Efficient Identity Based Public Verifiable Signcryption Scheme
Signcryption is a cryptographic primitive that performs encryption and signing in a single logical step. In conventional signcryption only the receiver of the signcrypted text can verify the authenticity of the origin, i.e. the sender's signature on the message, after decrypting the ciphertext. In a public verifiable signcryption scheme anyone who can access the signcrypted text can verify the authenticity of the origin, i.e. the sender's signature on the ciphertext. A public verifiable signcryption scheme in which the receiver can convince a third party by providing additional information, other than his private key, along with the signcryption is called a third party verifiable signcryption scheme. In this paper we propose an efficient identity based public verifiable signcryption scheme with third party verification and prove its security in the random oracle model.
💡 Research Summary
The paper presents an identity‑based public‑verifiable signcryption scheme (IBPSC) that also supports third‑party verification. Signcryption combines encryption and signing in a single logical step; in the proposed construction anyone who obtains the signcrypted text can verify the sender's signature without the receiver's private key, and the receiver can convince a third party of the message's authenticity by releasing additional information other than his private key.
The system is built on bilinear pairings. In Setup, a trusted Private Key Generator (PKG) selects two cyclic groups G₁ and G₂ of prime order p, a generator P₀ of G₁, a bilinear map e: G₁×G₁→G₂ and four hash functions H₁…H₄ modeled as random oracles, picks a master secret s and publishes P = s·P₀. For a user with identity ID the PKG issues the private key D_ID = (s·H₁(ID)+H₂(ID))·P₀; the corresponding public key Q_ID = H₁(ID)·P₀ + H₂(ID)·P can be computed by anyone from ID and the public parameters.
Signcryption (IBPSC): the sender A chooses a random r∈ℤₚ* and computes R = r·P and S = r·Q_B, where B is the receiver. Hash values γ₁, γ₂, γ₃ are derived from the message m, R, S and the two identities. The symmetric key K = H₄(γ₁‖γ₂) is XORed with the message to give c = m⊕K, and the signature component T is formed as a linear combination of γ₁·P and γ₂·Q_A. The signcrypted text is σ = (c, R, S, T).
Unsigncryption (IBPUSC): the receiver B recomputes the hash values from σ and checks a pairing equation involving e(T,R) and the public parameters. If it holds, B derives K′ = H₄(γ₁′‖γ₂′) and recovers m = c⊕K′. Verification needs only two pairing evaluations and a few hash calls.
Third‑party verification (TP‑Verify) uses only σ, the two identities and the public parameters: it repeats the receiver's pairing check without B's private key, so any external auditor can confirm the origin of the signcrypted message. This is what gives the scheme both public and third‑party verifiability.
Security is analyzed in the random‑oracle model via two games:
- IND‑IBPSC‑CCA2 (confidentiality): an adaptive chosen‑ciphertext game in which the adversary may query the hash oracles, extract private keys for any identity other than the target receiver, and request signcryptions and unsigncryptions, but may not ask for unsigncryption of the challenge ciphertext. The paper shows that an adversary with advantage ε can be turned into a solver for the q‑BDH problem with non‑negligible probability, so confidentiality reduces to the hardness of q‑BDH.
- EUF‑IBPSC‑CMA (unforgeability): an adaptive chosen‑message game in which the adversary may obtain signcryptions for arbitrary messages and identities and must output a valid signcrypted text that no oracle returned. Forgery is again reduced to q‑BDH (and a related q‑CAAP assumption).
The reductions follow the standard pattern: the simulator embeds the q‑BDH challenge in the public parameters, answers oracle queries with programmed random oracles, and aborts only with negligible probability. The paper also claims forward secrecy: compromising the sender's private key does not allow decryption of past ciphertexts, because decryption always requires the receiver's private key.
Efficiency is compared with earlier identity‑based public‑verifiable signcryption schemes, notably Selvi et al. (2014) and Chow et al. (2008). The proposed construction needs no separate TP‑Verify oracle in the security model (the IBPUSC oracle suffices), and its pairing count per signcryption/unsigncryption is comparable to or slightly below those schemes. The authors call the scheme efficient because it uses a single random exponent r, a constant number of hash evaluations and only two pairings in verification.
The paper also includes a consistency proof showing that the verification equations hold when all parties follow the protocol. The presentation, however, suffers from numerous typographical errors, ambiguous notation and a lack of concrete performance measurements (exact pairing counts, runtime benchmarks). The security model assumes random oracles and relies on the relatively strong and little‑studied q‑CAAP assumption. And while the authors argue that third‑party verification is useful, they give no concrete application scenarios and no analysis of potential misuse, such as replay of signcrypted texts.
In conclusion, the work contributes an identity‑based signcryption scheme that simultaneously achieves public verifiability, third‑party verification and forward secrecy, with security reductions to hardness assumptions in the random‑oracle model. The scheme's theoretical efficiency is appealing, but practical adoption would benefit from a cleaner specification, concrete performance data and a security proof in the standard model.
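The scheme description above and the forward‑secrecy claim are easier to reason about against a concrete, if simplified, signcryption. The following is an added example, not code from the paper: a toy discrete‑logarithm signcryption over a safe‑prime group in pure Python (no pairings, so it is not the paper's identity‑based construction), with one random exponent r shared between the Diffie‑Hellman session key and a Schnorr signature over the ciphertext. It shows the three verification modes the summary distinguishes: `unsigncrypt` (receiver, needs x_b), `public_verify` (anyone, ciphertext and public keys only) and `third_party_verify` (anyone, after the receiver runs `disclose` to release the session key K together with a Chaum‑Pedersen proof that K is the genuine R^x_b, instead of releasing his private key). The last function, `decrypt_with_sender_key`, shows the caveat a reviewer should check in any single‑exponent design: because the Schnorr response z = r + h·x_a is public, a leaked sender key x_a yields r and therefore every past session key, so this toy has no forward secrecy; whether the paper's pairing scheme avoids this depends on its own key derivation, which the summary does not detail. All function names, the 64‑bit parameter size and the sample message are assumptions of this example.

```python
# Constructed toy: discrete-log signcryption, not the paper's pairing-based scheme.
import hashlib, secrets

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # exact for n < 3.3e24

def is_probable_prime(n: int) -> bool:
    if n < 2:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:  # one Miller-Rabin round per base
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(bits: int = 64):
    """Safe prime p = 2q+1 and a generator of the order-q subgroup (toy size)."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4  # 4 = 2^2 lies in the order-q subgroup

P, Q, G = gen_params()

def i2b(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")

def hash_to_zq(*parts: bytes) -> int:
    h = hashlib.sha256()
    for part in parts:  # length-prefix every field so concatenation is unambiguous
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q

def pad(k: int, n: int) -> bytes:
    """Toy KDF: expand the shared group element k into n bytes of keystream."""
    return b"".join(hashlib.sha256(i2b(k) + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def signcrypt(m: bytes, x_a: int, y_a: int, y_b: int):
    """One exponent r gives both the DH secret y_b^r and the Schnorr commitment g^r."""
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    K = pow(y_b, r, P)  # never sent; only B can recompute it as R^x_b
    c = bytes(a ^ b for a, b in zip(m, pad(K, len(m))))
    h = hash_to_zq(c, i2b(R), i2b(y_a), i2b(y_b))  # signature covers the ciphertext
    z = (r + h * x_a) % Q
    return c, R, z

def public_verify(sigma, y_a: int, y_b: int) -> bool:
    """Anyone holding sigma and the public keys checks g^z == R * y_a^h."""
    c, R, z = sigma
    h = hash_to_zq(c, i2b(R), i2b(y_a), i2b(y_b))
    return pow(G, z, P) == R * pow(y_a, h, P) % P

def unsigncrypt(sigma, x_b: int, y_a: int, y_b: int):
    if not public_verify(sigma, y_a, y_b):
        return None
    c, R, _ = sigma
    return bytes(a ^ b for a, b in zip(c, pad(pow(R, x_b, P), len(c))))

def disclose(sigma, x_b: int, y_b: int):
    """Receiver releases K plus a Chaum-Pedersen proof that log_g y_b == log_R K."""
    _, R, _ = sigma
    K = pow(R, x_b, P)
    w = secrets.randbelow(Q - 1) + 1
    t1, t2 = pow(G, w, P), pow(R, w, P)
    e = hash_to_zq(i2b(y_b), i2b(K), i2b(t1), i2b(t2), i2b(R))
    return K, (e, (w + e * x_b) % Q)

def third_party_verify(sigma, y_a: int, y_b: int, K: int, proof):
    if not public_verify(sigma, y_a, y_b):
        return None
    c, R, _ = sigma
    e, s = proof
    t1 = pow(G, s, P) * pow(y_b, (Q - e) % Q, P) % P  # y_b^-e; y_b has order q
    t2 = pow(R, s, P) * pow(K, (Q - e) % Q, P) % P
    if hash_to_zq(i2b(y_b), i2b(K), i2b(t1), i2b(t2), i2b(R)) != e:
        return None  # K is not the DH secret bound to R and y_b
    return bytes(a ^ b for a, b in zip(c, pad(K, len(c))))

def decrypt_with_sender_key(sigma, x_a: int, y_a: int, y_b: int):
    """Pitfall: z is public, so a leaked x_a yields r and every past session key."""
    c, R, z = sigma
    h = hash_to_zq(c, i2b(R), i2b(y_a), i2b(y_b))
    r = (z - h * x_a) % Q
    return bytes(a ^ b for a, b in zip(c, pad(pow(y_b, r, P), len(c))))
```

A typical run: generate two key pairs, `signcrypt` a message from A to B, confirm that `public_verify` accepts the triple while a one‑bit change to the ciphertext is rejected, let B `unsigncrypt` and `disclose`, and hand the disclosure to `third_party_verify`. The Chaum‑Pedersen proof is what makes the third‑party mode honest: without it, B could hand over an arbitrary K and "prove" that A signed a plaintext A never sent.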