An Efficient Generic Insider Secure Signcryption with Non-Interactive Non-Repudiation

Abstract

We present a generic construction of an insider secure signcryption scheme with non-interactive non-repudiation. Our construction uses as building blocks a signature scheme, a key encapsulation mechanism (KEM), a keyed hash function, a symmetric encryption scheme, and a pseudo-random function. We show that our construction is insider secure in the dynamic multi-user model, without resorting the random oracle or the key registration model. Our generic scheme provides also non-interactive non-repudiation.

A Proof of Lemma 1

Let \(\mathcal {A}\) be an adversary playing Game 1. We build an adversary \(\mathcal {B}\) against the collision (with identical prefix) resistance of \(\textsf{H}\) a follows.

1. 1)

   \(\mathcal {B}\) receives from its challenger and sends \(\tau _0\) to \(\mathcal {A}\).

2. 2)

   When \(\mathcal {B}\) receives \((p_0, m_0, s_0)\) from \(\mathcal {A}\), it chooses and computes \(\tau ''_0\leftarrow \textsf{Prf}(\tau ', m_0)\), \(\hat{m}_0\leftarrow \textsf{H}(\tau _0, (p_0, \tau , \tau ', \tau '', s_0))\) and sends \(\hat{m}_0\) to \(\mathcal {A}\).

3. 3)

   When \(\mathcal {A}\) outputs \((\tau ^*, \tau '^*)\) such that \(\hat{m}_0=\hat{m}^*_0\leftarrow \textsf{H}(\tau _0, (p_0, \tau ^*, \tau '^*, \tau ''^*, s_0))\) wherein \(\tau ''^*\leftarrow \textsf{Prf}(\tau '^*, m_0)\), if \((\tau , \tau ')\ne (\tau ^*, \tau '^*)\) then \(\mathcal {B}\) outputs \((s, s')\) wherein \(s=(p_0, \tau , \tau ', \tau '', s_0)\) and \(s'=(p_0, \tau ^*, \tau '^*, \tau ''^*, s_0)\) as messages with identical prefix \(p_0\) and colliding hashes under \(\tau _0\).

Let \(\textsf{bad}\) be the event: the chosen pair \((\tau , \tau ')\) is such that for all \((\bar{\tau }, \bar{\tau }')\ne (\tau , \tau ')\), \(\hat{m}_0\ne \textsf{H}(\tau _0, (p_0, \bar{\tau }, \bar{\tau }', \bar{\tau }'', s_0))\), i. e. there is no other pair \((\bar{\tau }, \bar{\tau }')\in \textbf{K}^2\) such that \(\textsf{H}(\tau _0, (p_0, \bar{\tau }, \bar{\tau }', \bar{\tau }'', s_0)) =\textsf{H}(\tau _0, (p_0, \tau , \tau ', \tau '', s_0))\). It holds that

$$\Pr (\textsf{bad})\leqslant |\textbf{T}|/|\textbf{K}|^2.$$

If \(\textsf{Succ}_{\mathcal {A}, \textsf{H}}\) denotes the event \(\mathcal {A}\) succeeds in Game 1,

$$ \begin{array}{lcl} \Pr (\textsf{Succ}_{\mathcal {A}, \textsf{H}}) &{} = &{} \Pr (\textsf{Succ}_{\mathcal {A}, \textsf{H}}\wedge \textsf{bad}) + \Pr (\textsf{Succ}_{\mathcal {A}, \textsf{H}}\wedge \lnot \textsf{bad}) \\ &{} \leqslant &{} \Pr (\textsf{bad})+ \Pr (\textsf{Succ}_{\mathcal {A}, \textsf{H}}\wedge \lnot \textsf{bad}). \end{array} $$

Now let \(\textsf{Eq}\) be the event \((\tau , \tau ')=(\tau ^*, \tau '^*)\).

$$\Pr (\textsf{Succ}_{\mathcal {A}, \textsf{H}}\wedge \lnot \textsf{bad}) = \Pr (\textsf{Succ}_{\mathcal {A}, \textsf{H}}\wedge \lnot \textsf{bad}\wedge \textsf{Eq}) + \Pr (\textsf{Succ}_{\mathcal {A}, \textsf{H}}\wedge \lnot \textsf{bad}\wedge \lnot \textsf{Eq}).$$

Now, as if \(\textsf{Succ}_{\mathcal {A}, \textsf{H}}\wedge \lnot \textsf{bad}\) occurs, there at least one \((\tau ^*, \tau '^*)\ne (\tau , \tau ')\) such that \(\hat{m}_0=\hat{m}^*_0\leftarrow \textsf{H}(\tau _0, (p_0, \tau ^*, \tau '^*, \tau ''^*, s_0))\), and \(\mathcal {A}\) has no information about \((\tau , \tau ')\) besides \(\hat{m}_0\), it holds that

$$\Pr (\textsf{Succ}_{\mathcal {A}, \textsf{H}}\wedge \lnot \textsf{bad}\wedge \textsf{Eq}) \leqslant \Pr (\textsf{Succ}_{\mathcal {A}, \textsf{H}}\wedge \lnot \textsf{bad}\wedge \lnot \textsf{Eq}).$$

Hence

$$\Pr (\textsf{Succ}_{\mathcal {A}, \textsf{H}})\leqslant |\textbf{T}|/|\textbf{K}|^2 + 2 \Pr (\textsf{Succ}_{\mathcal {A}, \textsf{H}}\wedge \lnot \textsf{bad}\wedge \lnot \textsf{Eq}).$$

And, whenever \(\textsf{Succ}_{\mathcal {A}, \textsf{H}}\wedge \lnot \textsf{bad}\wedge \lnot \textsf{Eq}\) occurs \(\mathcal {B}\) outputs \(s, s'\) with identical prefix such that \(\textsf{H}(\tau _0,s)=\textsf{H}(\tau _0, s')\).   \(\square \)