Heterogeneous hybrid signcryption for multi-message and multi-receiver

Shufen Niu; Ling Niu; Xiyan Yang; Caifen Wang; Xiangdong Jia

doi:10.1371/journal.pone.0184407

Abstract

To achieve secure communication in heterogeneous cryptography systems, we present a heterogeneous hybrid signcryption scheme. The proposed scheme allows a sender in an identity-based cryptography system to send multi-message to multi-receiver in a certificateless cryptography system with different master keys. At the same time, all users are mapped to a distinct pseudo-identity for conditional identity privacy preservation. A trusted authority could trace the real identity when necessary. Compared with existing schemes, the proposed scheme is more practical for actual applications. In addition, the proposed scheme has indistinguishability against adaptive chosen ciphertext attacks and existential unforgeability against adaptive chosen message attacks under the random oracle model.

Citation: Niu S, Niu L, Yang X, Wang C, Jia X (2017) Heterogeneous hybrid signcryption for multi-message and multi-receiver. PLoS ONE 12(9): e0184407. https://doi.org/10.1371/journal.pone.0184407

Editor: Yeng-Tseng Wang, Kaohsiung Medical University, TAIWAN

Received: May 12, 2017; Accepted: August 23, 2017; Published: September 8, 2017

Copyright: © 2017 Niu et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Data Availability: All relevant data are within the paper.

Funding: This work was supported by National Natural Science Foundation of China under grant 61562077, 61462077, 61662071, 61662069.

Competing interests: The authors have declared that no competing interests exist.

Introduction

Diverse network systems have appeared with the development of technology. These systems utilize different cryptography techniques, such as public key infrastructure (PKI), identity-based cryptography (IBC), and certificateless cryptography (CLC). A cryptographic scheme should be constructed for secure communication in heterogeneous systems. Zheng [1] firstly proposed signcryption, a novel cryptographic primitive that functions as both digital signature and public key encryption in a single logical step that significantly costs lower than the traditional signature-then-encryption approach. Signcryption schemes are used to simultaneously achieve confidentiality, integrity, authentication, and non-repudiation for resource-constrained devices over low-bandwidth communication channels. Given those advantageous characteristics, heterogeneous signcryption is investigated. There are two types of heterogeneous signcryption between PKI and IBC: in type I, a sender in the PKI setting transmits a message to a receiver in the IBC setting; in type II, a sender in the IBC setting transmits a message to a receiver in the PKI setting. To achieve secure communication, Sun et al. [2] proposed type I schemes; these schemes, however, can only achieve outsider security. In 2011, Huang et al. [3] proposed a type II signcryption scheme with internal security. In 2013, Li et al. [4] proposed types I and II schemes that meet internal security requirements. Related heterogeneous signcryption paradigms have received considerable attention in recent years [5–8].

It is a practical way for large messages to use hybrid encryption perform secure communication. Hybrid encryption separates encryption into two parts: one part uses public key techniques to encrypt a one-time symmetric key, and the other part uses the symmetric key to encrypt the actual message. The public key encryption part of the algorithm is the key encapsulation mechanism (KEM), whereas the symmetric key encryption part is the data encapsulation mechanism (DEM). In 2003, a formal treatment of this paradigm originated in the work of Cramer and Shoup [9]. Dent [10, 11] studied the use of hybrid techniques to build signcryption schemes. He generalized KEM to signcryption KEM, which includes authentication. However, he only considered insider security for authenticity. In 2008, Tan [12] proposed full insider secure signcryption KEM in the standard model. Tan’s schemes are insider-secure for both authenticity and confidentiality. In 2005, Smart [13] provided an efficient key encapsulation for multiple parties. Sun et al. [14] proposed an IBC signcryption KEM for multiple recipients. Related hybrid signcryption or hybrid multiple receivers signcryption schemes can be found in [15–18].

Considering all the above literature, it is known that none of the existing multi-recipient heterogeneous hybrid signcryption schemes for IBC to CLC. However, in today’s complex network and application environment, the information security situation is also complicated and grim. The production and collection of the mass data results in information explosion lead the network communication become more complex and low effective due to diverse system [19, 20]and mathematical models [21, 22] of equipment environment. Then there need a scheme to achieve better communication between user with strong computing power and user who has weak computing power in heterogeneous system, the scheme also should handle large messages for sender to improve the efficiency of signcryption to multi-receiver.

Motivated by the above, considering with multi-PKG signcryption [23] and conditional privacy-preserving schemes [24], we propose a heterogeneous hybrid signcryption scheme for IBC to CLC which meets: (1) The private key generator (PKG) and key generation center (KGC) can produce different master keys and system parameters for different cryptography environments, which are more practical for heterogeneous systems. (2) The scheme is insider-secure for both authenticity and confidentiality, and the formal definitions and security models for heterogeneous hybrid signcryption scheme are also given. (3) Each user maps a distinct pseudo-identity to achieve conditional identity privacy preservation. A trusted authority could trace the real identity when necessary. (4) Use hybrid signcryption to implement a sender signcrypt multi-message to multi-receiver in once signcryption.

The rest of this paper is organized as follows: preliminary information is given in section 2. The framework and security model are presented in section 3. The heterogeneous hybrid signcryption for multi-message and multi-receiver (MHHSC) scheme is proposed in section 4. The security proof is presented in section 5. The performance evaluation of the proposed scheme is discussed in section 6. Finally, the conclusion is provided in section 7.

Preliminary

In this section, we describe bilinear maps and hard problems. Let consider two cyclic groups G₁ and G₂ with the same prime order q, and let P is a generator of G₁. A bilinear map e: G₁ × G₁ → G₂ need satisfy the following properties:

Bilinearity: For all P, Q, R ∈ G₁, and , e(P + R, Q) = e(P, Q)e(R, Q). Also e(aP, bQ) = e(P, Q)^ab.
Non-degeneracy: There exists P, Q ∈ G₁, such that e(P, Q)≠1.
Computability: e(P, Q) can be computed for P, Q ∈ G₁.

Definition 1. Given two groups G₁ and G₂ of the same prime order q, a bilinear map e: G₁ × G₁ → G₂, and a generator P of G₁, the decisional bilinear Diffie-Hellman(DBDH) problem is to decide whether T = e(P, P)^abc for given (P, aP, bP, cP) and T ∈ G₂.

Definition 2. Variants decisional bilinear Diffie-Hellman(VDBDH) problem is to decide whether T = e(P, P)^abc⁻¹ for given (P, aP, bP, cP, c⁻¹ P) and T ∈ G₂.

Definition 3. Variants computational bilinear Diffie-Hellman(VCBDH) problem is to compute T = e(P, P)^abd⁻¹ for given (P, aP, bP, dP, d⁻¹ P).

Framework and security model for MHHSC

MHHSC KEM

MHHSC KEM consists of five algorithms:

Setup: With a security parameter ℓ as the input, the PKG and KGC generate their own master key and output the system parameters params.
Anony-IBC-KG: The algorithm runs by the PKG of the IBC system. With a user’s real identity RID_A and ID_A,1 as the input, the algorithm generates the corresponding private key sk_A and pseudo-identity ID_A.
Anony-CLC-KG: The algorithm runs by the KGC of the CLC system. With a user’s real identity RID_{B_i} and ID_{B_i,1} as the input, the algorithm generates the corresponding partial private key D_{B_i}, secret key sk_{B_i}, public key pk_{B_i} and pseudo-identity ID_{B_i}.
Encap: Give the sender’s identity (Q_A, ID_A), and private key sk_A, receiver identity (pk_{B_i}, ID_{B_i}, Q_{B_i}(i = 1, 2, ⋯, n)), the algorithm outputs the encapsulation key K and encapsulation φ.
Decap: Give the sender’s identity (Q_A, ID_A), receiver secret key, and public key (D_{B_i}, sk_{B_i}), (pk_{B_i}, ID_{B_i}), the algorithm outputs the encapsulation key K or the symbol ⊥.

DEM

DEM is a symmetric encryption scheme that requires security for confidentiality and unforgeability. DEM consists of the following two algorithms:

Enc: Take message M and encapsulation key K as input, the ciphertext C is then output. We denote this as C ← DEM.Enc(K, M).
Dec: Take a key K and the ciphertext C as input, the message M or error symbol ⊥ is output.

MHHSC HSC

The proposed MHHSC scheme consists of MHHSC KEM and DEM as follows:

Setup, Anony-IBC-KG, and Anony-CLC-KG: Same as 3.1 MHHSC KEM.
Signcrypt: Use Encap in 3.1 MHHSC KEM to obtain (K, ϕ), use Enc in 3.2 DEM to obtain a ciphertext C, output σ ← (C, ϕ).
Unsigncrypt: Use Decap in 3.1 MHHSC KEM to obtain K, use Dec in 3.2 DEM to obtain message M, then check the equation. If it holds, receive M. Otherwise, output the symbol ⊥.

Security notions

In the proposed scheme, the confidentiality property is defined based on the concept of indistinguishability against adaptive chosen ciphertext attacks (IND-CCA2), which considers two types of adversaries with different capabilities. A type I adversary acts as a dishonest user, whereas a type II adversary acts as a malicious KGC that can obtain the master secret key of KGC. The authenticity property is defined basis on existential unforgeability against adaptive chosen message attacks (EUF-CMA).

Definition 4. (Confidentiality) A heterogeneous hybrid signcryption scheme is said achieved IND-CCA2, if no probabilistic polynomial time adversary A₁ has a non-negligible advantage in the following game:

Setup: The challenger C runs the Setup algorithm and sends system parameters and public keys to A₁, whereas the KGC’s master key is kept secret. is the target identity.

Phase 1. A₁ can ask several kinds of queries to the following random oracles:

Partial private key query: Submit a query on ID_{B_j}. If (i = 1, 2, ⋯, n), then return D_{B_j}. Otherwise, C aborts.
Unsigncrypt query: Submit an unsigncrypt query under ID_A, ID_{B_j} and ciphertext σ. If , then C runs the formal unsigncrypt algorithm and returns the answer. Otherwise, C searches the list and computes M. Then, check the equation. If holds, M is returned. Otherwise, ⊥ is output.

Challenge: C decides when the Phase 1 ends. A₁ selects two plaintexts M₀, M₁ of the same length, and ID_A, ID_{B_j}(j = 1, 2, ⋯, n) to C, which wants to challenge. If , C fails and aborts. A₁ is not allowed to ask the partial private key of . Then, C selects b ∈ {0, 1} and runs the corresponding algorithms to obtain the ciphertext σ* transmits to A₁.

Phase 2. A₁ can perform queries as in Phase 1. A₁ cannot query the key extraction for the target identities and should not query the unsigncrypt of σ*.

Guess: Finally, A₁ produces a bit b′, A₁ wins the game if b′ = b.

Definition 5. (Confidentiality) A heterogeneous hybrid signcryption scheme is said achieved IND-CCA2, if no probabilistic polynomial time adversary A₂ has a non-negligible advantage in the following game:

Setup: The challenger C runs the Setup algorithm that sends system parameters and public keys to A₂. is the target identity.

Phase 1. A₂ can ask several queries to the following random oracles:

Public key query: Submit a public key query on ID_{B_j}. If (i = 1, 2, ⋯, n), update PK-list with (ID_{B_j}, ⊥, cP), and return pk_{B_j}.
Unsigncrypt query: Submit an unsigncrypt query under ID_A, ID_{B_j} and ciphertext σ. If , C runs the formal unsigncrypt algorithm and returns the answer. Otherwise, C searches the list and computes M. Then, check the equation. If the equation holds, return M. Otherwise, ⊥ is output.

Challenge: C decides when Phase 1 ends. A₂ selects two plaintexts m₀, m₁ of the same length, and ID_A, ID_{B_j}(j = 1, 2, ⋯, n) to C, which wants to challenge. If , C fails and aborts. A₂ is not allowed to query for the secret key of . Then C selects b ∈ {0, 1} and runs the corresponding algorithms to obtain the ciphertext σ* transmits to A₂.

Phase 2. A₂ can perform queries as Phase 1. A₂ cannot query the key extraction for the target identities and should not query the unsigncrypt of σ*.

Guess: Finally, A₂ produces a bit b′, and A₂ wins the game if b′ = b.

Definition 6. (Unforgeability) A heterogeneous hybrid signcryption scheme is said achieved EUF-CMA, if no probabilistic polynomial time forger F has a non-negligible advantage in the following game:

Setup: The challenger C runs the Setup algorithm and sends system parameters and public keys to F, whereas the PKG’s master key is kept secret. is the target identity.

Attack: F issues several kinds of queries.

Private key query: Submit a query on ID_A. If . Then return sk_A. Otherwise, C aborts.
Signcrypt query: Submit a signcrypt query under ID_A, . If , runs the formal signcrypt algorithm and returns ciphertext σ. Otherwise, C computes σ to satisfy the equation and returns σ to F.

Forgery: Finally, F outputs σ* under , cannot query the private key, F wins if Unsigncrypt does not return ⊥.

Heterogeneous hybrid signcryption for multi-message and multi-receiver

The MHHSC scheme will be discussed in this section. The proposed scheme involves four parties: PKG, KGC, sender ID_A, and n receivers , allowing ID_A to send m messages to n receivers . KDF in scheme denotes a key extract function in G₁. Moreover, PKG and KGC can calculate pseudo-identities for users in their system, key pairs or partial private keys of all users are generated by PKG or KGC via the pseudo-identities.

Setup: Let G₁ and G₂ be two cyclic groups with prime order q, where G₁ is additive and G₂ is multiplicative, and P is the generator of G₁. Let e: G₁ × G₁ → G₂ be an admissible bilinear map, a key extract function KDF: (l_m is the length of a key).
1. PKG randomly selects and two hash functions: H₀: G₁ → {0, 1}*, H₁: {0, 1}* → G₁ computes P₁ = s₁ P, where s₁ is a master secret key that only the PKG knows.
2. KGC randomly selects and four hash functions: H₂: G₁ → {0, 1}*, H₃: {0, 1}* → G₁, , calculates P₂ = s₂ P, where s₂ is a master secret key that only the KGC known.
Public params = <e, P, P₁, P₂, G₁, G₂, H₀, H₁, H₂, H₃, H₄, H₅, KDF> and keep s₁, s₂ secret respectively.
Anony-IBC-KG: Users in IBC obtain their private key as follows:
1. Sender A randomly selects calculates ID_A,1 = k_A P and transmits (RID_A, ID_A,1) to PKG, where RID_A is the real identity of sender A. PKG calculates ID_A,2 = RID_A ⊕ H₀(s₁ ID_A,1, T), where T denotes the valid period of this pseudo-identity. Finally, the identity os sender A is ID_A = (ID_A,1, ID_A,2, T).
2. PKG generates a private key for IBC users as , where Q_A = H₁(ID_A). (sk_A, Q_A, ID_A) is sent to A via a secure path.
Anony-CLC-KG: Users in CLC obtain their partial private key as follows:
1. Receiver B_i(i ∈ {1, 2, ⋯, n}) randomly selects calculates ID_{B_i,1} = k_{B_i} P and transmits (RID_{B_i}, ID_{B_i,1}) to KGC, where RID_{B_i} is the real identity of receiver B_i. KGC calculates ID_{B_i,2} = RID_{B_i} ⊕ H₂(s₂ ID_{B_i,1}, T_i), where T_i denotes the valid period of this pseudo-identity. Finally, the identity of receiver B_i is ID_{B_i} = (ID_{B_i,1}, ID_{B_i,2}, T_i).
2. KGC generates the partial private key for CLC users as , where Q_{B_i} = H₃(ID_{B_i}). (D_{B_i}, Q_{B_i}, ID_{B_i}) is sent to B_i via a secure path.
3. B_i randomly selects the secret value to compute sk_{B_i} = x_{B_i} D_{B_i}, pk_{B_i} = x_{B_i} P.
Signcrypt: A sender A signcrypts n messages m_i(i = 1, 2, ⋯, n) to n receiver B_i(i = 1, 2, ⋯, n) as follows:
1. Randomly selects , and computes U₁ = r₁ P₂, U₂ = r₁Q_A.
2. Compute , , φ_i = r₂ ⊕ H₄(V_i) and let φ = (φ₁, φ₂, ⋯, φ_n).
3. Compute C = DEM.Enc(K, M) where K = KDF(r₂) and M = (m₁ ⊕ R₁‖m₂ ⊕ R₂‖⋯‖m_n ⊕ R_n).
4. Compute h_i = H₅(U₁, U₂, M, R_i, V_i, ID_A, ID_{B_i}).
5. Compute S_i = (r₁ + h_i)sk_A and let S = (S₁, S₂, ⋯, S_n).
Return ciphertext σ = (C, ϕ ← (U₁, U₂, S, φ)).
Unsigncrypt: After receiving a ciphertext σ = (C, ϕ ← (U₁, U₂, S, φ)), the receiver B_i(i ∈ {1, 2, ⋯, n}) decrypts σ as follows:
1. Compute V_i = e(U₁, D_{B_i}), R_i = e(U₁, sk_{B_i}) and obtain r₂ = φ_i ⊕ H₄(V_i).
2. Recover M = DEM.Dec(K, C) where K = KDF(r₂). Receiver B_i recovers own message m_i = (m_i ⊕ R_i) ⊕ R_i.
3. Compute h_i = H₅(U₁, U₂, M, R_i, V_i, ID_A, ID_{B_i}).
4. Accept the message if and only if the following equation holds:

Note that conditional privacy preservation for each user is mapped to a distinct pseudo-identity ID_U = (ID_U,1, ID_U,2, T). PKG or KGC can retrieve the real identity from any pseudo-identity by RID_U = ID_U,2 ⊕ H_i(sID_U,1, T) for any disputed event. In addition, the pseudo-identity ID_U is generated by both users and PKG or KGC. Hence, only the PKG or KGC that knows the master secret s can retrieve the real identity RID_U from ID_U.

Security proof

In this section, we prove that the proposed IBC to CLC hybrid scheme achieves the security requirements of confidentiality and unforgeability. To demonstrate the security of our scheme, we assume that the adversary asks q_{H_i} queries to H_i for i = 1, 2, 3, 4, 5, q_u queries to unsigncryption; q_s queries to the signcryption; q_ppk queries to the partial private key; q_sk queries to the secret key; q_pk queries to the public key extraction; and q_pkr queries to the public key replacement.

Confidentiality

Theorem 1. The above MHHSC scheme is secure against adaptive chosen ciphertext attacks in the standard model assuming that the VDBDH and DBDH problems are difficult.

This theorem follows lemmas 1 and 2. Lemma 1 reveals that adversary A₁ can not distinguish M. Lemma 2 proves that although adversary A₂ can obtain M, it cannot distinguish message m_j for ID_{B_j}.

Lemma 1. In the random oracle, if there is an IND-CCA2 adversary A₁ has an advantage ϵ against MHHSC, then there is an algorithm C that solves the VDBDH problem with an advantage .

Proof. We construct a simulator C that use A₁ to decide whether T = e(P, P)^abc⁻¹ by providing a random instance (P, aP, bP, cP, c⁻¹ P, T) as the VDBDH problem. This proof consider the indistinguishability of M.

Setup: At the beginning, C sets P₂ = cP and proves the system parameters to the attacker A₁. The target identity is .

Phase 1. A₁ requests a number of queries. C keeps the H_i-list (i = 1, 2, 3, 4, 5) and PK-list which are used to record answers to the corresponding H_i query and public key query.

H₃ query: Input an identity ID_{B_j}. If , randomly select , calculate Q_{B_j} = t_j P. Otherwise, calculate Q_{B_j} = bP place (ID_{B_j}, t_j, Q_{B_j}) in the H₃-list, and return Q_{B_j}.
H₄ query: If (V_j, h₄) exists in the H₄-list, return h₄. Otherwise, check if VDBDH oracle returns 1 when queried with the tuple (aP, bP, c⁻¹ P, V_j). If this is the case, C returns V_j = e(P, P)^abc⁻¹ and stops. Otherwise, randomly select update the H₄-list, and return h₄.
H_i(i = 0, 1, 2, 5) query: Upon receiving an H_i query, if the corresponding query exists in the H_i-list, return it to A₁. Otherwise, C randomly selects an integer as the query result and returns it to A₁. Meanwhile, C places the query result into the H_i-list.
Partial private key query: Upon receiving a partial private key query on ID_{B_j}. If , retrieves the corresponding (ID_{B_j}, t_j, Q_{B_j}) from the H₃-list and sets D_{B_j} = t_jc⁻¹ P return D_{B_j}. Otherwise, C aborts.
Public key query: When C receives a public key query on ID_{B_j}, if there exists (ID_{B_j}, x_{B_j}, pk_{B_j}) in the PK-list, then C returns pk_{B_j}; otherwise, C randomly selects , computes pk_{B_j} = x_{B_j} P, places (ID_{B_j}, x_{B_j}, pk_{B_j}) into the PK-list, and returns pk_{B_j} as the answer.
Replace public key: When C receives a replace public key query on ID_{B_j}, C first finds (ID_{B_j}, x_{B_j}, pk_{B_j}) on the PK-list, then C updates the PK-list with tuple and sets x_{B_j} = ⊥, .
Secret key query: When C receives a secret key query on ID_{B_j}, if C replaces public key of ID_{B_j}, then C returns ⊥. Otherwise, there exists (ID_{B_j}, x_{B_j}, pk_{B_j}) in the PK-list and returns x_{B_j} as answer.
Unsigncrypt query: When receiving an unsigncrypt query under ID_A, ID_{B_j} and ciphertext σ, if , C runs the formal unsigncrypt algorithm and return the answer. Otherwise, C goes through the H₄-list with (V_j, h₄) to find a value such that h₄ meets the VDBDH oracle returns 1 when queried on the tuple (bP, c⁻¹ P, U₁, V_j). If such a tuple exists, return h₄ and computer r₂ = φ_j ⊕ h₄, K = KDF(r₂). Recover M = DEM.Dec(K, C), use H₅ query to obtain h_j, then check equation e(P₁, S_j) = e(P, U₂ + h_jQ_A). If holds, return M. Otherwise, output ⊥.

Challenge: After the first stage, A₁ outputs two plaintexts M₀, M₁ and ID_A, ID_{B_j}(j = 1, 2, ⋯, n) to C. If , then C fails and aborts. Otherwise, C randomly chooses , , obtains from H₅ query, sets , and computes . Obtain (where T is C candidate for the VDBDH obtained from H₄ query), . Then, C randomly selects K₀ ∈ K_MHHSC and b ∈ {0, 1} computes C* = DEM.Enc(K_b, M_b), . Finally, C provides the ciphertext to A₁.

Phase 2. A₁ request a second series of queries as before.

Guess: At the end of the simulation, A₁ outputs a bit b′ for which the relation σ* = Signcrypt(M_b, sk_A, ID_{B_j}) holds. If b′ = b, C outputs T = e(U₁, D_{B_j}) = e(aP, bc⁻¹ P) = (P, P)^abc⁻¹ as a solution of the VDBDH problem.

Then, we assess probability. The probability to fail in signcryption queries is at most (q_H₄ + q_s)q_s/2^k, and the probability to fail in unsigncryption queries is at most q_u/2^k. Note that the probability for C to not to fail in first stage is (q_H₃ − q_ppk)/q_H₃. Furthermore, with a probability exactly 1/(q_H₃ − q_ppk), A₁ chooses to be challenged on . Thus, the advantage of C is .

Lemma 2. In the random oracle, if there is an IND-CCA2 adversary A₂ has an advantage ϵ against MHHSC. Then an algorithm C that solves the DBDH problem with an advantage .

Proof. We construct a simulator C uses A₂ to decide whether T = e(P, P)^abc by providing a random instance (P, aP, bP, cP, T) as the DBDH problem. This proof considers the indistinguishability of m_j.

Setup: At the beginning, C sets P₂ = s₂ P and proves the system parameters to the attacker A₂. The target identity is .

Phase 1. A₂ requests a number of queries. C keeps the H_i-list (i = 1, 2, 3, 4, 5) and PK-list, which are used to record answers to the corresponding H_i query and public key query.

H₃ query: Input an identity ID_{B_j}. If , randomly choose , calculates Q_{B_j} = t_j P. Otherwise, calculates Q_{B_j} = bP put (ID_{B_j}, t_j, Q_{B_j}) in H₃-list return Q_{B_j}.
H_i(i = 0, 1, 2, 4, 5) query: Upon receiving an H_i query, if the corresponding query exists in the H_i-list, then return it to A₂. Otherwise, C randomly selects an integer as the query result and returns it to A₂. Meanwhile, C places the query result into the H_i-list.
Public key query: Upon receiving a public key query on ID_{B_j}. If , randomly selects computes pk_{B_j} = x_{B_j} P and updates the PK-list. If , set pk_{B_j} = cP update the PK-list with (ID_{B_j}, ⊥, cP) and return pk_{B_j}.
Secret key query: When C receives a secret key query on ID_{B_j}, if returns ⊥. Otherwise, there exists (ID_{B_j}, x_{B_j}, pk_{B_j}) in PK-list returns x_{B_j}.
Unsigncrypt query: When receiving an unsigncrypt query under ID_A, ID_{B_j} and ciphertext σ, C can compute V_j = e(U₁, D_{B_j}), obtains r₂ = φ_j ⊕ H₄(V_j), K = KDF(r₂), recovers M = DEM.Dec(K, C). Then, if , C fails and stops(C cannot compute R_j for sk_{B_j} is only ID_{B_j} can compute). Otherwise, ID_{B_j} recovers its own message m_j = (m_j ⊕ R_j) ⊕ R_j. Submitting H₅ query to obtain h_j. Then, equation e(P₁, S_j) = e(P, U₂ + h_j Q_A) is checked. If holds, m_j is returned. Otherwise, output ⊥.

Challenge: After the first stage, A₂ outputs two plaintexts m₀, m₁ and ID_A, ID_{B_j}(j = 1, 2, ⋯, n) to C, if , C fails and abort. Otherwise, C randomly chooses , , obtains from H₅ query, sets , computes , . Gets , . computes , C* = DEM.Enc(K*, M*), where M* = m_b ⊕ T(T is C candidate for the DBDH). Finally, C provides the ciphertext to A₂.

Phase 2. A₂ then requests a second series of queries as before.

Guess: At the end of the simulation, A₂ outputs a bit b′ for which believes the relation σ* = Signcrypt(M*, sk_A, ID_{B_j}) holds. If b′ = b, C outputs = e(cP, bP)^a = (P, P)^abc as a solution of DBDH problem.

Then, we assess probability. The probability to fail in signcryption queries is at most q_s/2^k, and the probability to fail in unsigncryption queries is at most q_u/2^k. Note that the probability for C to not to fail in first stage is (q_H₃ − q_sk)/q_H₃. Furthermore, with a probability exactly 1/(q_H₃ − q_sk), A₂ chooses to be challenged on . Thus, the advantage of C is .

Unforgeability

Theorem 2. In the random oracle model, if an EUF-CMA adversary F has the advantage ϵ against MHHSC, then exists an algorithm C that solves the VCBDH problem with the advantage .

Proof. We construct a simulator C that uses F to decide whether e(P, P)^abd⁻¹ by providing a random instance (P, aP, bP, dP, d⁻¹) as the VCBDH problem.

Setup: At the beginning, C sets P₁ = dP and provides the system parameters to the attacker F. The target identity is

Attack: F requests a number of queries. C keeps the H_i-lists (i = 1, 2, 3, 4, 5) which are used to record answers to the corresponding H_i query.

H₁ query: Input an identity ID_A. If , is randomly selected, Q_A = tP is calculated. Otherwise, calculate Q_A = bP place (ID_A, t, Q_A) into the H₁-list, and return Q_A.
H_i(i = 0, 2, 3, 4, 5) query: Upon receiving a H_i query, if the corresponding query exists in the H_i-list, return it to A₂. Otherwise, C randomly selects an integer as the query result and returns it to A₂. Meanwhile, C places the query result into the H_i-list.
Private key query: When C receives a partial private key query on ID_A, if retrieves the corresponding (ID_A, t, Q_A) from the H₁-list and sets sk_A = td⁻¹ P, return sk_A. Otherwise, C aborts.
Signcrypt query: When receiving a signcrypt query under ID_A, and n messages m_i(i = 1, 2, ⋯, n). If , the formal signcrypt algorithm runs and returns ciphertext σ. Otherwise, C randomly selects , computes U₁ = xP₂, V_i = e(U₁, D_{B_i}), R_i = e(U₁, sk_{B_i}), φ_i = r₂ ⊕ H₄(V_i) and let φ = (φ₁, φ₂, ⋯, φ_n). Compute C = DEM.Enc(K, M) where K = KDF(r₂) and M = (m₁ ⊕ R₁‖m₂ ⊕ R₂‖⋯‖m_n ⊕ R_n). Obtain h_i from the H₅ query, compute U₂ = −h_iQ_A + xP₁, S_i = xP, and return ciphertext σ = (C, ϕ ← (U₁, U₂, S, φ)).

Equation e(P₁, S_i) = e(P, U₂ + h_iQ_A) holds.

Forge: Finally, F outputs σ* and ID_A, ID_{B_i} to C. If , C fails and aborts. Otherwise, by forking lemma [25], C selects a different hash function h_i and interacts with F with the same random tape, then the adversary F can provide a different forger σ′*. We know that σ* and σ′* should satisfy the equation and . , is obtained, then C derives the value of e(P, P)^abd⁻¹ as e(aP, bd⁻¹ P). Hence, C successfully solves the VCBDH problem.

The probability of failing in signcryption queries is at most (q_H₄ + q_s)q_s/2^k. With a probability of exactly 1/(q_H₁ − q_sk), F chooses to be challenged on . Then, the advantage of C is .

Performance evaluation

Functionality comparison

To our knowledge, no hybrid signcryption schemes have achieved heterogeneity. Therefore, we compare our scheme with existing heterogeneous signcryption schemes [6] [8] in terms of supporting multi-message, multi-recipient, identity privacy-preservation, heterogeneous system, and different master keys. Table 1 illustrates that our scheme has many excellent features. First, the scheme takes advantages of pseudo-identity to ensure the anonymity of senders and receivers. Second, the scheme supports heterogeneous systems with different master keys. Our scheme has more advantages from the functionality and system setup perspective.

Download:

Table 1. Functionality comparison.

https://doi.org/10.1371/journal.pone.0184407.t001

Then, we compare the computational costs of scheme [8] with that of our scheme. In scheme [8], numerous additions and multiplications must be executed to computing p_i(x) and F_i. If the steps of computing p_i(x) and F_i are not considered, Table 2 shows that scheme [8] still requires 7P, 6M and 3E, thus indicating that it is less efficient than our scheme. Here P, M, and E denote pairing, multiplication, and exponentiation operations, respectively.

Download:

Table 2. Computational cost.

https://doi.org/10.1371/journal.pone.0184407.t002

Computational overhead comparison

To provide numerical results, we implement IBC-CLC MHHSC to measure the performance of signcryption and unsigncryption operations. Our implementation is written in C using the Pairing-Based Cryptography Library (Libpbc) [26]. For the computations, we use the curve groups that are implemented in the Libpbc library. The computations are run on a PC with 3.10 GHz CPU frequency, 4 GB of RAM, and Linux operating system. In the experiment, we used elliptical curves with a base field size of 512 bits and an embedding degree of 2. The security levels are selects as |p| = 512.

The performing consequence of our scheme is provided in Fig 1. Including total operation, signcryption, and unsigncryption operation time of our scheme when the number of the receiver is set as n = 1, 10, 50, 100, 200, 500, 1000. From the figure, we can indicate that signcryption time increases with the number of recipients. However, when unsigncryption, each receiver only operates on its own message, the unsigncryption operation time is not related to the increase of the receiver. So compared with the signcryption and total operation time of the receiver for 1000, the unsigncryption operation time is 0.018, near the bottom of the axis. Therefore, we can see that our scheme can achieve more efficient communication between two systems, which have greater difference in computing power. Users in IBC can handle big data, while users in CLC only need deal with a few data, such as infrastructure-to-vehicle (I2V) communication in vehicular ad hoc networks (VANETs). Trusted authorities or road side units can be the users in IBC system, which have much more capability, and hundreds of on board units can be the users in CLC system, which ability is limited.

Download:

Fig 1. Operation time(s).

(Unsigncryption time near the bottom of the coordinate axis).

https://doi.org/10.1371/journal.pone.0184407.g001

Conclusion

We propose a novel conditional privacy-preserving heterogeneous hybrid signcryption scheme for IBC to CLC (MHHSC), which allows to send multi-message to multi-receiver. The proposed scheme selects different master secret keys in different systems and maps a distinct pseudo-identity for each user, only the trusted authority could trace the real identity for any disputed event when necessary, which ensures conditional privacy preservation for all users in heterogeneous systems. It is definitely more practical for actual applications, such as VANETs. Moreover, we provide the formal definition and security models for the heterogeneous hybrid signcryption scheme. Proof shows that our scheme is indistinguishability against adaptive chosen ciphertext attacks and existential unforgeability against adaptive chosen message attacks, which is satisfied confidentiality and unforgeability in the random oracle model. Owing to today’s diverse and complex network system and application environment, our follow-up work could be propose a bidirectional heterogeneous signcryption scheme between IBC and CLC for multi-party user.

Acknowledgments

The authors would like to thank the anonymous reviewers of this paper for his/her objective comments and helpful suggestions while at the same time helping us to improve the English spelling and grammar throughout the manuscript.

References

1. Zheng Y. Digital signcryption or how to achieve cost (signature & encryption) ≪ cost (signature) + cost(encryption). In: Advances in Cryptology-CRYPTO’97, LNCS 1294. Springer-Verlag; 1997. p. 165–179.
2. Sun Y, Li H. Efficient signcryption between TPKC and IDPKC and its multi-receiver construction. Science China Information Sciences. 2010; 53(3):557–566.
- View Article
- Google Scholar
3. Huang Q, Wong DS, Yang G. Heterogeneous signcryption with key privacy. Computer Journal. 2011; 54(4):525–536.
- View Article
- Google Scholar
4. Li F, Zhang H, Takagi T. Efficient signcryption for heterogeneous systems. IEEE Systems Journal. 2013; 7(3):420–429.
- View Article
- Google Scholar
5. Zhang Y, Zhang L, Zhang Y, Wang H, Wang C. CLPKC-to-TPKI heterogeneous signcryption scheme with anonymity. Acta Electronica Sinica. 2016; 44(10):2432–2439.
- View Article
- Google Scholar
6. Li F, Han Y, Jin C. Practical access control for sensor networks in the context of the Internet of Things. Computer Communications. 2016; 89(90):154–164.
- View Article
- Google Scholar
7. Li F, Han Y, Jin C. Practical signcryption for secure communication of wireless sensor networks. Wireless Personal Communications. 2016; 89(4):1391–1412.
- View Article
- Google Scholar
8. Li Y, Wang C, Zhang Y, Niu S. Privacy-preserving multi-receiver signcryption scheme for heterogeneous systems. Security and Commnication Networks. 2016; 9(17):4574–4584.
- View Article
- Google Scholar
9. Cramer R, Shoup V. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing. 2003; 33(1):167–226.
- View Article
- Google Scholar
10. Dent AW. Hybrid signcryption schemes with outsider security. In: Information Security-ISC 2005, LNCS 3650. Springer-Verlag; 2005. p. 203–217.
11. Dent AW. Hybrid signcryption schemes with insider security. In: Information Security and Privacy-ACISP 2005, LNCS 3574. Springer-Verlag; 2005. p. 253–266.
12. Tan CH. Insider-secure signcryption KEM/tag-KEM schemes without random oracles. In: The Third International Conference on Availability, Reliability and Security-ARES; 2008. p. 1275–1281.
13. Smart NP. Efficient key encapsulation to multiple parties. In: proceedings of the 4th International Conference on Secuity in Communication Networks; 2005. p. 208–219.
14. Sun Y, Li H. ID-based signcryption KEM to multiple recipients. Chinese Journal of Clectronics. 2011; 20(2):317–322.
- View Article
- Google Scholar
15. Li F, Shirase M, Takagi T. Identity-based hybrid signcryption. In: The Fourth International Conference on Availability, Reliability and Security(ARES 2009), IEEE Computer Society; 2009. p. 534–539.
16. Li F, Shirase M, Takagi T. Certificateless hybrid signcryption. In: The 5th Information Security Practice and Experience Conference (ISPEC 2009), LNCS 5451. Springer-Verlag; 2009. p. 112–123.
17. Yu H, Yang B. Provably secure certificateless hybrid signcryption. Chinese Journal of Computers. 2015; 38(4):804–813.
- View Article
- Google Scholar
18. Wang C, Jiang H, Yang X, Zhang Y, Niu S. Multi-message and multi-receiver hybrid signcryption scheme based on discrete logarithm. Computer Engineering. 2016; 42(1):150–155. Available from: http://www.ecice06.com/EN/Y2016/V42/I1/150.
- View Article
- Google Scholar
19. Tonguz O, Wisitpongphan N, Bai F, Mudalige P, Sadekar V. Broadcasting in VANET. In: IEEE; 2007. p.7–12.
20. Li L. Bifurcation and chaos in a discrete physiological control system. Applied Mathematics and Computation. 2015; 252(252):397–404.
- View Article
- Google Scholar
21. Sun G, Wang C, Wu Z. Pattern dynamics of a Gierer-Meinhardt model with spatial effects. Nonlinear Dynamics. 2017; 88(2):1–12.
- View Article
- Google Scholar
22. Li M, Jin Z, Sun G, Zhang J. Modeling direct and indirect disease transmission using multi-group model. Journal of Mathematical Analysis and Applications. 2017; 446(2):1292–1309.
- View Article
- Google Scholar
23. Li F, Shirase M, Takagi T. Efficient multi-pkg id-based signcryption for ad hoc networks. In: Inscrypt 2008, LNCS 5487. Springer-Verlag; 2009. p. 289–304.
24. Horng SJ, Tzeng SF, Huang PH, Wang X, Li T, Muhammad KK. An efficient certificateless aggregate signature with conditional privacy-preserving for vehicular sensor networks. Information Sciences. 2015; 317(C):48–66.
- View Article
- Google Scholar
25. Pointcheval D, Stern J. Security arguments for digital signatures and blind signatures. Journal of Cryptology. 2000; 13(3):361–396.
- View Article
- Google Scholar
26. The pairing-based cryptography library. Available from: http://crypto.stanford.edu/pbc/.

[ref1] 1. Zheng Y. Digital signcryption or how to achieve cost (signature & encryption) ≪ cost (signature) + cost(encryption). In: Advances in Cryptology-CRYPTO’97, LNCS 1294. Springer-Verlag; 1997. p. 165–179.

[ref2] 2. Sun Y, Li H. Efficient signcryption between TPKC and IDPKC and its multi-receiver construction. Science China Information Sciences. 2010; 53(3):557–566.
View Article
Google Scholar

[3] View Article

[4] Google Scholar

[ref3] 3. Huang Q, Wong DS, Yang G. Heterogeneous signcryption with key privacy. Computer Journal. 2011; 54(4):525–536.
View Article
Google Scholar

[6] View Article

[7] Google Scholar

[ref4] 4. Li F, Zhang H, Takagi T. Efficient signcryption for heterogeneous systems. IEEE Systems Journal. 2013; 7(3):420–429.
View Article
Google Scholar

[9] View Article

[10] Google Scholar

[ref5] 5. Zhang Y, Zhang L, Zhang Y, Wang H, Wang C. CLPKC-to-TPKI heterogeneous signcryption scheme with anonymity. Acta Electronica Sinica. 2016; 44(10):2432–2439.
View Article
Google Scholar

[12] View Article

[13] Google Scholar

[ref6] 6. Li F, Han Y, Jin C. Practical access control for sensor networks in the context of the Internet of Things. Computer Communications. 2016; 89(90):154–164.
View Article
Google Scholar

[15] View Article

[16] Google Scholar

[ref7] 7. Li F, Han Y, Jin C. Practical signcryption for secure communication of wireless sensor networks. Wireless Personal Communications. 2016; 89(4):1391–1412.
View Article
Google Scholar

[18] View Article

[19] Google Scholar

[ref8] 8. Li Y, Wang C, Zhang Y, Niu S. Privacy-preserving multi-receiver signcryption scheme for heterogeneous systems. Security and Commnication Networks. 2016; 9(17):4574–4584.
View Article
Google Scholar

[21] View Article

[22] Google Scholar

[ref9] 9. Cramer R, Shoup V. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing. 2003; 33(1):167–226.
View Article
Google Scholar

[24] View Article

[25] Google Scholar

[ref10] 10. Dent AW. Hybrid signcryption schemes with outsider security. In: Information Security-ISC 2005, LNCS 3650. Springer-Verlag; 2005. p. 203–217.

[ref11] 11. Dent AW. Hybrid signcryption schemes with insider security. In: Information Security and Privacy-ACISP 2005, LNCS 3574. Springer-Verlag; 2005. p. 253–266.

[ref12] 12. Tan CH. Insider-secure signcryption KEM/tag-KEM schemes without random oracles. In: The Third International Conference on Availability, Reliability and Security-ARES; 2008. p. 1275–1281.

[ref13] 13. Smart NP. Efficient key encapsulation to multiple parties. In: proceedings of the 4th International Conference on Secuity in Communication Networks; 2005. p. 208–219.

[ref14] 14. Sun Y, Li H. ID-based signcryption KEM to multiple recipients. Chinese Journal of Clectronics. 2011; 20(2):317–322.
View Article
Google Scholar

[31] View Article

[32] Google Scholar

[ref15] 15. Li F, Shirase M, Takagi T. Identity-based hybrid signcryption. In: The Fourth International Conference on Availability, Reliability and Security(ARES 2009), IEEE Computer Society; 2009. p. 534–539.

[ref16] 16. Li F, Shirase M, Takagi T. Certificateless hybrid signcryption. In: The 5th Information Security Practice and Experience Conference (ISPEC 2009), LNCS 5451. Springer-Verlag; 2009. p. 112–123.

[ref17] 17. Yu H, Yang B. Provably secure certificateless hybrid signcryption. Chinese Journal of Computers. 2015; 38(4):804–813.
View Article
Google Scholar

[36] View Article

[37] Google Scholar

[ref18] 18. Wang C, Jiang H, Yang X, Zhang Y, Niu S. Multi-message and multi-receiver hybrid signcryption scheme based on discrete logarithm. Computer Engineering. 2016; 42(1):150–155. Available from: http://www.ecice06.com/EN/Y2016/V42/I1/150.
View Article
Google Scholar

[39] View Article

[40] Google Scholar

[ref19] 19. Tonguz O, Wisitpongphan N, Bai F, Mudalige P, Sadekar V. Broadcasting in VANET. In: IEEE; 2007. p.7–12.

[ref20] 20. Li L. Bifurcation and chaos in a discrete physiological control system. Applied Mathematics and Computation. 2015; 252(252):397–404.
View Article
Google Scholar

[43] View Article

[44] Google Scholar

[ref21] 21. Sun G, Wang C, Wu Z. Pattern dynamics of a Gierer-Meinhardt model with spatial effects. Nonlinear Dynamics. 2017; 88(2):1–12.
View Article
Google Scholar

[46] View Article

[47] Google Scholar

[ref22] 22. Li M, Jin Z, Sun G, Zhang J. Modeling direct and indirect disease transmission using multi-group model. Journal of Mathematical Analysis and Applications. 2017; 446(2):1292–1309.
View Article
Google Scholar

[49] View Article

[50] Google Scholar

[ref23] 23. Li F, Shirase M, Takagi T. Efficient multi-pkg id-based signcryption for ad hoc networks. In: Inscrypt 2008, LNCS 5487. Springer-Verlag; 2009. p. 289–304.

[ref24] 24. Horng SJ, Tzeng SF, Huang PH, Wang X, Li T, Muhammad KK. An efficient certificateless aggregate signature with conditional privacy-preserving for vehicular sensor networks. Information Sciences. 2015; 317(C):48–66.
View Article
Google Scholar

[53] View Article

[54] Google Scholar

[ref25] 25. Pointcheval D, Stern J. Security arguments for digital signatures and blind signatures. Journal of Cryptology. 2000; 13(3):361–396.
View Article
Google Scholar

[56] View Article

[57] Google Scholar

[ref26] 26. The pairing-based cryptography library. Available from: http://crypto.stanford.edu/pbc/.

Figures

Abstract

Introduction

Preliminary

Framework and security model for MHHSC

MHHSC KEM

DEM

MHHSC HSC

Security notions

Heterogeneous hybrid signcryption for multi-message and multi-receiver

Security proof

Confidentiality

Unforgeability

Performance evaluation

Functionality comparison

Computational overhead comparison

Conclusion

Acknowledgments

References