Article

Efficient Certificateless Signcryption in the Standard Model: Revisiting Luo and Wan’s Scheme from Wireless Personal Communications (2018)


Abstract

Certificateless public key cryptography (CL-PKC) promises a practical resolution in establishing practical schemes, since it addresses two fundamental issues concurrently, namely the need for certificate management in traditional public key infrastructure (PKI) and the key escrow problem in the identity-based (ID-based) setting. Signcryption is an important primitive that provides the goals of both encryption and signature schemes, as it is more efficient than encrypting and signing messages consecutively. Since the concept of certificateless signcryption (CL-SC) was put forth by Barbosa and Farshim in 2008, many schemes have been proposed, most of them provable in the random oracle model (ROM) and only a few of them provable in the standard model. Very recently, Luo and Wan (Wireless Personal Communication, 2018) proposed a very efficient CL-SC scheme in the standard model. Furthermore, they claimed that their scheme is not only more efficient than the previously proposed schemes in the standard model, but also the only scheme which benefits from known session-specific temporary information security (KSSTIS). Therefore, this scheme would indeed be very practical. The contributions of this paper are twofold. First, in contrast to the claim made by Luo and Wan, we show that unfortunately Luo and Wan made a significant error in the construction of their proposed scheme. While their main intention is indeed interesting and useful, the failure of their construction has left a gap in the research literature. Hence, the second contribution of this paper is to fill this gap by proposing a CL-SC scheme with KSSTIS which is provably secure in the standard model.

... Their proposed scheme aims to address these security concerns while also improving efficiency through online/offline signature and batch verification techniques. Rastegari et al. [7] revisit Luo and Wan's certificateless signcryption scheme, pointing out errors in their construction and proposing a corrected and improved CL-SC scheme that is provably secure in the standard model. This work emphasizes the importance of rigorous security analysis and the ongoing refinement of CLSC schemes to ensure their robustness and practicality. ...
... Therefore, achieving provable security in the standard model without relying on random oracles is a desirable goal. Several of the reviewed papers, including Scheme [5], Scheme [6], Scheme [7], and Scheme [8], mention security proofs in the random oracle model (ROM). Scheme [4] and Scheme [7] emphasize provable security in the standard model, highlighting the stronger security guarantees offered by standard model proofs. Security proofs typically rely on computational hardness assumptions, such as the elliptic curve Diffie-Hellman (ECDH) problem or the computational Diffie-Hellman problem (CDHP). ...
Article
The rapid advancement of quantum computing technology poses a significant threat to conventional public key cryptographic infrastructure. The SM2 (state key cryptography algorithm no. 2) elliptic curve public key cryptographic algorithm, which adopts elliptic curve cryptography, has demonstrated strong resistance to quantum attacks. However, existing signcryption schemes remain vulnerable due to their reliance on a single certification authority (CA) managing all keys. The cryptography fundamental logics (CFL) authentication process eliminates the need for third-party involvement, achieving decentralized authentication and reducing the burden on certificate generation centers. Therefore, a decentralized signcryption scheme based on CFL was proposed using the SM2 national cryptographic algorithm. Unlike traditional signcryption schemes, this approach does not depend on the certification authority’s private key during the public–private key generation process. This innovation helps avoid risks associated with certification authority private key leakage and ensures decentralized characteristics. The proposed scheme was rigorously verified under the random oracle model (ROM) and based on the complexity assumption of the elliptic curve Diffie–Hellman (ECDH) problem. The theoretical analysis and experimental results demonstrate that compared to traditional methods, the proposed scheme exhibits higher efficiency in communication and computation. Specifically, the proposed scheme reduces computational overheads by approximately 30% and communication overheads by approximately 20% in practical working environments. These quantitative improvements highlight the scheme’s promising application prospects and practical value.
... However, Yuan [39] pointed out that the scheme [28] failed to fulfil its purported security claims. Subsequently, Rastegari et al. [40] discovered a critical flaw in the scheme and proposed a revised CLSC scheme, but Lin [41] analyzed it and concluded that the scheme [40] was insecure. Therefore, how to propose a secure certificateless signcryption scheme under the standard model remains an open question. ...
... In this section, we delve into a comprehensive evaluation of our scheme's security properties, functionalities, computational expenses, and storage costs. Additionally, we compare its performance with the schemes presented in [28, 30, 32, 40, 46, 49, 50, 51]. ...
Article
A Wireless Body Area Network (WBAN), introduced into the healthcare sector to improve patient care and enhance the efficiency of medical services, also brings the risk of the leakage of patients’ privacy. Therefore, maintaining the communication security of patients’ data has never been more important. However, WBAN faces issues such as open medium channels, resource constraints, and lack of infrastructure, which makes the task of designing a secure and economical communication scheme suitable for WBAN particularly challenging. Signcryption has garnered attention as a solution suitable for resource-constrained devices, offering a combination of authentication and confidentiality with low computational demands. Although the advantages offered by existing certificateless signcryption schemes are notable, most of them only have proven security within the random oracle model (ROM), lack public ciphertext authenticity, and have high computational overheads. To overcome these issues, we propose a certificateless anonymous signcryption (CL-ASC) scheme suitable for WBAN, featuring anonymity of the signcrypter, public verifiability, and public ciphertext authenticity. We prove its security in the standard model, including indistinguishability, unforgeability, anonymity of the signcrypter, and identity identifiability, and demonstrate its superiority over relevant schemes in terms of security, computational overheads, and storage costs.
... Based on the results in [8], [14], we set |G| ≅ |G_T| ≅ 1024 bits and q = 160 bits. The communication overhead for the schemes [10], [11], [12], [13] relative to ours is shown in Table III. ...
... To show the efficiency of the proposed signcryption scheme relative to other related schemes, we perform computation analysis with the recent certificateless signcryption schemes: [10], [11], [12], [13]. For this purpose, we performed the experiments on Windows Operating System desktop computer with 2.0GHz, Intel Core i7, and 8GB RAM 1600 MHz DDR3 specifications. ...
... The rest of the schemes are based on bilinear pairing and therefore have high computation costs. Our scheme is 89.80%, 96.19%, 93.34% and 93.88% better than the schemes in [10], [11], [12] and [13], respectively. ...
Article
Traditional power grids have been the major source of electricity for several households and industries for a number of years. However, with that kind of supply, every member of the grid is affected whenever there is a fault on the transmission line connecting them. With that in mind, microgrids, usually powered by numerous distributed electrical sources, were introduced to curb this problem, and as such, energy users have also become producers themselves. Nonetheless, the generation of power by distributed sources brings about unpredictability on the network and, in essence, problems in energy sharing. Peer-to-peer (P2P) energy trading has several advantages and has been introduced to mitigate energy sharing problems. With networked energy trading comes the issue of trust, as several prosumers are concerned about their privacy and security in such environments. Therefore, this work leverages the advantages of blockchain in proposing a secure energy trading platform for all parties involved. Coupled with certificateless signcryption, an immutable energy trading market is designed, and its use case is applicable in smart cities. A thorough security analysis was performed, and the efficiency of our proposed solution is backed by numerical results.
... In order to overcome the significant error in the construction of Luo and Ma [27] schemes, Rastegari et al. [28] revisited the proposed scheme in 2019. However, the schemes presented in [26-28] are based on the concept of elliptic curve cryptography, which incurs high computational costs. Additionally, the schemes do not meet security requirements such as anonymity. ...
... The proposed scheme is compared, in terms of computational cost, with the relevant existing schemes proposed by Zhou [25], Cao and Ge [26], Luo and Ma [27], Rastegari et al. [28], and Karati et al. [29], as shown in Table 2. The existing schemes utilize exponential operations, pairing, and elliptic curve point multiplication, which are costlier options. ...
Article
Internet of Vehicles (IoV) is a specialized breed of Vehicular Ad-hoc Networks (VANETs) in which each entity of the system can be connected to the internet. In the provision of potentially vital services, IoV transmits a large amount of confidential data through networks, posing various security and privacy concerns. Moreover, the possibility of cyber-attacks is comparatively higher when data transmission takes place more frequently through various nodes of IoV systems. It is a serious concern for vehicle users, which can sometimes lead to life-threatening situations. The primary security issue in the provision of secure communication services for vehicles is to ensure the credibility of the transmitted message on an open wireless channel. Then, receiver anonymity is another important issue, i.e., only the sender knows the identities of the receivers. To guarantee these security requirements, in this research work, we propose an anonymous certificateless signcryption scheme for IoV on the basis of the Hyperelliptic Curve (HEC). The proposed scheme guarantees formal security analysis under the Random Oracle Model (ROM) for confidentiality, unforgeability, and receiver anonymity. The findings show that the proposed scheme promises better security and reduces the costs of computation and communication.
... In 1997, Zheng presented the first signcryption concept that simultaneously fulfilled the functions of both the digital signature and public key encryption in a logical single step and achieved significantly lower costs than those required by "signature followed by encryption" [1]. Since then, there have been increasingly more signcryption schemes formed using either traditional public key infrastructure-(PKI-) based [1, 2], identity-based [3-7], or certificateless-based [8-17] digital signatures. ...
... Furthermore, the KGC's public key and the signer's public key are involved in the unsigncryption phase and the authentication of the public keys is necessary. It is obvious that the certificateless signcryption schemes in Ref. [13,16,17], to name a few, cannot avoid the high maintenance cost of TTP. ...
... The total computational cost required in the proposed scheme is (5T_M + 2T_i + 2T_H) ≈ 214.2 t_m. Table 2 shows that the computational cost of the proposed BaaCA-based signcryption scheme is nearly 49% that of Malone-Lee [5], 57% that of Karati et al. [4], 17% that of Zhou et al. [13], 71% that of Karati et al. [16], 22% that of Rastegari et al. [17], and 88% that of ECDSA + ECC. Figure 4 shows the computational overhead during signcryption and unsigncryption among the proposed scheme and the related works. ...
Article
Although encryption and signatures have been two fundamental technologies for cryptosystems, they still receive considerable attention in academia due to the focus on reducing computational costs and communication overhead. In the past decade, applying certificateless signcryption schemes to solve the higher cost of maintaining the certificate chain issued by a certificate authority (CA) has been studied. With the recent increase in the interest in blockchains, signcryption is being revisited as a new possibility. The concepts of a blockchain as a CA and a transaction as a certificate proposed in this paper aim to use a blockchain without CAs or a trusted third party (TTP). The proposed provably secure signcryption scheme implements a designated recipient beforehand such that a sender can cryptographically facilitate the interoperation on the blockchain information with the designated recipient. Thus, the proposed scheme benefits from the following advantages: (1) it removes the high maintenance cost from involving CAs or a TTP, (2) it seamlessly integrates with blockchains, and (3) it provides confidential transactions. This paper also presents the theoretical security analysis and assesses the performance via the simulation results. Upon evaluating the operational cost in real currency based on Ethereum, the experimental results demonstrate that the proposed scheme only requires a small cost as a fee.
... Besides, it considers the secure channel to distribute the users' partial private keys. Recently, Rastegari et al. [22] designed a novel pairing-based CLSC. Although the scheme proved its security against DBDHE-Set assumption, it considered secure channel overhead. ...
... It can be observed that the proposed Pf-CLSC scheme requires 220.08 times t m operations. Overall, the proposed scheme is approximately 85.30% of Selvi et al. [5], 36.20% of Liu et al. [6], 31.57% of Zhou et al. [14], 70.63% of Karati et al. [21], 67.14% of Yu-Yang [18], and 22% of Rastegari et al. [22]. Besides, a pictorial overview of costs incurred during the signcryption and unsigncryption processes of several schemes is mentioned in Fig. 3, where the former one shows the individual overhead for a single message, and the latter one depicts the total overhead by varying the number of messages. ...
... Operation-wise cost comparisons of related schemes (columns: signcryption cost, unsigncryption cost, total cost, ciphertext size):
Zhou et al. [14]:       th + 2ta + 4ts + 2tH + tp | ta + ts + 2tH + 5tp | th + 3ta + 5ts + 4tH + 5tp ≈ 697.36 tm | 2|Gq| + |Z*q|
Yu and Yang [18]:       2th + t−1 + 6te + tH | 2th + 2t−1 + 5te + tH | 4th + 3t−1 + 11te + 2tH ≈ 327.80 tm | (size not given)
Rastegari et al. [22]:  th + 4te + 2tp | th + 2te + 8tp | 2th + 6te + 10tp ≈ 998.00 tm | 4|Gq| + |GTq| ...
Article
Signcryption is one of the recent public key paradigms that satisfies both the requirement of authenticity and confidentiality of messages between parties. However, most of the existing schemes use secure channel communication while distributing the partial private keys to the users in the network. However, it is not always efficient to establish a secure channel during the interaction between entities. To address this issue, this paper aims to present a new certificateless signcryption scheme that does not consider secure channel communication. The proposed scheme is designed without considering the high-computation bilinear pairing and map-to-point (MTP) hash function. The scheme can be shown secure in the random oracle model based on the infeasibility of the elliptic curve discrete logarithm problem (ECDLP). Performance analysis demands better acceptability than other existing ones.
... Luo et al. [9] proposed an effective CLSC scheme based on DBDH and CDH assumptions under the standard model. However, Yuan [10] indicated that the scheme [9] does not capture indistinguishability and unforgeability, and in 2019, Rastegari et al. [11] pointed out that there are significant vulnerabilities in Luo et al.'s scheme and proposed a fresh CLSC scheme that could implement KSSTIS CLSC, but Lin et al. [12] pointed out that the newly proposed scheme in [11] is insecure. ...
Article
Recently, Kasyoka et al. (Wirel Pers Commun 118:3349–3366, 2021) presented a new pairing-free certificateless signcryption scheme for use in ubiquitous healthcare systems. Kasyoka et al. gave a formal security proof for indistinguishability against adaptive chosen ciphertext attack and unforgeability against adaptive chosen message attack for their scheme in the random oracle model. In this paper, we give a cryptographic analysis and the results show that, in their newly proposed scheme, internal users can forge the signcryption ciphertext sent to them. More seriously, Kasyoka et al.’s scheme cannot resist public key replacement attack. Any user can forge or unsigncrypt a signcryption ciphertext by launching a public key replacement attack without knowing the partial private key. Therefore, Kasyoka et al.’s scheme is not safe for use in ubiquitous healthcare systems.
... However, it was later found to be vulnerable to public key replacement attacks so that it loses both confidentiality and unforgeability [27]. In response to these attacks and limitations of the existing CLSC solutions, Rastegari et al. [28] proposed a practical scheme under the standard model that can withstand known session-specific temporary information attacks. ...
... We provide a comparison of characteristics of the proposed LR-CLSC scheme with the existing CLSC scheme [28] and two LR-CLSC schemes [36], [37]. Table 2 lists the comparisons under three situations, namely, allowing entity secret key to be leaked, allowing system secret key to be leaked and leakage model. ...
Article
Signature can be used to verify the integrity of both a message and the identity of a signer, whereas encryption can be used to ensure the confidentiality of a message. In the past, cryptography researchers have studied and proposed numerous certificateless signcryption (CLSC) schemes to combine the benefits of both signature and encryption. However, these schemes may not be robust enough to withstand side-channel attacks. Through such attacks, an attacker can constantly retrieve a portion of a private key of the system, and could eventually recover the entire private key. Leakage-resilient certificateless signcryption (LR-CLSC) can ensure its security when the attacker launches such attacks. As far as we know, the existing LR-CLSC schemes can only guarantee the security under a bounded leakage model, where the portion of the private key that an attacker can obtain through side-channel attacks is limited. In this paper, we propose the first LR-CLSC scheme under a continual leakage model. Also, we demonstrate the proposed scheme is secure for the existential unforgeability and the ciphertexts indistinguishability against attackers with side-channel attacking abilities.
... In wireless and mobile networks with limited storage and computing resources, certificateless cryptography has more advantages because of its low dependence on infrastructure and short security parameters. However, while achieving low computational costs, many certificateless schemes proposed in the Internet of things environment [17-23] cannot simultaneously provide provable security. Kumar et al. [17] claimed that their newly proposed certificateless aggregate signature scheme is secure against both types of attackers. ...
... Zhan and Wang [24] proved that an attacker could forge a valid signature and valid aggregate signature. Lin et al. [25] pointed out that the certificateless signcryption (CL-SC) scheme proposed by Rastegari et al. [18] is insecure. Zhan et al. [26] analyzed a pairing-free CLAS scheme proposed in [20] and pointed out that the scheme is insecure. ...
Article
In wireless and mobile networks with limited storage and computing resources, certificateless cryptography has more advantages because of its low dependence on infrastructure and short security parameters. Recently, Gong et al. and Karati et al., respectively, proposed a new certificateless scheme in the Internet of Things environment, one of which is a certificateless hybrid signcryption scheme, and the other’s basis is a certificateless encryption scheme. Gong et al. and Karati et al. gave the formal security proof for their schemes, respectively. In this article, the attack algorithms against these two schemes are presented separately, thus proving that their schemes are insecure and not suitable for the Internet of Things environment.
... The authors pointed out that the majority of signcryption methods in the base model lacked the capability to carry out this particular security feature. Recent research by Rastegari et al. [31] has uncovered a major flaw in the design of the certificateless signcryption system disclosed by Luo and Wan [30]. Given this glaring need, Luo and Wan [30] presented a CL-SC method including KSSTIS. ...
Article
Signcryption is a highly efficient approach to simultaneously achieving message confidentiality and authentication in Human-Centered IoT (HC-IoT) systems. HC-IoT is a new field of study that links various aspects of life such as smart cards, business, e-commerce, healthcare, and sensitive private data. A number of intelligent systems favor human intervention to start automated tasks. A number of smart devices have a social effect in that they should be capable of changing their functional model based on the behavior of different humans. It has boosted the development of information exchange over the IoT and enabled networks. It encompasses cellular, vehicular, and human healthcare by utilizing middleware. Currently, group signcryption schemes are gaining widespread popularity in HC-IoT environments. HC-IoT is useful in electronic cash systems, lightweight devices, multi-server networks, and more. However, most signcryption schemes use bilinear pairing that is computationally intensive, and there is a need for more efficient signcryption schemes. In order to solve this issue, this paper introduces an efficient Certificateless Group-oriented Signcryption (CGS) scheme using Quantum Chebyshev Chaotic Maps (QCCM) without employing bilinear pairing. The proposed QCCM-CGS scheme’s standout feature is that any group signcrypter can signcrypt a text/information with the group manager (GM) and then present it to the verifier for verification. By using the public conditions of the group, the verifier approves the validity of the signcrypted text and cannot connect the signcrypted text to the conforming signcrypter. However, a legitimate signcrypted text cannot be generated even by the GM or any signcrypter of that group unaccompanied. In situations where there is a legal disagreement, such as non-repudiation of the signature, the GM can reveal the identity of the signcrypter. The presented scheme is adequately secured from the indistinguishably chosen ciphertext attack. The computationally challenging problem, QCCM, is used as the foundation for the construction of traceability, unforgeability, unlinkability, and security. Lastly, the security review of the projected scheme clearly shows significant consistency, and it can be easily deployed in vulnerable security applications.
... Two types of adversaries are considered to prove the security of our scheme [31]. These requirements on security are described via some games between adversaries (A_I or A_II) and a challenger C. Adversaries can be divided into two cases: one is that the adversary A_I is a malicious user who does not know the system master key s, but can replace the public key of any user; the second type of adversary A_II is a malicious KGC attacker, who knows the master key s but cannot replace any public key. ...
Article
The application of digital signature technology to the Internet of vehicles (IoV) is affected by its network and communication environment. In the 5G era, the influx of a large number of intelligent devices into the mobile Internet requires a low transmission delay and power consumption as well as high-security requirements. To the best of our knowledge, a well-designed solution in which signcryption technology is used has not been proposed in the IoV research area. Motivated by this fact, a certificateless signcryption scheme based on the elliptic curve digital signature algorithm, in which pseudonym and timestamp mechanisms are also considered, has been designed in this paper. We prove that the scheme proposed by us can be reduced to solving the difficulty of the computational Diffie–Hellman problem under the standard model, showing that the scheme meets requirements on both security and efficiency. We also provide a comparative analysis with the state-of-the-art schemes in terms of security analysis, computational cost, and communication cost, demonstrating that the scheme proposed by us is suitable to be deployed in the IoV environment, which is characterized by high-speed vehicle movement.
... Remarkably, the authors pointed out that most existing signcryption techniques in the standard model could not provide this level of security. Similarly, Rastegari et al. [22] examined the certificateless signcryption technique projected by Luo and Wan [21] and discovered a fundamental flaw in the construction of the scheme. In order to fill the gap in Luo and Wan, a CLSC scheme with KSSTIS was suggested in [21]. ...
Article
In recent years, there has been a lot of research interest in analyzing chaotic constructions and their associated cryptographic structures. Compared with the essential combination of encryption and signature, the signcryption scheme has a more realistic solution for achieving message confidentiality and authentication simultaneously. However, the security of a signcryption scheme is questionable when deployed in modern safety-critical systems, especially as billions of sensitive user information is transmitted over open communication channels. In order to address this problem, a lightweight, provably secure certificateless technique that uses Fractional Chaotic Maps (FCM) for group-oriented signcryption (CGST) is proposed. The main feature of the CGST-FCM technique is that any group signcrypter may encrypt data/information with the group manager (GM) and have it sent to the verifier seamlessly. This implies the legitimacy of the signcrypted information/data is verifiable using the public conditions of the group, but they cannot link it to the conforming signcrypter. In this scenario, valid signcrypted information/data cannot be produced by the GM or any signcrypter in that category alone. However, the GM is allowed to reveal the identity of the signcrypter when there is a legal conflict to restrict repudiation of the signature. Generally, the CGST-FCM technique is protected from the indistinguishably chosen ciphertext attack (IND-CCA). Additionally, the computationally difficult Diffie-Hellman (DH) problems have been used to build unlinkability, untraceability, unforgeability, and robustness of the projected CGST-FCM scheme. Finally, the security investigation of the presented CGST-FCM technique shows appreciable consistency and high efficiency when applied in real-time security applications.
... To prove the security of our scheme, two types of adversaries are considered [28]. These security requirements are described via some games between an adversary (A_I or A_II) and a challenger C. Adversaries can be divided into two cases: one is that the adversary A_I is a malicious user attacker. ...
Preprint
The application of digital signature technology on the Internet of Vehicles (IoV) is affected by its network and communication environment, which requires low transmission delay, low power consumption, and high security. To the best of our knowledge, a well-designed solution that uses signcryption technology has not been proposed in the IoV research area. Motivated by this fact, a certificateless signcryption scheme based on the Elliptic Curve Digital Signature Algorithm, which also considers pseudonym and timestamp mechanisms, has been designed in this paper. We prove that our proposed scheme can be reduced to solving the difficulty of the Computational Diffie-Hellman problem under the standard model, show that the scheme meets both security and efficiency requirements, and provide a comparative analysis with the state-of-the-art schemes in terms of security analysis, computational cost, and communication cost, demonstrating that our proposed scheme is suitable to be deployed in the IoV environment.
... In recent years, public-key cryptosystems are fast gaining widespread popularity in guaranteeing message confidentiality, non-repudiation, and more. Firstly, the message that has the private key of the sender is signed, and the message signature pair is encrypted using a temporal session key [10,11]. Consequently, the receiver's public key can be used to encrypt the session key before transmission, and the session key retrieved by the receiver recovers sent messages using his private key. ...
Article
Signcryption schemes leveraging chaotic constructions have garnered significant research interest in recent years. These schemes have proffered practical solutions towards addressing the vast security vulnerabilities in Electronic Cash Systems (ECS). The schemes can seamlessly perform message confidentiality and authentication simultaneously. Still, their applications in emerging electronic cash platforms require a higher degree of complexity in design and robustness, especially as billions of online transactions are conducted globally. Consequently, several security issues arise from using open wireless channels for online business transactions. In order to guarantee the security of user information over these safety-limited channels, sophisticated security schemes are solely desired. However, the existing signcryption schemes cannot provide the required confidentiality and authentication for user information on these online platforms. Therefore, the need for certificateless group signcryption schemes (CGSS) becomes imperative. This paper presents an efficient electronic cash system based on CGSS using conformable chaotic maps (CCM). In our design, any group signcrypter would encrypt information/data with the group manager (GM) and send it to the verifier, who confirms the authenticity of the signcrypted information/data using the public criteria of the group. Additionally, the traceability, unforgeability, unlinkability, and robust security of the proposed CGSS-CCM ECS scheme have been built leveraging computationally difficult problems. Performance evaluation of the proposed CGSS-CCM ECS scheme shows that it is secure from the Indistinguishably Chosen Ciphertext Attack. Finally, the security analysis of the proposed technique shows high efficiency in security-vulnerable applications. Overall, the scheme gave superior security features compared to the existing methods in the preliminaries.
... Recently, Rastegari et al. [7] proposed a new CL-SC scheme in the standard model. They claimed that their scheme is the first secure CL-SC scheme with KSSTIS in the standard model. ...
Article
Rastegari et al. recently proposed a certificateless signcryption (CL-SC) scheme. They claimed that their scheme is the first secure CL-SC scheme, which captures the known session-specific temporary information security (KSSTIS), in the standard model. In this paper, we point out that their scheme is insecure, which implies that how to construct a secure CL-SC scheme with KSSTIS in the standard model is still an open problem.
Article
The Internet of Medical Things (IoMT) builds a bridge between patients and doctors, facilitating patients’ being diagnosed and monitored by uploading physiological indicators without visiting the hospital. However, physiological indicators are sensitive data of patients, making it a challenge to achieve verifiability of data sources while ensuring data privacy during data transmission of IoMT. Due to its ease of deployment and the ability to provide both encryption and signature, CertificateLess SignCryption (CLSC) is suitable for designing secure data-transfer protocol in IoMT. Nevertheless, internal adversaries “malicious users” and “malicious KGC”, capable of launching Type I and Type II attacks, threaten the security of present CLSC schemes, making most of them insecure. In this work, after giving an example of a recent CLSC scheme suffering Type I attack, we propose an efficient pairing-free CLSC scheme suitable for secure data transmission in IoMT based on the idea of zero-knowledge proof. It not only provides confidentiality and unforgeability of transmitted data under the Type I and Type II attacks, but also achieves lower computational and communication overhead, and public verifiability. Finally, compared with the five recent CLSC schemes, theoretical analysis and experimental testing results show that the proposed scheme outperforms the other five schemes in terms of computation and communication costs as well as security. Therefore, our scheme is better suited for constructing secure data transmission in IoMT scenarios.
Article
In healthcare wireless sensor networks (HWSNs), wireless sensors are placed on the patient, which collect the patient’s vital signs parameters and various environmental information, and send these data to the doctor, so that the doctor is able to perform real-time remote monitoring for the patient. The patient’s vital signs parameters contain a lot of private information. It is very likely to cause the leakage of the patient’s private information if these parameters are transmitted through the public channel. In addition, many patients don’t want doctors to know their true identity. We designed a certificateless anonymous signcryption (CL-ASC) scheme for HWSNs in this paper. It encrypts the patient’s vital signs parameters, authenticates the legitimacy of the sensor, and realizes the anonymity of the sensor. We then showed the security proofs of the new scheme in the standard model. Finally, we compared the performance of the six schemes. Since only three pairing operations are used, the new scheme enjoys higher computation efficiency and is suitable for HWSNs.
Article
The Internet of Medical Things (IoMT), which integrates medical sensors with Internet of things, is helpful for providing remote diagnosis and real-time decision making. Massive data collected by medical and healthcare monitoring sensors in the IoMT involves sensitive patient information. It brings some security challenges to validate the legitimacy of participating entities and protect patient data privacy. A certificateless signcryption (CLSC) scheme combines encryption and signature that can offer authenticity, confidentiality and unforgeability, providing a viable solution to the data privacy issue of the IoMT. However, existing CLSC schemes fail to meet confidentiality or unforgeability, or require expensive computation overhead to perform pairing operations. The paper first presents a new CLSC scheme for secure data transmissions and better smart services in IoMT, which replaces the signature part with the Schnorr signature. We then give a thorough security proof under the random oracle model. Besides, we elaborately evaluate the performance and security of some existing solutions with our solution. Finally, the experiment results indicate that our solution can achieve a better balance between security and performance than some existing schemes. Therefore, in terms of feasibility, our scheme is more suitable for the IoMT scenario.
Article
The emergence of edge computing makes it possible to realize new technologies such as virtual reality and augmented reality. However, a large number of devices and more messages at the edge bring more security problems. Therefore, it is an important research topic to provide users with faster network services while ensuring confidentiality and authentication of data transmission. Because signcryption can encrypt and sign messages at the same time, it has become a new cryptographic primitive. In the meantime, certificateless signcryption guarantees data confidentiality and authentication and addresses traditional single point failure problems based on the trust center and the problem of relying on a trusted third party. Therefore, certificateless signcryption has attracted great attention from academia and industry. But certificateless signcryption also faces two types of attacks. In order to more effectively resist these two types of attacks, we propose a certificateless signcryption mechanism based on blockchain. This mechanism can make good use of the nontamperable feature of blockchain, prevent illegal users from substituting public key of the user, and guarantee signature non-repudiation. And our scheme is investigated in a comparative study with eight schemes. Comparative analysis outcomes demonstrate our scheme has achieved better results in efficiency and security. The process of signcryption and unsigncryption consumes the least amount of computation, which is very suitable for the edge computing environment.
Article
Certificateless public key cryptography (CL-PKC) overcomes the difficulties of the certificate managements in traditional public key infrastructure (PKI) and the key escrow problem in ID-Based public key cryptography (ID-PKC), concurrently. In 2018, Tseng et al. proposed a certificateless signature (CLS) scheme and claimed that their proposal is the first scheme which satisfies the security against the level-3 KGC (according to Girault’s three categorizations of the honesty level of a trusted third party (TTP) which is proposed in 1991), in the standard model. However, we will show that unfortunately their scheme is even vulnerable against a malicious KGC. Afterwards, we will improve their scheme to be robust against the proposed attack. Finally, we will propose a CLS scheme secure against the level-3 KGC in the standard model, based on Yuan and Wang’s CLS scheme. We will show that our proposal not only satisfies the level-3 security as well as the basic security requirements of a CLS scheme in the standard model, but also is more efficient than the previous works in the sense of computation and communication costs.
Article
Signcryption is a cryptographic primitive which performs message encryption and signature in a single logical step. Certificateless public key cryptography successfully resolves the problem of certificate management in traditional public key cryptography and the key escrow problem in identity-based public key cryptography. Lots of efficient certificateless signcryption schemes have been proposed, most of which are proved secure under the random oracle model. But when applied in practical situations, the random oracle model will cause many security problems due to its own defects. Nowadays, more and more people pay attention to the standard model, which provides stronger security. In this paper, we present an efficient certificateless signcryption scheme that is provably secure in the standard model. Under the Decisional Bilinear Diffie–Hellman and Computational Diffie–Hellman hard problems, our scheme satisfies indistinguishability against adaptive chosen ciphertext attack and existential unforgeability against adaptive chosen message attack. Moreover, our scheme satisfies known session-specific temporary information security, which most signcryption schemes in the standard model cannot achieve. Compared with other signcryption schemes, our scheme achieves shorter ciphertext length, better performance efficiency and stronger security.
Article
Signcryption can realize encryption and signature simultaneously with lower computational costs and communicational overheads than those of the traditional sign-then-encrypt approach. Certificateless cryptosystem solves the key escrow problem in the identity-based cryptosystem and simplifies the public key management in the traditional public key cryptosystem. There have been some certificateless signcryption schemes proposed in the standard model up to now, but all of them are just proposed in a weaker Type I security model, which is weaker than the original security model of Barbosa and Farshim, who proposed the first certificateless signcryption scheme. In this paper, we propose a certificateless signcryption scheme in the standard model by using bilinear pairings, which is Type I secure in the original security model of Barbosa and Farshim and can resist the malicious-but-passive key generation center Type II attack. The proposed scheme is proved confidential assuming the modified decisional bilinear Diffie–Hellman (M-DBDH) problem is hard, and unforgeable assuming the square computational Diffie–Hellman (Squ-CDH) problem is hard. At last, we evaluate its efficiency which shows it is of high efficiency.
Article
We take a formal look at the relationship between the security of cryptographic schemes in the Random Oracle Model, and the security of the schemes which result from implementing the random oracle by so-called "cryptographic hash functions". The main result of this paper is a negative one: there exist signature and encryption schemes which are secure in the Random Oracle Model, but for which any implementation of the random oracle results in insecure schemes. In the process of devising the above schemes, we consider possible definitions for the notion of a "good implementation" of a random oracle, pointing out limitations and challenges. Keywords: Cryptography (Encryption and Signature Schemes) and Complexity Theory (use of CS-Proofs).
Article
The purpose of broadcast signcryption is to enable the broadcaster to perform signature and encryption on broadcast messages in a single logical step for a specific set of users. Recently, several broadcast signcryption schemes have been proposed. However, we find that the computation costs of almost all broadcast signcryption schemes proposed so far depend on the number of receivers, which is unacceptable for broadcast system devices with low computational capabilities in large wireless networks. Moreover, most of these schemes do not satisfy trusted authority forward secrecy and trusted authority unforgeability. In this paper, we define the generic model and security model of certificateless broadcast signcryption, and we also propose a more efficient and secure broadcast signcryption scheme using certificateless public-key cryptography. Our scheme does not have the above shortcomings and eliminates the problems of certificate management and key escrow.
Article
The signcryption scheme should withstand various leakage attacks in practical applications. This paper presents a new leakage-resilient certificateless signcryption (LR-CLSC) scheme without bilinear pairing. The security of this scheme is based on the computational Diffie–Hellman (CDH) assumption and the discrete logarithm (DL) problem. Considering the computational costs, our proposed method is more efficient than traditional certificateless signcryption schemes and has a short ciphertext length and high security. In the random oracle model, the proposed approach is semantically secure against adaptive posteriori chosen-ciphertext key-leakage attacks (IND-KL-CCA2) according to the hardness of the CDH assumption, and existentially unforgeable against chosen-message key-leakage attacks (EUF-KL-CMA) according to the hardness of the DL problem. Furthermore, it maintains the original security under the condition that the adversary learns a small amount of leakage information about the secret key through side-channel attacks. The key leakage parameter and message length are subject to . Given that a dependence between and is undesirable, a new variant that is also secure against IND-KL-CCA2 and EUF-KL-CMA is presented. With a leakage-resilient length of up to , the leakage parameter has a constant size which is independent of the message length . Our proposed method is the first LR-CLSC scheme with an independent leakage parameter and it can be applied to the mobile internet.
Article
Signcryption is a cryptographic primitive which can offer simultaneously security requirements of confidentiality and authentication, and is more efficient than the traditional sign-then-encrypt way. Recently, Liu et al. proposed the first certificateless signcryption scheme in the standard model. However, their scheme is proved to have some security weaknesses. In this paper, we propose a corrected version of Liu et al.'s scheme and prove our scheme is indistinguishable against adaptive chosen ciphertext attacks and is existentially unforgeable against chosen message attacks in the standard model. Performance analysis shows the new scheme has smaller public parameter size than the previous certificateless signcryption schemes without using the random oracles.
Article
Biometric signcryption enables a user to use his biometric information as the identity to fulfil the functions of encryption and digital signature simultaneously, and it provides better overall security and performance. However, almost all biometric signcryption schemes that have been proposed in the literature do not satisfy forward secrecy, known session-specific temporary information security and public verifiability with confidentiality; they also have the certificate management complexity or key escrow issues which are inherent in traditional public key and identity-based cryptography respectively. In order to solve these problems, a novel biometric signcryption using certificateless public key cryptography is introduced, the formal definition and security notion of biometric certificateless signcryption (BCSC) are presented, and a concrete BCSC scheme is also proposed in this paper. The proposed scheme eliminates the above security shortcomings and does not have the certificate management complexity and key escrow issue, by exploiting certificateless public key cryptography. Moreover, the proposed scheme only requires one bilinear pairing operation, which makes it applicable to resource-constrained communication devices and communication networks with high security requirements.
Article
Certificateless cryptography is an attractive paradigm, which combines the advantages of identity-based cryptography (without certificate) and traditional public key cryptography (no escrow). Recently, to solve the drawbacks of the existing certificateless signature (CL-S) schemes without random oracles, Yu et al. proposed a new CL-S scheme, which possesses several merits including shorter system parameters and higher computational efficiency than the previous schemes. However, in this work, we will point out that their CL-S scheme is insecure against key replacement attack and malicious-but-passive KGC attack. We further propose an improved scheme that overcomes the security flaws without affecting the merits of the original scheme. We prove that our scheme is existentially unforgeable against adaptive chosen message attacks under the computational Diffie-Hellman assumption in the standard model.
Article
It would be interesting if a signcryption scheme in the standard model could be made certificateless. One of the interesting attempts is due to Liu et al. [Z. Liu, Y. Hu, X. Zhang, H. Ma, Certificateless signcryption scheme in the standard model, Information Sciences 180 (3) (2010) 452–464]. In this paper, we provide a cryptanalysis on this scheme by depicting two kinds of subtle public key replacement attacks against it. Our analysis reveals that it does not meet the basic requirements of confidentiality and non-repudiation.
Article
The “hash–sign–switch” paradigm was first proposed by Shamir and Tauman with the aim of designing an efficient on-line/off-line signature scheme. Nonetheless, all existing on-line/off-line signature schemes based on this paradigm suffer from the key exposure problem of chameleon hashing. To avoid this problem, the signer should pre-compute and store plenty of different chameleon hash values and the corresponding signatures on the hash values in the off-line phase, and send the collision and the signature for a certain hash value in the on-line phase. Hence, the computation and storage cost for the off-line phase and the communication cost for the on-line phase in Shamir–Tauman’s signature scheme still incur somewhat more overhead. In this paper, we first introduce a special double-trapdoor hash family based on the discrete logarithm assumption and then incorporate it to construct a more efficient generic on-line/off-line signature scheme without key exposure. Furthermore, we also present the first key-exposure-free generic on-line/off-line threshold signature scheme without a trusted dealer. Additionally, we prove that the proposed schemes achieve the desired security requirements.
Article
The certificateless public key signcryption scheme is an important cryptographic primitive in cryptography. Barbosa and Farshim proposed a certificateless signcryption scheme. However, their construction is proven to be secure in the random oracle model but not the standard model, and the scheme is also vulnerable to malicious-but-passive key generation center (KGC) attacks. To overcome these disadvantages, we introduce a formal security model for certificateless signcryption schemes secure against malicious-but-passive KGC attacks and propose a novel certificateless signcryption scheme. The proposed certificateless signcryption scheme is proven to be IND-CCA2 secure under the decisional Bilinear Diffie–Hellman intractability assumption without using random oracles. The proposed scheme is also proven to be existentially unforgeable under the computational Diffie–Hellman intractability assumption. Furthermore, performance analysis shows that the proposed scheme is efficient and practical.
Article
Certificateless signcryption is a useful primitive which simultaneously provides the functionalities of certificateless encryption and certificateless signature. Recently, Liu et al. [15] proposed a new certificateless signcryption scheme, and claimed that their scheme is provably secure without random oracles in a strengthened security model, where the malicious-but-passive KGC attack is considered. Unfortunately, by giving concrete attacks, we indicate that Liu et al. certificateless signcryption scheme is not secure in this strengthened security model.
An efficient certificateless signcryption scheme in the standard model
  • Rastegari