A Provably Secure ID-Based Signcryption Protocol for Secure and Authentic Energy Efficient Communication

Signcryption was first proposed by Yuliang Zheng in 1997, based on a shortened ElGamal-based signature scheme run in parallel with symmetric-key authenticated encryption. Signcryption is a cryptographic primitive that performs the conventional two-step method of secure and authenticated message transmission or storage (sign-then-encrypt or encrypt-then-sign) in a single step, at a much lower computational cost than the traditional two-step approach. This article concentrates on designing a provably secure identity-based signcryption (IBSC) scheme. In the proposed scheme the user performs pairing-free computation during signcryption, which makes it efficient on the user side. In addition, the IBSC construction is shown to be secure under the modified bilinear Diffie-Hellman inversion (MBDHI) and modified bilinear strong Diffie-Hellman (MBSDH) assumptions. According to the performance comparison of the IBSC with related schemes, the proposed framework supports efficient communication, indistinguishability under chosen-ciphertext attack, and existential unforgeability under chosen-message attack.


Introduction
Achieving secure and authenticated message transmission or storage has been one of the major interests of computer and communication security research. From the beginnings of public key infrastructure (PKI) until 1997, the standard way to obtain this objective was the two-step approach: signature then encryption, or encryption then signature, under a randomly chosen key. In 1997 the presence of a redundant parameter (in the sense that it is not explicitly contained in the signature) in a shortened ElGamal-based signature scheme motivated Zheng [1] to introduce a new cryptographic primitive, called "signcryption", for authentic message delivery or storage. The main aim of signcryption is to provide authentication and non-repudiation of the signature together with confidentiality of the message in a single step, at lower computational cost than the traditional two-step approach. This makes the primitive useful in numerous real-time applications such as communication between unmanned vehicles, secure e-mail, broadcast communication with multiple recipients, and electronic commerce. In addition, Steinfeld et al. [2] and Malone-Lee et al. [3] introduced efficient signcryption schemes based on the factorization problem and on the RSA trapdoor one-way function, respectively.
In 1984, Shamir introduced the concept of identity-based cryptography (IBC). The main motivation behind IBC was to remove many practical problems of certificate management in a public key infrastructure, such as verifying the authenticity of a receiver's public key, certificate revocation by the Certifying Authority (CA) and user credential management (this predates the SSL and TLS protocols). The idea behind IBC is that the public key can be any string in $\{0,1\}^*$, such as an e-mail address or phone number, without the need for a CA. To make such a system work, a trusted authority known as the Private Key Generator (PKG) derives the user's private key from the user's identity and its own master key, and sends it to the user over a secure channel. In such a system the sender can impose a set of rules on the receiver before the PKG releases the receiver's private key; thus, in IBC the PKG acts as a policy enforcer, which mitigates many of the practical problems inherent in the CA system. Note that the PKG can derive every user's private key, so it must be fully trusted (key escrow). In 2001, Boneh et al. [5] introduced the first practical identity-based encryption scheme, built from bilinear pairings. Since then numerous identity-based cryptosystems following the approach of [5] have been designed [6][7][8][9].
In 2002, Malone-Lee [10] proposed the first ID-based signcryption scheme. Libert et al. [11] found that this scheme is not semantically secure and introduced three new IBSC schemes that capture the insider security model and offer public verifiability. Since then numerous efficient IBSC schemes [12][13][14][15][16] have been proposed. The security proofs of all of the above schemes are formulated in (or rely upon) the random oracle model of Bellare and Rogaway [17]. Although the model is useful, it has been criticised [18]: a proof in the random oracle model only establishes that the scheme works when the hash function behaves like a random oracle, and real-world hash functions are not random oracles. Canetti et al. [19] and Bellare et al. [20] have also exhibited security problems that arise from relying on the random oracle model. Designing identity-based signcryption without random oracles has therefore been an important and interesting problem. In 2009 Yu et al. [18] introduced the first IBSC in the standard (ST) model, building on the scheme of Paterson et al. [21] and Waters' IBE scheme [22]. In the following year (2010) their scheme was shown to be insecure even under chosen-plaintext attack in [23][24][25]. Meanwhile Ren et al. [26] proposed an IBSC scheme based on Gentry's [27] approach, and Wang et al. [28] identified weaknesses in [26] against both confidentiality and existential unforgeability. Then, based on Waters' IBE, Jin et al. [29] provided an improved semantically secure scheme, but it achieves neither IND-CCA2 nor EUF-CMA security, as discussed in [30]. Another scheme was proposed by Zhang [25]. We find that [25] is not IND-CCA2 secure: given the challenge ciphertext $\sigma^*$, the adversary can guess in advance that it is an encryption of $m_0$, compute $R = \sigma^*_1 \cdot m_0^{-1}$, $t = H_1(m_0 \| R)$ and $m = H_2(g^{t} h^{\sigma^*_6})$, check whether the signature equation holds, and thereby decide whether $m_0$ or $m_1$ is the plaintext of the challenge ciphertext [31].
Thereafter, in 2016, Ming and Wang [32] demonstrated with concrete attacks that the scheme proposed by Li et al. [33] is not IND-CCA2 secure. In 2020 Dharminder et al. [34] proposed a new scheme, but it too fails to achieve IND-CCA2 security. In conclusion, to the best of our knowledge, the majority of ID-based signcryption schemes proposed thus far are not provably secure. This motivates us to design a new signcryption scheme whose security can be proven.

Our contribution
In this article we propose a provably secure identity-based signcryption scheme that does not rely on the random oracle model. Our scheme achieves the IND-CCA2 property (indistinguishability under adaptive chosen-ciphertext attack). In addition, the scheme is computationally efficient owing to pairing-free computation on the user side and the use of symmetric-key encryption. The proposed work shows that an implementation of the scheme can ensure the confidentiality and authenticity of the data transmitted.

Paper Organisation:
The rest of the paper is organised as follows. Section 2 covers the preliminaries. Section 3 introduces the formal IBSC model, and Section 4 defines the scheme. Section 5 presents the most critical part of the work, the security proof. Section 6 compares the performance of the scheme with that of related signcryption schemes, followed by a discussion in Section 7.

Preliminaries
This section covers the fundamental tools and definitions of bilinear pairings, as well as the computationally hard problems on which our scheme is built [5,11,12,16,21,22].

Bilinear Pairings
Let $G_1$ and $G_2$ be two multiplicative groups of prime order $q$, and let $\Phi : G_1 \times G_1 \to G_2$ be a map. We say that $\Phi$ is a bilinear pairing if it satisfies the following three properties.

Hard Assumption
In this subsection we describe the hard problems on which the security of the proposed scheme rests.

Formal Model of IBSC
This section gives the basic definition of, and the security notions for, our proposed IBSC scheme.

Generic model
An IBSC consists of the following four algorithms.
- Setup: The private key generator (PKG) executes the setup algorithm under security parameter $1^k$ and produces the system's public parameters paramts and a master key MK. The PKG then publishes paramts and stores MK in a secure location.
- Extract: The PKG runs the key generation algorithm with its master key MK and the identity $ID_A \in \{0,1\}^*$ of user A, and creates the private key $SK_A$, which it delivers to A over a secure channel.
- Signcrypt: Given a message $m$, the sender's private key $SK_A$ and the receiver's identity $ID_B$, this algorithm outputs the signcryptext $c$.
- Unsigncrypt: Given $c$, the sender's identity $ID_A$ and the receiver's private key $SK_B$, this algorithm outputs the message $m$, or the symbol $\bot$ if the signcryptext is invalid.
The schematic representation of an IBSC model is illustrated in Figure 1.

Security Notions
Our proposed scheme satisfies the two main IBSC security notions defined below.

Definition 5
An IBSC is IND-CCA2 secure (indistinguishable under adaptive chosen-ciphertext attack) if no polynomially bounded adversary A has a non-negligible advantage in the following game played against a challenger C.
Initial: C runs the setup phase under security parameter $1^k$ and obtains paramts and a master key MK. C sends paramts to A and keeps MK secret.
Phase-1: A performs a polynomially bounded number of queries, adaptively, as follows.
1. Key-generation: A chooses $ID_A$ and submits it to C; C computes $SK_A = \mathrm{Extract}(ID_A)$ and sends $SK_A$ to A.
2. Signcryption: A submits $(m, ID_A, ID_B)$; C returns $\mathrm{Signcryption}(m, SK_A, ID_B)$.
3. Unsigncryption: A submits $(c, ID_A, ID_B)$; C returns $\mathrm{Unsigncryption}(c, ID_A, SK_B)$, i.e. the message or $\bot$.
Challenge: When A decides that Phase-1 is over, it chooses two messages $m_0, m_1 \in \{0,1\}^k$ and two identities $ID^*_A$ and $ID^*_B$ on which it wishes to be challenged, and sends them to C. A must not have asked for $SK^*_B$ in Phase-1. C selects a random bit $b \in \{0,1\}$, computes $c^* = \mathrm{Signcryption}(m_b, SK^*_A, ID^*_B)$ and sends the challenge $c^*$ to A.
Phase-2: A receives $c^*$ and, as in Phase-1, adaptively performs a polynomially bounded number of queries, except that it may not ask for $SK^*_B$ or for $\mathrm{Unsigncryption}(c^*, ID^*_A, SK^*_B)$.
Guess: At the end of Phase-2, A outputs a bit $b'$ and wins the game if $b' = b$.

Definition 6
An IBSC is EUF-CMA secure (existentially unforgeable under adaptive chosen-message attack) if no polynomially bounded adversary A has a non-negligible advantage in the EUF-CMA game defined below.
EUF-CMA game: C runs Setup($1^k$), generates the parameters and sends them to A, who then issues queries exactly as in Phase-1 of Definition 5. Finally, A outputs a triple $(c', ID_A, ID_B)$ as a forgery, where the private key $SK_A$ was never extracted during the attack. A wins the game if $\mathrm{Unsigncryption}(c', ID_A, SK_B)$ returns a value other than $\bot$.
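The following is an added example, not code from the paper or from any of the cited schemes. It serves two passages at once: the introduction's description of Zheng's construction (a shortened ElGamal signature run in parallel with symmetric encryption, so the sender pays a single exponentiation and no separate verification step), and Definitions 5 and 6, whose query restrictions are enforced by a small challenger object. It uses a constructed 11-bit toy group and stdlib primitives only, so it is an illustration and not a secure implementation; all names (`keygen`, `signcrypt`, `Challenger`, and so on) are ours.

```python
# Added example (not from the paper): Zheng-style signcryption in a toy group,
# plus a challenger enforcing the IND-CCA2 / EUF-CMA game rules of
# Definitions 5 and 6. Constructed toy parameters: NOT secure.
import hashlib
import hmac
import secrets

# Constructed toy parameters: p = 2q + 1 is a safe prime and g = 4 has order q.
P, Q, G = 2039, 1019, 4

def keygen():
    """Return (private x, public y = g^x mod p) for one user."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def _kdf(shared):
    """Hash the shared group element into an encryption key k1 and a MAC key k2."""
    d = hashlib.sha256(shared.to_bytes(2, "big")).digest()
    return d[:16], d[16:]

def _xor_stream(k1, data):
    """SHA-256 counter-mode keystream; stands in for the page's symmetric (E, D)."""
    out = bytearray()
    for i, byte in enumerate(data):
        block = hashlib.sha256(k1 + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)

def signcrypt(m, x_a, y_b):
    """Sender A: key from y_b^x; shortened ElGamal signature s = x/(r + x_a) mod q."""
    while True:
        x = secrets.randbelow(Q - 1) + 1
        k1, k2 = _kdf(pow(y_b, x, P))
        r = hmac.new(k2, m, "sha256").digest()          # keyed hash of m
        denom = (int.from_bytes(r, "big") + x_a) % Q
        if denom:                                        # skip the negligible zero case
            break
    s = x * pow(denom, -1, Q) % Q
    return _xor_stream(k1, m), r, s

def unsigncrypt(ct, y_a, x_b):
    """Receiver B: (y_a * g^r)^(s*x_b) = g^(x*x_b) = y_b^x recovers the key;
    a failed keyed-hash check means tampering or forgery and returns None (⊥)."""
    c, r, s = ct
    r_q = int.from_bytes(r, "big") % Q
    k1, k2 = _kdf(pow(y_a * pow(G, r_q, P) % P, s * x_b % Q, P))
    m = _xor_stream(k1, c)
    if not hmac.compare_digest(hmac.new(k2, m, "sha256").digest(), r):
        return None
    return m

class Challenger:
    """C in the games of Definitions 5 and 6: issues keys, answers oracle
    queries and refuses exactly the queries the definitions forbid."""
    def __init__(self):
        self.keys, self.extracted, self.oracle_outputs = {}, set(), set()
        self.challenge, self.bit = None, None

    def public_key(self, uid):
        if uid not in self.keys:
            self.keys[uid] = keygen()
        return self.keys[uid][1]

    def extract(self, uid):
        """Key-generation query; SK_B* is off limits once the challenge is out."""
        if self.challenge and uid == self.challenge[2]:
            raise PermissionError("Phase-2: SK_B* may not be extracted")
        self.public_key(uid)
        self.extracted.add(uid)
        return self.keys[uid][0]

    def signcrypt_query(self, m, a, b):
        self.public_key(a)
        ct = signcrypt(m, self.keys[a][0], self.public_key(b))
        self.oracle_outputs.add((ct, a, b))
        return ct

    def unsigncrypt_query(self, ct, a, b):
        if self.challenge == (ct, a, b):
            raise PermissionError("Phase-2: c* may not be unsigncrypted")
        self.public_key(b)
        return unsigncrypt(ct, self.public_key(a), self.keys[b][0])

    def challenge_query(self, m0, m1, a, b):
        if b in self.extracted or len(m0) != len(m1):
            raise ValueError("SK_B* already extracted, or messages differ in length")
        self.bit = secrets.randbits(1)
        ct = self.signcrypt_query((m0, m1)[self.bit], a, b)
        self.challenge = (ct, a, b)
        return ct

    def guess(self, bit):                # IND-CCA2: A wins iff b' == b
        return bit == self.bit

    def forgery(self, ct, a, b):
        """EUF-CMA: A wins iff SK_A was never extracted, ct is not an output of
        the signcryption oracle (the usual strengthening of the text's
        definition) and Unsigncryption does not return ⊥."""
        if a in self.extracted or (ct, a, b) in self.oracle_outputs:
            return False
        self.public_key(b)
        return unsigncrypt(ct, self.public_key(a), self.keys[b][0]) is not None
```

Two points worth noticing when reading the challenger against the definitions. First, Definition 6 as written only forbids extracting $SK_A$; without also excluding ciphertexts that the signcryption oracle itself produced, a replay of an oracle answer would count as a forgery, which is why `forgery` tracks `oracle_outputs`. Second, the only reason `unsigncrypt` can refuse anything at all is the keyed hash $r$ over the recovered plaintext; flipping a single ciphertext byte changes the recovered $m$ and therefore the recomputed tag, and that rejection is what an IND-CCA2 adversary's Phase-2 unsigncryption queries are trying to get around.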

Proposed provable secure signcryption scheme
We describe the signcryption in four phases, namely (1) setup, (2) key extraction, (3) signcryption and (4) unsigncryption. Setup generates the essential parameters of the PKG, and key extraction generates the private key of each user, whether sender or receiver. The scheme has the following architecture.
Setup ($1^\kappa$): The PKG executes the setup algorithm under security parameter $\kappa$ and generates two groups $(G_1, G_2)$ of order $q$, where $q$ is a large prime, a generator $g \in G_1$, a bilinear map $\Phi : G_1 \times G_1 \to G_2$, a symmetric encryption/decryption pair $(E, D)$ and a collision-resistant hash function $H : \{0,1\}^* \to Z_q^*$. It then chooses random elements of $G_1$ and random $s, k \in Z_q^*$, and computes the public values (with exponents $ks$, $k$ and $s$ respectively) and $Z = \Phi(g, g)$.
Unsigncryption: The receiver B obtains the signcryptext $c = (c_1, c_2, c_3, \vartheta)$ and decrypts $c$ as follows:

Security and correctness analysis
We analyse the signcryption under the MBDHI and MBSDH assumptions through a game between a challenger C and an adversary A, in which C uses A as a subroutine: if A could break the scheme, C would solve an arbitrary instance of the underlying hard problem. Theorem 4.1 establishes the correctness of the scheme, while Theorems 4.2 and 4.3 establish its confidentiality and unforgeability respectively.
Theorem 4.1. The proposed signcryption is correct: if sender A follows the signcryption algorithm, then receiver B, holding the correct secret key, always recovers the message.
Proof. The receiver B holds $SK_B = (w_1, w_2)$, where $w_1 = g^{1/(k(s + ID_B))}$ and $w_2 = w_1^{s}$, and recomputes $c_2$. Using equation (1), B then recovers $d$, and by equation (2) computes $m = d^{-1} \cdot c_3$, which is the correct message. Finally, B confirms the verification with the help of equations (1) and (2).
Theorem 4.2. Suppose an adversary A breaks the confidentiality of the proposed scheme in the sense of Definitions (5) and (6) with some (however small) non-negligible advantage, making at most $q_e$ private key extraction queries, $q_1$ signcryption queries and $q_2$ unsigncryption queries in time $t$. Then one can build an algorithm (distinguisher) B that solves a problem instance in time $t + O((6q_e + 5q_1 + 4q_2)T_e + q_1 T_p)$, where $T_e$ is the cost of one exponentiation and $T_p$ the cost of one pairing.
Proof. If A breaks the security of the proposed scheme, then one can build an algorithm B that solves the decisional version of the q-MBDHI problem using A as a subroutine. B has to distinguish $\Phi(g,g)^{1/x^2}$ from $\Phi(g,g)^{z}$, given $\langle g, g^{x}, g^{x^2}, \dots, g^{x^q} \rangle$ for a random $x \leftarrow Z_q^*$. For simplicity write $I_i = g^{x^i}$ for $i \in Z_q$. The challenger C chooses a random bit $b \in \{0,1\}$: if $b = 0$ it sets $Z' = \Phi(g,g)^{1/x^2}$, otherwise it sets $Z' = \Phi(g,g)^{z}$ for a random $z \leftarrow Z_q^*$, and sends $(Z', T, H)$ to B.
Phase 1: A asks a polynomial number of queries of the kinds $q_i$ discussed above.
Extraction queries: If A submits a query for the secret key of identity $ID_i$, then B chooses polynomials of degree $(q - 4)$ of the form $F_{\omega_1, ID_i}(y) = P(y) + \frac{1}{y(y + ID_i)(x + ID_i)}$ and returns $sk_i = (w_1, w_2)$ to A as the reply for $ID_i$.
Signcryption queries: When A submits a query $(m_i, ID_{A_i}, ID_{B_i})$, B generates the corresponding secret key $SK_B$ as in the extraction phase and returns the signcryptext.
Challenge: (1) B chooses a random $r \leftarrow Z_q^*$ and computes the challenge components. B then sends the challenge $c^*$ to A, under the implicit assignment $k = x\beta$, $1 = kx$, $2 = k$, $3 = x$ and $\kappa = H(\Phi(g, g)\dots)$.
Time analysis: In the extraction, signcryption and unsigncryption phases the oracles require $3q_e T_e$, $5q_1 T_e$ and $(5T_e + T_p)q_2$ operations respectively. Therefore B succeeds in the game in time $t' = t + O((6q_e + 5q_1 + 4q_2)T_e + q_1 T_p)$.
Proof. If A can break the unforgeability of the proposed signcryption, then one can develop an algorithm B for the q-MBSDH problem using A as a subroutine. Let $T = \langle g, g^{x}, g^{x^2}, \dots, g^{x^q} \rangle$, for a random $x \leftarrow Z_q^*$, be the random instance sent by the challenger C. B tries to compute the correct $\rho = \Phi(g,g)^{\frac{k_1 + x}{k_2 + x}}$ for some random $k_1, k_2 \leftarrow Z_q^*$. C publishes all parameters $(p, G_1, G_2, \Phi, T, H)$ as in Theorem 4.2, with $I_i = g^{x^i}$ for $i \in Z_q$.
Setup: B runs the setup phase as in Theorem 4.2 and publishes paramts = (g, , 1, 2, 3, $\Phi$, Z, H), keeping the master key $MK = \beta$ secret. A then asks at most $q_s$ queries, one at a time.
Extraction queries: B proceeds as in Theorem 4.2 and generates $w_1$ and $w_2$, with $w_2 = g^{1/(x + ID_i)}$, and returns $sk_i = (w_1, w_2)$ to A for the identity $ID_i$.
To answer the challenge $(m^*, c^*, ID^*_A, ID^*_B)$ with a correct signcryptext, B spends $3q_e T_e$, $5q_1 T_e$ and $(4T_e + T_p)q_2$ operations on the extraction, signcryption and unsigncryption queries respectively. Therefore B runs in time $t' = t + O((2q_e + 4q_1 + 4q_2)T_e + q_2 T_p)$ and breaks the q-MBSDH assumption, which contradicts its hardness; hence no such adversary A exists.

Performance analysis
The public parameters of the scheme are the groups $G_1$ and $G_2$, the bilinear map $\Phi$ and a collision-resistant hash function; the scheme is efficient because the sender performs no pairing during signcryption. The signcryptext $c = (c_1, c_2, c_3, \vartheta)$ has size $|c| = 2|G_1| + |\mathrm{AES}| + |\mathrm{Hash}|$ in terms of its components, where the hash output is 160 bits, an element of $Z_q^*$ is 1024 bits, the symmetric ciphertext $E_{sym}$ is 128 bits, the message $m$ is 128 bits, an element of $G_2$ is 1024 bits and an element of $G_1$ is 160 bits. The total costs of the schemes [18,29,33,34,36,37] are given in Figure 4. The costs of the individual cryptographic operations, taken from [34], are: one bilinear pairing $t_p \approx 2.485$ ms, one exponentiation $t_e \approx 0.311$ ms in $G_1$ and $0.058$ ms in $G_2$, one point addition $t_a \approx 0.001$ ms, one point multiplication $t_m \approx 0.317$ ms, one group inversion $t_i \approx 0.009$ ms, one symmetric encryption $t_{sym} \approx 0.0817$ ms and one hash $t_h \approx 0.004$ ms. These timings were measured on a Sony i5 personal computer with an Intel i5-2310M CPU at 2.10 GHz and 2 GB of RAM running Ubuntu 14.04.

Conclusion
This article presents an efficient and secure signcryption scheme based on the MBDHI and MBSDH hard problems. The scheme achieves confidentiality in the sense of indistinguishability under chosen-ciphertext attack and authenticity in the sense of existential unforgeability under chosen-message attack. It is efficient on the user side because the user-side computation is pairing-free. The proposed scheme has been compared with related schemes in terms of computation and communication cost, and is therefore well suited to settings where confidentiality and authenticity are both required in a single step. In future it can be applied to e-mail, e-transactions and e-commerce.