Abstract
This article proposes a hybrid certificateless signcryption scheme that is secure against adaptive chosen ciphertext adversaries in the random oracle model. The scheme combines an asymmetric encryption that is one-way against chosen plaintext attack with any one-time secure symmetric encryption scheme, using the Fujisaki–Okamoto transformation. Unlike many Fujisaki–Okamoto based constructions, which ensure message integrity alone, this scheme provides entity authentication in addition. By choosing a hash function that exploits the advantages of the sponge construction, the scheme lets the user incorporate any one-time secure symmetric encryption by re-configuring the input/output parameters. The Fujisaki–Okamoto transformation, which is currently a standard in hybrid constructions, guarantees indistinguishability against adaptive chosen ciphertext attack. The freedom to choose the symmetric encryption allows the scheme to be implemented for all sorts of cryptographic requirements, including those in wireless communication.
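As an added illustration of the Fujisaki–Okamoto combination the abstract describes (not the paper's certificateless scheme and not the authors' code), the following Python toy pairs a deterministic ElGamal encryption of a random seed σ with a one-time pad whose key is drawn from a sponge-based XOF (SHAKE256), so the symmetric key length follows the message length; decryption recomputes the coins from (σ, m), re-encrypts, and rejects any ciphertext that does not match. The toy group, the generator, and the roles of H and G are assumptions for illustration only.

```python
import hashlib
import secrets

# Toy group for illustration only: the Mersenne prime 2^61 - 1 and an assumed generator.
P = (1 << 61) - 1
G = 3

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk

def asym_encrypt(pk, sigma, r):
    # Toy ElGamal; deterministic once the coin r is fixed, which the FO check relies on.
    return pow(G, r, P), (sigma * pow(pk, r, P)) % P

def asym_decrypt(sk, c1):
    u, v = c1
    return (v * pow(pow(u, sk, P), -1, P)) % P

def h_coins(sigma, m):
    # H: derive the asymmetric coins from (sigma, m), as in the FO transform.
    d = hashlib.sha256(b"H" + sigma.to_bytes(8, "big") + m).digest()
    return int.from_bytes(d, "big") % (P - 2) + 1

def g_keystream(sigma, n):
    # G: sponge-based XOF, so the one-time key is sized to the message (assumed role).
    return hashlib.shake_256(b"G" + sigma.to_bytes(8, "big")).digest(n)

def otp(key, data):
    return bytes(a ^ b for a, b in zip(key, data))

def hybrid_encrypt(pk, m):
    sigma = secrets.randbelow(P - 1) + 1          # fresh seed per message
    c1 = asym_encrypt(pk, sigma, h_coins(sigma, m))
    c2 = otp(g_keystream(sigma, len(m)), m)
    return c1, c2

def hybrid_decrypt(sk, pk, ct):
    c1, c2 = ct
    sigma = asym_decrypt(sk, c1)
    m = otp(g_keystream(sigma, len(c2)), c2)
    # FO validity check: re-encrypt with the recomputed coins and reject on mismatch,
    # so a modified (c1, c2) never yields a plaintext to a chosen-ciphertext adversary.
    if asym_encrypt(pk, sigma, h_coins(sigma, m)) != c1:
        return None
    return m
```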
Data availability
Data sharing is not applicable to this article as no datasets were generated or analysed during the current study.
Code availability
Not applicable.
Acknowledgements
The first author acknowledges the Council of Scientific and Industrial Research for financial support (09/942(0015)/2017-EMR-I).
Appendix
Lemma 3
Let \(A_1,A_2,B_1,B_2\) be events defined on the same probability space. Let \(\text{Pr}[B_1]= \text{Pr}[B_2]\) and \(\text{Pr}[A_1\wedge \lnot B_1]= \text{Pr}[A_2\wedge \lnot B_2]\). Then \(\text{Pr}[A_1]- \text{Pr}[A_2]\le \text{Pr}[B_2]=\text{Pr}[B_1]\).
Proof
We have \(A_1=A_1\wedge (B_1\vee \lnot B_1)\implies \text{Pr}[A_1]=\text{Pr}[A_1\wedge (B_1\vee \lnot B_1)]=\text{Pr}[(A_1\wedge B_1)\vee (A_1\wedge \lnot B_1)]=\text{Pr}[A_1\wedge B_1]+\text{Pr}[A_1\wedge \lnot B_1]\).
Similarly \(\text{Pr}[A_2]= \text{Pr}[A_2\wedge B_2]+\text{Pr}[A_2\wedge \lnot B_2]\implies \text{Pr}[A_1]-\text{Pr}[A_2]=\text{Pr}[A_1\wedge B_1]-\text{Pr}[A_2\wedge B_2]\).
Now since \(\text{Pr}[A_1\wedge B_1]\le \text{Pr}[B_1]\) and \(\text{Pr}[A_2\wedge B_2]\ge 0\), we have \(\text{Pr}[A_1]-\text{Pr}[A_2]\le \text{Pr}[B_1]=\text{Pr}[B_2]\).
Lemma 4
Let \(\Pi ^\text{asy}\) be \((t^\text{asy},\epsilon ^\text{asy})\)-OWE, where \(t^\text{asy}\ge t^\text{hy}+q_dT^\text{asy}(k)+q_h O(k)\). Then \(\text{Pr}[Ask\, \sigma ^*_4]\le q_h\epsilon ^\text{asy}\).
Proof
Suppose \(\mathbb{A}^\text{asy}\) is a \(t^\text{asy}\)-time adversary attacking \(\Pi ^\text{asy}\) in the sense of OWE with advantage \(\epsilon ^\text{asy}\), where \(t^\text{asy}= t^\text{hy}+q_dT^\text{asy}(k)+q_h O(k)\). The advantage of \(\mathbb{A}^\text{asy}= \text{Pr}[(pk,sk)\leftarrow \mathcal{K}^\text{asy}(1^k);x\leftarrow \mathcal{P}^\text{asy};y\leftarrow \mathcal{E}^\text{asy}_{pk}(x): \mathbb{A}^\text{asy}(pk,y)=\mathcal{D}^\text{asy}_{sk}(y)]\). We construct \(\mathbb{A}^\text{asy}\) by using \(\mathbb{A}^\text{hy}=(\mathbb{A}_1^\text{hy},\mathbb{A}^\text{hy}_2)\) in game \(Hybrid_4\) as follows.
1. Let y be the challenge ciphertext. \(\mathbb{A}^\text{asy}\) takes (pk, y) as input.
2. \(\mathbb{A}^\text{asy}\) chooses \(a^*\in _R \mathcal{K}^\text{sy}\) and runs \(\mathbb{A}_1^\text{hy}\) on input pk.
3. When \(\mathbb{A}_1^\text{hy}\) submits queries to the oracles \(H_1,H_2,H_3\) and \(\mathcal{D}^\text{hy}_{sk}\), \(\mathbb{A}^\text{asy}\) simulates them as in game \(Hybrid_4\) and collects the tuple \((m_0,m_1,s)\) output by \(\mathbb{A}_1^\text{hy}\).
4. \(\mathbb{A}^\text{asy}\) chooses \(b\in _R\{0,1\}\) and sets \((C_1^*,C_2^*)=(y, \mathcal{E}_{a^*}^\text{sy}(m_b))\). \(\mathbb{A}^\text{asy}\) runs \(\mathbb{A}_2^\text{hy}\) on input \((C_1^*,C_2^*,s)\).
5. When \(\mathbb{A}_2^\text{hy}\) submits queries to the oracles \(H_1,H_2,H_3\) and \(\mathcal{D}^\text{hy}_{sk}\), \(\mathbb{A}^\text{asy}\) simulates them as in game \(Hybrid_4\).
6. Upon the halt of \(\mathbb{A}_2^\text{hy}\), \(\mathbb{A}^\text{asy}\) selects \(i\in _R\{1,2,\ldots ,q_h\}\) and outputs the \(\sigma\) in the ith query to the random oracles.
It is seen that, conditioned on the event that \(\mathbb{A}^\text{hy}\) submits \(\sigma ^*\) to the different oracles in the respective input format wherever \(\sigma ^*\) comes into play, \(\mathbb{A}^\text{asy}\) outputs \(\sigma ^*\) with probability \(\frac{1}{q_h}\). The simulation of all the oracles altogether makes \(\mathbb{A}^\text{asy}\) select \(q_h\) random values in total costing \(q_hO(k)\). Hence the running time of \(\mathbb{A}^\text{asy}\) is \(t^\text{hy}+q_dT^\text{asy}(k)+q_hO(k)\). By construction, it is clear that the views of \(\mathbb{A}^\text{hy}\) and \(Hybrid_4\) are identical, if
By our assumption that \(\Pi ^\text{asy}\) is \((t^\text{asy},\epsilon ^\text{asy})\)-OWE, the probability that \(\mathbb{A}^\text{asy}\) outputs \(\mathcal{D}^\text{asy}_{sk}(C_1^*:=\sigma ^*)\) is bounded by \(\epsilon ^\text{asy}\). Since \(Ask\, \sigma ^*_4\) implies that \(\mathbb{A}^\text{hy}\) submits \(\sigma ^*\) to \(H_1\) or \((\sigma ^*,\cdot )\) to \(H_2\) in game \(Hybrid_4\), we obtain \(\text{Pr}[Ask\,\sigma ^*_4]\le q_h\epsilon ^\text{asy}\).
Lemma 5
Let \(\Pi ^\text{sy}\) be \((t^\text{sy},\epsilon ^\text{sy})\)-OT, where \(t^\text{sy}\ge t^\text{hy}+(q_d+1)T^\text{asy}(k)+q_h O(k)\). Then \(\text{Pr}[S_4]\le \text{Pr}[Succ \mathbb{A}^\text{sy}]\) and hence \(2\text{Pr}[S_4]-1\le \epsilon ^\text{sy}\).
Proof
Suppose \(\mathbb{A}^\text{sy}\) is a \(t^\text{sy}\)-time adversary attacking \(\Pi ^\text{sy}\) in the sense of OT with advantage \(\epsilon ^\text{sy}\), where \(t^\text{sy}= t^\text{hy}+(q_d+1)T^\text{asy}(k)+q_h O(k)\). The advantage of \(\mathbb{A}^\text{sy}= 2\cdot \text{Pr}[\kappa \leftarrow \mathcal{K}^\text{sy};(m_0,m_1,s)\leftarrow \mathbb{A}_1^\text{sy}(1^k);b\in _R\{0,1\};C_2\leftarrow \mathcal{E}^\text{sy}_\kappa (m_b): \mathbb{A}^\text{sy}(C_2,s)=b]-1=2\cdot \text{Pr}[Succ\mathbb{A}^\text{sy}]-1\). We construct \(\mathbb{A}^\text{sy}\) by using \(\mathbb{A}^\text{hy}=(\mathbb{A}_1^\text{hy},\mathbb{A}^\text{hy}_2)\) in game \(Hybrid_4\) as follows.
1. \(\mathbb{A}_1^\text{sy}\) is given \(1^k\).
2. \(\mathbb{A}_1^\text{sy}\) runs \(\mathcal{K}^\text{asy}\) on input \(1^k\) to obtain \((pk,sk )\). \(\mathbb{A}_1^\text{sy}\) then runs \(\mathbb{A}_1^\text{hy}\) on pk.
3. When \(\mathbb{A}_1^\text{hy}\) submits queries to the oracles \(H_1,H_2,H_3\) and \(\mathcal{D}^\text{hy}_{sk}\), \(\mathbb{A}^\text{sy}\) simulates them as in game \(Hybrid_4\) and collects the tuple \((m_0,m_1,s)\) output by \(\mathbb{A}_1^\text{hy}\).
4. \(\mathbb{A}_2^\text{sy}\) then takes the challenge ciphertext \(C_2^*=\mathcal{E}^\text{sy}_{\kappa ^*}(m_b)\) and state s, where \(b\in _R\{0,1\}\).
5. \(\mathbb{A}_2^\text{sy}\) selects \(\sigma ^*\in _R\mathcal{P}^\text{asy}, h^*,g^*\in _R \mathcal{R}^\text{asy}\) and sets \(C_1^*=(\sigma ^*,\mu ^*)+H_2(\sigma ^*,h^*)\mathcal{B}_2+H_3(g^*)\mathcal{B}_3\). \(\mathbb{A}_2^\text{sy}\) runs \(\mathbb{A}_2^\text{hy}\) on input \((C_1^*,C_2^*,s)\).
6. When \(\mathbb{A}_2^\text{hy}\) submits queries to the oracles \(H_1,H_2,H_3\) and \(\mathcal{D}^\text{hy}_{sk}\), \(\mathbb{A}_2^\text{sy}\) simulates them as in game \(Hybrid_4\).
7. Upon the halt of \(\mathbb{A}^\text{hy}\), \(\mathbb{A}_2^\text{sy}\) outputs the same \(b'\) output by \(\mathbb{A}^\text{hy}\).
By construction, it is clear that the views of \(\mathbb{A}^\text{hy}\) and \(Hybrid_4\) are identical, if
Thus \(\text{Pr}[S_4]=\text{Pr}[Succ \mathbb{A}^\text{sy}]\).
Cite this article
Aravind Vishnu, S.S., Praveen, I. & Sethumadhavan, M. An IND-CCA2 Secure Certificateless Hybrid Signcryption. Wireless Pers Commun 119, 3589–3608 (2021). https://doi.org/10.1007/s11277-021-08422-2