
An Identity-based Broadcast Signcryption Scheme and Its Application to Medical Images Sharing

Dang Thu Hien

Faculty of Information Technology, University of Engineering and Technology, Vietnam National University, Hanoi

Supervised by Associate Professor Trinh Nhat Tien

A thesis submitted in fulfillment of the requirements for the degree of Master of Computer Science

May, 2010

Table of Contents

1 Introduction
1.1 Overview and Motivation
1.2 Related work
1.3 Our contributions
1.4 Thesis organization
2 Preliminaries
2.1 Bilinear pairings
2.2 Computational assumptions
2.3 General model of identity-based broadcast signcryption
2.4 Requirements of IBBS
2.5 Security notions for IBBS
2.5.1 Message confidentiality
2.5.2 Existential unforgeability
2.6 Forking lemma
3 Identity-Based Broadcast Signcryption Scheme
3.1 Description of the scheme
3.1.1 Setup
3.1.2 Extract
3.1.3 Signcryption
3.1.4 Unsigncryption
3.2 Analysis
3.2.1 Consistency
3.2.2 Public ciphertext authenticity
3.2.3 Public verifiability
3.3 Security proofs
3.3.1 Message confidentiality
3.3.2 Existential unforgeability
3.4 Efficiency evaluation and comparison
4 Experimentation and Application
4.1 IBBS Experiments
4.1.1 Experimental setup
4.1.2 Results and comparison
4.2 Signcryption - Watermarking Model for Medical Image Sharing

List of Figures

4.1 Broadcast Signcryption - Watermarking Model

List of Abbreviations

exponentiation
GDHE: General Diffie-Hellman Exponent
IBBS: Identity-Based Broadcast Signcryption
ID: Identity
IND-sIBBS-CCA: Indistinguishability of identity-based broadcast signcryption scheme against selective identity chosen ciphertext attacks
MSK: Master Secret Key
multiplication
pairing evaluation
PK: Public Key
PKG: Private Key Generator
PKI: Public Key Infrastructure
q-SDH: q-Strong Diffie-Hellman
Signcryption
Unsigncryption

Chapter 1

Introduction

1.1 Overview and Motivation

Information is probably one of the most valuable possessions of mankind. The loss, illegitimate disclosure and modification of information, especially sensitive information, could cause bad consequences and seriously affect all related people. On the other hand, the recent growth of digital technologies and computer networks has radically changed the way we work and exchange ideas. By providing low-cost, fast and accurate ways to access data in digital form, communication over networks is now becoming easier and increasingly popular. However, the advantages of digital information and networked environments have also brought new challenges, because they are exposed to attacks such as eavesdropping, forgery and alteration. Therefore, the need for secure and authenticated data transmission is more and more important and critical.

Since the birth of public key cryptography in the 1970s, the requirements of confidentiality and authenticity have been satisfied by using encryption and digital signature schemes respectively. With public/private key pairs, two entities can share information in a secure manner. Public key cryptography has created a great evolution in cryptography, but it cannot work efficiently without the support of certificate-based public key infrastructures (PKI). A certificate binds a public key to its owner, and the PKI manages, distributes and revokes certificates.

In order to get rid of public key certificates, in 1984 Adi Shamir introduced identity-based cryptosystems [Sha84]. In this new paradigm, he suggested the idea of using the user's unique and undeniable information as his/her public key, whereas the corresponding private key can only be derived by a trusted Private Key Generator (PKG). These public keys can come from the user's name, email address or whatever convenient data refers unambiguously and undeniably to only one user. This kind of information is called a digital identity. A user's identity must be acknowledged by everyone, so this removes the need to authenticate or prove the relationship between the identity and the owner, or to waste time looking up a public key before sending out a secret message. Consequently, identity-based cryptography promisingly provides a more convenient alternative to PKI. Several practical identity-based cryptographic schemes have been devised, but until 2001 there was only one satisfactory scheme [BF01]. Some others using pairings were proposed after that [Pat02, CC02, Hes02].

Traditional encryption just provides security for one-to-one communication. Nowadays, there are many applications in which communication activities are one-to-many, where a user is able to send/receive data not only to/from another user but also to/from a group of users simultaneously. Actually, senders (called broadcasters) may need methods to distribute a message securely to a target set of receivers and ensure that all members in the set get the correct message while non-members cannot eavesdrop on, forge or modify it. With conventional public key cryptography techniques, the broadcaster has to encrypt and sign messages and then transmit an individual encrypted message to each receiver. The advantage of this solution is its high security level, because every user gets a different ciphertext and uses his own private key to decrypt. However, this solution is really inefficient: if there are $l$ receivers, the broadcaster has to process the same message $l$ times to create $l$ different ciphertexts. It needs a lot of time, storage and transmission costs.

Thus, traditional public key cryptography is not a suitable approach for this problem. To handle the requirement of privacy in information broadcasting, a cryptography topic called Broadcast Encryption (BE) was introduced by Fiat and Naor in [AM94]. BE schemes allow senders to broadcast an encrypted message over an open channel to a target set of receivers. In a secure BE system, any legitimate receiver can use his private key to decrypt the broadcast, but illegitimate users (who are not in the target set) can obtain nothing about the messages.

Today, because of its significant applications, broadcast encryption has gained considerable attention and is deployed broadly, for example in the distribution of copyrighted materials, access control in encrypted file systems [Refb], satellite TV subscription services, etc. Recent research indicates that broadcast encryption has wide application prospects in securing electronic health records (EHR) [SW06, HTH09].

With the development of e-health, medical information is nowadays digitized and stored for different purposes such as tele-medicine, cutting down health care costs, long-term storage, clinical research and epidemiological studies. Consider a situation in which, in order to discuss and obtain second opinions or professional advice, an EHR is distributed online to physicians, researchers, students or other external users. In the medical field, the security of medical data is very important. Data should be kept intact in every circumstance, because any manipulation or perversion could lead to a wrong diagnosis. On the other hand, EHRs contain sensitive patient information which can influence the patient's health and even their lives, so they should be protected from unauthorized access and modification.

When a broadcast system such as an electronic health system consists of multiple broadcasters, each user can produce ciphertexts and deliver them to others. In that case, it opens an issue of authentication and non-repudiation. Hence, along with information privacy, data origin authenticity is also a vital aspect.

For keeping a message confidential and unforged, an already known approach named signature-then-encryption has been followed. However, it has a main drawback: the cost of distributing a message is essentially the sum of the cost of the digital signature and that of the encryption. In 1997, Zheng [Zhe97] addressed the question of reducing the cost of secure and authenticated message delivery and proposed a new cryptographic paradigm, called signcryption, which "simultaneously fulfils both the functions of digital signature and public key encryption in a logically single step, and with a cost significantly lower than that required by the traditional signature followed by encryption technique". The efficiency of the signcryption technique has been pointed out in several proposed schemes [ZY98, MB04, ML02, LQ03], which cost much less in average computation time and message expansion than signature-then-encryption does.

Since it was proposed, signcryption has been adapted to broadcast encryption to satisfy the requirements of confidentiality and authenticity. However, to date, research on broadcast signcryption is still very limited. Most of the proposed schemes need a particular component in the ciphertext that corresponds to each designated receiver; thus, their ciphertext size is linear in the number of receivers. In several other constructions with constant ciphertext size, the broadcaster has to negotiate a common secret value with all receivers beforehand. From some point of view, these constructions are not more efficient and convenient than one-to-one signcryption.

Realizing that almost all current broadcast signcryption schemes do not meet all of these properties, we aim to construct an efficient scheme which fulfils both security and efficiency. Additionally, the question of how to incorporate broadcast signcryption in securing EHRs inspires us to bring it to a specific application named medical image sharing. Since a medical image is a special type of data in an EHR, we concentrate on designing a model that combines the proposed broadcast signcryption scheme and a watermarking technique to secure medical image sharing.

1.2 Related work

There are many proposals of broadcast encryption systems. In [KD98], Kurosawa and Desmedt presented a scheme in which public and private keys are derived from a secret polynomial of order $k$. The security of this algorithm is determined by the order $k$ of the polynomial. Each user learns a piece of information about the secret polynomial $f(x)$ from his private key. Hence, a set of more than $k$ users can collude to recover the polynomial and break the system.

Another scheme based on the ID-based encryption algorithm of Boneh-Franklin [BF01] was introduced and analyzed in [YWCR07]. In [BSNS05], Joonsang et al. built a scheme based on the binary scheme of Canetti et al. [CHK03]. The best known fully collusion-resistant scheme is that of Dan Boneh, Gentry and Waters [BGW05]. However, all these schemes result in a long ciphertext. In 2007, Cécile Delerablée [Del07] proposed the first ID-based broadcast signcryption scheme with constant-size ciphertext and private key. This construction is based on the intractability of the General Diffie-Hellman Exponent problem and its security is proved in the random oracle model.

In the signcryption domain, the first scheme was proposed by Zheng [Zhe97]. After that, a lot of identity-based constructions have been introduced [ML02, CML05, LQ03, MB04]. Until now, the most secure schemes are [CML05] and [MB04].

Although a lot of identity-based signcryption and broadcast encryption schemes have been devised, there has not been much research on broadcast signcryption. In 2000, Y. Mu et al. [MV00] presented the first distributed signcryption scheme, in which any user can signcrypt a message and deliver it to a designated group of recipients. After that, Li et al. [LHL06] proposed a multi-receiver signcryption scheme based on bilinear pairings. Another scheme based on bilinear pairings is also presented by Ma Chun-bo et al. [bMAhL07]. However, in all these schemes [bMAhL07, LHL06, MV00], the algorithms are based on traditional public keys, not identity-based ones.

In [Boy03], the author built an identity-based signcryption scheme and extended it to the multi-recipient case. The idea in this construction is to carry out the sign operation once while the encrypt operation is performed independently for each recipient. Another ID-based broadcast signcryption scheme was proposed by Bohio et al. in 2004 [BM04]. However, this scheme is inconvenient because it needs a pre-agreement to establish a common secret key before signcrypting. Once this common value is out, the system will break. In addition, the weakness of forgery in this scheme was pointed out by Selvi et al. [SVK+08]. Although the authors gave a fix for this weakness, it still suffers from a major shortcoming: if a user leaves the group, the broadcast parameters must be changed and sent back to every remaining user.

In 2006, Duan and Cao [DC06] proposed a multi-receiver ID-based signcryption scheme by extending the broadcast encryption scheme in [BSNS05]. Recently, Tan [Tan08] pointed out that their scheme is not secure under chosen ciphertext attacks. In 2007, Yu et al. [YYHZ07] introduced a new scheme and claimed that it is secure in the random oracle model. However, it is shown to be insecure against forgery attacks in [XX09].

Recently, F. Li et al. [LXH08] also proposed another ID-based broadcast signcryption scheme based on Chen and Malone-Lee's signcryption algorithm [CML05] and proved its security in the random oracle model. Nonetheless, the size of the ciphertext is linear in the number of receivers and each receiver must share a common secret value with the broadcaster.

Note that all the above proposals do not have the public ciphertext authenticity property. In 2009, another scheme was introduced in [EA09]. This scheme was based on the signcryption scheme in [LQ03] and provided a noticeable property called public ciphertext authenticity, which allows any third party to verify the ciphertext origin. This property is very useful for applications that need firewall or gateway authentication before passing the message. However, the ciphertext size of this scheme has a similar form to the others, meaning that it needs a particular component for each receiver. In [SVSR09], an effective scheme was proposed based on the construction of the broadcast encryption scheme in [Del07]. Although this scheme has constant-size ciphertext, it does not meet the public ciphertext authenticity requirement.

1.3 Our contributions

Within the scope of a Master thesis, this work tries to design an efficient identity-based broadcast signcryption scheme whose ciphertext size does not depend on the number of receivers and whose system public key size is linear in the maximal size of the set of receivers. In this scheme, the total number of possible users does not have to be fixed from the beginning. The algorithm requires pairing computations only in the unsigncryption phase, not in the signcryption phase. Moreover, it achieves the desirable security attributes of broadcast signcryption, which most current constructions do not.

We analyze and prove the security (message confidentiality and existential unforgeability) of the proposed scheme in the random oracle model. Evaluation and comparison with several existing schemes in terms of performance are also made theoretically and experimentally.

At last, we construct a model that combines broadcast signcryption and watermarking for secure medical image sharing. Implementation of this construction shows experimental results and its potential for practical uses.

1.4 Thesis organization

The rest of this thesis is organized as follows:

Chapter 2 presents some preliminary definitions that are involved. The issues in this chapter include bilinear pairings and related computational assumptions, and the general model, requirements and formal security notions of identity-based broadcast signcryption that we adopt. We also recall the forking lemma, which states the general security level of signature schemes.

Chapter 3 describes the proposed identity-based broadcast signcryption scheme. Analysis and security proofs of the proposed scheme are provided here. We also make some summaries and comparisons to evaluate its efficiency.

Chapter 4 presents numerical experiments and discusses their practical implementations. The model construction incorporating the proposed scheme for secure medical images is also introduced in this chapter. Implementation and experimental results of this model are also developed and evaluated.

Chapter 5 concludes our work and gives future research directions based on the results obtained so far.

Chapter 2

Preliminaries

In this chapter, the background of the research in this thesis is introduced. Based on these definitions and assumptions, our scheme is constructed and proved to be secure.

2.1 Bilinear pairings

Let $G_1, G_2$ be two cyclic additive groups of prime order $p$ and $G_T$ be a cyclic multiplicative group of the same order $p$. Denote by $g$ and $h$ the generators of $G_1$ and $G_2$ respectively. A bilinear pairing is a map $e : G_1 \times G_2 \to G_T$ with the following properties:

1. Bilinearity: For any arbitrary elements $a, b$ of $\mathbb{Z}_p$,

$$e(g^a, h^b) = e(g, h)^{ab} = e(g^b, h^a)$$

2. Non-degeneracy: $e(g, h) \neq 1_{G_T}$, where $1_{G_T}$ is the identity element of $G_T$.

3. Computability: There is an efficient algorithm to compute $e(g, h)$ for all $g \in G_1$ and $h \in G_2$.

Actually, $G_1$ and $G_2$ could be equal for simplicity. The map $e$ derived from modifying either the Weil or the Tate pairing [BF01] is permissible for this kind of map.

2.2 Computational assumptions

The complexity assumptions for the security of our scheme rely on the hardness of computational problems that were previously formalized in [BB04a, BB04b, BBG05]. We now recall these problems.

Definition 1. The $q$-Strong Diffie-Hellman problem ($q$-SDH)

Given bilinear map groups $(G_1, G_2, G_T)$ of the same order $p$ and generators $g \in G_1$ and $h \in G_2$, the $q$-Strong Diffie-Hellman problem ($q$-SDH) consists in, given a tuple $(h, h^{\alpha}, h^{\alpha^2}, \ldots, h^{\alpha^q})$, finding a pair $(c, h^{1/(\alpha + c)}) \in \mathbb{Z}_p \times G_2$.

The advantage of an algorithm $\mathcal{A}$ in solving the $q$-SDH problem is:

$$\mathrm{Adv}^{q\text{-SDH}}_{\mathcal{A}} = \Pr\left[\mathcal{A}(h, h^{\alpha}, h^{\alpha^2}, \ldots, h^{\alpha^q}) = (c, h^{1/(\alpha + c)}) \;\middle|\; c \in \mathbb{Z}_p^*,\ c \neq -\alpha\right]$$

We say that the $q$-SDH assumption holds in $(G_1, G_2)$ if for any probabilistic polynomial time algorithm $\mathcal{A}$, the advantage $\mathrm{Adv}^{q\text{-SDH}}_{\mathcal{A}}$ in solving the $q$-SDH problem is negligibly small.

Definition 2. The General Diffie-Hellman Exponent problem (GDHE)

Let $p$ be a prime integer and let $s, n$ be two positive integers. Let $G$ and $G_T$ be two cyclic groups of order $p$ with an efficient, non-degenerate bilinear mapping $e : G \times G \to G_T$. Let $g$ be a generator of $G$ and set $g_T = e(g, g) \in G_T$. Let $P, Q \in \mathbb{F}_p[X_1, X_2, \ldots, X_n]^s$ be two $s$-tuples of $n$-variate polynomials over the field $\mathbb{F}_p$, meaning $P = (p_1, p_2, \ldots, p_s)$ and $Q = (q_1, q_2, \ldots, q_s)$ where $p_i, q_j$ are multivariate polynomials ($1 \le i, j \le s$). We impose that the first $p_1 = q_1 = 1$.

Let $P(x_1, x_2, \ldots, x_n)$ denote $(p_1(x_1, x_2, \ldots, x_n), \ldots, p_s(x_1, x_2, \ldots, x_n))$. For any function $h : \mathbb{F}_p \to \Omega$ and a vector $(x_1, x_2, \ldots, x_n) \in \mathbb{F}_p^n$, we write:

$$h(P(x_1, x_2, \ldots, x_n)) = \big(h(p_1(x_1, x_2, \ldots, x_n)), \ldots, h(p_s(x_1, x_2, \ldots, x_n))\big) \in \Omega^s$$

We use similar notation for $Q$. Let $f \in \mathbb{F}_p[X_1, X_2, \ldots, X_n]$. The $(P, Q, f)$-General Diffie-Hellman Exponent problem ($(P, Q, f)$-GDHE) is defined as follows: given the vector

$$H(x_1, \ldots, x_n) = \big(g^{P(x_1, \ldots, x_n)},\ g_T^{Q(x_1, \ldots, x_n)}\big) \in G^s \times G_T^s,$$

compute $g_T^{f(x_1, \ldots, x_n)} \in G_T$.

The advantage of an algorithm $\mathcal{A}$ in solving the GDHE problem is:

$$\mathrm{Adv}^{\mathrm{GDHE}}_{\mathcal{A}} = \Pr\left[\mathcal{A}(P, Q, f, H(x_1, \ldots, x_n)) = g_T^{f(x_1, \ldots, x_n)}\right]$$

We say that the $(P, Q, f)$-GDHE assumption holds if for any probabilistic polynomial time algorithm $\mathcal{A}$, the advantage $\mathrm{Adv}^{\mathrm{GDHE}}_{\mathcal{A}}$ is negligibly small.

Definition 3. Dependent and Independent Polynomials

With $f, P, Q$ defined as in Definition 2, we say $f$ and $(P, Q)$ are dependent, denoted by $f \in \langle P, Q \rangle$, if there exists a tuple of $(s^2 + s)$ components $\{a_{i,j}\}$, $\{b_i\}$ with

2.3 General model of identity-based broadcast signcryption

Let $B$ be the broadcaster and $R = \{R_1, R_2, \ldots, R_l\}$ be the set of receivers. The detailed functions of these algorithms are described as follows:

• Setup: Given a security parameter $\lambda$ and the maximal size $m$ of the set of receivers, the PKG generates a master secret key $MSK$ and a public key $PK$. $MSK$ is kept secret and $PK$ is made public.

• Extract: Given an identity $ID$, the PKG computes the corresponding private key $S_{ID}$ and transfers it to the owner in a secure way.

• Signcryption: On input of the public key $PK$ and a set of designated identities $R = \{ID_1, ID_2, \ldots, ID_l\}$ with $l \le m$, the broadcaster $B$ computes $\sigma = \mathrm{Signcrypt}(M, PK, R, S_{ID_B})$ and obtains $\sigma$ as the signcrypted text of the plaintext $M$.

• Unsigncryption: When receiving $\sigma$, a receiver with identity $ID_i$, $1 \le i \le l$, and corresponding private key $S_{ID_i}$ computes $\mathrm{Unsigncrypt}(\sigma, S_{ID_i}, ID_B, PK)$ to obtain a valid plaintext $M$ or a symbol $\bot$ if $\sigma$ was an invalid signcrypted text.

For the correctness constraint of identity-based broadcast signcryption, we require that:

$$M = \mathrm{Unsigncrypt}\big(\mathrm{Signcrypt}(M, PK, R, S_{ID_B}),\ S_{ID_i},\ ID_B,\ PK\big)$$

2.4 Requirements of IBBS

According to [ENI09], a broadcast signcryption scheme basically should have the following properties:

1. Consistency: The signcrypted text formed properly by the signcryption algorithm must be extracted and verified successfully by the corresponding unsigncryption algorithm.

2. Confidentiality: It is impossible to obtain the content of the signcrypted message without knowledge of the target receivers' private keys.

3. Unforgeability: Without knowledge of the sender's private key, it is infeasible for an attacker to masquerade and create a signcrypted text which will be unsigncrypted and verified successfully by the unsigncryption algorithm.

4. Public ciphertext authenticity: Any third party can verify the validity and the origin of the ciphertext without knowing the content of the message or getting any help from the designated receivers.

5. Public verifiability: The receiver has the ability to prove to a third party that the signcrypted ciphertext is a valid signature on the message without revealing his private key. This property ensures that the sender cannot deny his signature.

6. Efficiency: The communication load (size of the signcrypted text) and computation cost (time to signcrypt and unsigncrypt) should be smaller than those of the best known signature-then-encryption schemes with the same provided functionalities and comparable parameters.

2.5 Security notions for IBBS

There are two types of security in any IBBS scheme: message confidentiality and unforgeability. Formal security definitions for signcryption schemes were defined by Malone-Lee [ML02], consisting of indistinguishability against adaptive chosen ciphertext attacks (for message confidentiality) and unforgeability against adaptive chosen message attacks (for existential unforgeability). For broadcast signcryption, a widely accepted security definition is the selective identity attack.

The selective identity attack was first proposed by Canetti et al. [CHK03], in which the adversary must choose from the beginning the identity he wants to attack. This idea was then modified and adapted to prove the security of broadcast encryption and signcryption schemes [DC06, Del07]. In this work, we inherit it and present two notions called indistinguishability of identity-based broadcast signcryption against selective identity chosen ciphertext attacks (IND-sIBBS-CCA) and existential unforgeability of identity-based broadcast signcryption scheme against selective identity chosen message attacks (EUF-sIBBS-CMA). The details of these notions are described below.

2.5.1 Message confidentiality

Let $\mathcal{A}$ denote an adversary and $\mathcal{B}$ denote a challenger. Message confidentiality is defined by considering the following game between $\mathcal{A}$ and $\mathcal{B}$. Basically, we improve the definition of [Del07] by adding some queries on signcryption and unsigncryption.

Init: Both adversary and challenger are given $m$ as the maximal size of the receiver set. $\mathcal{A}$ outputs a set of identities, denoted by $R^* = \{ID_1^*, ID_2^*, \ldots, ID_l^*\}$ ($l \le m$), that he wishes to attack.

Setup: The challenger runs the setup algorithm to obtain the master secret key $MSK$ and public key $PK$. The challenger sends $PK$ to $\mathcal{A}$ while keeping $MSK$ secret from $\mathcal{A}$.

Phase 1: Adversary $\mathcal{A}$ starts to probe by issuing a series of queries:

• Extraction queries: $\mathcal{A}$ produces an arbitrary identity $ID$ with the constraint that $ID \notin R^*$ and requests the corresponding private key. The challenger runs the extraction algorithm to obtain $S_{ID}$ and returns it to the adversary.

• Signcryption queries: $\mathcal{A}$ produces a message $M$, a broadcaster $ID_B$, a set $R$ of $l$ receivers with identities $ID_{R_i}$ and requests the signcrypted ciphertext $\mathrm{Signcrypt}(M, PK, R, S_B)$. The challenger returns the corresponding $\sigma$.

• Unsigncryption queries: $\mathcal{A}$ produces a broadcaster $ID_A$ and a signcrypted text $\sigma$ and requests the result of the operation $\mathrm{Unsigncrypt}(\sigma, S_{ID^*}, ID_A, PK)$ with $ID^* \in R^*$. The challenger returns the valid plaintext $M$ if unsigncryption succeeds, or the symbol $\bot$ otherwise.

Challenge: $\mathcal{A}$ produces two plaintexts $M_0$ and $M_1$ of equal length and a broadcaster identity $ID_A$. The challenger randomly selects a bit $b \in \{0, 1\}$ and then computes the signcrypted text $\sigma^* = \mathrm{Signcrypt}(M_b, PK, R^*, S_{ID_A})$. The challenger returns $\sigma^*$ to $\mathcal{A}$.

Phase 2: $\mathcal{A}$ continues to issue queries as follows:

• Extraction and signcryption queries as in Phase 1.

• Unsigncryption queries as in Phase 1, but with the restriction that it cannot request the unsigncryption of the challenge $\sigma^*$.

Guess: Finally, the adversary $\mathcal{A}$ outputs a guess $b'$ and wins the game if $b' = b$.

The advantage of $\mathcal{A}$ is defined as:

$$\mathrm{Adv}^{\mathrm{IND\text{-}sIBBS\text{-}CCA}}_{\mathrm{IBBS}}(\mathcal{A}) = 2 \times \Pr[b' = b] - 1$$

where $\Pr[b' = b]$ is the probability that $b' = b$.

Definition 4. An identity-based broadcast signcryption scheme (IBBS) satisfies the indistinguishability against selective ID, chosen ciphertext attacks property (IND-sIBBS-CCA) if no probabilistic polynomial time adversary has a non-negligible advantage in the above confidentiality game.

2.5.2 Existential unforgeability

For the unforgeability requirement, we consider the game between the adversary $\mathcal{A}$ and the challenger $\mathcal{B}$ as follows:

Init: Both adversary and challenger are given $m$ as the maximal size of the receiver set. $\mathcal{A}$ outputs an identity $ID^*$ that he wishes to attack.

Setup: The challenger runs the setup algorithm to obtain the master secret key $MSK$ and public key $PK$. The challenger sends $PK$ to $\mathcal{A}$ while keeping $MSK$ secret from $\mathcal{A}$.

Attack: The adversary $\mathcal{A}$ performs a number of queries on extraction, signcryption and unsigncryption as in the previous game of confidentiality, with the restriction that he cannot request the private key extraction for the target identity $ID^*$.

Forgery: The adversary $\mathcal{A}$ produces a signcrypted text $\sigma^*$ and $l$ arbitrary recipients' identities $ID_{r_1}, ID_{r_2}, \ldots, ID_{r_l}$ where $ID_{r_i} \neq ID^*$. $\mathcal{A}$ wins the game if the result of $\mathrm{Unsigncrypt}(\sigma^*, S_{ID_{r_i}}, ID^*, PK)$, with $1 \le i \le l$, is a valid message $M$ such that $\sigma^*$ was not the output of a previous signcryption query.

The advantage of $\mathcal{A}$ is defined as the probability that he wins the game.

Definition 5. An identity-based broadcast signcryption scheme (IBBS) satisfies the existential unforgeability against chosen message attacks property (EUF-sIBBS-CMA) if no probabilistic polynomial time forger has a non-negligible advantage in the above forgeability game.

2.6 Forking lemma

The "forking lemma" concept was first suggested by David Pointcheval and Jacques Stern in [PS00]. This lemma is used to prove the unforgeability of signature schemes in the random oracle model. Recently, it has been employed widely to prove the security not only of digital signature algorithms but also of other random-oracle-based cryptographic constructions.

This lemma is applicable to signature schemes that produce a signature in the form of a triplet $(\sigma_1, h, \sigma_2)$ by using a hash function. The idea here is: assuming that there is an efficient attacker who can break the scheme in the random oracle model, then, by a replay attack, it can produce two different random signatures $(\sigma_1, h, \sigma_2)$ and $(\sigma_1', h', \sigma_2')$ of the same message $M$ such that $\sigma_1 = \sigma_1'$ but $h \neq h'$, where $h = f(M, \sigma_1)$. If the probability of obtaining two forgeries on an identical message but with different random oracle outputs is non-negligible, then there exists an algorithm that can solve some underlying hard problem with non-negligible probability. Applying the forking lemma allows us to prove that if the underlying hard problem is indeed intractable, then no adversary can forge the signature.

The essential forking lemma in [PS00] is restated here in Theorem 1 below.

Theorem 1. Let $\mathcal{A}$ be a probabilistic polynomial time Turing machine whose input only consists of public data. We denote respectively by $Q$ and $R$ the number of queries that $\mathcal{A}$ can ask to the random oracle and the number of queries that $\mathcal{A}$ can ask to the signer. Assume that, within a time bound $T$, $\mathcal{A}$ produces, with probability $\varepsilon \ge 10(R+1)(R+Q)/2^k$, a valid signature $(M, \sigma_1, h, \sigma_2)$. If the triple $(\sigma_1, h, \sigma_2)$ can be simulated without knowing the secret key, with an indistinguishable distribution probability, then there is another machine which has control over the machine obtained from $\mathcal{A}$ replacing interaction with the signer by simulation and produces two valid signatures $(M, \sigma_1, h, \sigma_2)$ and $(M, \sigma_1, h', \sigma_2')$ such that $h \neq h'$ in expected time $T' \le 120686\, QT/\varepsilon$.

The usage of this lemma will be clearer in the proof of the existential unforgeability property of our scheme in the next chapter.

Chapter 3

Identity-Based Broadcast Signcryption Scheme

The proposed IBBS scheme consists of four phases: Setup, Extract, Signcryption and Unsigncryption.

3.1 Description of the scheme

3.1.1 Setup

Given a security parameter $\lambda$ and an integer $m$ ($m$ is the maximal number of receivers in the scheme), the Private Key Generator (PKG) chooses bilinear map groups $(G_1, G_2, G_T)$ of prime order $p$ where $|p| \ge \lambda$, two generators $g, h$ of $G_1, G_2$ respectively, a bilinear map $e : G_1 \times G_2 \to G_T$ and three hash functions:

$H_1 : \{0,1\}^* \to \mathbb{Z}_p^*$;

$H_2 : G_T \to \{0,1\}^n$;

$H_3 : \{0,1\}^* \times G_T \times G_2 \times G_1 \to \mathbb{Z}_p^*$

The PKG randomly chooses a secret value $\gamma \in \mathbb{Z}_p$. The master secret key is $MSK = (g, \gamma)$.

The PKG computes $w = g^{\gamma}$ and $v = e(g, h)$, and chooses a secure symmetric encryption/decryption algorithm $(E, D)$ with $n$ the length of the symmetric encryption key.

The system's public key is:

$$PK = \big(w = g^{\gamma},\ v = e(g, h),\ h,\ h^{\gamma},\ h^{\gamma^2},\ \ldots,\ h^{\gamma^m}\big)$$

3.1.2 Extract

It returns $Q_{ID}$ and $S_{ID}$ as the public and private key associated with the identity $ID$. $S_{ID}$ is transmitted in a secure way to its owner.

3.1.3 Signcryption

Assume a broadcaster $B$ wants to signcrypt a message $M$ to a set $R$ consisting of $l$ receivers with identities $ID_1, ID_2, \ldots, ID_l$. For simplicity, we denote $R = \{ID_i\}_{i=1}^{l}$ with $ID_i$ the identity of the $i$-th receiver.

Given a message $M$, the system's public key $PK$ and a set of receivers $R$, the broadcaster with identity $ID_B$ follows the steps below:

The signcrypted text is $\sigma = (C, S, T, Z, Y, L)$ where $L$ is the label that contains the list of receivers who can unsigncrypt to get the plaintext.

3.1.4 Unsigncryption

When receiving $\sigma$ from the broadcaster with identity $ID_B$, the receiver with identity $ID_i$ and corresponding secret key $S_{ID_i} = g^{1/(\gamma + Q_{ID_i})}$ follows the steps below to unsigncrypt $\sigma$:

1. Check whether $ID_i$ is in the label $L$; if yes:

2. Recover $r = H_3(C, S, T, Z) \in \mathbb{Z}_p$.

3. Compute $\psi = e\big(Y, h^{\gamma^2 + \gamma Q_{ID_B}}\big) \cdot e(w, h)^r$.

4. Compute $k = \Big(e\big(Z, h^{p_i(\gamma)}\big) \cdot e(S_{ID_i}, T)\Big)^{1/Q_{ID_i}}$.

Trang 24

3.2 Analysis

3.2.1 Consistency

The consistency of the proposed scheme is easily verified from the bilinearity of the map $e$. If $\sigma$ is a valid signcrypted text for an identity $ID_i$, then $r$ is correct and we have:

Moreover, according to the signcryption phase, replacing $Z = w^{-x}$, $T = h^{x \prod_{j=1}^{l} (\gamma + Q_{ID_j})}$, $p_{i,S}(\gamma) = \frac{1}{\gamma} \left( \prod_{j=1, j \ne i}^{l} (\gamma + Q_{ID_j}) - \prod_{j=1, j \ne i}^{l} Q_{ID_j} \right)$ and $S_{ID_i} = g^{1/(\gamma + Q_{ID_i})}$, we derive:

3.2.2 Public ciphertext authenticity

Anyone can be convinced of the signcrypted ciphertext's origin by recovering $r = H_3(C, S, T, Z)$ and $\psi$ as in steps 2 and 3 of the Unsigncryption phase and checking whether the condition $\psi = S$ holds. Since this verification procedure only requires components of the signcrypted ciphertext, and neither involves knowledge of the plaintext nor needs support from the recipient, it provides public ciphertext authenticity.

3.2.3 Public verifiability

A recipient can convince a third party that the sender is the author of a plaintext $M$ by forwarding the signcrypted ciphertext $\sigma$, $M$ and the ephemeral key $k$ to him.

To check whether the ciphertext is a signcrypted version of $M$ made by the broadcaster, the third party first checks the origin of the ciphertext as in the public ciphertext authenticity section. If this requirement is met, he accepts the message authenticity if and only if $M = D_k(C)$.

Hence, this scheme satisfies the requirement of public verifiability.

3.3 Security proofs

In this section, security proofs of confidentiality and unforgeability under the security notions defined in Chapter 2 are provided. The message confidentiality property relies on the hardness of the $(P, Q, f)$-General Diffie-Hellman Exponent assumption. The unforgeability property is proved under the $q$-Strong Diffie-Hellman problem. The hash functions $H_i$ are modelled as random oracles.

3.3.1 Message confidentiality

In order to prove security based on the intractability of the $(P, Q, f)$-GDHE problem, we must define $(P, Q, f)$ such that they not only satisfy the independence condition ($f \notin \langle P, Q \rangle$) but are also appropriate for the simulation of this scheme.

We now define an intermediate problem which determines $(P, Q, f)$ for a GDHE problem.

Definition 6. Given a bilinear map group system $(p, G_1, G_2, G_T, e)$, let $f$ and $g$ be two coprime polynomials with pairwise distinct roots, of order $t$ and $m$ respectively. Let $g_0$ be a generator of $G_1$ and $h_0$ a generator of $G_2$. Given:

$(g_0,\ g_0^{\gamma},\ \ldots,\ g_0^{\gamma^{t-1}},\ g_0^{\gamma f(\gamma)},\ g_0^{k \gamma f(\gamma)},\ h_0,\ h_0^{\gamma},\ \ldots,\ h_0^{\gamma^{2m}},\ h_0^{k g(\gamma)})$,

compute $e(g_0, h_0)^{k f(\gamma)}$.

Consider the weakest case (the one most favourable to the adversary), when $G_1 = G_2$, in which there always exists $\beta$ such that $h_0 = g_0^{\beta}$. This problem can be represented in the form of a $(P, Q, F)$-GDHE problem where:

$P = (1,\ \gamma,\ \gamma^2,\ \ldots,\ \gamma^{t-1},\ \gamma f(\gamma),\ k \gamma f(\gamma),\ \beta,\ \beta\gamma,\ \ldots,\ \beta\gamma^{2m},\ k \beta g(\gamma))$

$Q = 1$

$F = k \beta f(\gamma)$
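The independence of $F$ from $(P, Q)$, which the proof defers to [Del07], can be checked mechanically for one small instance. The Python script below is an added example, not part of the thesis: it builds the exponents of $P$, $Q$ and $F$ as polynomials in $(\gamma, k, \beta)$ over a toy prime field (an assumption, as are the constructed $Q_{ID}$ values that define $f$ and $g$) and decides by Gaussian elimination whether $F$ is a linear combination of $\{1\} \cup \{P_i P_j\}$, which is the GDHE notion of dependence. As a control it also confirms that $\gamma F = (k \gamma f(\gamma)) \cdot \beta$, a genuine product of two entries of $P$, is reported as dependent, so a wrong answer of "independent" would not go unnoticed.

```python
"""Linear-algebra check that F is independent of (P, Q) for one small GDHE instance.

Exponents are polynomials in (gamma, k, beta) over Z_MOD, stored as
{exponent-tuple: coefficient}.  F depends on (P, Q) in the GDHE sense iff
F = sum_{i,j} a_ij P_i P_j + sum_k b_k Q_k for some constants, i.e. iff F lies
in the span of the pairwise products of P together with Q.  Independence for
all t, m is what [Del07] proves; this only confirms one instance.
"""
MOD = 1_000_003  # toy prime; only needs to keep the chosen Q values nonzero and distinct (assumption)

GAMMA, K, BETA = {(1, 0, 0): 1}, {(0, 1, 0): 1}, {(0, 0, 1): 1}


def inv(a):
    return pow(a % MOD, MOD - 2, MOD)


def const(c):
    return {(0, 0, 0): c % MOD} if c % MOD else {}


def pmul(a, b):
    """Product of two polynomials in (gamma, k, beta); zero coefficients are dropped."""
    out = {}
    for ea, ca in a.items():
        for eb, cb in b.items():
            e = (ea[0] + eb[0], ea[1] + eb[1], ea[2] + eb[2])
            out[e] = (out.get(e, 0) + ca * cb) % MOD
    return {e: c for e, c in out.items() if c}


def gamma_pow(i):
    return {(i, 0, 0): 1}


def from_q_values(q_values):
    """prod (gamma + Q) over the given Q values, i.e. f or g with roots -Q."""
    poly = const(1)
    for q in q_values:
        poly = pmul(poly, {(1, 0, 0): 1, (0, 0, 0): q % MOD})
    return poly


def gdhe_instance(f_q_values, g_q_values):
    """(P, Q, F) of Section 3.3.1 for f of order t = len(f_q_values), g of order m = len(g_q_values)."""
    assert set(f_q_values).isdisjoint(g_q_values), "f and g must be coprime"
    t, m = len(f_q_values), len(g_q_values)
    f, g = from_q_values(f_q_values), from_q_values(g_q_values)
    P = [gamma_pow(i) for i in range(t)]                       # 1, gamma, ..., gamma^{t-1}
    P.append(pmul(GAMMA, f))                                    # gamma f(gamma)
    P.append(pmul(K, pmul(GAMMA, f)))                           # k gamma f(gamma)
    P += [pmul(BETA, gamma_pow(i)) for i in range(2 * m + 1)]  # beta, beta gamma, ..., beta gamma^{2m}
    P.append(pmul(K, pmul(BETA, g)))                            # k beta g(gamma)
    Q = [const(1)]
    F = pmul(K, pmul(BETA, f))                                  # k beta f(gamma)
    return P, Q, F


def in_span(vectors, target):
    """Is target a Z_MOD-linear combination of vectors?  Gaussian elimination keyed by leading monomial."""
    basis = {}                                 # leading monomial -> reduced row

    def reduce(v):
        v = dict(v)
        while v:
            lead = max(v)
            if lead not in basis:
                return v                       # no row with this leading monomial: fully reduced
            row = basis[lead]
            c = v[lead] * inv(row[lead]) % MOD
            for mono, coef in row.items():     # subtract c * row; this removes `lead`
                nv = (v.get(mono, 0) - c * coef) % MOD
                if nv:
                    v[mono] = nv
                else:
                    v.pop(mono, None)
        return v

    for vec in vectors:
        r = reduce(vec)
        if r:
            basis[max(r)] = r
    return not reduce(target)


def is_dependent(P, Q, F):
    """GDHE dependence: F in the span of all P_i P_j together with the entries of Q."""
    products = [pmul(P[i], P[j]) for i in range(len(P)) for j in range(i, len(P))]
    return in_span(products + Q, F)


if __name__ == "__main__":
    P, Q, F = gdhe_instance([3, 5, 7], [11, 13])  # t = 3, m = 2, constructed Q values
    print("F = k.beta.f(gamma) dependent on (P, Q):", is_dependent(P, Q, F))
    print("gamma.F dependent (it is P_i * P_j):    ", is_dependent(P, Q, pmul(GAMMA, F)))
```

The only products carrying exactly one $k$ and one $\beta$ are $k\gamma f(\gamma) \cdot \beta\gamma^j$ and $k\beta g(\gamma) \cdot \gamma^i$ (and $k\beta g(\gamma) \cdot \gamma f(\gamma)$), so dependence would require $f = \gamma f A + g B$ for polynomials $A, B$, which coprimality of $f$ and $g$ rules out; the script reproduces that conclusion for the chosen instance.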

We refer to [Del07] for a proof that $F$ is independent of $(P, Q)$. Therefore, any polynomial-time algorithm that solves the above problem breaks the GDHE assumption. Thus, as long as the $(P, Q, F)$-GDHE assumption holds, the security of our scheme is established by the following theorem:

Theorem 2. Assume that an IND-sIBBS-CCA adversary $\mathcal{A}$ has advantage $\varepsilon$ against our scheme and makes $t$ key extraction queries, $q_{SC}$ signcryption queries, $q_{UN}$ unsigncryption queries and $q_{H_i}$ queries to the oracles $H_i$ (for $i = 1, 2, 3$). Then there exists a polynomial-time algorithm $\mathcal{B}$ that solves the general Diffie-Hellman exponent problem (GDHE) with advantage $\varepsilon' \ge$ — $(1 - q_{UN}/2^{\lambda})$.

Proof. We show how to build an algorithm $\mathcal{B}$ that solves the general Diffie-Hellman exponent problem by running $\mathcal{A}$ as a subroutine. $\mathcal{B}$ acts as $\mathcal{A}$'s challenger in the IND-sIBBS-CCA game.

Both adversary and challenger are given as input the maximal size $m$ of the receiver set $R$ and $t$, the total number of key extraction queries that the adversary may issue.

On input a group system $(p, G_1, G_2, G_T, e)$, generators $g_0$ of $G_1$ and $h_0$ of $G_2$, two coprime polynomials with pairwise distinct roots $f$ and $g$ of orders $t$ and $m$ respectively, and a tuple

$(g_0,\ g_0^{\gamma},\ \ldots,\ g_0^{\gamma^{t-1}},\ g_0^{\gamma f(\gamma)},\ g_0^{k \gamma f(\gamma)},\ h_0,\ h_0^{\gamma},\ \ldots,\ h_0^{\gamma^{2m}},\ h_0^{k g(\gamma)})$,

$\mathcal{B}$'s goal is to extract $e(g_0, h_0)^{k f(\gamma)}$ from its interaction with $\mathcal{A}$.

We use the notations below:

$f(z) = \prod_{i=1}^{t} (z + Q_{ID_i})$

$g(z) = \prod_{i=t+1}^{t+m} (z + Q_{ID_i})$

$f_i(z) = \dfrac{f(z)}{z + Q_{ID_i}}$ for $i \in [1, t]$, a polynomial of order $t - 1$

$g_i(z) = \dfrac{g(z)}{z + Q_{ID_i}}$ for $i \in [t+1, t+m]$, a polynomial of order $m - 1$
