Message security and the sender's identity authentication for communication in the open channel is a basic and important technology of the internet. For keeping the message confidential and unforgeable, the sender can use a digital signature algorithm with his private key to sign the message, and then encrypts the signature on the message. Signcryption which was proposed by Zheng et. al in 1997 is a novel cryptographic primitive that simultaneously provides the authentication and encryption in a single logic step and at lower computational costs and communication overheads than the above sign-then-encrypt way. Since then, there are many signcryption schemes proposed. Only recently, a formal security proof model is formalized providing security proof for Zheng's signcryption in the random oracle model. In the ID-based cryptography, the complexity of the managing certificate is reduced.
In this work, by combining a multisignature with an ID-based signcryption scheme, we build a security model of multi-signcryption to define confidentiality and unforgeability of the ID-based signcryption scheme and have proposed an ID-based multi-signcryption scheme based on the bilinear pairings to adapt to a multi-user setting. Given a message m, a receiver's identity IDB, and n sender's identities IDA1, IDA2, … , IDAn, for each sender Ai, it executes the followings steps:
1. randomly pick xi ε Zq to compute Ri = xiP and ωi = xiQIDB;
2. send (Ri, ωi) to the other senders by a secure channel; (3)after receiving the other senders (Ri, ωi), Ai computes ω = e(Ppub, Σωj) to set c = H2(ω)≈m and R = ΣRj;
3. compute Si = xiH4(m) + H3(R,ω)SIDAi, where SIDAi is the private key of sender Ai.
Then the resulting ciphertext is (c,S,R). To unsigcrypt the ciphertext (c,S,R) in the sender list L = (IDA1, IDA2, … , IDAn), the receiver with identity IDB can compute the following steps to recover and verify the message validity.
1. compute ω = e(R,SIDB) and m = H2(ω)≈c, where SIDB is private key of the receiver;
2. accept the message if and only if the following equation holds
e(S,P)=e(R,H4(m))e(Ppub,∑j-1nQAj)H3(R,ω)By security analysis, we show that our scheme satisfies the two important properties of signcryption: confidentiality and unforgeability, and is proven to have been secure in the random oracle model. The security of the scheme is closely related to the Decisional Bilinear Diffie-Hellman assumption and the computational Diffie-Hellman assumption. Finally, by analyzing the efficiency of the scheme, we show that our scheme is very efficient, and only one pairing computation is needed in the signcryption phase, three pairing operators are needed in the unsigncrytion phase, and the ciphertext size is about 420 bits.