• Open Access

Attribute-based ring signcryption scheme

Authors


Correspondence: Zhenzhou Guo, School of Computer, Shenyang Aerospace University, Shenyang 110136, China.

E-mail: asdgzz@gmail.com

ABSTRACT

In this paper, we present attribute-based ring signcryption scheme, which realizes the concept of ring signcryption in the attribute-based encryption frame firstly. In our system, it allows a user to signcrypt a message by a set of attributes that are chosen without revealing its identity. In additional, we propose the security models and prove the confidentiality and unforgeability of our schemes. We also present the efficiency of our scheme by comparisons. Copyright © 2012 John Wiley & Sons, Ltd.

1 INTRODUCTION

Signcryption is an effective method in cryptography that enables authentication and confidentiality at same time. Signcryption was first proposed by Zheng [1], which provides authenticity and confidentiality with a lower computational cost when a message needs to be both signed and encrypted. The concept of ring signcryption comes from the ring signature, so we review the concept of ring signature firstly. Ring signature was first introduced by Revest [2]; it makes use of the construction of a “ring” when a message is signed, avoiding revealing the signer's identity. After the scheme was proposed, the researchers pay much attention to it. The first identity-based ring signature scheme with by line parings was proposed by Zhang [3] in 2002. The threshold ring signature was proposed by Bresson [4] and was applied in the ad hoc network. Awasthi [5] proposed an efficient identity-based ring signature scheme and proxy ring signature scheme in 2004. Chen [6] proposed a method that can be applied in the P2P networks.

Ring signcryption is a combination means of aforementioned two methods; it allows a user to signcrypt a message with a set of attributes (including his or her partial attributes that are arbitrarily chosen) and protects his or her sensitive attributes. Many efficient signcryption schemes [7-9] were proposed after the notion of signcryption was proposed. Beak [10] proposed the formal security proof of signcryption scheme in 2007. Qin [11] proposed a signcryption scheme that can be applied in identity-based system with multireceiver. The first identity-based ring signcryption scheme was proposed by Huang [12] in 2005, which enables user to signcrypt a message anonymously. Li [13] first proposed the ring signature scheme in attribute-based encryption (ABE) system in 2008.

Sahai and Waters [14] first proposed the concept of ABE in 2005. In ABE system, user's identities are described with a set of attributes; a user with attribute ω can decrypt ciphertext encrypted with attribute ω′ if and only if ω and ω′ are satisfied by the condition that the number of elements in set ω ∩ ω′ is attained the threshold. Key-policy ABE and ciphertext-policy ABE are two forms of ABE scheme extending from fuzzy ABE recently. In key-policy ABE schemes [15-17], attribute policies are associated with private keys, and ciphertext is labeled with a set of attributes. A user is able to decrypt the ciphertext if and only if the ciphertext attributes set satisfies the policy on the user's private keys. In ciphertext-policy ABE schemes [18-20], the situation is reversed, attribute policies are associated with the ciphertext, and private keys are labeled with attributes. A user is able to decrypt the ciphertext if and only if attributes of user's private keys match the policy of the ciphertext. Chase [21] proposed an ABE scheme that supports multiauthority environment.

In this paper, we first realize ring signcryption in ABE. In our system, a sender can signcrypt messages with his or her partial attributes and construct a “ring” with these attributes to protect the legitimacy of the sender without exposing his or her particular identity. In additional, we propose the corresponding security models and prove our scheme confidentiality and unforgeability in the random oracle models. We also present the efficiency of our scheme by comparisons.

We can consider following scenario: Bob is a clerk in a department of a company with attributes as Company A, Employee, Department B, Driver License. Bob wants to suggest or complain to the leader of his department, and at the same time, he wants to be kept anonymous. In addition, the leader assures that the suggestions or complaints are really from a member of the company. To do this, Bob can take advantage of our method to encrypt his suggests or complaints with attributes such as “Company A,” “Employee,” and “Department B.” The leader can verify and decrypt the ciphertext and be convinced that it is really from someone of Company A, without knowing the particular identity of its sender.

The rest of this paper is organized as follows. Section 2 gives some mathematical background and presents the framework and security notion of attribute-based ring signcryption scheme (ABRSS). In Section 3, we introduce ABRSS. The formal security proof of our scheme is in Section 4. We analyze our scheme by comparisons in Section 5. Finally, the conclusion of this paper is given in Section 6.

2 PRELIMINARIES

In this paper, the bilinear pairings on elliptic curves are used. We give background information on pairings and some hard problems from pairings that will be used later.

2.1 Bilinear pairing

Definition 1. ((Bilinear pairing)) Let G1, G2 be cyclic group with prime order p, and let g be a generator of G1. A bilinear pairing is a map e : G1 × G1 → G2 satisfying the following properties:

  1. Bilinearity: for all math formula, we have e(ga, gb) = e(g, g)ab.
  2. Nondegeneracy: e(g, g) ≠ 1.
  3. Computability: there exists an efficient algorithm to compute e(ga, gb), where math formula.

Definition 2. ((Decisional bilinear Diffie–Hellman problem assumption)) Given two groups G1 and G2 of the same prime order p, a bilinear map: e : G1 × G1 → G2 and a generator g of G1, the decisional bilinear Diffie–Hellman (DBDH) problem is, given a tuple of points (g, ga, gb, gc) and a element Z ∈ G2, to decide whether math formula holds. The advantage of a distinguisher against the DBDH problem is defined as follows.

display math

Definition 3. ((Computational Diffie–Hellman problem assumption)) Let a, b be chosen at random from math formula and g be a generator of G1. The CDHP assumption is that no polynomial time adversary is to compute the gab from the (A = ga, B = gb) with more than a negligible advantage.

2.2 Syntax

The ABRSS consists of four algorithms named Setup, Key Extract, Signcryption and Unsigncryption, which are defined as the following.

  • Setup(κ): given a security parameter κ, the trust private generator (PKG) chooses α randomly, generates the master secret key MK, and outputs public parameters PK.
  • Key Extract(MK, ω): the algorithm takes the master key MK and an attribute set ω as inputs. It outputs the private key for ω.
  • Signcryption(m, ωS, ωR): the algorithm takes as input a message m for signcryption, the sender's attributes ωS, and the message receiver's attributes ωR. It outputs the ciphertext CT.
  • Unsigncryption(CT): the algorithm takes the ciphertext CT as input and verifies the ring signcryption. If the CT is a valid ring signcryption, then it outputs the plaintext. else outputs “Invalid.”

2.3 Security notation

Definition 4. ((Confidentiality)) An ABRSS is indistinguishable against adaptive chosen ciphertext attacks if there exists no polynomial-bounded adversary having nonnegligible advantage in the following games.

  1. Setup Phase: the challenger math formula runs the Setup algorithm with a security parameter κ and sends the PK to the adversary math formula.
  2. First Phase: math formula runs polynomial time bounded number of queries to the oracles provided by math formula. These queries are described as the following.
  3. Key Query: math formula chooses a set of attributes: math formula and queries the private key Di corresponding to each ai.
  4. Signcryption Query: math formula chooses a receiver math formula and a message m. math formula sends ωR and m to the challenger math formula; the set ωR is the attribute of math formula. math formula runs the Signcryption algorithm and returns the ciphertext CT.
  5. Unsigncryption Query: math formula chooses a receiver math formula and a ring signcryption CT. The challenger math formula generates the private key of math formula by querying the Key Extraction. math formula runs Unsigncryption algorithm. If CT is a valid ring signcryption, then math formula returns m, else math formula outputs “Invalid”.
  6. Challenge Phase: the adversary math formula chooses two equal length messages {m0, m1} and a receiver math formula and sends them to math formula. The challenger math formula chooses a bit δ ∈ {0, 1}, runs Signcryption algorithm, and returns the ciphertext CT of the message mδ.
  7. Second Phase: the operations in the first phase are repeated.
  8. Guess: math formula outputs a guess δ′ of δ. If δ′ = δ, we say that math formula wins the game. The success probability is defined by
display math

Here, ε is the advantage of adversary math formula in the game.

Definition 5. ((Unforgeability)) An attribute-based ring signcryption is called to be existentially unforgeability against adaptive chosen messages attacks (EUF-ABRSS-CMA) if there exists no polynomial time bounded adversary with a nonnegligible advantage in the following game:

  1. Setup Phase: the challenger math formula runs the Setup algorithm with a security parameter κ and sends the PK to the adversary math formula.
  2. Training Phase: math formula runs polynomial time number of queries as described in First Phase in Definition 2.4. These queries may be adaptive, and the previous query response may affect the current query.
  3. Existential Phase: math formula outputs a new forged ciphertext CT′, where the private key of the attribute set is not queried in the training phase. math formula wins the game if the result of the Unsigncryption(CT′) is not “Invalid.”

3 ATTRIBUTE-BASED RING SIGNCRYPTION

In this section, we introduce the construction of our scheme and prove the correctness of the verification in the Unsigncryption algorithm.

3.1 Our construction

We define the Lagrange coefficient Δi,S, for math formula; let S be a d-element set in math formula.

display math
  • Setup(κ): given a security parameter κ, a trust private key generator chooses two groups G1 and G2 with prime order p > 2κ, a bilinear map: e : G1 × G1 → G2, and a generator g of G1. First, let math formula be the set of universal attributes, and let math formula. In addition, a d − 1 default attribute set is given as Ω = {Ω1, ⋯, Ωd − 1}. Now, choose t1, …, tl, tl + 1, …, tl + d − 1 at random from math formula, and let math formula. Next, pick α randomly from math formula, and let Y = e(g, g)α. Then, select three cryptographic hash functions:
    • math formula, math formula, and math formula. Here, the |M| is the length of the ciphertext. The published public parameter PK is
      display math
    • The master key MK is math formula.
  • Key Extract(MK, ω): a user with attribute set ω; the algorithm generates the private key for ω as follows:
    • – A d − 1 degree polynomial q(x) is randomly chosen such that q(0) = α.
    • – Let math formula, and compute math formula.
    • – Outputs the private key Di for each math formula.
  • Signcryption(m, ωS, ωR): to signcrypt a message m to a receiver math formula, the algorithm is performed by the sender math formula and proceeds as follows:
    • – Chooses a subset math formula from ωS, with d elements (the attributes {i1, …, if} ∈ ωS are chosen to signcrypt message, and d–f attributes are chosen from Ω).
    • – The sender math formula randomly chooses math formula, and let s = H3(m, r), U = gs, and X = Ys = e(g, g)α ⋅ s. Then, compute math formula for each math formula and for each j ∈ ωR.
    • – Let math formula, and choose math formula at random. We take advantage of the element in set math formula to construct a ring. The construction is represented as follows: If l ≠ k, for each math formula, choose randomly math formula and math formula.

      Else, l = k, rk is a random number from math formula,

      display math
      display math
      display math
    • – Compute y = (mrV) ⊕ H1(X).
    • – Finally, the ciphertext CT is
    • math formula
  • Unsigncryption(CT): the receiver math formula obtains the ciphertext CT and runs this algorithm.
    • math formula; choose a d-element subset math formula from attribute set ωR.
    • – Compute
      display math
      retrieve m′, r′, V′ as (m′‖r′‖V′) ⊕ H1(X′).
    • – Let s′ = H3(m′, r′), and verify math formula.
    • – For l =1 to nR + d, computemath formula and verify
      display math

    If all the aforementioned verifications hold, the receiver math formula accepts CT as the valid ring signcryption and the message m′ as the valid message; else, the receiver math formula returns “Invalid.”

  • Correctness: here, we show the correctness of the second verification in the unsigncryption. From the definition of Uk given in the signcryption algorithm, we have the following.

    Proof. This is because

    display math

    and

    display math

    We have

    display math(1)

    and

    display math(2)

    From ((1)) and ((2)), we have shown the correctness of the verification.

4 PROOF OF SECURITY

In this section, we prove the security of our scheme, indistinguishable under chosen ciphertext attack (IND-ABRSS-CCA2) and existentially unforgeable under chosen message attack (EUF-ABRSS-CMA) in random oracle model.

Theorem 1. If an IND-ABRSS-CCA2 adversary math formula has an advantage ε against ABRSS scheme, asking math formula hash queries to random oracles math formula, then there exists an algorithm math formula that solves DBDH problem with advantage

display math

Proof. Suppose there exists a polynomial time adversary math formula, which can break our scheme with nonnegligible advantage ε. We build a simulator math formula that can solve an instance (g, ga, gb, gc) of DBDH problem with nonnegligible advantage ε. math formula makes use of math formula and challenger math formula to solve the DBDH problem instance. math formula simulates the system with many oracles math formula, and math formula is able to make polynomial time queries, adaptively to these oracles. math formula proceeds as follows:

  • Setup Phase: the challenger math formula runs the Setup algorithm. math formula proceeds as the following:
    • – Set the groups G1 and G2 with an effective bilinear map e and G1 generator g.
    • – Define the default attribute set Ω.
    • – Model three hash functions: H1, H2, H3.
    • – Let Y = e(A = ga, B = gb) = e(g, g)ab.
    • – If i ∈ ωR, choose a random number math formula, and set math formula; otherwise, it chooses a random math formula, and sets math formula;
  • First Phase: to deal with the oracle queries, math formula maintains three lists Li, (i = 1, 2, 3) that keeps the records of the responses given by math formula to the corresponding oracle math formula queries. In this phase, math formula adaptively queries the oracles, which are described as the following.
  • math formulaOracle Query: to respond these queries, math formula maintains the list L1 of tuples 〈X, l(1)〉. When math formula queries to this oracle with Xi as input, math formula first searches a tuple math formula in list L1. If such a tuple is found, math formula returns math formula. Otherwise, it returns a random binary sequence math formula such that no entry math formula appears in L1 (to avoid collision on H1) and stores the tuple math formula in L1.
  • math formulaOracle Query: to respond to these queries, math formula maintains the list L2 of tuples math formula. When math formula queries to this oracle with math formula as input, math formula first searches a tuple math formula in list L2. If such a tuple is found, math formula returns math formula. Otherwise, it returns a random binary sequence math formula such that no entry math formula appears in and stores the tuple math formula in L2.
  • math formulaOracle Query: to respond these queries, math formula maintains the list L3 of tuples 〈m, r, s〉. When math formula queries to this oracle with (mi, ri) as input, math formula first searches a tuple 〈mi, ri, si〉 in list L3. If such a tuple is found, math formula returns si. Otherwise, it returns a random si such that no entry 〈∗, si〉 appears in and stores the tuple 〈mi, ri, si〉 in L3.
  • Key Extract Query: math formula can ask a polynomial time queries of key extraction of its choice at any time. To respond these queries, math formula maintains the List L of tulpes 〈ωi, Di〉. Let 1 < j < qE be chosen at random. math formula sets ωj = ωR, and the private key of math formula is ωR and stores in the list L. If math formula, math formula aborts, otherwise, lets math formula and stores in the List L.
  • Signcryption Query: math formula chooses a message m and receiver math formula with attribute set ωR and sends them to the challenger math formula. math formula does as following:
    • – Chooses a d-element subset math formula from ωS (the sender wants to signcrypt the message with the attributes {i1, …, if}, and d–f default attribute elements are chosen from Ω).
    • math formula randomly chooses math formula, and let s = H3(m, r), U = gs, and X = Ys = e(g, g)α ⋅ s. Then, computes math formula for each j ∈ ωR.
    • – Let math formula, and choose math formula at random. We take advantage of the element in set math formula to construct a ring. The construction is presented as follows:
      • If math formula, for each math formula, chooses randomly math formula and math formula;
      • Else, l = k, rk is a random number from math formula.
        display math
        display math
        and math formula
    • – Compute y = (mrV) ⊕ H1(X).
    • – Finally, the ciphertext CT is
      display math
  • Unsigncryption Query: the math formula receives the ciphertext, and runs this algorithm.
    • math formula; choose a d-element subset math formula from ωR. Compute
      display math
      retrieve m′, r′, V′ as (m′‖r′‖V′) ⊕ H1(X′).
    • – Verify math formula.
    • – For l = 1 to nR + d, compute math formula and verify math formula

      If all the aforementioned verifications hold, the receiver math formula accepts CT as the valid ring signcryption and the message m′ as the valid message; else, the receiver math formula returns “Invalid.”

  • Challenge Phase: after a polynomial time number of queries, math formula chooses two messages m0, m1 with the same length, a sender attribute set ωS, and a receiver attributes set ωR and sends them to math formula. If ωR ≠ ωj, math formula aborts. Else, math formula chooses a bit δ ∈ {0, 1} and computes the challenge ring signcryption CT of mδ as follows:
    • Lets s = c and sets U = gc, and then math formula signcrypts the message mδ as described in the signcryption query and returns the ciphertext CT to math formula.
  • Second Phase: math formula asks again a polynomial time queries just like in the first phase.
  • Guess: at the end, math formula produces a bit δ′, which he or she believes the relation math formula holds and sends to math formula. At this moment, if b′ = b, math formula then answers 1 as the result because his or her selection Z allows him or her to produce a ciphertext CT that appeared to math formula as a valid signcrypted text of mδ. If b′ ≠ b, math formula answers 0.

    We now consider math formula's probability of success. We find that the probability that math formula passes the Key Extraction query is obvious 1/qE, where qE is the number of key extraction queries. Therefore, the probability that math formula does not fail during the simulation is 1/qE. The probability that math formula gave a false answer during the Unsigncryption process is no more than qU/2k. Let

    display math

    for i = 0, 1, and we obtain

    display math

Theorem 2. If an EUF-ABRSS-CMA attacker forger math formula exists against our ABRSS scheme, then there exists an algorithm math formula that solves the CDHP.

Proof. The challenger math formula attempts to solve an instance of the CDHP. math formula interacts with an adversary math formula, which can break our scheme with the EUF-ABRSS-CMA security model, to solve the CDHP instance. math formula takes the instance 〈g, ga, gb〉 as input and runs the algorithm to obtain the value gab.

    • Setup Phase: the challenger math formula initials the system by setting up the system parameters as follows:
      • – Sets the groups G1 and G1 with an effective bilinear map e : G1 × G1 → G2 and G1 generator g.
      • – Defines the default attribute sets Ω.
      • – Chooses at1, …, atl, atl + 1, …, atl + d − 1 at random from math formula and lets math formula.
      • – Picks α randomly from math formula and lets Y = e(g, g)α.
      • – Models three hash functions:math formula math formula and math formula
      • – Publishes public parameters PK. The master key MK is math formula.
    • Training Phase: math formula adaptively runs polynomial time number of queries to the various oracles in this phase.
    • Forgery: At the end, math formula produces a forged ciphertext of the message m:
      display math
      • If the forged ciphertext passes the verification in the unsigncryption algorithm, then math formula will be able to generate one more valid ring signcryption: math formula. According to the lemma in [22], clearly, math formula with the ability of generating a valid ring signcryption will be able to generate new valid ring signcryption again by using the same randomness. When it obtains two valid ring signcryptions of message m, math formula will have gab as explained in the following:
        • – Compute
          display math
          retrieve V′ and V ∗ as (m′‖r′‖V′) ⊕ H1(X′).
        • – Here,
          display math
          and
          display math
        • – Thus,
          display math
          and
          display math

5 COMPARISONS

Now, we present the efficiency of our scheme. In a such condition that in a ABE system there a message m that needs to be encrypted and with a ring signature, we compare the cost of our scheme with the cost of scheme [14] + scheme [13]. In the comparison table (Table 1), Pairing is the bilinear paring, and G1M is the scalar point multiplication in group G1. It is straightforward to estimate that our scheme is better in the G1M computations, and the Pairing computation is same with scheme [14] + scheme [13].

Table 1. Performance comparisons.
OperationOur schemeScheme [14]Scheme [13]
Pairing541
G1M3n + 35n + 13n

6 CONCLUSIONS

The ABRSS scheme is an effective method and can be applied in an ABE system when a message needs to be both encrypted and signed. In additional our scheme can keep the identity of signcryption secret. It allows the user to encrypt with attributes chosen from its attributes and keep its anonymity by the attribute ring. In this paper, we propose the security models of our scheme and prove confidentiality and unforgeability in random oracle models. We also illustrate our scheme's efficiency by comparisons.

ACKNOWLEDGEMENTS

This research is supported by the Nature Science Foundation of China under Grant Nos 60673046 and 90715037, the University Doctor Subject Fund of Education Ministry of China under Grant No. 200801410028, and the National 973 Plan of China under Grant No. 2007CB7142057.

Ancillary