An efficient and secure attribute based signcryption scheme with LSSS access structure

Attribute based encryption (ABE) and attribute based signature (ABS) provide flexible access control together with authentication for data sharing between users, but realizing both functions separately imposes a heavy computation burden. In this paper, we combine the advantages of CP-ABE with ABS and propose a ciphertext policy attribute based signcryption scheme. In our scheme, only legitimate receivers can decrypt the ciphertext and verify the signature produced by the data owner. Furthermore, we use a linear secret sharing scheme (LSSS) instead of a tree structure to avoid frequent calls of the recursive reconstruction algorithm. By security and performance analysis, we prove that our scheme is secure and achieves higher efficiency.

academia. Wang and Huang (2011) proposed a signcryption scheme from pairings. Their scheme provides the functions of both encryption and authentication and is shown to be more efficient than the simple combination "CP-ABE + CP-ABS". Hu and Zhang (2013) proposed a fuzzy attribute based signcryption scheme and applied it in the body area network (BAN). Their scheme is a novel security mechanism and achieves outstanding performance. However, both schemes (Wang and Huang 2011; Hu and Zhang 2013) are based on the tree structure (Bethencourt et al. 2007) and the threshold structure, which need frequent calls of a recursive algorithm to recover the secret encryption component. This brings extra computation overhead.
To further improve the efficiency of attribute based signcryption, in this paper we propose an improved ciphertext policy attribute based signcryption scheme. We use an LSSS structure (Beimel 1996) instead of the access tree structure to avoid the frequent calls of the recursive algorithm. By security and performance analysis, we prove that our scheme is secure and achieves higher efficiency.

Bilinear pairings
Let $G_1$ and $G_2$ be two cyclic groups of prime order $q$, and let $g$ be a generator of $G_1$. A bilinear pairing $\hat{e}: G_1 \times G_1 \to G_2$ has the following properties:
Bilinearity: for $a, b \in \mathbb{Z}_q$, we have $\hat{e}(g^a, g^b) = \hat{e}(g, g)^{ab}$.
Non-degeneracy: for any $g \in G_1$, $\hat{e}(g, g) \neq 1$.
Computability: the value $\hat{e}(u, v)$ can be computed efficiently for any $u, v \in G_1$.

Discrete logarithm assumption (DL)
Given $P, Q \in G_1$, no probabilistic polynomial-time (PPT) algorithm can find an integer $n \in \mathbb{Z}_q^*$ such that $Q = P^n$ with non-negligible probability.

Decision bilinear Diffie-Hellman problem (DBDH)
For $a, b, c, z \in \mathbb{Z}_q^*$, given $\{g, g^a, g^b, g^c, z\}$, no probabilistic polynomial-time (PPT) algorithm can distinguish the tuple $(A = g^a, B = g^b, C = g^c, \hat{e}(g, g)^{abc})$ from the tuple $(A = g^a, B = g^b, C = g^c, \hat{e}(g, g)^{z})$ with non-negligible probability.

Formulized definitions of our scheme
Our scheme consists of the following algorithms. Setup: On input a security parameter, it returns the system public parameters PK and the master key MK. PK is shared by all users, while MK is kept private by the private key generator.
Private key generation: On input the system public parameters PK, the master key MK and an attribute set $\{A_i\}$, the private key generator (PKG) outputs $D_i$ as the user's attribute private key. To distinguish the roles of signers and receivers, in this paper we denote the private key of a signer by $D_s$ and the private key of a receiver by $D_r$.
Signcrypt: This algorithm is run by a signer. It takes the system public parameters PK, a plaintext $M$, the signer's private key $D_s$ and an access structure as input, and outputs the ciphertext $CT = \{U, V, E\}$.
De-signcrypt: This algorithm is run by the receiver. It takes as input the ciphertext $CT = \{U, V, E\}$ and the receiver's private key $D_r$, and outputs either the plaintext $M$ or the reject symbol $\bot$.

Security model
Definition 1 Our scheme has confidentiality under chosen plaintext attack in the selective model if no Adversary has a non-negligible advantage in the following challenge game.
Setup: Adversary claims a challenging attribute set $\gamma$. Challenger runs the Setup algorithm to obtain PK and sends PK to Adversary.
Adversary may make the following queries to Challenger.
Private key generation query: Adversary can request the private key of any attribute set except the challenging attribute set.
Adversary cannot ask Challenger for a private key generation query on the challenging attribute set $\gamma$.
Adversary outputs a value $\mu^*$ as a guess of $\mu$. If $\mu^* = \mu$ then Adversary wins the game. The advantage of Adversary is defined as $\Pr[\mu^* = \mu] - \frac{1}{2}$.
Definition 2 Our scheme has existential unforgeability under chosen message attack in the selective model if no Adversary has a non-negligible advantage in the following challenge game.
Setup: Adversary claims a challenging attribute set $\gamma$. Challenger takes a security parameter and runs the Setup procedure to obtain the system parameters. It sends PK to Adversary.
Private key generation query: Adversary can request the private key of any attribute set except the challenging attribute set.
Signcrypt query: Adversary chooses an attribute set $\{A_i\}$, an access structure and a plaintext $M$. Challenger calculates $D_s$ and runs the Signcrypt procedure to compute the ciphertext $CT = \mathrm{Signcrypt}\{PK, M, D_i, \gamma\}$. Challenger then sends $CT$ to Adversary.
Adversary wins the game if the output of De-signcrypt is not $\bot$.
The advantage of Adversary is defined as $\mathrm{Adv}(A) = \Pr[\mathrm{Result} = M]$.

Our contributions to attribute based signcryption scheme
Let $G_1$ and $G_2$ be two cyclic groups of prime order $p$, and let $g$ be a generator of $G_1$. Let $\hat{e}: G_1 \times G_1 \to G_2$ be a bilinear pairing. Define two functions $H_1$ and $H_2$: $H_1$ maps attributes to rows of the access matrix Matrix (the row index lies in $\mathbb{Z}_p^*$), and $H_2: \{0,1\}^* \to \mathbb{Z}_p^*$ is a hash function (as used in the security proofs below).
Setup: PKG randomly chooses $\alpha_i \in \mathbb{Z}_p^*$ for each attribute $i$ in the system. Besides, PKG chooses another secret number $\alpha \in \mathbb{Z}_p^*$. The system outputs the master keys $(g^{\alpha}, \{\alpha_i\})$ and the public parameters $\hat{e}(g, g)^{\alpha}$, $\hat{e}(g, g)$.
Private key generation: For a signer's attribute set $\{A_j\}$, PKG chooses $u \in \mathbb{Z}_p^*$ and calculates the signer's private key $(D_{s,1}, D_{s,2}, D_{s,3}) = \big(g^{u + \alpha_j H_1(j)},\ g^{\alpha + u},\ \hat{e}(g, g)^{u}\big)$. Likewise, for a receiver's attribute set $\{A_i\}$, PKG chooses $h \in \mathbb{Z}_p^*$ and calculates the receiver's private key $(D_{r,1}, D_{r,2}, D_{r,3}) = \big(g^{\alpha_i H_1(i) + h},\ g^{\alpha + h},\ \hat{e}(g, g)^{h}\big)$. PKG transfers the private key to each user through a secure channel.
Signcrypt: The signer first picks $x \in \mathbb{Z}_p^*$ and an LSSS access structure Matrix, then chooses ($\mathrm{Matrix}_i$ stands for the $i$th row of Matrix). Finally, the signer randomly picks $r_i \in \mathbb{Z}_p^*$ and calculates the signcryption information. The signer sends $CT = \{U, V, E\}$ to the receiver.
De-signcrypt: Let $\{\omega_i \in \mathbb{Z}_p\}_{i \in I}$ be a set of constants such that if $\{\lambda_i\}$ are valid shares of the secret $x$ according to Matrix, then $\sum_{i \in I} \omega_i \lambda_i = x$. The receiver calculates $M^*$ as follows: Then the receiver verifies whether Eq. (3) holds. If Eq. (3) holds, the algorithm outputs the plaintext $M$ together with the signature; otherwise it outputs the reject symbol $\bot$.
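The two LSSS steps above, sharing the secret $x$ over the rows $\mathrm{Matrix}_i$ in Signcrypt and recovering it as $\sum_{i \in I} \omega_i \lambda_i = x$ in De-signcrypt, worked out in plain modular arithmetic. This is an added example and not code from the paper; the prime, the access matrix (encoding the policy "(A AND B) OR C") and the attribute labels are constructed for illustration, and the pairing-based parts of the scheme are left out since they do not affect how $\lambda_i$ and $\omega_i$ are computed. The example also shows the failure mode the scheme relies on: for an unauthorized attribute set no $\omega_i$ exist, so nothing is recovered.

```python
# Added example (not from the paper): LSSS share generation and reconstruction
# over Z_p for the "Matrix" access structure used in Signcrypt / De-signcrypt.
# The secret x sits in the first coordinate of a random vector v; the share of
# row i is lambda_i = <Matrix_i, v> mod p; an authorized row set I recovers x
# as sum_i omega_i * lambda_i, where sum_i omega_i * Matrix_i = (1, 0, ..., 0).
import secrets

P = 2**61 - 1  # constructed prime standing in for the group order p

# Constructed access matrix for the policy "(A AND B) OR C".
# Row labels play the role of H_1 mapping attributes to rows.
MATRIX = [
    [1, 1],   # attribute A
    [0, -1],  # attribute B   (A + B = (1, 0), so {A, B} is authorized)
    [1, 0],   # attribute C   ({C} alone is authorized)
]
ATTRS = ["A", "B", "C"]


def share(matrix, secret, p=P, rng=secrets.randbelow):
    """Signcrypt side: return shares [lambda_1, ..., lambda_l] of `secret`."""
    n_cols = len(matrix[0])
    v = [secret % p] + [rng(p) for _ in range(n_cols - 1)]  # v = (x, r_2, ..., r_n)
    return [sum(a * b for a, b in zip(row, v)) % p for row in matrix]


def reconstruction_coefficients(matrix, rows, p=P):
    """
    Find omega (one entry per index in `rows`) with
        sum_i omega_i * matrix[rows[i]] == (1, 0, ..., 0)  (mod p).
    Returns None when `rows` is not an authorized set (no solution exists).
    Solved by Gauss-Jordan elimination on the transposed system M_S^T omega = e_1.
    """
    n_cols = len(matrix[0])
    k = len(rows)
    # Augmented system: n_cols equations in k unknowns, right-hand side e_1.
    aug = [[matrix[r][c] % p for r in rows] + [1 if c == 0 else 0]
           for c in range(n_cols)]
    pivot_cols = []
    row_idx = 0
    for col in range(k):
        pivot = next((r for r in range(row_idx, n_cols) if aug[r][col] % p), None)
        if pivot is None:
            continue  # free variable; fixed to 0 below
        aug[row_idx], aug[pivot] = aug[pivot], aug[row_idx]
        inv = pow(aug[row_idx][col], -1, p)
        aug[row_idx] = [(a * inv) % p for a in aug[row_idx]]
        for r in range(n_cols):
            if r != row_idx and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % p for a, b in zip(aug[r], aug[row_idx])]
        pivot_cols.append(col)
        row_idx += 1
    # A leftover row (0 ... 0 | nonzero) means e_1 is not in the span: unauthorized.
    for r in range(row_idx, n_cols):
        if aug[r][k] % p:
            return None
    omega = [0] * k
    for r, col in enumerate(pivot_cols):
        omega[col] = aug[r][k]
    return omega


def reconstruct(matrix, shares, rows, p=P):
    """De-signcrypt side: sum_i omega_i * lambda_i, or None if not authorized."""
    omega = reconstruction_coefficients(matrix, rows, p)
    if omega is None:
        return None
    return sum(w * shares[i] for w, i in zip(omega, rows)) % p


def rows_for(attrs):
    """Map a set of attribute names to row indices (the role of H_1 here)."""
    return [ATTRS.index(a) for a in attrs]


if __name__ == "__main__":
    x = 123456789
    shares = share(MATRIX, x)
    for attrs in (["A", "B"], ["C"], ["A"], ["B"], ["A", "B", "C"]):
        got = reconstruct(MATRIX, shares, rows_for(attrs))
        print(attrs, "->", "recovered x" if got == x else "not authorized")
```

`reconstruction_coefficients` is the only non-trivial part: it is exactly the linear-algebra step that replaces the recursive tree-walk of Bethencourt et al. (2007), so it runs once per de-signcryption with a fixed cost in the number of matrix rows, and the same routine decides authorization (a solution exists) and produces the constants $\omega_i$ in one pass.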
Correctness proof:
Proof In the challenge game, if there exists an Adversary with advantage $\varepsilon$ in attacking our scheme, then there exists a simulator solving the DBDH problem with advantage $\varepsilon / 2$. The simulator is constructed as follows.
Phase 1 Setup: Adversary claims a challenging attribute set $\gamma$. Challenger defines a set of attributes $\{A_i\}$. Let $G_1$ and $G_2$ be two cyclic groups of prime order $p$, and let $g$ be a generator of $G_1$. Let $\hat{e}: G_1 \times G_1 \to G_2$ be a bilinear pairing. Define two functions: $H_1$ maps attributes to rows of the access matrix Matrix, and $H_2: \{0,1\}^* \to \mathbb{Z}_p^*$.
The aim of the simulator is to output a value $\mu^*$ as a guess of $\mu$.
The simulator plays the role of Challenger and runs Adversary's algorithm as a subroutine.
Phase 2 Queries: Adversary asks for the private key for attributes $A_i$. Simulator picks $u, y, a_i \in \mathbb{Z}_p^*$ and makes the following settings, under which the simulated component $v_1$ satisfies

$\hat{e}(v_1, g) = \hat{e}\big(g^{\sum_{j \in S}(\alpha_j H_1(j) + u)\cdot(x + t)}, g\big) = \hat{e}(g, g)^{\sum_{j \in S} \alpha_j H_1(j)\cdot(x + t)} \cdot \hat{e}(g, g)^{\sum_{j \in S} u(x + t)} = \hat{e}(g, g)^{\sum_{j \in S} \alpha_j H_1(j)\cdot x} \cdot \hat{e}(g, g)^{\sum_{j \in S} \alpha_j H_1(j)\cdot t} \cdot \hat{e}(g, g)^{\sum_{j \in S} u(x + t)}$ (4)

Queries of the kind in Phase 2 can be asked by Adversary a bounded number of times.
Phase 3 Challenge: Adversary picks plaintexts $M_0, M_1$ and a challenging LSSS containing the attribute set $\gamma$.
Let $x = c$; according to the previous setting in the Setup phase, Adversary outputs a value $\mu^*$ as a guess of $\mu$. If $\mu^* = \mu$, Adversary wins the game. We now discuss the simulator's advantage in distinguishing the two tuples $(A = g^a, B = g^b, C = g^c, \hat{e}(g, g)^{abc})$ and $(A = g^a, B = g^b, C = g^c, \hat{e}(g, g)^{z})$.
When $\mu = 1$, $E$ is an illegal ciphertext and Adversary cannot acquire any useful information about $\sigma$.

Theorem 2 If an Adversary can break our scheme under chosen message attack in the selective model, then a simulator can be constructed that solves the DBDH problem with non-negligible advantage.
Proof In the challenge game, if there exists an Adversary with advantage $\varepsilon$ in forging a legal ciphertext, then there exists a simulator which solves the DBDH problem with advantage $\varepsilon / 2$.
Phase 1 Setup: Adversary claims a challenging attribute set $\gamma$. Challenger defines a set of attributes $\{A_i\}$. Let $G_1$ and $G_2$ be two cyclic groups of prime order $p$, and let $g$ be a generator of $G_1$. Let $\hat{e}: G_1 \times G_1 \to G_2$ be a bilinear pairing. Define two functions: $H_1$ maps attributes to rows of the access matrix Matrix, and $H_2: \{0,1\}^* \to \mathbb{Z}_p^*$.
The aim of the simulator is to output a value $\mu^*$ as a guess of $\mu$.

Phase 2 Queries:
Private key generation query: Adversary chooses a set of attributes $A_j$, a plaintext $M$ and an LSSS. Simulator picks $u, y, a_i, b_i, y_i \in \mathbb{Z}_p^*$ and makes the following settings:
Signcrypt query: Adversary picks a message $M$ for the signcrypt query. Simulator runs the algorithm $\mathrm{Signcrypt}\{M, D_s, PK\}$ and returns the result $CT = \{U, V, E\}$ to Adversary.
Queries of the kind in Phase 2 can be asked by Adversary a bounded number of times.

According to the previous setting in the Setup phase:
When $\mu = 1$, $\hat{e}(v_1^*, g)$ is a random number and Adversary fails to forge a legal ciphertext.
When $\mu = 0$, $E$ is a legal ciphertext and Adversary successfully forges the ciphertext. According to the assumption, Adversary has an advantage $\varepsilon$.
As mentioned above, the advantage of the simulator is

Efficiency analysis
In this paper, we compare the proposed scheme with Wang's and Hu's schemes with respect to computation cost and access control method. Since the cost of addition and multiplication is much smaller than that of exponentiation and bilinear pairing, we mainly compare the numbers of exponentiations and bilinear pairings in the different schemes. We denote an exponentiation by "Exp" and a bilinear pairing by "Pair". Detailed results are listed in Table 1.
From Table 1, we can see that the number of exponentiations in the signcryption of our CP-ABSC is larger than in Wang and Huang (2011) and Hu and Zhang (2013); however, the number of bilinear pairings in the de-signcryption is greatly reduced. Since a bilinear pairing is considerably more expensive than an exponentiation, the total computation cost is reduced in our scheme. What's more, our CP-ABSC adopts an LSSS to realize data access control, which differs from the access structures in Wang and Huang (2011) and Hu and Zhang (2013). The LSSS access structure not only avoids the frequent calls of the recursive algorithm used in the access tree model, but also provides more flexible access control management and increases the overall efficiency of the cryptosystem.

Conclusion
In this paper, we propose an optimized attribute based signcryption scheme. By security analysis, we prove that it meets the security requirements of confidentiality, unforgeability and non-repudiation. Besides, by introducing the LSSS structure to implement the access control function, the flexibility and efficiency of the whole attribute based signcryption system are improved.
Our future work will focus on attribute revocation and key refreshing in attribute based encryption. Since users with the same set of attributes share the same private key, once a single user's private key has been leaked, the privacy and privileges of a whole group of users are compromised. Consequently, protecting users' privacy and refreshing private keys at low cost when private key leakage happens is a problem that urgently needs to be solved and will be one of our future research directions.

Table 1 (recovered row for our scheme): access structure: LSSS matrix; signcryption: (5n + 2) Exp; de-signcryption: (n + 1) Exp + (2n + 1) Pair.