Ya-Fen Chang and Shun-Meng Pan

1. Introduction

Nowadays, many users communicate with others via the Internet for convenience. Many network technologies have been proposed to realize ubiquitous communication.However, the Internet is a public but insecure channel, and how to ensure integrity and confidentiality of communication data becomes an urgent issue.Cryptographic technologies play an important role to achieve this goal, and a cryptosystem is regarded as a basic infrastructure. Cryptosystems are divided into two categories, symmetric and asymmetric. In a symmetric cryptosystem, two communication parties need to share one session key to encrypt/decrypt communication information.If there exist n users and any two of them want to communicate with each other secretly, n×(n-1)/2 session keys need to be generated. In an asymmetric cryptosystem,each user possesses a public key and a private key. When a user wants to send a message to another user secretly, the sender uses the receiver’s public key to encrypt the message to get the corresponding ciphertext. After getting the ciphertext, the receiver uses his private key to decrypt the ciphertext to retrieve the message. Thus, asymmetric cryptosystems provide not only encryption but also authentication. Moreover, users may generate signatures in asymmetric cryptosystems. It seems that asymmetric cryptosystems are superior to symmetric ones. Actually, a public key is regarded valid to be used only when it is verified successfully. This approach is cumbersome, and a certificate is needed.

In 1984, Shamir proposed an identity-based (ID-based)cryptosystem[1], where a user’s public information, such as name, e-mail address and so on, is used to be the public key.Via this approach, no certificate is needed to verify a public key. Instead, a private key generator (PKG), needs to issue a private key to the user when he joins the system, and PKG must be a trustworthy third party. An ID-based cryptosystem lets users exchange information securely with no third party’s online service and without verifying the public key. In 2004, Bellare et al. proved that Shamir’s scheme is secure against forgeability[2]. From then on,many ID-based schemes are proposed[3],[4]. As mentioned above, asymmetric cryptosystems enable encryption and digital signature generation. Signature possesses integrity,authentication, non-repudiation such that a signer cannot repudiate the generation of the digital signature and a verifier can ensure the originality of the digital signature.But, how only a specific verifier can retrieve the message and verify the signature to ensure confidentiality becomes another research issue. The simplest way is encrypting the message with the receiver/verifier’s public key and signing the message with the sender/signer’s private key. In 1997,Zheng introduced a novel concept, signcryption, such that encryption and signature generation could be performed at the same time with lower computational costs and communication overheads[5]. Malone-Lee proposed the first identity-based signcryption scheme[6]in 2002. Then many identity-based signcryption schemes have been proposed[7]–[9].

On the other hand, how to ensure uniqueness is a critical requirement. Biometrics, such as fingerprint, palm prints, tongue shape recognition, face recognition, hand geometry, and iris recognition, provides an opportunity to ensure uniqueness because biometric features are unique and cannot be duplicated. Transforming extracted biometric features of the same user may obtain different values because of its nature. Thus, a fuzzy extractor can be adopted to have biometric features of one user transformed into the same value[10],[11].

In 2012, Li and Khan proposed a biometric identity-based signcryption (BIO-IBSC) scheme[12]. In their signcryption scheme, biometric information is used to construct the public key. That is, a sender/signer needs to obtain the receiver/verifier’s biometric feature to signcrypt the message, and the receiver/verifier needs to obtain the sender/signer’s biometric feature to unsigncrypt the ciphertext and signature. It denotes that these two parties need to perform signcryption and unsigncryption cooperatively. This approach is cumbersome and may be against the law on personal data protection.

To overcome the observed drawbacks and to preserve the advantages, we propose an identity-based biometric signcryption (IBBSC) scheme. In our scheme, biometrics is used to protect a user’s private key, and a user’s identity is the corresponding public key. When a signer/sender wants to signcrypt a message, only his biometric feature is needed.And, when a verifier/receiver wants to unsigncrypt he ciphertext and signature, only verifier/receiver’s biometric feature is needed. Thus, signcryption and unsigncryption can be performed by one user independently.

The rest of this paper is organized as follows.Preliminaries are given in Section 2. The formal model of identity-based biometric signcryption is shown in Section 3.Our scheme is presented in Section 4. In Section 5, security analysis of the proposed scheme is made. Finally, some conclusions are drawn in Section 6.

2. Preliminaries

We introduce bilinear pairings and the hard problems which our scheme’s security is based on in Section 2.1.How to generate the key value from biometrics is given in Section 2.2.

2.1 Bilinear Pairings and the Related Hard Problems

Let P be a generator of a cyclic additive group G1and G2be a cyclic multiplicative group with a prime order q. A bilinear pairing map e: G1×G1→G2possesses the following properties.

Alternation: e(P1, P2) = e(P2, P1) for P1, P2∈ G1.

Non-degeneracy: e(P1, P2) ≠ 1 for P1, P2∈ G1.

Bilinearity: e(aP1, bP2) = e(P1, P2)aband e(P1+P3, P2)=e(P1, P2) e(P3, P2) for P1, P2, P3∈ G1and a, b ∈*pZ .

Computability: There exists an efficient algorithm to compute e(P1, P2) for P1, P2∈ G1.

Our scheme’s security is based on the difficulties of solving the q-bilinear Diffie-Hellman Inversion problem and q-strong Diffie-Hellman problem. The definitions are as follows:

Definition 1. q-bilinear Diffie-Hellman inversion problem (q-BDHIP): There are groups G1and G2with a prime order p, a bilinear map e: G1× G1→ G2, and a generator P ∈ G1. It is hard to compute e(P, P)1/αwith given (P, αP, α2P, …, αqP).

Definition 2. q-strong Diffie-Hellman problem(q-SDHP): There are groups G1and G2with a prime order p, a bilinear map e: G1× G1→ G2, and a generator P ∈ G1.It is hard to find a pair (x , P (α +x)) for x ∈Z*pand P(α +x)∈G1with (P, αP, α2P, …, αqP).

2.2 Generating the Key Value from Biometrics

Generating the key value from biometrics is important to make our scheme achieve the goal. Dodis et al. used a fuzzy extractor[10]to obtain a unique identity from an inputted biometric feature b with an allowed error tolerance t. It denotes that the same identity can be retrieved if the distance between the measured biometric feature and the sampled one is within t. Burnett et al. proposed a concrete fuzzy extractor[13]by using an [n, k, 2t+1]Bose-Chaudhuri-Hocquenghem error correction code,Hamming distance metric, and a one-way hash function H:{0, 1}n→ {0, 1}l. Because our scheme is based on Burnett et al.’s concrete fuzzy extractor, the concrete fuzzy extractor is introduced by the following two functions Ebi and Dbi.

· Ebi: After a biometric feature b is inputted, this function computes and returns λ=H(b) and the system parameter PAR = b ⊕ Ce(λ), where Ceis a one-to-one encoding function.

· Dbi: After a biometric feature b′ is inputted and the system parameter PAR is obtained, this function computes and returns λ′= Cd(b′⊕ PAR), where Cdis the decoding function which can correct the errors within a range t. If dis(b, b′) is within the error tolerance t, λ′=λ, where dis(?, ?)is a function to measure the distance between two inputted data items.

3. Formal Model of Identity-Based Biometric Signcryption

To formalize identity-based biometric signcryption(IBBSC) schemes, a generic structure and security notations of IBBSC are given in this section.

3.1 Generic IBBSC Scheme

A generic IBBSC scheme is composed of the following four algorithms, Setup, Extract, Signcrypt, and Unsigncrypt.

· Setup: The PKG (private key generator) executes this algorithm, a probabilistic polynomial-time algorithm, with a security parameter k. This algorithm outputs a master secret key msk and public parameters params.

· Extract: The PKG executes this algorithm, a key generation algorithm, with inputs msk, a user’s identity ID and the user’s biometric feature b. This algorithm outputs the corresponding private keys SID1and SID2.

· Signcrypt: The sender executes this algorithm, a probabilistic polynomial-time algorithm, with the message m, the sender’s private keys Ss1, and Ss2, the sender’s biometric feature bs, and the receiver’s identity IDr. If dis(bs,bs′) ≤ t, this algorithm outputs a ciphertext σ = Signcrypt(m,Ss1, Ss2, bs, IDr).

3.2 Security Notions

An IBBSC scheme should satisfy confidentiality and unforgeability. Confidentiality means indistinguishability adaptive chosen ciphertext attack (IND-CCA2) to make an adversary be unable to distinguish pairs of ciphertexts with the messages he encrypts. Unforgeability denotes existential unforgeability against adaptive chosen messages attacks (EUF-CMA) such that it is computationally infeasible for an adaptive attacker to impersonate an honest sender/signer to forge a valid signature verified by unsigncrypt successfully.

For confidentiality, we take the following game played between a challenger C and an adversary A into consideration.

· Setup: The challenger C runs Setup(k) to get msk and params and runs A with input k and msk.

· Phase 1: The adversary A performs a polynomial bounded number of queries such that each query depends on the responses to the previous ones, where queries consist of extraction, signcryption, and unsigncryption.

1) Extraction queries: A makes an extraction query to C after producing the biometric feature b and ID. C computes Extract(b, ID, msk) to get private keys S1and S2and sends them to A.

2) Signcryption queries: A produces a plaintext m, a sender’s biometric feature bs, a sender’s identity IDs, and a receiver’s identity IDr. C computes the sender’s private keys Ss1and Ss2by Extract(bs, IDs, msk), computes σ by Signcrypt(m, Ss1, Ss2, bs, IDr), and sends σ to A.

3) Unsigncryption queries: A produces a ciphertext σ, a sender’s identity IDs, a receiver’s biometric feature br, and the receiver’s identity IDr. C computes the receiver’s private keys Sr1and Sr2by Extract(br, IDr, msk), computes Unsigncrypt(σ, Sr1, Sr2, br, IDs), and sends the result to A.

· Challenge: A decides when to terminate Phase 1 and generates two messages m0and m1of the same size. A chooses the sender’s biometric feature bs*and makes an extraction query for the sender’s private keys such that (Ss1*,Ss2*) ← Extract(bs*, IDs, msk). C chooses a bit μ randomly,computes σ*= Signcrypt(mμ, Ss1*, Ss2*, bs*, IDr) and returns σ*to A as the challenge.

· Phase 2: A can make a polynomial bounded number of queries as in Phase 1 except that A can make neither an extraction query for the receiver’s private keys nor an unsigncryption query on σ*to get the plaintext.

· Guess: A outputs a bit μ′ and wins the game if μ′ =μ.

The advantage of A is defined as follows:

Definition 3. An IBBSC scheme is said to be IND-CCA2 secure if the advantage for a probabilistic polynomial-time adversary A in the IND-CCA2 game of the security parameter k is negligible.

For unforgeability, we take the following game played between a challenger C and an adversary A into consideration.

· Setup: The challenger C runs Setup(k) to get msk and params and runs A with input k and msk.

· Attack: The adversary A makes a polynomial bounded number of queries as in the previous game.

· Forgery: A produces a new quadruple (σ*, br*, IDr*,IDs*), and A can neither make a signcryption query nor make an extraction query for the sender’s private keys. A wins this game if Unsigncrypt(σ*, Sr1*, Sr2*, br*, IDs*) is not⊥.

Definition 4. An IBBSC scheme is said to be EUF-CMA secure if the advantage for a probabilistic polynomial-time adversary A in the EUF-CMA game of the security parameter k is negligible.

4. Proposed Scheme

In this section, our IBBSC scheme is shown. In our scheme, there exists one PKG. To illustrate how it works,two users UAand UBare involved, where UAis the sender/signer and UBis receiver/verifier.

· Setup: Given a security parameter k, the PKG chooses an additive group G1and a multiplicative group G2with a prime order q, a generator P of G1, a bilinear pairing map e:G1× G1→ G2, three hash functions H1, H2, and H3, an encoding function Ce, a decoding function Cd, and a function H4, where H1: {0, 1}*→, H2: {0, 1}*× G2→, H3: G2→{0, 1}n, H4: b → {0, 1}*and n is the number of the bits of a message to be signcrypted. The PKG randomly chooses a master secret s∈and computes g =e(P, P) and Ppub= sP. The PKG keeps the master secret s secretly and publishes system parameters {G1, G2, e, P, Ppub,g, H1, H2, H3, H4, n, Ce, Cd}.

· Extract: For UA, the PKG computes λA=H4( bA),SA1= bA⊕ Ce( λA), and SA2=P [λA(H1( IDA)+ s )], where IDAis UA’s identity, bAis UA’s inputted biometric pattern and SA1and SA2are UA’s private keys. For UB, the PKG computes λB= H4(bB), SB1= bB⊕ Ce( λB), and, where IDBis UB’s identity, bBis UB’s inputted biometric pattern and SB1and SB2are UB’s private keys.

· Signcrypt: When UAwants to send a message m to UB,UAneeds to perform the following steps:

Step 1: Input bA′.

Step 2: Compute λA′= Cd(bA′⊕ SA1) and SA= λA′SA2. If dis(bA, bA′) ≤ t, λA= λA′, and SA= λA′SA2=

Step 3: Randomly choose x from*pZ.

Step 4: Compute r = gxand c = m ⊕ H3(r).

Step 5: Compute h = H2(m, r).

Step 6: Compute S = (x + h)SA.

Step 7: Compute T = x(H1(IDB)+ Ppub).

Step 8: Output the ciphertext σ = (c, S, T).

· Unsigncrypt: After getting σ from UA, UBunsigncrypts σ by performing the following steps.

Step 1: Input bB′.

Step 2: Compute λB′= Cd(bB′⊕ SB1) and SB= λB′SB2. If dis(bB, bB′) ≤ t, λB= λB′, and SB= λB′SB2=

Step 3: Compute r = e(T, SB).

Step 4: Compute m′ = c⊕ H3(r).

Step 5: Compute h = H2(m′, r).

Step 6: Accept m′ if r = e(S, H1(IDA)P+Ppub)g-h;otherwise, return ⊥.

5. Security Analysis

In this section, we prove that our IBBSC scheme is IND-CCA2 secure and EUF-CMA secure in the random oracle model by giving the following theorems.

Theorem 1. The proposed IBBSC scheme is IND-CCA2 secure in the random oracle model to provide confidentiality.

Proof. If an adversary A breaks IND-CCA2 in the proposed IBBSC scheme, an adversary A′ can be constructed to break IND-CCA2 in Barreto et al.’s IBSC scheme[9].

· Setup: Given k and params, the challenger A′ picks H4, Ceand Cd. A′ sends k, params, H4, Ceand Cdto A.

· Phase 1: The involved queries are constructed as follows.

Extraction queries: A makes an extraction query on the biometric feature b′. A′ computes λ = H4(b′), makes an extraction query on private keys to its own extraction oracle,and forwards the answer to A.

Signcryption queries: A makes a signcryption query with a plaintext m, a sender’s biometric feature bs, a sender’s identity IDs, and a receiver’s identity IDr. After A′gets bs, IDs, IDr, and m from A, A′ computes Ss1and Ss2in its own extraction oracle, computes σ = (c, S, T) with a signcryption query in its own signcryption oracle, and forwards σ to A.

Unsigncryption queries: A makes an unsigncryption query with a ciphertext σ = (c, S, T), the sender’s identity IDs, the receiver’s biometric feature br, and the receiver’s identity IDr. A′ computes the receiver’s private keys Sr1and Sr2and makes an unsigncryption query on σ with Sr1, Sr2, br,and IDsin its own unsigncryption oracle. Then A′ forwards the result to A.

· Challenge: A chooses two plaintexts m0and m1of the same size and the sender’s biometric feature bs*. A′ lets two plaintexts and bs*be its own challenge and gets σ*= (c*, S*,T*). Then A′ forwards σ*to A.

· Phase 2: A can make a polynomial bounded number of queries as in Phase 1 except that A can make neither an extraction query for the receiver’s private keys nor an unsigncryption query on σ*to get the plaintext.

· Guess: Both of A and A′ produces a bit μ′simultaneously.

By the above simulation, if A can correctly guess the signcrypted message, A′ can do it as well. The proposed IBBSC scheme is as IND-CCA2 secure as Barreto et al.’s IBSC scheme in the random oracle model.

Theorem 2. The proposed IBBSC scheme is EUF-CMA secure in the random oracle model to provide unforgeability.

Proof. If an adversary A breaks EUF-CMA in the proposed IBBSC scheme, an adversary A′ can be constructed to break EUF-CMA in Barreto et al.’s IBSC scheme.

· Setup: Given k and params, the challenger A′ picks H4, Ce, and Cd. A′ sends k, params, H4, Ceand Cdto A.

· Attack: The involved queries are constructed as follows.

Extraction queries: A makes an extraction query on the biometric feature b′. A′ computes λ = H4(b′), makes an extraction query on private keys to its own extraction oracle,and forwards the answer to A.

Signcryption queries: A makes a signcryption query with a plaintext m, a sender’s biometric feature bs, a sender’s identity IDs, and a receiver’s identity IDr. After A′gets bs, IDs, IDr, and m from A, A′ computes Ss1and Ss2in its own extraction oracle, computes σ = (c, S, T) by making a signcryption query in its own signcryption oracle, and forwards σ to A.

Unsigncryption queries: A makes an unsigncryption query with a ciphertext σ = (c, S, T), the sender’s identity IDs, the receiver’s biometric feature br, and the receiver’s identity IDr. A′ computes the receiver’s private keys Sr1and Sr2and makes an unsigncryption query on σ with Sr1, Sr2, br,and IDsin its own unsigncryption oracle. If σ is a valid signature, the message m is forwarded to A; otherwise, ⊥ is forwarded to A.

· Forgery: A produces a new quadruple (σ*, br*, IDr*,IDs*) while A can neither make a signcryption query nor make an extraction query for the sender’s private keys. A′computes Sr1*and Sr2*in its own extraction oracle and forwards them to A. A makes an unsigncryption query. If Unsigncrypt(σ*, Sr1*, Sr2*, br*, IDs*) is ⊥, A fails to forge a valid signature.

By the above simulation, if A can forge a valid signature, A′ can do it as well. The proposed IBBSC scheme is as EUF-CMA secure as Barreto et al.’s scheme in the random oracle model.

6. Conclusions

In this paper, we propose an IBBSC scheme. In the proposed scheme, biometric features do not need to be transmitted to other participants such that user personal information can be protected from being misused.Moreover, adopting biometrics makes the proposed scheme preserve uniqueness because users need to input personal biometric features to generate valid signatures or verify received signatures. We also prove that our proposed scheme provides confidentiality and unforgeability in the random oracle such that it is IND-CCA2 and EUF-CMA secure. Because of the mentioned properties, it is believed that the proposed scheme can provide secure message transfer for users who are concerned about security and personal privacy.

[1] A. Shamir, “Identity-based cryptosystem and signature scheme,” in Advances in Cryptology-CRYPTO’84, LNCS, G.R. Blakley and D. Chaum, Ed. Berlin: Springer-Verlag, 1985,pp. 47-53.

[2] M. Bellare, C. Namprempre, and G. Neven, “Security proofs for identity-based identification and signature schemes,” in Advances in Cryptology-EUROCRYPT’04, LNCS, C.Cachin and J. L. Camenisch, Ed. Berlin: Springer-Verlag,2004, pp. 268-286.

[3] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairings,” in Advances in Cryptology-CRYPTO 2001, LNCS, J. Kilian, Ed. Berlin: Springer-Verlag, 2001,pp. 213-229.

[4] K. G. Paterson, “ID-based signatures from pairings on elliptic curves,” Electronics Letters, vol. 38, no. 18, pp.1025-1026, 2002.

[5] Y. Zheng, “Digital signcryption or how to achieve cost(signature & encryption) << cost (signature) + cost(encryption),” in Advances in Cryptology-CRYPTO’97,LNCS, B. S. Kaliski Jr. Ed. Berlin: Springer-Verlag, 1997,pp. 165-179.

[6] J. Malone-Lee. Identity based signcryption. [Online].Available: http://www.signcryption.org/publications/pdffiles/MaloneLee-eprint2002-098.pdf

[7] B. Libert and J. J. Quisquator, “A new identity based signcryption scheme from pairings,” in Proc. of 2003 IEEE Information Theory Workshop Conf., Paris, 2003, pp.155-158.

[8] L. Chen and J. Malone-Lee, “Improve identity-based signcryption,” in Public Key Cryptography-PKC 2005,LNCS, S. Vaudenay, Ed. Berlin: Springer-Verlag, 2005, pp.362-379.

[9] P. S. L. M. Barreto, B. Libert, N. McCullagh, and J. J.Quisquater, “Efficient and provably-secure identity based signatures and signcryption from bilinear maps,” in Advances in Cryptology-ASIACRYPT 2005, LNCS, B. Roy,Ed. Berlin: Springer-Verlag, 2005, pp. 515-532.

[10] Y. Dodis, L. Reyzin, and A. Smith, “Fuzzy extractors: how to generate strong keys from biometrics and other noisy data,” in Advances in Cryptology-EUROCRYPT 2004,LNCS, C. Cachin and J. L. Camenisch, Ed. Berlin:Springer-Verlag, 2004, pp. 523-540.

[11] R. Alvarez Marino, F. Hernandez Alvarez, and L. Hernandez Encinas, “A crypto-biometric scheme based on iris-templates with fuzzy extractors,” Information Sciences,vol. 195, pp. 91-102, Jul. 2012.

[12] F. Li and M. K. Khan, “A biometric identity-based signcryption scheme,” Future Generation Computer Systems,vol. 28, no. 1, pp. 306-310, Jan. 2012.

[13] A. Burnett, F. Byrne, T. Dowling, and A. Duffy, “A biometric identity based signature scheme,” Int. Journal of Network Security, vol. 5, no. 3, pp. 317-326, 2007.