Cryptanalysis of an Authentication Scheme Using an Identity Based Generalized Signcryption

Abstract

Secure data transmission is a challenging issue in modern data communication. ID based generalized signcryption is a cost effective security primitive which provides authentication or confidentiality, or jointly confidentiality and authentication. Wei’s proposed an ID based generalized signcryption scheme for authentication and confidentiality of big data in a standard model, claiming that their scheme holds the security of indistinguishability against adaptive chosen-ciphertext attacks and existential unforgeability against adaptive chosen message attacks. In this paper, we analyzed Wei’s scheme by launching security attacks on the scheme to check its validity. As a result, it became clear and proved that the master secret key generated in the scheme is compromisable. Similarly, the mentioned scheme does not hold the security of indistinguishability against adaptive chosen-ciphertext attacks and existential unforgeability against adaptive chosen message attacks. Consequently, Wei’s schemes is prone to attacks and is insecure.

1. Introduction

In 1984, Shamir [1] introduced the concept of Identity Based Cryptography (IBC) for the first time, where an identity is used as a public key and the corresponding private key is generated by a trusted third party entitled PKG. The objective of identity based cryptography is to simplify public key certificate management in public key cryptography. It was later on improved by Boneh and Franklin [2].

To overcome the drawbacks of the traditional cryptographic approaches, Zheng proposed a novel cryptographic primitive called signcryption [3], which is an alternative to the signature then encryption approach with significantly less computation and communication cost. In 2002, Malone-Lee [4] merged identity-based cryptography with signcryption and designed a new ID based signcryption (IBSC) scheme. This IBSC scheme [4] provides foundation for some other identity based signcryption and its variant [5,6,7,8,9,10,11,12,13,14].

In big data security, we need the data confidentiality and data authentication separately and in some cases we use both simultaneously. Likewise, authentication security approach is used by government sectors to authenticate statistical data. And different companies use two security attributes like confidentiality and authentication to both authenticate and keep confidential sales related data. This type of operations require generalized signcryption (GSC) approach proposed by Han et al. [15].

GSC works in three different modes such as; pure encryption mode, pure signature mode and signcryption mode and can be used for data confidentiality, data authenticity or both respectively. For the requirement of a single security parameter either data confidentiality or data authentication, signcryption is not feasible due to greater computational cost and algorithmic complexities. Thus, in this case, signcryption scheme is not suitable for big data and other resources constraint environment.

Now, to fulfill the multi option security requirements of big data we refer the use of generalized signcryption a flavor of simple signcryption suitable for big data and other resources constraints environment instead of signcryption. Wang et al. [16] improved Han et al. [15] scheme and presented a new security model for generalized signcryption. In 2008, Lal and Kushwah [17] contributed the first ID based generalized signcryption (IBGSC) scheme with a new security model. Later on Yu et al. [18] proved that Lal and Kushwah’s security model was not fulfilling the basic security needs, and improved the existing security model with minimal computational cost. In 2011, Kushwah and Lal [19] also simplified same Yu et al. [18] security model and proposed a new efficient IBGSC scheme. In 2019, Waheed et al. [20] analyzed the Zhou et al. [21] certificateless generalized scheme and proposed improved scheme comparatively more secure with the same cost.

Wei et al. [22] proposed a novel IBGSC scheme for pure encryption or pure signature to ensure the confidentiality and authenticity as per requirements in big data with the claim that this scheme is provably secure in standard model. However, in this paper, we analyze Wei’s authentication scheme and prove that Wei’s scheme is prone to attacks and neither IND-CCA nor EUF-CMA secure in the standard model. Therefore we use cryptanalysis approach to analyze and check the Wei’s authentication scheme security and vulnerabilities.

Cryptanalysis approach uses mathematical formulas to search vulnerabilities of an algorithm to prove security limitations or it decrypts ciphertext without knowing session’s key or key related information. Figure 1 reflects the cryptanalysis approach over a simple signcryption.

2. Preliminaries

This section of the paper describe definitions used in Wei’s authentication scheme IBGSC [22]. Let us assume that $\mathbb{G}$ and ${\mathbb{G}}_T$ be the two cyclic multiplicative groups of order q.

Definition 1.

A bilinear map such as: $\widehat{e}:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$, where a bilinear map satisfies the following properties as:

• Bi-linearity: For all $g_1$ and $g_2\in \mathbb{G}$, and $x,y\in {\mathbb{G}}_T$, where $\widehat{e}(g_1^x,g_2^y)=\widehat{e}{(g_1,g_2)}^{xy}$.
• Computability: The $\widehat{e}(g_1,g_2)$ is efficiently computeable.
• Non-degeneracy:$\widehat{e}(g_1,g_2)=1$.

Definition 2.

Computational Diffie-Hellman (CDH) Problem: Let g be a generator of multiplicative group $\mathbb{G}$ of prime order q and it is intractable to compute $g^{xy}$ if input $(g,g^x,g^y)$ is given.

Definition 3.

Computational Diffie-Hellman (CDH) Assumption: We can say CDH is $(t,\zeta )$ hard in $\mathbb{G}$ if any t-time algorithm can not solve CDH with at least ζ probability.

Definition 4.

Decisional Bi-linear Diffie-Hellman (DBDH) Problem: Let $\mathbb{G}$ and ${\mathbb{G}}_T$ have two groups, a bilinear map $\widehat{e}:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$, having generator g of group $\mathbb{G}$, such that input ($g,g^x,g^y,g^z)$ is given and $T\in {\mathbb{G}}_T$, it is also difficult to define $T=\widehat{e}{(g,g)}^{xyz}$.

Definition 5.

Decisional Bi-linear Diffie-Hellman (DBDH) assumption: We can say DBDH is $(t,\zeta )$ hard in $\mathbb{G}$ if any t-time algorithm can not solve DBDH with at least ζ probability.

2.1. IBGSC Formal Framework

IBGSC scheme consists of three Probabilistic Polynomial Time (PPT) algorithms titled as; Setup; Ext; IBGSC and IBGUSC a Deterministic Polynomial Time (DPT) algorithm.

• Setup $\left(1^{\lambda }\right)\mapsto (params;msk)$:- A PPT algorithm takes security parameter k and returns the master key $\left(msk\right)$ and public parameters $\left(params\right)$.
• Ext $(msk;u)\mapsto d_u$:- It takes $(msk;u)$ to generate identity u and private key $d_u$.
• IBGSC $(m;u_a;u_b)\mapsto \sigma$:- Sender or receiver absence denoted by $u_{\varphi }$, sender’s and receiver identities denoted by $u_a,u_b$ respectively, message denoted by $m\in \mathcal{M}$ and signcrypted text denoted by $\sigma \in c$.
  Further three situations are as:
  • In pure encryption mode, the IBGSC takes $(m,u_{\varphi },u_b)$ as input and produces $\sigma$ as output in the absence of sender private key.
  • In pure signature mode, the IBGSC collects $(m,u_a,u_{\varphi })$ and produces the signature $\sigma$ as output in the absence of receiver private key.
  • In signcryption mode $(sign+enc)$, the IBGSC collects $(m,u_a,u_b$) and produces signcrypted text $\sigma$.
• IBGUSC $(\sigma ,u_a,u_b)\mapsto (m,\top ,\perp )$:- Output of this algorithm depends on three different situations:
  • In pure encryption mode, on receiver end IBGUSC collects input $(m$, $u_{\varphi }$, $u_b)$, and generates m as output.
  • In pure signature mode, on receiver end IBGUSC collects input $(m,u_a$, $u_{\varphi })$, and checks $\sigma$ validity, generates ⊤; else generates ⊥ as output.
  • In signcryption mode $(sign+enc)$, on receiver end IBGUSC collects input $(m,u_a,u_b$), and then checks validity of $\sigma$, it produces message m, else ⊥.

2.2. The CCA Security Model

This section of the paper defines CCA security model to check the data confidentiality. Adversary A and Challenger C played a game that guarantee the confidentiality of the message.

Setup:- In this stage challenger C runs setup algorithm with $\left(1^{\lambda }\right)$ and send to A to generate system’s parameters.

Phase 01:- A asked following queries adaptively;

• Ext ${\mathcal{O}}_{ext}$ :- After receiving identity u , challenger C calculate private key $d_u$ and returns back to A.
• IBGSC ${\mathcal{O}}_{ibgsc}$ :- A gives a chosen message m and identities $u_a,u_b$ to C and in response C returns value $\sigma$ to A.
• IBGUSC ${\mathcal{O}}_{ibgusc}$ :- A sends $(\sigma ,u_a,u_b)$ to C and C first checks $\sigma$ validity , and returns valid message to A or returns error symbol ⊥.

Challenge:- A chooses two messages ($m_0,m_1$) with same size and $u_a^{*},u_b^{*}(\ne u_{\phi })$, (except to ask ${\mathcal{O}}_{ext}$ for input $u_b^{*}$ previously), and $(m_0,m_1,u_a^{*},u_b^{*})$ forward to C. C generates a challenge ${\sigma }^{*}$ using flips a coin $b\in \{1,0\}$ for $m_b^{*}$ and finally gives it to A back.

Phase 02:- A asks queries as practiced in phase 1st using input (${\sigma }^{*},u_a^{*},u_b^{*}$), ${\mathcal{O}}_{ext},u_b^{*}$ except ${\mathcal{O}}_{ibgsc}$.

Guess:- A produces output ${\rho }^{\prime }$ of $\rho$ and compares if ${\rho }^{\prime }=\rho$ then A wins the game. The wining probability of A in this game is $Ad{v}_{\mathrm{A}}^{\mathrm{CCA}}\left(1^{\lambda }\right)=|Pr[{\rho }^{\prime }=\rho ]-\frac{1}{2}|$ and thus the scheme is to be CCA secured against all efficient adversaries A, and advantages $Ad{v}_{\mathrm{A}}^{\mathrm{CCA}}\left(1^{\lambda }\right)$ will be considered negligible.

2.3. The $EUF$-$CMA$ Security Model

This section of the paper define security model to authenticate message contents. Using following game between challenger C and adversary A make sure the existential unforgeability of message signature.

Setup:- This step same as CCA security game.

Phase 01:- Like CCA security game.

Forgery:- On a message $m^{*}$, A produces a forgery $({\sigma }^{*},u_a^{*}(\ne u_{\phi }),u_b^{*})$, where A has never asked ${\mathcal{O}}_{ibgsc}$ for input $(m^{*},u_a^{*}(\ne u_{\phi }),u_b^{*})$ and ${\mathcal{O}}_{ext}$ for input $u_a$ before. A wins game if $({\sigma }^{*},u_a^{*}(\ne u_{\phi }),u_b^{*})$ is valid and verified. The scheme will be EUF-CMA secure if the wining probability $Ad{v}_{\mathrm{A}}^{\mathrm{CCA}}\left(1^{\lambda }\right)$ of A in the game is negligible.

3. Review of Wei’s IBGSC Scheme

This section, presents review of Wei’s IBGSC scheme for big data, which consists of three PPT algorithms such as: Setup; Ext; IBGSC and one DPT algorithm is IBGUSC.

Setup:- Let $\mathbb{G}$ and ${\mathbb{G}}_T$ be two groups, $\widehat{e}:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$ is a bilinear map, SIG $=(\mathbb{G},Sign,Vrfy)$ be a one time signature, $\mathrm{SIG}·\mathbb{G}\left(1^{\lambda }\right)$ used to generate a signature and verification key pair $(ssk;svk)$. Let $f\left(u\right)$ be a function, if $u=u_{\varphi }$ then $f\left(u\right)=0$, otherwise $f\left(u\right)=1$. The PKG chooses a secret value $\alpha \in Z_q$ randomly and then computes $g_1=g^{\alpha }$. It also randomly chooses $g_2{u}^{\prime },{\tilde{m}}^{\prime },v^{\prime }\in \mathbb{G}$, vector $U=u_i,M={\tilde{m}}_j,V=sv{k}_k$ of length $n_u,n_m$ and $n_v$ respectively. Let $\lambda$ be security parameter, $H_1:{\mathbb{G}}_T\to {(0;1)}^{n_m}$ and $H_2:{(0;1)}^{*}\to {(0;1)}^{n_m}$ be two hash functions. It keeps the master key $g_2^{\alpha }$ secret and publishes system parameters $(\mathbb{G},{\mathbb{G}}_T,e,g,g_1,g_2,u^{\prime },{\tilde{m}}^{\prime },v^{\prime },U,M,V,H_1,H_2,f(·))$.

Ext:- Let u be the length of $n_u$, where $u\left[i\right]$ be the i-th bit of u. Let us define $\mathcal{U}$, which is a subset $\{1,2,...,n_u\}$ such that $u\left[i\right]=1$. To construct an identity $u^{\prime }s$ private key $d_u$, the PKG chooses an $r_u\in Z_q$ randomly and computes $d_u=(d_{u1},d_{u2})=(g_2^{\alpha }{\left(u^{\prime }{\mathrm{\Pi }}_{i\in u}{u}_i\right)}^{ru},g^{r_u})$. The identities $u_a$ and $u_b$ private keys are: $d_a=(d_{a1},d_{a2})=(g_2^{\alpha }{(u^{\prime }{\mathrm{\Pi }}_i\in u_a{u}_i)}^{r_a},g^{r_a})$ $d_b=(d_{b1},d_{b2})=(g_2^{\alpha }{(u^{\prime }{\mathrm{\Pi }}_i\in u_b{u}_i)}^{r_b},g^{r_b})$.

IBGSC:- Let message $m\in {\{0,1\}}^{n_m}$, sender and the receiver’s identities ($u_a$ and $u_b$) securely communicated. Sender runs the algorithm $\mathrm{SIG}·\mathbb{G}\left(1^{\lambda }\right)$ to generate signature and verification key pair $(ssk;svk)$, and then chooses two integers $r\in Z_q;r^{\prime }\in Z_q$ randomly.

• ${\sigma }_1=g^r$
• $w=e{(g_1,g_2)}^{r}f\left(u_b\right)$
• ${\sigma }_2=m\oplus H_1\left(w\right)f\left(u_b\right)$
• ${\sigma }_3={\left(u^{\prime }{\mathrm{\Pi }}_{i\in ub}{u}_i\right)}^r·f\left(u_b\right)$
• $\tilde{m}=H_2\left(m\right|\left|svk\right)$
• ${\sigma }_4=d_{a1}({\tilde{m}}^{\prime }{\mathrm{\Pi }}_{j\in \mathcal{M}}{\tilde{m}}_j^r{d}_{a1}{\left(u^{\prime }{\mathrm{\Pi }}_{j\in ua}{u}_i\right)}^r·f\left(u_a\right)$
• ${\sigma }_5=d_{a2}{g}^{\acute{r}}·f\left(u_a\right)$
• ${\sigma }_6={\left(\tilde{v}{\mathrm{\Pi }}_{k\in v}sv{k}_k\right)}^r·f\left(u_b\right)$
• ${\sigma }_7=\mathrm{SIG}·Sign(({\sigma }_1,{\sigma }_2,{\sigma }_3,{\sigma }_4,{\sigma }_5,{\sigma }_6),ssk)·f\left(u_b\right)$
• ${\sigma }_8=svk$
  At the end sender sends $\sigma =({\sigma }_1,{\sigma }_2,{\sigma }_3,{\sigma }_4,{\sigma }_5,{\sigma }_6,{\sigma }_7,{\sigma }_8)$ to the receiver.
  • If $u_a=u_{\phi }$ then $f\left(u_a\right)=0$ and $\sigma =({\sigma }_1,{\sigma }_2,{\sigma }_3,0,0,{\sigma }_6,{\sigma }_7,{\sigma }_8)$ is a ciphertext.
  • If $u_b=u_{\phi }$ then $f\left(u_b\right)=0$ and $\sigma =({\sigma }_1,{\sigma }_2,0,{\sigma }_4,{\sigma }_5,0,0,{\sigma }_8)$ is a signature.
  • If $u_a\ne u_{\phi }$ and $u_b\ne u_{\phi }$ and $\sigma =({\sigma }_1,{\sigma }_2,{\sigma }_3,{\sigma }_4,{\sigma }_5,{\sigma }_6,{\sigma }_7,{\sigma }_8)$ is a signcrypted text.
  IBGUSC:- After collecting $\sigma$, receiver of message goes through the following stages:
  • If ${\sigma }_3={\sigma }_6={\sigma }_7=0$ mean message $\sigma$ comprises upon signature contents of the pure signature mode. The message receiver computes $\tilde{m}=H_2({\sigma }_2\left|\right|{\sigma }_8)$ then verifies and accepts signature if $\widehat{e}({\sigma }_4,g)=\widehat{e}(g_1,g_2)\widehat{e}(u^{\prime }{\mathrm{\Pi }}_{j\in \mathcal{M}}{u}_i,{\sigma }_5)\widehat{e}({\tilde{m}}^{\prime }{\mathrm{\Pi }}_{j\in \mathcal{M}}{\tilde{m}}_j,{\sigma }_1)$; otherwise, the receiver go through the following algorithmic steps.
  • If $\mathrm{SIG}·Verfy({\sigma }_1,{\sigma }_2,{\sigma }_3,{\sigma }_4,{\sigma }_5,{\sigma }_6,{\sigma }_7,{\sigma }_8)=1$, $\widehat{e}({\sigma }_1,u^{\prime }{\mathrm{\Pi }}_{i\in u_b}{u}_i)$$\ne \widehat{e}(g,{\sigma }_3)$ or $\widehat{e}({\sigma }_3,v^{\prime }{\mathrm{\Pi }}_{k\in v}sv{k}_k)\ne \widehat{e}(g,{\sigma }_6)$ returns error ⊥; otherwise computes $w=\frac{e(d_{b1},{\sigma }_1)}{e(d_{b2},}{\sigma }_3$ and $m={\sigma }_1\oplus H_1\left(w\right)$.
  • If ${\sigma }_4={\sigma }_5=0$, mean $\sigma$ is a ciphertext of pure encryption mode. The receiver accepts the message contents, otherwise.
  • $\sigma$ is a signcrypted text of the signcryption mode $(sign+enc)$, in this case the message receiver checks message m authenticity with the encryption additionally. The receiver also computes $\tilde{m}=H_2\left(m\right|\left|{\sigma }_8\right)$, accepts message if $\widehat{e}({\sigma }_4,g)=\widehat{e}(g_1,g_2)\widehat{e}(u^{\prime }{\mathrm{\Pi }}_{j\in \mathcal{M}}{u}_i,{\sigma }_5)\widehat{e}({\tilde{m}}^{\prime }{\mathrm{\Pi }}_{j\in \mathcal{M}}{\tilde{m}}_j,{\sigma }_1)$.

4. Cryptanalysis of Wei’s Authentication Scheme

In this section of the paper, we disprove the Wei’s authentication scheme [22], after launching following three concrete attacks.

4.1. PKG Compromise Attack

We launch an attack on Wei’s authentication scheme such that given $\sigma$ generated by the sender, A can derive the PKG master secret key, leading to compromise PKG and thus the whole system is compromised.

Setup:- The C runs setup $\left(1^{\lambda }\right)$ to generate systems parameters $(\mathbb{G},{\mathbb{G}}_T,e,g,g_1,g_2,u^{\prime }{\tilde{m}}^{\prime },v^{\prime },U,M,V,H_1,H_2,f(·))$ and then forward to A.

Phase 01:- A put a signcryption query by submitting a messages m and $u_a,u_b$ with $u_a\ne u_{\phi }$, and set ${\tilde{m}}^{\prime }=g^{\tilde{m}},{\tilde{m}}_j=g^{{\tilde{m}}_j\prime },u^{\prime }=g_j^u$ and $u_i=g^{u_i\prime }$ (except asking the ${\mathcal{O}}_{ext}$ for input $u_a$ previously). C generates $\sigma =({\sigma }_1,{\sigma }_2,{\sigma }_3,{\sigma }_4,{\sigma }_5,{\sigma }_6,{\sigma }_7,{\sigma }_8)$ and send to A. A can compute PKG master secret key $g_2^{\alpha }$ as:

$$\begin{array}{cc}& \frac{{\sigma }_4}{{\left({\sigma }_1{)}^{(\tilde{m}+{\sum }_{j\in \mathcal{M}}{\tilde{m}}_j^{\prime })}\right({\sigma }_5)}^{(u+{\sum }_{{}_{j\in ua}}{u}_i^{\prime })}}\hfill \\ =& \frac{d_{a1}{\left({\tilde{m}}_{j\in M}^{\prime }{\tilde{m}}_j\right)}^r{\left(u_{j\in ua}^{\prime }{u}_i\right)}^{{}^{r\prime }}f\left(u_a\right)}{{\left(g^r{)}^{(\tilde{m}+{\sum }_{j\in \mathcal{M}}{\tilde{m}}_j^{\prime })}\right(d_{a2}{g}^{\acute{r}}f\left(u_a\right))}^{(u+{\sum }_{{}_{j\in ua}}{u}_i^{\prime })}}\hfill \\ =& \frac{d_{a1}{\left({\tilde{m}}_{j\in M}^{\prime }{\tilde{m}}_j\right)}^r{\left(u_{j\in ua}^{\prime }{u}_i\right)}^{{}^{r\prime }}f\left(u_a\right)}{{\left(g^r{)}^{(\tilde{m}+{\sum }_{j\in \mathcal{M}}{\tilde{m}}_j^{\prime })}\right(g^{r_a}{g}^{\acute{r}}f\left(u_a\right))}^{(u+{\sum }_{{}_{j\in ua}}{u}_i^{\prime })}}\hfill \\ =& \frac{d_{a1}{\left({\tilde{m}}_{j\in M}^{\prime }{\tilde{m}}_j\right)}^r{\left(u_{j\in ua}^{\prime }{u}_i\right)}^{{}^{r\prime }}}{{\left(g^r{)}^{(\tilde{m}+{\sum }_{j\in \mathcal{M}}{\tilde{m}}_j^{\prime })}\right(g^{r_a}{g}^{\acute{r}})}^{(u+{\sum }_{{}_{j\in ua}}{u}_i^{\prime })}}\hfill \\ =& \frac{d_{a1}{\left({\tilde{m}}_{j\in M}^{\prime }{\tilde{m}}_j\right)}^r{\left(u_{j\in ua}^{\prime }{u}_i\right)}^{{}^{r\prime }}}{g^r{}^{(\tilde{m}+{\sum }_{j\in \mathcal{M}}{\tilde{m}}_j^{\prime })}{\left(g^{ra+\acute{r}}\right)}^{(u+{\sum }_{{}_{j\in ua}}{u}_i^{\prime })}}\hfill \\ =& \frac{d_{a1}{\left({\tilde{m}}_{j\in \mathcal{M}}^{\prime }{\tilde{m}}_j\right)}^r{\left(u_{j\in ua}^{\prime }{u}_i\right)}^{r\prime }}{{\left(g\right)}^{{(\tilde{m}+{\sum }_{j\in \mathcal{M}}{\tilde{m}}_j^{\prime })}^r}·{\left(g\right)}^{{(u+{\sum }_{{}_{j\in ua}}{u}_i^{\prime })}^{(ra+\acute{r})}}}\hfill \\ =& \frac{d_{a1}{\left({\tilde{m}}_{j\in \mathcal{M}}^{\prime }{\tilde{m}}_j\right)}^r{\left(u_{j\in ua}^{\prime }{u}_i\right)}^{r\prime }}{{\left(g\right)}^{\tilde{m}}{\mathrm{\Pi }}_{j\in M}{\left(g\right)}^{{\tilde{m}}_j\prime }{)}^r·({\left(g\right)}^u{\mathrm{\Pi }}_{j\in ua}{\left(g\right)}^{u_i\prime }{)}^{(ra+\acute{r})}}\hfill \\ =& \frac{d_{a1}{\left({\tilde{m}}_{j\in \mathcal{M}}^{\prime }{\tilde{m}}_j\right)}^r{\left(u_{j\in ua}^{\prime }{u}_i\right)}^{r\prime }}{{\left({\tilde{m}}^{\prime }{\mathrm{\Pi }}_{j\in \mathcal{M}}{\tilde{m}}_j\right)}^r{(u^{\prime }·{\mathrm{\Pi }}_{j\in ua}{u}_i)}^{(ra+\acute{r})}}\hfill \\ =& \frac{d_{a1}{\left({\tilde{m}}_{j\in \mathcal{M}}^{\prime }{\tilde{m}}_j\right)}^r{\left(u_{j\in ua}^{\prime }{u}_i\right)}^{r\prime }}{{\left({\tilde{m}}^{\prime }{\mathrm{\Pi }}_{j\in \mathcal{M}}{\tilde{m}}_j\right)}^r{(u^{\prime }·{\mathrm{\Pi }}_{j\in ua}{u}_i)}^{\acute{r}}{(u^{\prime }·{\mathrm{\Pi }}_{j\in ua}{u}_i)}^{ra}}\hfill \\ =& \frac{d_{a1}}{{(u^{\prime }·{\mathrm{\Pi }}_{j\in ua}{u}_i)}^{ra}}\hfill \\ =& \frac{g_2^{\alpha }{\left(u^{\prime }\mathrm{\Pi }{}_{i\in u_a}{u}_i\right)}^{ra}}{{(u^{\prime }·{\mathrm{\Pi }}_{j\in ua}{u}_i)}^{ra}}\hfill \\ =& g_2^{\alpha }.\hfill \end{array}$$

With PKG master key $g_2^{\alpha }$, A can certainly computes the sender and the receiver’s private keys $(d_a,d_b)$ and can signcrypt on behalf of the sender and unsigncrypt on the behalf of the receiver and thus can always win IND-CCA and EUF-CMA games.

4.2. Attack on Semantic Security

Wei et al. [22] claim that the scheme is also secure semantically in standard model. But there exists a polynomial time adversary A which has always high probability to win the game as:

Setup:- C runs the setup (1${}^{\lambda }$) to generate systems parameters $(\mathbb{G},{\mathbb{G}}_T,e,g,g_1,g_2,u^{\prime },{\tilde{m}}^{\prime },v^{\prime },U,M,V,H_1,H_2,f(·))$ and then forwards to A.

Phase 01:- A does not need to issue any query.

Challenge:- A first launches attack on PKG and obtain master secret key $g_2^{\alpha }$. A randomly chooses two numbers $r_{a^{*}}$ r${}_{b^{*}}\in Z_q$ and computes private keys of user having identities $u_a^{*},u_b^{*}$ as: $d_{a^{*}}=(d_{a^{*}1},d_{a^{*}2})=(g_2^{\alpha }{\left(u^{\prime }{\mathrm{\Pi }}_{i\in u_a}{u}_i\right)}^{r_{a^{*}}},g^{r_{a^{*}}})$, $d_{b^{*}}=(d_{b^{*}1},d_{b^{*}2})=(g_2^{\alpha }{\left(u^{\prime }{\mathrm{\Pi }}_{i\in u_b}{u}_i\right)}^{r_{b^{*}}},g^{r_{b^{*}}})$

A chooses two messages of same size $m_0,m_1$ with identities $u_a^{*},u_b^{*}(\ne u_{\phi }),$ (except asking the ${\mathcal{O}}_{ext}$ for input $u_b^{*}$ previously), and send $(m_0,m_1,u_a^{*},u_b^{*}$) to C. Challenger C flips coin $b\in \{1,0\}$ and for $m_b^{*}$ generates a challenge ${\sigma }^{*}$ using following steps and then forward ${\sigma }^{*}$ to A. Recall that A’s goal is to correctly guess the value b. C runs SIG. $\mathbb{G}(1^{\lambda }$) to compute $(ssk;svk)$ for sign and verification keys pair, chooses two integers $r\in Z_q,r^{\prime }\in Z_q$ randomly and then computes ${\sigma }^{*}$.

• ${\sigma }_1^{*}=g^{r*}$
• $w^{*}=e{(g_1,g_2)}^{r*}·f\left(u_b^{*}\right)$
• ${\sigma }_2^{*}=m_b^{*}\oplus H_1\left(w\right)·f\left(u_b^{*}\right)$
• ${\sigma }_3^{*}={\left(\acute{u}{\mathrm{\Pi }}_{i\in ub}{u}_i\right)}^{r*}·f\left(u_b^{*}\right)$
• ${\tilde{m}}^{*}=H_2(m_b^{*}\left|\right|svk)$
• ${\sigma }_4^{*}=d_a^{*}1{\left({\tilde{m}}^{*\prime }{\mathrm{\Pi }}_{j\in \mathcal{M}}{\tilde{m}}_j^{*}\right)}^r{d}_{a_1}{\left(u^{\prime }{\mathrm{\Pi }}_{j\in u_a}{u}_i\right)}^{r*\prime }·f\left(u_{b^{*}}\right)$
• ${\sigma }_5^{*}=d_{a^{*}2}{\left(g\right)}^{r{*}^{\prime }}·f\left(u_b^{*}\right)$
• ${\sigma }_6^{*}={\left(\acute{v}{\mathrm{\Pi }}_{k\in v}sv{k}_k\right)}^{r*}·f\left(u_b^{*}\right)$
• ${\sigma }_7^{*}=\mathrm{SIG}·Sign({\sigma }_1^{*},{\sigma }_2^{*},{\sigma }_3^{*},{\sigma }_4^{*},{\sigma }_5^{*},{\sigma }_6^{*}),ssk)·f\left(u_{b^{*}}\right)$
• ${\sigma }_8^{*}=svk$

At the end C sends ${\sigma }^{*}=({\sigma }_1^{*},{\sigma }_2^{*},{\sigma }_3^{*},{\sigma }_4^{*},{\sigma }_5^{*},{\sigma }_6^{*},{\sigma }_7^{*},{\sigma }_8^{*})$ to A.

Phase 02:- A has private keys of the sender and the receiver, hence computes $w=\frac{e(d_{b1},{\sigma }_1)}{e(d_{b2},{\sigma }_3)}$. Further A, computes the underlying message $m_b^{*}={\sigma }_1\oplus H_1\left(w\right)$ and knows the value b, and thus wins the game. After above computation it has proved that existing scheme is semantically insecure against chosen-ciphertext attack.

4.3. Attack against Existential Unforgeability

We disprove Wei’s authentication scheme and proved that A can certainly generate a valid generalized signcrypted text and there exists an PPT Adversary can always win the following EUF-CMA game between C and A as:

Setup:- Like CCA security game.

Phase 01:- Like CCA security game.

Forgery:- A first launches attack on PKG , and obtains master secret key of PKG and choose two random numbers $r_{a^{*}},r_{b^{*}}\in Z_q$ with identities $u_a^{*},u_b^{*}$ respectively as:

$d_{a^{*}}=(d_{a^{*}1},d_{a^{*}2})=(g_2^{\alpha }{\left(u^{\prime }{\mathrm{\Pi }}_{i\in u_a}{u}_i\right)}^{r_{a^{*}}},g^{r_{a^{*}}})$, $d_{b^{*}}=(d_{b^{*}1},d_{b^{*}2})=(g_2^{\alpha }{\left(u^{\prime }{\mathrm{\Pi }}_{i\in u_b}{u}_i\right)}^{r_{b^{*}}},g^{r_{b^{*}}})$

On a message $m^{*}$, A certainly produces a forgery $({\sigma }^{*},u_a^{*}(\ne u_{\phi }),u_b^{*}$ ), as A has private keys of the sender and the receiver, and never asked before from ${\mathcal{O}}_{ibgsc}$ for input $(m^{*},u_a^{*}(\ne u_{\phi }),u_b^{*})$ and ${\mathcal{O}}_{ext}$ for input $u_a$ before. A computes (${\sigma }^{*},u_a^{*}(\ne u_{\phi }),u_b^{*})$ if verified and valid, thus always wins the game.

5. Conclusions

Wei et al. presented an authenticated identity based generalized signcryption scheme for big data. In this paper, we have analyzed the mentioned scheme using a formal model and security model. Security attacks were launched on the Wei’s scheme to check whether the scheme is secure or not. In first attack, it is proved that master secret key is compromised. The subsequent attacks proved that the scheme is neither IND-CCA secure nor EUF-CMA secure in the standard model. Thus, Wei’s scheme is susceptible and insecure.