Identity based threshold proxy signcryption scheme

Page 1

Identity Based Threshold Proxy Signcryption Scheme
Meng Wang, and Zhijing Liu
School of Computer Science and Technology
Xidian University, Xi’an 710071, China
wangmeng@xidian.edu.cn,liuprofessor@163.com
Abstract
An identity based cryptosystem is a novel type of
public cryptographic scheme in which the public keys
of the users are their identities or strings derived from
their identities. In a ( nt, ) proxy signature scheme, the
original signer can delegate his/her signing capability
to n proxy signers such that any t or more proxy
signers can sign messages on behalf of the former, but
1
−
t
or less of them cannot do the same thing.
However, in many situations we want to enjoy
confidentiality, authenticity and non-repudiation of
message simultaneously. In this paper we propose an
identity based threshold proxy signcryption scheme
using bilinear pairings. The security of the scheme is
also analyzed.
1. Introduction
The idea of an identity-based encryption (IBE)
scheme is that an arbitrary string can serve as a public
key [1]. The main advantage of this approach is to
largely reduce the need for public key certificates and
certificate authorities, because a public key is
associated with identity information such as a user’s
email address. For such a system to work there are
Trusted Authorities (or Private Key Generators) that
generate user’s private key from their identity
information. Signcryption, first proposed by Zheng [2],
is a new cryptographic primitive which simultaneously
fulfill both the functions of signature and encryption in
a single logical step, and with a computational cost
significantly lower than that required by the tradi-
tional signature-then-encryption approach. Identity
based signcryption scheme is rapidly emerging in
recent years ([3], [4], [5]).
A proxy signature scheme allows one user Alice,
called original signer, to delegate her signing capability
to another user Bob, called proxy signer. After that, the
proxy signer Bob can sign messages on behalf of the
original signer Alice. Upon receiving a proxy signature
on some message, a verifier can validate its correctness
by the given verification procedure, and then is
convinced of the original signer’s agreement on the
signed message. In other words, proxy signatures can
be distinguished from standard signatures signed by
either the original signer or the proxy signer. Proxy
signature schemes have been suggested for use in a
number of applications, particularly in distributed
computing where delegation of rights is quite common,
such as e-cash systems, mobile agents for electronic
commerce, mobile communications, grid computing,
global distribution networks, and distributed shared
object systems.
The basic idea of ID-Based proxy-signcryption
schemes is as follows. The original signcrypter Alice
sends a specific message with its signature to the proxy
signcrypter Bob, who then uses this information to
construct a proxy private key. With the proxy private
key, Bob can generate proxy signcryption by
employing a specified standard ID-Based signcryption
scheme. When a proxy signcryption is given, a verifier
first computes the proxy public key from some public
information, and then checks its validity according to
the corresponding standard ID-Based signcryption
verification procedure.
Recently, Xu et al proposed an identity based
threshold proxy signature scheme [6]. A ( n
signature scheme is a variant of the proxy signature
scheme in which the proxy signature key is shared by a
group of n proxy signers in such a way that any t or
more proxy signers can cooperatively employ the
proxy signature keys to sign messages on behalf of an
original signer, but
1
−
t
or fewer proxy signers cannot.
This technology not only allows the original signer to
delegate the proxy signing power to a group of proxy
signers instead of one single proxy signer, but also lets
the original signer to set the threshold value t freely
(
nt ≤≤
1
). Therefore, the threshold proxy signature
approach is more practical, flexible and secure than
standard proxy signature schemes.
t,
) proxy
Proceedings of the 2005 The Fifth International Conference on Computer and Information Technology (CIT’05)
0-7695-2432-X/05 $20.00 © 2005 IEEE

Page 2

However, in many situations we want to enjoy
confidentiality, authenticity and non-repudiation of
message simultaneously. Thus, we propose an identity
based threshold proxy signcryption scheme. Following
the definitions from [7] and [8], a strong ID-based
threshold proxy signcryption scheme should satisfy the
following properties:
1) Strong unforgeability: A designated proxy signer
can create a valid proxy signature for the original
signer. But the original signer and other third parties
who are not designated as a proxy signer cannot create
a valid proxy signature.
2) Verifiability: The original signer’s delegation on
the signed message is verifiable using publicly
available parameters.
3) Strong identifiability: Anyone can determine the
identity of the corresponding proxy signer from a
proxy signature.
4) Strong undeniability: Once a proxy signer creates
a valid proxy signature for an original signer, he cannot
repudiate his signature creation against anyone else.
5) Prevention of misuse: The proxy cannot use the
proxy key for other purposes than generating a valid
proxy signature. That is the proxy cannot sign
messages that have not been authorized by the original
signer.
The rest of this paper is organized as follows.
Section 2 contains some formal definitions bilinear
Diffie-Hellman problems. Section 3 gives the general
identity based signcryption scheme. Our scheme is
presented in Section 4. We analyze the security of our
scheme in Section 5?Section 6 concludes the paper?
2. Preliminaries
Let (
+ ,
1G ) and (
⋅ ,
2 G ) be two cyclic groups of prime
orderq. The bilinear pairing is given as
which satisfy the following properties:
1) Bilinear: For
,,
RQP
211
^
e
:
GGG
→×
,
1
G
∈
, there exists
),(),(),(
^
e
^
e
^
e
2) Non-degenerate: There exists
RQRPRQP
=+
and
),(),
such that
(),(
^
e
^
e
^
eRPQPRQP
=
∈
+
.
1
,
GQP
1),(
^
e
≠
QP
3) Computable: There exists an efficient algorithm
^
,),(
GQPQPe
∈∀
Now we specify some versions of Diffie-Hellman
problems. The security of our scheme described here
relies on the hardness of the following problems.
1) Decisional Diffie-Hellman problem (DDHP) in
.
to compute
1
.
(
^
e
21
,,
GG
) is to decide whether
abc
P
.
Peh
),(
^
=
or not,
given (
cP bPaPP
,,,
) and an element
2
Gh∈
2) Computational Diffie-Hellman problem (CDHP)
in (
^
e
2
,
1
,
,,
GG
) is to compute
abc
PPeh
),(
^
=
,
given(
3) Discrete Logarithm Problem (DLP): Given two
group elements P and Q find an integer n, such that
Q =
whenever such an integer exists.
4) Gap Diffie-Hellman groups: Groups where the
CDHP is hard but the DDHP is easy.
No algorithm is known to be able to solve any of
them so far
cPbP aPP
,
).
nP
3. General ID-Based Signcryption Scheme
Generally, identity based signcryption schemes are
made of four algorithms which are the following.
[Setup]
The PKG picks a security parameter k and
generates the system’s public parameters and the
master-key.
[Extraction]
This algorithm is performed by the PKG when a
user requests a secret key corresponding to his identity.
The secret key is given to the user in a secure way.
This step is done only once for every identity and uses
the same Setup data for many different identities.
[Signcryption]
To send a message m to B, A computes
Signcrypt(
BA
ID
dm
,,
IDQ
) to obtain the ciphertext σ .
[Unsigncryption]
On receiving the ciphertext σ , B computes
Unsigncrypt(
IDA
d
,
σ
)and obtains the plaintext
m or the symbol ⊥ if σ was an invalid ciphertext
between the two identities.
Of course we require for consistency that if
σ = Signcrypt(
IDQ
B,
BA
IDIDQdm
,,
)
holds then m = Unsigncrypt(
IDAIDQd
B,,
σ
).
4. Our Proposed Scheme
Our scheme is based on LQ-IBS (Libert-Quisquater
Identity based signcryption scheme) [3]. It consists of
the following five phases:
[Setup]
Proceedings of the 2005 The Fifth International Conference on Computer and Information Technology (CIT’05)
0-7695-2432-X/05 $20.00 © 2005 IEEE

Page 3

Given a security parameter k , the PKG chooses
groups
1
Gand
2
G of prime order q, a generator P of
1
G ,
a bilinear map
^
e :
2
H
11
G
,
GG
→×
and hash functions:
→
,
→
s∈
and computes
q Z
→
H
→
*} 1 , 0 { :
1
*
1
,
} 1 , 0 { :
G
*
q
*
2
} 1 , 0 { :
ZH
n
GH
} 1 , 0 {:
23
.
It chooses master key
*
q
Z
sPPpub=
(
E,
. It also chooses a secure symmetric cipher
D
). The PKG publishes system’s public parameters
{
DEHHHHPPeqknGG
pub
,,,,,,,,,,,,,
321
^
21
}
and keeps the master key s secret. Let
QUAL=
group of n proxy signcrypters. Each user
di∈
.
0 P be the
be the proxy
original signer and
} ,...,,{
21
n PPP
iP owns a
secret key
1
G
[Extraction]
Given an identity, the PKG computes
d =
)(
1IDHQID=
,
and the private key
ID ID
sQ
.
[Generation of the proxy share]
Let
w
m be the warrant consisting the identity of the
original signcrypter and the proxy signcrypters, the
threshold parameter t and the valid delegation time.
Every proxy signcrypter
iP calculates its own proxy
signcrypting key share as follows:
Step1: The original signer
0P first chooses
. Then he computes
*
qw
Zx ∈
randomly and computes
+=
0
m and
=<
w
PxU
ww=
H =
wwW
HxdV
in which
),,(
02
wwW
UmIDH
and sends
w
>
wwV
,
U
to each
QUALPi∈
.
Step2: The proxy signcrypter
iP first takes
∈
?
1010
)(
GID HQ
∈=
He accepts the signature if
and
),,(
02
www
UmIDHH =
1
G
),(),(),(
^
e
0
^
e
^
e
wwpubw
HUQPVP
=
holds and rejects it otherwise?
Finally
iP computes
wii
V
n
ds
1
+=
as his own
proxy signcryption share.
Step3:
iP chooses a (
1
− t
)-degree polynomial
i
t
l
l
ili
sxaxg
+=?
−
=
1
1
)(
with random coefficients
1
Gail∈
and
publishes
),(
^
e
il il
aPA =
for
1...2 , 1
=−
tl
.
0 iA can be calculated as
)
1
,()
1
,())(,(),(
^
e
0
^
e
1
^
e
^
e
ww pubipubi
H
n
UQ
n
PIDHPsP
=
Then
iP sends
)(jgi
to
jP via a secure channel for
every
ij≠.
Step4: On receiving
)(igj
,
iP check the equality
∏
=
0
k
−
=
1
^
e
))(,(
t
i
jkj
k
AigP
If it holds
iP computes his proxy signcrypting key
share
?
k
=
=
n
ki
igdp
1
)(
.
[Proxy Signcryption]
Step1: Each
QUAL Pi∈
randomly chooses a (
1
−
t
)-
degree polynomial
0
1
1
)(
i
t
l
l
ili
bxbxf
+=?
−
=
with random coefficients
*
qil Zb ∈ and publishes
to
PbB
ilil=
.
Furthermore,
j ≠ . On receiving
iP sends
)( jfi
jPvia a secure channel
for
i
)( jfi
,
jP validates
ik
t
k
k
i
BjPjf
•=?
−
=
1
0
)(
If it holds, each
iP computes his secret share
)(
1
ifr
n
k
ki ?
=
=
.
Step2: Let
},...,
Pi∈
{
21
tPPPD=
be the actual proxy
signcrypters. Each
D
applies the Lagrange
x η=
, in which
j
interpolation formula to compute
i i
r
i
∏
∈
≠
−
=
} ,...,2 , 1{
tj
ij
i
ij
η
Then he computes
)(
1
BID
IDHQ
B=

ix
pubi
PPek
),(
^
1=

i
B
) to a designated
x
ID pubi
QPek
),(
^
2=
sends (Finally each
DPi∈
iikk
21,
trusted third party via a secure channel.
Proceedings of the 2005 The Fifth International Conference on Computer and Information Technology (CIT’05)
0-7695-2432-X/05 $20.00 © 2005 IEEE

Page 4

Step3: To signcrypt a message
trusted third party computes
*} 1 , 0 {
∈
m
, the designated
∏
=
i
=
t
i
kk
1
11
∏
=
i
=
t
i
kHk
1
232
)(

)(
2m
(
2
H
Pi∈
Ec
k
=
r=
),
1
.
kc
Then he sends r to each
D
Step4: Each
DPi∈
calculates
ipub
P
ii
rdprS
−=
and
sends it to the designated trusted third party via a
secure channel.
Step5: The third party computes
?
i
=
=
t
iiSS
1
η
in
which
∏
∈
2 , 1 {
j
≠
−
=
},...,
t
ij
i
ij
j
η
and sends (
SrcU
,
m
w
, , ,
w
) to the
receiver Bob.
[Unsigncryption]
When receiving (
=
He then computes
Sr
H =
cUmw
,,,,
), the verifier Bob first
takes
11
)(
GIDHQ
ii
∈
and
),,(
02
www
Um IDH
.
r
ww
n
i
r
i pub
HU
(
eQPeSPek
),),(),(
0
^^^
'
1
?
=
=
=
'
2 k
)),(),(),((
^
e
0
^
e
^
e
3
r
ww
r
ID
n
i
i ID
UHdQQSH
BB
?
=
)(
'
2cDm
k
=
If
),(
'
12
kcHr ≠
return ⊥ else accepts m .
5. Security Analysis
Consistency: The consistency can be easily verified
by the following equations:
n
QPeSPek
,(),(
1
?
=
n
t
PeSPe
,(),(
??
==
??
==
? ??
===
??
==
r
ww
i
r
ipub
HU
(
e
),)
0
^^^
'
=
r
ww
r
i
ipub
i
ii
HU
(
eQ
),)
^
0
^
1
^
=
η
r
ww
r
n
i
ipub
r
t
i
ii
t
i
pubii
HU
(
eQPedpPePrPe
),),(),(),(
^
0
?
^
11
^^
?
=
−
=
ηη
r
ww
r
n
i
ipub
r
n
k
t
i
ki
t
i
pubii
HU
(
eQPeigPePrPe
),),() ) (,(),(
^
0
^
111
^^
=
−
=
ηη
r
ww
r
n
i
ipub
r
n
k
kw
t
i
pubii
HU
(
eQPedV
,
PePrPe
),),()(),(
^
0
^
11
^^
?
=
−
+=
η
r
ww
r
n
i
ipub
P
(
r
ww
r
n
i
ipub
P
(
t
i
pub
P
ii
HU
(
eQeHU
(
eQerP
(
e
),),),),),
^
0
^^
01
^^
?
=
?
=
?
=
−−
=
η
1
1
1
^
e
1
),(
kkPP
t
i
i
x
pub
t
i
i
==
?
=
∏
=
=
)),(),(),((
^
e
0
^
e
^
e
3
'
2
r
ww
r
ID
n
i
iID
UHdQQSHk
BB
?
=
=
)),(),(),((
^
e
0
^
e
1
^
e
3
r
ww
r
ID
n
i
iID
t
i
ii
HUdQQSH
BB
??
==
=
η
) )
w
H
,(),(),(),((
^
e
0
?
=
n
?
=
^
e
11
^
e
^
e
3
r
w
r
ID
n
i
i
r
ID
t
i
ii
t
i
IDpub
P
ii
UdQQdpQrH
BBB
?
=
?
=
n
??
= =
?
=
t
?
=
?
=
t
?
=
−
=
ηη
) )
w
H
,(),(), ) (
k
ig
η
(), ( (
3
eH
^
e
0
^
e
1 1
i
1
^
e
^
r
w
r
n
i
IDi
r
ID
k
t
i
i
IDpub
Pr
η
ii
UdQQQ
BBB
−
=
) )
w
H
,(),(),(),((
^
e
0
?
=
^
e
11
^
e
^
e
3
r
w
r
ID
i
i
r
n
k
IDkw
t
i
IDpub
Pr
η
ii
UdQQdVQH
BBB
?
−
=
+=
) )
w
H
,(),(),(),(),( (
3
eH
=
^
e
0
^
e
^
e
01
^
e
^
r
w
r
ID
n
i
i
r
ww
r
n
i
IDi
i
IDpub
Pr
η
i i
UdQHUdQQ
BBB
?
=
−−
2
1
233
)()),((
1
kkHQPeH
t
i
i
x
IDpub
t
i
i
B
==
?
=
∏
=
∧
=
Strong unforgeability: Because
wii
V
n
ds
1
+=
contains
private key
id of the proxy agent
iP in the identity
based threshold signcryption phase, without private
key information of the proxy agents the original proxy
signcrypter cannot generate a valid ID-based threshold
signcryption scheme by himself.
Strong identifiability: Because the verifier has to
compute
)(
1
ii
IDHQ =
in the unsigncryption phase, any
verifier can determine which proxy agents participate
in the identity based threshold proxy signcryption.
Strong nonrepudiation: The valid signcryption
contains the warrant
w
m , which must be verified in the
process of the unsigncryption. It cannot be modified by
the proxy signcrypters. Thus once the proxy agents
creates a valid proxy signcryption for the original, they
cannot repudiate the signcryption creation.
Prevention of misuse: Obviously, our proposed
scheme satisfies the properties of verifiability and
prevention of misuse.
6. Conclusions
In this paper we proposed an identity based
threshold proxy signcryption scheme from bilinear
pairings. Completeness security analysis of the scheme
Proceedings of the 2005 The Fifth International Conference on Computer and Information Technology (CIT’05)
0-7695-2432-X/05 $20.00 © 2005 IEEE

Page 5

is presented. To the best of authors’ knowledge, our
scheme is the first identity based threshold proxy
signcryption scheme. Future research involves pro-
posing more efficient schemes than the current one.
References
[1] Shamir, A., “Identity-base Cryptosystems and Signature
Schemes”. Proc. of Crypto'84, Lecture Notes in Computer
Science, Vol. 196, Springer-Verlag, (1984) pp.47-53.
[2] Y.Zheng, “Digital Signcryption or How to Achieve Cost
(Signature & Encryption)
Cost(Encryption)”. CRYPTO 1997, vol.1294 of LNCS,
Springer-Verlag, 1997, pp.165-179.
[3] B.Libert and J-J.Quisquater, “New Identity Based
Signcryption Schemes from Pairings”. In IEEE Information
Theory Workshop, pages 155-158, 2003.
[4] X.Li, K.Chen, “Identity Based Proxy-Signcryption
Scheme from Pairings”. In Proceedings of the 2004 IEEE
International Conference on Services Computing (SCC’04).
[5] X.Boyen, “Multipurpose ID-Based Signcryption : A
Swiss Army Knife for Identity-Based Cryptography”.
CRYPTO 2003, volume 2729 of LNCS, Springer Verlag,
2003, pp.382-398.
[6] J.Xu, Z.F.Zhang, and D.G.Feng, “Identity Based
Threshold Proxy Signature”. Cryptology ePrint Archive,
Report 2004/250, 2004. Available at http://eprint.iacr.org.
[7] B.Lee, H.Kim, K.Kim, “Strong Proxy Signature and its
Applications”, SCIS2001, Jan.23 26, 2001, vol 2/2 pp 603-
608.
[8] Sherman S.M. Chow, S.M. Yiu, Lucas C.K. Hui, and K.P.
Chow, “Efficient Forward and Provably Secure ID-Based
Signcryption Scheme with Public Verifiability and Public
Ciphertext Authenticity”. ICISC 2003, November 27-28,
2003, Revised Papers, vol.2971 of LNCS, Springer, 2003,
pp.352–369.
<< Cost(Signature) +
Proceedings of the 2005 The Fifth International Conference on Computer and Information Technology (CIT’05)
0-7695-2432-X/05 $20.00 © 2005 IEEE