GSEP: an E-Mail Protocol Based on Generalized Signcryption
Yali Si
College of Liren, Yanshan University, No.438 Hebei, Ave., Qinhuangdao, Hebei, 066004 P.R.China
Keywords: E-mail protocol, Generalized signcryption, Key trace, Identity authentication
Abstract. The security of e-mail protocols has received significant research attention. In this paper,
an e-mail protocol, GSEP, using an improved generalized signcryption scheme is proposed. GSEP can
send both private and public e-mail safely; it uses key trace to solve the key escrow problem and
identity authentication to solve the problem of junk e-mail. The proposed protocol not only
improves the information processing capability of the e-mail system through its multiple functions,
but also guarantees the security of the transmitted information.
Introduction
E-mail is an important tool for exchanging information on the Internet. Compared to conventional
mail, e-mail has the advantages of delivering information promptly, carrying voice and video, low
price, etc. However, as attack techniques on the Internet improve, the transmission of e-mail
faces many security problems, such as key attacks, information leakage and the key escrow problem.
In addition, junk e-mail is a common problem, which has not been solved fundamentally although
e-mail companies use filtering techniques to decrease the number of junk e-mails.
To solve the above security problems, scholars have done much research using generalized
signcryption. J.Huifang [1] proposed generalized signcryption models and algorithms, but they do
not have forward security. Z.Jindan et al. [2] improved the security of the scheme at the expense
of efficiency. Ayse and Erkay [3] introduced an identity-based e-mail protocol; although its
frequently changing public keys avoid key disclosure, it requires a large amount of computation by
the Private Key Generator (PKG). L.Qi et al. [4-6] presented e-mail protocols with forward security,
but they do not ensure the security of information during transmission.
In this paper, an e-mail protocol based on a generalized signcryption scheme (GSEP) is proposed,
which can send private e-mail and public e-mail safely using the functions of digital signature
and data encryption in one computational step. On the one hand, when the e-mail system requires
both confidentiality and authentication, the generalized signcryption scheme applies encryption and
signature simultaneously. On the other hand, when the e-mail system requires only confidentiality
or only authentication, the generalized signcryption scheme applies encryption or signature alone,
without modifying or adding computation in the cryptosystem. GSEP provides many e-mail and
authentication functions; at the same time, it ensures the security of information and keys, and
prevents the receipt of junk e-mails.
The E-mail Protocol based on Generalized Signcryption Scheme
In this section, the frame and the detailed design of GSEP are presented.
The frame of GSEP is shown in Fig. 1. The protocol runs the following steps: the user's unique
identity is first confirmed by the Certificate Authority (CA), and the user then obtains the private
key generated by the PKG. Users exchange information through the e-mail server. If the private key
is leaked, the arbitrator executes the arbitration process on the PKG.
Applied Mechanics and Materials Vols. 397-400 (2013) pp 1941-1944. Online available since 2013/Sep/03 at www.scientific.net. © (2013) Trans Tech Publications, Switzerland. doi:10.4028/www.scientific.net/AMM.397-400.1941
Fig. 1. Frame of GSEP
The improved generalized signcryption scheme contains five algorithms: setup, extract, generalized
signcrypt, generalized unsigncrypt and trace. These algorithms are merged into the proposed e-mail
protocol. GSEP consists of six processes: setup of the e-mail system, authentication of the user’s
identity, extraction of the user’s key, sending the e-mail, receiving the e-mail and key trace. The
details of the GSEP design are described as follows.
Setup of GSEP. This initial algorithm sets the parameters of the e-mail system. Let G1 and G2 be
bilinear groups of prime order q, and let P be an additional generator of G1 (P∈G1). Let e: G1×G1→G2
be a bilinear map. The PKG secretly chooses a master key s∈Zq*, computes the public key Q=sP, then
chooses three hash functions H1:{0,1}→G1*, H2:Zq*→{0,1}, H3:{0,1}*×G2*→Zq*, and publishes the
e-mail system’s parameters {G1,G2,P,Q,H1,H2,H3}.
Authentication of User’s Identity. The user chooses an identity ID from an identity card number,
telephone number or similar, and sends ID to the CA. The CA confirms that ID is the unique identity
of the user, and then returns this information to the user.
Extraction of User’s Key. For a user with identity ID, the key is generated by the following steps.
The user randomly chooses a partial private key s1∈Zq* and computes the partial public key Q1=s1P.
The PKG computes Q2=H1(ID,Q1), s2=sQ2 and sends (s2,Q2) to the user. Similarly, the sender Alice’s
identity is IDA, her private key is (sA1,sA2) and her public key is (QA1,QA2). The receiver Bob’s
identity is IDB, and his keys are (sB1,sB2) and (QB1,QB2).
Sending the E-mail. After executing the following signcryption algorithm on the plaintext, the
sender Alice sends the e-mail containing the ciphertext to the receiver Bob via the e-mail server.
To achieve the function of generalized signcryption, a function is defined as Eq. 1.
H2(QB1)=0 means it is a public e-mail, while H2(QB1)=1 means it is a private e-mail.
$$H_2(Q_{B1}) = \begin{cases} 0, & \text{if } ID = ID_{\emptyset} \\ 1, & \text{if } ID \neq ID_{\emptyset} \end{cases} \qquad (1)$$
When the sender Alice signcrypts information m∈RM, Alice determines the value of H2(QB1) based
on the type of e-mail, chooses t∈RZq* randomly, computes r=e(QA2,Q)^t, v=H3(m,r), u=tsA2-vsA1QA2,
w=m⊕e(QB1QB2,sA2)rH2(QB1); the ciphertext σ=(v,u,w) is converted into an e-mail and Alice then
sends it to the receiver.
Receiving the E-mail. The receiver Bob receives the e-mail from the e-mail server and first checks
the value of w. If w is 0, it is a public e-mail; otherwise, it is a private e-mail. Bob then runs
the unsigncryption algorithm to obtain the information m: he computes r′=e(u,P)⋅e(QA2,QA1)^v and
QA2=H1(ID,QA1). If QA2 is not equal to Alice’s partial public key, the received information σ is not
legal, and the system outputs the termination symbol “⊥” to end the protocol. Otherwise, Bob
computes m=w⊕e(sB1sB2,r′QA2)-P to restore m.
[Fig. 1 labels. Entities: the User, E-mail, PKG, CA and the Arbitrator. Steps: (1) ID authentication; (2) Generate key; (3) Return key; (4) Return the key of user; (5) Sends m; (6) Confirm user's ID; (7) Return; (8) Receive m; (9) Apply for the arbitration; (10) Arbitration; (11) Return the arbitration information.]
Key Trace. Suppose the PKG fabricates Alice’s partial private key sA1′, generates (sA1′,sA2′), runs
the signcryption operations and sends σ′=(v′,u′,w′) to Bob. After Alice discovers this, the key
retrospective algorithm is executed. Alice sends QA1 to the arbitrator and uses a zero-knowledge
proof to show that she has the correct private key sA2. The arbitrator secretly chooses α∈Zq* to
play the role of the PKG’s master key, computes αP and sends it to the PKG. The PKG computes
e(sA2,αP) and sends it to the arbitrator. The arbitrator verifies Eq. 2. If it holds, the PKG is
honest; otherwise, the arbitrator can determine that the PKG is dishonest and fabricated Alice’s
private key, because only the PKG knows the master key. Accordingly, the arbitrator revokes the
private key generated by the PKG and punishes the PKG.
$$e(s_{A2},\alpha P) = e(Q_{A2},Q)^{\alpha} \qquad (2)$$
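Correctness of GSEP. The correctness proof of r′=r is below.
$$\begin{aligned}
r' &= e(u,P)\cdot e(Q_{A2},Q_{A1})^{v} \\
   &= e(ts_{A2}-vs_{A1}Q_{A2},\,P)\; e(Q_{A2},\,s_{A1}P)^{v} \\
   &= e(ts_{A2},\,P)\; e(-vs_{A1}Q_{A2},\,P)\cdot e(vs_{A1}Q_{A2},\,P) \\
   &= e(Q_{A2},Q)^{t} = r
\end{aligned}$$
Eq. 2 is deduced as follows:
$$e(s_{A2},\alpha P) = e(sQ_{A2},\alpha P) = e(Q_{A2},P)^{s\alpha} = e(Q_{A2},sP)^{\alpha} = e(Q_{A2},Q)^{\alpha}$$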
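The two identities above (r′=r and Eq. 2) can be checked numerically. The following is an added example, not code from the paper: it assumes a toy pairing in which a G1 element aP is stored as the scalar a and e(aP,bP)=g^(ab) mod p, which is bilinear but offers no security; the parameters, the SHA-256 stand-in for H1 and H3, and all function names are constructed for illustration.

```python
import hashlib
import secrets

# Toy symmetric "pairing" for checking the algebra only (no security): the G1
# element aP is stored as the scalar a mod q, and e(aP, bP) = g^(ab) mod p.
q, p, g = 1019, 2039, 4      # constructed parameters: p = 2q + 1, g has order q
P = 1                        # generator of the toy G1

def e(a, b):
    return pow(g, (a * b) % q, p)

def hash_zq(*parts):         # stand-in for H1 and H3, output in Zq*
    digest = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (q - 1)

def rand_zq():
    return 1 + secrets.randbelow(q - 1)

def setup():
    s = rand_zq()            # PKG master key s
    return s, (s * P) % q    # public key Q = sP

def extract(s, ident):
    s1 = rand_zq()           # user's partial private key
    Q1 = (s1 * P) % q        # Q1 = s1 P
    Q2 = hash_zq(ident, Q1)  # Q2 = H1(ID, Q1)
    return (s1, (s * Q2) % q), (Q1, Q2)   # s2 = s Q2 comes from the PKG

def sign_part(m, sk, pk, Q):
    (s1, s2), (_, Q2) = sk, pk
    t = rand_zq()
    r = pow(e(Q2, Q), t, p)               # r = e(QA2, Q)^t
    v = hash_zq(m, r)                     # v = H3(m, r)
    u = (t * s2 - v * s1 * Q2) % q        # u = t sA2 - v sA1 QA2
    return r, v, u

def recover_r(v, u, pk):
    Q1, Q2 = pk
    return (e(u, P) * pow(e(Q2, Q1), v, p)) % p   # r' = e(u,P) e(QA2,QA1)^v

def trace_ok(s2, Q2, Q, alpha):
    # Eq. 2: e(sA2, alpha P) == e(QA2, Q)^alpha
    return e(s2, (alpha * P) % q) == pow(e(Q2, Q), alpha, p)

if __name__ == "__main__":
    s, Q = setup()
    sk, pk = extract(s, "alice@example.org")      # constructed identity
    r, v, u = sign_part("hello", sk, pk, Q)
    print(recover_r(v, u, pk) == r, trace_ok(sk[1], pk[1], Q, rand_zq()))
```

In this model Eq. 2 holds exactly when sA2 equals s·QA2, so a value of sA2 that was not derived from the master key fails the arbitrator's check, and any change to u changes the recovered r′.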
Security and Performance Analyses of GSEP
Prevention of Junk E-mail. Because the user’s ID is determined to be valid and unique by the CA,
GSEP can guarantee the anonymity of the user’s identity in the e-mail sending process, and identity
transparency between receiver and sender. When Alice sends an e-mail to Bob for the first time, Bob
does not know Alice’s ID; he can confirm Alice’s authentic identity from the e-mail server or the CA
after many information transmissions, and then Bob verifies Alice’s signature and decides whether to
receive the e-mail. So GSEP can authorize e-mail and avoid receiving junk e-mails from others.
Public Authentication. The e-mail protocol must have the property of authentication. In other
words, when Bob receives the information, he can have the legitimacy of the sender’s signature
authenticated by a third party. After Bob receives σ from the e-mail server, he computes and checks
r′ and QA2; if they are correct, the received information is legitimate; otherwise, the protocol is
ended. So GSEP has the property of public authentication.
Solve the Key Escrow Problem. In identity-based generalized signcryption schemes, the
private key is generated by the PKG, so there exists a key escrow problem: a dishonest PKG can forge
the user’s signature, or the PKG and a malicious adversary can collude over the user’s private key
to acquire the information in the e-mail. In GSEP, the private key is generated by the PKG and the
user together; furthermore, the key trace technique is proposed to detect dishonest actions of the
PKG. Therefore, GSEP can solve the key escrow problem.
Security of Information. Although one part of the private key is generated by the PKG, the PKG is
semi-honest, which solves the problem of information leakage. In other words, the PKG does not
participate in extra protocol activities to gather any leaked information from the protocol.
Information can only be exchanged among the sender Alice, the receiver Bob and the e-mail server
during transmission. When the e-mail server exchanges information with Bob, the e-mail server
verifies the identity of Bob and then sends the information to Bob. Bob verifies the identity of
Alice and then receives the information from the e-mail server. So the identification process
prevents other parties from becoming involved, which ensures the security of information.
Performance Analysis. There is a zero-base pairing computation in signcryption and a one-base
pairing computation in the unsigncryption of GSEP. The performance of the e-mail protocols is
compared in Table 1. GSEP only needs 4 exchanges, and provides more security properties.
Table 1. Performance comparison of e-mail protocols

| Protocols | Security of information | Prevention of junk e-mail | Security of private key | Number of information exchanges |
|---|---|---|---|---|
| Protocol [3] | Ensures the security of information, if the private key is safe. | Not provided | Not guaranteed | 5 times |
| Protocol [4] | Not provided | Not provided | Not guaranteed | 5 times |
| Protocol [5] | Ensures the security of information, if the private key is safe. | Not provided | Not guaranteed | 6 times |
| GSEP | Ensures the security of information | Provided | Guaranteed | 4 times |
Conclusions
In this paper, a multi-functional e-mail protocol based on improved generalized signcryption is
proposed. GSEP solves the problems of information leakage, key escrow and junk e-mail, and
improves e-mail transmission capacity and efficiency compared to other schemes. Future work is to
prove the security of the e-mail protocol in the random oracle model and to implement GSEP on the
real Internet.
Acknowledgments
This work is partially supported by the National Natural Science Foundation of China (61272466),
Self-financing Project of Qinhuangdao (2012021A058).
References
[1] J.Huifang, H.Wenbao, L.Liandong. Identity Based Generalized Signcryption Scheme for
Multiple PKGs in Standard Model. Journal of Electronics & Information Technology, Vol.33
(2011), p. 1204-1210
[2] Z.Jindan, W.Xuan. Formal Security Proof for Generalized Signcryption. International
Conference on E-Business and Information System Security. IEEE Press, (2009), p. 23-56.
[3] G.K.Ayse, S.Erkay. An Identity-Based Key Infrastructure Suitable for Messaging and Its
Application to E-mail. International Conference on Security and Privacy in Communication
Networks, ACM. (2008), p. 1-11.
[4] L.Qi, W.Jianping, X.Mingwei. Towards a Secure E-mail Protocol with Perfect Forward Secrecy.
Acta Electronica Sinica, Vol.37 (2009), p. 2302-2308.
[5] Z.J.Hong, C.H.Hen. An Efficient Identity-Based Authenticated Email Protocol with Perfect
Forward Secrecy. International Forum on Information Technology and Applications, Vol.3
(2010), p. 68-71.
[6] P.Kushwah, S.Lal. Provable Secure Certificateless Generalized Signcryption Scheme.
Technology & Applications, Vol.3 (2012), p. 925-939.