Lightweight cryptographic systems for services delivered by the recently developed Internet of Things (IoT) are being continuously researched. However, existing Public Key Infrastructure (PKI)-based cryptographic algorithms are difficult to apply to IoT services delivered using lightweight devices. Therefore, encryption, authentication, and signature systems based on Certificateless Public Key Cryptography (CL-PKC), which are lightweight because they do not use the certificates of existing PKI-based cryptographic algorithms, are being studied. Of the various public key cryptosystems, signcryption is efficient, and ensures integrity and confidentiality. Recently, CL-based signcryption (CL-SC) schemes have been intensively studied, and a multi-receiver signcryption (MRSC) protocol for environments with multiple receivers, i.e., not involving end-to-end communication, has been proposed. However, when using signcryption, confidentiality and integrity may be violated by public key replacement attacks. In this paper, we develop an efficient CL-based MRSC (CL-MRSC) scheme using CL-PKC for IoT environments. Existing signcryption schemes do not offer public verifiability, which is required if digital signatures are used, because only the receiver can verify the validity of the message; sender authenticity is not guaranteed by a third party. Therefore, we propose a CL-MRSC scheme in which communication participants (such as the gateways through which messages are transmitted) can efficiently and publicly verify the validity of encrypted messages.

Forward secrecy (FS) is a central security requirement of authenticated key exchange (AKE). Especially, strong FS (sFS) is desirable because it can guarantee security against a very realistic attack scenario that an adversary is allowed to be active in the target session. However, most of AKE schemes cannot achieve sFS, and currently known schemes with sFS are only proved in the random oracle model. In this paper, we propose a generic construction of AKE protocol with sFS in the standard model against a constrained adversary. The constraint is that session-specific intermediate computation results (i.e., session state) cannot be revealed to the adversary for achieving sFS, that is shown to be inevitable by Boyd and González Nieto. However, our scheme maintains weak FS (wFS) if session state is available to the adversary. Thus, our scheme satisfies one of strongest security definitions, the CK+ model, which includes wFS and session state reveal. The main idea to achieve sFS is to use signcryption KEM while the previous CK+ secure construction uses ordinary KEM. We show a possible instantiation of our construction from Diffie-Hellman problems.

Recently, Jin, Wen, and Du proposed an identity-based signcryption scheme in the standard model. In this letter, we show that their scheme does not have the indistinguishability against adaptive chosen ciphertext attacks and existential unforgeability against adaptive chosen messages attacks.

Recently, Duan and Cao proposed an multi-receiver identity-based signcryption scheme. They showed that their scheme is secure against adaptive chosen ciphertext attacks in the random oracle model. In this paper, we show that their scheme is in fact not secure against adaptive chosen ciphertext attacks under their defined security model.

In this paper, we analyse Ma signcryption scheme [4] proposed in Inscrypt'2006. Although Ma signcryption scheme [4] is probably secure against adaptive chosen ciphertext attacks and forgery, we show that Ma signcryption scheme is easily forgeable by the receiver and the receiver can impersonate the sender to forge any valid signcryption to any receiver.

In this paper, we analyse the Libert-Quisquater's q-DH signcryption scheme proposed in SCN'2004. Although the paper proved that their scheme is secure against adaptive chosen ciphertext attacks in the random oracle model, we disprove their claim and show that their scheme is not even secure against non-adaptive chosen ciphtertext attacks, which is the weaker security than the adaptive chosen ciphertext attacks. We further show that the semantically secure symmetric encryption scheme defined in their paper is not sufficient to guarantee their signcryption scheme to be secure against adaptive chosen ciphertext attacks.

Mobile ad-hoc networks consist of mobile nodes interconnected by multihop path that has no fixed network infrastructure support. Due to the limited bandwidth and resource, and also the frequent changes in topologies, ad-hoc network should consider these features for the provision of security. We present a secure routing protocol based on identity-based signcryption scheme. Since the proposed protocol uses an identity-based cryptosystem, it does not need to maintain a public key directory and to exchange any certificate. In addition, the signcyption scheme simultaneously fulfills both the functions of digital signature and encryption. Therefore, our protocol can give savings in computation cost and have less amount of overhead than the other protocols based on RSA because it uses identity-based signcryption with pairing on elliptic curve. The effectiveness of our protocol is illustrated by simulations conducted using ns-2.

In this paper, we analyse the signcryption scheme proposed by Libert and Quisquater in 2004 and show that their scheme does not meet the requirements as claimed in their paper in PKC'2004, such as, semantically secure against adaptive chosen ciphtertext attack, ciphertext anonymity and key invisibility.

Recently, a new light-weight version of the secure electronic transaction protocol was proposed. The protocol can achieve two goals. One goal is that the security level is the same as the SET protocol. The other goal is to reduce the computational time in message generation and verification, and reduce the communication overhead. However, the protocol has a weakness, which is that non-repudiation is acquired, but confidentiality is lost. In this paper, we point out the weakness of the protocol. We also propose an improvement to the protocol to overcome this weakness.

Recently, Ma and Chen proposed a new authenticated encryption scheme with public verifiability. The signer can generate a signature with message recovery for a specified recipient. With a dispute, the recipient has ability to convert the signature into an ordinary one that can be verified by anyone without divulging her/his private key and the message. However, we point out that any adversary can forge a converted signature in this article.

In this paper, we formally define and analyze the security notions of authenticated encryption in unconditional security setting. For confidentiality, we define the notions, APS (almost perfect secrecy) and NM (non-malleability), in terms of an information-theoretic viewpoint along with our model where multiple senders and receivers exist. For authenticity, we define the notions, IntC (integrity of ciphertexts) and IntP (integrity of plaintexts), from a view point of information theory. And then we combine the above notions to define the security notions of unconditionally secure authenticated encryption. Then, we analyze relations among the security notions. In particular, it is shown that the strongest security notion is the combined notion of APS and IntC. Finally, we formally define and analyze the following generic composition methods in the unconditional security setting along with our model: Encrypt-and-Sign, Sign-then-Encrypt and Encrypt-then-Sign. Consequently, it is shown that: the Encrypt-and-Sign composition method is not always secure; the Sign-then-Encrypt composition method is not always secure; and the Encrypt-then-Sign composition method is always secure, if a given encryption meets APS and a given signature is secure.

Distributed signcryption is specifically designed for distributing a signcrypted message to a designated group. As such, it can not be used in anonymous communication. Accordingly, the current study adds an anonymity property to distributed signcryption that results in almost the same computational load as regards the modular arithmetic. Therefore, the new scheme is more efficient than the expansion for anonymity in, and has potential applications in electronic commerce.

In the past few years, we have seen the emergence of a large number of proposals for electronic payments over open networks. Among these proposals is the Secure Electronic Transaction (SET) protocol promoted by MasterCard and VISA which is currently being deployed world-widely. While SET has a number of advantages over other proposals in terms of simplicity and openness, there seems to be a consensus regarding the relative inefficiency of the protocol. This paper proposes a light-weight version of the SET protocol, called "LITESET. " For the same level of security as recommended in the latest version of SET specifications, LITESET yields a 56.2/51.4% reduction in the computational time in message generation/verification and a 79.9% reduction in communication overhead. This has been achieved by the use of a new cryptographic primitive called signcryption. We hope that our proposal can contribute to the practical and engineering side of real-world electronic payments.