An efficient ID-based cryptographic encryption based on discrete logarithm problem and integer factorization problem



Information Processing Letters 115 (2015) 351–358


An efficient ID-based cryptographic encryption based on discrete logarithm problem and integer factorization problem

Chandrashekhar Meshram

Department of Mathematics, R.T.M. Nagpur University, Nagpur (M.S.), India

Article info

Article history: Received 18 May 2014; received in revised form 6 October 2014; accepted 13 October 2014; available online 24 October 2014. Communicated by Jinhui Xu.

Keywords: Cryptography; Identity-based encryption; Integer factorization problem; Discrete logarithm problem; Random oracle

Abstract

ID-based (identity-based) encryption is a very useful tool in cryptography with many potential applications. The security of a traditional ID-based encryption scheme wholly depends on the security of the secret keys. Exposure of secret keys requires reissuing all previously assigned encryptions. This limitation becomes more obvious today as key exposure is more common with the increasing use of mobile and unprotected devices. Under this background, mitigating the damage of key exposure in ID-based encryption is an important problem. To deal with this problem, we propose to integrate forward security into ID-based encryption. In this paper, we propose a new construction of an ID-based encryption scheme based on the integer factorization problem and the discrete logarithm problem which is semantically secure against chosen plaintext attack (CPA) in the random oracle model. We demonstrate that our scheme outperforms the other existing schemes in terms of security, computational cost and the length of the public key.

© 2014 Elsevier B.V. All rights reserved.

1. Introduction

An ID-based encryption provides a convenient way to do public key encryption without the burden of distributing public keys. In an ID-based encryption scheme, the sender of a message can encrypt the message using the identity of the receiver as the public key. Therefore, there is no need for the receiver to show his public key certificate to the sender. Such a cryptosystem is particularly useful in applications where message receivers are not always available to present public key certificates. In 1984 Shamir [18] introduced the concepts of ID-based cryptography to simplify the key management problem. In ID-based cryptography, the unambiguous identity of a user (such as e-mail address, social security number etc.) is used as the public key, while the private key associated with that identity (the public key) is computed and issued secretly to the user by a trusted third party called the private key generator (PKG). In such a setting, the only thing that should be certificated is the public parameters of the PKG, so ID-based cryptography drastically reduces the need for certificates. It was not until 2001 that two ID-based encryption schemes were proposed by Cocks [6] and Boneh and Franklin [1], respectively. In their seminal paper [3], Boneh and Franklin used a category of bilinear maps as the basis of their construction. This led to a number of ID-based encryption schemes [1,2,20], among others based on bilinear maps.

E-mail address: [email protected].

http://dx.doi.org/10.1016/j.ipl.2014.10.007
0020-0190/© 2014 Elsevier B.V. All rights reserved.

Although there have been a number of efficient ID-based encryption schemes, these schemes are still significantly slower than regular public key cryptosystems. For example, the Boneh–Franklin scheme can be 400 times slower than ElGamal in terms of encryption [9]. In practice, applications often need fast encryption and decryption operations. Consequently, the time costs of existing ID-based encryption schemes may not meet the need of practice.

After 2003, several ID-based encryption schemes [4,5,10,13,14,16,17,19] have been proposed. But in these schemes, the public key of each entity is not only an identity, but also some random number selected either by the entity or by the trusted authority. This has made ID-based encryption an active research field in recent years.

The first efficient ID-based encryption scheme was proposed by Boneh and Franklin [3,4]. The novel approach they use is based on a class of bilinear maps. Following their work, a number of ID-based encryption schemes using bilinear maps were proposed. For example, Boneh and Boyen [1] designed a secure ID-based encryption scheme without random oracles; Waters [20] presented an efficient and secure ID-based encryption scheme without random oracles; Boneh and Boyen [2] gave another efficient ID-based encryption scheme without random oracles, which is secure in the selective identity model. Nevertheless, as pointed out in [9], even the efficient schemes like [3] are still significantly slower than regular public key cryptosystems like ElGamal. In contrast, our ID-based encryption scheme is almost as fast as the ElGamal cryptosystem both in encryption and in decryption. Heng and Kurosawa [11,12] used a polynomial based approach to construct an ID-based encryption scheme. Their scheme does not need random oracles and is semantically secure under the integer factorization problem and discrete logarithm problem assumption. However, their scheme is significantly slower than ElGamal as well.

Our contribution. As outlined above, unfortunately we found that all the existing ID-based encryption schemes based on the integer factorization problem and ID-based encryption schemes based on the discrete logarithm problem cannot be regarded as secure. Therefore, our main contribution in this paper is to fill this gap by proposing a provably secure ID-based encryption scheme based on the integer factorization and discrete logarithm problems. The time costs of encryption and decryption in our ID-based encryption scheme are those of ElGamal. More precisely, except for the first encryption operation for each identity, all encryption and decryption operations have the same cost as the corresponding operations of ElGamal. We also provide a formal proof of semantic security against CPA under the integer factorization and discrete logarithm problem assumption in the random oracle model, using the rewinding technique introduced by Boneh and Franklin [3].

Organization. The rest of this paper is organized as follows. Some preliminaries are introduced in Section 2. Our proposed ID-based encryption scheme based on IFP and DLP is presented in Section 3. The efficiency of the proposed ID-based encryption scheme is discussed in Section 4. The security analysis and security proof of our new scheme are presented in Section 5. The performance comparison with other ID-based encryption schemes is discussed in Section 6. Finally, Section 7 concludes the paper.

2. Preliminaries

In this section, we describe some background knowledge used in this paper, including the discrete logarithm problem and the integer factorization problem [18].

2.1. Related definitions

Definition 2.1.1 (IFP). Let $N = p \cdot q$ and $\gcd(e, \varphi(N)) = 1$, where $p$ and $q$ are random safe primes. Given $y \in \mathbb{Z}_N^*$, it is computationally intractable to derive $x$ such that $y = x^e \bmod N$ with the knowledge of $e$ and $N$.

Definition 2.1.2 (DLP over $\mathbb{Z}_N^*$). Let $N = p \cdot q$ and let $g$ be a primitive root for both $\mathbb{Z}_p^*$ and $\mathbb{Z}_q^*$, where $p$ and $q$ are random safe primes. Given $y = g^x \bmod N$, it is computationally intractable to derive $x$.

2.2. Complexity assumption

The security of our scheme relies on a standard complexity-theoretic assumption, the IFP and DLP assumption. We review it as follows.

2.2.1. IFP and DLP assumption

Let $g$ be a generator of a multiplicative group $G$, where $|G| = q$. The challenger randomly chooses $a, b, c \in \mathbb{Z}_p^*$ and a bit $\sigma \in \{0, 1\}$, uniformly and independently. If $\sigma = 1$ he outputs the tuple $(g, g^a \bmod n, g^b \bmod n, g^{ab} \bmod n)$; otherwise he outputs the tuple $(g, g^a \bmod n, g^b \bmod n, g^c \bmod n)$, where $n = p \cdot q$. Then the adversary outputs a guess $\sigma'$ of $\sigma$. An adversary has an $\varepsilon$ advantage if

$$\left| \Pr[\sigma = \sigma'] - \tfrac{1}{2} \right| = \varepsilon.$$

Definition 2.2.1. The decisional $\varepsilon$-IFP and DLP assumption holds in $G$ if no PPT adversary has at least $\varepsilon$ advantage in winning the game above (see also Subsection 5.1).

3. Proposed ID-based encryption scheme based on integer factorization problem and discrete logarithm problem

In this section, we propose an ID-based encryption scheme based on the integer factorization problem (IFP) and the discrete logarithm problem (DLP). Our ID-based encryption scheme is defined to be a four-tuple of algorithms, namely Setup, Extract, Encryption and Decryption. These algorithms are constructed as follows.

3.1. Setup

Taking as input the security parameters $(k, t)$, this algorithm is carried out by the PKG as follows:

1. Generate large primes $p$ and $q$ with $q \mid p - 1$ and set $N = p \cdot q$. Also let $G = \{g^0, g^1, g^2, \ldots, g^{q-1}\}$ be the subgroup of prime order $q$ of the multiplicative group $\mathbb{Z}_N^*$, where $g$ is a generator of prime order $q$.

2. Generate a $t$-dimensional secret vector $X = (x_1, x_2, x_3, x_4, \ldots, x_t)$, where each $x_i$ is randomly selected from $\mathbb{Z}_N^*$.

3. Generate the corresponding $t$-dimensional public vector $Y = (y_1, y_2, y_3, y_4, \ldots, y_t)$, where $y_i = g^{x_i} \bmod N$ for $i \in [1, t]$.

4. Construct an identity cryptographic hash function $H : \{0, 1\}^* \to \{0, 1\}^t$.

The master key of the PKG is set to $mk = \{p, q, X\}$ and the public parameters of the PKG are $pm = \{N, g, Y, H\}$. For notational convenience, we denote the bit length of $q$ by $|q| = k_q = t$ and that of $p$ by $|p| = k_p = s$.

3.2. Extract

For a given $ID \in \{0, 1\}^*$, the algorithm performs the following:

1. Compute $H(ID) \to (h_1, h_2, h_3, h_4, \ldots, h_t)$, where $h_i$ is the $i$th bit of $H(ID)$ and $i \in [1, t]$.

2. Compute the private key as follows:

$$x_{ID} = \sum_{i=1}^{t} h_i x_i \bmod N.$$

3. Compute the corresponding public key as follows:

$$y_{ID} = \prod_{i=1}^{t} (y_i)^{h_i} \bmod N = \prod_{i=1}^{t} g^{h_i x_i} \bmod N = g^{x_{ID}} \bmod N.$$

3.3. Encryption

A message $M \in \{0, 1\}^*$ is encrypted for $ID$ as follows:

1. Pick a random value $r \in \mathbb{Z}_N^*$ and compute $C_1 = g^r \bmod N$.

2. Compute $C_2 = M \cdot (y_{ID})^r \bmod N$.

The ciphertext is given by $C = (C_1, C_2)$.

3.4. Decryption

To decrypt the ciphertext $C = (C_1, C_2)$ under the entity's identity $ID$, the user decrypts $C$ using his private key $x_{ID}$ as follows:

$$\frac{C_2}{C_1^{x_{ID}}} \bmod N = \frac{M \cdot (y_{ID})^r}{(g^r)^{x_{ID}}} \bmod N = \frac{M \cdot (g^{x_{ID}})^r}{(g^r)^{x_{ID}}} \bmod N = M \bmod N.$$

4. Efficiency

If an encryption operation is not the first one for a user identity, then its time cost is the same as an ElGamal encryption [7]. If it happens to be the first one for a user identity, then it has an extra cost of $\frac{t}{2}$ multiplications on average. A decryption operation always has the same time cost as an ElGamal decryption.

5. Security notation and discussion

In this section, we prove that the security of the ID-based encryption scheme is based on the hardness of the integer factorization problem and the discrete logarithm problem.

We start by introducing security notation by defining an attack model, then prove that the ID-based encryption scheme is semantically secure against chosen plaintext attack in the random oracle model, using the rewinding technique introduced by Boneh and Franklin [3].

Definition 5.1. An identity-based encryption scheme is $(k, \varepsilon)$-semantically secure against an adaptive chosen plaintext attack (CPA) if all probabilistic polynomial time (PPT) adversaries making at most $k$ private key queries have at most an $\varepsilon$ advantage in breaking the scheme.

5.1. Semantic security model against CPA for ID-based encryption schemes

To describe the attack model, we have considered the following game between a challenger and an adversary.

Setup: The challenger generates the public parameters and the master private key; he gives the public parameters to the adversary.

Phase 1: The adversary is allowed to make queries $q_1, q_2, q_3, \ldots, q_t$, where each query $q_i$ may depend on the replies to the previous queries $q_1, q_2, q_3, \ldots, q_{i-1}$. In this game, we only allow one type of query, private key extraction queries. That is, each query is an identity $\langle ID_i \rangle$. The challenger responds with the corresponding private key for this identity.

Challenge: The adversary sends the challenger another identity $ID$, for which he did not request a private key in Phase 1, and two messages $M_0$ and $M_1$. The challenger picks $\gamma$ uniformly at random from $\{0, 1\}$ and encrypts $M_\gamma$ under the identity $ID$. Then he sends the ciphertext as the challenge to the adversary.

Phase 2: Phase 1 is repeated with the restriction that the adversary cannot request a private key for the identity ID. Each query can be made adaptively, just as in Phase 1.

Guess: Finally, the adversary submits a guess $\gamma' \in \{0, 1\}$. If $\gamma' = \gamma$, the adversary wins; otherwise, he loses.

$$\mathrm{Adv}(A) = \left| \Pr[\gamma' = \gamma] - \tfrac{1}{2} \right|.$$

The probability is over the coin flips of the challenger.

5.2. Security proof

In this subsection, we prove the security of the ID-based encryption scheme based on the integer factorization problem and the discrete logarithm problem using the rewinding technique invented by Boneh and Franklin [3].

Theorem 5.1. Let the identity cryptographic hash function $H$ be a random oracle. Then our ID-based encryption scheme is $(k, \varepsilon)$-semantically secure under the decisional $\frac{\varepsilon}{2}\left(1 - \frac{1}{e} - \frac{1}{2^t - 2^k}\right)$-integer factorization problem and discrete logarithm problem assumption in the random oracle model.

Proof. Suppose that there exists a $(k, \varepsilon)$-adversary $A$ against the ID-based encryption scheme. That is to say, the adversary $A$ makes at most $k$ queries and gets at least $\varepsilon$ advantage in the IND-ID-CPA game.

We construct a probabilistic polynomial time (PPT) simulator $B$ to play the integer factorization problem and discrete logarithm problem game mentioned in Subsection 5.1. The simulator $B$ takes the challenge $(g, A = g^a \bmod N, B = g^b \bmod N, Z)$ as input and outputs a guess $\sigma'$ of $\sigma$. To find a good guess $\sigma'$, simulator $B$ plays an IND-ID-CPA game with the adversary $A$. We give a detailed description of the simulator and the IND-ID-CPA game as follows.

Setup: Simulator $B$ randomly chooses $k$ $t$-dimensional binary vectors, uniformly and independently,

$$V_i = (h_{1i}, h_{2i}, h_{3i}, \ldots, h_{ti})^T, \qquad i \in [1, k].$$

$B$ also randomly chooses $v_1, v_2, v_3, \ldots, v_t$ from $\mathbb{Z}_N^*$ uniformly and independently. Then $B$ chooses $u_1, u_2, u_3, \ldots, u_t \in \mathbb{Z}_N^*$ satisfying the following equation system:

$$(u_1, u_2, u_3, \ldots, u_t) \times \begin{pmatrix} h_{11} & h_{12} & h_{13} & \cdots & h_{1k} \\ h_{21} & h_{22} & h_{23} & \cdots & h_{2k} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ h_{t1} & h_{t2} & h_{t3} & \cdots & h_{tk} \end{pmatrix} \pmod N = (0, 0, 0, \ldots, 0) \bmod N = 0 \tag{5.1}$$

Note that there exist many tuples $u_1, u_2, u_3, \ldots, u_t \in \mathbb{Z}_N^t$ that satisfy Eq. (5.1). The simulator $B$ randomly chooses one of them.

$B$ sets the public parameter $Y$ as follows:

$$Y = \left(A^{u_1} g^{v_1}, A^{u_2} g^{v_2}, A^{u_3} g^{v_3}, \ldots, A^{u_t} g^{v_t}\right) \pmod N.$$

The corresponding master private key $X = (x_1, x_2, x_3, x_4, \ldots, x_t)$ is

$$X = (a u_1 + v_1, a u_2 + v_2, a u_3 + v_3, \ldots, a u_t + v_t).$$

Note that $B$ does not know $a$. The simulator $B$ gives the public parameters $(N, g, t, Y)$ to the adversary $A$.

Random oracle queries: In the remaining phases, the adversary $A$ needs to make queries to the random oracle $H$ when he needs to obtain hash values. Note the difference between these random oracle queries and the queries in the IND-ID-CPA game. Below we describe how $B$ answers random oracle queries in the remaining phases.

Suppose that $q_H$ is a polynomial upper bound on the number of random oracle queries. That is, $A$ makes at most $q_H$ queries to the random oracle $H$. The simulator $B$ randomly chooses $\mu \subseteq \{1, 2, \ldots, q_H\}$ such that $|\mu| = k$.

To answer the random oracle queries, the simulator $B$ maintains a list of tuples $\langle ID_i, H(ID_i), \alpha_i \rangle$, where $ID_i$ is an identity that has appeared in an earlier random oracle query and $\alpha_i \in \{0, 1\}$ is assigned when $B$ responds to the query. Let $H_{list}$ denote this list of tuples; at the beginning, $H_{list}$ is empty. When there is a random oracle query $ID_i$, $B$ responds as follows.

1. If $ID_i$ is already in the list $H_{list}$, then $B$ replies with the recorded hash value $H(ID_i)$.

2. If $ID_i$ is the $i$th new query to the random oracle and $i \in \mu$, let $i'$ be such that $i$ is the $i'$th smallest element of $\mu$; then $B$ sets $H(ID_i) = (h_{1i'}, h_{2i'}, h_{3i'}, \ldots, h_{ti'})$ and $\alpha_i = 1$. Otherwise, $B$ randomly chooses a binary string $h_{1j}, h_{2j}, h_{3j}, \ldots, h_{tj} \in \{0, 1\}^t$ that is not in the list $H_{list}$, sets $H(ID_i) = h_{1j}, h_{2j}, h_{3j}, \ldots, h_{tj}$ and $\alpha_i = 0$, and responds with $H(ID_i)$. In both cases, $B$ records the tuple $\langle ID_i, H(ID_i), \alpha_i \rangle$ in $H_{list}$.

Given the above method of answering random oracle queries, we can now describe how the simulator works in the remaining phases of the IND-ID-CPA game.

Phase 1: For each private key extraction query IDi issued by the adversary A, B responds as follows:

1. If $ID_i$ appears in $H_{list}$ and $\alpha_i = 0$, or $ID_i$ does not appear in $H_{list}$ and all the $V_j$ generated in the Setup phase have been used in replying to the earlier queries, then $B$ restarts the IND-ID-CPA game; in particular, $B$ needs to re-choose the set $\mu \subseteq \{1, 2, \ldots, q_H\}$ in the restarted game. Note that $B$ can restart the IND-ID-CPA game at most $\binom{q_H}{k} - 1$ times. If the number of restarts of the IND-ID-CPA game exceeds this number, then $B$ aborts, outputting a uniformly random bit as $\sigma'$.

2. If $ID_i$ appears in $H_{list}$ and $\alpha_i = 1$, then $B$ computes $x_{ID_i} = \sum_{s=1}^{t} h'_{si} v_s \bmod N$ and replies with $x_{ID_i}$, where $h'_{si}$ is the $s$th bit of the recorded value $H(ID_i)$.

3. If $ID_i$ does not appear in $H_{list}$ and there exists a $V_j$ generated in the Setup phase that was never used in replying to the previous queries, $B$ chooses such a never-used $V_j$, sets $H(ID_i) = h_{1j}, h_{2j}, h_{3j}, \ldots, h_{tj}$ and $\alpha_i = 1$, answers the query using $x_{ID_i} = \sum_{s=1}^{t} h_{si} v_s \bmod N$, and records the tuple $\langle ID_i, H(ID_i), \alpha_i \rangle$ in $H_{list}$.

Note that

$$x_{ID_i} = \sum_{s=1}^{t} h_{si} x_s \bmod N = \sum_{s=1}^{t} h_{si} (a u_s + v_s) \bmod N = a \sum_{s=1}^{t} h_{si} u_s \bmod N + \sum_{s=1}^{t} h_{si} v_s \bmod N = \sum_{s=1}^{t} h_{si} v_s \bmod N,$$

where the last equality is due to Eq. (5.1). So the above assignment of $x_{ID_i}$ is valid.

Challenge: The adversary $A$ submits two plaintexts $M_0, M_1 \in \{0, 1\}^*$ and an identity $ID_0 \ne ID_i$ for every $ID_i$ that appeared in the private key extraction queries. The simulator $B$ randomly chooses a binary string $h_{10}, h_{20}, h_{30}, \ldots, h_{t0} \in \{0, 1\}^t$. If the binary vector $V_0 = (h_{10}, h_{20}, h_{30}, \ldots, h_{t0})^T$ is a linear combination of the $V_i$ ($1 \le i \le k$), then $B$ aborts, outputting a uniformly random bit as $\sigma'$; otherwise, $B$ computes $u = \sum_{i=1}^{t} h_{i0} u_i \bmod N$, $v = \sum_{i=1}^{t} h_{i0} v_i \bmod N$, and

$$y_{ID_0} = A^u g^v \bmod N = g^{au + v} \bmod N.$$

$B$ records the tuple $\langle ID_0, (h_{10}, h_{20}, h_{30}, \ldots, h_{t0}), 0 \rangle$ in $H_{list}$. Next, $B$ picks $\gamma$ uniformly at random from $\{0, 1\}$ and uses the ciphertext

$$C = \left(B, M_\gamma Z^u B^v\right) \pmod N$$

as the challenge to the adversary $A$.

Phase 2: The adversary $A$ issues private key extraction queries $ID_{s+1}, \ldots, ID_k$, none equal to $ID_0$, and the simulator responds in the same way as in Phase 1.

Guess: The simulator $B$ outputs a guess $\sigma'$ of $\sigma$ based on the output $\gamma'$ of the adversary $A$ as follows: if $\gamma' = \gamma$, then $\sigma' = 1$; otherwise, $\sigma' = 0$.

To lower bound the advantage of the above simulator, we first define some events and analyze their probabilities. Let abort be the event that the simulator aborts in the above game. We observe that there are two possible reasons that the simulator $B$ aborts: (1) in Phase 1 or Phase 2, a private key extraction query leads to restarting of the IND-ID-CPA game but the number of restarts of the IND-ID-CPA game exceeds $\binom{q_H}{k} - 1$; (2) in the Challenge phase, the binary vector $V_0 = (h_{10}, h_{20}, h_{30}, \ldots, h_{t0})^T$ is a linear combination of the $V_i$ ($1 \le i \le k$).

Claim. The probability that the simulator $B$ aborts for reason (1) is at most $\frac{1}{e}$.

Proof. With one choice of $\mu$, the probability that there is a private key extraction query leading to restarting of the IND-ID-CPA game is at most $1 - \frac{1}{\binom{q_H}{k}}$. Let $w = \binom{q_H}{k}$; then the probability that $w$ choices of $\mu$ all lead to restarting of the IND-ID-CPA game is at most $\left(1 - \frac{1}{w}\right)^w \approx \frac{1}{e}$. That is, the probability that the simulator $B$ aborts for the first reason is at most $\frac{1}{e}$. □

Claim. The probability that the simulator $B$ aborts for reason (2) is at most $\frac{1}{2^t - 2^k}$.

Proof. We observe that there are $2^t$ $t$-dimensional binary vectors in total. Consequently, we only need to show that the span of $k$ ($< t$) random $t$-dimensional binary vectors contains at most $2^k$ binary vectors.

Let $M_{tk}$ be the matrix that has the $k$ binary vectors $V_i$ ($1 \le i \le k$) as its column vectors. The rank of the matrix $M_{tk}$ is $k' \le k$; thus there exist $k'$ rows of $M_{tk}$ that are linearly independent. Without loss of generality, suppose that the first $k'$ rows of $M_{tk}$ are linearly independent. Let $V'_i$ denote the $k'$-dimensional vector consisting of the first $k'$ elements of $V_i$ ($1 \le i \le k$). Set

$$\delta' = \left\{ V' \;\middle|\; V' = (V'_1, V'_2, V'_3, \ldots, V'_k)(a_1, a_2, a_3, \ldots, a_k)^T,\ \text{where } a_i \in \mathbb{Z}_N\ (1 \le i \le k),\ V' \text{ is a } k'\text{-dimensional binary vector} \right\}$$

$$\delta = \left\{ V \;\middle|\; V = (V_1, V_2, V_3, \ldots, V_k)(a_1, a_2, a_3, \ldots, a_k)^T,\ \text{where } a_i \in \mathbb{Z}_N\ (1 \le i \le k),\ V \text{ is a } t\text{-dimensional binary vector} \right\}$$

We observe that $|\delta| \le |\delta'|$. On the other hand, we have $|\delta'| \le 2^{k'} \le 2^k$. □

By combining the above two claims, we know that the probability that the simulator $B$ does not abort is at least $1 - \frac{1}{e} - \frac{1}{2^t - 2^k}$. Next, we work on the conditional probability that $\sigma = \sigma'$ when the simulator $B$ does not abort.

Claim. The conditional probability $\Pr[\sigma = \sigma' \mid \overline{\mathrm{abort}}]$ satisfies

$$\left| \Pr[\sigma = \sigma' \mid \overline{\mathrm{abort}}] - \tfrac{1}{2} \right| \ge \tfrac{1}{2}\varepsilon.$$

Proof. Under the assumption that the simulator does not abort, we distinguish two cases:

1. If $Z = g^{ab} \bmod N$ (i.e., $\sigma = 1$), we have

$$C = \left(B, M_\gamma Z^u B^v\right) \pmod N = \left(g^b, M_\gamma (g^{au+v})^b\right) \pmod N.$$

It is clear that $C$ is a valid encryption of $M_\gamma$ under the public key $ID_0$. Therefore,

$$\left| \Pr[\gamma = \gamma' \mid \sigma = 1 \wedge \overline{\mathrm{abort}}] - \tfrac{1}{2} \right| \ge \varepsilon.$$

2. Otherwise (i.e., $\sigma = 0$), we have that $Z = g^c \bmod N$ and that $c$ is a random element of $\mathbb{Z}_N^*$, which gives no information about $\gamma$. So

$$\Pr[\gamma = \gamma' \mid \sigma = 0 \wedge \overline{\mathrm{abort}}] = \tfrac{1}{2}.$$

Then we have

$$\begin{aligned}
\Pr[\sigma = \sigma' \mid \overline{\mathrm{abort}}]
&= \Pr[\sigma = 1 \wedge \sigma' = 1 \mid \overline{\mathrm{abort}}] + \Pr[\sigma = 0 \wedge \sigma' = 0 \mid \overline{\mathrm{abort}}] \\
&= \Pr[\sigma = 1 \wedge \gamma = \gamma' \mid \overline{\mathrm{abort}}] + \Pr[\sigma = 0 \wedge \gamma \ne \gamma' \mid \overline{\mathrm{abort}}] \\
&= \Pr[\gamma = \gamma' \mid \sigma = 1 \wedge \overline{\mathrm{abort}}] \Pr[\sigma = 1 \mid \overline{\mathrm{abort}}] + \Pr[\gamma \ne \gamma' \mid \sigma = 0 \wedge \overline{\mathrm{abort}}] \Pr[\sigma = 0 \mid \overline{\mathrm{abort}}] \\
&= \tfrac{1}{2}\eta + \tfrac{1}{2} \cdot \tfrac{1}{2} = \tfrac{1}{2}\eta + \tfrac{1}{4},
\end{aligned}$$

where $\eta = \Pr[\gamma = \gamma' \mid \sigma = 1 \wedge \overline{\mathrm{abort}}]$. Finally, we have

$$\left| \Pr[\sigma = \sigma' \mid \overline{\mathrm{abort}}] - \tfrac{1}{2} \right| = \left| \tfrac{1}{2}\eta + \tfrac{1}{4} - \tfrac{1}{2} \right| = \left| \tfrac{1}{2}\eta - \tfrac{1}{4} \right| = \tfrac{1}{2}\left| \eta - \tfrac{1}{2} \right| \ge \tfrac{1}{2}\varepsilon. \qquad \square$$

By combining the above conditional probability with the probability that the simulator does not abort, we can easily obtain that the advantage of the simulator is at least $\frac{\varepsilon}{2}\left(1 - \frac{1}{e} - \frac{1}{2^t - 2^k}\right)$. This completes the proof of Theorem 5.1. □

6. Performance comparison of ID-based encryption schemes

In this section, we discuss five of the most widely used ID-based encryption schemes and compare their performance. These five ID-based encryption schemes are: the Cocks ID-based encryption scheme [6], the Boneh–Franklin ID-based encryption scheme [3], the Authenticated ID-based encryption scheme [15], the Selective-ID Secure ID-based encryption scheme without random oracles [2], and our proposed ID-based encryption scheme based on the integer factorization problem and the discrete logarithm problem. These ID-based encryption schemes have different performance on a server when evaluating encryption algorithm performance, decryption algorithm performance, and computational cost. The notation used in this computation is as follows: P = pairing operation, M = modular multiplication, e = exponentiation in $G$, m = scalar or point multiplication in $G$, x = XOR operation, h = hashing, a = addition modulo, i = inverse modulo, J = Jacobi symbol and C($\theta$) = computation cost of operation $\theta$.

6.1. Performance comparison on encryption/decryption algorithms and computational cost

In this subsection, we explain the required operations, performance and computation cost of our ID-based encryption scheme and of the other four ID-based encryption schemes, as described below.

In the Boneh and Franklin ID-based encryption scheme [3], the encryption process requires 1 pairing operation, 1 map-to-point hash operation, 1 group exponentiation in $G_2$, 1 hash ($H_2$) operation, 1 scalar multiplication in $G_1$ and 1 XOR operation. The decryption process requires 1 pairing operation, 1 hash operation ($H_2$) and 1 XOR operation. The scheme is basic identity, which is secure against adaptive chosen message attack. By applying the padding technique of Fujisaki–Okamoto [8], the scheme can be extended to full identity, which is secure against chosen ciphertext attack (IND-ID-CCA secure).

In the Cocks ID-based encryption scheme [6], the encryption phase requires the calculation of 1 Jacobi symbol, 2 additions, 2 multiplications and 2 inverses modulo $M$ for each bit of the transport key. It also requires encryption using a symmetric algorithm. The decryption phase requires calculating 1 Jacobi symbol and 1 addition modulo $M$ for each transport key bit to extract the transport key. It then requires one symmetric decryption algorithm. The scheme is very inefficient in terms of bandwidth requirements, as each bit of the transport key requires a number of size up to $M$ to be sent. The scheme is based on the hardness of the quadratic residuosity problem (QRP) and is vulnerable to adaptive chosen ciphertext attacks. No formal security proof for the scheme is available.

In the Authenticated ID-based encryption scheme [15], the encryption and decryption phases each require 1 pairing operation, 1 map-to-point hash, 3 hash ($H_1$, $H_3$ and $H_4$) operations, and 1 XOR operation. In addition, the encryption and decryption schemes require secure symmetric encryption and decryption algorithms respectively. Authenticated encryption is faster than plain encryption because there is one less exponentiation and no point multiplication. Note that both encryption and decryption algorithms benefit greatly from caching $C_2$, obviating the need for an expensive Weil pairing computation, which makes their computation as fast as a symmetric cipher and mechanics. This scheme provides non-repudiation as well as integrity and confidentiality. The scheme is secure against adaptive chosen ciphertext attack in the random oracle model assuming the hardness of the Bilinear Diffie–Hellman Problem (BDHP).

In the Selective-ID Secure ID-based encryption scheme [2], the encryption process requires 3 exponentiations in $G_1$, 1 group multiplication in $G_1$, 1 exponentiation in $G_2$, 1 group multiplication in $G_2$ and 1 pairing operation. The decryption process requires 1 exponentiation in $G_1$, 1 group multiplication in $G_1$, 1 inversion in $G_2$ and 1 pairing operation. However, in the encryption phase $e(g, g)$ can be pre-computed once and cached, so that encryption does not require any pairing operation. This scheme is selective identity, chosen plaintext secure without random oracles based on the q-Decision Bilinear Diffie–Hellman Inversion (q-BDHI) assumption.

In our proposed ID-based encryption scheme based on the integer factorization problem and the discrete logarithm problem, the encryption process requires 1 multiplication and 2 exponentiations in G. The decryption process requires 1 multiplication, 1 exponentiation in G, and 1 inversion in G. This scheme is semantically secure against CPA in the random oracle model, using the rewinding technique introduced by Boneh and Franklin [3].
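The operation profile quoted above (2 exponentiations + 1 multiplication to encrypt; 1 exponentiation, 1 inversion, 1 multiplication to decrypt) is the one of ElGamal-style encryption, which the conclusion uses as the efficiency baseline. The following added example counts the group operations of textbook ElGamal over a prime-order subgroup of Z_p^*; it is not the paper's scheme (whose construction is given in the earlier sections) and the toy group, the square-based message encoding and the `cost_profile` harness are assumptions of the example.

```python
"""Textbook ElGamal over the order-q subgroup of Z_p^* with an operation
counter.  Added illustration of the per-message cost profile (2 exp + 1 mul
to encrypt; 1 exp + 1 inv + 1 mul to decrypt); not the paper's scheme."""
import random
from collections import Counter

# Constructed toy group: p = 2q + 1 with q prime (a safe prime), g = 4 has
# order q.  Sizes are tiny for illustration only and offer no security.
P = 2039
Q = 1019
G = 4

ops = Counter()  # counts the group operations the scheme performs


def exp(b, e):
    ops["exp"] += 1
    return pow(b, e, P)


def mul(x, y):
    ops["mul"] += 1
    return (x * y) % P


def inv(x):
    ops["inv"] += 1
    return pow(x, -1, P)


def encode(m):
    """Map m in [1, Q] into the order-Q subgroup: use m if it is a square
    mod P, otherwise -m (which then is, because P = 3 mod 4)."""
    assert 1 <= m <= Q
    return m if pow(m, Q, P) == 1 else P - m


def decode(v):
    return v if v <= Q else P - v


def keygen(rng):
    x = rng.randrange(1, Q)   # private key x
    return x, exp(G, x)       # public key y = g^x


def encrypt(y, m, rng):
    """Sender: 2 exponentiations + 1 multiplication."""
    k = rng.randrange(1, Q)
    c1 = exp(G, k)
    c2 = mul(encode(m), exp(y, k))
    return c1, c2


def decrypt(x, ct):
    """Receiver: 1 exponentiation + 1 inversion + 1 multiplication."""
    c1, c2 = ct
    return decode(mul(c2, inv(exp(c1, x))))


def cost_profile(m, seed=7):
    """Encrypt and decrypt m; return (recovered, encrypt_ops, decrypt_ops)."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    ops.clear()
    ct = encrypt(y, m, rng)
    enc = dict(ops)
    ops.clear()
    rec = decrypt(x, ct)
    return rec, enc, dict(ops)


if __name__ == "__main__":
    print(cost_profile(123))
```

The counter is the point of the example: a reader can swap in a larger group or a different message encoding and confirm that the per-message cost stays at three group operations on each side, in contrast to the per-bit cost of the Cocks scheme.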

From these observations, our proposed ID-based encryption scheme has better performance in the encryption and decryption algorithms than the other four schemes: the Boneh and Franklin-ID-based encryption scheme, the Cocks-ID-based encryption scheme, the Authenticated ID-based encryption scheme and the Selective-ID Secure ID-based encryption scheme. Our proposed scheme is faster than the Boneh and Franklin-ID-based encryption scheme, the Selective-ID Secure ID-based encryption scheme and the Authenticated ID-based encryption scheme in two respects. First, our proposed scheme needs no pairing computation in the encryption and decryption algorithms, because e(P1, P2) can be pre-computed. Secondly, the map-to-point algorithm used by the Boneh and Franklin-ID-based encryption scheme and the Authenticated ID-based encryption scheme to map an identity to an element of G1 or G2 is not required, because our scheme uses a simple hash function to map an identifier to an element of Z_N^*. Our proposed scheme is faster than the Cocks-ID-based encryption scheme in one respect: the Cocks ciphertext is very large and consists of two elements of Z_N per bit of the message, whereas the ciphertext of our proposed scheme is smaller and consists of one element of Z_N^* per bit of the message.


Fig. 1. Computational cost in encryption/decryption process.

Fig. 2. Total computational cost.

We have evaluated the computational cost of the five schemes and have found that the computational cost of the Selective-ID Secure ID-based encryption scheme is close to that of the Authenticated ID-encryption scheme, the computational cost of the Cocks-ID-encryption scheme is close to that of the Boneh and Franklin-ID-encryption scheme, and the computational cost of our proposed scheme is much less than that of the other four schemes and half that of the Authenticated ID-encryption scheme. In the Extract algorithm of the Boneh and Franklin-ID-encryption scheme and the Authenticated ID-encryption scheme, an identity string is mapped to a point on an elliptic curve and the corresponding private key is computed by multiplying the mapped point with the master key of the private key generator (PKG); the Extract algorithm of our proposed scheme requires much simpler hashing than the Boneh and Franklin-ID-encryption scheme, the Authenticated ID-encryption scheme and the Cocks-ID-encryption scheme, so the computational cost is reduced and performance improves. The computational costs of the Boneh and Franklin-ID-encryption scheme, the Cocks-ID-encryption scheme, the Authenticated ID-encryption scheme, the Selective-ID Secure ID-based encryption scheme and our proposed ID-based encryption scheme are given in the figures below. The computational cost in the encryption/decryption process and the total computational cost of all the schemes are given in Fig. 1 and Fig. 2 respectively.

7. Conclusion

This paper presents a new construction technique for an ID-based encryption scheme whose unforgeability can be reduced to the hardness of the integer factorization problem and the discrete logarithm problem, which are fundamental intractable problems in cryptography. The time costs of our proposed ID-based encryption scheme are almost as low as those of the ElGamal cryptosystem based ID-based encryption scheme, and we have shown that it is semantically secure against chosen plaintext attack (CPA) under the integer factorization problem and discrete logarithm problem assumptions in the random oracle model. This scheme is faster than the Boneh and Franklin-ID-based encryption scheme, the Cocks-ID-based encryption scheme, the Authenticated ID-based encryption scheme and the Selective-ID Secure ID-based encryption scheme, and has very low computational cost. It is easy to see that our ID-based encryption scheme requires that k < t, i.e., that the overall number of private key extraction queries must be less than t. An interesting open question is whether we can design an ID-based encryption scheme that has similar efficiency but does not require k < t.


References

[1] D. Boneh, X. Boyen, Secure identity based encryption without random oracles, in: Advances in Cryptology, CRYPTO 2004, in: Lecture Notes in Computer Science, vol. 3152, Springer-Verlag, Berlin, 2004, pp. 443–459.

[2] D. Boneh, X. Boyen, Efficient selective-ID secure identity based encryption without random oracles, in: Advances in Cryptology, EUROCRYPT 2004, in: Lecture Notes in Computer Science, vol. 3027, Springer-Verlag, Berlin, 2004, pp. 223–238.

[3] D. Boneh, M.K. Franklin, Identity-based encryption from the Weil pairing, in: Advances in Cryptology, CRYPTO 2001, in: Lecture Notes in Computer Science, vol. 2193, Springer-Verlag, Berlin, 2001, pp. 213–229.

[4] D. Boneh, M.K. Franklin, Identity based encryption from the Weil pairing, SIAM J. Comput. 32 (3) (2003) 586–615.

[5] D. Boneh, R. Canetti, S. Halevi, J. Katz, Chosen-ciphertext security from identity-based encryption, SIAM J. Comput. 36 (5) (2003) 1301–1328.

[6] C. Cocks, An identity based encryption scheme based on quadratic residues, in: International Conference on Cryptography and Coding (Proceedings of IMA), in: Lecture Notes in Computer Science, vol. 2260, Springer-Verlag, 2001, pp. 360–363.

[7] T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans. Inf. Theory 31 (1995) 469–472.

[8] E. Fujisaki, T. Okamoto, Secure integration of asymmetric and symmetric encryption schemes, in: Advances in Cryptology, CRYPTO’99, in: Lecture Notes in Computer Science, vol. 1666, Springer-Verlag, Berlin, 1999, pp. 537–554.

[9] D. Galindo, The exact security of pairing based encryption and signature schemes, Working Draft, available at http://www.dgalindo.es/galindoEcrypt.pdf, November 1, 2004.

[10] R. Gangishetti, M.C. Gorantla, M.L. Das, A. Saxena, Threshold key issuing in identity-based cryptosystems, Comput. Stand. Interfaces 29 (2007) 260–264.

[11] S. Heng, K. Kurosawa, k-Resilient identity-based encryption in the standard model, in: Topics in Cryptology, CT-RSA 2004, in: Lecture Notes in Computer Science, vol. 2964, Springer-Verlag, Berlin, 2004, pp. 67–80.

[12] S. Heng, K. Kurosawa, k-Resilient identity-based encryption in the standard model, IEICE Trans. Fundam. E89-A (1) (2006) 39–46.

[13] E. Kiltz, Y. Vahlis, CCA2 secure IBE: standard model efficiency through authenticated symmetric encryption, in: CT-RSA, in: Lecture Notes in Computer Science, vol. 4964, Springer-Verlag, 2008, pp. 221–239.

[14] W.C. Lee, K.C. Liao, Constructing identity-based cryptosystems for discrete logarithm based cryptosystems, J. Netw. Comput. Appl. 22 (2004) 191–199.

[15] B. Lynn, Authenticated ID-based encryption, Cryptology ePrint Archive, Report 2002/072, 2002, http://eprint.iacr.org/2002/072.

[16] C. Meshram, S. Meshram, M. Zhang, An ID-based cryptographic mechanisms based on GDLP and IFP, Inf. Process. Lett. 112 (19) (2012) 753–758.

[17] C. Meshram, S. Meshram, An identity-based cryptographic model for discrete logarithm and integer factoring based cryptosystem, Inf. Process. Lett. 113 (10–11) (2013) 375–380.

[18] A. Shamir, Identity-based cryptosystems and signature schemes, in: Proceedings of CRYPTO’84, in: Lecture Notes in Computer Science, vol. 196, Springer-Verlag, 1984, pp. 47–53.

[19] J. Sun, C. Zhang, Y. Zhang, Y. Fang, An identity-based security system for user privacy in vehicular ad hoc networks, IEEE Trans. Parallel Distrib. Syst. 27 (9) (2010) 1227–1239.

[20] B. Waters, Efficient identity-based encryption without random oracles, in: Advances in Cryptology, CRYPTO 2005, in: Lecture Notes in Computer Science, vol. 3494, Springer-Verlag, Berlin, 2005, pp. 114–127.