
An Identity-based Broadcast
Signcryption Scheme and Its Application
to Medical Images Sharing
Dang Thu Hien
Faculty of Information Technology
University of Engineering and Technology
Vietnam National University, Hanoi
Supervised by
Associate Professor Trinh Nhat Tien
A thesis submitted in fulfillment of the requirements for the degree of
Master of Computer Science
May, 2010
Table of Contents

Abstract  ii
Acknowledgement  iii
List of Figures  v
List of Tables  vi
Abbreviations  vii
1 Introduction  1
  1.1 Overview and Motivation  1
  1.2 Related work  4
  1.3 Our contributions  6
  1.4 Thesis organization  6
2 Preliminaries  7
  2.1 Bilinear pairings  7
  2.2 Computational assumptions  8
  2.3 General model of identity-based broadcast signcryption  9
  2.4 Requirements of IBBS  10
  2.5 Security notions for IBBS  11
    2.5.1 Message confidentiality  11
    2.5.2 Existential unforgeability  13
  2.6 Forking lemma  13
3 Identity-Based Broadcast Signcryption Scheme  15
  3.1 Description of the scheme  15
    3.1.1 Setup  15
    3.1.2 Extract  16
    3.1.3 Signcryption  16
    3.1.4 Unsigncryption  17
  3.2 Analysis  17
    3.2.1 Consistency  18
    3.2.2 Public ciphertext authenticity  18
    3.2.3 Public verifiability  19
  3.3 Security proofs  19
    3.3.1 Message confidentiality  19
    3.3.2 Existential unforgeability  25
  3.4 Efficiency evaluation and comparison  30
4 Experimentation and Application  33
  4.1 IBBS Experiments  33
    4.1.1 Experimental setup  33
    4.1.2 Results and comparison  34
  4.2 Signcryption - Watermarking Model for Medical Image Sharing  36
5 Conclusions and Future Work  39
Publications list  41
Bibliography  42

List of Figures

4.1 Broadcast Signcryption - Watermarking Model

List of Tables

3.1 Computation costs comparison  31
3.2 Communication costs comparison  32
4.1 Experimental results comparison  35
Abbreviations

BE  Broadcast Encryption
EHR  Electronic Health Record
EUF-sIBBS-CMA  Existential unforgeability of identity-based broadcast signcryption scheme against selective identity chosen message attacks
ex  exponentiation
GDHE  General Diffie-Hellman Exponent
IBBS  Identity-Based Broadcast Signcryption
ID  Identity
IND-sIBBS-CCA  Indistinguishability of identity-based broadcast signcryption scheme against selective identity chosen ciphertext attacks
MSK  Master Secret Key
mu  multiplication
pa  pairing evaluation
PK  Public Key
PKG  Private Key Generator
PKI  Public Key Infrastructure
q-SDH  q-Strong Diffie-Hellman
SC  Signcryption
UN  Unsigncryption
Chapter 1
Introduction
1.1 Overview and Motivation

Information is probably one of the most valuable possessions of mankind. The loss, illegitimate disclosure or modification of information, especially sensitive information, can have serious consequences for everyone concerned. On the other hand, the recent growth of digital technologies and computer networks has radically changed the way we work and exchange ideas. By providing low-cost, fast and accurate access to data in digital form, communication over networks has become easier and increasingly popular. However, the advantages of digital information and networked environments also bring new challenges, because they expose information to attacks such as eavesdropping, forgery and alteration. Therefore, the need for secure and authenticated data transmission is ever more important and critical.
Since the birth of public key cryptography in the 1970s, the requirements of confidentiality and authenticity have been satisfied by encryption and digital signature schemes respectively. With public/private key pairs, two entities can share information in a secure manner. Public key cryptography was a great advance in cryptography, but it cannot work efficiently without the support of a certificate-based public key infrastructure (PKI). A certificate binds a public key to its owner, and the PKI manages, distributes and revokes certificates.
In order to get rid of public key certificates, in 1984 Adi Shamir introduced identity-based cryptosystems [Sha84]. In this paradigm, the user's unique and undeniable information serves as his or her public key, while the corresponding private key can only be derived by a trusted Private Key Generator (PKG). The public key can be the user's name, email address or whatever convenient data refers unambiguously and undeniably to only one user. Such information is called a digital identity. A user's identity is known to everyone, so there is no need to authenticate or prove the relationship between the identity and its owner, nor to spend time looking up a public key before sending a secret message. Consequently, identity-based cryptography promises a more convenient alternative to PKI. Several practical identity-based cryptographic schemes were devised, but until 2001 there was only one satisfactory scheme [BF01]. Others using pairings were proposed after that [Pat02, CC02, Hes02].
Traditional encryption only provides security for one-to-one communication. Nowadays there are many applications in which communication is one-to-many, where a user not only sends/receives data to/from another user but also to/from a group of users simultaneously. Senders (called broadcasters) need methods to distribute a message securely to a target set of receivers, ensuring that all members of the set get the correct message while non-members cannot eavesdrop on, forge or modify it. With conventional public key cryptography, the broadcaster has to encrypt and sign the message separately and transmit an individual ciphertext to each receiver. The advantage of this solution is a high security level, because every user gets a different ciphertext and uses his own private key to decrypt it. However, it is very inefficient: if there are $l$ receivers, the broadcaster has to process the same message $l$ times to create $l$ different ciphertexts, which costs a lot of time, storage and transmission bandwidth.
Thus, traditional public key cryptography is not a suitable approach to this problem. To handle the requirement of privacy in information broadcasting, a cryptographic topic called Broadcast Encryption (BE) was introduced by Fiat and Naor in [AM94]. BE schemes allow senders to broadcast an encrypted message over an open channel to a target set of receivers. In a secure BE system, any legitimate receiver can use his private key to decrypt the broadcast, but illegitimate users (those not in the target set) learn nothing about the message.
Today, because of its significant applications, broadcast encryption has gained considerable attention and is deployed broadly, for example in the distribution of copyrighted material, access control in encrypted file systems [Refb], and satellite TV subscription services. Recent research indicates that broadcast encryption has wide application prospects in securing electronic health records (EHR) [SW06, HTH09]. With the development of e-health, medical information is now digitalized and stored for different purposes such as tele-medicine, reducing health care costs, long-term storage, clinical research and epidemiological studies. Consider a situation in which, in order to discuss a case and obtain second opinions or professional advice, an EHR is distributed online to physicians, researchers, students or other external users. In the medical field, the security of medical data is very important. Data should be kept intact in every circumstance, because any manipulation or corruption could lead to a wrong diagnosis. On the other hand, EHRs contain sensitive patient information whose exposure can affect the patient's health and even life, so they should be protected from unauthorized access and modification.
When a broadcast system such as an electronic health system consists of multiple broadcasters, each user can produce ciphertexts and deliver them to others. This raises the issues of authentication and non-repudiation. Hence, along with information privacy, data origin authenticity is also a vital aspect.
To keep a message confidential and unforged, the well-known signature-then-encryption approach has been followed. However, it has a main drawback: the cost of distributing a message is essentially the sum of the cost of the digital signature and that of the encryption. In 1997, Zheng [Zhe97] addressed the question of reducing the cost of secure and authenticated message delivery and proposed a new cryptographic paradigm, called signcryption, which "simultaneously fulfils both the functions of digital signature and public key encryption in a logically single step, and with a cost significantly lower than that required by the traditional signature followed by encryption technique". The efficiency of signcryption has been demonstrated in several proposed schemes [ZY98, MB04, ML02, LQ03], which cost much less in average computation time and message expansion than signature-then-encryption does.
Since its proposal, signcryption has been adapted to broadcast encryption to satisfy the requirements of confidentiality and authenticity together. However, to date, research on broadcast signcryption is still very limited. Most of the proposed schemes need a separate component in the ciphertext for each designated receiver, so their ciphertext size grows linearly with the number of receivers. In several other constructions with constant ciphertext size, the broadcaster has to negotiate a common secret value with all receivers beforehand. From this point of view, these constructions are not more efficient or convenient than one-to-one signcryption.
Realizing that almost all current broadcast signcryption schemes do not meet all of these properties, we aim to construct a scheme which fulfils both security and efficiency. Additionally, the question of how to incorporate broadcast signcryption in securing EHRs inspires us to bring it to a specific application, namely medical image sharing. Since a medical image is a special type of data in an EHR, we concentrate on designing a model that combines the proposed broadcast signcryption scheme with a watermarking technique to secure medical image sharing.
1.2 Related work

There are many proposals of broadcast encryption systems. In [KD98], Kurosawa and Desmedt presented a scheme in which public and private keys are derived from a secret polynomial of degree $k$. The security of this algorithm is determined by the degree $k$ of the polynomial. Each user learns a piece of information about the secret polynomial $f(x)$ from his private key. Hence, a set of more than $k$ users can collude to recover the polynomial and break the system.
Another scheme based on the ID-based encryption algorithm of Boneh and Franklin [BF01] was introduced and analyzed in [YWCR07]. In [BSNS05], Baek et al. built a scheme based on the binary scheme of Canetti et al. [CHK03]. The best known fully collusion-resistant scheme is that of Boneh, Gentry and Waters [BGW05]. However, all these schemes result in long ciphertexts. In 2007, Delerablée [Del07] proposed the first ID-based broadcast encryption scheme with constant-size ciphertexts and private keys. This construction is based on the intractability of the General Diffie-Hellman Exponent problem and its security is proved in the random oracle model.
In the signcryption domain, the first scheme was proposed by Zheng [Zhe97]. After that, many identity-based constructions were introduced [ML02, CML05, LQ03, MB04]. Until now, the most secure schemes are [CML05] and [MB04].

Although many identity-based signcryption and broadcast encryption schemes have been devised, there has not been much research on broadcast signcryption. In 2000, Y. Mu et al. [MV00] presented the first distributed signcryption scheme, in which any user can signcrypt a message and deliver it to a designated group of recipients. After that, Li et al. [LHL06] proposed a multi-receiver signcryption scheme based on bilinear pairings. Another scheme based on bilinear pairings was presented by Ma Chun-bo et al. [bMAhL07]. However, in all of the schemes [bMAhL07, LHL06, MV00], the algorithms are based on traditional public keys, not identities.

In [Boy03], the author built an identity-based signcryption scheme and extended it to the multi-recipient case. The idea of this construction is to carry out the sign operation once while the encrypt operation is performed independently for each recipient. Another ID-based broadcast signcryption scheme was proposed by Bohio et al. in 2004 [BM04]. However, this scheme is inconvenient because it needs a pre-agreement to establish a common secret key before signcrypting; once this common value leaks, the system is broken. In addition, a forgery weakness in this scheme was pointed out by Selvi et al. [SVK+08]. Although the authors gave a fix for this weakness, the scheme still suffers from a major shortcoming: if a user leaves the group, the broadcast parameters must be changed and sent to every remaining user.

In 2006, Duan and Cao [DC06] proposed a multi-receiver ID-based signcryption scheme by extending the broadcast encryption scheme of [BSNS05]. Recently, Tan [Tan08] pointed out that their scheme is not secure under chosen ciphertext attacks. In 2007, Yu et al. [YYHZ07] introduced a new scheme and claimed that it is secure in the random oracle model; however, it was shown to be insecure against forgery attacks in [XX09].

Recently, F. Li et al. [LXH08] also proposed another ID-based broadcast signcryption scheme based on Chen and Malone-Lee's signcryption algorithm [CML05] and proved its security in the random oracle model. Nonetheless, the ciphertext size is linear in the number of receivers and each receiver must share a common secret value with the broadcaster.
Note that none of the above proposals has the public ciphertext authenticity property. In 2009, another scheme was introduced in [EA09]. This scheme is based on the signcryption scheme of [LQ03] and provides a noticeable property called public ciphertext authenticity, which allows any third party to verify the origin of the ciphertext. This property is very useful for applications that need firewall or gateway authentication before passing a message on. However, the ciphertext of this scheme has a similar form to the others, meaning that it needs a separate component for each receiver. In [SVSR09], an effective scheme was proposed based on the construction of the broadcast encryption scheme in [Del07]. Although this scheme has constant-size ciphertexts, it does not meet the public ciphertext authenticity requirement.
1.3 Our contributions

Within the scope of a Master thesis, this work designs an efficient identity-based broadcast signcryption scheme whose ciphertext size does not depend on the number of receivers, and whose system public key size is linear in the maximal size of the receiver set. In this scheme, the total number of possible users does not have to be fixed from the beginning. The algorithm only requires pairing computations in the unsigncryption phase, not in the signcryption phase. Moreover, it achieves the desirable security attributes of broadcast signcryption that most current constructions do not.

We analyze and prove the security (message confidentiality and existential unforgeability) of the proposed scheme in the random oracle model. Evaluation and comparison with several existing schemes in terms of performance are also made, both theoretically and experimentally.

Finally, we construct a model that combines broadcast signcryption and watermarking for secure medical image sharing. An implementation of this construction provides experimental results and shows its potential for practical use.
1.4 Thesis organization

The rest of this thesis is organized as follows:

Chapter 2 presents the preliminary definitions involved. This chapter covers bilinear pairings and related computational assumptions, the general model, requirements and formal security notions of identity-based broadcast signcryption that we adopt. We also recall the forking lemma, which states the general security level of signature schemes.

Chapter 3 describes the proposed identity-based broadcast signcryption scheme. Analysis and security proofs of the proposed scheme are provided here. We also make some summaries and comparisons to evaluate its efficiency.

Chapter 4 presents numerical experiments and discusses their practical implementation. The model incorporating the proposed scheme for securing medical images is also introduced in this chapter. Implementation and experimental results of this model are developed and evaluated.

Chapter 5 concludes our work and gives future research directions based on the results obtained so far.

Chapter 2
Preliminaries
In this chapter, the background of this thesis is introduced. Based on these definitions and assumptions, our scheme is constructed and proved secure.
2.1 Bilinear pairings
Let Gi, Ơ2 be two cyclic additive groups of prime
multiplicative group of same order
p.
Denote
g
and
h

G
2 respectively. A bilinear pairings is a map e : Ơ1 X
properties:
order
p
and
Gt
be a cyclic
are the generators of
G\
and
Ơ2 —►
G t
with the following
1. Bilinearity: For any arbitrary elements a,
b

of Zp,
e(ga,hๆ = e(g,h)ab = e(9\ h ๆ
2. Non-degeneracy:
e(g} h) Ф \c r
where 1
qt
is the identity element of
G t-
3. Computability: There is an efficient algorithm to compute
e(g, h)
for all
g Ç. G\

and
h
€ c?2.
Actually,
Gl
and Ơ2 could be equal for simplicity. The map e derived from modifying
either Weil or Tate pairing [BF01] is permissible for this kind of map.
2.2 Computational assumptions

The complexity assumptions for the security of our scheme rely on the hardness of computational problems that were previously formalized in [BB04a, BB04b, BBG05]. We now recall these problems.

Definition 1. The q-Strong Diffie-Hellman problem (q-SDH). Given bilinear map groups $(G_1, G_2, G_T)$ of the same order $p$ and generators $g \in G_1$ and $h \in G_2$, the q-Strong Diffie-Hellman problem (q-SDH) consists in, given a tuple $(h, h^{a}, h^{a^2}, \ldots, h^{a^q})$, finding a pair $(c, h^{1/(a+c)}) \in \mathbb{Z}_p \times G_2$. The advantage of an algorithm $\mathcal{A}$ in solving the q-SDH problem is

$$Adv^{q\text{-}SDH}_{\mathcal{A}} = \Pr\left[\mathcal{A}(h, h^{a}, h^{a^2}, \ldots, h^{a^q}) = (c, h^{1/(a+c)}) \;\middle|\; c \in \mathbb{Z}_p^*,\ c \neq -a\right].$$

We say that the q-SDH assumption holds in $(G_1, G_2)$ if for any probabilistic polynomial time algorithm $\mathcal{A}$ the advantage $Adv^{q\text{-}SDH}_{\mathcal{A}}$ in solving the q-SDH problem is negligibly small.

Definition 2. The General Diffie-Hellman Exponent problem (GDHE). Let $p$ be a prime and let $s, n$ be two positive integers. Let $G$ and $G_T$ be two cyclic groups of order $p$ with an efficient, non-degenerate bilinear map $e : G \times G \to G_T$. Let $g$ be a generator of $G$ and set $g_T = e(g, g) \in G_T$. Let $P, Q \in \mathbb{F}_p[X_1, X_2, \ldots, X_n]^s$ be two $s$-tuples of $n$-variate polynomials over the field $\mathbb{F}_p$, that is, $P = (p_1, p_2, \ldots, p_s)$ and $Q = (q_1, q_2, \ldots, q_s)$ where the $p_i, q_j$ are multivariate polynomials ($1 \le i, j \le s$). We impose that $p_1 = q_1 = 1$. Let $P(x_1, x_2, \ldots, x_n)$ denote $(p_1(x_1, x_2, \ldots, x_n), \ldots, p_s(x_1, x_2, \ldots, x_n))$. For any function $h : \mathbb{F}_p \to \Omega$ and a vector $(x_1, x_2, \ldots, x_n) \in \mathbb{F}_p^n$, we write

$$h(P(x_1, x_2, \ldots, x_n)) = \big(h(p_1(x_1, x_2, \ldots, x_n)), \ldots, h(p_s(x_1, x_2, \ldots, x_n))\big) \in \Omega^s.$$

We use similar notation for $Q$. Let $f \in \mathbb{F}_p[X_1, X_2, \ldots, X_n]$. The $(P, Q, f)$-General Diffie-Hellman Exponent problem ($(P, Q, f)$-GDHE) is defined as follows: given the vector

$$H(x_1, \ldots, x_n) = \big(g^{P(x_1, \ldots, x_n)},\ g_T^{Q(x_1, \ldots, x_n)}\big) \in G^s \times G_T^s,$$

compute $g_T^{f(x_1, \ldots, x_n)} \in G_T$. The advantage of an algorithm $\mathcal{A}$ in solving the GDHE problem is

$$Adv^{GDHE}_{\mathcal{A}} = \Pr\left[\mathcal{A}(P, Q, f) = g_T^{f(x_1, \ldots, x_n)}\right].$$

We say that the $(P, Q, f)$-GDHE assumption holds if for any probabilistic polynomial time algorithm $\mathcal{A}$ the advantage $Adv^{GDHE}_{\mathcal{A}}$ is negligibly small.

Definition 3. Dependent and Independent Polynomials. With $f, P, Q$ defined as in Definition 2, we say that $f$ and $(P, Q)$ are dependent, denoted $f \in \langle P, Q \rangle$, if there exists a tuple of $(s^2 + s)$ components $\{a_{ij}\}$, $\{b_k\}$ with $1 \le i, j, k \le s$ such that

$$f = \sum_{i,j=1}^{s} a_{ij}\, p_i\, p_j + \sum_{k=1}^{s} b_k\, q_k.$$

We say that $f$ and $(P, Q)$ are independent if they are not dependent, denoted $f \notin \langle P, Q \rangle$. In [BBG05], it was pointed out that when $f \notin \langle P, Q \rangle$, the $(P, Q, f)$-GDHE problem is intractable.
2.3 General model of identity-based broadcast signcryption

Broadcast signcryption schemes serve scenarios in which one person distributes information to $l$ other people confidentially and authentically. An identity-based broadcast signcryption scheme (IBBS) consists of four algorithms: Setup, Extract, Signcryption and Unsigncryption. Setup creates the public parameters and the master secret key from the security parameter. Extract generates the private key of every user from the user's identity. Signcryption produces the signcrypted ciphertext from a broadcaster to an intended set of receivers. Unsigncryption recovers the original plaintext and verifies its integrity and authenticity.

Let $B$ be the broadcaster and $R = \{R_1, R_2, \ldots, R_l\}$ the set of receivers. The algorithms are described in detail as follows:

• Setup: Given a security parameter $\lambda$ and the maximal size $m$ of the set of receivers, the PKG generates a master secret key $MSK$ and a public key $PK$. $MSK$ is kept secret and $PK$ is made public.

• Extract: Given an identity $ID$, the PKG computes the corresponding private key $S_{ID}$ and transfers it to the owner in a secure way.

• Signcryption: On input of the public key $PK$, a set of designated identities $R = \{ID_1, ID_2, \ldots, ID_l\}$ with $l \le m$, a message $M$ and its own private key $S_{ID_B}$, the broadcaster $B$ computes $\sigma = \mathrm{Signcrypt}(M, PK, R, S_{ID_B})$ and obtains $\sigma$ as the signcrypted text of the plaintext $M$.

• Unsigncryption: On receiving $\sigma$, a receiver with identity $ID_i$, $1 \le i \le l$, and corresponding private key $S_{ID_i}$ computes $\mathrm{Unsigncrypt}(\sigma, S_{ID_i}, ID_B, PK)$ to obtain a valid plaintext $M$, or the symbol $\bot$ if $\sigma$ was an invalid signcrypted text.

For the correctness of identity-based broadcast signcryption, we require that for every $ID_i \in R$:

$$M = \mathrm{Unsigncrypt}\big(\mathrm{Signcrypt}(M, PK, R, S_{ID_B}),\ S_{ID_i},\ ID_B,\ PK\big).$$
2.4 Requirements of IBBS

According to [ENI09], a broadcast signcryption scheme should basically have the following properties:

1. Consistency: A signcrypted text formed properly by the signcryption algorithm must be extracted and verified successfully by the corresponding unsigncryption algorithm.
2. Confidentiality: It is infeasible to obtain the content of the signcrypted message without knowledge of a target receiver's private key.
3. Unforgeability: Without knowledge of the sender's private key, it is infeasible for an attacker to masquerade as the sender and create a signcrypted text that will be unsigncrypted and verified successfully by the unsigncryption algorithm.
4. Public ciphertext authenticity: Any third party can verify the validity and the origin of the ciphertext without knowing the content of the message and without any help from the designated receivers.
5. Public verifiability: The receiver is able to prove to a third party that the signcrypted ciphertext is a valid signature on the message without revealing his private key. This property ensures that the sender cannot deny his signature.
6. Efficiency: The communication load (size of the signcrypted text) and the computation cost (time to signcrypt and unsigncrypt) should be smaller than those of the best known signature-then-encryption schemes with the same functionality and comparable parameters.
2.5 Security notions for IBBS

There are two types of security in any IBBS scheme: message confidentiality and unforgeability. Formal security definitions for signcryption schemes were given by Malone-Lee [ML02], consisting of indistinguishability against adaptive chosen ciphertext attacks (for message confidentiality) and unforgeability against adaptive chosen message attacks (for existential unforgeability). For broadcast signcryption, a widely accepted security definition is the selective identity attack.

The selective identity attack was first proposed by Canetti et al. [CHK03]; in it the adversary must choose from the beginning the identity he wants to attack. This idea was then modified and adapted to prove the security of broadcast encryption and signcryption schemes [DC06, Del07]. In this work, we inherit it and present two notions called indistinguishability of identity-based broadcast signcryption against selective identity chosen ciphertext attacks (IND-sIBBS-CCA) and existential unforgeability of identity-based broadcast signcryption against selective identity chosen message attacks (EUF-sIBBS-CMA). These notions are described below.
2.5.1 Message confidentiality

Let $\mathcal{A}$ denote an adversary and $\mathcal{B}$ a challenger. Message confidentiality is defined by the following game between $\mathcal{A}$ and $\mathcal{B}$. Basically, we extend the definition of [Del07] by adding signcryption and unsigncryption queries.

Init: Both adversary and challenger are given $m$ as the maximal size of the receiver set. $\mathcal{A}$ outputs a set of identities $R^* = \{ID_1^*, ID_2^*, \ldots, ID_l^*\}$ ($l \le m$) that he wishes to attack.

Setup: The challenger runs the Setup algorithm to obtain the master secret key $MSK$ and the public key $PK$. The challenger sends $PK$ to $\mathcal{A}$ while keeping $MSK$ secret from $\mathcal{A}$.

Phase 1: The adversary $\mathcal{A}$ issues a series of queries:

• Extraction queries: $\mathcal{A}$ produces an arbitrary identity $ID$ with the constraint that $ID \notin R^*$ and requests the corresponding private key. The challenger runs the Extract algorithm to obtain $S_{ID}$ and returns it to the adversary.

• Signcryption queries: $\mathcal{A}$ produces a message $M$, a broadcaster identity $ID_B$ and a set $R$ of $l$ receiver identities $\{ID_{R_i}\}$, and requests the signcrypted ciphertext $\mathrm{Signcrypt}(M, PK, R, S_{ID_B})$. The challenger returns the corresponding $\sigma$.

• Unsigncryption queries: $\mathcal{A}$ produces a broadcaster identity $ID_A$ and a signcrypted text $\sigma$ and requests the result of $\mathrm{Unsigncrypt}(\sigma, S_{ID^*}, ID_A, PK)$ with $ID^* \in R^*$. The challenger returns the valid plaintext $M$ if unsigncryption succeeds, or the symbol $\bot$ otherwise.

Challenge: $\mathcal{A}$ produces two plaintexts $M_0$ and $M_1$ of equal length and a broadcaster identity $ID_A$. The challenger randomly selects a bit $b \in \{0, 1\}$, computes the signcrypted text $\sigma^* = \mathrm{Signcrypt}(M_b, PK, R^*, S_{ID_A})$ and returns $\sigma^*$ to $\mathcal{A}$.

Phase 2: $\mathcal{A}$ continues to issue queries as follows:

• Extraction and signcryption queries as in Phase 1.

• Unsigncryption queries as in Phase 1, with the restriction that it cannot request the unsigncryption of the challenge $\sigma^*$.

Guess: Finally, the adversary $\mathcal{A}$ outputs a guess $b'$ and wins the game if $b' = b$.

The advantage of $\mathcal{A}$ is defined as

$$Adv^{IND\text{-}sIBBS\text{-}CCA}(\mathcal{A}) = 2 \times \Pr[b' = b] - 1,$$

where $\Pr[b' = b]$ is the probability that $b' = b$.

Definition 4. An identity-based broadcast signcryption scheme (IBBS) satisfies the indistinguishability against selective identity chosen ciphertext attacks property (IND-sIBBS-CCA) if no probabilistic polynomial time adversary has a non-negligible advantage in the above confidentiality game.
2.5.2 Existential unforgeability

For the unforgeability requirement, we consider the following game between an adversary $\mathcal{A}$ and a challenger $\mathcal{B}$:

Init: Both adversary and challenger are given $m$ as the maximal size of the receiver set. $\mathcal{A}$ outputs an identity $ID^*$ that he wishes to attack.

Setup: The challenger runs the Setup algorithm to obtain the master secret key $MSK$ and the public key $PK$. The challenger sends $PK$ to $\mathcal{A}$ while keeping $MSK$ secret from $\mathcal{A}$.

Attack: The adversary $\mathcal{A}$ performs a number of extraction, signcryption and unsigncryption queries as in the previous confidentiality game, with the restriction that he cannot request the private key extraction for the target identity $ID^*$.

Forgery: The adversary $\mathcal{A}$ produces a signcrypted text $\sigma^*$ and $l$ arbitrary recipient identities $ID_{r_1}, ID_{r_2}, \ldots, ID_{r_l}$ where $ID_{r_i} \neq ID^*$. $\mathcal{A}$ wins the game if the result of $\mathrm{Unsigncrypt}(\sigma^*, S_{ID_{r_i}}, ID^*, PK)$, for $1 \le i \le l$, is a valid message $M$ such that $\sigma^*$ was not the output of a previous signcryption query.

The advantage of $\mathcal{A}$ is defined as the probability that he wins the game.

Definition 5. An identity-based broadcast signcryption scheme (IBBS) satisfies the existential unforgeability against selective identity chosen message attacks property (EUF-sIBBS-CMA) if no probabilistic polynomial time forger has a non-negligible advantage in the above forgery game.
2.6 Forking lemma

The "forking lemma" was first suggested by David Pointcheval and Jacques Stern in [PS00]. This lemma is used to prove the unforgeability of signature schemes in the random oracle model. Recently, it has been employed widely to prove the security not only of digital signature algorithms but also of other random-oracle-based cryptographic constructions.

The lemma applies to signature schemes that produce a signature in the form of a triplet $(\sigma_1, h, \sigma_2)$ using a hash function. The idea is the following: assuming there is an efficient attacker who can break the scheme in the random oracle model, then by a replay attack it can produce two different valid signatures $(\sigma_1, h, \sigma_2)$ and $(\sigma_1', h', \sigma_2')$ on the same message $M$ such that $\sigma_1 = \sigma_1'$ but $h \neq h'$, where $h = f(M, \sigma_1)$ for the hash function $f$. If the probability of obtaining two forgeries on an identical message but with different random oracle outputs is non-negligible, then there exists an algorithm that solves some underlying hard problem with non-negligible probability. Applying the forking lemma therefore allows us to prove that if the underlying hard problem is indeed intractable, then no adversary can forge a signature.

The forking lemma of [PS00] is restated in Theorem 1 below.

Theorem 1. Let $\mathcal{A}$ be a probabilistic polynomial time Turing machine whose input only consists of public data. We denote respectively by $Q$ and $R$ the number of queries that $\mathcal{A}$ can ask to the random oracle and the number of queries that $\mathcal{A}$ can ask to the signer. Assume that, within a time bound $T$, $\mathcal{A}$ produces, with probability $\varepsilon \ge 10(R+1)(R+Q)/2^k$, a valid signature $(M, \sigma_1, h, \sigma_2)$. If the triple $(\sigma_1, h, \sigma_2)$ can be simulated without knowing the secret key, with an indistinguishable distribution probability, then there is another machine which has control over the machine obtained from $\mathcal{A}$ replacing interaction with the signer by simulation and produces two valid signatures $(M, \sigma_1, h, \sigma_2)$ and $(M, \sigma_1, h', \sigma_2')$ such that $h \neq h'$ in expected time $T' \le 120686\,QT/\varepsilon$.

The usage of this lemma will become clearer in the proof of the existential unforgeability property of our scheme in the next chapter.
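As an added illustration of the replay idea above (this is not part of the thesis), the following Python script runs the forking argument on a Schnorr signature, which has exactly the triplet form $(\sigma_1, h, \sigma_2)$ with $h = f(M, \sigma_1)$. The "forger" is simply the honest signer run twice on the same random tape (the same nonce $k$) while the random oracle is re-programmed to answer the query $(M, \sigma_1)$ differently the second time; from the two signatures the secret key is recovered, which is what the reduction in an unforgeability proof does with the two forgeries. The subgroup of order 1019 in $\mathbb{Z}_{2039}^*$, the key, the nonce and the message are toy values constructed for the example.

```python
"""Forking-lemma extraction on a Schnorr signature (added example, not from the thesis).

The signature has the triplet form (sigma1, h, sigma2) of Section 2.6:
    sigma1 = g^k,  h = H(M, sigma1),  sigma2 = k + x*h  (mod Q).
Re-running the forger on the same random tape (same k) after re-programming
the random oracle answer for (M, sigma1) yields a second signature with the
same sigma1 and a different h; the two together reveal the secret key x.
The subgroup of order Q in Z_P^*, the key and the message are toy values
constructed for the example.
"""
import hashlib

P = 2039   # safe prime, P = 2*Q + 1   (constructed toy parameters)
Q = 1019
G = 4      # 2^2, generates the order-Q subgroup of Z_P^*


class RandomOracle:
    """Lazily sampled random oracle H : (M, sigma1) -> Z_Q that a reduction may re-program."""

    def __init__(self):
        self.table = {}

    def __call__(self, message: bytes, sigma1: int) -> int:
        key = (message, sigma1)
        if key not in self.table:
            digest = hashlib.sha256(message + sigma1.to_bytes(2, "big")).digest()
            self.table[key] = int.from_bytes(digest, "big") % Q
        return self.table[key]

    def reprogram(self, message: bytes, sigma1: int, value: int) -> None:
        self.table[(message, sigma1)] = value % Q


def keygen(x: int):
    """Secret key x in Z_Q, public key y = g^x."""
    return x, pow(G, x, P)


def sign(x: int, message: bytes, k: int, oracle: RandomOracle):
    """Schnorr signature with an explicit nonce k (the forger's random tape)."""
    sigma1 = pow(G, k, P)
    h = oracle(message, sigma1)
    sigma2 = (k + x * h) % Q
    return sigma1, h, sigma2


def verify(y: int, message: bytes, sig, oracle: RandomOracle) -> bool:
    sigma1, h, sigma2 = sig
    if h != oracle(message, sigma1):
        return False
    # g^sigma2 = g^k * y^h, hence sigma1 must equal g^sigma2 * y^(-h)
    return sigma1 == pow(G, sigma2, P) * pow(y, (-h) % Q, P) % P


def fork_extract(sig_a, sig_b) -> int:
    """Two valid signatures with equal sigma1 and h != h' give x = (sigma2 - sigma2')/(h - h')."""
    sigma1_a, h_a, s_a = sig_a
    sigma1_b, h_b, s_b = sig_b
    assert sigma1_a == sigma1_b and h_a != h_b, "fork must share sigma1 and differ in h"
    return (s_a - s_b) * pow((h_a - h_b) % Q, -1, Q) % Q


def run_demo() -> int:
    """Replay attack of Section 2.6: returns the extracted secret key (777 here)."""
    x, y = keygen(777)
    msg = b"EHR-1234: second opinion requested"   # constructed message
    oracle = RandomOracle()
    k = 123                                       # the forger's random tape
    sig_a = sign(x, msg, k, oracle)
    assert verify(y, msg, sig_a, oracle)
    # Rewind to the oracle query (msg, sigma1), answer it differently, replay with the same k.
    oracle.reprogram(msg, sig_a[0], sig_a[1] + 1)
    sig_b = sign(x, msg, k, oracle)
    assert verify(y, msg, sig_b, oracle)
    return fork_extract(sig_a, sig_b)


if __name__ == "__main__":
    print("extracted secret key:", run_demo())
```

The re-programmed oracle is what "control over the machine" means in Theorem 1: the reduction fixes the forger's coins and changes only one random-oracle answer, so the second run shares $\sigma_1$ and differs in $h$, and the subtraction in `fork_extract` cancels the unknown nonce.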
Chapter 3
Identity-Based Broadcast Signcryption Scheme

In this chapter, we describe an efficient identity-based broadcast signcryption scheme which is motivated by [MB04] and [Del07]. Our scheme achieves the general requirements of a broadcast signcryption scheme as defined in the previous chapter. Analysis of consistency, security and efficiency is also presented.

3.1 Description of the scheme

The proposed IBBS scheme consists of four phases: Setup, Extract, Signcryption and Unsigncryption.
3.1.1 Setup

Given a security parameter $\lambda$ and an integer $m$ ($m$ is the maximal number of receivers in the scheme), the Private Key Generator (PKG) chooses bilinear map groups $(G_1, G_2, G_T)$ of prime order $p$ with $|p| \ge \lambda$, two generators $g$ and $h$ of $G_1$ and $G_2$ respectively, a bilinear map $e : G_1 \times G_2 \to G_T$ and three hash functions:

$$H_1 : \{0,1\}^* \to \mathbb{Z}_p^*, \qquad H_2 : G_T \to \{0,1\}^n, \qquad H_3 : \{0,1\}^* \times G_T \times G_2 \times G_1 \to \mathbb{Z}_p^*.$$

The PKG randomly chooses a secret value $\gamma \in \mathbb{Z}_p^*$. The master secret key is $MSK = (g, \gamma)$. The PKG computes $w = g^{\gamma}$, $v = e(g, h)$ and $h^{\gamma}, h^{\gamma^2}, \ldots, h^{\gamma^m}$. The PKG also chooses a secure symmetric encryption/decryption algorithm $(E, D)$ whose key length is $n$. The system's public key is

$$PK = (w, v, h, h^{\gamma}, h^{\gamma^2}, \ldots, h^{\gamma^m})$$

and the system's public parameters are

$$\mathcal{P} = (G_1, G_2, G_T, e, PK, H_1, H_2, H_3, E, D).$$
3.1.2 Extract
With master secret key $MSK$, for an identity $ID$, PKG computes $Q_{ID} = H_1(ID)$ and $S_{ID} = g^{1/(\gamma + Q_{ID})}$. It returns $Q_{ID}$ and $S_{ID}$ as the public and private key associated with the identity $ID$. $S_{ID}$ is transmitted in a secure way to its owner.
3.1.3 Signcryption
Assume a broadcaster $B$ wants to signcrypt a message $M$ to a set $R$ consisting of $l$ receivers with identities $ID_1, ID_2, \ldots, ID_l$. For simplicity, we denote $R = \{ID_i\}_{i=1}^{l}$ with $ID_i$ the identity of the $i$-th receiver. Given a message $M$, the system's public key $PK$ and a set of receivers $R$, the broadcaster with identity $ID_B$ follows the steps below:
1. Pick a number $x \in \mathbb{Z}_p$ randomly.
2. Compute $k = v^{x} \in G_T$.
3. Set $K = H_2(k) \in \{0,1\}^n$.
4. Compute $C = E_K(M) \in \{0,1\}^*$.
5. Compute $S = e(w, h)^{x} \in G_T$.
6. Compute $T = h^{x \prod_{i=1}^{l} (\gamma + Q_{ID_i})} \in G_2$.
7. Compute $Z = w^{-x} \in G_1$.
8. Compute $r = H_3(C, S, T, Z) \in \mathbb{Z}_p^*$.
9. Compute $Y = S_{ID_B}^{\,x - r} \in G_1$.
The signcrypted text is $\sigma = (C, S, T, Z, Y, L)$ where $L$ is the label that contains the list of receivers who can unsigncrypt to get the plaintext.
3.1.4 Unsigncryption
When receiving $\sigma$ from the broadcaster with identity $ID_B$, the receiver with identity $ID_i$ and corresponding secret key $S_{ID_i} = g^{1/(\gamma + Q_{ID_i})}$ follows the steps below to unsigncrypt $\sigma$:
1. Check whether $ID_i$ is in the label $L$; if yes:
2. Recover $r = H_3(C, S, T, Z) \in \mathbb{Z}_p^*$.
3. Compute $\psi = e(Y, h^{\gamma^2 + \gamma Q_{ID_B}}) \cdot e(w, h)^{r}$.
4. Compute $k = \left( e(Z, h^{p_i(\gamma)}) \cdot e(S_{ID_i}, T) \right)^{1/\prod_{j \ne i} Q_{ID_j}}$ with $p_i(\gamma) = \frac{1}{\gamma}\left( \prod_{j=1, j \ne i}^{l} (\gamma + Q_{ID_j}) - \prod_{j=1, j \ne i}^{l} Q_{ID_j} \right)$.
5. Compute $K = H_2(k)$.
6. Recover $M = D_K(C)$.
7. Accept the message if and only if $\psi = S$; return $\bot$ otherwise.
3.2 Analysis
We now assess the consistency, public ciphertext authenticity and public verifiability requirements of the proposed scheme. Confidentiality, unforgeability and efficiency will be analyzed in the next sections.
3.2.1 Consistency
The consistency of the proposed scheme is easily verified, stemming from the bilinearity of the map $e$. If $\sigma$ is a valid signcrypted text to an identity $ID_i$ then $r$ is correct and we have:
$$\begin{aligned}
\psi &= e(Y, h^{\gamma^2 + \gamma Q_{ID_B}}) \cdot e(w, h)^{r} \\
&= e\left(g^{\frac{x - r}{\gamma + Q_{ID_B}}}, h^{(\gamma + Q_{ID_B})\gamma}\right) \cdot e(g^{\gamma}, h)^{r} \\
&= e(g^{\gamma}, h)^{x - r} \cdot e(g^{\gamma}, h)^{r} \\
&= e(w, h)^{x} \\
&= S
\end{aligned}$$
Moreover, according to the signcryption phase, replacing $Z = w^{-x}$, $T = h^{x \prod_{j=1}^{l} (\gamma + Q_{ID_j})}$, $p_i(\gamma) = \frac{1}{\gamma}\left( \prod_{j=1, j \ne i}^{l} (\gamma + Q_{ID_j}) - \prod_{j=1, j \ne i}^{l} Q_{ID_j} \right)$ and $S_{ID_i} = g^{1/(\gamma + Q_{ID_i})}$, we derive:
$$\begin{aligned}
k' &= \left( e(Z, h^{p_i(\gamma)}) \cdot e(S_{ID_i}, T) \right)^{1/\prod_{j \ne i} Q_{ID_j}} \\
&= \left( e(w^{-x}, h^{p_i(\gamma)}) \cdot e\left(g^{\frac{1}{\gamma + Q_{ID_i}}}, h^{x \prod_{j=1}^{l} (\gamma + Q_{ID_j})}\right) \right)^{1/\prod_{j \ne i} Q_{ID_j}} \\
&= \left( e(g, h)^{-x\gamma\, p_i(\gamma)} \cdot e(g, h)^{x \prod_{j \ne i} (\gamma + Q_{ID_j})} \right)^{1/\prod_{j \ne i} Q_{ID_j}} \\
&= \left( e(g, h)^{-x\left(\prod_{j \ne i} (\gamma + Q_{ID_j}) - \prod_{j \ne i} Q_{ID_j}\right) + x \prod_{j \ne i} (\gamma + Q_{ID_j})} \right)^{1/\prod_{j \ne i} Q_{ID_j}} \\
&= \left( e(g, h)^{x \prod_{j \ne i} Q_{ID_j}} \right)^{1/\prod_{j \ne i} Q_{ID_j}} \\
&= e(g, h)^{x} = v^{x} = k
\end{aligned}$$
Thus, $k' = k$ and the message $M$ is recovered as in steps 5 and 6 of the unsigncryption phase.
3.2.2 Public ciphertext authenticity
Anyone can be convinced of the signcrypted ciphertext's origin by recovering $r = H_3(C, S, T, Z)$ and $\psi$ as in steps 2 and 3 of the Unsigncryption phase and checking whether the condition $\psi = S$ holds. Since this verification procedure only requires components of the signcrypted ciphertext and neither involves knowledge of the plaintext nor needs support from the recipient, it provides public ciphertext authenticity.
3.2.3 Public verifiability
A recipient can convince a third party that the sender is the author of a plaintext $M$ by forwarding the signcrypted ciphertext $\sigma$, $M$ and the ephemeral key $k$ to him. To check whether the ciphertext is a signcrypted version of $M$ made by the broadcaster, the third party first checks the origin of the ciphertext as in the public ciphertext authenticity section. If this requirement is met, he accepts the message's authenticity if and only if $M = D_K(C)$ with $K = H_2(k)$.
Hence, this scheme satisfies the requirement of public verifiability.
3.3 Security proofs
In this section, security proofs of confidentiality and unforgeability under the security notions defined in Chapter 2 are provided. The message confidentiality property provably relies on the hardness of the $(P, Q, f)$-General Diffie-Hellman Exponent assumption. The unforgeability property is proved under the $q$-Strong Diffie-Hellman Problem. Hash functions $H_i$ are now modeled as random oracles.
3.3.1 Message confidentiality
In order to prove the security based on the intractability of the $(P, Q, f)$-GDHE problem, we must define $(P, Q, f)$ such that they not only satisfy the independence condition ($f$ is independent of $(P, Q)$) but also are appropriate for the simulation of this scheme.
We now define an intermediate problem which determines $(P, Q, f)$ for a GDHE problem.
Definition 6. Given a bilinear map group system $(p, G_1, G_2, G_T, e)$ and let $f$ and $g$ be two coprime polynomials with pairwise distinct roots, of order $t$ and $m$ respectively. Let $g_0$ be a generator of $G_1$ and $h_0$ be a generator of $G_2$.
- Given:
, h ịgb)
Compute
e(ợo?
ho)y^^\
