if b
′
= b. The adversary’s advantage is de-
fined to be Adv(
A ) = |Pr[b
′
= b]−1/2|
2
.
Definition 3.0.4 We say that a multi-receiver Id-
based signcryption scheme (MIDSC) has existen-
tial unforgeability property against chosen-message
attack or (EUF-MIDSC-CMA), if no polynomially
bounded adversary
A has a non-negligible advantage
in the following attack game.
The Start-up and Phase 1 follows from the CCA2
game detailed above. After Phase 1, the adversary
outputs a sender identity ID
A
and recipients identity
(ID
∗
1
,.....ID
∗
N
) as challenge identities. After issuing
the challenge identities, the adversary can make addi-
tional queries as given in Phase 1. But the adversary
cannot make an extraction query on ID
A
.
Forge: The adversary returns the recipients iden-
tities (ID
∗
1
,.....ID
∗
N
) and a ciphertext. Let (M,ID
A
)
be the resulting message under the secret key corre-
sponding to ID
∗
i
, where (1 ≤ i ≤ N).
Response: The adversary wins if ID
A
6= ID
∗
i
, for
all 1 ≤ i ≤ N. The ciphertext should not result from a
signcrypt query Signcrypt(M, ID
A
, (ID
∗
1
,.....ID
∗
N
)).
The adversary’s advantage is defined to be Adv(
A ) =
Pr[
A wins].
4 OUR SCHEME
Let k
1
,k
2
,k
3
,n denote the number of bits required to
represent an identity, an element in G
2
, an element in
G
1
and the message respectively. We define the hash
functions (H
0
, H
1
, H
2
) such that, H
0
: {0,1}
k
1
→
2
Pr[] denotes probability of an event occurring.
Z
∗
q
, H
1
: {0,1}
k
2
+n
→ Z
∗
q
, H
2
: G
2
→ {0,1}
k
1
+k
3
+n
.
Let N denote the number of receivers.
Setup: params = [P,P
pub
= sP,P
′
pub
= s
2
P,g =
ˆe(P,P),g
1
= ˆe(P,P
pub
),H
0
: {0,1}
k
1
→ Z
∗
q
,H
1
:
{0,1}
k
2
+n
→ Z
∗
q
,H
2
: G
2
→ {0,1}
k
1
+k
3
+n
], where P ∈
E[q] and s ∈ Z
∗
q
is the master secret of the private key
generator .
Extract: Given a public Id of a user with
“identity” ∈ {0,1}
k
1
, the private key generator does
the following:
(1) ID = H
0
(“identity”).
(2) Secret key S
ID
= (s+ ID)
−1
P.
(3) Return (S
ID
).
Signcrypt (M,ID
sender
,(ID
1
,....ID
N
))−
(1) Choose r ∈
R
Z
∗
q
and Compute, Y = g
r
1
.
(2) Compute, V = g
r
, M
′
= H
1
(M||V), w = H
2
(Y).
(3) Z = (r + M
′
)S
sender
.
(4) C = (M||Z||ID
sender
) ⊕ w.
For i = 1 to N do, choose t
i
∈
R
Z
∗
q
and compute,
U
i
= ((r+ t
i
)P
′
pub
+ (r +t
i
)ID
i
P
pub
,t
i
P).
The ciphertext is (C,U
1
.....U
N
,V).
Decrypt/Verify: Obtain the secret key S
ID
i
from
the private key generator and compute:
(1) (M||Z||ID
sender
) = C⊕ H
2
(
ˆe(U
i
[1],S
ID
i
)
ˆe(U
i
[2],P
pub
)
).
(2) M
′
= H
1
(M||V).
Accept the message if,
ˆe(P
pub
+ ID
sender
P,Z) = g
M
′
V.
5 SECURITY RESULTS
In this section, we briefly state the security results for
the attack models explained in Section 3. The detailed
proof will appear in the extended paper in eprint or
can be obtained from the second author’s webpage
3
.
All our results are based on the intractability of k-
BCAA problem and k-CAA problem. Whilst proving
our scheme, we assume that the adversary
A makes q
i
queries to the hash oracle H
i
for i = 0,1, 2. The num-
ber of signcrypt and decrypt/verify queries made by
the adversary is denoted as q
s
and q
d
respectively.
Theorem 5.0.1 If there exists an EUF-MIDSC-CMA
adversary
A that succeeds against chosen message
attack game with a probability ε, then there is a chal-
lenger
B running in polynomial time that solves the
q
0
-CAA problem with probability ε
′
of at least
ε.
1−
q
s
(q
1
+q
s
)
q
.
1
q
0
+1
2
.
1
4(q
1
)
2
.
3
http://www.csse.unimelb.edu.au/∼udaya
A PROVABLY SECURE MULTI-RECEIVER IDENTITY-BASED SIGNCRYPTION USING BILINEAR MAPS
307
Theorem 5.0.2 If there exists an IND-MIDSC-CCA2
adversary
A that succeeds against the indistinguisha-
bility of chosen ciphertexts attack game with a proba-
bility ε, then there is a challenger B running in poly-
nomial time that solves the q
0
-BCAA problem in G
2
with probability ε
′
of at least
ε
(q
0
+N)q
2
(1−
q
d
q
).
6 EFFICIENCY OF OUR SCHEME
In Table 1, we compare the efficiency of our scheme
with known multi-receiver based signcryption con-
structions.
Table 1: Comparison of Signcryption Schemes.
Mult = Multiplication Exp = Exponentiations
Schemes G
1
Mult. Pairing G
2
Exp.
(Duan and Cao, 2006) 4+N
receivers
5 0
(Boyen, 2003) 5 4+N
receivers
1
Ours 2+N
receivers
3 3
The scheme presented by Boyen (Boyen, 2003)
is based on performing signature once for all the re-
ceivers and encrypting for each user. This increases
the computational cost because a sender has to per-
form N
receivers
pairing operations, where N
receivers
de-
notes total number of receivers. Further, the cipher-
text size also increases since it includes the encryption
for each receiver which is 2N
receivers
|G
1
|+|ID|+|M|,
where M denotes the message and ID denotes the
user identity. The most recent multi-receiver based
signcryption presented by S. Duan and Z. Cao (Duan
and Cao, 2006) in 2005 uses one pairing operation
for signcryption and the message is signcrypted only
once for all receivers but the randomness is calculated
for each receiver in blinded form. Overall, the scheme
uses five pairing operations (four for Decrypt/Verify
operation). The ciphertext size of their scheme is
(N
receivers
+2)|G
1
|+|M|+|ID|. In any multi-receiver
based schemes, the size of the ciphertext necessarily
is linear in number of receivers.
The computational efficiency of our scheme (in
single receiver scenario) can be compared to (Barreto
et al., 2005). The main computational cost involved in
Id-based cryptography using bilinear maps is the cost
of performing a pairing operation. In our scheme, the
signcryption does not involve any pairing operation,
thus the computations from a signer’s perspective is
minimal. The scheme presented in Section 4 can also
be defined over Co-gap groups which offer reduced
public parameters size and increased computational
efficiency.
7 CONCLUSION
In this paper, we presented a public verifiable, seman-
tically secure multi-receiver signcryption scheme us-
ing bilinear pairings. The scheme is efficient in terms
of computational complexity and also is provably se-
cure under chosen message and chosen ciphertext at-
tack. We believe our scheme is more efficient than all
others proposed so far.
REFERENCES
Barreto, P., Libert, B., McCullagh, N., and Quisquater,
J. (2005). Efficient and provably-secure identity-
based signatures and signcryption from bilinear maps.
In ASIACRYPT 2005, volume 3788, pages 515–532.
Lecture notes in computer science, Springer, Berlin,.
Bellare, M., Boldyreva, A., and Micali, S. (2000). Public-
key encryption in a multi-user setting: Security proofs
and improvements. In B. Preneel (Ed.), Advances in
Cryptology EUROCRYPT, 2000, volume 1807, pages
259–274. LNCS, Springer- Verlag, Berlin Germany.
Boneh, D. and Franklin, M. (2001). Identity based encryp-
tion from weil pairing. In J. Kilian, editor, CRYPTO
2001, volume 2139, pages 213–229. LNCS, Springer-
Verlag, Berlin.
Boyen, X. (2003). Multipurpose identity-based signcryp-
tion: A swiss army knife for identity-based cryptog-
raphy. In Proceedings of Crypto-2003, volume 2729,
pages 383–399. LNCS, Springer- Verlag, Berlin.
Chen, L. and Cheng, Z. (2005). Security proof of
sakai-kasahara’s identity-based encryption scheme.
In Cryptography and coding (10th IMA Intl Conf.,
Cirencester, UK, December 19-21, 2005), volume
3796, pages 442–459. Lecture notes in computer sci-
ence, Springer, Berlin, ALLEMAGNE.
Duan, S. and Cao, Z. (2006). Efficient and provably secure
multi-receiver identity-based signcryption. In ACISP
2006, volume 4058, pages 195–206. LNCS, Springer-
Verlag, Berlin.
Joux, A. (2000). A one round protocol for tripartite die-
hellman. In Proc. 4th Alg. Numb. Th. Symp., volume
1838, pages 385–294. Lecture notes in computer sci-
ence, Springer, Berlin.
Kurosawa, K. (2002). Multi-recipient public-key encryp-
tion with shortened ciphertext. Proceedings of the
Fifth International Workshop on practice and theory
in Public Key Cryptography (PKC’02), pages 48–63.
Mitsunari, S., Sakai, R., and Kasahara, M. (2002). A new
traitor tracing. pages 481–484. IEICE Transactions
Fundamentals, E85-A(2).
Sakai, R., Ohgishi, K., and Kasahara, M. (2001). Cryp-
tosystems based on pairing over elliptic curve. The
2001 Symposium on Cryptography and Information
Security.
Shamir, A. (1984). Identity-based cryptosystems and sig-
nature schemes. Lecture Notes in Computer Science,
196:47–53.
SECRYPT 2007 - International Conference on Security and Cryptography
308
