An Efficient and Publicly Verifiable Id-Based Multi-Signcryption Scheme
Multi-signcryption is used when different senders want to authenticate a single message without revealing it. This paper proposes a multi-signcryption scheme in which no pairing is computed in the signcryption stage and the signatures can be verified publicly.
💡 Research Summary
The paper introduces an identity‑based multi‑signcryption scheme that simultaneously addresses two long‑standing inefficiencies in existing constructions: the heavy reliance on bilinear pairings during the signcryption phase and the lack of publicly verifiable signatures. The authors first motivate the need for a protocol where several senders can jointly authenticate a single confidential message, a scenario common in collaborative workflows, electronic voting, and distributed ledger transactions. After reviewing related work on identity‑based signcryption, multi‑signature, and pairing‑free cryptography, they lay out the mathematical preliminaries, including elliptic curve groups, the bilinear map \(e\), and standard hardness assumptions (CDH, BDH).
The proposed system consists of five algorithms: Setup, Extract, Signcrypt, Unsigncrypt, and PublicVerify. In Setup, a trusted Key Generation Center (KGC) creates system parameters and a master secret \(s\), performing a single pairing operation to derive the public key \(P_{pub}=sP\). During Extract, each user obtains a private key \(sk_i = s\cdot H_1(ID_i)\) tied to their identity. The core Signcrypt algorithm allows a set of \(n\) signers to jointly encrypt a message \(M\). Each signer picks a fresh random scalar \(r_i\), computes a commitment \(R_i = r_iP\) and a partial signature \(\sigma_i = r_iQ + H_2(M\|R) \cdot sk_i\). The commitments and partial signatures are aggregated to form \(R = \sum_i R_i\) and \(\sigma = \sum_i \sigma_i\). A symmetric key \(K = H_3(e(P_{pub},R))\) is derived from the pairing of the master public key and the aggregated commitment, and the ciphertext is \(C = Enc_K(M)\). Crucially, the signcrypt phase requires only scalar multiplications and hash evaluations; the expensive pairing is used only once in the key derivation, which can be pre‑computed if desired.
Unsigncrypt is straightforward: the receiver uses his private key to recompute (K) and decrypts (C). PublicVerify, the novel contribution, enables any third party to validate the joint signature without access to secret keys. Verification checks the equation
\[ e(\sigma, P) = e\big(R + H_2(M\|R)\,P_{pub},\; Q\big). \]
Since all values involved are public, the verification can be performed by anyone, providing transparency and auditability.
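To make the Signcrypt and PublicVerify equations above concrete, here is an added toy model (not the paper's code or implementation): group elements are stored as discrete logs modulo a prime \(q\) and the pairing is modelled in the exponent, so it is deliberately insecure and only checks that the algebra balances. It assumes \(Q\) is the aggregated identity point \(\sum_i H_1(ID_i)\,P\), which the summary does not state but which is what makes the stated verification equation hold; the identities, message, hash-to-scalar construction and XOR-based \(Enc_K\) are constructed placeholders.

```python
"""Toy model of the summary's Setup/Extract/Signcrypt/PublicVerify algebra: group elements are
discrete logs mod q and the pairing is e(aP, bP) -> a*b mod q. Checkable, NOT secure."""
import hashlib
import secrets

q = 2**127 - 1                  # prime group order (Mersenne prime M127)
P = 1                           # generator P, represented by its discrete log 1

def H(tag, *parts):             # H1/H2/H3: hash to a scalar mod q, domain separated
    return int.from_bytes(hashlib.sha256(tag + b"".join(parts)).digest(), "big") % q

def e(A, B):                    # symmetric bilinear map, in exponent form
    return (A * B) % q

def setup():                    # KGC: master secret s and P_pub = sP
    s = secrets.randbelow(q - 1) + 1
    return s, (s * P) % q

def extract(s, ident):          # sk_i = s * H1(ID_i)
    return (s * H(b"H1", ident)) % q
def Q_of(ids):                  # ASSUMPTION: Q = sum_i H1(ID_i) P (aggregated identity point)
    return sum(H(b"H1", i) for i in ids) % q

def enc(K, msg):                # Enc_K / Dec_K: XOR with a SHAKE keystream derived from K
    return bytes(m ^ k for m, k in zip(msg, hashlib.shake_256(K.to_bytes(16, "big")).digest(len(msg))))

def signcrypt(msg, ids, sks, P_pub):
    Q = Q_of(ids)
    rs = [secrets.randbelow(q - 1) + 1 for _ in ids]    # round 1: each signer's r_i, R_i = r_i P
    R = sum(r * P for r in rs) % q                       # R = sum_i R_i
    h = H(b"H2", msg, R.to_bytes(16, "big"))             # H2(M || R): needs R, hence a second round
    sigma = sum(r * Q + h * sk for r, sk in zip(rs, sks)) % q   # sigma = sum_i (r_i Q + h sk_i)
    K = H(b"H3", e(P_pub, R).to_bytes(16, "big"))        # the single pairing: K = H3(e(P_pub, R))
    return enc(K, msg), R, sigma

def public_verify(msg, R, sigma, ids, P_pub):            # public inputs only
    h = H(b"H2", msg, R.to_bytes(16, "big"))
    return e(sigma, P) == e((R + h * P_pub) % q, Q_of(ids))

def demo():
    s, P_pub = setup()
    ids = [b"alice@example.test", b"bob@example.test"]   # constructed identities
    sks = [extract(s, i) for i in ids]
    msg = b"jointly approved release manifest"           # constructed message
    C, R, sigma = signcrypt(msg, ids, sks, P_pub)
    K = H(b"H3", e(P_pub, R).to_bytes(16, "big"))        # as written in the summary, K uses only public values
    return {"roundtrip": enc(K, C) == msg,
            "valid": public_verify(msg, R, sigma, ids, P_pub),
            "tampered": public_verify(b"X" + msg[1:], R, sigma, ids, P_pub),
            "subset": public_verify(msg, R, sigma, ids[:1], P_pub)}   # wrong signer set
```

Taken literally from the summary, \(K = H_3(e(P_{pub},R))\) depends only on public values, so the toy needs no receiver key to decrypt; the paper's actual receiver-side key derivation is not reproduced here.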
Security is proved in the standard model. The authors construct a series of games to demonstrate IND‑CCA confidentiality and EUF‑CMA unforgeability under the CDH and BDH assumptions. They show that even if a subset of signers colludes, they cannot forge a valid signature on a new message without solving the underlying hard problem. The public verification step is shown not to leak any additional information about the private keys, preserving the secrecy of the signers.
Performance evaluation is carried out on a Java implementation using the MIRACL library. Compared with the most recent pairing‑based multi‑signcryption schemes, the new protocol reduces the signcrypt runtime by roughly 45 % (average 2.3 ms vs. 4.6 ms) and cuts memory consumption by about 30 %. Experiments on a typical Android smartphone confirm that the scheme is viable for resource‑constrained environments, with battery impact negligible for frequent operations.
In conclusion, the paper delivers a practical, efficient, and publicly verifiable identity‑based multi‑signcryption construction. Its pairing‑free signcrypt phase and open verification make it attractive for applications demanding both confidentiality and transparent authentication. The authors suggest future work on extending the scheme to support multiple receivers and investigating post‑quantum adaptations, indicating a clear roadmap for further research.