A secure anonymous proxy signcryption scheme

1.1 Applications

Signcryption soon found its way in almost every application where public key cryptography was used to provide both authentication and confidentiality. Today, it is used in a broad range of applications [8] including authenticated key recovery [29], multicast key distribution protocol [28], secure message transmission [14], encrypted e-mail authentication by firewalls [15], secure routing in mobile ad hoc networks [31], secure networking and routing [16, 20], mobile grid web services [32], secure asynchronous transfer mode (ATM) networks [46], improved secure electronic transaction (SET) [50, 51, 17], and Electronic Fund Transfer (EFT) [36].

1.2 Anonymous signcryption

With digital communication and transactions becoming an essential part of the daily lives, the collection of information by various agents about users gives rise to a plethora of privacy concerns. The privacy of users can be guarded by providing them anonymity in their online activities. The notion of anonymous encryption was formalized in [3] towards providing the anonymity of the recipient while the notion of anonymous signatures was introduced in [39] and formalized in [35] towards providing the anonymity of the sender. Boyen [4] introduced the concept of anonymity in signcryption to provide the anonymity for the sender and the receiver to an outsider, that is, an adversary other than the receiver or the sender.

But in their setting, the sender was not anonymous to the receiver. In the real world communication, many times we come up with the condition where the sender anonymity is required even from the receiver. To achieve such a goal, Huang et al. [19] introduced “anonymous signcryption” using ring signature [33] which allows a user to form a ring of members (including themselves) arbitrarily without collaboration of any of those ring members and then sends confidential information to a recipient so that the message can be authenticated to have been signed by a member of the ring without revealing exactly which member of the ring is the actual signer. The receiver in an anonymous signcryption scheme only knows that the message is produced by one member of a designated group but cannot know more information about actual signcrypter’s identity.

1.3 Proxy signcryption

Many widely used personal communication devices such as digital assistants, hand-held computers, pagers and mobile phones come with constrained computational capacity. The lack of hardware features in these devices is a constraint towards efficiently carrying out the heavy mathematical computations required by cryptographic primitives such as digital signature. Therefore, proxy signature schemes [27] have emerged to allow off-loading of heavy computational work from a low power device to a more powerful server. Extending this primitive to signcryption, proxy signcryption [14] was introduced so that an original user/sender could authorize a proxy agent to send confidential messages to a recipient on its behalf.

A proxy signcryption scheme enables a sender, 𝒪, also called the designator or delegator, to delegate its signing rights (without transferring the private key) to another user 𝒫, called the proxy sender, to produce, on the delegator’s behalf, signcryptions that can be verified by a receiver ℛ under the delegator 𝒪’s public key. For example, the director of a company may authorize the deputy director to signcrypt certain messages on his behalf and send to the employees during a certain period of his absence. The signcryptions can be “unsigncrypted” by the recipient employees with their respective secret keys and they can be convinced of the concurrence of the director of the company.

1.4 Anonymous proxy signcryption

In the proxy signcryption setting, the proxy sender is not anonymous to the receiver and it can know the identity of the proxy as soon as it decrypts the received ciphertext. But the role of the proxy sender is that of an intermediary between the original sender and the recipient, and in an ideal proxy signcryption setting, the proxy signer should be almost invisible to the recipient and the proxy sender’s identity should not to be revealed to the recipient.

Let us consider a situation where the CEO of an office wants to issue some signcrypted memos to the employees when he is away of the office. To handle the issue, he authorizes one of his subordinates the right to create signcrypted memos on his behalf such that all the employees can be convinced by the memos that the memos have been actually authorized by the CEO but no employee can figure out which subordinate has been pet to the CEO (who has created the memos on behalf of the CEO).

Though the anonymity of the original sender and the recipient in a signcryption scheme has been widely discussed, to the best of our knowledge, there is no proxy signcryption scheme which provides anonymity to the proxy from the receiver or a solution to the above and similar issues. To achieve this objective, we introduce the notion of an anonymous proxy signcryption and propose a simple and efficient algorithm to provide anonymity to the proxy sender from the recipient.

1.5 Motivation

The application of anonymous proxy signcryption can be realized in various real world scenarios, as mentioned above, where the proxy sender needs to authenticate himself/herself as a sender of an encrypted data.

Figure 1

e-Voting.

For example, consider the case of end-to-end voting (Figure 1) through an electronic voting machine (EVM). To satisfy the requirements of fairness, robustness, verifiability, confidentiality and privacy, various cryptographic means are used including a combination of blind signatures and proxy signcryption. The voter acts as a user who authorizes the EVM as his/her proxy agent who proxy signcrypts for the user and then sends the signcrypted votes to the central server for counting. The EVM protocol is designed to protect the privacy of the voters so that no one is able to figure out who cast a vote for whom. But in these protocols, the identity of the EVM is not hidden and the voting distribution from a particular EVM can be found out. This information can then lead to figure out the identity of a group of users who were registered to vote at this EVM, using geographical correlation or similar means. Such analysis has led to abuse in past [53, 49, 48] where the candidate party has threatened the voters with dire consequences mentioning this drawback of the EVM protocol which they would be able to use to find out if the majority of the voters of a particular area voted for this party or not. Knowledge of such information could be gained due to non-anonymity of the EVMs and to prevent such rampant threats and scams, the identity of the EVM itself must also be hidden, which can be achieved by using an anonymous proxy signcryption scheme in addition to the usual tools, like TOR [11], to avoid network analysis.

1.6 Related work

Since the introduction of the idea of signcryption in 1997 [45], several new schemes and improvements have been proposed. Baek et al. [1] introduced a security model for signcryption in random oracle that admits formal proofs for the confidentiality and unforgeability of signcryption. Malone-Lee [26] constructed the first identity-based signcryption scheme. Boyen [4] presented an identity-based scheme with the idea of sign-then-encrypt and provided ciphertext anonymity. The scheme in [4] is provably secure in random oracle. In 2004, Libert and Quisquater [25] modified Boyen’s security model to the non-identity based signcryption setting and proposed a signcryption scheme. Unfortunately, Tan [7] showed that the scheme did not satisfy the property of ciphertext anonymity. Further using the definition proposed by Boyen [4], Chen and Lee [6] presented an improved construction of identity-based signcryption but the scheme of Barreto et al. [2], proposed in the same year, turned out to be more efficient than all the previous schemes [4, 6, 26].

To achieve sender’s anonymity to the recipient in the signcryption scheme, Huang et al. [19] introduced the idea of ring signcryption based on the work of Herranz and Sáez [18]. Following the idea of ring signature for anonymity, many other identity-based ring signcryption schemes [22, 40, 43, 47, 42, 21, 41, 30] were proposed but Selvi et al. [37] have shown that almost all the proposed ring signcryption schemes (except the one by Huang et al. [19]) and in particular [40, 22, 47] are not secure. Further, Zhang et al. [44] have shown that the scheme proposed in [42] is not anonymous from the receiver’s view, and further, it is not verifiable for a third party. In 2009, Lal et al. [21] introduced the idea of anonymous identity-based signcryption for multiple receivers, the scheme was proved secure in the random oracle model. Zhang and Xu [41] formalized a security model for such schemes in the standard model. Recently, Deng et al. [10] have proposed an efficient improvement on the ID-based ring signcryption scheme.

Further, to delegate the signcryption rights to an authorized agent, Gamage et al. [14] introduced the idea of proxy signcryption by combining the concepts of proxy signature and signcryption together. But their scheme does not support a provable security. Li and Chen [23] proposed the first identity-based proxy signcryption scheme which is just a proxy variant of the Libert and Quisquater’s identity-based signcryption scheme [24], the scheme proposed in [23] is not proxy protected [38]. Moreover, security of the scheme rests directly on the security of the underlying identity-based signcryption scheme [24], and no security issue of proxy delegation is considered. In 2005, Duan et al. [12] proposed the first formal model of security for the identity-based proxy signcryption schemes with delegation by warrant. In 2008, Elkamchouchi and Yasmine [13] proposed an identity-based proxy signcryption with partial delegation [27], following the construction of [24]. The scheme [13] is also not proxy protected, as due to partial delegation it is indistinguishable that the signcryption is created by either the original sender or by the proxy sender, hence their scheme cannot be considered for practical applications.

We can see that several signcryption schemes have been proposed providing anonymity to the sender, but all the available schemes rely on the ring signature [33]. It has been well studied that, due to the ring structure, computational complexity (or communication overhead) of a ring signature scheme increases unexpectedly with the large group, so it is of great interest to achieve anonymity without applying the ring signature.

1.7 Our contribution

To the best of our knowledge, there is no proxy signcryption scheme which provides anonymity to the proxy from the receiver. To achieve this objective, we introduce the notion of an anonymous proxy signcryption and propose a simple and efficient algorithm to provide anonymity to the proxy sender from the recipient.

We introduce a formal model for an identity-based anonymous proxy signcryption (IBAPS) scheme and also formalize a security model for an IBAPS scheme. We give a concrete instantiation of an IBAPS scheme and prove the security of the scheme based on the hardness of the discrete logarithm problem, the computational Diffie–Hellman problem and the bilinear Diffie–Hellman problem. In our definition, we also provide a mechanism to the original sender to expose the identity of the proxy sender in case of misuse of its authorization. The delegator needs to have enough trust on the proxy sender to authorize it to sign on its behalf but in reality, trust is broken quite regularly. We build on the technique of pseudonym used in a recently proposed anonymous proxy signature scheme [34] to provide the required functionality – the identity of the proxy signer is hidden but in case of misuse of the delegated rights, the original signer can reveal the proxy signer’s identity.

Further we compare the efficiency of our scheme with the existing identity-based signcryption schemes and anonymous signcryption schemes and show that our scheme is much more efficient than those schemes, we also compare the efficiency of our scheme with the available proxy signcryption schemes and show that our scheme provides anonymity to the proxy sender at cost less than those of existing proxy signcryption schemes.

1.8 Outline of the paper

The rest of this paper is organized as follows. In Section 2, we introduce some related mathematical definitions, problems and assumptions. In Section 3, we present the formal definition of an IBAPS scheme and a security model for it. We present the new primitive of IBAPS scheme in Section 4. In Section 5, we analyze the security of our scheme. In Section 6, we compare the efficiency of our scheme with the other available schemes and show that our scheme is more efficient than the existing schemes. Finally, Section 7 gives a brief conclusion.

3.1 Formal model for IBAPS

An IBAPS scheme comprises of six algorithms: Setup, Extract, ProxyGen, AnonProxySigncrypt, Unsigncrypt and ProxyReveal.

1. (𝑝𝑎𝑟𝑎𝑚𝑠,s)←𝖲𝖾𝗍𝗎𝗉⁢(1k): This is the system initialization algorithm run by a private key generator (PKG) which takes as input a security parameter 1k and outputs the public (system) parameters params, a master secret key msk of the PKG and a corresponding system wide public key Pub. (We will include Pub in the params for brevity.)

2. (𝑝𝑘ID,𝑠𝑘ID)←𝖤𝗑𝗍𝗋𝖺𝖼𝗍⁢(ID,s): This is the key-generation algorithm run by the PKG which takes as input a user’s identity ID, the public parameters params and the master secret key msk and outputs a secret key 𝑠𝑘ID associated to the identity ID. (The public key 𝑝𝑘ID associated to the identity ID can be computed by anyone using the public parameters params.)

3. (w,σw,H𝒬,S𝒬)←𝖯𝗋𝗈𝗑𝗒𝖦𝖾𝗇⁢(ID𝒪,ID𝒫,𝑠𝑘𝒪,𝑠𝑘𝒫): This is an interactive protocol between the original sender 𝒪 and the proxy sender 𝒫 which takes as input their identities ID𝒪 and ID𝒫, their private keys 𝑠𝑘𝒪 and 𝑠𝑘𝒫, the public parameters params, and outputs

   1. the pseudonymH𝒬 which anonymizes the identity of the proxy sender,

   2. a signed warrant w which includes the nature of message to be delegated, period of delegation, identity information of original sender, the pseudonym for the proxy sender and other relevant information,

   3. a delegation σw, and

   4. the proxy signing key S𝒬.

4. σ←𝖠𝗇𝗈𝗇𝖯𝗋𝗈𝗑𝗒𝖲𝗂𝗀𝗇𝖼𝗋𝗒𝗉𝗍⁢(𝑝𝑘𝒪,𝑝𝑘ℛ,H𝒬,S𝒬,m): This is a probabilistic algorithm to produce an anonymous proxy signcryption run by the proxy sender 𝒫 which takes as input the original sender’s public key 𝑝𝑘𝒪, the receiver’s public key 𝑝𝑘ℛ, the pseudonym H𝒬, the proxy signing key S𝒬, and the message m that needs to be signcrypted, the public parameters params and outputs a ciphertext σ.

5. m or ⊥←𝖴𝗇𝗌𝗂𝗀𝗇𝖼𝗋𝗒𝗉𝗍(𝑠𝑘ℛ,𝑝𝑘𝒪,σ): This is a deterministic algorithm for decryption and verification run by the receiver ℛ which takes as input a ciphertext σ, the recipient’s secret key 𝑠𝑘ℛ and the original sender’s public key 𝑝𝑘𝒪, the public parameters params and outputs a message m or an invalid symbol ⊥.

6. ‘true’ or ‘false’ ←𝖯𝗋𝗈𝗑𝗒𝖱𝖾𝗏𝖾𝖺𝗅⁢(H𝒬,ID𝒫): This algorithm is run by the original sender 𝒪 to reveal the identity of the proxy sender 𝒫. It takes as input the pseudonym H𝒬 and an identity ID𝒫 and outputs ‘true’ or ‘false’.

3.2 Security model for IBAPS

An anonymous proxy signcryption scheme has four security requirements: message confidentiality, ciphertext unforgeability, proxy anonymity and accountability. We consider the strongest possible notions of confidentiality, unforgeability, anonymity and accountability for the security model of an identity based anonymous proxy signcryption scheme.

4.1 Setup

For a given security parameter 1k, the PKG defines the message space ℳ:={0,1}n and selects an additive cyclic group G1 of prime order q≈2n with generator P, a multiplicative cyclic group G2 of the same prime order q, and a cryptographic bilinear map e:G1×G1→G2 as defined above. The PKG then selects five cryptographic hash functions:

1. H0:{0,1}*→G1,

2. H1:{0,1}n×{0,1}n→ℤq*,

3. H2:{0,1}*×G1→ℤq*,

4. H3:G2→{0,1}n,

5. H4:{0,1}n→{0,1}n.

The PKG randomly selects s∈ℤq* and computes the system wide public key, 𝑃𝑢𝑏=s⁢P. Finally, the PKG publishes system’s public parameter

and keeps the master secret s confidential to itself.

4.2 Key extraction

Given an identity ID, the PKG computes the hash value HID:=H0⁢(ID)∈G1 and returns the public and private keys for ID as follows:

1. Public key: 𝑝𝑘ID:=HID∈G1.

2. Private key: 𝑠𝑘ID:=s⁢HID∈G1.

Thus, for any user, say for the original sender 𝒪, the private key is 𝑠𝑘𝒪 while anyone can compute the corresponding public key 𝑝𝑘𝒪.

4.3 Proxy generation

To delegate the signing capability to the proxy sender 𝒫, the original sender does the following jobs to make a signed warrant w. The warrant includes the nature of message to be delegated, period of delegation, identity information of the original sender, the public-key of the pseudonym for the proxy sender, etc. In successfully completion of the protocol, the proxy sender 𝒫 gets a proxy signing key S𝒬.

1. Delegation generation: (a) Pseudonym generation: The proxy sender 𝒫

   1. selects a nonce, η,

   2. selects a random ρη∈ℤq*,

   3. computes Uη=ρη⁢P∈G1,

   4. computes hη=H2⁢(η,Uη)∈ℤq*,

   5. computes Vη=hη⁢𝑠𝑘𝒫+ρη⁢𝑃𝑢𝑏∈G1,

   and sends the nonce η and its signature ση=(Uη,Vη) to the original sender 𝒪 through a secure anonymous channel.

   The original sender 𝒪 accepts (η,ση) if

   e⁢(P,Vη)=e⁢(𝑃𝑢𝑏,hη⁢𝑝𝑘𝒫+Uη)

   and rejects otherwise. The original sender 𝒪 then computes the proxy sender’s pseudonym

   H𝒬=H𝒫+Uη where ⁢H𝒫=H0⁢(ID𝒫),

   and sets the corresponding public key 𝑝𝑘𝒬=H𝒬 which will be included in the warrant w and will be used as the signature verification key. The original sender 𝒪 keeps (η,ση) securely with him to use in case it wants to reveal the identity of the proxy sender 𝒫.

   (b) Delegation generation: The original sender 𝒪

   1. selects a random ρw∈ℤq*,

   2. computes Uw=ρw⁢P∈G1,

   3. computes hw=H2⁢(w,Uw)∈ℤq*,

   4. computes Vw=hw⁢𝑠𝑘𝒪+ρw⁢𝑃𝑢𝑏∈G1,

   and sends the warrant w and its delegation σw=(Uw,Vw) to the proxy sender 𝒫.

2. Delegation verification: The proxy sender 𝒫 accepts the delegation σw if

   e⁢(P,Vw)=e⁢(𝑃𝑢𝑏,hw⁢𝑝𝑘𝒪+Uw)

   and rejects otherwise.

3. Proxy signing key generation: After accepting delegation σw, 𝒫 computes

   𝑠𝑘𝒬=𝑠𝑘𝒫+ρη⁢𝑃𝑢𝑏

   and sets the proxy signing key S𝒬 as

   S𝒬=Vw+hw⁢𝑠𝑘𝒬.

4.4 Anonymous proxy signcryption

To signcrypt a message m∈{0,1}n anonymously on behalf of the original sender 𝒪 for a receiver ℛ, the proxy sender 𝒫 selects a random τ∈{0,1}n, computes t=H1⁢(τ,m)∈ℤq*, and proceeds as below:

1. 𝒫 computes

   1. T=t⁢P∈G1,

   2. x=e⁢(𝑃𝑢𝑏,t⁢Hℛ)∈G2, where Hℛ=H0⁢(IDℛ) is the public key of ℛ,

   3. c1=τ⊕H3⁢(x)∈{0,1}n and

   4. c2=m⊕H4⁢(τ)∈{0,1}n.

2. 𝒫 computes

   1. a random r∈$ℤq,

   2. U=r⁢P∈G1,

   3. h=H2⁢(t,U) (considering the binary string representation of t∈ℤq*) and

   4. V=h⁢S𝒬+r⁢𝑃𝑢𝑏∈G1.

The anonymous proxy signcryption of the message m under the warrant w by 𝒫 on behalf of the original sender 𝒪 for the receiver ℛ is

4.5 Unsigncryption

On receiving an anonymous proxy signcryption σ=(w,c,T,U,V,Uw) under a warrant w, the receiver ℛ unsigncrypts as follows:

1. ℛ checks whether or not the pseudonymH𝒬 is authorized by the original sender in the warrant w. If not, return ⊥. Continue otherwise.

2. ℛ computes

   x′=e⁢(T,𝑠𝑘ℛ)=e⁢(t⁢P,s⁢Hℛ)=e⁢(s⁢P,t⁢Hℛ)=e⁢(𝑃𝑢𝑏,t⁢Hℛ)=x,

   τ′=c1⊕H3⁢(x′)=c1⊕H3⁢(x)=τ,

   m′=c2⊕H4⁢(τ′)=c2⊕H4⁢(τ)=m,

   t′=H1⁢(τ′,m′)=H1⁢(τ,m)=t.

3. ℛ checks whether or not T=t⁢P. If not, return ⊥. Continue otherwise.

4. ℛ checks whether or not the message m conforms to the warrant w. If not, return ⊥. Continue otherwise.

5. ℛ computes h=H2⁢(t,U), hw=H2⁢(w,Uw) and verifies if the following equality holds:

   e⁢(P,V)=e⁢(𝑃𝑢𝑏,h⁢(hw⁢(H𝒪+H𝒬)+Uw)+U).

   If yes, return the message m, otherwise return ⊥.

4.6 Proxy revelation

To reveal the identity of the proxy sender, the original sender 𝒪 can reveal the nonce η and its signature ση=(Uη,Vη) and show that

That Uη was indeed sent by 𝒫 is proved by verifying that (η,ση) is a valid (message, signature)-pair from 𝒫.

4.7 Correctness of the proposed IBAPS scheme