Identity Based Generalized Signcryption Scheme in the Standard Model

Abstract

Generalized signcryption (GSC) can adaptively work as an encryption scheme, a signature scheme or a signcryption scheme with only one algorithm. It is more suitable for the storage constrained setting. In this paper, motivated by Paterson–Schuldt’s scheme, based on bilinear pairing, we first proposed an identity based generalized signcryption (IDGSC) scheme in the standard model. To the best of our knowledge, it is the first scheme that is proven secure in the standard model.

1. Introduction

Confidentiality, integrity, non-repudiation and authentication are the important requirements for many cryptographic applications. A traditional approach to achieve these requirements simultaneously is to sign-then-encrypt or encrypt-then-sign. To enhance efficiency, Zheng [1] proposed the concept of signcryption in 1997. The main idea of this primitive is to perform signature and encryption simultaneously in a logical step. Compared with traditional methods [2], signcryption reduces the computational costs and communication overheads. Since then, many public key signcryption schemes have been proposed [3,4,5].

In 1984, Shamir [6] first proposed the idea of identity-based (ID-based) public key cryptography (ID-PKC) to simplify key management procedures of traditional certificate-based public key cryptography. The main idea of ID-PKC is that the user’s public key can be calculated directly from his/her identity such as email addresses rather than being extracted from a certificate issued by a certificate authority (CA). Private keys are generated for the users by a trusted third party, called a Private Key Generator (PKG) using some master key related to the global parameters for the system. The direct derivation of public keys in ID-PKC eliminates the need for certificates and some of the problems associated with them. The first identity based signature scheme was given by Shamir [6], but the first identity based encryption scheme was presented by Boneh and Fanklin [7] in 2001. The first identity based signcryption scheme was proposed by Malone Lee [8] in 2002, and they also gave the security model for signcryption in identity based settings. Since then, many identity based signcryption schemes have been proposed [9,10,11,12,13,14,15,16,17].

The signcryption scheme was used in these application environments, which need simultaneous confidentiality and authenticity. However, it is not all application environments requiring both confidentiality and authenticity. If only one of the two functionalities is required, then the signcryption scheme is not efficient. To achieve this, we can use an encryption/signature scheme. However, in the low bandwidth environment, we have to afford to use three different cryptographic algorithms—encryption, signature and signcryption—to achieve confidentiality and authenticity separately or simultaneously. In 2006, to decrease implementation complexity, Han et al. [18] proposed the concept of generalized signcryption, which can work as an encryption scheme or a signature scheme or a signcryption scheme as required. They also proposed a concert construction based on the Elliptic Curve Digital Signature Algorithm (ECDSA) . Wang et al. [19] gave the security model of a generalized signcryption scheme and modified the scheme proposed in [18]. In 2008, Lal et al. [20] presented the first identity based generalized signcryption (IDGSC) scheme. However, Yu et al. [21] showed that the security model in [20] is not complete. They modified the security model and gave a new scheme that is secure in this model. In 2011, Kushwah et al. [22] simplified the security model for IDGSC and proposed an efficient scheme.

Provable security is the basic requirement for ID-based generalized signcryption schemes. The security of all of the schemes [20,21,22] described above was only proven secure in the random oracle model. The random oracle model was introduced by Bellare and Rogaway in [23]. The model is a formal model in analyzing cryptographic schemes, where a hash function is considered as a black box that contains a random function. Although the model is efficient and useful, it has received a lot of criticism that the proofs in the random oracle model are not proven. Canetti et al. [24] have shown that security in the random oracle model does not imply security in the real world, in that a scheme can be secure in the random oracle model and yet be broken without violating any particular intractability assumption, and without breaking the underlying hash functions.

Therefore, to design a provable secure ID-based generalized signcryption scheme in the standard model (without random oracles) remains an open and interesting research problem.

In this paper, we first proposed an ID-based generalized signcryption scheme in the standard model. Using the Paterson–Schuldt scheme [25], we give a concrete scheme. We also prove its semantic security under the hardness of the Decisional Bilinear Diffie–Hellman problem and its unforgeability under the computational Diffie–Hellman assumption.

2. Preliminaries

In this section, we briefly review the basic concepts on bilinear pairings and some related complexity assumptions.

2.1. Bilinear Pairings

Let ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ be two multiplicative cyclic groups of prime order q and let g be a generator of ${\mathbb{G}}_1$. The map $e:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$ is said to be an admissible bilinear pairing with the following properties:

• Bilinearity: For all $u,v\in {\mathbb{G}}_1$, and $a,b\in {\mathbb{Z}}_q$, $e(u^a,v^b)=e{(u,v)}^{ab}$.
• Non-degeneracy: $e(g,g)\ne 1$.
• Computability: There exists an efficient algorithm to compute $e(u,v)$ for all $u,v\in {\mathbb{G}}_1$.

We note that the modified Weil and Tate pairings associated with supersingular elliptic curves are examples of such admissible pairings.

2.2. Complexity Assumptions

2.2.1. Decisional Bilinear Diffie–Hellman (DBDH) Problem

Given $g,g^a,g^b,g^c\in {\mathbb{G}}_1$, for unknown $a,b,c\in {\mathbb{Z}}_q^{*}$ and $Z\in {\mathbb{G}}_2$, decide whether $Z=e{(g,g)}^{abc}$.

Defining the advantage ε of a polynomial algorithm $\mathcal{A}$ against the DBDH problem is

$$|Pr[\mathcal{A}(g,g^a,g^b,g^c,e{(g,g)}^{abc})=1]-Pr[\mathcal{A}(g,g^a,g^b,g^c,Z)=1]|\ge \epsilon ,$$

where the probability is over the randomly chosen $a,b,c$ and the random bits consumed by $\mathcal{A}$.

Definition 1.

The $(t,\epsilon )$ DBDH assumption holds if no t-time adversary has at least ε advantage in solving the DBDH problem.

2.2.2. Computational Diffie–Hellman (CDH) Problem

Given $g,g^a,g^b\in {\mathbb{G}}_1$, for unknown $a,b\in {\mathbb{Z}}_q^{*}$, compute $g^{ab}$.

The success probability δ of a polynomial algorithm $\mathcal{A}$ in solving the CDH problem is denoted as

$$Suc{c}_{\mathcal{A}}^{CDH}=Pr[\mathcal{A}(g,g^a,g^b)=g^{ab},]\ge \delta$$

where the probability is over the randomly chosen $a,b$ and the random bits consumed by $\mathcal{A}$.

Definition 2.

The $(t,\delta )$ CDH assumption holds if no t-time adversary has at least δ in solving the CDH problem.

3. Formal Model of Identity-Based Generalized Signcryption Schemes

3.1. Generic Scheme

An identity based generalized signcryption scheme consists of the following four algorithms:

• Setup: Given a security parameter k, the private key generator (PKG) generates system parameters $params$ and a master key s. $params$ is made public while s is kept secret.
• Extract: Given an identity $ID$, the PKG computes the corresponding private key $d_{ID}$ and transmits it to the $ID$ via a secure channel.
• Generalized Signcrypt: Given the sender’s identity $I{D}_A$ and private key $d_A$, the receiver’s identity $I{D}_B$ and a message m, the sender outputs the ciphertext σ.
• Generalized Unsigncrypt: Given the sender’s identity $I{D}_A$, the receiver’s identity $I{D}_B$ and private key $d_B$ and the ciphertext σ, the receiver with identity $I{D}_B$ outputs m or the symbol ⊥ if σ is an invalid ciphertext under $I{D}_A$ and $I{D}_B$.

There is no special sender (or receiver) when we encrypt (or sign) a message using IDGSC. We denote the absence of sender (or receiver) by $I{D}_{\Phi }$. If $I{D}_B=I{D}_{\Phi }$, the IDGSC scheme becomes a signature scheme and output of the IDGSC is a signature of sender $I{D}_A$ on the message m. If $I{D}_A=I{D}_{\Phi }$, the IDGSC scheme becomes an encryption scheme and output of the IDGSC is merely an encryption of message m for receiver $I{D}_B$. If $I{D}_A\ne I{D}_{\Phi }$ and $I{D}_B\ne I{D}_{\Phi }$, then IDGSC works as the signcryption scheme and output of IDGSC is the signcryption of message m for sender $I{D}_A$ and receiver $I{D}_B$. Thus, the IDGSC scheme works in three models via signcryption mode, encryption mode and signature mode.

3.2. Security Model

According to Yu et al.’s scheme [21], the abilities of an adversary are formally modeled by queries issued by adversities. Each adversary may issue the following queries:

• Private-Key-Extract: The adversary submits an identity, and the challenger responds with the private key of that identity.
• Sign: The adversary submits a sender’s identity and a message, and the challenger responds with the signature of the signer on the message.
• Verify: The adversary submits a signer’s identity and a message/signature pair, and the challenger responds with 1 if the signature is accepted and 0 otherwise.
• Encrypt: The adversary submits a receiver’s identity and a message, and the challenger responds with the ciphertext on this message for the receiver.
• Decrypt: The adversary submits a receiver’s identity and a ciphertext, and the challenger decrypts the ciphertext under the private key of the receiver and returns the corresponding plaintext.
• Signcrypt: The adversary submits a sender’s and receiver’s identities and a message, and the challenger responds with the ciphertext under the sender’s private key and the receiver’s public key.
• Unsigncrypt: The adversary submits a ciphertext and a receiver’s identity, and the challenger decrypts the ciphertext under the private key of the receiver and verifies that the resulting decryption is a valid message/signature pair under the public key of the decrypted identity. Then, the challenger returns the message.

The identity based generalized signcryption can work in three modes: encryption mode, signature mode and signcryption mode, denoted IDGSC-EN, IDGSC-SG and IDGSC-SC, respectively.

For the confidentiality, we define the following two games (Game 1 and Game 2) under IDGSC-EN and IDGSC-SC, respectively.

Game 1. Indistinguishability (IND)-(IDGSC-EN)-CCA2 Secure

Consider the following game played between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

• Initial: The challenger $\mathcal{C}$ takes security parameters k and runs the Setup algorithm to generate system parameters $params$ and the master key s. $\mathcal{C}$ sends $params$ to $\mathcal{A}$ and keeps s secret.
• Phase 1: The adversary $\mathcal{A}$ can perform a polynomially bounded number of seven above types of queries. These queries may be made adaptively, i.e., each query may depend on the answers to the previous queries.
• Challenge: The adversary $\mathcal{A}$ decides when Phase 1 ends, and chooses two equal length plaintexts $m_0$, $m_1$ and two identities $I{D}_A=I{D}_{\Phi },I{D}_B\ne I{D}_{\Phi }$ on which to be challenged. The identity $I{D}_B$ should not appear in any private key extract queries in Phase 1. $\mathcal{C}$ chooses randomly a bit b, encrypts $m_b$ and then sends the ciphertext σ to $\mathcal{A}$.
• Phase 2: The adversary $\mathcal{A}$ makes a polynomial number of queries adaptively again as in Phase 1 with the restriction that it cannot make private key extract queries on $I{D}_B$ and cannot make an unsigncrypt query on σ.
• Guess: The adversary $\mathcal{A}$ produces a bit $b^{\prime }$ and wins the game if $b^{\prime }=b$.

The advantage of $\mathcal{A}$ is defined as $Ad{v}_{IDGSC-EN}^{IND-CCA2}(A)=|2Pr[b^{\prime }=b]-1|$, where $Pr[b^{\prime }=b]$ denotes the probability that $b^{\prime }=b$.

Definition 3 (Confidentiality-IDGSC-EN).

An IDGSC scheme is said to have the indistinguishability against chosen adaptive ciphertext attacks (IND-(IDGSC-EN)-CCA2) or semantic security if no polynomially bounded adversary has a non-negligible advantage in Game 1.

Game 2. IND-(IDGSC-SC)-CCA2 Secure

Consider the following game played between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

• Initial: The challenger $\mathcal{C}$ takes security parameters k and runs the Setup algorithm to generate system parameters $params$ and the master key s. $\mathcal{C}$ sends $params$ to $\mathcal{A}$ and keeps s secret.
• Phase 1: The adversary $\mathcal{A}$ can perform a polynomially bounded number of the seven types of queries above. These queries may be made adaptively, i.e., each query may depend on the answers to the previous queries.
• Challenge: The adversary $\mathcal{A}$ decides when phase 1 ends, chooses two equal length plaintexts $m_0$, $m_1$ and two identities $I{D}_A\ne I{D}_{\Phi },I{D}_B\ne I{D}_{\Phi }$ on which to be challenged. The identity $I{D}_B$ should not appear in any private key extract queries in Phase 1. $\mathcal{C}$ chooses randomly a bit b, encrypts $m_b$ and then sends the ciphertext σ to $\mathcal{A}$.
• Phase 2: The adversary $\mathcal{A}$ makes a polynomial number of queries adaptively again as in Phase 1 with the restriction that it cannot make private key extract queries on $I{D}_B$ and cannot make an unsigncrypt query on σ.
• Guess: The adversary $\mathcal{A}$ produces a bit $b^{\prime }$ and wins the game if $b^{\prime }=b$.

The advantage of $\mathcal{A}$ is defined as $Ad{v}_{IDGSC-SC}^{IND-CCA2}(A)=|2Pr[b^{\prime }=b]-1|$, where $Pr[b^{\prime }=b]$ denotes the probability that $b^{\prime }=b$.

Definition 4 (Confidentiality-IDGSC-SC).

An IDGSC scheme is said to have the indistinguishability against adaptive chosen ciphertext attacks (IND-(IDGSC-SC)-CCA2) or semantic security if no polynomially bounded adversary has a non-negligible advantage in Game 2.

For the unforgeability, we define the following two games (Game 3 and Game 4) under IDGSC-SG and IDGSC-SC, respectively.

Game 3. EF-(IBGSC-SG)-Adaptive Chosen Message Attack (ACMA) Secure

Consider the following game played between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

• Initial: The challenger $\mathcal{C}$ runs the Setup algorithm with a security parameter k and obtains system parameters $params$ and the master secret key s. $\mathcal{C}$ sends $params$ to $\mathcal{A}$.
• Queries: The adversary $\mathcal{A}$ performs a polynomially bounded number of queries adaptively just like in Game 1.
• Forgery: Finally, the adversary $\mathcal{A}$ produces two identities $I{D}_A\ne I{D}_{\Phi },I{D}_B=I{D}_{\Phi }$ and a ciphertext (signature) σ. The adversary wins the game if $I{D}_A\ne I{D}_{\Phi }$; σ was a valid ciphertext (signature) on $m,I{D}_A$; no private key extract query was made on $I{D}_A$; σ did not result from signature query on $m,I{D}_A$.

The advantage of $\mathcal{A}$ is defined as $Ad{v}_{IDGSC-SG}^{EF-ACMA}(A)=Pr[Awins]$.

Definition 5 (Unforgeability-IDGSC-SG).

An IDGSC scheme is said to have the existential unforgeability against chosen adaptive message attacks (EF-(IDGSC-SG)-ACMA) if no polynomially bounded adversary has a non-negligible advantage in Game 3.

Game 4. EF-(IDGSC-SC)-ACMA Secure

Consider the following game played between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

• Initial: The challenger $\mathcal{C}$ runs the Setup algorithm with a security parameter k and obtains system parameters $params$ and the master secret key s. $\mathcal{C}$ sends $params$ to $\mathcal{A}$.
• Queries: The adversary $\mathcal{A}$ performs a polynomially bounded number of queries adaptively just like in Game 1.
• Forgery: Finally, the adversary $\mathcal{A}$ produces a new tuple $(\sigma ,I{D}_A,I{D}_B)$. Let m be the result of unsigncryption σ under the private key of $I{D}_B$. The adversary wins the game if $I{D}_A\ne I{D}_{\Phi },I{D}_B\ne I{D}_{\Phi }$; no private key extract query was made on $I{D}_A$; σ is a valid signature under $m,I{D}_A$; $(\sigma ,I{D}_A,I{D}_B)$ was not output by a signcrypt query.

The advantage of $\mathcal{A}$ is defined as $Ad{v}_{IDGSC-SC}^{EF-ACMA}(A)=Pr[Awins]$.

Definition 6 (Unforgeability-IDGSC-SC).

An IDGSC scheme is said to have the existential unforgeability against chosen adaptive message attacks (EF-(IDGSC-SC)-ACMA) if no polynomially bounded adversary has a non-negligible advantage in Game 4.

4. The Proposed Scheme

Our IDGSC scheme is described as the following algorithms.

• Setup: Given a security parameter k, the PKG chooses groups ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ of prime order q, a generator g of ${\mathbb{G}}_1$, a admissible bilinear pairing $e:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$, and hash functions $H:{\{0,1\}}^{*}\to {\{0,1\}}^l$ and $H_m:{\{0,1\}}^{*}\to {\{0,1\}}^{n_m}$. The PKG chooses a random value $\alpha \in {\mathbb{Z}}_q^{*}$, computes $g_1=g^{\alpha }$ and selects $g_2\in {\mathbb{G}}_1$. Furthermore, the PKG computes $z=e(g_1,g_2)$ and picks $u^{\prime },m^{\prime }\in {\mathbb{G}}_1$ and vectors $\mathrm{u}=\{u_i\}$, $\mathrm{m}=\{m_i\}$ of length $n_u$ and $n_m$, respectively, whose entries are random elements from ${\mathbb{G}}_1$. The system parameters are $params=\{G_1,G_2,e,p,g,g_1,g_2,H,H_m,z,u^{\prime },m^{\prime },\mathrm{u},\mathrm{m}\}$ and the master secret key $g_2^{\alpha }$.
  Let $f(ID)$ be a special function, where $ID\in {\{0,1\}}^{n_u}$. If identity is vacant, that is $ID=I{D}_{\Phi }$, $f(ID)=0$, otherwise $f(ID)=1$.
• Extract: Let $ID$ be a bit string of length $n_u$, representing an identity and let $ID[i]$ be the i-th bit of $ID$. Define $U_{ID}\subset \{1,2,···,n_u\}$ to be the set of indices i such that $ID[i]=1$. A private key $d_{ID}$ for identity $ID$ is generated as follows. The PKG picks $r_{ID}\in {\mathbb{Z}}_q^{*}$ and computes

  $$d_{ID}=(d_{ID1},d_{ID2})=\left(g_2^{\alpha }{(u^{\prime }{\displaystyle \prod _{i\in U_{ID}}}{u}_i)}^{r_{ID}},g^{r_{ID}}\right).$$
  Therefore, the sender with identity $I{D}_A$ and the receiver with identity $I{D}_B$ private keys are

  $$d_A=(d_{A1},d_{A2})=\left(g_2^{\alpha }{(u^{\prime }{\displaystyle \prod _{i\in U_A}}{u}_i)}^{r_A},g^{r_A}\right),$$

  $$d_B=(d_{B1},d_{B2})=\left(g_2^{\alpha }{(u^{\prime }{\displaystyle \prod _{i\in U_B}}{u}_i)}^{r_B},g^{r_B}\right).$$
• Generalized Signcrypt: Suppose the sender A with identity $I{D}_A$ wants to send a message $m\in {\{0,1\}}^l$ to the receiver B with identity $I{D}_B$, A picks randomly $r\in {\mathbb{Z}}_q^{*}$ and does the following:

  • Compute ${\sigma }_1=g^r$.
  • Compute $w=z^{rf(I{D}_B)}$.
  • Compute $c=m\oplus H(w)$.
  • Compute ${\sigma }_2={(d_{A2})}^{f(I{D}_A)}$.
  • Compute ${\sigma }_3={(u^{\prime }{\displaystyle \prod _{i\in U_B}}{u}_i)}^{rf(I{D}_B)}$.
  • Compute $\pi =H_m(m,{\sigma }_1,{\sigma }_2,{\sigma }_3,w)$. Here π is an $n_m$ bit string and $\pi [j]$ denotes the j-th bit of π, and $M\subset \{1,2,···,n_m\}$ denotes the set of j for which $\pi [j]=1$.
  • Compute ${\sigma }_4={(d_{A1})}^{f(I{D}_A)}·{\sigma }_3·{(m^{\prime }{\displaystyle \prod _{j\in M}}{m}_j)}^r$.
  The ciphertext is $\sigma =({\sigma }_1,{\sigma }_2,{\sigma }_3,{\sigma }_4,c)$.
• Generalized Unsigncrypt: When receiving σ, the receiver with identity $I{D}_B$ follows the steps below:

  • Compute $f(I{D}_B)$.
  • Compute $w=e(d_{B1},{\sigma }_1^{f(I{D}_B)})·e{(d_{B2},{\sigma }_3)}^{-1}$.
  • Compute $m=c\oplus H(w)$.
  • Compute $\pi =H_m(m,{\sigma }_1,{\sigma }_2,{\sigma }_3,w)$ and generate the corresponding set M, the set of all j for which $\pi [j]=1$.
  • Accepted the message if and only if the following equality holds:

    $$e({\sigma }_4,g)=e{(g_2,g_1)}^{f(I{D}_A)}e(u^{\prime }{\displaystyle \prod _{i\in U_A}}{u}_i,{\sigma }_2)e{(u^{\prime }{\displaystyle \prod _{i\in U_B}}{u}_i,{\sigma }_1)}^{f(I{D}_B)}e(m^{\prime }{\displaystyle \prod _{j\in M}}{m}_j,{\sigma }_1).$$

Remark 1.

Our Setup, Extract algorithm in our scheme is from the existing work, i.e., Paterson–Schuldt’s scheme [25]. However, our Setup algorithm has some differences from [25], and we added some parameters: H and $H_m$. Other algorithms such as Generalized Signcrypt and Generalized Unsigncrypt are new designs.

5. Analysis

5.1. Correctness

$$\begin{array}{c}\frac{e\left(d_{B1},{\sigma }_1^{f(I{D}_B)}\right)}{e\left(d_{B2},{\sigma }_3\right)}=\frac{e\left(g_2^{\alpha }{(u^{\prime }{\displaystyle \prod _{i\in U_B}}{u}_i)}^{r_B},g^{rf(I{D}_B)}\right)}{e\left(g^{r_B},{(u^{\prime }{\displaystyle \prod _{i\in U_B}}{u}_i)}^{rf(I{D}_B)}\right)}=\frac{e\left(g_2^{\alpha },g^{rf(I{D}_B)}\right)e\left({(u^{\prime }{\displaystyle \prod _{i\in U_B}}{u}_i)}^{r_B},g^{rf(I{D}_B)}\right)}{e\left(g^{r_B},{(u^{\prime }{\displaystyle \prod _{i\in U_B}}{u}_i)}^{rf(I{D}_B)}\right)}=e{(g_1,g_2)}^{rf(I{D}_B)}\hfill \end{array}$$

$$\begin{array}{cc}e({\sigma }_4,g)\hfill & =e((g_2^{\alpha f(I{D}_A)}·{(u^{\prime }{\displaystyle \prod _{i\in U_A}}{u}_i)}^{r_{A}f(I{D}_A)}·{(u^{\prime }{\displaystyle \prod _{i\in U_B}}{u}_i)}^{rf(I{D}_B)}·{(m^{\prime }{\displaystyle \prod _{j\in M}}{m}_j)}^r,g))\hfill \\ & =e(g_2^{\alpha f(I{D}_A)},g)e((u^{\prime }{\displaystyle \prod _{i\in {\mathrm{U}}_A}}{u}_i{)}^{r_{A}f(I{D}_A)},g))e(({(u^{\prime }{\displaystyle \prod _{i\in U_B}}{u}_i)}^{rf(I{D}_B)},g))e(({(m^{\prime }{\displaystyle \prod _{j\in M}}{m}_j)}^r,g))\hfill \\ & =e{(g_2,g_1)}^{f(I{D}_A)}e(u^{\prime }{\displaystyle \prod _{i\in U_A}}{u}_i,g^{r_{A}f(I{D}_A)})e(u^{\prime }{\displaystyle \prod _{i\in U_B}}{u}_i,g^{rf(I{D}_B)})e(m^{\prime }{\displaystyle \prod _{j\in M}}{m}_j,g^r)\hfill \\ & =e{(g_2,g_1)}^{f(I{D}_A)}e(u^{\prime }{\displaystyle \prod _{i\in U_A}}{u}_i,{\sigma }_2)e{(u^{\prime }{\displaystyle \prod _{i\in U_B}}{u}_i,{\sigma }_1)}^{f(I{D}_B)}e(m^{\prime }{\displaystyle \prod _{j\in M}}{m}_j,{\sigma }_1).\hfill \end{array}$$

There are three cases to be considered.

Case 1. In the IDGSC-SC Model

In this case, there is $I{D}_A\ne I{D}_{\Phi },I{D}_B\ne I{D}_{\Phi }$, so $f(I{D}_A)=f(I{D}_B)=1$. The generalized signcryption scheme in signcryption model is as follows:

• Signcrypt:

  • Compute ${\sigma }_1=g^r$.
  • Compute $w=z^r$.
  • Compute $c=m\oplus H(w)$.
  • Compute ${\sigma }_2=d_{A2}$.
  • Compute ${\sigma }_3={(u^{\prime }{\displaystyle \prod _{i\in U_B}}{u}_i)}^r$.
  • Compute $\pi =H_m(m,{\sigma }_1,{\sigma }_2,{\sigma }_3,w)$. Here π is an $n_m$ bit string and $\pi [j]$ denotes the j-th bit of π, and $M\subset \{1,2,···,n_m\}$ denotes the set of j for which $\pi [j]=1$.
  • Compute ${\sigma }_4=d_{A1}·{\sigma }_3·{(m^{\prime }{\displaystyle \prod _{j\in M}}{m}_j)}^r$.
  The ciphertext is $\sigma =({\sigma }_1,{\sigma }_2,{\sigma }_3,{\sigma }_4,c)$.
• Unsigncrypt:

  • Compute $w=e(d_{B1},{\sigma }_1)·e{(d_{B2},{\sigma }_3)}^{-1}$.
  • Compute $m=c\oplus H(w)$.
  • Compute $\pi =H_m(m,{\sigma }_1,{\sigma }_2,{\sigma }_3,w)$ and generate the corresponding set M, the set of all j for which $\pi [j]=1$.
  • Accepted the message if and only if the following equality holds:

    $$e({\sigma }_4,g)=e(g_2,g_1)e(u^{\prime }\prod _{i\in U_A}{u}_i,{\sigma }_2)e(u^{\prime }\prod _{i\in U_B}{u}_i,{\sigma }_1)e(m^{\prime }\prod _{j\in M}{m}_j,{\sigma }_1).$$

Case 2. In the IDGSC-SG Model

In this case, there is $I{D}_A\ne I{D}_{\Phi },I{D}_B=I{D}_{\Phi }$, so $f(I{D}_A)=1,f(I{D}_B)=0$. The generalized signcryption scheme in the signature model is as follows:

• Sign:

  • Compute ${\sigma }_1=g^r$.
  • Compute $w=z^{rf(I{D}_B)}=1$.
  • Compute $c=m\oplus H(w)$.
  • Compute ${\sigma }_2={(d_{A2})}^{f(I{D}_A)}=d_{A2}$.
  • Compute ${\sigma }_3={(u^{\prime }{\displaystyle \prod _{i\in U_B}}{u}_i)}^{rf(I{D}_B)}=1$.
  • Compute $\pi =H_m(m,{\sigma }_1,{\sigma }_2,{\sigma }_3,w)$. Here π is an $n_m$ bit string and $\pi [j]$ denotes the j-th bit of π , and $M\subset \{1,2,···,n_m\}$ denotes the set of j for which $\pi [j]=1$.
  • Compute ${\sigma }_4=d_{A1}·{\sigma }_3·{(m^{\prime }{\displaystyle \prod _{j\in M}}{m}_j)}^r$.
  The signature is $\sigma =({\sigma }_1,{\sigma }_2,{\sigma }_3,{\sigma }_4,c\oplus H(w))=({\sigma }_1,{\sigma }_2,{\sigma }_3,{\sigma }_4,m)$.
• Verify:

  • Compute $\pi =H_m(m,{\sigma }_1,{\sigma }_2,{\sigma }_3,w)$ and generate the corresponding set M, the set of all j for which $\pi [j]=1$.
  • Accepted the signature if and only if the following equality holds:

    $$e({\sigma }_4,g)=e(g_2,g_1)e(u^{\prime }\prod _{i\in U_A}{u}_i,{\sigma }_2)e(u^{\prime }\prod _{i\in U_B}{u}_i,{\sigma }_1)e(m^{\prime }\prod _{j\in M}{m}_j,{\sigma }_1).$$

Case 3. In the IDGSC-EN Model

In this case, there is $I{D}_A=I{D}_{\Phi },I{D}_B\ne I{D}_{\Phi }$, so $f(I{D}_A)=0,f(I{D}_B)=1$. The generalized signcryption scheme in the encryption model as follows:

• Encrypt:

  • Compute ${\sigma }_1=g^r$.
  • Compute $w=z^{rf(I{D}_B)}=z^r$.
  • Compute $c=m\oplus H(w)$.
  • Compute ${\sigma }_2={(d_{A2})}^{f(I{D}_A)}=1$.
  • Compute ${\sigma }_3={(u^{\prime }{\displaystyle \prod _{i\in U_B}}{u}_i)}^{rf(I{D}_B)}={(u^{\prime }{\displaystyle \prod _{i\in U_B}}{u}_i)}^r$.
  • Compute $\pi =H_m(m,{\sigma }_1,{\sigma }_2,{\sigma }_3,w)$. Here π is an $n_m$ bit string and $\pi [j]$ denotes the j-th bit of $\pi [j]$, and $M\subset \{1,2,···,n_m\}$ denotes the set of j for which $\pi [j]=1$.
  • Compute ${\sigma }_4={(d_{A1})}^{f(I{D}_A)}·{\sigma }_3·{(m^{\prime }{\displaystyle \prod _{j\in M}}{m}_j)}^r={(u^{\prime }{\displaystyle \prod _{i\in U_B}}{u}_i)}^r·{(m^{\prime }{\displaystyle \prod _{j\in M}}{m}_j)}^r$.
  The ciphertext is $\sigma =({\sigma }_1,{\sigma }_2,{\sigma }_3,{\sigma }_4,c)$.
• Decrypt:

  • Compute $w=e(d_{B1},{\sigma }_1)·e{(d_{B2},{\sigma }_3)}^{-1}$.
  • Compute $m=c\oplus H(w)$.
  • Compute $\pi =H_m(M,{\sigma }_1,{\sigma }_2,{\sigma }_3,w)$ and generate the corresponding set M, the set of all j for which $\pi [j]=1$.
  • Accepted the message if and only if the following equality holds:

    $$e({\sigma }_4,g)=e(u^{\prime }\prod _{i\in U_B}{u}_i,{\sigma }_1)e(m^{\prime }\prod _{j\in M}{m}_j,{\sigma }_1).$$

5.2. Security Proof

Theorem 1.

(Confidentiality in the IDGSC-EN model) Assume there is an adversary IND (IBGSC-EN) CCA2 $\mathcal{A}$ that is able to distinguish two valid ciphertexts during the defined in Game 1 with an advantage ε when running in a time t, then there exists an algorithm $\mathcal{D}$ that can break Waters’ identity based encryption scheme in a time $t^{\prime }=t$ with an advantage ${\epsilon }^{\prime }=\epsilon$.

Proof. 

When the IDGSC scheme works as an encryption scheme, it is a actually the identity based encryption proposed by Waters [26] and one-time signature. Owing to the theorem proposed by Canetti et al. [27], this scheme is secure against the normal adaptive chosen-ciphertext attack. Considering the signcrypt/unsigncrypt query, the adversary cannot transform the target encryption ciphertext into a valid signcryption ciphertext. This conclusion is based on the EF-ACMA security of PS. So IDGSC scheme in encryption model is IND-CCA2 secure. Thus, the theorem follows. ☐

Theorem 2.

(Confidentiality in the IDGSC-SC model). Assume there is an adversary IND (IDGSC-SC) CCA2 $\mathcal{A}$ that is able to distinguish two valid ciphertexts during the defined in Game 2 with an advantage ε when running in a time t and making at most $q_k$ private key extract queries, $q_s$ sign queries, $q_v$ verify queries, $q_e$ encrypt queries, $q_d$ decrypt queries, $q_{sc}$ signcrypt queries and $q_{us}$ unsigncrypt queries. Then, there exists a distinguisher that can solve an instance of the DBDH problem in a time $t^{\prime }=t+(5q_k+2q_s+4q_e+4q_{sc})t_e+(4q_d+7q_{us}+4q_v)t_p$ with an advantage ${\epsilon }^{\prime }=\frac{\epsilon }{8(q_k+q_d+q_s+q_{sc}+q_{us})(n_u+1)q_{sc}(n_m+1)}$, where $t_e$ denotes the time of an exponentiation in ${\mathbb{G}}_1$ and $t_p$ denotes the time of a pairing in $(G_1,G_2)$.

Proof. 

Assume that there is a polynomially bounded adversary $\mathcal{A}$ that is able to break the semantic security of our scheme. Then, there exists a distinguisher $\mathcal{D}$ that can decide whether $Z=e{(g,g)}^{abc}$ or not with a non-negligible advantage when receiving a random instance $g,g^a,g^b,g^c,Z$. $\mathcal{D}$ runs $\mathcal{A}$ as the subroutine and acts as the challenger in Game 2 and interacts with $\mathcal{A}$ as described below. ☐

• Initial. $\mathcal{D}$ chooses randomly as follows:

  • Two integers $0⩽l_u⩽q$ and $0⩽l_m⩽q$.
  • Two integers $0⩽k_u⩽n_u$ and $0⩽k_m⩽n_m$ ($l_u(n_u+1)<q$, $l_m(n_m+1)<q$).
  • An integer $x^{\prime }\in {\mathbb{Z}}_{l_u}$ and $n_u$-dimensional vector $(x_1,···,x_{n_u})\in {\mathbb{Z}}_{l_u}$.
  • An integer $y^{\prime }\in {\mathbb{Z}}_{l_m}$ and $n_m$-dimensional vector $(y_1,···,y_{n_m})\in {\mathbb{Z}}_{l_m}$.
  • An integer $z^{\prime }\in {\mathbb{Z}}_q$ and $n_u$-dimensional vector $(z_1,···,z_{n_u})\in {\mathbb{Z}}_q$.
  • An integer ${\omega }^{\prime }\in {\mathbb{Z}}_q$ and $n_m$-dimensional vector $({\omega }_1,···,{\omega }_{n_m})\in {\mathbb{Z}}_q$.
  To make the notation easy to follow, we define four functions:

  $$F(ID)=x^{\prime }+\sum _{i\in \mathrm{U}}{x}_i-l_u{k}_u, J(ID)=z^{\prime }+\sum _{i\in \mathrm{U}}{z}_i,$$

  $$K(M)=y^{\prime }+\sum _{i\in \mathrm{M}}{y}_i-l_m{k}_m, L(M)={\omega }^{\prime }+\sum _{i\in \mathrm{M}}{\omega }_i.$$
  $\mathcal{D}$ sets system parameters as follows:

  • $g_1=g^a$ and $g_2=g^b$.
  • $u^{\prime }=g_2^{-l_u{k}_u+x^{\prime }}{g}^{z^{\prime }}$ and $u_i=g_2^{x_i}{g}^{z_i}$ ($1⩽i⩽n_u$), which means that, for any identity $ID$, we have $u^{\prime }{\displaystyle \prod _{i\in U_{ID}}}{u}_i=g_2^{F(ID)}{g}^{J(ID)}$.
  • $m^{\prime }=g_2^{-l_m{k}_m+y^{\prime }}{g}^{{\omega }^{\prime }}$ and $m_i=g_2^{y_i}{g}^{{\omega }_i}$ ($1⩽i⩽n_m$), which means that, for any π, we have $m^{\prime }{\displaystyle \prod _{i\in M}}{m}_i=g_2^{K(\pi )}{g}^{L(\pi )}$.

  Finally, $\mathcal{D}$ returns all parameters to $\mathcal{A}$. We can see that all distributions are identical to that in the real world.
• Phase 1. $\mathcal{D}$ answers the queries as follows:

  –

  Private key extract queries: When the adversary $\mathcal{A}$ issues a private key extract query on an identity $ID$, $\mathcal{D}$ acts as follows:

  • If $F(ID)=0mod{l}_u$, $\mathcal{D}$ aborts and reports failure.
  • If $F(ID)\ne 0mod{l}_u$, $\mathcal{D}$ can construct a private key by picking a random $r_{ID}\in {\mathbb{Z}}_q^{*}$ and computing:

    $$d_{ID}=(d_{ID1},d_{ID2})=(g_1^{-\frac{J(ID)}{F(ID)}}{(g_2^{F(ID)}{g}^{J(ID)})}^{r_{ID}},g_1^{-\frac{1}{F(ID)}}{g}^{r_{ID}}).$$

  –

  Encrypt queries: At any time, the adversary $\mathcal{A}$ can perform an encrypt query on a plaintext m for the receiver $I{D}_B$, and $\mathcal{D}$ runs the encrypt algorithm in the encryption model to answer $\mathcal{A}$’s query.

  –

  Decrypt queries: At any time, the adversary $\mathcal{A}$ can perform a decrypt query on a ciphertext σ for the receiver $I{D}_B$, and $\mathcal{D}$ acts as follows:

  • If $F(I{D}_B)=0mod{l}_u$, $\mathcal{D}$ aborts and reports failure.
  • If $F(I{D}_B)\ne 0mod{l}_u$, $\mathcal{D}$ first obtains the private key for $I{D}_B$ as he does in response to the private key extract query, and then runs a decrypt algorithm in the encryption model to answer $\mathcal{A}$’s query.

  –

  Sign queries: At any time, the adversary $\mathcal{A}$ can perform a sign query on a message m for the sender $I{D}_A$, $\mathcal{D}$ acts as follows:

  • If $F(I{D}_A)=0mod{l}_u$, $\mathcal{D}$ aborts and reports failure.
  • If $F(I{D}_A)\ne 0mod{l}_u$, $\mathcal{D}$ first obtains the private key for $I{D}_A$ as he does in response to the private key extract query, and then runs a sign algorithm in the signature model to answer $\mathcal{A}$’s query.

  –

  Verify queries: At any time, the adversary $\mathcal{A}$ can perform a verify query on a message/signature pair $(m,\sigma )$ for the sender $I{D}_A$, and $\mathcal{D}$ runs a verify algorithm in the signature model to answer $\mathcal{A}$’s query.

  –

  Signcrypt queries: At any time, the adversary $\mathcal{A}$ can perform a signcrypt query on a plaintext m for the sender identity $I{D}_A$ and the receiver identity $I{D}_B$, and $\mathcal{D}$ acts as follows:

  • If $F(I{D}_A)=0mod{l}_u$, $\mathcal{D}$ aborts and reports failure.
  • If $F(I{D}_A)\ne 0mod{l}_u$, $\mathcal{D}$ first obtains the private key for $I{D}_A$ as he does in response to the private key extract query, and then runs the signcrypt algorithm in the signcryption model to answer $\mathcal{A}$’s query.

  –

  Unsigncrypt queries: At any time, the adversary $\mathcal{A}$ can perform an unsigncrypt query on a ciphertext σ for the sender identity $I{D}_A$ and the receiver identity $I{D}_B$, and $\mathcal{D}$ acts as follows:

  • If $F(I{D}_B)=0mod{l}_u$, $\mathcal{D}$ aborts and reports failure.
  • If $F(I{D}_B)\ne 0mod{l}_u$, $\mathcal{D}$ first obtains the private key for $I{D}_B$ as he does in response to the private key extract query, and then runs the unsigncrypt algorithm in the signcryption model to answer $\mathcal{A}$’s query.

• Challenge. After a polynomially bounded number of queries, the adversary $\mathcal{A}I{D}_A^{*},I{D}_B^{*}$ on which he wishes to be challenged. Note that $\mathcal{D}$ fails if $\mathcal{A}$ has made a private key extract query on $I{D}_B^{*}$ during Phase 1. Then, $\mathcal{A}$ submits two messages $m_0,m_1\in {\{0,1\}}^l$ and $I{D}_A^{*},I{D}_B^{*}$ to $\mathcal{D}$. $\mathcal{D}$ will abort if $F(I{D}_B^{*})\ne 0mod{l}_u$. Otherwise, $\mathcal{D}$ flips a fair binary coin $\gamma \in \{0,1\}$ and constructs ciphertext $m_{\gamma }$ as follows.
  $\mathcal{D}$ randomly chooses a number $r^{*}\in {\mathbb{Z}}_q^{*}$ and computes

  $${\pi }_{\gamma }^{*}=H(m_{\gamma },g^c,g_1^{-\frac{1}{F(I{D}_A^{*})}}{g}^{I{D}_A^{*}},{(g^c)}^{J(I{D}_B^{*})},m_{\gamma }\oplus H(Z)).$$
  $M_{\gamma }^{*}$ denoted the set of 1 for which ${\pi }_{\gamma }^{*}[j]=1$. If $K(M_{\gamma }^{*})\ne 0modq$, $\mathcal{D}$ aborts. Otherwise, $\mathcal{D}$ sets the ciphertext as:

  $${\sigma }^{*}=\left(g^c,g_1^{-\frac{1}{F(I{D}_A^{*})}}{g}^{I{D}_A^{*}},{(g^c)}^{J(I{D}_B^{*})},g_1^{-\frac{J(I{D}_A^{*})}{F(I{D}_A^{*})}}{(g_2^{F(I{D}_A^{*})}{g}^{J(I{D}_A^{*})})}^{r^{*}}{(g^c)}^{J(I{D}_B^{*})}{(g^c)}^{L({\pi }_{\gamma }^{*})}\right).$$
• Phase 2. The adversary $\mathcal{A}$ then performs a second series of queries which are treated in the same as Phase 1. It is not allowed to make the private key extract query on $I{D}_B^{*}$ and an unsigncrypt query on ${\sigma }^{*}$ under $I{D}_B^{*}$.
• Guess. At the end of the simulations, the adversary $\mathcal{A}$ outputs a guess ${\gamma }^{\prime }$. If ${\gamma }^{\prime }=\gamma$, $\mathcal{D}$ answers 1, indicating that $Z=e{(g,g)}^{abc}$; otherwise, $\mathcal{D}$ answers 0 to the DBDH problem.

This completes the description of simulation. Analyzing the probability of $\mathcal{D}$ not aborting still needs to be analyzed. $\mathcal{D}$ will not abort if all the following conditions are fulfilled:

• $F(ID)\ne 0mod{l}_u$ during the private key extract queries.
• $F(I{D}_B)\ne 0mod{l}_u$ during the decrypt queries.
• $F(I{D}_A)\ne 0mod{l}_u$ during the sign queries.
• $F(I{D}_A)\ne 0mod{l}_u$ during the signcrypt queries.
• $F(I{D}_B)\ne 0mod{l}_u$ during the unsigncrypt queries.
• $F(I{D}_B^{*})=0modq$ and $K(M_{\gamma }^{*})=0modq$ during the challenge phase.

Let $I{D}_1,···,I{D}_{q_{ID}}$ be the identity appearing in all queries not involving the challenge identity. Clearly, we will have $q_{ID}⩽q_k+q_d+q_s+q_{sc}+q_{us}$. Define the following events:

• ${\mathrm{A}}_i$ : $F(I{D}_i)\ne 0mod{l}_u$ where $i=1,···,q_{ID}$.
• $\mathrm{B}$ : $F(I{D}_B^{*})=0modq$.
• $\mathrm{C}$ : $K(M_{\gamma }^{*})=0modq$.

The success probability of $\mathcal{D}$ is $Pr[\neg abort]=Pr[\underset{i=1}{\overset{q_{ID}}{\Lambda }}{\mathrm{A}}_i\wedge \mathrm{B}\wedge \mathrm{C}]$.

The functions F and K are selected independently; therefore, the events $(\underset{i=1}{\overset{q_{ID}}{\wedge }}{\mathrm{A}}_i\wedge \mathrm{B})$ and $\mathrm{C}$ are independent. According to $l_u(n_u+1)<q$, it is easy to see that $F(u)=0modq\Rightarrow F(u)=0mod{l}_u$. Furthermore, this implies that, if $F(u)=0mod{l}_u$, there will be a unique $k_u$ with $0⩽k_u⩽n_u,$ such that $F(u)=0modq$. For the randomness of $k_u,x^{\prime },x_1,···,x_{n_u}$, we have

$$\begin{array}{cc}Pr[\mathrm{B}]\hfill & =Pr[F(I{D}_B^{*})=0modq]\hfill \\ & =Pr[F(I{D}_B^{*})=0mod{l}_u]Pr[F(I{D}_B^{*})=0modq|F(I{D}_B^{*})=0mod{l}_u]\hfill \\ & =(\frac{1}{l_u}\frac{1}{n_u+1}).\hfill \end{array}$$

On the other hand, for any i, the event ${\mathrm{A}}_i$ and $\mathrm{B}$ are independent, so we have

$$\begin{array}{cc}Pr[\underset{i=1}{\overset{q_{ID}}{\wedge }}{\mathrm{A}}_i\wedge \mathrm{B}]\hfill & =Pr[\mathrm{B}]Pr[\underset{i=1}{\overset{q_{ID}}{\wedge }}{\mathrm{A}}_i|\mathrm{B}]=Pr[\mathrm{B}]\left(1-Pr[\underset{i=1}{\overset{q_{ID}}{\vee }}\neg {\mathrm{A}}_i|\mathrm{B}]\right)\hfill \\ & ⩾Pr[\mathrm{B}]\left(1-{\displaystyle \sum _{i=1}^{q_{ID}}}Pr[\neg {\mathrm{A}}_i|\mathrm{B}]\right)=\left(\frac{1}{l_u(n_u+1)}\right)\left(1-\frac{q_{ID}}{l_u}\right).\hfill \end{array}$$

Similarly, we have $Pr[\mathrm{C}]=Pr[K(M_{\gamma }^{*})=0modq]=\frac{1}{l_m}\frac{1}{n_m+1}$.

Let $l_u=2(q_k+q_d+q_s+q_{sc}+q_{us})$ and $l_m=2q_{sc}$. Then, we have

$$\begin{array}{cc}Pr[\neg abort]\hfill & =Pr[\underset{i=1}{\overset{q_{ID}}{\wedge }}{\mathrm{A}}_i\wedge \mathrm{B}\wedge \mathrm{C}]=\left(\frac{1}{l_u(n_u+1)}\right)\left(1-\frac{q_{ID}}{l_u}\right)\left(\frac{1}{l_m}\frac{1}{n_m+1}\right)\hfill \\ & =\frac{1}{8(q_k+q_d+q_s+q_{sc}+q_{us})(n_u+1)q_{sc}(n_m+1).}\hfill \end{array}$$

If the simulation does not abort, the adversary $\mathcal{A}$ will win Game 2 with the advantage at least ε. Thus, $\mathcal{D}$ can solve for the DBDH problem instance with the advantage ${\epsilon }^{\prime }=\frac{\epsilon }{8(q_k+q_d+q_s+q_{sc}+q_{us})(n_u+1)q_{sc}(n_m+1)}$.

Algorithm $\mathcal{D}$’s running time is the same as $\mathcal{A}$’s running time plus the time it takes to respond to $q_k$ private key extract queries, $q_s$ sign queries, $q_v$ verify queries, $q_e$ encrypt queries, $q_d$ decrypt queries, $q_{sc}$ signcrypt queries and $q_{us}$ unsigncrypt queries. Each private key extract query requires five exponentiation operations in ${\mathbb{G}}_1$. Each sign query needs two exponentiation operations in ${\mathbb{G}}_1$. Each verify query needs four pairing operations in $({\mathbb{G}}_1,{\mathbb{G}}_2)$. Each encrypt query needs four exponentiation operations in ${\mathbb{G}}_1$. Each decrypt query needs four pairing operations in $({\mathbb{G}}_1,{\mathbb{G}}_2)$. Each signcrypt query requires four exponentiation operations in ${\mathbb{G}}_1$. Each unsigncrypt query requires seven pairing operations in $({\mathbb{G}}_1,{\mathbb{G}}_2)$. If we assume each that exponentiation takes time $t_e$ and each pairing takes time $t_p$, the total running time is at most $t+(5q_k+2q_s+4q_e+4q_{sc})t_e+(4q_d+7q_{us}+4q_v)t_p$. Thus, the theorem follows.

Theorem 3.

(Unforgeability in the IDGSC-SG Model) Assuming that there is an adversary EF (IDGSC-SG) ACMA $\mathcal{A}$ that breaks our scheme with the probability δ when running in a time t, then there exists an algorithm $\mathcal{B}$ that can forge a valid signature of Paterson–Schuldt in a time $t^{\prime }=t$ with the probability ${\delta }^{\prime }=\delta$.

Proof. 

When the IDGSC scheme works as a signature scheme, it is actually the identity based signature proposed by Paterson and Schuldt [25]. This signature scheme itself is EF-ACMA secure. Considering the signcrypt/unsigncrypt query that is absent in the normal signature scheme, these queries are useless to the adversary of EF-(IDGSC-SG)-ACMA. The identities of sender and receiver are included in the signature. Hence, an adversary can break the Paterson and Schuldt scheme if he can break our scheme in the signature model. Then, the theorem follows. ☐

Theorem 4.

(Unforgeability in the IDGSC-SC Model) Assume that there is an adversary EF (IDGSC-SC) ACMA $\mathcal{A}$ that breaks our scheme with the probability δ when running in a time t and making at most $q_k$ private key extract queries, $q_s$ sign queries, $q_v$ verify queries, $q_e$ encrypt queries, $q_d$ decrypt queries, $q_{sc}$ signcrypt queries and $q_{uc}$ unsigncrypt queries. Then, there exists a algorithm $\mathcal{B}$ that can solve an instance of the CDH problem in a time $t^{\prime }=t+(5q_k+2q_s+4q_e+4q_{sc})t_e+(4q_d+7q_{us}+4q_v)t_p$ with the probability ${\delta }^{\prime }=\frac{\delta }{16{(q_k+q_d+q_s+q_{sc}+q_{us})}^2{(n_u+1)}^2{q}_{sc}(n_m+1)}$, where $t_e$ denotes the time of an exponentiation in ${\mathbb{G}}_1$ and $t_p$ denotes the time of a pairing in $({\mathbb{G}}_1,{\mathbb{G}}_2)$.

Proof. 

Assume that there is a polynomially bounded adversary $\mathcal{A}$ that is able to break the unforgeability of our scheme. Then, there exists an algorithm $\mathcal{B}$ that can compute $g^{ab}$ with a non-negligible advantage when receiving a random CDH problem instance $(g,g^a,g^b)$. $\mathcal{B}$ runs $\mathcal{A}$ as the subroutine and acts as the challenger in Game 4 and interacts with $\mathcal{A}$ as described below. ☐

• Initial: $\mathcal{B}$ sets the system parameter using the initial phase described in Theorem 1. Note that $\mathcal{B}$ assigns $g_1=g^a$ and $g_2=g^b$.
• Queries: $\mathcal{A}$ can perform a polynomially bounded number of queries including private key extract queries, sign queries, verify queries, encrypt queries, decrypt queries, signcrypt queries and unsigncrypt queries. $\mathcal{B}$ answers the adversary $\mathcal{A}$ in the same way as that of Theorem 2.
• Forgery: Finally, $\mathcal{A}$ outputs a forgery ciphertext ${\sigma }^{*}=({\sigma }_1^{*},{\sigma }_2^{*},{\sigma }_3^{*},{\sigma }_4^{*},c^{*})$ on the message $m^{*}$ under the receivers $I{D}_B^{*}$ and the sender $I{D}_A^{*}$ such that

  • ${\sigma }^{*}$ is a valid ciphertext.
  • $I{D}_A^{*}$ has not been submitted as one of the private key extract queries.
  • $m^{*}$ has not been submitted as one of the signcrypt queries under the $I{D}_A^{*},I{D}_B^{*}$.

Now, $\mathcal{B}$ can unsigncrypt ${\sigma }^{*}$ and obtain $m^{*}$ under the $I{D}_A^{*},I{D}_B^{*}$. $\mathcal{B}$ computes ${\pi }^{*}=H_m(m^{*},{\sigma }_1^{*},{\sigma }_2^{*},{\sigma }_3^{*},w^{*})$ and generates $M^{*}$, the set of all i for which ${\pi }^{*}[j]=1$. If $F(I{D}_A^{*})\ne 0modq$, $F(I{D}_B^{*})\ne 0modq$ and $K({\pi }^{*})\ne 0modq$, $\mathcal{B}$ will abort. Otherwise, $F(I{D}_A^{*})=0modq$, $F(I{D}_B^{*})=0modq$ and $K({\pi }^{*})=0modq$, $\mathcal{B}$ can obtain the following case:

$$\begin{array}{c}e({\sigma }_4^{*},g)=e(g_2,g_1)e(u^{\prime }{\displaystyle \prod _{i\in U_A^{*}}}{u}_i,{\sigma }_2^{*})e(u^{\prime }{\displaystyle \prod _{i\in U_B^{*}}}{u}_i,{\sigma }_1^{*})e(m^{\prime }{\displaystyle \prod _{j\in M^{*}}}{m}_j,{\sigma }_1^{*})\hfill \\ =e(g^a,g^b)e(g^{J(I{D}_A^{*})},{\sigma }_2^{*})e(g^{J(I{D}_B^{*})},{\sigma }_1^{*})e(g^{L({\pi }^{*})},{\sigma }_1^{*}).\hfill \end{array}$$

Thus, we have $g^{ab}=\frac{{\sigma }_4^{*}}{{({\sigma }_1^{*})}^{J(I{D}_B^{*})}{({\sigma }_2^{*})}^{J(I{D}_A^{*})}{({\sigma }_1^{*})}^{L({\pi }^{*})}}$, which is the solution to the given CDH problem.

Analogous to Theorem 1, we can obtain that $\mathcal{B}$ solves for the CDH problem instance with the probability ${\delta }^{\prime }=\frac{\delta }{16{(q_k+q_d+q_s+q_{sc}+q_{us})}^2{(n_u+1)}^2{q}_{sc}(n_m+1)}$, with time being $t^{\prime }=t+(5q_k+2q_s+4q_e+4q_{sc})t_e+(4q_d+7q_{us}+4q_v)t_p$. Thus, the theorem follows.

5.3. Efficiency

We compare the efficiency and security of our scheme with those of three identity based generalized signcryption schemes, including Lal et al.’s scheme [20], Yu et al.’s scheme [21] and Kushwah et al.’s scheme [22]. We denote the modular exponentiation and the pairing computation by E, P, respectively. Other operations are omitted in the following analysis since their computation cost is trivial. We consider the pre-computation here and do not take hash function evaluations into account.

To compare the computation cost of related schemes, we compute the execution time of the cryptographic operations above using MIRACL [28], which is a famous cryptographic library and has been widely used to implement cryptographic operations in many environments. Our hardware platform consists of an Intel I7-4770 processor with 3.40 GHz clock frequency, 4 gigabytes memory and runs the Windows 7 operating system. A bilinear pairing P operation needs 4.211 milliseconds and a modular exponentiation E operation needs 1.709 milliseconds.

We summarize the comparisons of the four schemes in

Table 1. Comparison of identity based generalized signcryption schemes.

Schemes	Generalized Signcrypt	Generalized Unsigncrypt	Security Model
Lal et al. [20]	$6E+1P=14.456$ ms	$3P+1E=14.342$ ms	RO
Yu et al. [21]	$4E+1P=11.047$ ms	$3P+3E=17.76$ ms	RO
Kushwah et al. [22]	$4E=6.836$ ms	$2P+3E=13.549$ ms	RO
Ours	$6E=10.254$ ms	$5P+2E=24.473$ ms	SM

. The Generalized Signcrypt column and the Generalized Unsigncrypt column demonstrate the computational costs of each identity based generalized signcryption scheme. The Security Model column specifies the security model that the schemes rely on, where RO and SM represent Random Oracle and Standard Model, respectively.

From Table 1, in Generalized Signcrypt, the computation cost of our scheme is less than Lal et al.’s scheme [20] and Yu et al.’s scheme [21] and more than Kushwash et al.’s scheme [22]. Our scheme has slightly higher computation costs than other schemes [20,21,22] in Generalized Unsigncrypt, whereas our scheme is proven secure in the standard model. To the best of our knowledge, it is the first scheme that is proven secure in the standard model. All previous schemes mentioned above have proven their security on the random oracle model. For some special applications that require very high security, it is believed that only those schemes that can be proven in the standard model must be employed. Thus, our scheme is suitable for secure e-mail and electronic commerce, where the confidentiality and authenticity are simultaneously or separately required to enable a secure and trustable communication environment.

6. Conclusions

The main purpose of identity based generalized signcryption is to reduce implementation complexity. According to different application environments, identity based generalized signcryption can fulfill the function of identity based signature, encryption or signcryption, respectively. In this paper, we proposed a concrete, ID-based generalized signcryption scheme based on the Paterson–Schuldt scheme. To the best of our knowledge, this is the first ID-based generalized signcryption scheme that can be proven secure in the standard model.