Cryptology ePrint Archive: Report 2008/238

On the Provable Security of Multi-Receiver Signcryption Schemes

S.Sharmila Deva Selvi and S.Sree Vivek and Ragavendran Gopalakrishnan and Naga Naresh Karuturi and C.Pandu Rangan

Abstract: In ATC 2007, an identity based signcryption scheme for multiple receivers was proposed by Yu et al. In this paper, we first show that Yu et al.'s signcryption scheme is insecure by demonstrating an universal forgeability attack - anyone can generate a valid signcryption on any message on behalf of any legal user for any set of legal receivers without knowing the secret keys of the legal users. Also, we point out a subtle flaw in the proof of confidentiality given by Yu et al. and show that the scheme does not provide confidentiality. Further, we propose a corrected version of Yu et al.'s scheme and formally prove its security (confidentiality and unforgeability) under the existing security model for signcryption.\\

In another direction, Fagen Li et al. have proposed a pairing based multi-recipient signcryption scheme which works in public key infrastructure (PKI). We show that, the scheme proposed by Fagen Li et al. is not adaptive chosen ciphertext secure. We propose a new PKI based multi-receiver signcryption scheme and formally prove confidentiality and unforgeability of the scheme. Since all the previously reported schemes are shown to have flaws either in this paper or else where, the schemes reported in this paper are the only correct and efficient ones (both identity based and PKI based) for multi-receiver signcryption.

Category / Keywords: Signcryption, Cryptanalysis, Identity Based Cryptography, PKI, Multi-Receiver Signcryption, Bilinear Pairing

Publication Info: Nil

Date: received 18 May 2008, last revised 27 Apr 2009

Contact author: ssreevivek at gmail com,sharmioshin@gmail com

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

Note: This submission was revised because cryptanalysis of one more multi-receiver signcryption scheme was added.

Version: 20090427:074330 (All versions of this report)

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]