An Efficient Heterogeneous Signcryption Scheme from Certificateless to Identity-based Cryptosystem

Heterogeneous signcryption not only provides confidentiality and unforgeability for information transmitted between different public key cryptography environments, but also reduces the communication cost. The proposed scheme uses bilinear pairings between certificateless cryptography and identity-based cryptography to construct a heterogeneous signcryption scheme. In addition, the two cryptosystems use different master secret keys. Furthermore, the proposed scheme has indistinguishability against adaptive chosen-ciphertext attacks and existential unforgeability against adaptive chosen-message attacks in the random oracle model. The data analysis shows that this scheme is more effective than other schemes of a similar type.


Introduction
Data confidentiality and authentication should be ensured when transmitting data in public networks. The traditional approach, signature-then-encryption, involves numerous calculations, costly communication, and low computational efficiency. To improve the computational efficiency, Zheng [1] proposed the notion of signcryption in 1997. Signcryption can simultaneously perform signature and encryption, which enhances the efficiency of communication systems.
In the future, heterogeneous network technology is crucial to secure communication. Generally, different cryptosystems should be used in heterogeneous networks. Heterogeneous Signcryption (HSC) should be explored to ensure the confidentiality and authentication of messages in a heterogeneous network.
In 2010, Sun [2] proposed the HSC scheme that communicates from Traditional Public Key Cryptography (TPKC) to Identity-based Public Key Cryptography (IDPKC) [3]. However, the scheme only addresses external security threats [4]. In 2011, Huang et al. [5] proposed an HSC scheme with key privacy, which satisfies internal security [4]. In 2013, Fu et al. [6] proposed an IDPKC-to-TPKC construction of a multi-receiver signcryption scheme. In the same year, Li et al. [7] proposed a two-way HSC scheme. However, these HSC schemes only consider the signcryption problem between IDPKC and TPKC. Although these schemes use different public key cryptosystems, the sender and the receiver use the same system parameters. In 2016, Zhang et al. [8] proposed an HSC scheme that communicates from Certificateless Public Key Cryptography (CLPKC) [9,10] to TPKC. To the best of our knowledge, only four HSC schemes have been developed, and the signcryption problem between IDPKC and CLPKC has not been addressed in the literature.
Existing heterogeneous signcryption schemes use similar master secret keys. In 2016, Li et al. [11] proposed a multi-receiver signcryption scheme for heterogeneous systems. Their work provided inspiration for the current study.
Based on Li [12], this paper develops a scheme from CLPKC [13] to IDPKC. The present paper introduces a formal security model called Efficient CLPKC-to-IDPKC Heterogeneous Signcryption Scheme and proves the model's semantic security and existential unforgeability in the random oracle model [14]. Our scheme is more secure and efficient than other existing schemes. The proposed scheme has the following features.
• This scheme uses different master secret keys in the different cryptosystems, which improves the security of the system.
• Compared with existing heterogeneous schemes, this scheme reduces system running time by reducing the number of bilinear pairings. This scheme is more secure and efficient.
• In the random oracle model, this scheme ensures the confidentiality and unforgeability of data in the context of the Variants Decisional Bilinear Diffie-Hellman Problem (VDBDHP), the Variants Computational Bilinear Diffie-Hellman Problem (VCBDHP) and the Discrete Logarithm Problem (DLP).
The rest of this paper is organized as follows. Related knowledge is reviewed in Section 2. The formal definition and security model of the proposed scheme are described in Section 3. The heterogeneous signcryption scheme is presented in Section 4. The security analysis of the scheme is discussed in Section 5. The performance analysis is discussed in Section 6. Finally, Section 7 concludes the paper.

Related knowledge
This section briefly describes bilinear maps and hard problems.
Let $G_1$ be a cyclic additive group generated by $P$, with a prime order $q$, and $G_2$ be a multiplicative group of the same order. The bilinear pairing is a map G with the following properties.
• Bilinearity: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in Z_q$.
• Non-degeneracy: , P Q G .
The hard problems involved in the security of the proposed scheme are described as follows.

Hard Problems
• Variants Decisional Bilinear Diffie-Hellman (VDBDH) problem: Given
• Discrete Logarithm Problem (DLP): Given a cyclic additive group $G$ and generator $P$, the DLP is, given $(P, aP)$, to compute $a \in Z_q^*$.
According to the existing schemes [15,16], it is known that both VDBDHP and VCBDHP are hard. Obviously, the Discrete Logarithm Problem (DLP) is hard.
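The bilinearity property and the DLP described above, as an added Python example (not code from the paper). It uses a constructed toy pairing $e(X, Y) = g^{XY}$ over small integers, which is bilinear but insecure because the DLP in its $G_1$ falls to one modular inversion; all parameters and function names are assumptions of this example.

```python
# Added illustration: toy symmetric pairing with constructed parameters (NOT secure).
# G1 = (Z_q, +) generated by P; G2 = order-q subgroup of Z_p^*, with p = 2q + 1.
Q = 1019        # prime group order q (constructed)
P_MOD = 2039    # prime p = 2q + 1 (constructed)
G2_GEN = 4      # 4 = 2^2 is a square, so it generates the order-q subgroup of Z_p^*
P = 7           # any non-zero element generates (Z_q, +)


def scalar_mul(a, X):
    """Compute aX in the additive group G1."""
    return (a * X) % Q


def pairing(X, Y):
    """Toy bilinear map e: G1 x G1 -> G2 with e(X, Y) = g^(X*Y)."""
    return pow(G2_GEN, (X * Y) % Q, P_MOD)


def bilinear_holds(a, b, X, Y):
    """Check e(aX, bY) == e(X, Y)^(ab)."""
    lhs = pairing(scalar_mul(a, X), scalar_mul(b, Y))
    rhs = pow(pairing(X, Y), (a * b) % Q, P_MOD)
    return lhs == rhs


def non_degenerate():
    """e(P, P) must not be the identity element of G2."""
    return pairing(P, P) != 1


def scalar_moves_across(x, X, Y):
    """e(xX, Y) == e(X, xY): the step pairing-based verification equations rely on."""
    return pairing(scalar_mul(x, X), Y) == pairing(X, scalar_mul(x, Y))


def solve_dlp_toy(base, target):
    """Recover a from (P, aP). Trivial here because G1 is just Z_q:
    a = target * base^(-1) mod q. Elliptic-curve groups used by real pairing
    schemes offer no such division, which is what the DLP assumption captures."""
    return (target * pow(base, -1, Q)) % Q


if __name__ == "__main__":
    a, b = 123, 456
    print(bilinear_holds(a, b, P, scalar_mul(5, P)), non_degenerate())
    print(solve_dlp_toy(P, scalar_mul(a, P)))
```

The toy group satisfies both pairing properties yet offers no security, which is why the scheme's proofs rest on hardness assumptions in addition to bilinearity.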

Semantic security
A CLC→IBC heterogeneous signcryption scheme generally includes the following algorithms:
• Setup. Take a security parameter $l$ as input. The PKG and KGC generate their own master keys and output the system parameters params.
• CLPKC-KG. The algorithm is run by the KGC of the CLPKC system. Given the identity $ID_U$ and a secret value $x_U$, the corresponding $sk_s$ is generated as the private key of the CLPKC user.
• IDPKC-KG. The algorithm is run by the PKG of the IDPKC system. Given a user's identity $ID_U$, the corresponding private key $S_U$ is generated.
• Signcryption. Given the sender's identity $ID_s$, the receiver's identity $ID_r$, the private key $S_U$ and the message $m$, the sender runs the signcryption algorithm to generate a ciphertext .
• Unsigncryption. Given the sender's identity $ID_s$, the private key $S_U$ of the receiver and a ciphertext , the receiver computes and outputs the plaintext $m$, or the symbol .

Confidentiality
A heterogeneous signcryption scheme has the IND-CCA2 property if no probabilistic polynomial time adversary A has a non-negligible advantage in the following game:
Setup. Challenger C runs the setup algorithm with a security parameter $l$ and sends the system parameters and public keys to A, while the master key is kept secret.
Phase 1. A can ask several kinds of queries to the following random oracles.
• Key generation query. A submits an identity $ID_U$; C runs the IDPKC-KG algorithm to generate the private key $S_U$ and sends it to A.
• Unsigncryption query. A submits a signcrypted message and an identity $ID_s$. C computes the private key $S_U$. If is a valid ciphertext, C returns a message ( , , ) U m Unsigncrypt params S ; otherwise, an error symbol is returned.
Challenge. A decides when Phase 1 ends. A selects two plaintexts $m_0$ and $m_1$ of the same length, a sender's identity $ID_A$, and a receiver's identity $ID_B^*$, which it wants to challenge. A is not allowed to ask for the private key of $ID_B$ in the first stage. C then selects $b \in \{0,1\}$ and runs the corresponding algorithms to obtain the ciphertext . is transmitted to A.
Phase 2. A can perform queries similar to those in Phase 1. A cannot query the key extraction for the target identities. A should not query the Unsigncryption for .
Guess.
, where $\Pr[b' = b]$ denotes the probability that $b' = b$.

Unforgeability I
A CLPKC→IDPKC heterogeneous signcryption scheme is referred to as EUF-CMA-I. The game is defined between a challenger C and an adversary $F_I$. The advantage of $F_I$ is defined as the probability that $F_I$ wins the EUF-CMA-I game.

Unforgeability II
A CLPKC→IDPKC heterogeneous signcryption scheme is referred to as EUF-CMA-II was not produced by any signcrypt query.
The advantage of $F_{II}$ is defined as the probability that $F_{II}$ wins the EUF-CMA-II game.

Description of the scheme
The heterogeneous signcryption scheme is described in this section. It allows the sender to be in the CLPKC system and the receiver to be in the IDPKC system. The proposed scheme is described as follows.
Setup. In the heterogeneous system, let $G_1$ be a cyclic additive group of prime order $q$ and $G_2$ be a cyclic multiplicative group of the same order. Let $P$ be the generator of $G_1$. A bilinear map is defined as G . Three cryptographic hash functions are chosen, namely, $H_1$ : where $l_m$ is the length of a message.
The KGC selects s Z as the master secret key and sets $P_1 = s_1 P$ as the public key of the CLPKC system.
The PKG selects s Z as the master secret key and sets $P_2 = s_2 P$ as the public key of the IDPKC system. The global public parameters are param $= \{G_1, G_2, e, P, P_1, P_2, H_1, H_2, H_3\}$ and the master secret keys are $s_1$ and $s_2$.
CLPKC-KG. As a sender in the CLPKC system, it uses an identity $ID_A$ and computes the private key using the following algorithm.
• Compute 1 ( )
• Choose a random secret value x Z .
• Compute the public key $pk_A = x_A P$ and the private key =
IDPKC-KG. The PKG computes the private key of an identity $ID_B$ as
The system parameters, namely, the message $m$ of length $l_m$, the receiver's identity $ID_B$ are given. Then the sender uses the following algorithm:
• Choose a random number $r \in Z_q^*$ and compute ( , , , ) c U U V .
Unsigncryption. When the system receives a ciphertext $(c, U_1, U_2, V)$ and the system parameters, the receiver with an identity $ID_B$ unsigncrypts the ciphertext as follows:
• Accept the message if and only if the equation holds: A A e P V e pk U hQ .
Correctness. The following equations show the correctness of the scheme.
When receiving the ciphertext, the receiver can decrypt the ciphertext as follows:  ,( ) ) A e s P r h D =

( ,( ) )
A A e s P r h x S =

( ,( ) )
A A e x P r h s S = ( ,( ) ) A A e pk r h Q = ( , ) e pk rQ hQ =

( , )
A A e pk U hQ
The scheme can be adapted to environments with different system parameters. For example, the PKG has system parameters , , , , , G G P H H H and the KGC has the system parameters 1 2 , , , , , G G P H H H . The scheme will be secure.

Security Analysis
This section presents the security analysis of the scheme, including confidentiality and unforgeability.

Confidentiality
Theorem 1. In the random oracle model, if an IND-CCA2 adversary A can attack our proposed scheme, then there exists an algorithm C that can solve the VDBDH problem.
Proof. , , L L L to store the answers.
Setup. At the beginning of the game, C runs the setup algorithm and set b P cP and provides the system parameters to attacker A.
Phase 1. A can request several queries. To respond to these queries, 1 , H H -queries. When A asks queries on these hash values, C checks the list. If an entry for the query is found, it is returned to A. Otherwise, a random value is chosen and sent to A, and the answer is then stored in the list.
• and send it to A.
Phase 2. A performs new queries that are treated the same way as in Phase 1.
Guess. A produces a bit $b'$ as its guess. At the moment,

Unforgeability I
Theorem 2. In the random oracle model, if an EUF-CMA-I adversary $F_I$ can attack our proposed scheme, then there exists an algorithm C that can solve the VCBDH problem.
Proof. If an EUF-CMA-I adversary $F_I$ exists, then we construct a simulator C that uses $F_I$ to compute 1 ( , ) abd e P P from an instance ( , , , , , , ) P aP bP cP dP c P d P of the VCBDHP.
Setup. The challenger C runs the setup algorithm. It sets $P_1 = dP$, and sends the system parameters Otherwise, C does as follows: (1) If Z at random, then compute 1 ( ) (
When C receives a query, if the corresponding query exists in $L_i$ $(i = 2, 3)$, C returns it to $F_I$. Otherwise, C randomly chooses a number as the query answer and returns it to $F_I$. Meanwhile, C puts the query result into $L_i$.
• Public key query. When C receives a query, if $(ID_j, x_j, pk_j)$ exists in the public key-list, then $pk_j$ is returned to $F_I$. Otherwise, C chooses $x_j \in Z_q^*$ at random, computes $pk_j = x_j P$, then puts $(ID_j, x_j, pk_j)$ into the public key-list and returns $pk_j$ as the answer.
• Extract secret key query. When C receives a query $ID_j$: if C has replaced the public key of $ID_j$, then it returns . Otherwise, $(ID_j, x_j, pk_j)$ exists in the key-list, and C returns $x_j$ as the answer.
• Extract partial private key query. When C receives a query $(ID_j, x_j, D_j)$, C does as follows: (1) If ID be the identities of the sender and receiver, respectively, m be the plaintext, C will do as follows: (1) If
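The list bookkeeping that the simulator C performs for the hash, public key, replace public key and extract secret key queries above, as an added Python example (not code from the paper). The toy group $(Z_q, +)$, the identities, the class and method names, and the use of `None` for the return symbol lost from the page are all assumptions of this example.

```python
import secrets

Q = 1019   # constructed toy group order q
P = 7      # constructed generator of the toy additive group (Z_q, +)


class Challenger:
    """Bookkeeping kept by the simulator C while answering the forger's queries."""

    def __init__(self):
        self.hash_lists = {2: {}, 3: {}}   # the lists L_2 and L_3
        self.pk_list = {}                  # ID_j -> {"x", "pk", "replaced"}

    def hash_query(self, i, query):
        # Lazy sampling: reuse a stored answer, otherwise draw a fresh one and store it.
        answers = self.hash_lists[i]
        if query not in answers:
            answers[query] = secrets.randbelow(Q - 1) + 1
        return answers[query]

    def public_key_query(self, identity):
        # Return pk_j if (ID_j, x_j, pk_j) is listed; else pick x_j and set pk_j = x_j P.
        if identity not in self.pk_list:
            x = secrets.randbelow(Q - 1) + 1
            self.pk_list[identity] = {"x": x, "pk": (x * P) % Q, "replaced": False}
        return self.pk_list[identity]["pk"]

    def replace_public_key(self, identity, new_pk):
        # The forger may substitute any key; C then holds no matching secret value.
        self.public_key_query(identity)
        self.pk_list[identity].update(pk=new_pk, replaced=True)

    def extract_secret_key(self, identity):
        # Refuse (None, an assumed stand-in for the page's symbol) after a replacement.
        self.public_key_query(identity)
        entry = self.pk_list[identity]
        return None if entry["replaced"] else entry["x"]


def demo():
    """Run the queries on constructed identities and report the three outcomes."""
    c = Challenger()
    same = c.hash_query(2, b"m||U") == c.hash_query(2, b"m||U")
    pk = c.public_key_query("alice")
    x = c.extract_secret_key("alice")
    c.replace_public_key("bob", 5)
    return same, pk == (x * P) % Q, c.extract_secret_key("bob")
```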

Unforgeability II
Theorem 3. In the random oracle model, if an EUF-CMA-II adversary $F_{II}$ can attack our proposed scheme, then there exists an algorithm C that can solve the Discrete Logarithm Problem (DLP).
Proof. If an EUF-CMA-II adversary $F_{II}$ exists, then we construct a simulator C that uses $F_{II}$ to compute $a \in Z_q^*$ from an instance $(P, aP)$ of the DLP.
Setup. C first runs the setup algorithm to generate x Z at random, computes $pk_j = x_j P$, then puts $(ID_j, x_j, pk_j)$ into the public key-list and returns $pk_j$ as the answer.
Attack. $F_{II}$ adaptively performs a polynomially bounded number of queries to the various oracles in this phase.
Forge. Hence, C successfully solves the DLP.

Performance analysis
We compare the proposed scheme with other existing signcryption schemes [2], [7], [18]. Table 1 shows the efficiency and distinction of the schemes. We denote by Pa the total number of pairing computations required, by Mu the total number of point multiplications required, and by Ex the total number of exponentiations required. We compare our scheme with schemes [2], [7], [18] even though these schemes are all in the same cryptosystems. The results are shown in Table 1 and Table 2. As shown in Table 1 and Table 2, our scheme has a lower computation cost than other schemes. In the simulation, we show the time by measuring the performance of the Signcryption and Unsigncryption. Our program is written in with the PBC library [17], and we run it on a personal computer with a 3.10GHz CPU and 2GB of RAM, using the Linux operating system. For the purpose of comparison, we adopt Y Li et al [11]. Both schemes are set up in a heterogeneous system, and both schemes use different system parameters. We can get the result as

Conclusion
We have developed an efficient signcryption scheme for the CLPKC→IDPKC heterogeneous system. Compared with the existing signcryption schemes, the proposed scheme chooses different master secret keys in different systems. The security models are provided, and the proposed scheme ensures the confidentiality and unforgeability of data in the random oracle model. The proposed scheme is more secure because it uses different master keys. Furthermore, the proposed scheme can be used in environments with different system parameters.
s Q = ( , )r B e P Q
Simultaneously, the receiver can verify the following equalities to show:
e aP c bP e P P as a solution of the VDBDHP. Otherwise, C stops and outputs "failure".
Fig 1, in which SC means the signcryption operation and USC means the unsigncryption operation. In the performance of the Signcryption and Unsigncryption, our scheme has been improved in terms of efficiency.
. If no probabilistic polynomial time adversary $F_I$ has a non-negligible advantage against a challenger in the following game:
Setup. The challenger C runs the setup algorithm. It sends public parameters params to the adversary $F_I$, while the master keys are kept secret.
When $F_I$ receives When $F_I$ receives a public key extraction query for an identity $ID_i$, C runs the CLPKC-KG algorithm to the public key * ID .
$ID_i$, C computes the secret key $x_i$, and transmits it to $F_I$.
• Request public key query.
• Replace public key query. For any identity $ID_i$ and a valid public key $pk_i'$, C replaces $pk_i$ with the value $pk_i'$.
• Signcrypt query. $F_I$ produces a message $m$, a sender's identity $ID_s$, and a receiver's identity $ID_r$, C
C always answers A that ' is invalid. If ' is valid from A's viewpoint, C will fail.
B R e U S ( C
When C receives a query, if the corresponding query exists in the $H_i$-list, C returns it to $F_{II}$. Otherwise, C randomly chooses an integer as the query result and returns it to $F_{II}$. Meanwhile, C puts the query result into the $H_i$-list.
*ID.
• $H_i$ $(i = 1, 2, 3)$-query.
j pk . Otherwise, C chooses * j q

Table 1. Comparison with existing schemes for signcryption.

Table 2. Comparison with existing schemes for unsigncryption.