Generalized Hierarchical Identity-Based Signcryption

1078 JOURNAL OF COMPUTERS, VOL. 5, NO. 7, JULY 2010

Hao Wang School of computer science and technology, Shandong University, Jinan, China Email: [email protected]

Qiuliang Xu1 and Xiufeng Zhao1,2 1 School of computer science and technology, Shandong University, Jinan, China 2 Institute of Electronic Technology, Information Engineering University, Zhengzhou, China Email: [email protected], [email protected]

Abstract—In this paper, we propose a generic method to allows delegation as above is called Hierarchical Identity- construct Hierarchical Identity-Based Signcryption scheme. Based Encryption (HIBE). In HIBE, messages are Using this method, a Hierarchical Identity-Based Sign- encrypted for identity-vectors, representing nodes in the cryption scheme can be converted from any Hierarchical identity hierarchy. This concept was introduced by Identity-Based Encryption scheme. Then, we give a concrete Horwitz and Lynn [9], who also described a partial instantiation, which is the first constant-size fully secure solution to it, and the first fully functional HIBE system hierarchical identity-based signcryption scheme in the standard model. Furthermore, our scheme can achieve was described by Gentry and Silverberg [10]. CCA2 security level without using any additional crypto- In many situations we want to enjoy confidentiality, graphy primitive. authenticity and non-repudiation of message simulta- neously. The general IBE (HIBE) can not guarantee the Index Terms—hierarchical identity-based signcryption, fully authenticity and non-repudiation. A traditional method to secure, constant-size ciphertext, composite order bilinear solve this problem is to digitally sign a message then group followed by an encryption (signature-then-encryption) that can have two problems: low efficiency and high cost of such summation, and the case that any arbitrary I. INTRODUCTION scheme cannot guarantee the security. Signcryption is a Identity-Based Encryption (IBE) is a public-key relatively cryptographic technique that is supposed to encryption scheme where one’s public key can be freely fulfill the functionalities of digital signature and set to any value (such as one’s identity): An authority that encryption in a single logical step and can effectively holds a master secret key can take any arbitrary identifier decrease the computational costs and communication and extract a secret key corresponding to this identifier. overheads in comparison with the traditional signature- Anyone can then encrypt messages using the identifier as then-encryption schemes. The first signcryption scheme a public encryption key, and only the holder of the was introduced by Yuliang Zheng in 1997 [18]. Zheng corresponding secret key can decrypt these messages. also proposed an elliptic curve-based signcryption This concept was introduced by Shamir [13], a partial scheme that saves 58% of computational and 40% of solution was proposed by Maurer and Yacobi [14], and communication costs when it is compared with the the first fully functional IBE systems were described by traditional elliptic curve-based signature-then-encryption Boneh and Franklin [1] and Cocks [4]. schemes [19]. There are also many other signcryption IBE system can greatly simplify the public-key schemes that are proposed throughout the years, each of infrastructure for encryption solutions, but they are still them having its own problems and limitations, while they not as general as one would like. Many organizations are offering different level of security services and have a hierarchical structure, perhaps with one central computational costs. authority, several sub-authorities and sub-sub-authorities By combining identity-based cryptology and sign- and many individual users, each belonging to a small part cryption, Malone-Lee [20] proposed the first identity- of the organization tree. We would like to have a solution based signcryption (IBSC) scheme along with a security where each authority can delegate keys to its sub- model. But Libert and Quisquater [21] pointed out that authorities, who in turn can keep delegating keys further Malone-Lee’s scheme is not semantically secure. Then, down the hierarchy to the users. An IBE system that Chow et al. [22] proposed an identity-based signcryption scheme that can provide both public verifiability and forward security. In 2003, Boyen [23] proposed an Manuscript received Dec. 30, 2009; accepted Mar. 1, 2010. anonymity identity-based signcryption scheme in the Corresponding author: Qiuliang Xu, [email protected] random oracle model. Then, Chen and Malone-Lee improved Boyen’s scheme in efficient [24]. In 2009, Yu

r et al. [25] proposed the first identity-based signcryption ciphertext was an encryption to an identity vector I and scheme without random oracles. Similar to IBSC, Chow the secret key is for the same identity vector. et al. [7] proposed the concept of hierarchical identity- Notice that the decryption algorithm is only required to based signcryption (HIBSC) by combining HIBS and work when the identity vector for the ciphertext matches HIBE. Then, Yuen and Wei proposed the first constant- the secret key exactly. However, someone who has a size HIBSC without random oracles [17], but they used secret key for a prefix of this identity vector can delegate an interactive intractability assumption and selective-id to themselves the required secret key and also decrypt. model in their reductionist security proof. It is an open problem to avoid these assumption and model. B. Hierarchical Identity Based Signcryption Our contribution In this paper, we give a generic A Hierarchical Identity Based Encryption scheme has method to construct HIBSC scheme. Using this method, a five algorithms: Setup, KeyGen, Delegate, Signcrypt, HIBSC scheme can be converted from any HIBE scheme. and Unsigncrypt. Then, we give a concrete instantiation from the constant- The Setup, KeyGen and Delegate algorithms are same size fully secure HIBE scheme introduced by Lewko et al. as those in the HIBE system. We describe the Signcrypt [11]. Our HIBSC scheme is the first constant-size fully and Unsigncrypt algorithms as follow: r r secure hierarchical identity-based signcryption scheme in Signcrypt(,,,,)PK I I SK M→ SCT The signcryption the standard model. Furthermore, our scheme can achieve SR S algorithm takes the public parameters PK , a message CCA2 security level without using any additional crypto- M , the identity and secret key of sender, the identity of graphy primitive. receiver as input and outputs a ciphertext SCT = (,C σ ). Organization In Section 2, we formally define the r HIBE system and the HIBSC system, give the complete Unsigncrypt(,PK SCT ,,) ISR SK→ M The unsigncrypt security definition, and give an introduction of composite algorithm takes the public parameters PK , a ciphertext order bilinear groups. In Section 3, we present our SCT , the identity of sender, the secret key of receiver as method for converting a HIBE scheme into HIBSC input and outputs M if σ is valid corresponding to M . scheme, and prove the security of the HIBSC scheme in Otherwise, it outputs the symbol ⊥ . Section 4. In Section 5, we give a concrete instantiation which is fully secure with constant-size ciphertexts. In C. Security Definition for HIBSC Section 6, we show how to enhance the security of our The security definition of HIBSC includes two HIBSC, and give a modified HIBSC scheme which can properties: indistinguishability and existential unforge- achieve CCA2 security level without using additional ability. Then, we introduce a stronger property, strong cryptography primitive. In Section 7, we conclude and existential unforgeability discuss open directions for further research. 1) Indistinguishability We define the indistinguishability against adaptive II. BACKGROUND chosen identity and adaptive chosen ciphertext/plaintext attack for HIBSC (IND-ID-CCA2/CPA), as in the A. Hierarchical Identity Based Encryption following game: A Hierarchical Identity Based Encryption scheme has Setup. The challenger will run the Setup algorithm and five algorithms: Setup, KeyGen, Delegate, Encrypt, and gives the public parameters PK to the adversary. Decrypt. The challenger will also initialize a set S = φ , which Setup()λ → PK , MSK The setup algorithm takes a will be the set of private keys it has created, but not given security parameter λ as input and output the public out. parameters PK and a master secret key MSK. Phase 1. The adversary makes repeated queries of one of r five types: KeyGen(,)MSK I→ SK r The key generation algorithm I Create The attacker gives the challenger an identity- r r takes the master secret key and an identity vector I as vector I . The challenger creates a key for the vector, but r input and outputs a private key SKI . does net give it to the adversary. It instead adds the key to

rr the set S and gives the attacker a reference to it. Delegate(,PK SKI ,) I→ SKII: The delegation algorithm r r Delegate The attacker specifies a key SKI in the set takes a secret key for the identity vector I of depth d r and an identity I as input and outputs a secret key for the S for an identity I . Then it gives the challenger an r identity I ' . The challenger runs the Deleagte(,PK SK r , depth d +1 identity vector I : I formed by concatenating I

r r I onto the end of I . I ') algorithm to get a new secret key SK I :'I and adds this r Encrypt(,,)PK M I→ CT The encryption algorithm to the set S . takes the public parameters PK , a message M , and an Reveal The attacker specifies an element of the set S r for a secret key SK . The challenger removes the item identity vector I as input and outputs a ciphertext CT . from the set S and gives the attacker the secret key. We Decrypt(,,)PK CT SK→ M The decryption algorithm note at this point there is no need for the challenger to takes the public parameters PK , a ciphertext CT , and a allow more delegate queries on the key since the attacker secret key SK as input and output the message M , if the can run them itself.

r Strong existential unforgeability against adaptive Signcrypt The attacker specifies sender identity IS , r chosen identity and adaptive chosen plaintext attack receiver identity IR and message M . The challenger (SUF-ID-CPA) is defined using the following game: rr Setup, Queries and Forgery: Same as in the existential runs Signcrypt(,PK ISR,,,I SK S M ), gives the attacker the rr unforgeability game. valid ciphertext SCT corresponding to (,I IM,). SR The adversary A wins if the following holds: r Unsigncrypt The attacker specifies a sender identity I , **r** S M ← Unsigncrypt(,PK SCT ,, ISR SK ), each identity r r a receiver identity IR , and a ciphertext SCT = (,C σ ). vector I given out in the key phase must not be a prefix The challenger will output a message M for a valid σ r* ** of IS and (,M σ ) is not generated during the Signcrypt or will output ⊥ otherwise. query phase. A ’s advantage is the probability that he Challenge. The adversary submits two equal length * * wins. messages M 0 and M1 and challenge identity vectors Definition 3 A hierarchical identity-based Signcryption rr** r scheme is SUF-ID-CPA secure if all polynomial time (,ISRI ) with the restriction that each identity vector I r adversaries have at most a negligible advantage in the given out in the key phase must not be a prefix of I * . R above game. The challenger then flips a random coin β , and rr D. Composite Order Bilinear Groups signcrypts M * under (,I **I ). The resulting ciphertext β SR Composite order bilinear groups were first introduced SCT * is given to the adversary. in [8]. We define them by using a group generator G , an Phase 2. Phase 1 is repeated with the restriction that any algorithm which takes a security parameter λ as input r r* G revealed identity vector I is not a prefix of IR , and and outputs a description of a bilinear group . In our * G SCT is not sent to the Unsigncrypt oracle. case, outputs (,pppGGe123 , ,,T ,) where pp12,,p3

Guess. The adversary output a guess β ' of β . are distinct primes, G and GT are cyclic groups of order 2 The advantage of an adversary A in this game is np= 12p p3, and eG: → GT is map such that: defined as Pr[β '=−β ] 1 2 . We note that the model can ab ab 1.(Bilinear) ∀ g,hG∈ , ab, ∈ Zn , eg(,) h= egh (,) be easily converted to handle chosen-plaintext attacks by 2.(Non-degenerate) ∃ g ∈G such that egg(,) has disallowing the Unsigncrypt queries in Phase 1 and Phase order n in G . 2. T Definition 1 A hierarchical identity-based Signcryption We further require that the group operations in G and scheme is IND-ID-CCA2/CPA secure if all polynomial GT as well as the bilinear map e are computable in time adversary have at most a negligible advantage in the polynomial time with respect to λ . Also, we assume the above game. group descriptions of G and G include generators of 2) Existential Unforgeability T the respective cyclic groups. We let G , G , and G We define the existential unforgeability against p1 p2 p3 adaptive chosen identity and adaptive chosen plaintext denote the subgroups of order p1 , p2 , and p3 in G attack for HIBSC (UF-ID-CPA), as in the following game: respectively. We note that when hG∈ and h∈G Setup. The challenger runs Setup algorithm. It gives the ipi j p j adversary the resulting public key PK and keeps the for ij≠ , eh(,ij h ) is the identity element in GT . To see master secret key MSK to itself. this, suppose hG∈ and hG∈ . We let g denote a Queries. The adversary makes repeated queries of one of 1 p1 2 p2 four types: Create query, Delegate query, Reveal query, generator of G . Then, g pp12 generates G , g p1p3 p3 and Signcrypt query. All the queries are same as those in generates G , and g p23p generates G . Hence, for some the indistinguishability game. p2 p1 ** pp23 α1 pp13 α2 Forgery. The adversary outputs a tuple ((SCT= C , α1 , α2 , hg1 = () and hg2 = (). We note: ***rr I I A pp231αα pp 132 α1 p32α ppp 123 σ ),SR , ) . The adversary wins if the following eh(,12 h )= eg ( , g )== eg ( , g ) 1 **r**This orthogonality property of G , G , G will be a holds: M ← Unsigncrypt(,PK SCT, ISR,)SK , each p1 p2 p3 r identity vector I given out in the key phase must not be principal tool in our constructions. r a prefix of I * and M * is not queried during the S III. CONVERT HIBE INTO HIBSC Signcrypt query phase. A ’s advantage is the probability that he wins. As noted by Boneh [1, Section 6] and formalized in [5], Definition 2 A hierarchical identity-based Signcryption the key derivation of an identity-based encryption scheme scheme is UF-ID-CPA secure if all polynomial time immediately gives rise to a standard signature scheme. adversaries have at most a negligible advantage in the Similarly, Gentry and Silverberg [10] observed that any above game. two-level hierarchical identity-based encryption scheme 3) Strong Existential Unforgeability can be transformed into an IBS scheme. In this section, we gave a similar method for converting any Hierarchical

Identity-Based Encryption scheme into a Hierarchical attack. Relating the success probabilities of these Identity-Based Signcryption. adversaries gives the desired result. We now define First of all, we should choose a hash function, which adversary A ' as follows: can map any element in the message space SPACEM into Setup(λ) outputs (,PK MSK) and A ' is given PK . the identity space SPACEID , H : SPACEM → SPAC EID . Adversary A ' , in turn, run A on input λ and PK . Using this hash function, we can transform a HIBE Phase 1 The adversary A makes repeated queries of one scheme into a HIBSC scheme as follow: of five types: A Hierarchical Identity Based Signcryption scheme Create Once A makes the Create query for an r has five algorithms: Setup, KeyGen, Delegate, identity-vector I , A ' makes the same query. Then the Signcrypt, and Unsigncrypt. r The Setup, KeyGen, Delegate algorithms are same as key for the vector I is created, but isn’t given to A ' . those in the HIBE system (Section 2), and the public Instead the key is added to the set S and a reference to it parameters PK include the hash function H is given to A ' . Then A ' transfers this reference to A . additionally. Delegate A specifies a key SK r in the set S for an rr I Signcrypt(,,,,)PK M I I K→ SCT The signcryption r SR S identity I . Then it makes a Delegate query for an algorithm takes the public parameters PK , a message identity I ' . Then A ' makes the oracle query

M , the identity and secret key of sender, the identity of r r Deleagte(,PK S KI , I ') to add a new secret key SK I :'I to r receiver as input and calculate σ = Delegat e(,PK SKI , S the set S . r r HM())= SKr , C= Encrypt(,PKMI, ). Then, it Reveal A specifies an element I of the set S for a IS :(HM ) R secret key SK r . Then A ' makes the oracle query outputs a ciphertext SCT= (,) C σ , where the Delegate I r r and Encrypt are the delegation and encryption Reveal( I ) to get the secret key SK I , and gives it to A . algorithms of the HIBE scheme. r Signcrypt A specifies sender identity I , receiver Notice that this method for making a signature may S r cause an attack, anybody who knows this signature can identity IR and message M . Then A ' makes the oracle r r r personate the identity IS :()HM . In fact, this attack can r query Reveal(IS )to get SKI (We suppose that IS is be ignored easily. The elements of identity mark with S already in the set S ), calculates σ = Delegate(,PK Tag , and H ()M marks with Tag . Both of these tags ID M r SK rr,(HKM ))= S , C= Encrypt(,PKMI,), and are public verifiability. If and only if all the elements of ISSIHM:( ) R an identity marked with TagID , it is a valid identity. gives the ciphertext SCT = (,C σ ) to A . r Unsigncrypt(,PK SCT ,,) ISR SK→ M The unsigncrypt Unsigncrypt A specifies a ciphertext SCT= (,) C σ , r algorithm takes the public parameters PK , a ciphertext and receiver identity I . Then A ' makes the oracle r R SCT , the identity of sender I , and the secret key of S query Decrypt(,PK C) to get a message M . If the receiver SK as input, and computes M = Decrypt(,PK R signature σ is valid , A ' gives A the message M ,

SCT,) SKR . Then, it verifies whether this equation otherwise a symbol ⊥ . r Challenge. A submits two equal length messages M * , Decrypt(,PK Encrypt (,,:( PK r IS H M )),σ )= r holds, 0 * rr** where rSPACE∈R M , the Decrypt and Encrypt are the M1 and challenge identity vectors (,ISRI ) with the r decryption and encryption algorithms of the HIBE restriction that each identity vector I given out in the scheme. It outputs the symbol ⊥ if the verification fails. r* key phase must not be a prefix of I . A ' makes the Otherwise, it outputs M . R **r* oracle query Challenge(,, M01 M IR) to get a ciphertext IV. SECURITY OF OUR HIBSC C* . Then, A ' makes the oracle queries Deleagte(,PK We prove the security of our HIBSC scheme from * r* SK r* ,(H M ))→ σ and Reveal(: IS HM()) in turn to following two aspects: IS get σ * . A ' gives SCT***= (,) C σ to A . A. Indistinguishability Phase 2. Phase 1 is repeated with the restriction that any Theorem 1 Our HIBSC scheme is IND-sID/ID-CPA r r revealed identity vector I is not a prefix of I * , and C* /CCA security, iff it is converted from a HIBE scheme, R which is secure in the same security model, using our is not sent to the Unsigncrypt oracle. method. Guess. The adversary A outputs a guess β ' of β , then Proof. Without loss of generality, we just proof this gives it to A ' for the guess of A ' . theorem in the IND-ID-CCA2 model. Given any PPT If A has a non-negligible advantage to win the above adversary A attacking our HIBSC in an adaptive game, A ' has a same advantage to win the corresponding chosen-ciphertext attack, we construct a PPT adversary security game. A ' attacking the HIBE in an adaptive chosen-ciphertext

B. Existential Unforgeability r Signcrypt(PK , M , ISS== ( I1' ,..., Ii ' ), SK ( KSSSi,1 , K ,2 , E ,+ 1 , Theorem 2 Our HIBSC system is Existential r ....,EE , ), I= ( I ,..., I )) : The sender randomly Unforgeability security, iff it is converted from an IND- Sl,, Sm R 1 j sID-CPA secure HIBE, using our method. ˆˆ' chooses s,'sZ∈ N and RR33, ∈ Gp . It sets: We omit the proof of this theorem, because it can be 3 s ' ˆ proved using the method introduced in [1, 16, 12]. σ1,1=⋅KS gR3

I1' Ii ' sHMsHM'()'()⋅ ˆ ' σ 2,21''=⋅⋅⋅⋅KSim()()uuhEvR3, and V. CONCRETE INSTANTIATION I CMegg=⋅(,)α ⋅s , Cu=⋅⋅⋅()I1 uhj s , Cg= s . In this section, we gave a concrete instance of HIBSC. 0 11 j 2 This scheme is transformed from an IND-ID-CPA secure The sender sends the tuple SCT= (,,,,) C01212 C C σ σ HIBE [11], using our generic method introduced in to the receiver. Section 3. r Unsigncrypt(,PK SCT , ISR== (,...,),( I1' IiR ' SK K,1 , KR ,2 ,

A. Our Construntion EEERj,1+ ,...., Rl , , Rm , )) : Received a tuple SCT= (,, C01 C A Hierarchical Identity Based Encryption scheme has C212,,σ σ ), the receiver decrypts the ciphertext as five algorithms: Setup, KeyGen, Delegate, Encrypt, and follows: Decrypt. eK(,) C Setup : The setup algorithm chooses a bilinear group G ω = R,2 2 eK(,)R,1 C 1 of order Nppp= 123. We let l denote the maximum I rr depth of the HIBSC. The setup algorithm chooses eg((α uI1 ⋅⋅⋅ uj h )I R' ,) gs ==13j egg(,)α ⋅s , rr I I s g,,hu1 ,...,ulp v∈ G , X 3 ∈Gp , α ∈ Z N , and a hash I 1 j 1 3 eg(,()) R31 u⋅⋅⋅ uj h function H : G→ Z. The public parameters are TN MC= 0 /ω α PK= { g,h , u13 ,... ul , v , X ,(,)e g g , H} , and the master Then, it verifies: secret key is MSK = α . eg(,)σ ? 2 =egg(,)α r I1' Ii ' HM() KeyGen(,PK MSK , I= (,...,)) I1 I j : The key generation eu(,(σ11'⋅⋅⋅ uhvi ' ⋅ ⋅ )) algorithm chooses rZr ∈ randomly and also chooses The receiver accepts the message if and only if the I N above equation holds. random elements R , R' , R ,…, R , RG∈ . It 3 3 j+1 l mp3 Correctness:

r eg(,)σ outputs SKI = ( K12 , K , Ej+ 1 ,...., El , Em) , where 2 I1' Ii ' HM() rr I eu(,(σ11'⋅⋅⋅ uhvi ' ⋅ ⋅ )) K13= gR, α I IrHM()+s' HM () ' I rr 1' iS' ˆ α I1 j I ' eg(( u1'⋅⋅⋅ uim ' ⋅ hv ⋅ ) R R3 ,) g K21=⋅⋅⋅gu() uhRj 3, = rsSi+ ' ˆ I1' I' HM() r eg(,( R u⋅⋅⋅ u ⋅ hv ⋅ )) rI 31'i ' EuRj++11= jj+1, = egg(,)α …… r rI EuRll= l, B. Security of HIBSC rr I Theorem 3 The HIBSC scheme is IND-ID-CPA and UF- EvRmm= . ''' ' r ID-CPA security. Delegate : Given a key K12,KE ,j+ 1 ,..., El for I = (,I1 Proof. This HIBSC scheme is converted from an IND-ID-

...,I j ) , the delegation algorithm creates a key for CPA secure HIBE scheme, using our method introduced r in the Section 3. According to Theorem 2, the above I '(,...= I1,)Ij+1 as follow. It chooses a random element HIBSC scheme is IND-ID-CPA and UF-ID-CPA security. ' r rZI ' ∈ N and random elements R%3 ,,R%3 R% j+2 ,…, R%l , VI. FROM CPA TO CCA2 RG% ∈ . The new key is set as: mp3

r The above HIBSC scheme is IND-ID-CPA and UF-ID- ' rI ' KKgR11= % 3, CPA security. We can use the method introduced by IIrr rr ⋅I K =⋅⋅⋅Ku''()()I1' uhjjI E++11 uI ' j R% ', Canetti et al. in [6] to modify this scheme to get IND-ID- 221 jjj++1 13 CCA2 security, but the efficiency must be reduced. In rr EEuR= ' I ' % , fact, we only need make a small modification, jjjj++++2222 ...... exchanging the order of “sign” and “encrypt”, and make a transformation from weak unforgeability into strong r ' rI ' EEuRllll= % , unforgeability using the method introduced by Boneh et rr EEvR= ' I ' % . al. in [3]. After the modification and transformation, we mmm get a new HIBSC scheme, which is IND-ID-CCA2 and We note that this new key is fully randomized: its only SUF-ID-CPA security. tie to the previous key is in the values II1,..., j .

A. Modified HIBSC scheme describe the modified Setupnew, Signcryptnew and Before introducing how to enhance the security, we Unsigncryptnew algorithms as follow: give a modified hierarchical identity-based signcryption Setupnew : To generate the public key, select random scheme mHIBSC, in which we only exchange the order * generators g%,hG% ∈ T and a hash function H% :{0,1} → of “sign” and “encrypt”. The mHIBSC scheme also has Z . Next run Setup to obtain a master secret key five algorithms: Setup, KeyGen, Delegate, Signcrypt, N and Unsigncrypt. The Setup, KeyGen, Delegate MSK and public key PK . The public and master secret algorithms are same as those in our HIBSC scheme keys for the new system are: PK '(= PK,,,)g% h% H% and introduced in the section 5. We describe the modified MSK'(= MSK). Signcrypt and Unsigncrypt algorithms as follow: r r Signcryptnew (PK , M , ISS== ( I1' ,..., Ii ' ), SK ( KS,1 , K S ,2 , E S , i+ 1 ,...., Signcrypt(PK , M , ISS== ( I1' ,..., Ii ' ), SK ( KSSSi,1 , K ,2 , E ,+ 1 , r r EESl,,, Sm ), IR = ( I 1 ,..., Ij )) : The sender chooses random ....,EESl,, , Sm ), IR = ( I 1 ,..., Ij )) : The sender randomly ' ' elements s,,xy∈ Z and RRˆˆ, ∈ G. It sets: chooses s,'sZ∈ and RRˆˆ, ∈ G. It sets: N 33 p3 N 33 p3 α ⋅s α ⋅s CMegg0 =⋅(,) , CMegg0 =⋅(,) , I I j s I 1 I1 j s Cu11=⋅⋅⋅() uhj , Cu11=() ⋅⋅⋅ uhj , s s Cg2 = , Cg2 = , x ˆ()rxS + ˆ s ' ˆ σ1,13=⋅KS gR = g RR 33, then computes σ1,1=⋅KS gR3, tHC← % (||)σ , I1' IHi '0s ''()Cs '()⋅HC0ˆ 01 σ 2,21''=KSim ⋅()()uuhEv ⋅⋅⋅ R3. ty cgh0 ← % % , The sender sends the tuple SCT= (,,,,) C01212 C C σ σ I1' IHi'00x ()cx⋅H ()cˆ ' to the receiver. σ 2,21''=⋅⋅⋅⋅KSim()()uuhEvR3 r Unsigncrypt(PK , SCT , I== ( I ,..., I ), SK ( K , K , α I1' IHcrxHciS'0() (+ ) ()0ˆ ' SR1'iR ' ,1R ,2 =g ()uuvhRRR1' ⋅⋅⋅im ' ⋅ ⋅ 3 3 .

EEERj,1+ ,...., Rl , , Rm , )) : Received a tuple SCT= (,, C01 C The sender sends the tuple SCT= (,,,,, C01212 C C σ σ

C212,,σ σ ), the receiver verifies: y) to the receiver. ? r eg(,)σ α Unsigncrypt (,PK SCT , I== (,...,),( I I K K , K , 2 =egg(,) new SR1'i ' RR,1 ,2 eu(,(σ I1' ⋅⋅⋅ uhvIHCi'0 ⋅ ⋅ ())) 11'i ' EEERj,1+ ,...., Rl , , Rm , )) : Received a tuple SCT= (,, C01 C It outputs the symbol ⊥ if the verification fails. Cy,,,)σ σ , the receiver computes tHC) ← % (||)σ , Otherwise, it decrypts the ciphertext as follows: 212 01 ty) I rr α I1 j I ' s % eK(,) C eg(( u⋅⋅⋅ u h ) R ,) g cgh0 ← % , then checks ω ==R,2 2 13j =egg(,)α ⋅s , rr I ? I I1 j s eg(,)σ 2 α eK(,)R,1 C 1 eg(,()) R31 u⋅⋅⋅ uj h =egg(,). eu(,(σ I1' ⋅⋅⋅ uhvIHci '0 ⋅ ⋅ ())) MC= /ω , and outputs M . 11'i ' 0 It outputs the symbol ⊥ if the verification fails. Correctness: Otherwise, it decrypts the ciphertext as follows: eg(,)σ 2 eK(,)R,2 C 2 I1' IHCi'0() ω = eu(,(σ11'⋅⋅⋅ uhvi ' ⋅ ⋅ )) eK(,)R,1 C 1 α I1' IHCrsHCiS'0()+ ' () 0' eg(( u1'⋅⋅⋅ uim ' ⋅ hv ⋅ ) R R3 ,) g I rr = eg((α uI1 ⋅⋅⋅ uj h )I R' ,) gs eg(,(rsSi+ '( R uI1' ⋅⋅⋅ uI'0 ⋅ hv ⋅ HC))) ==13j egg(,)α ⋅s , 31'i ' rr I eg(,())I R uI1 ⋅⋅⋅ uj hs = egg(,)α 31 j MC= 0 /ω , and outputs M . B. From Weak Unforgeability to Strong Unforgeability Correctness: The famous results of Canetti et al. [6], further eg(,)σ 2 improved upon by Boneh and Katz [2], show how to I IHc() eu(,(σ 1' ⋅⋅⋅ uhvi '0 ⋅ ⋅ )) build a CCA2-secure Identity-Based encryption scheme 11'i ' from a 2-level HIBE scheme. We can use this method to eg((α uI1' ⋅⋅⋅ uIHcrxHciS'0 ⋅ hv ⋅ ())+ RR() 0 Rˆ ' ,) g ==1'im ' 3 3 egg(,)α build IND-ID-CCA2 secure HIBSC based our modified eg(,(rxSi+ RRˆ uI1' ⋅⋅⋅ uI'0 ⋅ hv ⋅ Hc() )) scheme. First of all, we will convert this scheme from 33 1'i '

UF-ID-CPA secure into SUF-ID-CPA, using the general C. Security of HIBSCnew transformation introduced by Boneh et al. [3]. Theorem 4 The mHIBSC scheme is IND-ID-CPA and We build a new strongly unforgeable system HIBSCnew UF-ID-CPA security. also included five algorithms: Setupnew, KeyGennew, We omit the proof of this theorem, because it is easy to Delegatenew, Signcryptnew, and Unsigncryptnew. The see that the security level of the modified scheme KeyGennew, Delegatenew algorithms are same as those in mHIBSC and the original scheme HIBSC are same. the HIBSC scheme introduced in the section 5. We

ω Theorem 5 The HIBSCnew scheme is IND-ID-CCA2 and cg0 ← % . SUF-ID-CPA security. 2. Ask B ’s challenger for a signature on c0 , and Lemma 1 HIBSCnew system is SUF-ID-CPA security.

Our proof is based on the technology used by Boneh et obtain a signature (,σ12σ ) on c0 . r al. in [3]. 3. Compute (,,)CCC ← Encrypt (PKMI ,,). Proof. Suppose A is a forger that (,tq,)ε - breaks strong 012 R 4. Compute tHC← % (||)01σ . unforgeability of HIBSCnew. Forger A is first given a 5. Set yt← ()/ω − a. public key (,PKg%,, h% H% ). rr 6. Return SCT← (,,,,,) C01212 C Cσ σ y to A . Forger A asks for signcryption on (,,I IM ),…, S1 R1 1 ω ay⋅+ t t y rr Indeed, cgg0 ←=%% = gh %% and y is uniform in (,ISqIM Rq ,q ) and is given signcryption SCTii= (, C ,0 Z N as required. Hence, SCT is a valid signcryption on CCii,1,, ,2 σ i,1 ,,σ ii,2 y)for i= 1,...,q on these tuples. Let r r triple (,ISRIM,). tiyi tHii= % (|C,0 |σ i,1) and cgi,0 ← % h% for iq= 1,..., . Let ) ) Output. Finally, algorithm A outputs a forgery (,,CC ) ) )) ) 01 (,,C01σσ2,y) be the forgery produced by A , let t = ) ) )) C21,,σσ2,)y. Algorithm B produces a weak forgery on ) ty) ) HC(||σ) ), and let cgh) ← % . We distinguish among % 01 0 % the underlying scheme as follow. ) three types of forgeries: 1. Compute tHC) = % (||)σ) . Type I. A forgery where cc) = and tt) = for some 01 0,i 0 i ) ty) ) 2. Compute cgh0 ← % % . iq∈{1,..., }. ) )) ) ) 3. Output (,(,c012σ σ )). Type II. A forgery where cc0= i,0 and tt≠ i for Note that ccc) ∉{ ,... } because if cc) = for some some iq∈{1,..., }. 01q 0i,0 ) Type III. Any other forger ( cc) ≠ for iq∈{1,..., }). i∈{1, . . . , q} then, either tt= i (a Type I forgery) or 0i,0 ) A successful forgery must output a forgery of Type I, tt≠ i (a Type II forgery). Therefore B produces a Type II, or Type III. We show that a Type I forgery can ) forgery on some new c0 for the underlying scheme be used to break the collision-resistance of H% , a Type II whenever A produces a Type III forgery, as required. forgery can be used to solve discrete log in GT , and a As space is limited, we omit showing how to use a Type III forgery can be used to break existential Type I or Type II forgery. The method of making these unforgeability of the underlying signcryption scheme forgery types can be found in [3]. mHIBSC. Our simulator can flip a coin at the beginning In summary, we showed how to use all three forgery of the simulation to guess which type of forgery the types to break existential unforgeability of the underlying adversary will produce and set up the simulation signcrypt scheme, collision-resistance of H% , or discrete appropriately. In all three cases the simulation is perfect. log. This completes the proof of Lemma 1.

We start by describing how to use a Type III forgery Lemma 2 HIBSCnew system is IND-ID-CCA2 security. which is the more interesting case. The results of Canetti et al. [6], further improved upon Type III forger : Suppose algorithm A is a Type III by Boneh and Katz [2], show how to build a CCA-secure forger that (,tq,)ε - breaks strong unforgeability of identity-based encryption scheme from a 2-level HIBE scheme. This result is easily extended to n-level HIBE. HIBSC . We construct a simulator B that (,tq ,ε )- new An n-level IND-ID-CCA secure HIBE can be built form breaks existential unforgeability of mHIBSC. B is given an n+1-level IND-sID-CPA HIBE and a strongly a public key PK . B ’s goal is to produce a pair (,c0 σ ) unforgeable one-time signature scheme. Our mHIBSC where σ = (,σσ) is a valid signature on c and c is system is IND-ID-CPA secure (Theorem 4), and our 12 0 0 HIBSC system is SUF-ID-CPA security (Lemma 1), not among B ’s chosen queries. B runs A as follow. new so our HIBSCnew system is IND-ID-CCA2 security. Setup. Algorithm B generates the public key PK ' as follow. Based Lemma 1 and Lemma 2, we can statement that 1. Select a random generator g ∈G . % T our HIBSCnew scheme is IND-ID-CCA2 and SUF-ID- * a CPA security. 2. Select random exponents aZ∈ N and set hg% ← . 3. Select a hash function: H% :{0,1}* → Z . N VII. CONCLUSIONS 4. Provide the public key PK'(= PK ,,,) g h% H% to . % A We have introduced a generic method to construct Signcrypt Queries. Algorithm A issues up q signcrypt HIBSC scheme. Using our method, a HIBSC scheme can queries. Algorithm B responds to a query on a triple be easily converted form any HIBE scheme. But we note rr (,I IM , ) as follow. that, the efficiency of the HIBSC scheme relies on the SR delegation algorithm of the HIBE scheme seriously. So 1. Select a random exponent ω ∈ Z N and set we should choose these HIBE schemes, which have efficient delegation algorithm as far as possible. Then, we

proposed a concrete instantiation, which is the first [16] Brent Waters: Efficient Identity-Based Encryption Without constant-size fully secure hierarchical identity-based Random Oracles. EUROCRYPT 2005: 114-127. signcryption scheme in the standard model. Furthermore, [17] Tsz Hon Yuen, Victor K. Wei: Constant-Size Hierarchical our scheme can achieve CCA2 security level without Identity-Based Signature/Signcryption without Random Oracles. Cryptology ePrint Archive, Report 2005/412, using additional cryptography primitive, but it needs 2005. exchange the order of “sign” and “encrypt”. Since this [18] Yuliang Zheng: Digital Signcryption or How to Achieve form is a little different from the usual signcryption Cost(Signature & Encryption) << Cost(Signature) + schemes, it remains an open problem to construct a Cost(Encryption). CRYPTO 1997: 165-179. constant-size fully secure HIBSC scheme as usual form [19] Yuliang Zheng, Hideki Imai: How to Construct Efficient in the IND-ID-CCA2 security model without using Signcryption Schemes on Elliptic Curves. Inf. Process. Lett. additional cryptography primitive. 68(5): 227-233 (1998). [20] John Malone-Lee. Identity Based Signcryption. Cryptology ePrint Archive, Report 2002/098, 2002. ACKNOWLEDGMENT [21] Benoît Libert and Jean-Jacques Quisquater: A new identity The authors wish to thank anonymous reviewers for based signcryption scheme from pairings. Proceedings of giving helpful suggestions. This work is supported by the the IEEE Information Theory Workshop 2003: 155-158. National Nature Science Foundation of China under [22] Sherman S. M. Chow, Siu-Ming Yiu, Lucas Chi Kwong Grant No. 60873232, the National Nature Science Hui, K. P. Chow: Efficient Forward and Provably Secure ID-Based Signcryption Scheme with Public Verifiability Foundation of Shandong Province under Grant No. and Public Ciphertext Authenticity. ICISC 2003: 352-369. Y2007G37, and Graduate Independent Innovation [23] Xavier Boyen: Multipurpose Identity-Based Signcryption Foundation of Shandong University under Grant No. (A Swiss Army Knife for Identity-Based Cryptography). yzc09043. CRYPTO 2003: 383-399. [24] Liqun Chen, John Malone-Lee: Improved Identity-Based Signcryption. Public Key Cryptography 2005: 362-379. REFERENCES [25] Yong Yu, Bo Yang, Ying Sun, Shenglin Zhu: Identity based signcryption scheme without random oracles. [1] Dan Boneh, Matthew K. Franklin: Identity-Based Computer Standards & Interfaces 31(1): 56-62 (2009). Encryption from the Weil Pairing. CRYPTO 2001: 213- 229. [2] Dan Boneh, Jonathan Katz: Improved Efficiency for CCA- Secure Cryptosystems Built Using Identity-Based Encryption. CT-RSA 2005: 87-103. Hao Wang was born in Shandong, China in 1984. He has [3] Dan Boneh, Emily Shen, Brent Waters: Strongly completed his Bachelor of Science in Computational Unforgeable Signatures Based on Computational Diffie- Mathematics in Qufu Normal University, China in 2007. He is a Hellman. Public Key Cryptography 2006: 229-240. Ph.D. candidate of Shandong University, interested in the [4] C. Cocks: An Identity Based Encryption Scheme Based on research on public key cryptography including identity based Quadratic Residues. IMA Int. Conf. 2001: 360-363. cryptography, encryption, key agreement etc. [5] Yang Cui, Eiichiro Fujisaki, Goichiro Hanaoka, Hideki Imai, Rui Zhang: Formal Security Treatments for Signatures from Identity-Based Encryption. ProvSec 2007: Qiuliang Xu was born in Shandong, China in 1960. He has a 218-227. Ph.D. in Applied Mathematics (1999) and an M.S. in [6] Ran Canetti, Shai Halevi, Jonathan Katz: Chosen- Computational Mathematics (1985) from Shandong University, Ciphertext Security from Identity-Based Encryption. Jinan, China. EUROCRYPT 2004: 207-222. He is a Professor of Computer Science in Shandong [7] Sherman S. M. Chow, Tsz Hon Yuen, Lucas Chi Kwong University, where he has been since 1985. His main interest is Hui, Siu-Ming Yiu: Signcryption in Hierarchical Identity public key cryptography including encryption, digital signature, Based Cryptosystem. SEC 2005: 443-457 . crypto-graphic protocol etc. [8] Dan Boneh, Eu-Jin Goh, Kobbi Nissim: Evaluating 2-DNF Formulas on Ciphertexts. TCC 2005: 325-341. [9] Jeremy Horwitz, Ben Lynn: Toward Hierarchical Identity- Xiufeng Zhao was born in Shandong, China in 1977. She Based Encryption. EUROCRYPT 2002: 466-481. has completed her Bachelor of Science in Applied Mathematics [10] Craig Gentry, Alice Silverberg: Hierarchical ID-Based in Qufu Normal University, China in 2000, and has her M.S in Cryptography. ASIACRYPT 2002: 548-566. Applied Mathematics from Northwestern Polytechnical [11] Allison Lewko, Brent Waters: Fully Secure HIBE with University. She is a Ph.D. candidate of Shandong University, Short Ciphertexts. Cryptology ePrint Archive, Report interested in the research on cryptographic protocol, key 2009/482, 2009. agreement, etc. [12] Kenneth G. Paterson, Jacob C. N. Schuldt: Efficient Identity-Based Signatures Secure in the Standard Model. ACISP 2006: 207-222. [13] Adi Shamir: Identity-Based Cryptosystems and Signature Schemes. CRYPTO 1984: 47-53. [14] Ueli M. Maurer, Yacov Yacobi: Non-interactive Public- Key Cryptography. EUROCRYPT 1991: 498-507. [15] Elaine Shi, Brent Waters: Delegating Capabilities in Predicate Encryption Systems. ICALP (2) 2008: 560-578.