GSEP: An E-mail Protocol based on Generalized Signcryption

Yali Si

College of Liren, Yanshan University, No.438 Hebei, Ave., Qinhuangdao, Hebei, 066004 P.R.China

siyali2008@126.com

Keywords: E-mail protocol, Generalized signcryption, Key trace, Identity authentication

Abstract. The security in e-mail protocol has received significant research attention. In this paper,

an e-mail protocol, GSEP, using improved generalized signcryption scheme is proposed. GSEP can

send private e-mail, public e-mail safely, and using key trace to solve the problem of key escrowing,

using identity authentication to solve the problem of junk e-mail. The proposed protocol not only

improves the information processing capability of e-mail system for its multi-function, but also

guarantees the security of transmitting information.

Introduction

E-mail is an important tool to change information in internet. Compared to the conventional mail,

e-mail has the advantages of transmitting information in time, transmitting voice and video, low

price, etc. However, with the improving attack techniques in internet, the transmission of e-mail has

faced many insecurity problems, such as key attacking, information leaking, key escrow problem.

In addition, junk e-mail is a common problem, which is not solved radically though e-mail

companies use filtration technique to decrease the number of garbage e-mails.

In order to solve the above security problems, scholars have done many researches using

generalize signcryption. J.Huifang [1] proposed generalize signcryption models and algorithms but

not have forward security. Z.Jindan et al. [2] improved the security of scheme at the price of high

efficiency. Ayse and Erkay [3] introduced an e-mail protocol based on identity, though the method

of public key changing frequently can avoid being revealed, it requires amount of computation for

Private Key Generator (PKG). L.Qi et al. [4-6] presented e-mail protocols with forward security, but

they do not ensure the information security in transmission process.

In this paper, an e-mail protocol based on generalize signcryption scheme (GSEP) is proposed,

which can send private e-mail and public e-mail safely using the functions of the digital signature

and the data encryption in one computational step. On the one hand, when e-mail system requires

confidentiality and authentication， generalized signcryption scheme applies encryption and

signature synchronous. On the other hand, when e-mail system requires confidentiality or

authentication, generalized signcryption scheme applies encryption or signature without modifying

or adding computation in the cryptosystem. GSEP provides many functions of e-mail and

authentication, in the meantime, it ensures the security of information and key, and prevents

receiving junk e-mails.

The E-mail Protocol based on Generalized Signcryption Scheme

In this section, the frame and the detail of GSEP design are presented.

The frame of GSEP is shown in Fig. 1. The protocol runs the following steps, the user is

confirmed the unique identity by Certificate Authority (CA) first, and then obtains the private key

generated by PKG. The users exchange information through e-mail server. Once the private key is

leaked, the arbitrator executes arbitration process on PKG.

Applied Mechanics and Materials Vols. 397-400 (2013) pp 1941-1944Online available since 2013/Sep/03 at www.scientific.net© (2013) Trans Tech Publications, Switzerlanddoi:10.4028/www.scientific.net/AMM.397-400.1941

All rights reserved. No part of contents of this paper may be reproduced or transmitted in any form or by any means without the written permission of TTP,www.ttp.net. (ID: 136.186.1.81, Swinburne University, Hawthorn, Australia-05/09/14,21:57:27)

Fig. 1. Frame of GSEP

The improved generalize signcryption contains five algorithms: setup, extract, generalize

signcrypt, generalize unsigncrypt and trace, these algorithms are merged into the proposed e-mail

protocol. GSEP consists of six processes: setup of e-mail system, authentication of user’s identity,

extraction of user’s key, sending the e-mail, receiving the e-mail and key trace. The detail of GSEP

design is described as follows.

Setup of GSEP. This initial algorithm sets the parameters of e-mail system. Let G1 and G2 be

bilinear groups of prime order q, let P be an additional generator of G1 (P∈G1). Let e: G1×G1→G2

be a bilinear map. PKG chooses master key s∈Zq* secretly, computes public key Q=sP, then

chooses three hash functions H1:{0,1}→G1*, H2:Zq

*→{0,1}, H3:{0,1}

*×G2

*→Zq

*, and publishes the

e-mail system’s parameters {G1,G2,P,Q,H1,H2,H3}.

Authentication of User’s Identity. The user chooses the identity ID from identity card number,

telephone number or others, and sends ID to CA. CA confirms that ID is the unique identity of the

user, and then responds the information to user.

Extraction of User’s Key. The user’s identity is ID, his key is generated by the following steps.

The user randomly chooses his partial private key s1∈Zq*, computes partial public key Q1=s1P.

PKG computes Q2=H1(ID,Q1), s2=sQ2 and sends (s2,Q2) to the user. Similarly, the sender Alice’s

identity is IDA, her private key is (sA1,sA2) and public key is (QA1,QA2). The receiver Bob’s identity

is IDB, his keys are (sB1,sB2) and (QB1,QB2).

Sending the E-mail. After executing the following signcryption algorithm of plaintext, the

sender Alice sends the e-mail with ciphertext to the receiver Bob by e-mail server.

In order to achieve the function of generalized signcryption, a function is definited as Eq. 1.

H2(QB1)=0 means it is a public e-mail, while H2(QB1)=1 means it is a private e-mail.

2 B1

0, if ( )

1, if

ID IDH Q

ID ID

∅

∅

== ≠

(1)

When the sender Alice signcrypts information m∈RM, Alice confirms the value of H2(QB1) based

on the type of e-mail, chooses t∈RZq* randomly, computes r=e(QA2,Q)

t, v=H3(m,r), u=tsA2-vsA1QA2,

w=m⊕e(QB1QB2,sA2)rH2(QB1), so the ciphertext σ=(v,u,w) is converted into e-mail and then Alice

sends it to the receiver.

Receiving the E-mail. The receiver Bob receives the e-mail from e-mail server, he confirms the

value of w first. If w is 0, it is a public e-mail, otherwise, it is a private e-mail. Then Bob runs the

unsigncrption algorithm to get information m, he computes r′=e(u,P)⋅e(QA2,QA1)v, QA2=H1(ID,QA1).

If QA2 is not equal to Alice’s partial public key, it shows that the received information σ is not legal,

the system prints termination symbol “ ⊥ ” to end the protocol. Otherwise, Bob computes

m=w⊕e(sB1sB2,r′QA2)-P

to restore m.

The

User E-mail

PKG CA

The Arbitrator

(1)ID authentication (2)Generate Key

(4)Return the key of user (3)Return key

(5)Sends m

(6)Confirm user’s ID (7)Return

(8)Receive m

(9)Apply for the arbitration

(11)Return the arbitration information

(10)Arbitration

1942 Advanced Design and Manufacturing Technology III

Key Trace. If PKG fabricates Alice’s partial private key sA1′, generates (sA1′,sA2′), runs the

signcrption operators and sends σ′=(v′,u′,w′) to Bob. After Alice founding this case, key

retrospective algorithm is executed. Alice sends QA1 to the arbitrator and uses zero-knowledge to

proof she has the correct private key sA2. The arbitrator chooses α∈Zq* secretly as the role of PKG’s

master key, computes αP and sends it to PKG. PKG computes and sends e(sA2,αP) to the arbitrator.

The arbitrator verifies Eq. 2. If it holds, the PKG is honest; otherwise, the arbitrator can determine

PKG is dishonest who fabricated Alice’s private key, because only PKG knows the master key.

According to this, the arbitrator revokes the private key generated by PKG, and punishes PKG.

e(sA2,αP)=e(QA2,Q)α (2)

Correctness of GSEP. The correctness proof of r′= r is below. vQQePuer ),(),(' A1A2⋅=

vPsQePQvstse ),(),( A1A2A2A1A2 −=

),(),(),( A2A1A2A1A2 PQvsePQvsePtse −⋅= t

QQe ),( A2= r=

The Eq. 2 is deduced as follow: ααααα ),(),(),(),(),( A2A2A2A2A2 QQesPQePQePsQePse s ====

Security and Performance Analyses of GSEP

Prevention of Junk E-mail. Because the user’s ID is determined valid and unique by CA, it can

guarantee the anonymity of user’s identity in sending the e-mail process, and identity transparency

between receiver and sender in GSEP. When Alice sends the e-mail to Bob first, Bob do not know

Alice’s ID, he can confirm Alice’s authentic identity from e-mail sever or CA after many

information transmissions, and then Bob verifies Alice’s signature and decides whether to receive

the e-mail. So GSEP can authorize the e-mail and avoid receiving junk e-mails from others.

Public Authentication. The e-mail protocol must have the nature of authentication. In other

words, when Bob receives the information, he can authenticate the signature of the sender

legitimacy by the third party. After Bob receives σ from e-mail server, computes and checks r', QA2,

if they are right, it shows that the received information is legitimacy, otherwise, the protocol is

ended. So GSEP has the nature of public authentication.

Solve the Key Escrow Problem. In the identity-based generalized signcryption schemes, the

private key is generated by PKG, so there exits key escrow problem, which is dishonest PKG forges

the user’s signature, or PKG and malicious adversary accomplice user’s private key to acquire the

information of e-mail. In GSEP, the private key is generated by PKG and the user together,

furthermore, key trace technique is proposed to detect dishonest actions of PKG. Therefore, GSEP

can solve the problem of key escrow.

Security of Information. Although one part of private key is generated by PKG, PKG has the

nature of semi-honest which can solve the problem of leak information. In other words, PKG do not

participate in extra protocol activities of gathering any leak information from the protocol. The

information can only be exchanged among sender Alice, receiver Bob and e-mail server in the

process of information transmission. When the e-mail server exchange information with Bob, the

e-mail server verifies the identity of Bob, and then sends information to Bob. Bob verifies the

identity of Alice, and then receives the information from the e-mail server. So the process of

identification can avoid other parties involving, which can ensure the security of information.

Applied Mechanics and Materials Vols. 397-400 1943

Performance Analysis. There is a zero-base pairing computation in signcryption and one-base

pairing computation in the unsigncryption of GSEP. The performance of e-mail protocols are

compared in Table 1. GSEP only needs 4 times exchange, and provides more security performance.

Table 1. Performance comparison of e-mail protocols

Protocols Security of information Prevention of

junk e-mail

Security of

private key

Number of exchange

information

Protocol[3] Ensure the security of information,

if the private key is safe. No provided No guaranteed 5 times

Protocol[4] No provided No provided No guaranteed 5 times

Protocol[5] Ensure the security of information,

if the private key is safe. No provided No guaranteed 6 times

GSEP Ensure the security of information Provided Guaranteed 4 times

Conclusions

In this paper, the multi-functional e-mail protocol based on improved generalized signcryption is

proposed. GSEP solves the problems of leakage information, the key escrow and junk e-mail, and

improves the e-mail transmission capacity and efficiency compared to other schemes. In the future,

the research work is how to prove the security of e-mail protocol in random oracle model and

realize GSEP in the real Internet.

Acknowledgments

This work is partially supported by the National Natural Science Foundation of China (61272466),

Self-financing Project of Qinhuangdao (2012021A058).

References

[1] J.Huifang, H.Wenbao, L.Liandong. Identity Based Generalized Signcryption Scheme for

Multiple PKGs in Standard Model. Journal of Electronics & Information Technology, Vol.33

(2011), p. 1204-1210

[2] Z.Jindan, W.Xuan. Formal Security Proof for Generalized Signcryption. International

Conference on E-Business and Information System Security. IEEE Press, (2009), p. 23-56.

[3] G.K.Ayse, S.Erkay. An Identity-Based Key Infrastructure Suitable for Messaging and Its

Application to E-mail. International Conference on Security and Privacy in Communication

Networks, ACM. (2008), p. 1-11.

[4] L.Qi, W.Jianping, X.Mingwei. Towards a Secure E-mail Protocol with Perfect Forward Secrecy.

Actaelectronica Sinica, Vol.37 (2009), p. 2302-2308.

[5] Z.J.Hong, C.H.Hen. An Efficient Identity-Based Authenticated Email Protocol with Perfect

Forward Secrecy. International Forum on Information Technology and Applications, Vol.3

(2010), p. 68-71.

[6] P.Kushwah, S.Lal. Provable Secure Certificateless Generalized Signcryption Scheme.

Technology & Applications, Vol.3 (2012), p. 925-939.

1944 Advanced Design and Manufacturing Technology III

Advanced Design and Manufacturing Technology III 10.4028/www.scientific.net/AMM.397-400 GSEP: an E-Mail Protocol Based on Generalized Signcryption 10.4028/www.scientific.net/AMM.397-400.1941