INFORMATICAInformatica1822-88440868-49520868-4952Vilnius UniversityINFO113710.15388/Informatica.2017.126Research ArticleSIBSC: Separable Identity-Based Signcryption for Resource-Constrained DevicesTsaiTung-Tso
T.-T. Tsai received the BS degree from the Department of Applied Mathematics, Chinese Culture University, Taiwan, in 2006. He received the MS degree from the Department of Applied Mathematics, National Hsinchu University of Education, Taiwan, in 2009. He received the PhD degree from the Department of Mathematics, National Changhua University of Education, Taiwan, in 2014. His research interests include applied cryptography and pairing-based cryptography.
HuangSen-Shan
S.-S. Huang is currently a professor in the Department of Mathematics, National Changhua University of Education, Taiwan. His research interests include number theory, cryptography, and network security. He received his PhD from the University of Illinois at Urbana-Champaign in 1997 under the supervision of Professor Bruce C. Berndt.
TsengYuh-Min∗
Y.-M. Tseng is currently a professor in the Department of Mathematics, National Changhua University of Education, Taiwan. He is a member of IEEE Computer Society, IEEE Communications Society and the Chinese Cryptology and Information Security Association (CCISA). In 2006, his paper received the Wilkes Award from The British Computer Society. He has published over one hundred scientific journal and conference papers on various research areas of cryptography, security and computer network. His research interests include cryptography, network security, computer network and mobile communications. He serves as an editor of several international journals.
To provide better overall performance, identity (ID)-based signcryption (IBSC) has been constructed by combining ID-based signature (IBS) and ID-based encryption (IBE) in a secure manner. Undoubtedly, the IBSC fulfills the authentication and the confidentiality by signature and encryption, respectively. All the previously proposed IBSC schemes are inseparable in the sense that the two-layer sign-then-encrypt procedure must be performed only by the same entity. However, the entities, such as wireless sensors and smart cards, are resource-constrained and become time consuming in executing the two-layer sign-then-encrypt procedure. Nowadays, the usage of mobile cloud computing is gaining expanding interest which provides scalable and virtualized services over the Internet or wireless networks while users with resource-constrained devices can enjoy the advantages of mobile cloud computing environments. Hence, we aim to reduce the computational cost for resource-constrained devices by employing a third party. In this article, we present the first separable ID-based signcryption (SIBSC) scheme in which the signing and encrypting layers are performed by the device and a third party, respectively. Under the computation Diffie–Hellman (CDH) and bilinear Diffie–Hellman (BDH) assumptions, we demonstrate that the proposed SIBSC scheme offers the provable security of authentication and confidentiality while retaining communication performance.
In conventional public key systems, encryption and signature are respectively used to offer the confidentiality and the authentication which are two of the most important security issues. In addition, for both encryption and signature schemes in conventional public key systems, certificates are needed to provide an unforgeable and trusted link between identities and public keys. In 1984, Shamir (1984) introduced the concept of identity (ID)-based cryptography to eliminate the need of certificates by which Shamir replaced the public keys of users with their identity information. Hence, ID-based cryptography provides a convenient alternative equipped with no public key infrastructure (PKI). A practical ID-based construction was not constructed until 2001 when Boneh and Franklin (2001) presented the very first one based on bilinear pairings. Boneh and Franklin’s construction was an important breakthrough and offered a pathway to build other ID-based cryptographic mechanisms such as ID-based key agreement protocols (Chen et al., 2007; Wu and Tseng, 2010; Tseng et al., 2016), ID-based encryption (IBE) schemes (Boneh and Boyen, 2004; Waters, 2005; Boyen and Waters, 2006; Libert and Vergnaud, 2009; Tsai et al., 2012) and ID-based signature (IBS) schemes (Cha and Cheon, 2003; Paterson and Schuldt, 2006; Boneh et al., 2006; Narayan and Parampalli, 2008; Tsai et al., 2013, 2014).
A signcryption scheme provides an efficient solution to fulfill both the functions of signature and encryption simultaneously. The performance of a signcryption scheme is better than that of performing a signature and a public-key encryption schemes apart. Hence, signcryption is useful in many applications, such as mobile communications and smart cards. The first ID-based signcryption (IBSC) scheme was constructed by Malone-Lee (2002). Further research on IBSC (Libert and Quisquater, 2003; Boyen, 2003; Chow et al., 2004; Chen and Malone-Lee, 2005) has been done to improve both the security and performance. The environment of IBSC includes three roles, namely, a trusted private key generator (PKG), senders and receivers. The PKG is responsible to generate the private keys of both senders and receivers by using their identities. A sender, by using her/his private key and a designated receiver’s identity, performs a two-layer sign-then-encrypt procedure on a message to generate a ciphertext. Upon receiving the ciphertext, the designated receiver is able to decrypt it to obtain the signature and message, while verifying the signature using the sender’s identity.
Related Work
Zheng (1997) presented the notion of public key signcryption by which signature and encryption are performed simultaneously to reduce computational cost or communication size, compared with those performing signature and encryption separately. Zheng presented two signcryption schemes based on the discrete logarithm problem. Indeed, a signcryption scheme fulfills the authentication and the confidentiality offered by signature and encryption, respectively.
Following Boneh and Franklin (2001), Malone-Lee (2002) proposed the first ID-based signcryption (IBSC) scheme by combining IBS and IBE schemes. Later, Libert and Quisquater (2003) pointed out a security drawback on Malone-Lee’s scheme, namely, semantically insecure. Libert and Quisquater also presented three improved IBSC schemes, but these schemes lack public verifiability and forward security. In 2004, Chow et al. (2004) proposed an IBSC scheme to resolve the weakness in Libert and Quisquater (2003). In order to provide ciphertext unlinkability and anonymity, Boyen (2003) proposed a multi-purpose IBSC scheme. A couple of years later, Chen and Malone-Lee (2005) modified Boyen’s scheme to improve efficiency. All the IBSC schemes mentioned above are proved to be secure in the random oracle model (Bellare and Rogaway, 1993; Canetti et al., 2004). In order to provide more robust security, several researchers (Jin et al., 2010; Zhang, 2010; Li et al., 2011; Li and Takagi, 2013) eliminated the use of random oracles to create several IBSC schemes in the standard models. Indeed, these schemes enhance the security, but degrade the performance.
Motivation and Contribution
Nowadays, the usage of cloud computing is gaining expanding interest. Cloud computing environment, defined by the National Institute of Standards and Technology (NIST) (Mell and Grance, 2009), provides scalable and virtualized services over the Internet or wireless networks. To enjoy the advantages of cloud computing environments, encryption and signature schemes (Fahl et al., 2012) are generally demanded to achieve authentication and confidentiality, respectively. With the popularity of Internet and wireless networks, many clients employ mobile devices (e.g. smart phone or pad) or computers (notebook or PC) to access cloud computing services through open channels (Suo et al., 2013; Tysowski and Hasan, 2013; Ma et al., 2015). If clients use mobile devices or computers to store the private keys (credentials) while performing some operations, it is dangerous and not secure because the stored private keys (credentials) could be stolen by embedding virus or hacker software on these mobile devices or computers. Therefore, it is the most accredited way to store the private keys in smart cards while some cryptographic computations using the private keys are also performed by smart cards. However, smart cards are resource-constrained and possess limited computing capability, so the heaviest computations of applications must be executed by mobile devices or computers instead, except some cryptographic computations such as encryption and signature because of security consideration.
When smart cards are involved in ID-based cryptography, they become time consuming in executing cryptographic computations such as pairing operations in Boneh and Franklin’s IBE scheme (2001). Undoubtedly, based on Boneh and Franklin’s ID-based public-key setting, the existing IBE, IBS, and IBSC schemes still require pairing operations, which are heavy computation load for resource-constrained devices. For achieving both authentication and confidentiality simultaneously, as mentioned earlier, the performance of an IBSC scheme is better than that of performing an IBS scheme and an IBE scheme separately.
In an IBSC scheme, the same ephemeral secrets, parameters and keys are used in the two-layer sign-then-encrypt procedure, which includes a signing layer and an encryption layer. We observe that all the previously proposed IBSC schemes are inseparable in the sense that the two-layer sign-then-encrypt procedure must be performed only by the same entity. The reason is that if the encryption layer were performed by a third party, the private key of the sender could be revealed by the third party because the same ephemeral secrets are involved in both the signing and encryption layers. In this article, to reduce the computational cost of resource-constrained devices (e.g. smart cards) in IBSC schemes, we will employ a third party to assist with expensive pairing computations without endangering the private keys of senders. Indeed, we will propose a novel separable ID-based signcryption (SIBSC) scheme in which the signing and encryption layers are performed by a resource-constrained device and a third party, respectively. Under the computation Diffie–Hellman (CDH) and bilinear Diffie–Hellman (BDH) assumptions (Boneh and Franklin, 2001; Cha and Cheon, 2003), we demonstrate that our proposed SIBSC scheme offers the provable security of authentication and confidentiality in the random oracle model (Bellare and Rogaway, 1993; Canetti et al., 2004).
Here, we present a usage scenario of the proposed SIBSC scheme which is depicted in Fig. 1. In a client-server environment, a client with smart card would like to have access to multiple (m) remote service servers via open channels (e.g. Internet). The client may use a third party (smart phone or PC with a card reader) to perform the proposed SIBSC scheme to achieve authentication and confidentiality for remote service servers. In which, the client’s private key is involved in the signing layer which is performed by the smart card. Meanwhile, the public-key encryption layer is performed by a smart phone or a PC with a card reader due to it does not require the client’s private key to involve in the computation. It is notable that the smartcard directly connects to a smart phone with a transmission-line-connected card reader or a PC with an embedded card reader. If the smart card connects to the third party using wireless communication, it will incur extra communication cost.
The usage scenario of the SIBSC scheme.
Merits of Our SIBSC Scheme
Here, we demonstrate the merits of our SIBSC scheme which is suitable to provide both authentication and confidentiality for many applications with resource-constrained devices. For example, a smart card with limited computing capability could not efficiently execute heavy computations (such as pairing operations) and, in such a case, it needs to rely on a third party to perform these heavy computations. In order to achieve both authentication and confidentiality, we observe four solutions (combinations) according to running entities (smart card and third party) and the employed schemes (IBS + IBE, IBSC and SIBSC) as follows.
Solution 1: an intuitive solution is that the smart card performs both IBS and IBE schemes as depicted in Fig. 2(a). In this case, the smart card takes all computational loads.
Solution 2: the IBS scheme is performed by the smart card, while the IBE scheme is executed by a third party as shown in Fig. 2(b). This solution aims at reducing the computational cost of the smart card. Note that running an IBE scheme does not need the sender’s private key.
Four solutions to achieve authentication and confidentiality.
Comparisons between the SIBSC scheme and other schemes.
Solution 1
Solution 2
Solution 3
Our solution
Hired scheme
CC’s IBS
CC’s IBS
CM’s IBSC
Our SIBSC
(2003)
(2003)
(2005)
+ BF’s IBE
+ BF’s IBE
(2001)
(2001)
Computational cost of
Signing + Encryption
Signing
Signcryption
Signing layer
smart card
(High)
(Low)
(High)
(Low)
Computational cost for
–
Encryption
–
Encryption layer
third party
(Low)
(Low)
Communication size
High
High
Low
Low
Solution 3: the smart card performs the two-layer sign-then-encrypt procedure in the IBSC scheme as shown in Fig. 2(c). This solution is more efficient than Solutions 1 and 2, in particular, in communication size.
Our solution: By our SIBSC scheme, the signing and encryption layers are performed by the smart card and a third party, respectively, as shown in Fig. 2(d). Our solution aims at reducing not only the computational cost of the smart card but also the communication size.
Table 1 lists the comparisons between the proposed SIBSC scheme (our solution) and the other three solutions in terms of computational costs of smart card and third party, and communication size. Here, we adopt, respectively, the Cha and Cheon’s IBS (for short, CC’s IBS) and Boneh and Franklin’s IBE (for short, BF’s IBE) schemes in Cha and Cheon (2003) and Boneh and Franklin (2001). In the meantime, we employ the most efficient IBSC (CM’s IBSC) scheme constructed by Chen and Malone-Lee (2005). By Table 1, it is clear that our solution possesses the merits of both Solutions 2 and 3. The detailed comparisons regarding communication and computational costs will be discussed in Section 6.
Outline of the Paper
The rest of this paper is organized as follows. Preliminaries are given in Section 2. Then, in Section 3, we give framework and security notions. In Section 4, a concrete SIBSC scheme is proposed. Section 5 gives the security analysis of the proposed scheme. Finally, we demonstrate performance analysis in Section 6 before making conclusions in Section 7.
Preliminaries
Before presenting our construction, we briefly review the concept of bilinear pairings and two mathematical assumptions on which our construction is based. We first define the following notations.
q is a large prime.
G1 is an additive cyclic group of order q.
G2 is a multiplicative cyclic group of order q.
P is a generator of G1.
Bilinear Map
We say that eˆ:G1×G1→G2 is an admissible bilinear map if it satisfies three properties as follows.
Non-degeneracy: eˆ(P,P)≠1.
Bilinearity: for all Q,R∈G1 and a,b∈Zq∗, eˆ(aQ,bR)=eˆ(Q,R)ab.
Computability: for Q,R∈G1, there exists an efficient algorithm to compute eˆ(Q,R).
For full descriptions of groups, maps and other parameters, the reader can refer to Boneh and Franklin (2001).
Related Mathematical Assumptions
The computational Diffie–Hellman (CDH) and the bilinear Diffie–Hellman (BDH) assumptions in G1 and G2, respectively, are defined as below. (CDH assumption).
Given P,aP,bP∈G1 with unknown a,b∈Zq∗, we assume that there exists no probabilistic polynomial-time (PPT) adversary A with non-negligible probability who can compute abP. The successful probability (advantage) of the adversary A is presented as
AdvA=Pr[A(P,aP,bP)=abP].
(BDH assumption).
Given P,aP,bP,cP∈G1 with unknown a,b,c∈Zq∗, we assume that there exists no PPT adversary A with non-negligible probability who can compute eˆ(P,P)abc. The successful probability of the adversary A is presented as
AdvA=Pr[A(P,aP,bP,cP)=eˆ(P,P)abc].
Framework and Security Notions
Here, we informally describe our separable ID-based signcryption (SIBSC). The proposed SIBSC consists of four roles, namely, a trusted private key generator (PKG), a semi-trusted third party (e.g. smart phone), senders (with resourced-constrained devices) and receivers. The work of the PKG is to generate the secret key and public parameters of the system, and produce private keys of users (senders and receivers). A sender (signer) A with identity IDA first chooses an ephemeral secret value rA, and generates a signature σA on a message M by using her/his private key SIDA. For a designated receiver B with identity IDB, the sender A first transmits (σA,M,IDA,rA,IDB) to the third party via a secure channel. Then, the third party is responsible to generate a ciphertext CTB using (σA,M,IDA,rA,IDB), and transmit CTB to the receiver B. Finally, the ciphertext CTB can be decrypted and verified by B. Here, we emphasize that the semi-trusted third party is unable to reveal the private key of the sender A by appealing to the message (σA,M,IDA,rA,IDB).
Framework
In IBSC schemes of Boyen (2003), Chen and Malone-Lee (2005), the framework consists of six algorithms, namely, the system setup, the key extract, the signing, the encryption, the decryption and the verification. Here, our framework for SIBSC schemes is identical to that of the above IBSC schemes, except that our encryption algorithm does not require the input of the sender’s secret key. The details of six algorithms are described below.
System setup: on input of a security parameter l, this algorithm produces a secret key SK and public parameters PK of the system. PK is publicly known and available for all other algorithms.
Key extract: on input of SK and the identity IDU of a user U, this algorithm computes the corresponding secret key SIDU and then returns it to U via a secure channel.
Signing: on input of the identity IDA, the secret key SIDA of a user A, and a message M, this algorithm produces a pair (σA,rA), where σA is a signature and rA is an ephemeral data.
Encryption: on input of the identity IDB of a user B, a message M and a pair (σA,rA), this algorithm produces a ciphertext CTB.
Decryption: on input of the secret key SIDB of a user B and the ciphertext CTB, this algorithm produces the message M and the signature σA.
Verification: on input of the identity IDA of a user A, the message M and the signature σA, the algorithm outputs either “accept” or “reject”.
Security Notions
In a SIBSC scheme, both security properties of authentication (unforgeability) and confidentiality must be fulfilled. It is obvious that the attacking ability of the semi-trusted third party is stronger than that of any outsider because it possesses more information (i.e. ephemeral secret and signature) sent by a sender. Hence, for unforgeability, it suffices to demonstrate that the third party cannot violate the authentication of the proposed SIBSC scheme, which will be done in Section 5. In the following, we introduce two kinds of adversaries to address the two security properties.
Type I adversary: this adversary is the semi-trusted third party, which assists the sender with heavy computation and attempts to forge a signature on behalf of the sender.
Type II adversary: upon capturing a ciphertext, a Type II adversary attempts to decrypt it to obtain the plaintext message. This adversary excludes the designated receiver.
(Unforgeability for Type I adversary).
We say that a SIBSC scheme is existential unforgeability against adaptive chosen message attack (SIBSC-UF-ACMA) if no Type I adversary A has a non-negligible advantage in the following SIBSC-UF-ACMA game played between a challenger C and the adversary A.
Initial: the challenger C runs the system setup algorithm to generate a secret key SK and public parameters PK of the system. C then gives PK to the adversary A while keeping SK secret.
Phase 1: the adversary A may make a number of different queries to the challenger C in an adaptive manner as follows:
Key extract query: the adversary A submits this query along with identity IDU. The challenger C runs the key extract algorithm to generate the private key SIDU of IDU and returns it to A.
Signing query: the adversary A submits this query along with a message M and an identity IDU. The challenger C runs the signing algorithm to generate a signature σU and then returns it to A.
Forge: the adversary A returns a tuple (M∗,σU∗,IDU∗), and we say that A wins this game if the following conditions are satisfied:
The response of verification algorithm on (M∗,σU∗,IDU∗) is “accept”.
σU∗ has not been returned during signing queries on the input (M∗,IDU∗).
IDU∗ did not appear in key extract queries.
(Confidentiality for Type II adversary).
We say that a SIBSC scheme is semantically secure against an adaptive chosen plaintext attack (IND-SIBSC-CPA) if no Type II adversary A has a non-negligible advantage in the following IND-SIBSC-CPA game played between a challenger C and the adversary A.
Initial: same as the Initial in Definition3.
Phase 1: the adversary A may make a number of key extract queries, as described in Phase 1 of Definition3, to the challenger C in an adaptive manner.
Challenge: the adversary A outputs an identity IDU∗ and a target plaintext pair (M0,M1). After receiving them, C randomly selects a value b∈{0,1} and runs the encryption algorithm on Mb to generate a ciphertext CTU∗ encrypted under the identity IDU∗. Then C returns the ciphertext CTU∗ to A. Here, we impose the restriction that IDU∗ has not appeared in the key extract queries.
Phase 2: the adversary A may make further queries as in Phase 1. The restriction is that IDU∗ has not appeared in the key extract queries.
Guess: the adversary A returns its guess b′∈{0,1}. We say that A wins the IND-SIBSC-CPA game if b′=b.
A separable ID-based signcryption scheme against an adaptive chosen plaintext attack (IND-SIBSC-CPA) is weaker than that against an adaptive chosen ciphertext attack (IND-SIBSC-CCA). The IND-SIBSC-CCA game is identical to the IND-SIBSC-CPA game except by adding the decryption queries in Phases 1 and 2. Indeed, Kitagawa et al. (2006) have proposed a simple conversion from a weak scheme (IND-ID-CPA) to a strong one (IND-ID-CCA) in the random oracle model (Bellare and Rogaway, 1993; Canetti et al., 2004). The only restriction is that the hash functions used in the weak scheme must be random oracles (Kitagawa et al., 2006). Hence, following this conversion, one can also construct a strong ID-based signcryption scheme from our proposed scheme in the random oracle model.
Our SIBSC Scheme
Our SIBSC scheme consists of six algorithms: the system setup, the key extract, the signing, the encryption, the decryption and the verification.
System setup: given a security parameter l, a trusted private key generator (PKG) chooses two groups G1 and G2 of prime order q>2l{2^{l}}$]]> such that an admissible bilinear map eˆ:G1×G1→G2 can be constructed. Let P be a generator of G1. The PKG randomly selects a value s∈Zq∗ as the system secret key, computes Ppub=s·P and picks five hash functions f1,f2:{0,1}∗×G1→Zq∗, H1:{0,1}∗×G1→G1, H2:{0,1}∗→G1 and H3:G2→{0,1}k, where k denotes the output length of H3. Finally, the secret key SK and public parameters PK of the system are set, respectively, as
SK=s
and
PK=(G1,G2,q,eˆ,P,Ppub,f1,f2,H1,H2,H3).
Key extract: to generate the private key of a user (sender or receiver) U with identity IDU, the PKG selects a random value lU∈Zq∗, sets QIDU(1)=lU·P and computes DIDU(1)=lU+hU(1)·s, where hU(1)=f1(IDU,QIDU(1)). Finally, the PKG sets QIDU(2)=H2(IDU) and computes DIDU(2)=s·QIDU(2)=s·H2(IDU). The private key SIDU of the user U with identity IDU is
SIDU=(QIDU(1),DIDU(1),DIDU(2)).
Note that QIDU(1) will be a component of each signature signed by the user U with identity IDU, so it can be viewed as a part of the user’s public key.
Signing: the sender A with identity IDA generates a signature σA on a message M∈{0,1}n for the designated receiver B with identity IDB by the following steps.
Choose an ephemeral secret value rA∈Zq∗.
Compute RA=rA·P.
Compute HIDA = H1(M||IDA,RA) and hA(2) = f2(M||IDA,RA).
Use the private key SIDA obtained in Key extract to generate VA by
VA=(rA+DIDA(1))·HIDA+hA(2)·DIDA(2).
Output the signature σA=(QIDA(1),RA,VA) to the third party with the message M, the identity IDA, the ephemeral secret value rA and the identity IDB.
Encryption: after receiving the output (σA,M,IDA,rA,IDB) from the sender A, the third party computes WB=H3(eˆ(rA·Ppub,QIDB(2)))⊕(VA||QIDA(1)||IDA||M), sets the ciphertext CTB=(RA,WB) and transmits it to the receiver B.
Decryption: given the ciphertext CTB=(RA,WB), the receiver B computes WB⊕H3(eˆ(RA,DIDB(2))) to obtain (VA||QIDA(1)||IDA||M). Then B forwards the signature σA, the identity IDA and the message M to the verification phase.
Verification: a signature σA on the message M for the identity IDA is verified by the receiver B in the following manners.
Compute HIDA=H1(M,IDA,RA) and QIDA(2)=H2(IDA).
Compute hA(1)=f1(IDA,QIDA(1)) and hA(2)=f2(M,IDA,RA).
The relationships of signing, encryption, decryption and verification phases.
Check the equality eˆ(P,VA)=eˆ(RA+QIDA(1),HIDA)·eˆ(Ppub,hA(1)·HIDA+hA(2)·QIDA(2)).
Then the receiver B outputs “accept” if the last equality holds, and “reject” otherwise.
The signing, encryption, decryption and verification procedures are depicted in Fig. 3. Meanwhile, we present the validity of the equality in (3) above as follows. Since VA=(rA+DIDA(1))·HIDA+hA(2)·DIDA(2) with DIDA(1)=lA+hA(1)·s and DIDA(2)=s·QIDA(2), we have
eˆ(P,VA)=eˆ(P,(rA+DIDA(1))·HIDA)·eˆ(P,hA(2)·DIDA(2))=eˆ(rA·P+lA·P,HIDA)eˆ(s·P,hA(1)·HIDA)·eˆ(s·P,hA(2)·QIDA(2))=eˆ(RA+QIDA(1),HIDA)·eˆ(Ppub,hA(1)·HIDA+hA(2)·QIDA(2)),
where the last equality follows directly from RA=rA·P, QIDA(1)=lA·P, and Ppub=s·P.
Security Analysis
As in Definitions 3 and 4, there are Type I and Type II adversaries in the SIBSC-UF-ACMA and IND-SIBSC-CPA games respectively. In the following, we prove that the proposed SIBSC scheme is secure against Type I and Type II adversaries, respectively, in Theorems 1 and 2. Hence, our SIBSC scheme offers existential unforgeability against adaptive chosen message attacks and is semantically secure against adaptive chosen plaintext attacks.
In the random oracle model, the proposed SIBSC scheme is secure against Type I adversary under the CDH assumption. Concretely, suppose that there exists a Type I adversaryAthat can break the proposed scheme with a non-negligible advantage ϵ within a running time t. Assume that the hash functionsf1,f2,H1,H2andH3are random oracles, andAcan makeqfiqueries to the random oraclesfi(i=1,2),qHiqueries to the random oraclesHi(i=1,2,3),qEqueries to the key extract oracle andqSqueries to the signing oracle, respectively. Then, we can construct an algorithmCto solve the CDH problem with an advantageϵ′⩾1/9within a running timet′⩽23qf2qH2qt/(ϵ(q−1)).
We will employ Lemma 1 in Cha and Cheon (2003) to simplify the security analysis of the proposed scheme. This lemma states that if there is an algorithm with a non-negligible advantage ϵ within a running time t to perform ID attacks to an ID-based signature scheme, then there is another algorithm with a non-negligible advantage ϵ″⩾ϵ(1−1/q)/qH2 within a running time t″⩽t to perform a fixed ID attack to the ID-based signature scheme. Suppose that A is of Type I adversary that could break the proposed scheme with a non-negligible advantage ϵ within a running time t. By Lemma 1 in Cha and Cheon (2003), there exists another algorithm B with the advantage ϵ″⩾ϵ(1−1/q)/qH2 within a running time t″⩽t to perform a fixed attack to the same scheme. Without loss of generality, we choose a fixed identity IDU∗ as our target.
Using the algorithm B, an algorithm C will be constructed below to solve the CDH problem. Assume that the algorithm C is given a group G1 of order q with a generator P, and two elements aP,bP∈G1, where a and b are unknown to C. In order to use B to compute abP, the algorithm C plays a challenger in the following game.
Initial: the challenger C runs the system setup algorithm and sets Ppub=aP to create the public parameters PK=(G1,G2,q,eˆ,P,Ppub,f1,f2,H1,H2,H3) of the proposed scheme. Here f1, f2, H1, H2 and H3 are random oracles controlled by C. The challenger C also answers queries of random oracles issued by B as below.
f1queries: at any time, B can issue queries along with (IDU,QIDU(1)) to the random oracle f1. To respond to these queries, C maintains a list Lf1 containing tuples of the form (IDU,QIDU(1),αU). Initially Lf1 is empty. When B queries the oracle f1 with a pair (IDU,QIDU(1)), C responds as follows.
If the pair (IDU,QIDU(1)) is already in Lf1, the challenger C responds with the corresponding αU to B.
Otherwise, the challenger C randomly selects a value αU∈Zq∗, adds the tuple (IDU,QIDU(1),αU) in Lf1, and responds to B with αU.
f2queries: at any time, B can issue queries along with (M,IDU,RU) to the random oracle f2. To respond to these queries, C maintains a list Lf2 containing tuples of the form (M,IDU,RU,βU). Initially the list Lf2 is empty. When B queries the oracle f2 with a tuple (M,IDU,RU), C responds as follows.
If the tuple (M,IDU,RU) is already in Lf2, the challenger C responds with the corresponding βU to B.
Otherwise, the challenger C randomly selects a value βU∈Zq∗, adds the tuple (M,IDU,RU,βU) in Lf2 and responds to B with βU.
H1queries: at any time, B can issue queries along with (M,IDU,RU) to the random oracle H1. To respond to these queries, C maintains a list LH1 containing tuples of the form (M,IDU,RU,ζU,ζU·bP). Initially the list is empty. When B queries the oracle H1 with a pair (M,IDU,RU), C responds as follows.
If the tuple (M,IDU,RU) is already in LH1, the challenger C responds with the corresponding ζU·bP to B.
Otherwise, the challenger C randomly selects a value ζU∈Zq∗, computes ζU·bP, adds the tuple (M,IDU,RU,ζU,ζU·bP) in LH1, and responds to B with ζU·bP.
H2queries: at any time, B can issue queries with IDU to the random oracle H2. To respond to these queries, C maintains a list LH2 containing tuples of the form (IDU,QIDU(2),ηU). Initially the list is empty. When B queries the oracle H2 with IDU, C responds to as follows.
If IDU≠IDU∗, the challenger C selects a value ηU∈Zq∗, returns QIDU(2)=H2(IDU)=ηU·P and stores (IDU,QIDU(2),ηU) in the list LH2.
If IDU=IDU∗, the challenger C selects a value ηU∈Zq∗, returns QIDU(2)=H2(IDU)=ηU·P−bP and stores (IDU,QIDU(2),ηU) in the list LH2.
H3queries: at any time, B can issue queries along with S to the random oracle H3. To respond to these queries, the challenger C maintains a list LH3 containing pairs of the form (S,T). Initially the list is empty. When B queries the oracle H3 with S, C responds as follows.
If S already appears in the list LH3, the challenger C responds with the corresponding T to B.
Otherwise, C randomly selects a string T∈{0,1}k, adds the tuples (S,T) to the list LH3, and responds to B with T.
Phase 1: the adversary B may make a number of different queries to the challenger C in an adaptive manner as follows:
Key extract queries: to respond to these queries, C maintains a list LK containing tuples of the form (IDU,SIDU), where SIDU=(QIDU(1),DIDU(1),DIDU(2)). Initially the list is empty. Upon receiving the query along with IDU, if IDU already appears in the list LK, the challenger C responds with the associated SIDU to B. If IDU does not appear in LK, we discuss two cases as follows. If IDU=IDU∗, C returns nothing because it is forbidden to query the fixed identity IDU∗. If IDU≠IDU∗, the challenger C first accesses to the corresponding tuple (IDU,QIDU(2),ηU) in the list LH2. Then, C chooses two random values αU,v∈Zq∗ and sets SIDU=(vP−αUPpub,v,ηUPpub). However, if the tuple (IDU,vP−αUPpub,αU) already appears in the list Lf1, C resets the SIDU by choosing another two random values. Immediately, the challenger C returns SIDU, and stores (IDU,vP−αUPpub,αU) and (IDU,vP−αUPpub,v,ηUPpub) in the lists Lf1 and LK, respectively.
Signing queries: considering such a query for a message M and an identity IDU, the challenger C will perform either one of the following two cases.
Case 1. If IDU≠IDU∗, the challenger C first accesses to the tuple (IDU,QIDU(1),DIDU(1),DIDU(2)) in the list LK. Then, C chooses a random number rU∈Zq∗ and computes RU=rU·P and VU=(rU+DIDU(1))·HIDU+hU(2)·DIDU(2), where HID and hU(2) are obtained by querying H1(M,IDU,RU) and f2(M,IDU,RU), respectively. The signature on the message M is σU=(QIDU(1),RU,VU). It is evident that (M,IDU,σU) is valid because it is generated using the real private key SIDU=(QIDU(1),DIDU(1),DIDU(2)). The challenger C then returns σU and the ephemeral secret value rU to B.
Case 2. If IDU=IDU∗, the challenger C chooses two values lU,αU∈Zq∗, sets QIDU(1)=lU·P, hU(1)=f1(IDU,QIDU(1))=αU and stores in the list Lf1. Immediately, C accesses to the corresponding tuple (IDU,QIDU(2),ηU) in the list LH2, and selects two random values xU,ζU∈Zq∗ to compute RU=ζU−1·xU·P−lU·P=(ζU−1·xU−lU)·P and VU=xU·bP+αU·ζU·ηU·Ppub. It is obvious that the ephemeral secret key rU = ζU−1·xU−lU. The challenger C then attaches HIDU=H1(M,IDU,RU)=ζU·bP and hU(2)=f2(M,IDU,RU)=αU·ζU to their associated tuples in the lists LH1 and Lf2, respectively. If neither H1(M,IDU,RU) nor f2(M,IDU,RU) is previously stored in the lists LH1 and Lf2, respectively, then C returns αU and the ephemeral secret value rU to B. Otherwise, C reselects two random values xU,ζU∈Zq∗ and repeats the procedure above.
Forge: assume that the algorithm B generates a valid signature tuple (M∗,IDU∗,σU∗), where σU∗=(QIDU∗(1),RU∗,VU∗), with non-negligible probability ϵ″. Following the Forking Lemma in Pointcheval and Stern (1996, 2000), B can output another valid signature tuple (M∗,IDU∗,σU′), where σU′=(QIDU∗(1),RU∗,VU′), with the probability at least ϵ″/2. Hence,
eˆ(P,VU∗)=eˆ(QIDU∗(1)+RU∗,HIDU∗)·eˆ(Ppub,hU∗(1)HIDU∗+hU∗(2)QIDU∗(2))
and
eˆ(P,VU′)=eˆ(QIDU∗(1)+RU∗,HIDU∗)·eˆ(Ppub,hU∗(1)HIDU∗+hU′(2)QIDU∗(2)),
where hU∗(2) and hU′(2) are different hash values from hash queries. Since Ppub=aP, QIDU∗(2)=ηU·P−bP and HIDU∗=ζU·bP , we have
eˆ(P,VU∗)=eˆ(QIDU∗(1)+RU∗,ζU·bP)·eˆ(aP,hU∗(1)ζU·bP+hU∗(2)(ηU·P−bP))=eˆ(P,ζUb(QIDU∗(1)+RU∗)+a(hU∗(1)ζU·bP+hU∗(2)(ηU·P−bP)))
and
eˆ(P,VU′)=eˆ(QIDU∗(1)+RU∗,ζU·bP)·eˆ(aP,hU∗(1)ζU·bP+hU′(2)(ηU·P−bP))=eˆ(P,ζUb(QIDU∗(1)+RU∗)+a(hU∗(1)ζU·bP+hU′(2)(ηU·P−bP))).
Therefore, we have
VU∗=ζUb(QIDU∗(1)+RU∗)+a(hU∗(1)ζU·bP+hU∗(2)(ηU·P−bP))
and
VU′=ζUb(QIDU∗(1)+RU∗)+a(hU∗(1)ζU·bP+hU′(2)(ηU·P−bP)).
Thus, we arrive at
abP=(VU∗−VU′+(hU∗(2)ηU−hU′(2)ηU)·Ppub)(hU∗(1)ζU−hU∗(2)−hU∗(1)ζU+hU′(2)).
Remember that, at the beginning of the proof, we assume A is of Type I adversary that can break the proposed scheme with a non-negligible advantage ϵ within a running time t. And then by Lemma 1 in Cha and Cheon (2003), there exists another algorithm B with the advantage ϵ″⩾ϵ(1−1/q)/qH2 within a running time t″⩽t to perform a fixed ID attack to the ID-based signature scheme. Then, by the same probability analysis utilized in Pointcheval and Stern (1996, 2000), we can conclude that the challenger C is able to solve the CDH problem with the probability ϵ′⩾1/9 and within the running time t′⩽23qf2qH2qt/(ϵ(q−1)). □
In the random oracle model, the proposed SIBSC scheme is secure against Type II adversary under the BDH assumption. Concretely, suppose that there exists a Type II adversaryAthat can break the proposed scheme with a non-negligible advantage ϵ. Assume that the hash functionsf1,f2,H1,H2andH3are random oracles, andAcan makeqfiqueries to the random oraclesfi(i=1,2),qHiqueries to the random oraclesHi(i=1,2,3)andqEqueries to the key extract oracle, respectively. Then, we can construct an algorithmCto solve the BDH problem with an advantageϵ′⩾2ϵe(1+qE)qH3, where e is Euler’s constant, the base of the natural logarithm.
Assume that the algorithm C is given a group G1 of order q with a generator P, and three elements aP,bP,cP∈G1, where a, b and c are unknown to C. In order to compute D=eˆ(P,P)abc, the algorithm C plays a challenger of the adversary A in the following game.
Initial: the challenger C runs the system setup algorithm and sets Ppub=aP to create the public parameters PK=(G1,G2,q,eˆ,P,Ppub,f1,f2,H1,H2,H3) of the proposed scheme. Here f1, f2, H1, H2 and H3 are random oracles controlled by C. The challenger C also answers queries of random oracles issued by A as below.
f1queries: at any time, A can issue queries along with (IDU,QIDU(1)) to the random oracle f1. To respond to these queries, C maintains a list of tuples denoted by Lf1, in which each tuple is of the form (IDU,QIDU(1),αU). Initially Lf1 is empty. When A queries the oracle f1 with a pair (IDU,QIDU(1)), C responds as follows.
If the pair (IDU,QIDU(1)) is already in the list Lf1, the challenger C responds with the corresponding αU to A.
Otherwise, the challenger C randomly selects a value αU∈Zq∗, adds the tuple (IDU,QIDU(1),αU) in Lf1, and responds to A with αU.
f2queries: at any time, A can issue queries along with (M,IDU,RU) to the random oracle f2. To respond to these queries, C maintains a list Lf2 containing tuples of the form (M,IDU,RU,βU). Initially the list is empty. When A queries the oracle f2 with a tuple (M,IDU,RU), C responds as follows.
If the tuple (M,IDU,RU) is already in Lf2, the challenger C responds with the corresponding βU to A.
Otherwise, the challenger C randomly selects a value βU∈Zq∗, adds the tuple (M,IDU,RU,βU) in Lf2 and responds to A with βU.
H1queries: at any time, A can issue queries along with (M,IDU,RU) to the random oracle H1. To respond to these queries, C maintains a list LH1 containing tuples of the form (M,IDU,RU,ζU,ζU·bP). Initially the list is empty. When A queries the oracle H1 with a pair (M,IDU,RU), C responds as follows.
If the tuple (M,IDU,RU) already appears in LH1, the challenger C responds with the corresponding ζU·bP to A.
Otherwise, the challenger C randomly selects a value ζU∈Zq∗, computes ζU·bP and adds the tuple (M,IDU,RU,ζU,ζU·bP) to the list LH1. It responds to A with ζU·bP.
H2queries: at any time, A can issue queries along with IDU to the random oracle H2. To respond to these queries, C maintains a list LH2 containing tuples of the form (IDU,QIDU(2),ηU,coin). Initially the list is empty. When A queries the oracle H2 with IDU, C responds as follows.
If IDU already appears in the list LH2, the challenger C responds with the corresponding QIDU(2) to A.
Otherwise, the challenger C generates a coin∈{0,1} with Pr[coin=0]=δ for some δ that will be determined later. Then C selects a value ηU∈Zq∗. If coin=0, C computes QIDU(2)=H2(IDU)=ηU·P. If coin=1, C computes QIDU(2)=H2(IDU)=ηU·bP. Finally, C returns QIDU(2) to A.
H3queries: at any time, A can issue queries along with S to the random oracle H3. To respond to these queries, C maintains a list LH3 containing pairs of the form (S,T). Initially the list is empty. When A queries the oracle H3 with S, C responds as follows.
If S already appears in the list LH3, the challenger C responds with the corresponding T to A.
Otherwise, C randomly selects a string T∈{0,1}k, adds the tuples (S,T) to the list LH3, and responds to A with T.
Phase 1: the adversary A may make a number of different queries to the challenger C in an adaptive manner as follows:
Key extract queries: to respond to these queries, C maintains a list LK containing tuples of the form (IDU,SIDU), where SIDU=(QIDU(1),DIDU(1),DIDU(2)). Initially the list is empty. Upon receiving the query along with IDU, if IDU already appears in the list LK, the challenger C responds with the associated SIDU to B. If not, the challenger C first accesses to the corresponding tuple (IDU,QIDU(2),ηU,coin) in the list LH2. In case coin=0, C chooses two random values αU,v∈Zq∗ and sets SIDU=(vP−αUPpub,v,ηUPpub). However, if the tuple (IDU,vP−αUPpub,αU) already appears in the list Lf1, C resets the SIDU by choosing another two random values. Immediately, the challenger C returns SIDU and stores (IDU,vP−αUPpub,αU) and (IDU,vP−αUPpub,v,ηUPpub) in the lists Lf1 and LK, respectively. If coin=1, C reports failure and terminates.
Challenge: the adversary A outputs (M0,M1) and IDU∗ to the challenger C. Upon receiving them, C picks a random string Z∈{0,1}k and defines CTU∗=(cP,Z). The challenger C then returns CTU∗ to the adversary A. Observe that the decryption of CTU∗ is indeed Z⊕H3(eˆ(cP,DIDU∗(2))).
Phase 2: the challenger C responds to key extract queries as in Phase 1. Here IDU∗ is forbidden to appear in the key extract queries.
Guess: the adversary A outputs the guess b′∈{0,1}. Immediately, the challenger C randomly picks a pair (S,T) in the list LH3 and outputs (S)ηU−1 as the solution to the given instance of the BDH problem.
In the following, we discuss the probability that the challenger C does not abort.
In Phase 1 or 2: suppose that the adversary A makes a total of qE key extract queries. Then the probability that the challenger C does not abort is δqE.
In Challenge: the probability that the challenger C does not abort is 1−δ.
By (1) and (2), the probability that the challenger C does not abort is δqE(1−δ). Moreover, the maximum value of δqE(1−δ) occurs when δ=1−1/(qE+1). By similar techniques of Coron’s analysis of the Full Domain Hash (2000), we can obtain the probability that the challenger C does not abort is at least 1/e(1+qE), where e is Euler’s constant. In addition, in the phase of Guess, the probability that the challenger C outputs the correct solution of the BDH problem is at least 2ϵ/qH3 (Boneh and Franklin, 2001). Hence, the challenger C resolves the BDH problem with advantage at least ϵ′⩾2ϵe(1+qE)qH3. □
Performance Analysis
To analyse the computational cost and the communication size of the proposed SIBSC scheme, we consider three time consuming operations TGe, TGmul and TGH, which, respectively, denote the time of executing a bilinear pairing operation eˆ:G1×G1→G2, the time of executing a scalar multiplication in G1 and the time of executing a map-to-point hash function.
In our proposed SIBSC scheme, the sender requires 3TGmul+TGH to generate a signature. For the encryption procedures, the third party requires TGe+TGmul+TGH to generate a ciphertext. Indeed, the execution time of operations TGe, TGmul and TGH on the pairing system has been implemented in Scott et al. (2006), Liu et al. (2014). In Scott et al. (2006), the Philips HiPersmart card (smart card) with an 36 MHz processor was used to execute those operations, while in Liu et al. (2014) an Inter(R) Pentium IV 3.0 GHz processor (third party) was used to execute those operations. The execution time of operations on smart card and third party was listed in Table 2. Full descriptions of the security level on the pairing system were discussed in Scott et al. (2006), Liu et al. (2014). According to Table 2, the sender requires less than 490 ms to generate a signature and the third party requires 29.46 ms to generate a ciphertext in our scheme.
On the other hand, in the Encryption algorithm, a ciphertext is defined by (RA,WB), where RA is some element in G1 and WB is bounded to the hash function H3:G2→{0,1}k. Hence, the bit length of a ciphertext is bounded by |G1|+k in our scheme. Moreover, according to Wander et al. (2005), the total message size of the ciphertext is 64+20 bytes. Assume that a packet size is 41 bytes which includes 32 bytes for the payload and 9 bytes for the header. Each packet needs additional 8-byte preamble. Therefore, the ciphertext should be (32+9)∗2+(20+9)∗1+8∗3=135 bytes for transmission. Here, transmitting one byte needs 59.2 μ J (Wander et al., 2005) so that the ciphertext needs 135∗59.2=7.992mJ for transmission.
Computational cost on the smart card and the third party.
TGe
TGmul
TGH
Smart card
380 ms
130 ms
<100 ms
Third party
20.04 ms
6.38 ms
3.04 ms
Comparisons between the proposed scheme and other schemes.
Solution 1
Solution 2
Solution 3
Our solution
Hired scheme
CC’s IBS
CC’s IBS
CM’s IBSC
Our SIBSC
(2003)
(2003)
(2005)
+ BF’s IBE
+ BF’s IBE
+ (2001)
+ (2001)
Computational cost for
TGe
TGe
smart card
+ 3TGmul
2TGmul
+ 3TGmul
3TGmul
+ 2TGH
+ 2TGH
+ TGH
Execution time of smart card
< 970 ms
260 ms
< 970 ms
< 490 ms
Computational cost for
TGe
TGe
third party
–
+ TGmul
–
+ TGmul
+ TGH
+ TGH
Execution time of third party
–
29.46 ms
–
29.46 ms
Communication size (the ciphertext)
2(|G1|+k)
2(|G1|+k)
|G1|+k
|G1|+k
Energy consumption for transmitting the ciphertext
15.984 mJ
15.984 mJ
7.992 mJ
7.992 mJ
Following Table 1 in the Introduction, the precise comparisons are presented in Table 3. In Solution 1, a smart card takes all computational loads of the hired IBS and IBE schemes to offer authentication and confidentiality. In Solution 2, the IBE scheme is executed by a third party instead of the smart card since it does not require the sender’s private key. It is obvious that Solution 2 aims at reducing the computational cost of the smart card, but not for communication size. On the other hand, Solution 3 employing an IBSC scheme aims at reducing the communication size. As mentioned earlier, since the existing IBSC schemes are inseparable, the smart card takes all computational loads. Table 3 demonstrates that our solution not only reduces the computational cost required by the smart card but also efficiently decreases the total communication size.
Conclusions
In this article, the first separable ID-based signcryption (SIBSC) scheme was constructed. In the proposed SIBSC scheme, we aim to employ a semi-trusted third party to assist with expensive pairing computations without endangering the private keys of senders, while retaining communication performance as in IBSC schemes. For security analysis, we demonstrated that our scheme is provably secure to fulfill both authentication and confidentiality by withstanding Type I and Type II adversaries under the computation Diffie–Hellman (CDH) and bilinear Diffie–Hellman (BDH) assumptions, respectively. Indeed, the security analysis was achieved by using random oracles. We believe that to construct a SIBSC scheme without random oracles (in the standard model) is worth studying. It would be an interesting topic for the future work.
Acknowledgements
This research was partially supported by Ministry of Science and Technology, Taiwan, R.O.C., under contract no. MOST103-2221-E-018-022-MY2.
ReferencesBellare, M., Rogaway, P. (1993). Random oracles are practical: a paradigm for designing efficient protocols. In: , pp. 62–73.Boneh, D., Boyen, X. (2004). Secure identity based encryption without random oracles. In Lecture Notes in Computer Science: Vol.3152. , pp. 443–459.Boneh, D., Franklin, M. (2001). Identity-based encryption from the Weil pairing. In: , Lecture Notes in Computer Science, Vol. 2139. pp. 213–229.Boneh, D., Shen, E., Waters, B. (2006). Strongly unforgeable signatures based on computational Diffie–Hellman. In: , Lecture Notes in Computer Science, Vol. 3958, pp. 229–240.Boyen, X. (2003). Multipurpose identity-based signcryption: a swiss army knife for identity-based cryptography. In: , Lecture Notes in Computer Science, Vol. 2729. pp. 383–399.Boyen, X., Waters, B. (2006). Anonymous hierarchical identity-based encryption (without random oracles). In: , Lecture Notes in Computer Science, Vol. 4117. pp. 290–307.Canetti, R., Goldreich, O., Halevi, S. (2004). The random oracle methodology, revisited. , 51(4), 557–594.Cha, J.C., Cheon, J.H. (2003). An identity-based signature from gap Diffie-Hellman groups. In: , Lecture Notes in Computer Science, Vol. 2567. pp. 18–30.Chen, L., Malone-Lee, J. (2005). Improved identity-based signcryption. In: , Lecture Notes in Computer Science, Vol. 3386, pp. 362–379.Chen, L., Cheng, Z., Smart, N.P. (2007). Identity-based key agreement protocols from pairings. , 6(4), 213–241.Chow, S.S.M., Yiu, S.M., Hui, L.C.K., Chow, K.P. (2004). Efficient forward and provably secure ID-based signcryption scheme with public verifiability and public ciphertext authenticity. In: , Lecture Notes in Computer Science, Vol. 2971, pp. 352–369.Coron, J.S. (2000). On the exact security of full domain hash. In: , Lecture Notes in Computer Science, Vol. 1880, pp. 229–235.Fahl, S., Harbach, M., Muders, T., Smith, M. (2012). Confidentiality as a service – usable security for the cloud. In: , pp. 153–162.Jin, Z., Wen, Q., Du, H. (2010). An improved semantically-secure identity-based signcryption scheme in the standard model. , 36(3), 545–552.Kitagawa, T., Yang, P., Hanaoka, G., Zhang, R., Matsuura, K., Imai, H. (2006). Generic transforms to acquire CCA-security for identity based encryption: the cases of FOPKC and REACT. In: , Lecture Notes in Computer Science, Vol. 4058. pp. 348–359.Li, F., Takagi, T. (2013). Secure identity-based signcryption in the standard model. , 57(11–12), 2685–2694.Li, F., Liao, Y., Qin, Z. (2011). Analysis of an identity-based signcryption scheme in the standard model. , 94–A(1), 268–269.Libert, B., Quisquater, J.J. (2003). A new identity based signcryption schemes from pairings. In: , pp. 155–158.Libert, B., Vergnaud, D. (2009). Adaptive-ID secure revocable identity-based encryption. In: , Lecture Notes in Computer Science, Vol. 5473. pp. 1–15.Liu, L., Zhang, Z., Chen, X., Kwak, K.S. (2014). Certificateless remote anonymous authentication schemes for wireless body area networks. , 25(2), 332–342.Ma, R., Li, J., Guan, H., Xia, M., Liu, X. (2015). EnDAS: efficient encrypted data search as a mobile cloud service. , 3(3), 372–383.Malone-Lee, J. (2002). Identity-based signcryption. Cryptology ePrint Archive, Report 2002/098. http://eprint.iacr.org/.Mell, P., Grance, T. (2009). . National Institute of Standards and Technology.Narayan, S., Parampalli, U. (2008). Efficient identity-based signatures secure in the standard model. , 2(4), 108–118.Paterson, K.G., Schuldt, J.C.N. (2006). Efficient identity-based signatures secure in the standard model. In: , Lecture Notes in Computer Science, Vol. 4058, pp. 207–222.Pointcheval, D., Stern, J. (1996). Security proofs for signature schemes. In: , Lecture Notes in Computer Science, Vol. 1070. pp. 387–398.Pointcheval, D., Stern, J. (2000). Security arguments for digital signatures and blind signatures. , 13(3), 361–396.Scott, M., Costigan, N., Abdulwahab, W. (2006). Implementing cryptographic pairings on smartcards. In: , Lecture Notes in Computer Science, Vol. 4249, pp. 134–147.Shamir, A. (1984). Identity-based cryptosystems and signature schemes. In: , Lecture Notes in Computer Science, Vol. 196, pp. 47–53.Suo, H., Liu, Z., Wan, J., Zhou, K. (2013). Security and privacy in mobile cloud computing. In: , pp. 655–659.Tsai, T.T., Tseng, Y.M., Wu, T.Y. (2012). A fully secure revocable ID-based encryption in the standard model. , 23(3), 481–499.Tsai, T.T., Tseng, Y.M., Wu, T.Y. (2013). Provably secure revocable ID-based signature in the standard model. , 6(10), 1250–1260.Tsai, T.T., Tseng, Y.M., Huang, S.S. (2014). Efficient strongly unforgeable ID-based signature without random oracles. , 25(3), 505–521.Tseng, Y.M., Huang, S.S., Tsai, T.T., Ke, J.H. (2016). List-free ID-based mutual authentication and key agreement protocol for multiserver architectures. , 4(1), 102–112.Tysowski, P.K., Hasan, M.A. (2013). Hybrid attribute- and re-encryption-based key management for secure and scalable mobile applications in clouds. , 1(2), 172–186.Wander, A., Gura, N., Eberle, H., Gupta, V., Shantz, S. (2005). Energy analysis of public-key cryptography for wireless sensor networks. In: , pp. 324–328.Waters, B. (2005). Efficient identity-based encryption without random oracles. In: , Lecture Notes in Computer Science, Vol. 3494. pp. 1–33.Wu, T.Y., Tseng, Y.M. (2010). An ID-based mutual authentication and key exchange protocol for low-power mobile devices. , 53(7), 1062–1070.Zhang, B. (2010). Cryptanalysis of an identity based signcryption scheme without random oracles. , 6(6), 1923–1931.Zheng, Y. (1997). Digital signcryption or how to achieve cost (signature & encryption) ≪ cost (signature) + cost (encryption). In: , Lecture Notes in Computer Science, Vol. 1294, pp. 165–179.