Certificateless online/offline signcryption for the Internet of Things

Fagen Li (1), Yanan Han (1), Chunhua Jin (1)

Published online: 12 December 2015
© The Author(s) 2015. This article is published with open access at Springerlink.com
Abstract The Internet of Things (IoT) is an emerging network paradigm that aims to obtain the interactions among pervasive things through heterogeneous networks. Security is an important task in the IoT. Luo et al. (Secur Commun Netw 7(10): 1560–1569, 2014) proposed a certificateless online/offline signcryption (COOSC) scheme for the IoT (hereafter called LTX). Unfortunately, Shi et al. showed that LTX is not secure: an adversary can easily obtain the private key of a user from a ciphertext. Recently, Li et al. proposed a new COOSC scheme (hereafter called LZZ). However, both LTX and LZZ need a point multiplication operation in the online phase, which is not suitable for resource-constrained devices. To overcome this weakness, we propose a new COOSC scheme and prove its security in the random oracle model. In addition, we analyze the performance of our scheme and show its application in the IoT.

Keywords Internet of Things · Security · Signcryption · Certificateless cryptosystem
1 Introduction
The Internet of Things (IoT) is an emerging network paradigm that aims to obtain the interactions among pervasive things through heterogeneous networks [1, 2]. The pervasive things (e.g. human beings, computers, appliances and cars) can communicate with each other at any time, in any place, and in any way. Many information technologies serve as building blocks of the IoT, such as radio frequency identification (RFID), wireless sensor networks (WSNs), machine-to-machine (M2M) interfaces, cloud computing, and so on [3]. The IoT has been widely applied in the smart grid, intelligent transportation, and smart cities. Securing the IoT is challenging because of its scalability, its heterogeneity, the open nature of wireless communication, and the limited resources of WSNs and RFID [4].

Luo et al. [5] proposed a certificateless online/offline signcryption (COOSC) scheme (hereafter called LTX) and designed a secure communication model using it. COOSC has two advantages: (1) it simultaneously achieves confidentiality and authentication at a low cost; (2) it has neither public key certificates nor the key escrow problem. Unfortunately, Shi et al. [6] showed that LTX is not secure: an adversary can easily obtain the private key of a user from a ciphertext. Recently, Li et al. [7] gave a new COOSC scheme (hereafter called LZZ). However, both LTX and LZZ need a point multiplication operation in the online phase, which is not suitable for resource-constrained devices.
1.1 Motivation and contribution
To overcome the weakness of LTX and LZZ, namely the point multiplication operation in the online phase, we propose a new COOSC scheme. Using the random oracle model, we prove that our scheme has indistinguishability against adaptive chosen ciphertext attack (IND-CCA2) under the q-bilinear Diffie–Hellman inversion (q-BDHI) and modified bilinear inverse Diffie–Hellman (mBIDH) problems, and existential unforgeability against adaptive chosen message attack (EUF-CMA) under the q-strong Diffie–Hellman (q-SDH) and modified inverse computational Diffie–Hellman (mICDH) problems. Compared with LTX and LZZ, our scheme has no point multiplication operation in the online phase. In the unsigncryption phase, our scheme has a lower computational cost than LTX and LZZ. Our ciphertext size and private key size are also shorter than those of LTX and LZZ. We analyze the performance of our scheme and show its application in the IoT.

Corresponding author: Fagen Li, fagenli@uestc.edu.cn
(1) School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 611731, China

Wireless Netw (2017) 23:145–158
DOI 10.1007/s11276-015-1145-3
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
1.2 Related work
Signcryption [8] is a cryptographic primitive that performs the functions of both digital signature and public key encryption in a single logical step, at a cost significantly lower than that of the traditional signature-then-encryption approach. Signcryption is well suited to resource-constrained devices since it simultaneously achieves confidentiality, authentication, integrity and non-repudiation at a lower cost.

In public key cryptography there are three approaches to authenticating a public key: public key infrastructure (PKI), identity-based cryptosystems (IBC) and certificateless cryptosystems (CLC). Accordingly, signcryption can be divided into three types: PKI-based signcryption, identity-based signcryption (IBSC) and certificateless signcryption (CLSC). In a PKI, a certificate authority (CA) issues a certificate that binds a public key to the identity of a user by means of the CA's signature; revoked certificates are published in a certificate revocation list (CRL). PKI has been widely used in Internet security, and several well-known PKI-based signcryption schemes have been proposed [8, 9]. However, PKI may not be a good choice for resource-constrained devices, since certificate management (distribution, verification, storage and revocation) is heavy. To reduce this burden, several IBSC schemes were proposed [10–13]. Compared with PKI, the main advantage of IBC is the elimination of public key certificates: a user's public key is derived directly from identity information such as a telephone number, email address or IP address. A trusted third party called the private key generator (PKG) generates a private key for each user from a master secret key, so the authenticity of a public key is guaranteed implicitly, without a certificate. However, IBC suffers from the key escrow problem, since the PKG holds all users' private keys. To overcome this problem, several CLSC schemes were proposed [14–16]. CLC uses a trusted third party called the key generating center (KGC), which generates a partial private key for each user from a master secret key. The user then generates a secret value and combines it with the partial private key to form the full private key. The KGC does not know the full private key since it does not know the secret value. Therefore, CLC has neither public key certificates nor the key escrow problem.

In 2002, An et al. [17] introduced online/offline signcryption (OOSC) by combining the concepts of online/offline signatures and signcryption. An OOSC scheme splits signcryption into two phases, an offline phase and an online phase. In the offline phase, most heavy operations are done without knowledge of the message; in the online phase, only light operations are done once the message is available. OOSC is well suited to providing security for resource-constrained devices such as sensor nodes, RFID tags, smart cards and mobile phones, which are characterized by low computational power and limited battery lifetime and capacity. Such a device can be loaded with the precomputed result of the offline phase from a more powerful device, and the whole signcryption is then finished quickly using that precomputed result. Several PKI-based OOSC schemes have been proposed [18–20]. Sun et al. [21] proposed an identity-based online/offline signcryption (IBOOSC) scheme; however, it needs the receiver's identity in the offline phase. To overcome this weakness, Liu et al. [22] proposed a new IBOOSC scheme that does not need the receiver's identity in the offline stage. Li et al. [23] gave a new IBOOSC scheme with a great advantage in offline storage and ciphertext length. Li and Xiong [24] proposed a heterogeneous OOSC to secure IoT communication; in heterogeneous OOSC, the sender belongs to the IBC and the receiver belongs to the PKI. Senthil kumaran and Ilango [25] used heterogeneous OOSC to design secure routing in WSNs.

Recently, COOSC has been considered in [5–7]. However, these schemes need a point multiplication operation in the online phase. The aim of the online/offline technique is to shift the heavy operations to the offline phase, so [5–7] violate this objective. In this paper, we give a new COOSC scheme that removes all heavy operations from the online phase.
1.3 Organization
The rest of the paper is organized as follows. The bilinear pairings and security assumptions are introduced in Sect. 2. The formal model of COOSC is given in Sect. 3. We describe a new COOSC scheme in Sect. 4. We give the security and performance analysis of our scheme in Sect. 5. The application of our scheme in the IoT is described in Sect. 6. Finally, the conclusions are given in Sect. 7.
2 Preliminaries
In this section, we describe the bilinear pairings and
security assumptions.
Let $G_1$ and $G_2$ be two cyclic groups with the same prime order $p$. $G_1$ is an additive group and $G_2$ is a multiplicative group. Let $P$ be a generator of $G_1$. A bilinear pairing is a map $\hat{e}: G_1 \times G_1 \to G_2$ that satisfies the following properties:

1. Bilinearity: $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}_p^*$.
2. Non-degeneracy: there are $P, Q \in G_1$ such that $\hat{e}(P, Q) \neq 1$, where $1$ is the identity element of the group $G_2$.
3. Computability: $\hat{e}(P, Q)$ can be efficiently computed for all $P, Q \in G_1$.

The modified Weil pairing and Tate pairing provide admissible maps of this kind. Please refer to [26] for details. The security of our scheme depends on the hardness of the following assumptions.
Definition 1 Given groups $G_1$ and $G_2$ of the same prime order $p$, a generator $P$ of $G_1$ and a bilinear map $\hat{e}: G_1 \times G_1 \to G_2$, the q-bilinear Diffie–Hellman inversion (q-BDHI) problem in $(G_1, G_2, \hat{e})$ is to compute $\hat{e}(P, P)^{1/a}$ given $(P, aP, a^2P, \ldots, a^qP)$. Here $a \in \mathbb{Z}_p^*$.

Definition 2 Given groups $G_1$ and $G_2$ of the same prime order $p$, a generator $P$ of $G_1$ and a bilinear map $\hat{e}: G_1 \times G_1 \to G_2$, the modified bilinear inverse Diffie–Hellman (mBIDH) problem in $(G_1, G_2, \hat{e})$ is to compute $\hat{e}(P, P)^{1/(a+c)}$ given $(P, aP, c)$. Here $a, c \in \mathbb{Z}_p^*$.

Definition 3 Given groups $G_1$ and $G_2$ of the same prime order $p$, a generator $P$ of $G_1$ and a bilinear map $\hat{e}: G_1 \times G_1 \to G_2$, the q-strong Diffie–Hellman (q-SDH) problem in $(G_1, G_2, \hat{e})$ is to find a pair $\left(w, \frac{1}{a+w}P\right) \in \mathbb{Z}_p^* \times G_1$ given $(P, aP, a^2P, \ldots, a^qP)$. Here $a \in \mathbb{Z}_p^*$.

Definition 4 Given a group $G_1$ of prime order $p$ and a generator $P$ of $G_1$, the modified inverse computational Diffie–Hellman (mICDH) problem in $G_1$ is to compute $(a+c)^{-1}P$ given $(P, aP, c)$. Here $a, c \in \mathbb{Z}_p^*$.
3 Certificateless online/offline signcryption
COOSC is an online/offline signcryption scheme in the
certificateless cryptosystem. In such a scheme, the sign-
cryption process is split into two phases: offline phase and
online phase. In the offline phase, most heavy crypto-
graphic operations are done without the knowledge of a
message. In the online phase, only light cryptographic
operations are done when the message is available. Now
we give the formal definition and security notions of the
COOSC.
3.1 Syntax
A generic COOSC scheme consists of the following seven algorithms [5, 7].

Setup is a probabilistic algorithm run by the KGC that takes as input a security parameter $k$ and outputs a master secret key $s$ and the system parameters params, which contain a master public key $P_{pub}$. For simplicity, we omit params from the inputs of the other algorithms below.

PPKE is a partial private key extraction algorithm run by the KGC that takes as input a user's identity $ID$ and the master secret key $s$, and outputs a partial private key $D_{ID}$.

UKG is a user key generation algorithm run by a user that takes as input an identity $ID$ and outputs a secret value $x_{ID}$ and a public key $PK_{ID}$. The public key can be published without a certificate.

FPKS is a full private key setup algorithm run by a user that takes as input a partial private key $D_{ID}$ and a secret value $x_{ID}$, and outputs a full private key $S_{ID}$.

OffSC is a probabilistic offline signcryption algorithm run by a sender that takes as input the sender's private key $S_A$ and a receiver's identity $ID_B$ and public key $PK_B$, and outputs an offline signcryption result $\delta$. Note that no message is required in this phase.

OnSC is an online signcryption algorithm run by a sender that takes as input a message $m$, an offline signcryption $\delta$, and the sender's identity $ID_A$ and public key $PK_A$, and outputs a ciphertext $\sigma$.

USC is a deterministic unsigncryption algorithm run by a receiver that takes as input a ciphertext $\sigma$, a sender's identity $ID_A$ and public key $PK_A$, and the receiver's private key $S_B$, and outputs a message $m$, or the failure symbol $\perp$ if $\sigma$ is not a valid ciphertext between the sender and the receiver.

The above algorithms should satisfy the consistency constraint of COOSC, i.e. if
$$\delta = \mathrm{OffSC}(S_A, ID_B, PK_B), \qquad \sigma = \mathrm{OnSC}(m, \delta, ID_A, PK_A),$$
then we have
$$m = \mathrm{USC}(\sigma, ID_A, PK_A, S_B).$$
3.2 Security notions

In CLC we need to consider two types of adversaries [26], Type I and Type II. A Type I adversary models an attacker that is an ordinary user and does not have the KGC's master secret key, but can adaptively replace a user's public key with a valid public key of its choice. A Type II adversary models an honest-but-curious KGC that knows the master secret key but cannot replace a user's public key. In addition, a signcryption scheme should satisfy confidentiality [i.e. indistinguishability against adaptive chosen ciphertext attack (IND-CCA2)] and unforgeability [i.e. existential unforgeability against adaptive chosen message attack (EUF-CMA)] [14]. So, in CLSC, we should consider four security notions: IND-CCA2-I for a Type I adversary, IND-CCA2-II for a Type II adversary, EUF-CMA-I for a Type I adversary and EUF-CMA-II for a Type II adversary. The four games for the four security notions are described as follows [5, 7].
The first game (Game-I) is a confidentiality game played between a Type I adversary $\mathcal{A}_I$ and a challenger $\mathcal{C}$.

Initial: $\mathcal{C}$ runs the Setup algorithm with a security parameter $k$ and gives the system parameters params to $\mathcal{A}_I$.

Phase 1: $\mathcal{A}_I$ performs a polynomially bounded number of queries in an adaptive manner (i.e., each query may depend on the answers to the previous queries).

Partial private key extraction queries: $\mathcal{A}_I$ submits an identity $ID$ to $\mathcal{C}$. $\mathcal{C}$ runs the PPKE algorithm and sends the partial private key $D_{ID}$ to $\mathcal{A}_I$.

Private key queries: $\mathcal{A}_I$ submits an identity $ID$ to $\mathcal{C}$. $\mathcal{C}$ runs the FPKS algorithm and gives the full private key $S_{ID}$ to $\mathcal{A}_I$ ($\mathcal{C}$ may first run the PPKE and UKG algorithms if necessary).

Public key queries: $\mathcal{A}_I$ submits an identity $ID$. $\mathcal{C}$ runs the UKG algorithm and sends the public key $PK_{ID}$ to $\mathcal{A}_I$.

Public key replacement queries: $\mathcal{A}_I$ can replace a public key $PK_{ID}$ with a value of its choice.

Signcryption queries: $\mathcal{A}_I$ submits a message $m$, a sender's identity $ID_i$ and a receiver's identity $ID_j$. $\mathcal{C}$ first runs the FPKS algorithm to get the sender's private key $S_i$ and the UKG algorithm to get the sender's public key $PK_i$ and the receiver's public key $PK_j$. Then $\mathcal{C}$ runs $\mathrm{OffSC}(S_i, ID_j, PK_j)$ to obtain the offline signcryption $\delta$. Finally, $\mathcal{C}$ sends the result of $\mathrm{OnSC}(m, \delta, ID_i, PK_i)$ to $\mathcal{A}_I$. If the public key associated with $ID_i$ has been replaced, $\mathcal{C}$ does not know the sender's secret value; in this case we require $\mathcal{A}_I$ to supply it.

Unsigncryption queries: $\mathcal{A}_I$ submits a ciphertext $\sigma$, a sender's identity $ID_i$ and a receiver's identity $ID_j$. $\mathcal{C}$ first runs the FPKS algorithm to get the receiver's private key $S_j$ and the UKG algorithm to get the sender's public key $PK_i$. Then $\mathcal{C}$ sends the result of $\mathrm{USC}(\sigma, ID_i, PK_i, S_j)$ to $\mathcal{A}_I$. If the public key associated with $ID_j$ has been replaced, $\mathcal{C}$ does not know the receiver's secret value; in this case we require $\mathcal{A}_I$ to supply it.

Challenge: $\mathcal{A}_I$ decides when Phase 1 ends. $\mathcal{A}_I$ outputs two equal-length messages $(m_0, m_1)$, a sender's identity $ID_A$ and a receiver's identity $ID_B$ on which it wishes to be challenged. Note that $ID_B$ cannot have been submitted to a private key query in Phase 1, nor to both a partial private key extraction query and a public key replacement query. $\mathcal{C}$ chooses a random bit $b \in \{0, 1\}$, computes $\delta = \mathrm{OffSC}(S_A, ID_B, PK_B)$ and the challenge ciphertext $\sigma = \mathrm{OnSC}(m_b, \delta, ID_A, PK_A)$, which is sent to $\mathcal{A}_I$. If the public key associated with $ID_A$ has been replaced, $\mathcal{C}$ may not know the sender's secret value; in this case we require $\mathcal{A}_I$ to supply it.

Phase 2: $\mathcal{A}_I$ may ask a polynomially bounded number of queries adaptively again, as in Phase 1. This time, $\mathcal{A}_I$ cannot ask a private key query on $ID_B$, and cannot ask a partial private key extraction query on $ID_B$ if the public key of this identity was replaced before the challenge phase. In addition, it cannot ask an unsigncryption query on $(\sigma, ID_A, ID_B)$ to obtain the corresponding message unless the public key $PK_A$ or $PK_B$ has been replaced after the challenge phase.

Guess: $\mathcal{A}_I$ outputs a bit $b'$ and wins the game if $b' = b$. The advantage of $\mathcal{A}_I$ is defined as $\mathrm{Adv}(\mathcal{A}_I) = |2\Pr[b' = b] - 1|$, where $\Pr[b' = b]$ is the probability that $b' = b$.

Definition 5 A COOSC scheme is $(\epsilon, t, q_{ppk}, q_{sk}, q_{pk}, q_{pkr}, q_s, q_u)$-IND-CCA2-I secure if there is no probabilistic $t$-polynomial time adversary $\mathcal{A}_I$ that has advantage at least $\epsilon$ after at most $q_{ppk}$ partial private key extraction queries, $q_{sk}$ private key queries, $q_{pk}$ public key queries, $q_{pkr}$ public key replacement queries, $q_s$ signcryption queries and $q_u$ unsigncryption queries in Game-I.
The second game (Game-II) is a confidentiality game played between a Type II adversary $\mathcal{A}_{II}$ and a challenger $\mathcal{C}$.

Initial: $\mathcal{C}$ runs the Setup algorithm with a security parameter $k$ and gives the master secret key $s$ and the system parameters params to $\mathcal{A}_{II}$.

Phase 1: $\mathcal{A}_{II}$ makes a polynomially bounded number of private key queries, public key queries, signcryption queries and unsigncryption queries, just as in Game-I. Partial private key extraction queries are not needed, since $\mathcal{A}_{II}$ can compute partial private keys itself.

Challenge: $\mathcal{A}_{II}$ decides when Phase 1 ends. $\mathcal{A}_{II}$ outputs two equal-length messages $(m_0, m_1)$, a sender's identity $ID_A$ and a receiver's identity $ID_B$ on which it wishes to be challenged. Note that $ID_B$ cannot have been submitted to a private key query in Phase 1. $\mathcal{C}$ chooses a random bit $b \in \{0, 1\}$, computes $\delta = \mathrm{OffSC}(S_A, ID_B, PK_B)$ and $\sigma = \mathrm{OnSC}(m_b, \delta, ID_A, PK_A)$, and sends $\sigma$ to $\mathcal{A}_{II}$.

Phase 2: $\mathcal{A}_{II}$ may ask a polynomially bounded number of queries adaptively again, as in Phase 1. This time, $\mathcal{A}_{II}$ cannot ask a private key query on $ID_B$. In addition, it cannot make an unsigncryption query on $(\sigma, ID_A, ID_B)$ to obtain the corresponding message.

Guess: $\mathcal{A}_{II}$ outputs a bit $b'$ and wins the game if $b' = b$. The advantage of $\mathcal{A}_{II}$ is defined as $\mathrm{Adv}(\mathcal{A}_{II}) = |2\Pr[b' = b] - 1|$, where $\Pr[b' = b]$ is the probability that $b' = b$.

Definition 6 A COOSC sc­heme is $(\epsilon, t, q_{sk}, q_{pk}, q_s, q_u)$-IND-CCA2-II secure if there is no probabilistic $t$-polynomial time adversary $\mathcal{A}_{II}$ that has advantage at least $\epsilon$ after at most $q_{sk}$ private key queries, $q_{pk}$ public key queries, $q_s$ signcryption queries and $q_u$ unsigncryption queries in Game-II.

Definition 7 A COOSC scheme is said to be IND-CCA2 secure if it is both IND-CCA2-I secure and IND-CCA2-II secure.

Game-I and Game-II capture insider security for confidentiality, since the adversary knows all senders' private keys [17]. Insider security ensures the forward security of a signcryption scheme: confidentiality is preserved even if the sender's private key is disclosed.
The third game (Game-III) is an unforgeability game played between a Type I adversary $\mathcal{F}_I$ and a challenger $\mathcal{C}$.

Initial: $\mathcal{C}$ runs the Setup algorithm with a security parameter $k$ and gives the system parameters params to $\mathcal{F}_I$.

Attack: $\mathcal{F}_I$ performs a polynomially bounded number of queries, just as in Game-I.

Forgery: $\mathcal{F}_I$ outputs a ciphertext $\sigma$, a sender's identity $ID_A$ and a receiver's identity $ID_B$. $\mathcal{F}_I$ wins this game if the following conditions hold:

1. $\mathrm{USC}(\sigma, ID_A, PK_A, S_B) = m$.
2. $\mathcal{F}_I$ has not asked a private key query for $ID_A$.
3. $\mathcal{F}_I$ has not asked both a public key replacement query for $ID_A$ and a partial private key extraction query for $ID_A$.
4. $\mathcal{F}_I$ has not asked a signcryption query on $(m, ID_A, ID_B)$.

The advantage of $\mathcal{F}_I$ is defined as the probability that it wins.

Definition 8 A COOSC scheme is $(\epsilon, t, q_{ppk}, q_{sk}, q_{pk}, q_{pkr}, q_s, q_u)$-EUF-CMA-I secure if there is no probabilistic $t$-polynomial time adversary $\mathcal{F}_I$ that has advantage at least $\epsilon$ after at most $q_{ppk}$ partial private key extraction queries, $q_{sk}$ private key queries, $q_{pk}$ public key queries, $q_{pkr}$ public key replacement queries, $q_s$ signcryption queries and $q_u$ unsigncryption queries in Game-III.

The fourth game (Game-IV) is an unforgeability game played between a Type II adversary $\mathcal{F}_{II}$ and a challenger $\mathcal{C}$.

Initial: $\mathcal{C}$ runs the Setup algorithm with a security parameter $k$ and gives the master secret key $s$ and the system parameters params to $\mathcal{F}_{II}$.

Attack: $\mathcal{F}_{II}$ performs a polynomially bounded number of queries, just as in Game-II.

Forgery: $\mathcal{F}_{II}$ outputs a ciphertext $\sigma$, a sender's identity $ID_A$ and a receiver's identity $ID_B$. $\mathcal{F}_{II}$ wins this game if the following conditions hold:

1. $\mathrm{USC}(\sigma, ID_A, PK_A, S_B) = m$.
2. $\mathcal{F}_{II}$ has not asked a private key query for $ID_A$.
3. $\mathcal{F}_{II}$ has not asked a signcryption query on $(m, ID_A, ID_B)$.

The advantage of $\mathcal{F}_{II}$ is defined as the probability that it succeeds.

Definition 9 A COOSC scheme is $(\epsilon, t, q_{sk}, q_{pk}, q_s, q_u)$-EUF-CMA-II secure if there is no probabilistic $t$-polynomial time adversary $\mathcal{F}_{II}$ that has advantage at least $\epsilon$ after at most $q_{sk}$ private key queries, $q_{pk}$ public key queries, $q_s$ signcryption queries and $q_u$ unsigncryption queries in Game-IV.

Definition 10 A COOSC scheme is EUF-CMA secure if it is both EUF-CMA-I secure and EUF-CMA-II secure.

In Game-III and Game-IV, the adversary is allowed to know the receiver's private key $S_B$, which gives insider security for unforgeability [17].
4 An efficient COOSC scheme

In this section, we propose an efficient COOSC scheme. Here we assume that the sender's identity is $ID_A$ and the receiver's identity is $ID_B$.

Setup: Given a security parameter $k$, the KGC chooses an additive group $G_1$ and a multiplicative group $G_2$ of the same prime order $p$, a generator $P$ of $G_1$, a bilinear map $\hat{e}: G_1 \times G_1 \to G_2$, and four hash functions $H_1: \{0,1\}^* \to \mathbb{Z}_p^*$, $H_2: G_1 \to \mathbb{Z}_p^*$, $H_3: G_2 \to \{0,1\}^n$ and $H_4: \{0,1\}^n \times \{0,1\}^* \times G_1 \times G_2 \times G_1 \to \mathbb{Z}_p^*$. Here $n$ is the number of bits of a message to be sent. The KGC randomly selects a master secret key $s \in \mathbb{Z}_p^*$ and computes the master public key $P_{pub} = sP$. The KGC publishes the system parameters
$$\{G_1, G_2, p, \hat{e}, n, P, P_{pub}, g, H_1, H_2, H_3, H_4\}$$
and keeps $s$ secret. Here $g = \hat{e}(P, P)$.

PPKE: A user sends its identity $ID_U$ to the KGC. The KGC computes the partial private key
$$D_U = \frac{1}{H_1(ID_U) + s}P$$
and returns $D_U$ to the user.

UKG: A user with identity $ID_U$ randomly selects $x_U \in \mathbb{Z}_p^*$ as the secret value and sets
$$PK_U = x_U\big(H_1(ID_U)P + P_{pub}\big)$$
as the public key. The public key can be published without certification.

FPKS: Given a partial private key $D_U$ and a secret value $x_U$, the user sets the full private key
$$S_U = \frac{1}{x_U + H_2(PK_U)}D_U.$$

OffSC: Given the sender's private key $S_A$ and the receiver's identity $ID_B$ and public key $PK_B$, this algorithm works as follows.

1. Choose $x, \alpha \in \mathbb{Z}_p^*$ at random.
2. Compute $r = g^x$.
3. Compute $S' = \alpha S_A$.
4. Compute $T = x\big(PK_B + H_2(PK_B)(H_1(ID_B)P + P_{pub})\big)$.
5. Output the offline signcryption $\delta = (x, \alpha^{-1}, r, S', T)$.

OnSC: Given a message $m$, an offline signcryption $\delta$, and the sender's identity $ID_A$ and public key $PK_A$, this algorithm works as follows.

1. Compute $c = m \oplus H_3(r)$.
2. Compute $h = H_4(m, ID_A, PK_A, r, S')$.
3. Compute $\theta = (x + h)\alpha^{-1} \bmod p$.
4. Output the ciphertext $\sigma = (c, \theta, S', T)$.

USC: Given a ciphertext $\sigma$, the sender's identity $ID_A$ and public key $PK_A$, and the receiver's private key $S_B$, this algorithm works as follows.

1. Compute $r = \hat{e}(T, S_B)$.
2. Recover $m = c \oplus H_3(r)$.
3. Compute $h = H_4(m, ID_A, PK_A, r, S')$.
4. Compute $S = \theta S'$.
5. Accept the message if and only if
$$r = \hat{e}\big(S, PK_A + H_2(PK_A)(H_1(ID_A)P + P_{pub})\big)\, g^{-h};$$
return $\perp$ otherwise.

Note that the online phase consists only of one XOR, one hash evaluation and one multiplication modulo $p$; the exponentiation, the point multiplications and the hash of the receiver's key material are all done in OffSC. Each offline result $\delta$ must be consumed by exactly one message: if the same $(x, \alpha^{-1})$ were used with two different hash values $h \neq h'$, the difference $\theta - \theta' = (h - h')\alpha^{-1}$ would reveal $\alpha$, and hence $S_A = \alpha^{-1}S'$.
We summarize the communication process in Fig. 1.

Now we check the consistency of our scheme. First, because
$$T = x\big(PK_B + H_2(PK_B)(H_1(ID_B)P + P_{pub})\big),$$
we have Eq. (1):
$$
\begin{aligned}
\hat{e}(T, S_B) &= \hat{e}\big(x(PK_B + H_2(PK_B)(H_1(ID_B)P + P_{pub})),\, S_B\big) \\
&= \hat{e}\Big(x\,(x_B + H_2(PK_B))(H_1(ID_B) + s)\,P,\ \frac{1}{x_B + H_2(PK_B)}\cdot\frac{1}{H_1(ID_B) + s}\,P\Big) \\
&= \hat{e}(P, P)^x = g^x = r. \qquad (1)
\end{aligned}
$$
Second, since
$$S = \theta S' = (x + h)\alpha^{-1}\alpha S_A = (x + h)S_A,$$
we have Eq. (2):
$$
\begin{aligned}
&\hat{e}\big(S, PK_A + H_2(PK_A)(H_1(ID_A)P + P_{pub})\big)\, g^{-h} \\
&= \hat{e}\big((x + h)S_A,\ (x_A + H_2(PK_A))(H_1(ID_A) + s)P\big)\, g^{-h} \\
&= \hat{e}\Big((x + h)\frac{1}{x_A + H_2(PK_A)}\cdot\frac{1}{H_1(ID_A) + s}\,P,\ (x_A + H_2(PK_A))(H_1(ID_A) + s)P\Big)\, g^{-h} \\
&= \hat{e}((x + h)P, P)\, g^{-h} = \hat{e}(P, P)^{x+h} g^{-h} = g^{x+h} g^{-h} = g^x = r. \qquad (2)
\end{aligned}
$$
Fig. 1 Certificateless online/offline signcryption communication. Sender: $c = m \oplus H_3(r)$, $h = H_4(m, ID_A, PK_A, r, S')$, $\theta = (x + h)\alpha^{-1} \bmod p$, $\sigma = (c, \theta, S', T)$; sends $(\sigma, ID_A, PK_A)$. Receiver: $r = \hat{e}(T, S_B)$, $m = c \oplus H_3(r)$, $h = H_4(m, ID_A, PK_A, r, S')$, $S = \theta S'$, and checks $r \stackrel{?}{=} \hat{e}(S, PK_A + H_2(PK_A)(H_1(ID_A)P + P_{pub}))\, g^{-h}$.
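The following is an added, executable model of the seven algorithms of Section 4 and of the consistency check in Eqs. (1) and (2); it is the editor's illustration, not code from the paper or its authors. To run without a pairing library it replaces the groups by a toy: $G_1 = (\mathbb{Z}_p, +)$ with $P = 1$, $G_2$ the order-$p$ subgroup of $\mathbb{Z}_q^*$ with $q = 2p + 1$, and $\hat{e}(A, B) = g^{AB \bmod p}$. This map is bilinear and non-degenerate, but discrete logarithms in that $G_1$ are trivial, so the model is insecure and only exercises the algebra. The parameter sizes ($p = 2039$, $n = 128$), the SHA-256-based hash functions, the identities and the message are all constructed for the example. It shows that the online phase is one XOR, one hash and one multiplication mod $p$, that USC recovers the message, and that a single flipped ciphertext bit is rejected.

```python
"""Toy executable model of the COOSC scheme of Section 4 (added example).

G1 is modelled as (Z_p, +) with P = 1, G2 as the order-p subgroup of Z_q^*
(q = 2p + 1), and e(A, B) = g^(A*B mod p) mod q.  The map is bilinear and
non-degenerate but INSECURE (discrete logs in this G1 are trivial); it only
exercises the algebra.  A real deployment needs an elliptic-curve pairing."""
import hashlib
import secrets

P_ORDER = 2039        # p: prime order of G1 and G2 (toy size, assumption)
Q_MOD = 4079          # q = 2p + 1 is prime, so p divides q - 1
P_GEN = 1             # the generator P of G1 = (Z_p, +)
N_BITS = 128          # n: message length in bits (assumption)
G2_GEN = pow(3, (Q_MOD - 1) // P_ORDER, Q_MOD)   # an element of order p in Z_q^*

def pairing(a, b):
    """Toy bilinear map e: G1 x G1 -> G2 with e(aP, bP) = e(P, P)^(ab)."""
    return pow(G2_GEN, (a * b) % P_ORDER, Q_MOD)

G = pairing(P_GEN, P_GEN)   # g = e(P, P), part of the public parameters

def _hash_to_zp_star(tag, *parts):
    """Domain-separated SHA-256 reduced into Z_p^* (never 0)."""
    h = hashlib.sha256(tag.encode())
    for part in parts:
        h.update(repr(part).encode() + b"|")
    return 1 + int.from_bytes(h.digest(), "big") % (P_ORDER - 1)

def H1(identity): return _hash_to_zp_star("H1", identity)
def H2(pk): return _hash_to_zp_star("H2", pk)
def H4(m, id_a, pk_a, r, s_prime): return _hash_to_zp_star("H4", m, id_a, pk_a, r, s_prime)

def H3(r):
    """H3: G2 -> {0,1}^n, the key stream that masks the message."""
    digest = hashlib.sha256(b"H3|" + repr(r).encode()).digest()
    return int.from_bytes(digest[: N_BITS // 8], "big")

def inv_mod_p(x):
    """1/x mod p; raises ValueError on a zero denominator (prob. ~1/p at toy size)."""
    return pow(x % P_ORDER, -1, P_ORDER)

def q_point(identity, pk, p_pub):
    """PK_U + H2(PK_U)(H1(ID_U) P + P_pub): the public point paired with S_U."""
    return (pk + H2(pk) * (H1(identity) * P_GEN + p_pub)) % P_ORDER

def setup():
    s = secrets.randbelow(P_ORDER - 1) + 1            # master secret s in Z_p^*
    return s, (s * P_GEN) % P_ORDER                   # (s, P_pub = sP)
def ppke(s, identity):
    """KGC side: partial private key D_U = 1/(H1(ID_U) + s) P."""
    return (inv_mod_p(H1(identity) + s) * P_GEN) % P_ORDER
def ukg(identity, p_pub):
    """User side: secret value x_U and PK_U = x_U (H1(ID_U) P + P_pub)."""
    x = secrets.randbelow(P_ORDER - 1) + 1
    return x, (x * (H1(identity) * P_GEN + p_pub)) % P_ORDER
def fpks(d_u, x_u, pk_u):
    """Full private key S_U = 1/(x_U + H2(PK_U)) D_U; the KGC never sees x_U."""
    return (inv_mod_p(x_u + H2(pk_u)) * d_u) % P_ORDER

def off_sc(s_a, id_b, pk_b, p_pub):
    """Offline phase: all the expensive work, no message needed."""
    x = secrets.randbelow(P_ORDER - 1) + 1
    alpha = secrets.randbelow(P_ORDER - 1) + 1
    r = pow(G, x, Q_MOD)                              # r = g^x (exponentiation in G2)
    s_prime = (alpha * s_a) % P_ORDER                 # S' = alpha S_A
    t = (x * q_point(id_b, pk_b, p_pub)) % P_ORDER    # T = x(PK_B + H2(PK_B)(...))
    return (x, inv_mod_p(alpha), r, s_prime, t)       # delta = (x, alpha^-1, r, S', T)

def on_sc(m, delta, id_a, pk_a):
    """Online phase: one XOR, one hash and one multiplication mod p."""
    x, alpha_inv, r, s_prime, t = delta
    c = m ^ H3(r)
    h = H4(m, id_a, pk_a, r, s_prime)
    theta = ((x + h) * alpha_inv) % P_ORDER
    return (c, theta, s_prime, t)                     # sigma = (c, theta, S', T)

def usc(sigma, id_a, pk_a, s_b, p_pub):
    """Unsigncryption: the message, or None if sigma does not verify."""
    c, theta, s_prime, t = sigma
    r = pairing(t, s_b)                               # Eq. (1): e(T, S_B) = g^x
    m = c ^ H3(r)
    h = H4(m, id_a, pk_a, r, s_prime)
    s = (theta * s_prime) % P_ORDER                   # S = theta S' = (x + h) S_A
    lhs = (pairing(s, q_point(id_a, pk_a, p_pub)) * pow(G, -h, Q_MOD)) % Q_MOD
    return m if lhs == r else None                    # Eq. (2): must equal r

def demo(message):
    """Enrol two users, signcrypt, unsigncrypt, and try a one-bit tamper."""
    id_a, id_b = "alice@example.org", "sensor-17"     # constructed identities
    while True:                                       # retry on a degenerate toy key
        try:
            s, p_pub = setup()
            x_a, pk_a = ukg(id_a, p_pub)
            x_b, pk_b = ukg(id_b, p_pub)
            s_a, s_b = fpks(ppke(s, id_a), x_a, pk_a), fpks(ppke(s, id_b), x_b, pk_b)
            break
        except ValueError:
            continue
    delta = off_sc(s_a, id_b, pk_b, p_pub)            # precomputed, e.g. by a gateway
    sigma = on_sc(message, delta, id_a, pk_a)         # done on the constrained node
    c, theta, s_prime, t = sigma
    tampered = (c ^ 1, theta, s_prime, t)
    return usc(sigma, id_a, pk_a, s_b, p_pub), usc(tampered, id_a, pk_a, s_b, p_pub)
```

Calling `demo(int.from_bytes(b"temperature=21.5", "big"))` returns the recovered 128-bit message together with `None` for the tampered copy. The retry loop in `demo` exists only because, with a 2039-element group, a denominator such as $H_1(ID_U) + s$ vanishes with probability about $1/p$; at cryptographic sizes that event is negligible and the loop never triggers.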
5 Analysis of the scheme
In this section, we analyze the security and performance of
our scheme.
5.1 Security
Theorem 1 In the random oracle model, our scheme is IND-CCA2 secure under the q-BDHI and mBIDH assumptions.

Proof This theorem follows from Lemmas 1 and 2 below. □

Lemma 1 In the random oracle model, if there is an adversary $\mathcal{A}_I$ that has a non-negligible advantage $\epsilon$ against the IND-CCA2-I security of our scheme when running in time $t$ and performing $q_{ppk}$ partial private key extraction queries, $q_{sk}$ private key queries, $q_{pk}$ public key queries, $q_{pkr}$ public key replacement queries, $q_s$ signcryption queries, $q_u$ unsigncryption queries and $q_{H_i}$ queries to the oracles $H_i$ ($i = 1, 2, 3, 4$), then we can construct an algorithm $\mathcal{C}$ that solves the q-BDHI problem for $q = q_{H_1}$ with advantage
$$\epsilon' \geq \frac{\epsilon}{q_{H_1}(q_{H_3} + 2q_{H_4})}\left(1 - \frac{q_s(q_s + q_{H_4})}{2^k}\right)\left(1 - \frac{q_u}{2^k}\right)$$
in time
$$t' \leq t + O(q_s + q_u)\,t_p + O(q_{H_1}^2)\,t_m + O(q_u q_{H_4})\,t_e,$$
where $t_p$ is the cost of one pairing operation, $t_m$ is the cost of a point multiplication in $G_1$ and $t_e$ is the cost of an exponentiation in $G_2$.
Proof We show how $\mathcal{C}$ can use $\mathcal{A}_I$ as a subroutine to solve a random instance $(P, aP, a^2P, \ldots, a^qP)$ of the q-BDHI problem.

Initial: In a preparation phase, $\mathcal{C}$ chooses $\ell \in \{1, \ldots, q_{H_1}\}$, an element $e \in \mathbb{Z}_p^*$ and $w_1, \ldots, w_{\ell-1}, w_{\ell+1}, \ldots, w_q \in \mathbb{Z}_p^*$ at random. For $i = 1, \ldots, \ell-1, \ell+1, \ldots, q$, $\mathcal{C}$ sets $e_i = e + w_i$. Then $\mathcal{C}$ uses its input to set up a generator $Q \in G_1$ and an element $X = aQ \in G_1$ such that it knows $q - 1$ pairs $\left(w_i, V_i = \frac{1}{a + w_i}Q\right)$ for $i \in \{1, \ldots, q\} \setminus \{\ell\}$, as in [27]. To do so, $\mathcal{C}$ expands the polynomial
$$f(z) = \prod_{i = 1,\, i \neq \ell}^{q}(z + w_i) = \sum_{j=0}^{q-1} c_j z^j.$$
A generator $Q$ and an element $X$ are obtained as
$$Q = \sum_{j=0}^{q-1} c_j (a^j P) = f(a)P$$
and
$$X = \sum_{j=1}^{q} c_{j-1}(a^j P) = a f(a) P = aQ.$$
As in [27], the pairs $(w_i, V_i)$ for $i \in \{1, \ldots, q\} \setminus \{\ell\}$ can be obtained by expanding
$$f_i(z) = \frac{f(z)}{z + w_i} = \sum_{j=0}^{q-2} d_j z^j$$
and setting
$$V_i = \sum_{j=0}^{q-2} d_j (a^j P) = f_i(a) P = \frac{f(a)}{a + w_i}P = \frac{1}{a + w_i}Q.$$
The master public key of the KGC is set as $Q_{pub} = X - eQ = (a - e)Q$, so its master secret key is implicitly $s = a - e \in \mathbb{Z}_p^*$. For all $i \in \{1, \ldots, q\} \setminus \{\ell\}$ we then have $e_i + s = a + w_i$, i.e. $(e_i, V_i) = \left(e_i, \frac{1}{e_i + s}Q\right)$ is a valid (identity hash, partial private key) pair, whereas for the target index $\ell$ the partial private key would be $\frac{1}{e + s}Q = \frac{1}{a}Q$, which $\mathcal{C}$ does not know. $\mathcal{C}$ gives $\mathcal{A}_I$ the system parameters with $Q$, $Q_{pub} = (a - e)Q$ and $g = \hat{e}(Q, Q)$.
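The generator shift above is the step of the reduction that is easiest to get wrong in practice, so here it is as an added, runnable illustration (the editor's code, not the paper's). It takes a q-BDHI instance $(P, aP, \ldots, a^qP)$ and the $q - 1$ values $w_i$, expands $f(z)$ and $f_i(z)$, and derives $Q = f(a)P$, $X = aQ$ and $V_i = \frac{1}{a + w_i}Q$ purely as linear combinations of the instance, without using $a$. As in the previous example, $G_1$ is modelled as $(\mathbb{Z}_p, +)$ with $P = 1$ and $p = 2039$ (an assumption), so an instance element $a^jP$ is the integer $a^j \bmod p$; on a real curve the same coefficients would multiply curve points. The secret $a$ appears only in the checking function, which builds the instance and verifies the relations $X = aQ$, $Q_{pub} = sQ$ and $(e_i + s)V_i = Q$ with $e_i = e + w_i$, $s = a - e$; it also reports the degenerate case $f(a) = 0$ (some $w_i = -a$), where $Q$ is not a generator.

```python
"""Added example: the q-BDHI generator shift from the Initial step of Lemma 1.

G1 is modelled as (Z_p, +) with P = 1, so instance[j] = a^j P is a^j mod p.
The simulator never uses a; it only takes linear combinations of the instance."""
P_ORDER = 2039   # p: toy group order (assumption)

def poly_mul_linear(coeffs, w):
    """Multiply f(z) (coefficients, lowest degree first) by (z + w) over Z_p."""
    out = [0] * (len(coeffs) + 1)
    for j, c in enumerate(coeffs):
        out[j] = (out[j] + c * w) % P_ORDER
        out[j + 1] = (out[j + 1] + c) % P_ORDER
    return out

def poly_div_linear(coeffs, w):
    """Exact division f(z) / (z + w) by synthetic division; (z + w) must divide f."""
    n = len(coeffs) - 1                      # degree of f
    quotient, rem = [0] * n, list(coeffs)
    for j in range(n - 1, -1, -1):
        quotient[j] = rem[j + 1]
        rem[j] = (rem[j] - quotient[j] * w) % P_ORDER
    if rem[0] != 0:
        raise ValueError("(z + w) does not divide f(z)")
    return quotient

def combine(instance, coeffs):
    """sum_j c_j (a^j P): the only way the simulator can evaluate a polynomial at a."""
    return sum(c * instance[j] for j, c in enumerate(coeffs)) % P_ORDER

def simulate_generator(instance, ws):
    """instance[j] = a^j P for j = 0..q; ws = the q-1 values w_i (i != l)."""
    f = [1]
    for w in ws:
        f = poly_mul_linear(f, w)            # f(z) = prod (z + w_i), degree q-1
    Q = combine(instance, f)                 # Q = f(a) P
    X = combine(instance, [0] + f)           # X = a f(a) P = a Q
    pairs = [(w, combine(instance, poly_div_linear(f, w))) for w in ws]  # V_i = f_i(a) P
    return Q, X, pairs

def check_simulation(a, ws, e):
    """Build the instance from a known a and verify what the simulator claims.

    Returns False if the shift degenerates (Q = 0, i.e. a = -w_i for some i)."""
    q = len(ws) + 1
    instance = [pow(a, j, P_ORDER) for j in range(q + 1)]   # (P, aP, ..., a^q P)
    Q, X, pairs = simulate_generator(instance, ws)
    if Q == 0 or X != (a * Q) % P_ORDER:
        return False
    s = (a - e) % P_ORDER                    # implicit master secret
    if (X - e * Q) % P_ORDER != (s * Q) % P_ORDER:   # Q_pub = X - eQ = sQ
        return False
    for w, v in pairs:
        e_i = (e + w) % P_ORDER              # H1 answer for ID_i, so e_i + s = a + w_i
        if ((e_i + s) * v) % P_ORDER != Q:  # V_i = Q/(e_i + s), a valid partial key
            return False
    return True
```

`check_simulation(123, [5, 17, 42, 99], 77)` returns `True`; `check_simulation(P_ORDER - 5, [5, 17], 3)` returns `False` because $a = -5$ makes $f(a) = 0$, which is exactly why the proof needs the $w_i$ to be chosen at random.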
Phase 1: $\mathcal{C}$ simulates $\mathcal{A}_I$'s challenger in Game-I. $\mathcal{C}$ keeps four lists $L_1$, $L_2$, $L_3$ and $L_4$ to simulate the oracles $H_1$, $H_2$, $H_3$ and $H_4$, respectively, and must keep these answers consistent and collision-free. In addition, $\mathcal{C}$ maintains an initially empty list $L_k$ holding the public key information. We assume that $H_1$ queries are distinct, that $\mathcal{A}_I$ asks $H_1(ID)$ before $ID$ is used in any other query, and that the target identity $ID_B$ is submitted to $H_1$ at some point. In addition, we suppose that the sender's identity differs from the receiver's identity, by the irreflexivity assumption [10].

$H_1$ queries: These queries are indexed by a counter $\mu$ that is initially set to 1. For an $H_1(ID_\mu)$ query, $\mathcal{C}$ returns $e_\mu$ as the answer, inserts $(ID_\mu, e_\mu)$ into the list $L_1$ and increments $\mu$.

$H_2$ queries: For an $H_2(PK_i)$ query, $\mathcal{C}$ checks whether the value of $H_2$ has already been defined for $PK_i$. If yes, $\mathcal{C}$ returns the previously defined value. Otherwise, $\mathcal{C}$ returns a random $h_{2,i} \in \mathbb{Z}_p^*$ to $\mathcal{A}_I$ and inserts $(PK_i, h_{2,i})$ into the list $L_2$.

$H_3$ queries: For an $H_3(r_i)$ query, $\mathcal{C}$ checks whether the value of $H_3$ has already been defined for the same input. If yes, $\mathcal{C}$ returns the previously defined value. Otherwise, $\mathcal{C}$ returns a random $h_{3,i} \in \{0,1\}^n$ to $\mathcal{A}_I$ and inserts $(r_i, h_{3,i})$ into the list $L_3$.

$H_4$ queries: For an $H_4(m_i, ID_i, PK_i, r_i, S'_i)$ query, $\mathcal{C}$ checks whether the value of $H_4$ has already been defined for the same input. If yes, $\mathcal{C}$ returns the previously defined value. Otherwise, $\mathcal{C}$ returns a random $h_{4,i} \in \mathbb{Z}_p^*$ to $\mathcal{A}_I$. In addition, to answer later unsigncryption queries, $\mathcal{C}$ simulates the $H_3$ oracle to get $h_{3,i} = H_3(r_i) \in \{0,1\}^n$ and sets $c_i = m_i \oplus h_{3,i}$ and $\nu_i = r_i \cdot \hat{e}(Q, Q)^{h_{4,i}}$. Finally, $\mathcal{C}$ inserts the tuple $(m_i, ID_i, PK_i, r_i, S'_i, h_{4,i}, c_i, \nu_i)$ into the list $L_4$.
Partial private key extraction queries: $\mathcal{A}_I$ submits an identity $ID_i$. If $i = \ell$, $\mathcal{C}$ fails and stops. Otherwise, $\mathcal{C}$ knows that $H_1(ID_i) = e_i$ and returns $V_i = \frac{1}{e_i + s}Q$ to $\mathcal{A}_I$.

Private key queries: $\mathcal{A}_I$ submits an identity $ID_i$. If $i = \ell$, $\mathcal{C}$ fails and stops. Otherwise, $\mathcal{C}$ knows the partial private key $V_i = \frac{1}{e_i + s}Q$. $\mathcal{C}$ then searches the list $L_k$ for the entry $(ID_i, PK_i, x_i)$ ($\mathcal{C}$ generates new key pair information if this entry does not exist) and returns $S_i = \frac{1}{x_i + h_{2,i}}V_i$.

Public key queries: $\mathcal{A}_I$ chooses an identity $ID_i$ and sends it to $\mathcal{C}$. If the list $L_k$ has a tuple $(ID_i, PK_i, x_i)$, $\mathcal{C}$ gives $PK_i$ to $\mathcal{A}_I$. Otherwise, $\mathcal{C}$ selects a random $x_i \in \mathbb{Z}_p^*$, sets $PK_i = x_i(e_i Q + Q_{pub})$, inserts $(ID_i, PK_i, x_i)$ into $L_k$, and gives $PK_i$ to $\mathcal{A}_I$.

Public key replacement queries: For a public key replacement query $(ID_i, PK_i)$, $\mathcal{C}$ updates the list $L_k$ with the tuple $(ID_i, PK_i, \perp)$. Here $\perp$ denotes an unknown value.

Signcryption queries: $\mathcal{A}_I$ submits a message $m$, a sender's identity $ID_i$ and a receiver's identity $ID_j$. If $i \neq \ell$, $\mathcal{C}$ knows the sender's private key $S_i$ and answers the query by running OffSC and OnSC. If $i = \ell$ then $j \neq \ell$ by the irreflexivity assumption [10], so $\mathcal{C}$ knows the receiver's private key $S_j$. To answer this query, $\mathcal{C}$ first chooses $\theta, \gamma, h \in \mathbb{Z}_p^*$ at random, computes $S' = \theta^{-1}\gamma S_j$,
$$T = \gamma\big(PK_\ell + h_{2,\ell}(e_\ell Q + Q_{pub})\big) - h\big(PK_j + h_{2,j}(e_j Q + Q_{pub})\big)$$
and $r = \hat{e}(T, S_j)$. Then $\mathcal{C}$ defines the hash value $H_4(m, ID_\ell, PK_\ell, r, S')$ to be $h$. Finally, $\mathcal{C}$ computes $c = m \oplus H_3(r)$ and returns $\sigma = (c, \theta, S', T)$ to $\mathcal{A}_I$. (The ciphertext verifies: $\theta S' = \gamma S_j$, so $\hat{e}(\theta S', PK_\ell + h_{2,\ell}(e_\ell Q + Q_{pub}))\,g^{-h} = \hat{e}(PK_\ell + h_{2,\ell}(e_\ell Q + Q_{pub}), S_j)^{\gamma} g^{-h} = \hat{e}(T, S_j) = r$.) $\mathcal{C}$ fails if $H_4$ is already defined on this input, which happens with probability at most $(q_s + q_{H_4})/2^k$.

Unsigncryption queries: $\mathcal{A}_I$ submits a ciphertext $\sigma = (c, \theta, S', T)$, a sender's identity $ID_i$ and a receiver's identity $ID_j$. If $j \neq \ell$, $\mathcal{C}$ knows the receiver's private key $S_j$ and answers the query by running USC. If $j = \ell$, $\mathcal{C}$ knows the sender's private key $S_i$, since $i \neq \ell$ by the irreflexivity assumption [10]. For every valid ciphertext we have
$$\log_{S_i}(\theta S' - hS_i) = \log_{PK_\ell + h_{2,\ell}(e_\ell Q + Q_{pub})} T,$$
where $h = H_4(m, ID_i, PK_i, r, S')$ (both logarithms equal $x$), so the equation
$$\hat{e}(T, S_i) = \hat{e}\big(PK_\ell + h_{2,\ell}(e_\ell Q + Q_{pub}),\ \theta S' - hS_i\big)$$
holds. $\mathcal{C}$ first computes $\xi = \hat{e}\big(\theta S', PK_i + h_{2,i}(e_i Q + Q_{pub})\big)$ (which equals $g^{x+h}$ for a valid ciphertext) and then searches the list $L_4$ for entries of the form $(m_i, ID_i, PK_i, r_i, S'_i, h_{4,i}, c, \nu)$ with $c$ equal to the received $c$ and $\nu = \xi$, indexed by $i \in \{1, \ldots, q_{H_4}\}$. If there is no such entry, $\sigma$ is rejected. Otherwise, $\mathcal{C}$ further checks, for the matching indexes, whether
$$\frac{\hat{e}(T, S_i)}{\hat{e}\big(PK_\ell + h_{2,\ell}(e_\ell Q + Q_{pub}),\ \theta S'\big)} = \hat{e}\big(PK_\ell + h_{2,\ell}(e_\ell Q + Q_{pub}),\ S_i\big)^{-h_{4,i}}.$$
If the unique $i \in \{1, \ldots, q_{H_4}\}$ satisfying this equation is found, $\mathcal{C}$ returns the matching message $m_i$. Otherwise, $\sigma$ is rejected. Over all unsigncryption queries, the probability of rejecting a valid ciphertext is at most $q_u/2^k$.
Challenge: A_I generates two equal-length messages $(m_0, m_1)$, a sender's identity $ID_A$ and a receiver's identity $ID_B$ on which it hopes to be challenged. If $ID_B \neq ID_\ell$, C fails. Otherwise, C chooses $c \in \{0,1\}^n$, $\lambda, \theta \in Z_p^*$ and $S' \in G_1$ at random and sets $T = \lambda x_B Q + \lambda h_{2,B} Q$. C returns the ciphertext $\sigma = (c, \theta, S', T)$ to A_I. If we define $\rho = \lambda/\alpha$, then since $s = \alpha - e_\ell$ we have
$$\begin{aligned}
T &= \lambda x_B Q + \lambda h_{2,B} Q \\
  &= \rho\alpha x_B Q + \rho\alpha h_{2,B} Q \\
  &= (e_B + s)\rho x_B Q + (e_B + s)\rho h_{2,B} Q \\
  &= \rho x_B (e_B Q + Q_{pub}) + \rho h_{2,B}(e_B Q + Q_{pub}) \\
  &= \rho PK_B + \rho h_{2,B}(e_B Q + Q_{pub}) \\
  &= \rho\big(PK_B + h_{2,B}(e_B Q + Q_{pub})\big).
\end{aligned}$$
A_I cannot identify that $\sigma$ is not a valid ciphertext unless it asks an $H_3$ or $H_4$ query on $\hat{e}(Q,Q)^\rho$.
Phase 2: A_I can again ask a polynomially bounded number of queries adaptively, as in Phase 1, with the following limitations: (1) it cannot ask a private key query on $ID_B$; (2) it cannot ask a partial private key extraction query on $ID_B$ if the public key of $ID_B$ has been replaced before the challenge phase; (3) it cannot ask an unsigncryption query on $(\sigma, ID_A, ID_B)$ to obtain the corresponding message unless the public key $PK_A$ or $PK_B$ has been replaced after the challenge phase. C answers A_I's queries by the same method as in Phase 1.
Guess: A_I outputs a guess bit $b'$, which is ignored by C. C fetches a random entry $(r_i, h_{3,i})$ from the list $L_3$ or $(m_i, ID_i, PK_i, r_i, S'_i, h_{4,i}, c_i, \xi_i)$ from the list $L_4$. Since $L_3$ contains no more than $q_{H_3} + q_{H_4}$ records, the selected entry will contain the correct element $r_i = \hat{e}(Q,Q)^\rho = \hat{e}(P,P)^{f(\alpha)^2\lambda/\alpha}$ with probability $1/(q_{H_3} + 2q_{H_4})$. As in [12], the $q$-BDHI problem can be solved by noting that, if $\xi = \hat{e}(P,P)^{1/\alpha}$, then
152 Wireless Netw (2017) 23:145–158
$$\hat{e}(Q,Q)^{1/\alpha} = \xi^{(c_0^2)} \cdot \hat{e}\Big(\sum_{j=0}^{q-2} c_{j+1}(\alpha^j P),\ c_0 P\Big) \cdot \hat{e}\Big(Q,\ \sum_{j=0}^{q-2} c_{j+1}(\alpha^j) P\Big).$$
This finishes the description of the whole simulation. Now we analyze C's advantage. Define the events $E_1, E_2, E_3, E_4$ and $E_5$ as follows.
$E_1$: A_I has not chosen $ID_\ell$ as the receiver's identity in the challenge phase.
$E_2$: A_I has asked a private key query on $ID_\ell$.
$E_3$: A_I has asked a partial private key extraction query on $ID_\ell$ and the public key of $ID_\ell$ has been replaced before the challenge phase.
$E_4$: C aborts in a signcryption query because of a collision on $H_4$.
$E_5$: C aborts in an unsigncryption query because of rejecting a valid ciphertext.
According to the above analysis, the probability that C does not abort is
$$\Pr[\neg abort] = \Pr[\neg E_1 \wedge \neg E_2 \wedge \neg E_3 \wedge \neg E_4 \wedge \neg E_5].$$
We know that $\Pr[\neg E_1] = 1/q_{H_1}$, $\Pr[E_4] \le q_s(q_s + q_{H_4})/2^k$ and $\Pr[E_5] \le q_u/2^k$. In addition, $\neg E_1$ implies $\neg E_2$ and $\neg E_3$. So we have
$$\Pr[\neg abort] \ge \frac{1}{q_{H_1}}\left(1 - \frac{q_s(q_s + q_{H_4})}{2^k}\right)\left(1 - \frac{q_u}{2^k}\right).$$
In addition, C chooses the correct element from the list $L_3$ or $L_4$ with probability $1/(q_{H_3} + 2q_{H_4})$. Therefore, we have
$$\epsilon' \ge \frac{\epsilon}{q_{H_1}(q_{H_3} + 2q_{H_4})}\left(1 - \frac{q_s(q_s + q_{H_4})}{2^k}\right)\left(1 - \frac{q_u}{2^k}\right).$$
The bound on C's computation time follows from the fact that C needs $O(q_{H_1}^2)$ point multiplication operations in $G_1$ in the preparation phase, and $O(q_s + q_u)$ pairing operations and $O(q_u q_{H_4})$ exponentiation operations in $G_2$ in the signcryption and unsigncryption queries. □
Lemma 2 In the random oracle model, if there is an adversary A_II that has a non-negligible advantage $\epsilon$ against the IND-CCA2-II security of our scheme when running in a time $t$ and performing $q_{sk}$ private key queries, $q_{pk}$ public key queries, $q_s$ signcryption queries, $q_u$ unsigncryption queries and $q_{H_i}$ queries to the oracles $H_i$ ($i = 1, 2, 3, 4$), then we can construct an algorithm C that solves the mBIDH problem with an advantage
$$\epsilon' \ge \frac{\epsilon}{q_{H_1}(q_{H_3} + 2q_{H_4})}\left(1 - \frac{q_s(q_s + q_{H_4})}{2^k}\right)\left(1 - \frac{q_u}{2^k}\right)$$
in a time $t' \le t + O(q_s + q_u)t_p + O(q_u q_{H_4})t_e$, where $t_p$ is the cost of one pairing operation and $t_e$ is the cost of one exponentiation operation in $G_2$.
Proof We show how C can use A_II as a subroutine to solve a random instance $(P, \alpha P, c)$ of the mBIDH problem.
Initial: C gives A_II a master secret key $s$ and the system parameters params with $P_{pub} = sP$. Here $s$ is randomly chosen by C.
Phase 1: C simulates A_II's challenger in Game-II. C maintains four lists $L_1, L_2, L_3$ and $L_4$ to simulate the oracles $H_1, H_2, H_3$ and $H_4$, respectively. C should keep these answers consistent and collision-free. In addition, C keeps a list $L_k$, initially empty, to maintain the public key information. We suppose that the $H_1$ queries are distinct and that A_II asks $H_1(ID)$ before $ID$ is used in any other query. In addition, we suppose that the sender's identity differs from the receiver's identity by the irreflexivity assumption [10]. C chooses a random number $\ell \in \{1, 2, \ldots, q_{H_1}\}$ and answers A_II's queries as follows.
$H_1$ queries: For each new $ID_i$, C randomly selects $e_i \in Z_p^*$, inserts $(ID_i, e_i)$ into the list $L_1$ and answers $H_1(ID_i) = e_i$.
$H_2$ queries: For an $H_2(PK_i)$ query, C checks whether the value of $H_2$ has already been defined for the same input. If yes, C returns the previously defined value. Otherwise, C checks whether $PK_i = e_i\alpha P + s\alpha P$ (i.e., $i = \ell$). If yes, C returns $h_{2,\ell} = c$ and inserts $(PK_\ell, c)$ into the list $L_2$. If no, C selects a random $h_{2,i}$ from $Z_p^*$, returns $h_{2,i}$ as the answer and inserts $(PK_i, h_{2,i})$ into the list $L_2$.
$H_3$ queries: For an $H_3(r_i)$ query, C checks whether the value of $H_3$ has already been defined for the same input. If yes, C returns the previously defined value. Otherwise, C selects a random $h_{3,i}$ from $\{0,1\}^n$, returns $h_{3,i}$ as the answer and inserts $(r_i, h_{3,i})$ into the list $L_3$.
$H_4$ queries: For an $H_4(m_i, ID_i, PK_i, r_i, S'_i)$ query, C checks whether the value of $H_4$ has already been defined for the same input. If yes, C gives the previously defined value. Otherwise, C returns a random $h_{4,i} \in Z_p^*$ as the answer. In addition, to answer later queries, C simulates the $H_3$ oracle on its own to get $h_{3,i} = H_3(r_i) \in \{0,1\}^n$ and computes $c_i = m_i \oplus h_{3,i}$ and $\xi_i = r_i \cdot \hat{e}(P,P)^{h_{4,i}}$. Lastly, C inserts the tuple $(m_i, ID_i, PK_i, r_i, S'_i, h_{4,i}, c_i, \xi_i)$ into the list $L_4$.
Private key queries: A_II can ask a private key query by submitting an identity $ID_i$. If $i = \ell$, then C fails and stops. Otherwise, C runs the $H_1$ oracle to get $(ID_i, e_i)$. Then C searches the list $L_k$ for the entry $(ID_i, PK_i, x_i)$ (C generates new key pair information if this entry does not exist) and returns
$$S_i = \frac{1}{x_i + h_{2,i}} \cdot \frac{1}{e_i + s} P.$$
Here $h_{2,i} = H_2(PK_i)$.
Public key queries: A_II can ask a public key query by submitting an identity $ID_i$. If $i \neq \ell$, C selects a random $x_i \in Z_p^*$, sets the public key $PK_i = x_i(e_i P + P_{pub})$, inserts $(ID_i, PK_i, x_i)$ into the list $L_k$ and returns $PK_i$ to A_II. Otherwise, C returns $PK_\ell = e_\ell\alpha P + s\alpha P$ and inserts $(ID_\ell, PK_\ell, ?)$ into the list $L_k$.
Signcryption queries: A_II can ask a signcryption query by submitting a message $m$, a sender's identity $ID_i$ and a receiver's identity $ID_j$. If $i \neq \ell$, C knows the sender's private key $S_i$ and can answer this query according to the steps of the OffSC and OnSC algorithms. If $i = \ell$, then $j \neq \ell$ by the irreflexivity assumption, so C knows the receiver's private key $S_j$. To answer this query, C first randomly chooses $\theta, \eta, h \in Z_p^*$ and computes $S' = \theta^{-1}\eta S_j$,
$$T = \eta\big(PK_\ell + h_{2,\ell}(e_\ell P + P_{pub})\big) - h\big(PK_j + h_{2,j}(e_j P + P_{pub})\big)$$
and $r = \hat{e}(T, S_j)$. Then C defines the hash value $H_4(m, ID_\ell, PK_\ell, r, S')$ to be $h$. Finally, C computes $c = m \oplus H_3(r)$ and returns $\sigma = (c, \theta, S', T)$ to A_II. C fails if $H_4$ is already defined on this input, but this only happens with probability $(q_s + q_{H_4})/2^k$.
Unsigncryption queries: A_II can make an unsigncryption query on a ciphertext $\sigma = (c, \theta, S', T)$, a sender's identity $ID_i$ and a receiver's identity $ID_j$. If $j \neq \ell$, then C knows the receiver's private key $S_j$ and can answer this query according to the steps of the USC algorithm. If $j = \ell$, C knows the sender's private key $S_i$ since $i \neq \ell$ by the irreflexivity assumption. For all valid ciphertexts, we have
$$\log_{S_i}(\theta S' - hS_i) = \log_{PK_\ell + h_{2,\ell}(e_\ell P + P_{pub})} T,$$
where $h = H_4(m, ID_i, PK_i, r, S')$. Therefore, we have
$$\hat{e}(T, S_i) = \hat{e}\big(PK_\ell + h_{2,\ell}(e_\ell P + P_{pub}),\ \theta S' - hS_i\big).$$
C first computes $\xi = \hat{e}\big(\theta S',\ PK_i + h_{2,i}(e_i P + P_{pub})\big)$ and then searches the list $L_4$ for the entries of the form $(m_i, ID_i, PK_i, r_i, S'_i, h_{4,i}, c_i, \xi_i)$ indexed by $i \in \{1, \ldots, q_{H_4}\}$. If there is no such entry, $\sigma$ is rejected. Otherwise, C further checks whether the following equation holds for the corresponding indexes:
$$\frac{\hat{e}(T, S_i)}{\hat{e}\big(PK_\ell + h_{2,\ell}(e_\ell P + P_{pub}),\ \theta S'\big)} = \hat{e}\big(PK_\ell + h_{2,\ell}(e_\ell P + P_{pub}),\ S_i\big)^{-h_{4,i}}.$$
If the unique $i \in \{1, \ldots, q_{H_4}\}$ that satisfies the above equation is found, then C returns the matching message $m_i$. Otherwise, $\sigma$ is also rejected. Over all unsigncryption queries, the probability of rejecting a valid ciphertext is at most $q_u/2^k$.
Challenge: A_II generates two equal-length messages $(m_0, m_1)$, a sender's identity $ID_A$ and a receiver's identity $ID_B$ on which it hopes to be challenged. If $ID_B \neq ID_\ell$, C fails. Otherwise, C randomly chooses $c \in \{0,1\}^n$, $\lambda, \theta \in Z_p^*$ and $S' \in G_1$, and sets $T = \lambda P$. C returns the ciphertext $\sigma = (c, \theta, S', T)$ to A_II. A_II cannot identify that $\sigma$ is not a valid ciphertext unless it makes an $H_3$ or $H_4$ query on $\hat{e}(T, S_B)$.
Phase 2: A_II can again ask a polynomially bounded number of queries adaptively, as in Phase 1, with the following limitations: (1) it cannot ask a private key query on $ID_B$; (2) it cannot ask an unsigncryption query on $(\sigma, ID_A, ID_B)$ to obtain the corresponding message. C answers A_II's queries by the same method as in Phase 1.
Guess: A_II produces a bit $b'$, which is ignored by C. C fetches a random entry $(r_i, h_{3,i})$ from the list $L_3$ or $(m_i, ID_i, PK_i, r_i, S'_i, h_{4,i}, c_i, \xi_i)$ from the list $L_4$. Since the list $L_3$ includes no more than $q_{H_3} + q_{H_4}$ records, the chosen entry will contain the right element $r_i = \hat{e}(T, S_B)$ with probability $1/(q_{H_3} + 2q_{H_4})$. The mBIDH problem can be solved by noting that, if
$$\hat{e}(T, S_B) = \hat{e}\Big(\lambda P,\ \frac{1}{\alpha + c} \cdot \frac{1}{e_i + s} P\Big),$$
we have
$$\hat{e}(P,P)^{\frac{1}{\alpha + c}} = r_i^{\frac{e_i + s}{\lambda}}.$$
This finishes the description of the whole simulation. Now we analyze C's advantage. Define the events $E_1, E_2, E_3$ and $E_4$ as follows.
$E_1$: A_II does not select $ID_\ell$ as the receiver's identity in the challenge phase.
$E_2$: A_II has asked a private key query on the identity $ID_\ell$.
$E_3$: C aborts in a signcryption query because of a collision on $H_4$.
$E_4$: C aborts in an unsigncryption query because of rejecting a valid ciphertext.
According to the above analysis, the probability that C does not abort is
$$\Pr[\neg abort] = \Pr[\neg E_1 \wedge \neg E_2 \wedge \neg E_3 \wedge \neg E_4].$$
From the above analysis, we know that $\Pr[\neg E_1] = 1/q_{H_1}$, $\Pr[E_3] \le q_s(q_s + q_{H_4})/2^k$ and $\Pr[E_4] \le q_u/2^k$. In addition, $\neg E_1$ implies $\neg E_2$. So we have
$$\Pr[\neg abort] \ge \frac{1}{q_{H_1}}\left(1 - \frac{q_s(q_s + q_{H_4})}{2^k}\right)\left(1 - \frac{q_u}{2^k}\right).$$
In addition, C chooses the correct element from the list $L_3$ or $L_4$ with probability $1/(q_{H_3} + 2q_{H_4})$. Therefore, we have
$$\epsilon' \ge \frac{\epsilon}{q_{H_1}(q_{H_3} + 2q_{H_4})}\left(1 - \frac{q_s(q_s + q_{H_4})}{2^k}\right)\left(1 - \frac{q_u}{2^k}\right).$$
The bound on C's computation time follows from the fact that C needs $O(q_s + q_u)$ pairing operations and $O(q_u q_{H_4})$ exponentiation operations in $G_2$ in the signcryption and unsigncryption queries. □
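The signcryption and unsigncryption query simulations above, which the proofs of Lemma 1 and Lemma 2 share, can be checked algebraically without a pairing library. What follows is an added example, not code from the paper: it represents every $G_1$ point by its discrete logarithm to the base $Q$ and every $G_2$ element by its exponent to the base $\hat{e}(Q,Q)$, so that $\hat{e}(aQ, bQ) = \hat{e}(Q,Q)^{ab}$ becomes a multiplication modulo a toy prime. The group order, the hash stand-ins, the identities and the offline/online split inside `real_signcrypt` are assumptions; only the key shapes, the simulated ciphertext ($S' = \theta^{-1}\eta S_j$, $T = \eta(PK_\ell + \ldots) - h(PK_j + \ldots)$) and the two-step $L_4$ search follow the proof text.

```python
"""Discrete-log toy model of the challenger's signcryption and unsigncryption
query simulation (proofs of Lemmas 1 and 2).  Added example, not the paper's
code.  No real pairing: a G1 point is its dlog to the base Q, a G2 element is
its exponent to the base e(Q,Q), so e(aQ, bQ) = e(Q,Q)^{ab} is a*b mod P.
The group order P and the hash functions are toy stand-ins (assumptions)."""
import hashlib
import secrets

P = 1000003          # toy prime group order (assumption; far too small for real use)
HALF = (P - 1) // 2  # scalars are drawn from [1, HALF] so sums like e_i + s never vanish mod P


def inv(a):
    """Inverse in Z_p^* (P is prime)."""
    return pow(a % P, P - 2, P)


def pairing(a, b):
    """e(aQ, bQ) = e(Q,Q)^{ab}, returned as the exponent ab mod P."""
    return (a * b) % P


def rand_zp():
    return 1 + secrets.randbelow(HALF)


def toy_hash(*parts):
    """Stand-in for H1, H2 and H4 (assumption): maps its inputs into [1, HALF]."""
    data = "|".join(str(x) for x in parts).encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % HALF


class User:
    """Key material in the paper's notation; s is the KGC master key (Q_pub = sQ)."""

    def __init__(self, ident, s):
        self.ident = ident
        self.e = toy_hash("H1", ident)                 # e_i = H1(ID_i)
        self.x = rand_zp()                             # secret value x_i
        self.pk = self.x * (self.e + s) % P            # PK_i = x_i(e_i Q + Q_pub)
        self.h2 = toy_hash("H2", self.pk)              # h_{2,i} = H2(PK_i)
        v = inv(self.e + s)                            # partial private key V_i = Q/(e_i + s)
        self.sk = inv(self.x + self.h2) * v % P        # S_i = V_i/(x_i + h_{2,i})
        # PK_i + h_{2,i}(e_i Q + Q_pub): public term with e(term, S_i) = e(Q,Q)
        self.term = (self.pk + self.h2 * (self.e + s)) % P


def verify(sender, receiver_sk, theta, s_prime, t, h):
    """Relation the proofs state for valid ciphertexts, paired with the sender's
    term: e(theta S', PK_A + h_{2,A}(e_A Q + Q_pub)) = r * e(Q,Q)^h, r = e(T, S_B)."""
    r = pairing(t, receiver_sk)
    return pairing(theta * s_prime % P, sender.term) == (r + h) % P


def simulated_signcrypt(sender, receiver, h):
    """Challenger's answer when it lacks the sender's key S_ell but holds the
    receiver's key S_j; h is the value it programs into H4."""
    theta, eta = rand_zp(), rand_zp()
    s_prime = inv(theta) * eta * receiver.sk % P        # S' = theta^{-1} eta S_j
    t = (eta * sender.term - h * receiver.term) % P     # T = eta(PK_l + ..) - h(PK_j + ..)
    return theta, s_prime, t, pairing(t, receiver.sk)   # r = e(T, S_j)


class Simulator:
    """H4 bookkeeping (list L4) and the unsigncryption-query search of the proofs."""

    def __init__(self):
        self.l4 = []  # entries (m_i, ID_i, r_i, S'_i, h_{4,i}, xi_i)

    def h4(self, m, sender, r, s_prime):
        h4 = toy_hash("H4", m, sender.ident, sender.pk, r, s_prime)
        xi = (r + h4) % P  # xi_i = r_i * e(Q,Q)^{h_{4,i}} in exponent form
        self.l4.append((m, sender.ident, r, s_prime, h4, xi))
        return h4

    def unsigncrypt_query(self, sender, ell_term, theta, s_prime, t):
        """Receiver ID_ell's key is unknown; only the sender's key S_i is used."""
        theta_s = theta * s_prime % P
        xi = pairing(theta_s, sender.term)  # e(theta S', PK_i + h_{2,i}(e_i Q + Q_pub))
        matches = []
        for m, ident, r, sp, h4, xi_i in self.l4:
            if ident != sender.ident or xi_i != xi:
                continue
            # e(T,S_i) / e(PK_l + .., theta S') == e(PK_l + .., S_i)^{-h_{4,i}}
            lhs = (pairing(t, sender.sk) - pairing(ell_term, theta_s)) % P
            rhs = (-h4 * pairing(ell_term, sender.sk)) % P
            if lhs == rhs:
                matches.append(m)
        return matches[0] if len(matches) == 1 else None


def real_signcrypt(sim, sender, receiver, m):
    """A genuine sender.  The offline/online split is an assumption used only to
    produce a ciphertext satisfying the relation; it is not the paper's OffSC/OnSC."""
    x, theta0 = rand_zp(), rand_zp()
    r = x                                     # r = e(Q,Q)^x
    t = x * receiver.term % P                 # T = x(PK_B + h_{2,B}(e_B Q + Q_pub))
    s_prime = inv(theta0) * sender.sk % P     # offline: S' = theta0^{-1} S_A
    h = sim.h4(m, sender, r, s_prime)         # h = H4(m, ID_A, PK_A, r, S')
    theta = theta0 * (x + h) % P              # online: one modular multiplication
    return theta, s_prime, t


def demo():
    s = rand_zp()  # KGC master key
    alice, bob = User("base-station", s), User("iot-server", s)
    sim, h = Simulator(), rand_zp()
    theta, sp, t, _ = simulated_signcrypt(alice, bob, h)
    ok_sim = verify(alice, bob.sk, theta, sp, t, h)
    theta, sp, t = real_signcrypt(sim, alice, bob, "temp=21.5C")
    found = sim.unsigncrypt_query(alice, bob.term, theta, sp, t)
    rejected = sim.unsigncrypt_query(alice, bob.term, theta, sp, (t + 1) % P)
    return ok_sim, found, rejected
```

`demo()` returns `(True, 'temp=21.5C', None)`: the simulator's ciphertext passes the receiver's check although the sender's key was never used, a genuine ciphertext is recovered from the $L_4$ record alone, and a ciphertext whose $T$ was altered is rejected. The filter on $\xi$ is what lets the challenger answer unsigncryption queries for the target identity without holding its private key.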
Theorem 2 In the random oracle model, our scheme is EUF-CMA secure under the q-SDH and mICDH assumptions.
Proof This proof is similar to the proof of Theorem 1. We can show that a forger in the EUF-CMA game implies a forger under chosen-message and given-identity attacks. By using the forking lemma [28] and the relationship between given-identity attacks and chosen-identity attacks [29], we can easily finish this proof. □
5.2 Performance
In this section, we compare the computational cost, offline storage, ciphertext size, private key size and security of our scheme with those of LTX [5] and LZZ [7] in Table 1. We denote by M the point multiplication in $G_1$, by E the exponentiation in $G_2$ and by P the pairing computation. The other operations are ignored in Table 1 since these three operations take most of the running time of the whole algorithm. $|x|$ denotes the number of bits of $x$. From Table 1, we see that both LTX and LZZ need one point multiplication in the OnSC algorithm, whereas our scheme needs no point multiplication, exponentiation or pairing operation in the OnSC algorithm. In addition, our scheme has a lower computational cost than LTX and LZZ in the USC algorithm. For the OffSC algorithm, the computational cost of our scheme is slightly higher than that of LTX and lower than that of LZZ. For the offline storage, our scheme is slightly larger than LTX and smaller than LZZ. For the ciphertext size and private key size, our scheme is the shortest among the three schemes. Note that LTX was shown to be insecure in [6].
We give a quantitative analysis of offline storage, ciphertext size and private key size. We use the PBC Type A pairing [30] in this analysis. The Type A pairing is constructed on the curve
$$y^2 = x^3 + x \bmod q$$
for some prime $q \equiv 3 \pmod 4$, where the embedding degree is 2 and the order of $G_1$ is $p$. In this analysis, we use three kinds of parameters that represent the 80-bit, 112-bit and 128-bit AES [31] key size security levels, respectively. Table 2 gives the specification for the different security levels of this analysis.
We assume that the size of a message is $|m| = 160$ bits. When we adopt the 80-bit security level, the size of $q$ is 512 bits. So the size of an element in the group $G_1$ is 1024 bits using an elliptic curve with a 160-bit $p$. By the standard compression technique [32], the size of an element in $G_1$ can be reduced to 65 bytes. The size of an element in $G_2$ is 1024 bits. So the offline storage of LTX, LZZ and our scheme is $|Z_p^*| + 2|G_1| + |G_2|$ bits $= 20 + 2 \times 65 + 128$ bytes $= 278$ bytes, $3|Z_p^*| + 4|G_1| + |G_2|$ bits $= 3 \times 20 + 4 \times 65 + 128$ bytes $= 448$ bytes and $2|Z_p^*| + 2|G_1| + |G_2|$ bits $= 2 \times 20 + 2 \times 65 + 128$ bytes $= 298$ bytes, respectively. The ciphertext size of LTX, LZZ and our scheme is $2|Z_p^*| + 2|G_1| + |m|$ bits $= 2 \times 20 + 2 \times 65 + 20$ bytes $= 190$ bytes, $2|Z_p^*| + 4|G_1| + |m|$ bits $= 2 \times 20 + 4 \times 65 + 20$ bytes $= 320$ bytes, and $|Z_p^*| + 2|G_1| + |m|$ bits $= 20 + 2 \times 65 + 20$ bytes $= 170$ bytes, respectively. The private key size of LTX, LZZ and our scheme is $|Z_p^*| + |G_1|$ bits $= 20 + 65$ bytes $= 85$ bytes, $|Z_p^*| + |G_1|$ bits $= 20 + 65$ bytes $= 85$ bytes, and $|G_1|$ bits $= 65$ bytes, respectively. We can use the same method to compute the offline storage, ciphertext size and private key size at the 112-bit and 128-bit security levels. We summarize the offline storage, ciphertext size and private key size of the three schemes at the different security levels in Figs. 2, 3 and 4, respectively.
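The "same method" for the 112-bit and 128-bit levels can be written down once and run for all three parameter sets of Table 2, which reproduces the 80-bit byte counts above and the values plotted in Figs. 2, 3 and 4. This is an added example, not code from the paper. The two element-size rules it uses (a compressed $G_1$ element occupies $|q|/8 + 1$ bytes, which gives the paper's 65 bytes at $|q| = 512$; a $G_2$ element occupies $2|q|$ bits because the embedding degree is 2) are read off the paper's 80-bit figures and are assumptions about the PBC Type A parameters.

```python
"""Byte sizes of offline storage, ciphertext and private key for LTX, LZZ and
the scheme of this paper at the three security levels of Table 2.
Added example; the element-size rules are assumptions (see lead-in)."""

# Table 2 of the paper: security level -> (size of q in bits, size of p in bits)
TYPE_A_PARAMS = {80: (512, 160), 112: (1024, 224), 128: (1536, 256)}
MESSAGE_BITS = 160  # |m| as assumed in the paper's analysis

# Coefficients read from Table 1: (#Z_p^*, #G1, #G2, #m) per quantity and scheme
SIZE_FORMULAS = {
    "LTX": {"offline": (1, 2, 1, 0), "ciphertext": (2, 2, 0, 1), "private_key": (1, 1, 0, 0)},
    "LZZ": {"offline": (3, 4, 1, 0), "ciphertext": (2, 4, 0, 1), "private_key": (1, 1, 0, 0)},
    "Ours": {"offline": (2, 2, 1, 0), "ciphertext": (1, 2, 0, 1), "private_key": (0, 1, 0, 0)},
}


def element_sizes(level):
    """Return (|Z_p^*|, |G1|, |G2|) in bytes for a Table 2 security level.
    Assumption: compressed G1 = |q|/8 + 1 bytes (x-coordinate plus one byte for
    the sign of y); G2 = an F_{q^2} element of 2|q| bits (embedding degree 2)."""
    q_bits, p_bits = TYPE_A_PARAMS[level]
    return p_bits // 8, q_bits // 8 + 1, 2 * q_bits // 8


def size_bytes(scheme, quantity, level):
    """Evaluate one Table 1 formula at one security level."""
    zp, g1, g2 = element_sizes(level)
    n_zp, n_g1, n_g2, n_m = SIZE_FORMULAS[scheme][quantity]
    return n_zp * zp + n_g1 * g1 + n_g2 * g2 + n_m * (MESSAGE_BITS // 8)


def size_table():
    """All values behind Figs. 2-4: {level: {scheme: {quantity: bytes}}}."""
    return {
        level: {
            scheme: {q: size_bytes(scheme, q, level) for q in ("offline", "ciphertext", "private_key")}
            for scheme in SIZE_FORMULAS
        }
        for level in TYPE_A_PARAMS
    }


if __name__ == "__main__":
    for level, rows in size_table().items():
        for scheme, sizes in rows.items():
            print(f"{level}-bit {scheme:5s} {sizes}")
```

At the 80-bit level the function returns exactly the numbers in the text (278/448/298, 190/320/170 and 85/85/65 bytes); the 128-bit LZZ offline storage of 1252 bytes is the tallest bar in Fig. 2.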
Table 1 Comparison of existing schemes

Schemes    OffSC      OnSC       USC        Offline storage            Ciphertext size           Private key size   Security
           M  E  P    M  E  P    M  E  P
LTX [5]    2  1  0    1  0  0    4  0  3    |Z_p^*| + 2|G_1| + |G_2|   2|Z_p^*| + 2|G_1| + |m|   |Z_p^*| + |G_1|    No
LZZ [7]    5  1  0    1  0  0    5  1  5    3|Z_p^*| + 4|G_1| + |G_2|  2|Z_p^*| + 4|G_1| + |m|   |Z_p^*| + |G_1|    Yes
Ours       4  1  0    0  0  0    3  1  2    2|Z_p^*| + 2|G_1| + |G_2|  |Z_p^*| + 2|G_1| + |m|    |G_1|              Yes

Table 2 Specification for the different security levels of this analysis (bits)

Security level   Size of q   Size of p
80-bit           512         160
112-bit          1024        224
128-bit          1536        256

6 Application
In this section, we give an application of our scheme in the IoT. Wireless sensor networks (WSNs) are an important part of the IoT since WSNs take charge of collecting environmental data for the IoT. A WSN is composed of a large number of tiny sensor nodes and one or more base stations [33,34]. The base station acts as a gateway between the sensor nodes and users since it typically forwards data from the WSN to an Internet server. This communication from the WSN to the server should satisfy confidentiality, authentication, integrity and non-repudiation. Without confidentiality, the data may be disclosed to an adversary. Without authentication, the server cannot use the data since the data may not be trustworthy: an adversary can send wrong data to the server. Without an integrity check, an adversary can modify the transmitted data. Without non-repudiation, the WSN may deny having transmitted the data when a dispute happens. Fig. 5 shows a secure communication model for the IoT using our scheme. This model consists of three main entities: the WSN, a service provider (SP) and an Internet server. The SP acts as the KGC in CLC. That is, the SP first runs the Setup algorithm to set up the system parameters. Then the SP runs the PPKE algorithm to generate the partial private keys for the base station and the server. The base station and the server run the UKG algorithm to generate their secret values and public keys. In addition, the base station and the server run the FPKS algorithm to obtain their full private keys. The base station is loaded with the precomputed result $\delta$ of the OffSC algorithm. When the WSN is required to send data to the server, the base station runs the OnSC algorithm and sends the ciphertext $\sigma = (c, \theta, S', T)$ to the server. On receiving $\sigma$, the server runs the USC algorithm to recover the data $m$ and verify its validity. In this communication, confidentiality, authentication, integrity and non-repudiation are achieved simultaneously. The computational cost of the base station is very small since there is no point multiplication, exponentiation or pairing operation in the OnSC algorithm. If the data are large, we can also use the hybrid encryption method [16]. That is, we compute $c = E_{H_3(r)}(m)$ instead of $c = m \oplus H_3(r)$. Here $E$ is the encryption algorithm of a symmetric cipher (such as AES [31]) and $H_3(r)$ is the session key. Such a modification does not affect the security or efficiency of our scheme.
Fig. 2 The offline storage of the three schemes (bar chart of offline storage in bytes for LTX, LZZ and Ours at the 80-bit, 112-bit and 128-bit security levels; figure not reproduced)
Fig. 3 The ciphertext size of the three schemes (bar chart of ciphertext size in bytes for LTX, LZZ and Ours at the 80-bit, 112-bit and 128-bit security levels; figure not reproduced)
Fig. 4 The private key size of the three schemes (bar chart of private key size in bytes for LTX, LZZ and Ours at the 80-bit, 112-bit and 128-bit security levels; figure not reproduced)
Fig. 5 A secure communication model for the IoT (figure not reproduced)

7 Conclusion
In this paper, we proposed a new certificateless online/offline signcryption scheme and proved its security in the random oracle model. Compared with two existing certificateless online/offline signcryption schemes, our scheme does not require any point multiplication operation in the online phase. This characteristic makes our scheme very suitable for resource-constrained devices. We gave an application of our scheme in the Internet of Things. A weakness of our scheme is that the receiver's identity is required in the offline phase. An interesting open problem is to find a certificateless online/offline signcryption scheme that needs neither the receiver's identity in the offline phase nor any point multiplication operation in the online phase.
Acknowledgments This work is supported by the National Natural
Science Foundation of China (Grant Nos. 61073176, 61272525,
61302161 and 61462048) and the Fundamental Research Funds for
the Central Universities (Grant No. ZYGX2013J069).
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
References
1. Tsai, C. W., Lai, C. F., & Vasilakos, A. V. (2014). Future Internet of Things: Open issues and challenges. Wireless Networks, 20(8), 2201–2217.
2. Ning, H. S., & Liu, H. (2015). Cyber-physical-social-thinking space based science and technology framework for the Internet of Things. Science China Information Sciences, 58(3), 031102(19).
3. Roman, R., Zhou, J., & Lopez, J. (2013). On the features and challenges of security and privacy in distributed Internet of Things. Computer Networks, 57(10), 2266–2279.
4. Jing, Q., Vasilakos, A. V., Wan, J., Lu, J., & Qiu, D. (2014). Security of the Internet of Things: Perspectives and challenges. Wireless Networks, 20(8), 2481–2501.
5. Luo, M., Tu, M., & Xu, J. (2014). A security communication model based on certificateless online/offline signcryption for Internet of Things. Security and Communication Networks, 7(10), 1560–1569.
6. Shi, W., Kumar, N., Gong, P., Chilamkurti, N., & Chang, H. (2015). On the security of a certificateless online/offline signcryption for Internet of Things. Peer-to-Peer Networking and Applications, 8(5), 881–885.
7. Li, J., Zhao, J., & Zhang, Y. (2015). Certificateless online/offline signcryption scheme. Security and Communication Networks, 8(11), 1979–1990.
8. Zheng, Y. (1997). Digital signcryption or how to achieve cost(signature & encryption) ≪ cost(signature) + cost(encryption). In Advances in Cryptology-CRYPTO'97, LNCS 1294 (pp. 165–179). Springer.
9. Malone-Lee, J., & Mao, W. (2003). Two birds one stone: Signcryption using RSA. In Topics in Cryptology-CT-RSA 2003, LNCS 2612 (pp. 211–225). Springer.
10. Boyen, X. (2003). Multipurpose identity-based signcryption: A swiss army knife for identity-based cryptography. In Advances in Cryptology-CRYPTO 2003, LNCS 2729 (pp. 383–399). Springer.
11. Chen, L., & Malone-Lee, J. (2005). Improved identity-based signcryption. In Public Key Cryptography-PKC 2005, LNCS 3386 (pp. 362–379). Springer.
12. Barreto, P. S. L. M., Libert, B., McCullagh, N., & Quisquater, J. J. (2005). Efficient and provably-secure identity-based signatures and signcryption from bilinear maps. In Advances in Cryptology-ASIACRYPT 2005, LNCS 3788 (pp. 515–532). Springer.
13. Jo, H. J., Paik, J. H., & Lee, D. H. (2014). Efficient privacy-preserving authentication in wireless mobile networks. IEEE Transactions on Mobile Computing, 13(7), 1469–1481.
14. Barbosa, M., & Farshim, P. (2008). Certificateless signcryption. In ACM Symposium on Information, Computer and Communications Security-ASIACCS 2008 (pp. 369–372). Tokyo, Japan.
15. Li, F., Shirase, M., & Takagi, T. (2013). Certificateless hybrid signcryption. Mathematical and Computer Modelling, 57(3–4), 324–343.
16. Yin, A., & Liang, H. (2015). Certificateless hybrid signcryption scheme for secure communication of wireless sensor networks. Wireless Personal Communications, 80(3), 1049–1062.
17. An, J. H., Dodis, Y., & Rabin, T. (2002). On the security of joint signature and encryption. In Advances in Cryptology-EUROCRYPT 2002, LNCS 2332 (pp. 83–107). Springer.
18. Zhang, F., Mu, Y., & Susilo, W. (2005). Reducing security overhead for mobile networks. In Advanced Information Networking and Applications-AINA 2005 (pp. 398–403). Taipei, Taiwan.
19. Xu, Z., Dai, G., & Yang, D. (2007). An efficient online/offline signcryption scheme for MANET. In Advanced Information Networking and Applications Workshops-AINAW 2007 (pp. 171–176). Niagara Falls, Canada.
20. Yan, F., Chen, X., & Zhang, Y. (2013). Efficient online/offline signcryption without key exposure. International Journal of Grid and Utility Computing, 4(1), 85–93.
21. Sun, D., Huang, X., Mu, Y., & Susilo, W. (2008). Identity-based on-line/off-line signcryption. In IFIP International Conference on Network and Parallel Computing (pp. 34–41). Shanghai, China.
22. Liu, J. K., Baek, J., & Zhou, J. (2011). Online/offline identity-based signcryption re-visited. In Information Security and Cryptology-Inscrypt 2010, LNCS 6584 (pp. 36–51). Springer.
23. Li, F., Khan, M. K., Alghathbar, K., & Takagi, T. (2012). Identity-based online/offline signcryption for low power devices. Journal of Network and Computer Applications, 35(1), 340–347.
24. Li, F., & Xiong, P. (2013). Practical secure communication for integrating wireless sensor networks into the Internet of Things. IEEE Sensors Journal, 13(10), 3677–3684.
25. Senthil kumaran, U., & Ilango, P. (2015). Secure authentication and integrity techniques for randomized secured routing in WSN. Wireless Networks, 21(2), 443–451.
26. Al-Riyami, S. S., & Paterson, K. G. (2003). Certificateless public key cryptography. In Advances in Cryptology-ASIACRYPT 2003, LNCS 2894 (pp. 452–474). Springer.
27. Boneh, D., & Boyen, X. (2004). Short signatures without random oracles. In Advances in Cryptology-EUROCRYPT 2004, LNCS 3027 (pp. 56–73). Springer.
28. Pointcheval, D., & Stern, J. (2000). Security arguments for digital signatures and blind signatures. Journal of Cryptology, 13(3), 361–396.
29. Cha, J. C., & Cheon, J. H. (2003). An identity-based signature from gap Diffie–Hellman groups. In Public Key Cryptography-PKC 2003, LNCS 2567 (pp. 18–30). Springer.
30. PBC Library. http://crypto.stanford.edu/pbc/
31. Daemen, J., & Rijmen, V. (2002). The design of Rijndael: AES-the advanced encryption standard. Berlin: Springer.
32. Shim, K. A. (2012). CPAS: An efficient conditional privacy-preserving authentication scheme for vehicular sensor networks. IEEE Transactions on Vehicular Technology, 61(4), 1874–1883.
33. Ferng, H. W., Nurhakim, J., & Horng, S. J. (2014). Key management protocol with end-to-end data security and key revocation for a multi-BS wireless sensor network. Wireless Networks, 20(4), 625–637.
34. Chatterjee, P., Ghosh, U., Sengupta, I., & Ghosh, S. K. (2014). A trust enhanced secure clustering framework for wireless ad hoc networks. Wireless Networks, 20(7), 1669–1684.
Fagen Li is an associate professor in the School of Computer Science and Engineering, University of Electronic Science and Technology of China (UESTC), Chengdu, P.R. China. He received his Ph.D. degree in Cryptography from Xidian University, Xi'an, P.R. China in 2007. From 2008 to 2009, he was a postdoctoral fellow in Future University-Hakodate, Hokkaido, Japan, which is supported by the Japan Society for the Promotion of Science (JSPS). He worked as a research fellow in the Institute of Mathematics for Industry, Kyushu University, Fukuoka, Japan from 2010 to 2012. His recent research interests include cryptography and network security. He has published more than 70 papers in international journals and conferences. He is a member of the IEEE.

Yanan Han received her B.S. degree from Henan Agricultural University, Zhengzhou, P.R. China in 2013. She is now a master student in the School of Computer Science and Engineering, University of Electronic Science and Technology of China (UESTC), Chengdu, P.R. China. Her research interests include cryptography and information security.

Chunhua Jin is now a Ph.D. student in the School of Computer Science and Engineering, University of Electronic Science and Technology of China (UESTC), Chengdu, P.R. China. Her research interests include cryptography and network security.
... We have the following lemma that proves similar to Lemma 1 [46]. ...
... Similar to Lemma 2 [46], we can demonstrate the following lemma: Lemma 2. We can create an algorithm C that can solve the (l)-mBIDH problem for l = q H 1 with an advantage if there is an adversary in the stochastic oracle model A 2 that has a nonnegligible advantage against the IND-CCA2-II security of our model when running in time t and performing q sk private key queries, q pk public key queries, q s signcryption queries, and q u unsign. ...
... for security level 128 [46]. In this table, we assume massage size |m|= 256, based on security level 128 [46]. ...
Article
Full-text available
A certificate-based public key cryptosystem has been developed to solve key escrow problems in ID-based public key cryptography, and to remove computational operations for certificate management. Signcryption is a primitive cryptographic that enables signing and encryption to be done in a one step, improving performance by reducing computational loads and communication overheads. Recent research has suggested some pairing-based cryptographic protocols for public key cryptosystems. However, most use Type-1 pairings, which weaken system security by using supersingular elliptic curves over a finite field of characteristics 2 and 3, making them totally unsafe against new attacks designed for Discrete Logarithm Problems. Furthermore, Type-1 pairings that use supersingular elliptic curves over finite fields of massive characteristics are highly inefficient compared to Type-3 pairings. This work proposes a secure and efficient online/offline trade-off scheme based on Type-3 pairings. The safety of the suggested scheme is asserted according to confidentiality and unforgeability based on a random oracle model. Moreover, the efficiency of the proposed approach is evaluated and compared with Type-2 and Type-4 pairings.
Article
Internet of Things (IoT) revolutionizes data collection, especially in e-healthcare, where patients' data from wearables and sensors improves medical services. However, IoT's limitations in computing and storage require cloud outsourcing. Combining IoT with the cloud has potential but raises concerns about data security. Leveraging cloud storage presents an attractive solution for accommodating the substantial volume of data outsourced by IoT devices. As the outsourcing of real-time data to cloud storage becomes commonplace, the adoption of data auditing schemes emerges as a means to ensure data integrity. To curtail operational expenses, various deduplication techniques are commonly employed on outsourced data, effectively sidestepping redundant data and resulting in storage and bandwidth efficiencies. Although real-time data typically remains distinct due to its diverse origins, scenarios such as data sharing or trading in data-driven services and data markets can lead to data redundancy. Moreover, in order to fortify against any potential information leakage, encryption is implemented prior to deduplication. Convergent Encryption (CE) stands as a prominent exemplar of this approach. Effectively integrating data auditing, deduplication, and encryption for wireless sensor devices is no trivial task. To efficiently and securely accommodate data while authenticating them through a heterogeneous framework, we present a novel remote data checking scheme, denoted as the VRDC scheme. This scheme empowers IoT data to be encrypted, updated, deduplicated, and audited, aligning with the imperatives of security, privacy, and efficiency. Through comprehensive security analysis, we establish that our VRDC scheme is fortified against potential threats. Our experimental findings highlight the efficiency of our approach in the realms of auditing, deduplication, and updates. Furthermore, the evidence highlights the potential for optimization within our scheme when compared to related works. This is achieved through the careful management of dynamic update scales within a file.
Article
Secure clustering in Wireless Ad Hoc Networks is a very important issue. Traditional cryptographic solutions are useless against threats from internal compromised nodes. In light of this, we propose a novel distributed secure trust-aware clustering protocol that provides a secure solution for data delivery. A trust model is proposed that computes the trust of a node using self and recommendation evidence of its one-hop neighbors. Therefore, it is lightweight in terms of computational and communication requirements, yet powerful in terms of flexibility in managing trust. In addition, the proposed clustering protocol organizes the network into one-hop disjoint clusters and elects the most qualified, trustworthy node as a Clusterhead. This election is done by an authenticated voting scheme using parallel multiple signatures. Analysis of the protocol shows that it is more efficient and secure compared to similar existing schemes. Simulation results show that the proposed protocol outperforms the popular ECS, CBRP and CBTRP in terms of throughput and packet delivery ratio with a reasonable communication overhead and latency in the presence of malicious nodes.
Article
With the development of Internet of Things (IOT) applications, information security and user privacy protection in the IOT have attracted wide attention across the globe. To solve this problem, Luo et al. proposed an efficient certificateless online/offline signcryption (COOSC) scheme for the IOT. They have also demonstrated that their scheme is provably secure in the random oracle model. However, in this paper, we will show that their scheme is vulnerable to the private key compromise problem, i.e., an adversary could get a user's private key through an intercepted message. The analysis shows that Luo et al.'s scheme is not suitable for the IOT.
Article
Internet of Things (IoT) has been playing a more and more important role since its appearance; it covers everything from traditional equipment to general household objects such as WSNs and RFID. With the great potential of IoT, there come all kinds of challenges. This paper focuses on the security problems among all other challenges. As IoT is built on the basis of the Internet, security problems of the Internet will also show up in IoT. And as IoT contains three layers: perception layer, transportation layer and application layer, this paper will analyze the security problems of each layer separately and try to find new problems and solutions. This paper also analyzes the cross-layer heterogeneous integration issues and security issues in detail and discusses the security issues of IoT as a whole and tries to find solutions to them. In the end, this paper compares security issues between IoT and traditional networks, and discusses open security issues of IoT.
Conference Paper
We formally study the notion of a joint signature and encryption in the public-key setting. We refer to this primitive as signcryption, adapting the terminology of [35]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting [5, 22] might lead one to expect, we show that classical "encrypt-then-sign" (EtS) and "sign-then-encrypt" (StE) methods are both secure composition methods in the public-key setting. We also present a new composition method which we call "commit-then-encrypt-and-sign" (CtE&S). Unlike the generic sequential composition methods, CtE&S applies the expensive signature and encryption operations in parallel, which could imply a gain in efficiency over the StE and EtS schemes. We also show that the new CtE&S method elegantly combines with the recent "hash-sign-switch" technique of [30], leading to efficient on-line/off-line signcryption. Finally and of independent interest, we discuss the definitional inadequacy of the standard notion of chosen ciphertext (CCA2) security. We suggest a natural and very slight relaxation of CCA2-security, which we call generalized CCA2-security (gCCA2). We show that gCCA2-security suffices for all known uses of CCA2-secure encryption, while no longer suffering from the definitional shortcomings of the latter.
Article
As wireless sensor networks are resource-constrained, reliability and security of broadcasted data become a major issue in these types of networks. In order to overcome security and integrity issues, a secure authentication and integrity technique is proposed. In this technique, shared keys are used for providing authentication. Here, a mutual authentication technique allows the sender and recipient to share a common key matrix as an authentication key. Both sender and recipient choose a random noise matrix, and verification is done based on Hamming weight. To increase authentication and integrity, a hybrid offline and online signcryption technique is proposed, which is a cryptographic method that satisfies both the function of digital signature and public key encryption in a logical single step. By simulation results, we show that the proposed technique provides security in terms of increased packet delivery ratio and reduced compromised communications.
Article
The Internet of Things (IoT) as an emerging network paradigm is bringing the next scientific and technological revolution for ubiquitous things’ interactions in cyber-physical-social spaces. The IoT influences the current science and technology system by enabling its relatively stable interrelations for an inevitable architecture reconfiguration. In this paper, we aim to explore an updated science and technology framework for the IoT. Particularly, a novel cyber-physical-social-thinking (CPST) space is established by involving an attractive concept of the Internet of Thinking (IoTk), and a science and technology framework is accordingly proposed referring to both scientific aspect (i.e., cyber-physical, social, and noetic sciences) and technological aspect (i.e., fundamental, physical, cyber, and social technologies). According to the perspective of the traditional Chinese culture, we explain the established science and technology framework, in which the “Five Elements” (i.e., wood, fire, earth, metal, and water) have common properties with the restructured cyber-physical science in the IoT. Moreover, we introduce a scenario of smart city to identify the technological aspect in the IoT, and discuss the key enabling technologies, including resource management, energy management, data management, session management, security and privacy, loop control, space-time consistency, nanotechnology, and quantum technology. It turns out that the established science and technology framework will launch an innovation for academia and industry communities.
Article
Internet of Things (IoT) and its relevant technologies have been attracting the attention of researchers from academia, industry, and government in recent years. However, since the requirements of the IoT are quite different from what the Internet today can offer, several innovative techniques have been gradually developed and incorporated into IoT, which is referred to as the Future Internet of Things (FIoT). Among them, how to extract "data" and transfer them into "knowledge" from the sensing layer to the application layer has become a vital issue. This paper begins with an overview of IoT and FIoT, followed by discussions on how to apply data mining and computational intelligence to FIoT. An intelligent data management framework inspired by swarm optimization will then be given. Finally, open issues and future trends of this field will be addressed.
Article
Signcryption is a cryptographic primitive that fulfills both the functions of digital signature and public key encryption simultaneously, at a cost significantly lower than that required by the traditional signature-then-encryption approach. In this paper, we propose a hybrid signcryption scheme in the certificateless setting, and its security and performance are analyzed. As a result, its provable security has been verified to achieve confidentiality and unforgeability. Comparative analysis shows that the new scheme has lower computation cost and communication overhead. Generally speaking, it is very suitable for secure communication protocols of key management and secure routing in wireless sensor networks.
Article
Signcryption is a highly efficient approach to achieve simultaneously confidentiality and authentication of messages, which is more feasible than the simple combination of encryption and signature. Online/offline cryptography can further enhance the efficiency of the signcryption process without affecting its security. At present, most online/offline signcryption schemes focus on the ID-based setting. However, the key escrow problem is inherent in ID-based cryptography, which is regarded as the main barrier affecting the implementation of such systems. In this paper, we propose a brand new certificateless online/offline signcryption scheme. We prove the security of our scheme under the q-mBDHI, CDH and q-CAA assumptions in the random oracle model. The proposed scheme overcomes the key escrow problem of the ID-based setting. Copyright © 2014 John Wiley & Sons, Ltd.