Improved Cryptanalysis of Provable Certificateless Generalized Signcryption

Certificateless generalized signcryption adaptively works as a certificateless signcryption, signature or encryption scheme within a single algorithm, which makes it suitable for storage-constrained environments. Recently, Zhou et al. proposed a novel certificateless generalized signcryption scheme and proved its ciphertext indistinguishability under adaptive chosen ciphertext attacks (IND-CCA2) using the Gap Bilinear Diffie-Hellman and Computational Diffie-Hellman assumptions, as well as its existential unforgeability against chosen message attacks (EUF-CMA) using the Gap Bilinear Diffie-Hellman and Computational Diffie-Hellman assumptions, in the random oracle model. In this paper, we analyze the Zhou et al. scheme and, unfortunately, prove it IND-CCA2 insecure in the encryption and signcryption modes within the defined security model. We also present a practical improved scheme that is provably secure in the random oracle model.

Keywords—Digital signature; certificateless encryption; certificateless generalized signcryption; malicious-but-passive KGC; random oracle model


I. INTRODUCTION
Diffie and Hellman [2] introduced the concept of the trapdoor one-way function, while encryption and digital signatures based on the public key approach were realized by Rivest, Shamir and Adleman [3] within the Public Key Infrastructure (PKI). PKI is a centralized and hierarchical infrastructure in which a trusted third party provides the means of proving the authenticity of public keys. It is most commonly used in scalable communication environments, but it has limitations such as high cost, storage cost, and the difficulty of verifying, revoking and distributing certificates. To simplify certificate management for public keys in PKI, Shamir [4] introduced the notion of Identity Based Encryption (IBE), which Boneh and Franklin [5] realized in 2001 using the Weil pairing. IBE has its own limitations: a lack of scalability, and the fact that compromising the Private Key Generator (PKG) compromises the whole system, since the PKG has full authority over all keys. Al-Riyami and Paterson [6] first gave the concept of Certificateless Public Key Cryptography (CL-PKC), a more flexible infrastructure lying between PKI and IBE. The role of the PKG is split between the user and a Key Generation Center (KGC); the user identity and an associated public key are used to compose the key pair. It does not require the pricey infrastructure of PKI and copes with the limitations of IBE. As an alternative to the sign-then-encrypt approach, Zheng [7] first proposed a novel and efficient cryptographic primitive named signcryption in the PKI setting, while Barbosa and Farshim [8] first coined the concept of certificateless signcryption.
Signcryption is efficient when authenticity and confidentiality are required together. However, in a scenario where authenticity, confidentiality, or both may be required, separately or simultaneously, a signature, an encryption or a signcryption scheme will be used as appropriate, which is optimal in memory-constrained environments like smart cards, sensor networks, etc. This problem was addressed by Han [9], who proposed generalized signcryption (GSC), which adaptively works as a signature scheme (if authentication is mandatory), an encryption scheme (if confidentiality is mandatory), or a signcryption scheme (if both authentication and confidentiality are mandatory) within one algorithm. Kushwah and Lal [10] proposed, for the first time, an ID-based generalized signcryption (GSC) scheme within a security model. Huifang et al. [11] first proposed a certificateless generalized signcryption (CLGSC) scheme and introduced a formal definition and security model for CLGSC. But Kushwah and Lal [12] proved the scheme of [11] insecure against Type I adversaries and introduced a new efficient and secure CLGSC scheme. Ji et al. [13] introduced a new CLGSC scheme based on [8]; later, [14] proved the scheme of [8] insecure against IND-CCA2 and EUF-CMA, which indirectly proves the insecurity of scheme [13] as well. Au et al. [15] introduced a novel Type-II adversary known as the "Malicious-but-Passive Key Generation Center" (MP-KGC). Hwang et al. [16] proposed a certificateless scheme for encryption only, Xiong et al. [17] proposed a certificateless scheme for signature only, and Weng et al. [18] proposed a certificateless signcryption scheme secure against the MP-KGC. Zhou et al. [1] introduced a formal security model for a new CLGSC (N-CLGSC) scheme and claimed its security against MP-KGC attacks.
In 2013 [19] the concept of heterogeneous signcryption was first adopted, providing an interoperable environment for communication between sender and receiver; in 2016 Li et al. [20] introduced heterogeneous signcryption for two-way communication between the PKI and Identity Based Cryptography (IBC) environments, but at a heavy cost in the form of pairings. After that, an IBC to certificateless (CLC) scheme was also presented in 2017 [21], and in the same year Wang et al. [22] introduced an ID-based to PKI scheme in the standard model. These are the few heterogeneous schemes found in the literature; the generalized form is still missing.
We analyzed the Zhou et al. [1] scheme. The remaining sections of this paper are organized as follows: Section 2 gives an overview of the preliminaries and the security model. Section 3 reviews the Zhou et al. scheme. Section 4 presents attacks on the stated scheme. Section 5 presents attacks over the improved scheme. Security and cost analysis are presented in Section 6, and Section 7 concludes the paper.

II. PRELIMINARIES
The definitions invoked in the following are those used in the proposed scheme [1].
Let (G_1, +) and (G_2, +) be two additive cyclic groups of order n with generators P_1 and P_2, which are elliptic curve points defined over a finite field. Let (G_T, *) be a multiplicative cyclic subgroup of the finite field.

A bilinear group description Γ consists of such groups, for which the group laws can be computed efficiently, together with a non-degenerate bilinear mapping.
Let Γ be a bilinear group description. The Gap Bilinear Diffie-Hellman (GBDH) assumption holds if the advantage of any probabilistic polynomial time (PPT) adversary, defined as below, is negligible.
By O_Γ we denote the Decisional Bilinear Diffie-Hellman oracle, which on input a tuple (xP, yP, zP, T) returns 1 if T = ê(P, P)^{xyz} holds and 0 otherwise; q_DBDH denotes the number of queries made to it in eq. (1).
Let Γ be a bilinear group description. The assumption in the presence of the Decisional Bilinear Diffie-Hellman oracle holds if the advantage of any PPT attacker, defined by the probability below, is negligible.
O_Γ and q_DBDH are defined as above.
Let Γ be a bilinear group description. The Computational Diffie-Hellman (CDH) assumption holds if the advantage of any PPT attacker, defined by the probability below, is negligible.

A. Framework of N-CLGSC
The N-CLGSC is defined using five Probabilistic Polynomial Time (PPT) algorithms and one Deterministic Polynomial Time (DPT) algorithm.

Confidentiality
The confidentiality notion of N-CLGSC is captured here by two games between a challenger (C) and an adversary (A): the first for adversary A-I and the second for adversary A-II.
• Initialization: Challenger C runs this algorithm with the security parameter k as input and returns params to adversary A-I.
• Find stage: At this stage adversary A-I adaptively makes a few oracle queries.
3) Unforgeability: For EUF-CMA the CLGSC security notion is captured here using the following two games between a challenger (C) and an adversary (A).
• Initialization: This phase is similar to game 01.
• Queries: Adversary A-I adaptively makes polynomially many queries to the oracles of the above phases.
• Forgery: A-I produces (ID_A, ID_B, σ) without having exposed the private key of ID_A, where ID_A ≠ ID_φ for the unforgeability game. If the result of UGSC(σ, ID_B, S_B, PK_B, ID_A, PK_A) is not ⊥, A-I succeeds in winning the game. The advantage of A-I is defined as the probability of its winning.

Note:
In the above game we consider the CLGSC signature only mode and signcryption only mode. If in the forgery phase the identity ID*_B is vacant, the algorithm runs in signature only mode; otherwise it runs in signcryption only mode, which is why we consider the same game for both modes.
A CLGSC scheme is declared EUF-CLGSC-CMA-I secure in signature only mode or in signcryption only mode if it is secure against all PPT adversaries A-I, i.e. their probability of winning the game is negligible.

5) GAME 04 (EUF-CLGSC-CMA-II):
1) This phase is similar to game 02.
2) Challenger C again invokes A-II on 1^k with the tag forge. A-II adaptively makes polynomially many queries to the above oracles.
3) At the final stage A-II outputs (ID_A, ID_B, σ) without having exposed the private key of ID_A, where ID_A ≠ ID_φ for the unforgeability game.
4) If the result of UGSC(σ, ID_B, S_B, PK_B, ID_A, PK_A) is not ⊥, then A-II succeeds in winning the game. The advantage of A-II is defined as the probability of its victory.
Note: At step 2 of the above algorithm, if ID*_B is vacant then it runs in signature only mode, otherwise it runs in signcryption only mode, and we consider the same game for both modes.
The scheme N-CLGSC is EUF-CLGSC-CMA-II secure in signature only mode or in signcryption only mode if it is secure against all PPT adversaries A-II, i.e. their probability of winning this game is negligible.

III. REVIEW OF ZHOU ET AL. N-CLGSC
In this section we review the Zhou et al. scheme, which has the following algorithms:
• Setup (1^k): Given 1^k, the Key Generation Center chooses two groups (G_1, +) and (G_2, *) of prime order n with generator P and a bilinear map ê, computes P_Pub = sP for the master key s, defines the function f(.), and publishes {e, q, f(.), P, P_Pub, H_1, H_2, H_3, H_4} as the system parameters.
Note: At the initial stage it is also possible that the KGC is malicious.
• Extract partial private key: For the given i-th user identity ID_i, the KGC computes the partial private key D_i.
• Generate user keys: The i-th user chooses a random integer x_i ∈ Z*_q and computes the public key PK_i = x_i P.
• Set private key: The i-th user sets SK_i = (x_i, D_i) as the private key.
• GSC: 2) Choose a random number r ∈ Z*_q and compute U = rP. 3) Compute w := ê(P_Pub, Q_B)^{r f}
N-CLGSC works adaptively and seamlessly switches, according to the users' inputs, among three different modes as the application requires, without any additional operation.
• Signature only mode: When ID_A ≠ ϕ, and f(ID_A) = 1 as well as f
• Encryption only mode: When ID_A = ϕ and ID_B ≠ ϕ, then f(ID_A) = 1 as well as f(ID_B) = 0, W = rH, and c = (U, V, W).
• Signcryption only mode: When ID_A ≠ ϕ, and

IV. CRYPTANALYSIS OF N-CLGSC
In this section of the paper, we present an attack and prove the Zhou et al. scheme (N-CLGSC) insecure against IND-CCA2 in the encryption only and signcryption only modes, while it works securely in signature only mode.

• Encryption only Mode
Setup: Let k represent the security parameter and let C be a simulator that executes A-II on 1^k with the tag master-key-generator. A-II generates a master key pair (M_SK, M_PK) and params, and returns params and M_SK to C without making any oracle query.
to A. On receiving the challenged ciphertext c* = (U*, V*, W*), in the above generalized signcryption process

V. IMPROVED N-CLGSC
This section presents our improved scheme (IN-CLGSC), which comprises the following algorithms:
• Setup (1^k): Given 1^k, the KGC chooses two groups, (G_1, +) with generator P and (G_2, *), both of prime order n, a bilinear map, and four hash functions; the KGC selects a random integer s ∈ Z*_q as the master key, computes P_Pub = sP, and defines the function f(.) (function 1). The KGC publishes the following system parameters: G_1, G_2, q, f(.), P_Pub, P, e, H_1, H_2, H_3, H_4.
• Note: At the initial stage it is also possible that the KGC is malicious.
• Extract partial private key: Given the i-th user identity ID_i, the KGC computes the partial private key D_i.
• Generate user keys: Given the i-th user's partial private key D_i and identity ID_i, the user chooses a random integer x_i ∈ Z*_q and computes the public key PK_i = x_i P.
• Set private key: The i-th user sets SK_i = (x_i, D_i) as the private key.

VI. ANALYSIS OF IN-CLGSC
This section of the paper provides a detailed analysis: first correctness, then the security and cost analysis of our IN-CLGSC scheme.

D. Cost Analysis
In public key cryptography, the standard notion of computational cost is the number of major operations, namely elliptic curve scalar point multiplications (ECPM) in G_1, modular exponentiations (M-Exp) in G_2 and pairing computations (PC). The communication overhead is the ciphertext size in bits.
The security and cost comparison of the proposed and existing schemes (only four CLGSC schemes exist in the literature to date) is presented in Tables 1 and 2.

We analyzed the Zhou et al. [1] N-CLGSC scheme and unfortunately proved it IND-CCA2 insecure in the encryption and signcryption modes within their defined security model. We provide a fix to the Zhou et al. N-CLGSC and propose an improved N-CLGSC (IN-CLGSC) scheme. The improved scheme is efficient and secure compared with the Zhou et al. N-CLGSC and a few other schemes found in the literature.

5) GSC(m, S_A, ID_A, D_B, ID_B): This PPT algorithm is executed by the user and runs in three modes: signature, encryption and signcryption.
• Signature only mode: If the sender signs a message m ∈ M without a definite receiver, it takes inputs (S_A, m, ID_φ), with the null receiver identity ID_φ, and returns σ = GSC(m, S_A, ID_φ) = sign(m, S_A).
• Encryption only mode: If Alice confidentially sends a message m to the receiver Bob, it takes inputs (m, S_φ, D_B, ID_B), with the null sender identity S_φ, and returns σ = GSC(S_φ, m, D_B, ID_B) = encrypt(m, D_B, ID_B).
• Signcryption only mode: If Alice transmits a message m to the receiver in an authenticated and confidential way, it takes inputs (m, S_A, ID_B), and returns σ = GSC(m, S_A, ID_A, D_B, ID_B) = signcrypt(m, S_A, ID_A, D_B, ID_B).
6) UGSC(σ): This DPT algorithm is run by the receiver; it takes the received σ as input and validates it. If σ is valid, it decrypts or unsigncrypts and returns the message m; otherwise it returns ⊥.

1) GAME 01 (IND-CLGSC-CCA2-I): The advantage of adversary A-I is defined as
Adv^{IND-CLGSC-CCA2-I}_{A-I} := 2·Pr[λ' = λ] − 1.
Note: In the above game we consider only the encryption mode of CLGSC, where the sender private key ID*_A is equal to zero; therefore in the challenge phase the algorithm runs in encryption only mode. The encryption only and signcryption only modes use the same confidentiality game. A New-CLGSC scheme is secure against IND-CLGSC-CCA2-I in encryption only mode or signcryption only mode if it is secure for all Probabilistic Polynomial Time (PPT) adversaries A-I, i.e. their probability of winning the game is negligible.

2) GAME 02 (IND-CLGSC-CCA2-II): Here k represents the security parameter and C represents the simulator.
1) Simulator C executes A-II on input 1^k with the tag master key gen. A-II generates a master key pair (M_SK, M_PK) and params, and provides M_SK and params to C without querying any oracle.
2) C executes A-II on 1^k again with a different tag; A-II adaptively makes the above queries and selects two equal-length messages (m_0, m_1) and identities ID*_A, ID*_B on which it makes the challenge. A-II must not have made a private key extraction query on ID*_B.
3) C selects a bit λ ∈ {0, 1} at random and runs A-II on the challenged ciphertext σ* with the tag guess, where σ* ← GSC(m_λ, ID*_A, ID*_B).
4) As in step 2, A-II again makes queries adaptively. An extraction query on ID*_B and a UGSC query on the ciphertext σ* are not allowed.
5) Eventually A-II outputs a bit λ' and wins the game if λ' = λ. The advantage of A-II is defined as
Adv^{IND-CLGSC-CCA2-II}_{A-II} := 2·Pr[λ' = λ] − 1.
Note: At the second step of the above algorithm, if the sender identity ID*_A is vacant, it runs in encryption only mode, otherwise in signcryption only mode; both modes share the same confidentiality game. A CLGSC scheme is secure against IND-CLGSC-CCA2-II in encryption only mode or signcryption only mode if it is secure for all Probabilistic Polynomial Time (PPT) adversaries A-II, i.e. their probability of winning the game is negligible.

Phase 1: A-II asks no queries.
Phase 2: A-II selects two equal-length messages m_0 and m_1 and identities ID*_A and ID*_B on which to make the challenge. A-II must not have made a private key extraction query on ID*_B (ID*_B ≠ ID*_A). C randomly chooses a bit β ∈ {0, 1} and runs A-II on the challenge ciphertext σ* with the tag guess; A-II guesses β and wins the game. Hence it is proved that N-CLGSC is insecure against IND-CCA2 in encryption only mode.
• Signcryption only Mode
In this section of the paper, we present an attack and prove that the Zhou et al. provable certificateless generalized signcryption scheme (N-CLGSC) is not IND-CCA2 secure in signcryption mode either.
Setup: Same as in encryption mode.
Phase 01: Same as in encryption mode.
Phase 02: A-II provides two equal-length messages (m_0, m_1), a sender identity ID*_A and a receiver identity ID*_B to be used for the challenge. A-II is not allowed a private key extraction query on ID*_B, and ID*_B ≠ ID_φ for the confidentiality game. The challenger C picks a bit β ∈ {0, 1} at random and runs A-II on the challenged ciphertext σ* ← GSC(m_β, ID*_A, ID*_B), computed as follows:
1) Compute U* = r*P.
2) Compute w* = ê(P_Pub, Q_B)^{r* f}
A-II guesses β and wins the game. Hence the insecurity of N-CLGSC under IND-CCA2 in signcryption only mode is also proved.

A. Variation
IN-CLGSC works adaptively and seamlessly switches, according to the users' inputs, among three different modes as the application requires, without any additional operation.
• Signature only mode: when ID_A ≠ ϕ and ID_B = ϕ, then f(ID_A) = 1 and f(ID_B) = 0, V = mh = m, and c = (U, m, W).
• Encryption only mode: when ID_A = ϕ and ID_B ≠ ϕ, then f(ID_A) = 1 and f(ID_B) = 0, W = r·H, and c = (U, V, W).
• Signcryption only mode: when ID_A ≠ ϕ and ID_B ≠ ϕ, then f(ID_A) = 1 and f(ID_B) = 1, W = D_A + r·H + x_A H, and c = (U, V, W).
VII. CONCLUSION
Zhou et al. recently proposed a new certificateless generalized signcryption scheme and proved its security against IND-CCA2 and EUF-CMA in the presence of a Malicious-but-Passive Key Generation Center in the random oracle model. We analyzed the Zhou et al. scheme and unfortunately proved it IND-CCA2 insecure in the encryption and signcryption modes within their defined security model. We also presented an improved scheme, provably secure in the presence of a Malicious-but-Passive Key Generation Center in the random oracle model. The improved scheme has the same cost as the Zhou et al. scheme and is feasible for scarce-resource environments.

1) Setup (1^k): This PPT algorithm is executed by the KGC; it takes the security parameter 1^k as input and returns the master public and secret key pair (m_pk, m_sk) together with the global parameters params.
2) Extract-partial-private-key (ID, m_sk, params): This PPT algorithm is executed by the KGC; it takes a user identity ID_i ∈ {0, 1}* and (m_sk, params) as input, and returns the partial private key D_i.
3) Generate-user-keys (ID, params): This PPT algorithm is executed by the user; it takes (ID_i, params) as input and returns a secret key and public key pair (x_i, PK_i).
4) Set-private-key (D, x, params): This PPT algorithm is executed by the user; it takes (ID_i, x_i, params) as input and returns the full private key S_i.
• Challenge: A-I selects two distinct equal-length messages m_0 and m_1, a sender identity ID*_A and a receiver identity ID*_B, on which it makes the challenge. Adversary A-I must not have made a private key extraction query on ID*_B, and ID*_B ≠ ID_φ for the confidentiality game. Challenger C selects a bit λ ∈ {0, 1} at random, runs the GSC algorithm on message m_λ with ID*_A and ID*_B, and returns the output σ* as the challenge ciphertext to A-I.