1. Introduction
In 1984, Shamir [1] introduced the concept of Identity Based Cryptography (IBC) for the first time, in which an identity is used as the public key and the corresponding private key is generated by a trusted third party called the PKG. The objective of identity based cryptography is to simplify public key certificate management in public key cryptography. It was later improved by Boneh and Franklin [2].
To overcome the drawbacks of the traditional cryptographic approaches, Zheng proposed a novel cryptographic primitive called signcryption [3], an alternative to the signature-then-encryption approach with significantly lower computation and communication cost. In 2002, Malone-Lee [4] merged identity-based cryptography with signcryption and designed a new ID based signcryption (IBSC) scheme. This IBSC scheme [4] provides the foundation for several other identity based signcryption schemes and their variants [5,6,7,8,9,10,11,12,13,14].
In big data security, we need data confidentiality and data authentication separately, and in some cases we need both simultaneously. For example, the authentication security attribute is used by government sectors to authenticate statistical data, while companies use both confidentiality and authentication to authenticate and keep confidential their sales related data. This type of operation requires the generalized signcryption (GSC) approach proposed by Han et al. [15].
GSC works in three different modes: pure encryption mode, pure signature mode and signcryption mode, which are used for data confidentiality, data authenticity or both, respectively. When only a single security attribute is required, either data confidentiality or data authentication, signcryption is not feasible due to its greater computational cost and algorithmic complexity. Thus, in this case, a signcryption scheme is not suitable for big data and other resource constrained environments.
Now, to fulfil the multi-option security requirements of big data, we refer to the use of generalized signcryption, a flavour of simple signcryption suitable for big data and other resource constrained environments, instead of signcryption. Wang et al. [16] improved the scheme of Han et al. [15] and presented a new security model for generalized signcryption. In 2008, Lal and Kushwah [17] contributed the first ID based generalized signcryption (IBGSC) scheme with a new security model. Later on, Yu et al. [18] proved that Lal and Kushwah’s security model did not fulfil the basic security needs, and improved the existing security model with minimal computational cost. In 2011, Kushwah and Lal [19] also simplified the same Yu et al. [18] security model and proposed a new efficient IBGSC scheme. In 2019, Waheed et al. [20] analyzed the Zhou et al. [21] certificateless generalized signcryption scheme and proposed an improved scheme that is comparatively more secure at the same cost.
Wei et al. [22] proposed a novel IBGSC scheme for pure encryption or pure signature to ensure confidentiality and authenticity as required in big data, with the claim that this scheme is provably secure in the standard model. However, in this paper, we analyze Wei’s authentication scheme and prove that Wei’s scheme is prone to attacks and is neither IND-CCA nor EUF-CMA secure in the standard model. Therefore we use a cryptanalysis approach to analyze and check the security and vulnerabilities of Wei’s authentication scheme.
The cryptanalysis approach uses mathematical formulas to search for vulnerabilities of an algorithm in order to prove its security limitations, or it decrypts ciphertext without knowing the session key or key related information.
Figure 1 reflects the cryptanalysis approach over a simple signcryption.
2. Preliminaries
This section of the paper describes the definitions used in Wei’s authentication scheme IBGSC [22]. Let  and  be two cyclic multiplicative groups of order q.
Definition 1. A bilinear map , where the bilinear map satisfies the following properties:
Bi-linearity: For all  and , and , where .
Computability: The map  is efficiently computable.
Non-degeneracy: .
Definition 2. Computational Diffie-Hellman (CDH) Problem: Let g be a generator of a multiplicative group of prime order q. It is intractable to compute  when the input  is given.
Definition 3. Computational Diffie-Hellman (CDH) Assumption: We say that CDH is hard in  if no t-time algorithm can solve CDH with probability at least ζ.
Definition 4. Decisional Bi-linear Diffie-Hellman (DBDH) Problem: Let  and  be two groups with a bilinear map , and let g be a generator of group . Given the input  and , it is difficult to decide .
Definition 5. Decisional Bi-linear Diffie-Hellman (DBDH) Assumption: We say that DBDH is hard in  if no t-time algorithm can solve DBDH with probability at least ζ.
2.1. IBGSC Formal Framework
An IBGSC scheme consists of three Probabilistic Polynomial Time (PPT) algorithms, Setup, Ext and IBGSC, and one Deterministic Polynomial Time (DPT) algorithm, IBGUSC.
Setup :- A PPT algorithm that takes the security parameter k and returns the master key  and the public parameters .
Ext :- It takes  to generate the private key  for identity u.
IBGSC :- The absence of the sender or receiver is denoted by , the sender’s and receiver’s identities are denoted by  respectively, the message is denoted by  and the signcrypted text by .
There are three cases:
In pure encryption mode, IBGSC takes  as input and produces  as output in the absence of the sender’s private key.
In pure signature mode, IBGSC collects  and produces the signature  as output in the absence of the receiver’s private key.
In signcryption mode , IBGSC collects  and produces the signcrypted text .
IBGUSC :- The output of this algorithm depends on the same three cases:
In pure encryption mode, on the receiver’s end IBGUSC collects the input , , ,  and generates m as output.
In pure signature mode, on the receiver’s end IBGUSC collects the input , , , checks validity and generates ⊤ if valid; else it generates ⊥ as output.
In signcryption mode , on the receiver’s end IBGUSC collects the input , checks the validity of , and produces the message m if valid; else ⊥.
2.2. The CCA Security Model
This section of the paper defines the CCA security model used to check data confidentiality. Adversary A and challenger C play a game that guarantees the confidentiality of the message.
Setup:- In this stage challenger C runs the setup algorithm with  to generate the system parameters and sends  to A.
Phase 01:- A asks the following queries adaptively:
Ext :- After receiving identity u, challenger C calculates the private key  and returns it to A.
IBGSC :- A gives a chosen message m and identities  to C, and in response C returns the value  to A.
IBGUSC :- A sends  to C; C first checks validity  and returns the valid message  to A, or returns the error symbol ⊥.
Challenge:- A chooses two messages () of the same size and  (except those asked for as input previously), and forwards them to C. C flips a coin for , generates a challenge  using , and finally returns it to A.
Phase 02:- A asks queries as in Phase 01 using input (), except .
Guess:- A outputs  and wins the game if . The winning probability of A in this game is , and the scheme is said to be CCA secure against all efficient adversaries A if this advantage is negligible.
2.3. The EUF-CMA Security Model
This section of the paper defines the security model used to authenticate message contents. The following game between challenger C and adversary A ensures the existential unforgeability of the message signature.
Setup:- This step is the same as in the CCA security game.
Phase 01:- As in the CCA security game.
Forgery:- On a message , A produces a forgery , where A has never asked for input  and for input  before. A wins the game if  is valid and verifies. The scheme is EUF-CMA secure if the winning probability of A in the game is negligible.
3. Review of Wei’s IBGSC Scheme
This section presents a review of Wei’s IBGSC scheme for big data, which consists of three PPT algorithms, Setup, Ext and IBGSC, and one DPT algorithm, IBGUSC.
Setup:- Let  and  be two groups,  a bilinear map, and SIG a one time signature scheme used to generate a signature and verification key pair . Let  be a function such that if  then , otherwise . The PKG chooses a secret value  at random and then computes . It also randomly chooses , vectors of length  and  respectively. Let  be the security parameter, and  and  be two hash functions. The PKG keeps the master key  secret and publishes the system parameters .
Ext:- Let u be the length of , where  is the i-th bit of u. Let us define , a subset such that . To construct the identity private key , the PKG chooses  at random and computes . The identities and private keys are: .
IBGSC:- Let  be the message, and let the sender’s and receiver’s identities ( and ) be securely communicated. The sender runs the algorithm  to generate a signature and verification key pair , and then chooses two integers  at random.
At the end, the sender sends  to the receiver.
If then and is a ciphertext.
If then and is a signature.
If and and is a signcrypted text.
IBGUSC:- After receiving , the receiver of the message goes through the following stages:
If , the message consists of the signature contents of the pure signature mode. The message receiver computes , then verifies and accepts the signature if ; otherwise, the receiver goes through the following algorithmic steps.
If  or , return the error ⊥; otherwise compute  and .
If ,  is a ciphertext of the pure encryption mode. The receiver accepts the message contents; otherwise .
Otherwise,  is a signcrypted text of the signcryption mode ; in this case the message receiver checks the authenticity of message m in addition to decrypting it. The receiver also computes  and accepts the message if .
4. Cryptanalysis of Wei’s Authentication Scheme
In this section of the paper, we disprove the security of Wei’s authentication scheme [22] by launching the following three concrete attacks.
4.1. PKG Compromise Attack
We launch an attack on Wei’s authentication scheme such that, given  generated by the sender, A can derive the PKG master secret key, thereby compromising the PKG and thus the whole system.
Setup:- C runs setup to generate the system parameters  and then forwards  to A.
Phase 01:- A puts a signcryption query by submitting a message m and  with , setting  and  (except asking for input  previously). C generates  and sends it to A. A can compute the PKG master secret key  as:
With the PKG master key , A can certainly compute the sender’s and the receiver’s private keys, and can signcrypt on behalf of the sender and unsigncrypt on behalf of the receiver, and thus can always win the IND-CCA and EUF-CMA games.
4.2. Attack on Semantic Security
Wei et al. [22] claim that the scheme is also semantically secure in the standard model. However, there exists a polynomial time adversary A that always has a high probability of winning the game, as follows:
Setup:- C runs the setup (1) to generate the system parameters  and then forwards  to A.
Phase 01:- A does not need to issue any query.
Challenge:- A first launches the attack on the PKG and obtains the master secret key . A randomly chooses two numbers r and computes the private keys of the users having identities  as: ,
A chooses two messages  of the same size with identities  (except asking for input  previously), and sends  to C. Challenger C flips a coin and, for , generates a challenge  using the following steps and then forwards it to A. Recall that A’s goal is to correctly guess the value b. C runs SIG to compute the signing and verification key pair , chooses two integers  at random and then computes .
At the end, C sends  to A.
Phase 02:- A has the private keys of the sender and the receiver, hence it computes . Further, A computes the underlying message  and learns the value b, and thus wins the game. The above computation proves that the existing scheme is semantically insecure against chosen-ciphertext attack.
4.3. Attack against Existential Unforgeability
We disprove Wei’s authentication scheme by showing that A can certainly generate a valid generalized signcrypted text; hence there exists a PPT adversary that can always win the following EUF-CMA game between C and A:
Setup:- As in the CCA security game.
Phase 01:- As in the CCA security game.
Forgery:- A first launches the attack on the PKG, obtains the PKG master secret key , and chooses two random numbers  with identities  respectively as: ,
On a message , A certainly produces a forgery , since A has the private keys of the sender and the receiver and has never asked for input  or for input  before. A computes , which verifies as valid, and thus A always wins the game.