An IND-CCA2 Secure Certificateless Hybrid Signcryption

Abstract

This article proposes a hybrid certificateless signcryption scheme that is secure against adaptive chosen ciphertext adversary in the random oracle model. The scheme combines an asymmetric encryption which is one way against chosen plaintext attack and any One-Time secure symmetric encryption scheme, combined using Fujisaki–Okamoto transformation. Uncommon to many Fujisaki–Okamoto based constructions which ensure message integrity alone, this scheme provides entity authentication in addition. By the choice of a hash function that utilizes the advantage of sponge based construction, the scheme enables the user to incorporate any One-Time secure symmetric encryption by re-configuring the input/output parameters. Fujisaki–Okamoto transformation, which is currently a standard in hybrid constructions, guarantees the indistinguishability against adaptive chosen ciphertext attack. The provision for choosing symmetric encryption in the scheme enables it to be implemented in all sort of cryptographic requirements including those in wireless communication.

Appendix

Lemma 3

Let \(A_1,A_2,B_1,B_2\) be events defined on the same probability space. Let \(\text{Pr}[B_1]= \text{Pr}[B_2]\) and \(\text{Pr}[A_1\wedge \lnot B_1]= \text{Pr}[A_2\wedge \lnot B_2]\). Then \(\text{Pr}[A_1]- \text{Pr}[A_2]\le \text{Pr}[B_2]=\text{Pr}[B_1]\).

Proof

We have \(A_1=A_1\wedge (B_1\vee \lnot B_1)\implies \text{Pr}[A_1]=\text{Pr}[A_1\wedge (B_1\vee \lnot B_1)]=\text{Pr}[(A_1\wedge B_1)\vee (A_1\wedge \lnot B_1)]=\text{Pr}[A_1\wedge B_1]+\text{Pr}[A_1\wedge \lnot B_1]\).

Similarly \(\text{Pr}[A_2]= \text{Pr}[A_2\wedge B_2]+\text{Pr}[A_2\wedge \lnot B_2]\implies \text{Pr}[A_1]-\text{Pr}[A_2]=\text{Pr}[A_1\wedge B_1]-\text{Pr}[A_2\wedge B_2]\).

Now since \(\text{Pr}[A_1\wedge B_1]\le \text{Pr}[B_1]\) and \(\text{Pr}[A_2\wedge B_2]\ge 0\), we have \(\text{Pr}[A_1]-\text{Pr}[A_2]\le \text{Pr}[B_1]=\text{Pr}[B_2]\).

Lemma 4

Let \(\Pi ^\text{asy}\) be \((t^\text{asy},\epsilon ^\text{asy})\)-OWE, where \(t^\text{asy}\ge t^\text{hy}+q_dT^\text{asy}(k)+q_h O(k)\). Then \(\text{Pr}[Ask\, \sigma ^*_4]\le q_h\epsilon ^\text{asy}\).

Proof

Suppose \(\mathbb{A}^\text{asy}\) is a \(t^\text{asy}\)-time adversary attacking \(\Pi ^\text{asy}\) in the sense of OWE with advantage \(\epsilon ^\text{asy}\), where \(t^\text{asy}= t^\text{hy}+q_dT^\text{asy}(k)+q_h O(k)\). The advantage of \(\mathbb{A}^\text{asy}= \text{Pr}[(pk,sk)\leftarrow \mathcal{K}^\text{asy}(1^k);x\leftarrow \mathcal{P}^\text{asy};y\leftarrow \mathcal{E}^\text{asy}_{pk}(x): \mathbb{A}^\text{asy}(pk,y)=\mathcal{D}^\text{asy}_{sk}(y)]\). We construct \(\mathbb{A}^\text{asy}\) by using \(\mathbb{A}^\text{hy}=(\mathbb{A}_1^\text{hy},\mathbb{A}^\text{hy}_2)\) in game \(Hybrid_4\) as follows.

1. 1.

   Let y be the challenge ciphertext. \(\mathbb{A}^\text{asy}\) takes (pk, y) as input.

2. 2.

   \(\mathbb{A}^\text{asy}\) chooses \(a^*\in _R \mathcal{K}^\text{sy}\) and runs \(\mathbb{A}_1^\text{hy}\) on input pk.

3. 3.

   When \(\mathbb{A}_1^\text{hy}\) submits queries to the oracles \(H_1,H_2,H_3\) and \(\mathcal{D}^\text{hy}_{sk}\), \(\mathbb{A}^\text{asy}\) simulates them as in game \(Hybrid_4\) and collects the tuple \((m_0,m_1,s)\) output by \(\mathbb{A}_1^\text{hy}\).

4. 4.

   \(\mathbb{A}^\text{asy}\) choose \(b\in _R\{0,1\}\) and sets \((C_1^*,C_2^*)=(y, \mathcal{E}_{a^*}^\text{sy}(m_b))\). \(\mathbb{A}^\text{asy}\) runs \(\mathbb{A}_2^\text{hy}\) on input \((C_1^*,C_2^*,s)\).

5. 5.

   When \(\mathbb{A}_2^\text{hy}\) submits queries to the oracles \(H_1,H_2,H_3\) and \(\mathcal{D}^\text{hy}_{sk}\), \(\mathbb{A}^\text{asy}\) simulates them as in game \(Hybrid_4\).

6. 6.

   Upon the halt of \(\mathbb{A}_2^\text{hy}\), \(\mathbb{A}^\text{asy}\) selects \(i\in _R\{1,2,\ldots ,q_h\}\) and outputs \(\sigma\) in the ith query to the random oracles.

It is seen that, conditioned on the event that \(\mathbb{A}^\text{hy}\) submits \(\sigma ^*\) to the different oracles in the respective input format wherever \(\sigma ^*\) comes into play, \(\mathbb{A}^\text{asy}\) outputs \(\sigma ^*\) with probability \(\frac{1}{q_h}\). The simulation of all the oracles altogether makes \(\mathbb{A}^\text{asy}\) select \(q_h\) random values in total costing \(q_hO(k)\). Hence the running time of \(\mathbb{A}^\text{asy}\) is \(t^\text{hy}+q_dT^\text{asy}(k)+q_hO(k)\). By construction, it is clear that the views of \(\mathbb{A}^\text{hy}\) and \(Hybrid_4\) are identical, if

$$t^\text{asy}\geq t^{\text{hy}}+q_dT^\text{asy}(k)+q_hO(k).$$

(10)

By our assumption of the \((t^\text{asy},\epsilon ^\text{asy})\)-OWE \(\Pi ^\text{asy}\), the probability that \(\mathbb{A}^\text{asy}\) outputs \(\mathcal{D}^\text{asy}_{sk}(C_1^*:=\sigma ^*)\) is bounded by \(\epsilon ^\text{asy}\). Since \(Ask\, \sigma ^*_4\implies \mathbb{A}^\text{hy}\) sybmits \(\sigma ^*\) to \(H_1\) of \((\sigma ^*,\cdot )\) to \(H_2\) in game \(Hybrid_4\). Hence \(\text{Pr}[Ask\,\sigma ^*_4]\le q_h\epsilon ^\text{asy}\).

Lemma 5

Let \(\Pi ^\text{sy}\) be \((t^\text{sy},\epsilon ^\text{sy})\)-OT, where \(t^\text{sy}\ge t^\text{hy}+(q_d+1)T^\text{asy}(k)+q_h O(k)\). Then \(\text{Pr}[S_4]\le \text{Pr}[Succ \mathbb{A}^\text{sy}]\) and hence \(2\text{Pr}[S_4]-1\le \epsilon ^\text{sy}\).

Proof

Suppose \(\mathbb{A}^\text{sy}\) is a \(t^\text{sy}\)-time adversary attacking \(\Pi ^\text{sy}\) in the sense of OT with advantage \(\epsilon ^\text{sy}\), where \(t^\text{sy}= t^\text{hy}+(q_d+1)T^\text{asy}(k)+q_h O(k)\). The advantage of \(\mathbb{A}^\text{sy}= 2\cdot \text{Pr}[\kappa \leftarrow \mathcal{K}^\text{sy};(m_0,m_1,s)\leftarrow \mathbb{A}_1^\text{sy}(1^k);b\in _R\{0,1\};C_2\leftarrow \mathcal{E}^\text{sy}_\kappa (m_b): \mathbb{A}^\text{sy}(C_2,s)=b]-1=2\cdot \text{Pr}[Succ\mathbb{A}^\text{sy}]-1\). We construct \(\mathbb{A}^\text{sy}\) by using \(\mathbb{A}^\text{hy}=(\mathbb{A}_1^\text{hy},\mathbb{A}^\text{hy}_2)\) in game \(Hybrid_4\) as follows.

1. 1.

   \(\mathbb{A}_1^\text{sy}\) is given \(1^k\).

2. 2.

   \(\mathbb{A}_1^\text{sy}\) runs \(\mathcal{K}^\text{asy}\) on input \(1^k\) to take \((pk,sk )\). \(\mathbb{A}_1^\text{sy}\) then runs \(\mathbb{A}_1^\text{hy}\) on pk.

3. 3.

   When \(\mathbb{A}_1^\text{hy}\) submits queries to the oracles \(H_1,H_2,H_3\) and \(\mathcal{D}^\text{hy}_{sk}\), \(\mathbb{A}^\text{sy}\) simulates them as in game \(Hybrid_4\) and collects the tuple \((m_0,m_1,s)\) output by \(\mathbb{A}_1^\text{hy}\).

4. 4.

   \(\mathbb{A}_2^\text{sy}\) then takes the challenge ciphertext \(C_2^*=\mathcal{E}^\text{sy}_{\kappa ^*}\) and state s where \(b\in _R\{0,1\}\).

5. 5.

   \(\mathbb{A}_2^\text{sy}\) selects \(\sigma ^*\in _R\mathcal{P}^\text{asy}, h^*,g^*\in _R \mathcal{R}^\text{asy}\) and sets \(C_1^*=(\sigma ^*,\mu ^*)+H_2(\sigma ^*,h^*)\mathcal{B}_2+H_3(g^*)\mathcal{B}_3\). \(\mathbb{A}_2^\text{sy}\) runs \(\mathbb{A}_2^\text{hy}\) on input \((C_1^*,C_2^*,s)\)

6. 6.

   When \(\mathbb{A}_2^\text{hy}\) submits queries to the oracles \(H_1,H_2,H_3\) and \(\mathcal{D}^\text{hy}_{sk}\), \(\mathbb{A}_2^\text{hy}\) simulates them as in game \(Hybrid_4\).

7. 7.

   Upon the halt of \(\mathbb{A}^\text{hy}\), \(\mathbb{A}_2^\text{sy}\) outputs the same \(b'\) output by \(\mathbb{A}^\text{hy}\).

By construction, it is clear that the views of \(\mathbb{A}^\text{hy}\) and \(Hybrid_4\) are identical, if

$$t^{\text{sy}} \geq t^{\text{hy}}+(q_d+1)T^{\text{asy}}(k)+q_hO(k)$$

(11)

Thus \(\text{Pr}[S_4]=\text{Pr}[Succ \mathbb{A}^\text{sy}]\)