Efficient and Provable Secure Pairing-Free Security-Mediated Identity-Based Identification Schemes

Security-mediated cryptography was first introduced by Boneh et al. in 2001. The main motivation behind security-mediated cryptography was the capability to allow instant revocation of a user's secret key by necessitating the cooperation of a security mediator in any given transaction. Subsequently in 2003, Boneh et al. showed how to convert a RSA-based security-mediated encryption scheme from a traditional public key setting to an identity-based one, where certificates would no longer be required. Following these two pioneering papers, other cryptographic primitives that utilize a security-mediated approach began to surface. However, the security-mediated identity-based identification scheme (SM-IBI) was not introduced until Chin et al. in 2013 with a scheme built on bilinear pairings. In this paper, we improve on the efficiency results for SM-IBI schemes by proposing two schemes that are pairing-free and are based on well-studied complexity assumptions: the RSA and discrete logarithm assumptions.


Introduction
1.1. Background. Identification schemes allow one party, the prover, to prove itself to another party, the verifier, that it knows its secret key without revealing anything else about itself in the process. The main utilization of the identification primitive is to facilitate one-sided entity authentication and is conventionally deployed in access control mechanisms to facilitate resource control and distribution.
In traditional public key cryptography, certificates are used to ensure that a user's public key is legitimately bound to a particular user and cannot be replaced. This certificate is usually issued by a certificate authority. However, certificate management can become an issue when the number of users in a cryptosystem grows larger. One of the methods of mitigating this potentially costly problem is through the deployment of the cryptographic primitive in an identitybased setting introduced by Shamir [1].
Another issue that traditional public key cryptography faces is the revocation of user secret keys. This would necessarily involve the revocation of a user's certificate along with his public/secret key pair and is a costly operation.
Timeliness is also a factor, as the procedure to revoke a user's keys may be a (relatively) long one and creates additional load on the certificate authority, turning the revocation procedure into a potentially costly process exercise. All these compound the certificate management issue mentioned earlier.
In the identity-based setting, where certificates are not used, key revocation is conventionally done by tagging validity periods onto the user's identity-string as an extension. This also creates an issue of timeliness since revocation is only possible at the end of those validity dates. Without checking certificates, it is also difficult to check if a user is still valid or if his user secret key has been revoked already.
In [2], Boneh et al. proposed the initial groundwork for instant revocation of user keys and privileges, including the public key and certificates by introducing the concept of security-mediated cryptography. The idea of securitymediated cryptography is to necessitate the cooperation of a security mediator, a trusted third party, in any form of transaction that a user needs to use. For example, in an encryption scheme, a security mediator needs to lend his cooperation to the user in order for the user to decrypt a particular ciphertext. And for signatures, a security mediator 2 The Scientific World Journal has to agree to cooperate with a signer in order to produce a valid signature.
Specifically, this is done by separating the user's secret key into two portions during the key generation. One portion of the key is given to the mediator while the other is given to the user. Therefore, the security mediator cooperates in the form of providing his portion of the secret key to be combined with the user's portion to create the full secret key for the transaction.

Related Work.
Identification schemes were first introduced by Fiat and Shamir [3], while their identity-based counterparts, namely, identity-based identification schemes, were first formalized by Bellare et al. [4] and Kurosawa and Heng [5] independently. In recent years, there have been various advances in the area of identity-based identification, such as the introduction of identity-based identification schemes in the standard model [6,7], hierarchical model [8][9][10], and certificateless model [11].
Following Boneh et al. 's initial work, Ding and Tsudik expanded on security-mediated cryptography to cover identity-based encryption using the RSA assumption [12]. Shortly thereafter, Libert and Quisquater proposed the first pairing-based security-mediated identity-based encryption schemes [13]. On the signature front, Cheng et al. proposed the first security-mediated identity-based signature [14].
Chow et al. [15] and Yap et al. [16] both extended securitymediated cryptography into the certificateless setting, where the issue of key escrow was addressed. In certificateless cryptography, first proposed by Al-Riyami and Paterson [17], the key generation center only produces half of the user secret key. The user then produces the other half of the user secret key to be combined into the full user secret key, thus securing their key from even the key generation center. However, the cryptographic primitives in the certificateless setting introduce more operational cost to the scheme and are known to be difficult to be proven secure [18].

Motivations and Contribution.
In 2013, Chin et al. first combined the notion of security-mediated cryptography with identifications in the identity-based setting to propose the first security-mediated identity-based identification (SM-IBI) scheme [19]. In the paper, the authors provided the first formal definitions for SM-IBIs and also proposed a concrete construction. The motivation of the authors was to allow fast revocation of keys for identification schemes in the identitybased setting.
For SM-IBI schemes, a security mediator is required to participate in the identification protocol in order for a user to authenticate himself to a verifier. The security mediator can then hold a revocation list to identify which users' secret keys have been revoked and refuse participation for those users.
However the first concrete scheme that was proposed by the authors was built based on bilinear pairings. The pairing operation is widely known by cryptographers to be a costly operation; thus, it would be beneficial to construct pairingfree alternatives to facilitate more efficient running of the cryptographic primitive.
In this paper, we propose two pairing-free SM-IBI constructs as faster alternatives to the pairing-based scheme proposed by Chin et al. Our two schemes are constructed based on the RSA assumption and the discrete logarithm assumption, respectively. The RSA-based scheme, which we name as the GQ-SM-IBI, is constructed based on the Guillou Quisquater identification scheme constructed by Bellare and Palacio [20]. On the other hand, the discrete logarithmbased scheme, which we name as the BNN-SM-IBI, is constructed based on the BNN identity-based identification scheme proposed by Bellare et al. [4]. We provide security analysis for both schemes, proving them secure against impersonation under passive attacks if the RSA assumption and the discrete logarithm assumption hold and secure against impersonation under active and concurrent attacks if the one-more RSA inversion assumption and the onemore discrete logarithm assumption hold. Lastly, we provide an efficiency analysis, both theoretically and practically, and show that both schemes are significantly faster than Chin et al. 's pairing-based SM-IBI scheme.
The rest of the paper is organized as follows. We begin with some preliminaries and review the formal definitions and security model of SM-IBI schemes in Section 2. Then we show the construction and security analysis for the GQ-SM-IBI scheme in Section 3. This is followed by the construction and security analysis for the BNN-SM-IBI scheme in Section 4. In Section 5 we show the operational costs of both schemes as well as presenting our implementation results. Finally we conclude in Section 6.

Discrete Logarithm Assumption.
Let be a cyclic group with prime order and let be a generator of . The DL problem (DL) is defined as given a number = in group , output . Definition 1. The discrete logarithm assumption states that there exists no polynomial-time algorithm that is able to ( DL , DL )-solve the discrete logarithm problem with nonnegligible probability such that Pr [ ( , , , ) = ] ≥ DL . (1)

The
One-More Discrete Logarithm Assumption. The onemore discrete logarithm ( ) problem was first introduced by Bellare and Palacio [20] in their proof against impersonation under active and concurrent attacks for the standard Schnorr identification scheme. Later work that involves proving security of identification schemes based on discrete logarithms to be secure against active and concurrent attacks for discrete logarithm also makes use of this assumption such as [4,21].
Let be a finite cyclic group of order and let be a generator of . Define an experiment DL where an adversary is given a challenge oracle that produces a random group element ∈ when queried and a discrete log oracle , which provides the discrete log ∈ corresponding to the query where = . wins The Scientific World Journal 3 if after making queries to DL , is able to output solutions to all challenges with only − 1 queries to , meaning has to solve at least one instance of the discrete logarithm problem without relying on the discrete log oracle. returns 1 if is successful and 0 otherwise.
The assumption states that there exists no polynomial-time algorithm that is able to 2.4. One-More RSA Inversion (OMRSAI) Assumption. This is the interactive variant of the problem first proposed by Bellare and Palacio [20] to prove security of the GQ identification scheme and is analogous to the assumption. This assumption is applied in the proof of security against active and concurrent attacks for RSA-based schemes.
Define an experiment where an adversary is given ( , ) $ ← (1 ) as input and access to two oracles and . on any input returns a random point , while on any input ℎ will return ℎ where = 1 mod . is required to compute the solutions to all the target points 0 , . . . , while using strictly less queries to the oracle. In other words, is required to find 0 , . . . , while using the oracle only < times. returns 1 if is successful and 0 otherwise.
2.5. Definition of Security-Mediated IBI Schemes. In this section, we review the definition of SM-IBI schemes as defined by [19]. The definition follows closely to that of conventional IBI schemes, with the difference being that the prover segment is extended to encompass obtaining tokens from the security mediator. The SM-IBI scheme is defined as five probabilistic polynomial-time algorithms.
(i) Setup. It takes in the security parameter 1 as input and outputs the system parameters params along with the master secret key MSK.
(ii) Extract. Upon receiving a user's request for a key, it takes in params MSK and a user's identity ID. Once the secret key is created, the PKG separates the key into two portions, one for the user, USK , and one for the security mediator, USK , and returns the portions to the respective parties.
(iii) Identification Protocol. The identification protocol is an interactive protocol run by the 3 algorithms: User-Prover and SEM-prover on the prover side trying to authenticate himself to the Verifier. Both provers are used cooperatively in the interactive three-step canonical honest verifier zero knowledge proof of knowledge protocol with the verifier as follows.
(1) User-Prover initiates by sending his identity to ID to the SEM-prover. SEM-prover checks whether ID's keys have been revoked and stops with an error code if true. If ID is legitimate then it generates and sends SEM-COMMIT to User-Prover who then combines SEM-COMMIT with his own USER-COMMIT to form FULL-COMMIT to send to Verifier. (2) Verifier selects a random CHALLENGE and sends it to the User-Prover. (3) User-Prover relays CHALLENGE to SEM-Prover and receives SEM-RESPONSE from SEM-Prover which it then combines with his own USER-RESPONSE to form FULL-RESPONSE and sends to the Verifier. The Verifier will choose to either accept or reject it.

Security Model for Security-Mediated IBI.
Adversaries of SM-IBI follow the description of standard identification schemes: passive and active/concurrent attackers. However, the adversary for SM-IBI is able to query additionally partial conversation components, specifically the user's prover and the security mediator's prover besides the usual full prover query.
The security of SM-IBI schemes is modelled as a game played by an adversary against a challenger as follows.
runs Setup, creates the system parameters params and passes them to while keeping the master secret key MSK to itself.
(ii) Phase 1. This is the training phase. is allowed to adaptively make the following queries to .
(a) User-Extract (ID). will run Extract but returns only the user's portion of the secret key to . (b) SEM-Extract (ID).
will run Extract but returns only the security mediator's portion of the secret key to .

4
The Scientific World Journal (c) Full-Extract (ID). will run Extract and returns both the user's portion of the secret key and the security mediator's portion of the secret key to . (d) Identification Queries (ID). For passive adversaries, will generate transcripts of valid conversations for . For active/concurrent adversaries, will act as the cheating prover, engaging as the cheating verifier in conversations. is able to issue any one of the following identification queries.
(1) SEM-Identification (ID). runs the security mediator's half of the prover session. (iii) Phase 2. will eventually output ID * on which it wants to be challenged on and begins its role as the cheating prover for both security mediator and user prover sessions. on the other hand assumes the role of the verifier. wins the game if it manages to convince to accept with nonnegligible probability.
We say a security-mediated IBI scheme Π is ( , , )-secure under passive or active/concurrent attacks if for any passive or active/concurrent Type-1 impersonator who runs in time , Pr[ can impersonate] < , where can make at most full extract queries. It is interesting to point out that extracting the security mediator's half of the secret key gives no information about the full user key and that neither security mediator's prover sessions nor user's prover sessions done alone will provide a valid conversation, but only the combined session will. This models the security requirement that any user cannot legitimately prove himself to a verifier without the security mediator's help.

GQ-SMIBI: RSA-Based Security-Mediated IBI Scheme
The GQ-SM-IBI scheme is derived from the GQ identification scheme proposed in [20] and is provably secure against passive attackers assuming the assumption and against active/concurrent attackers assuming the assumption.
The GQ-SM-IBI scheme is constructed as follows.  . It gives to the user as its partial secret key and to the security mediator as its partial private key and keeps secret.
(3) Identification Protocol. It is run by the User-Prover and SEM-Prover with Verifier as such. To check for completeness,

Security Analysis: Impersonation under Passive Attack
Proof. Assume the GQ-SM-IBI scheme is ( , , )-breakable; then a simulator that ( , )breaks the problem can be shown. takes in input ( , , ) and runs the impersonator as a subroutine.
ID ⟩ which is initially empty. The following shows how simulates the environment and oracle queries for .
chooses ∈ {1, . . . , } randomly and lets ID = ID * at this point. Whenever makes a query on ID , consider the following.
adds ⟨ID , ID , ID , ID , ID , ID , ID , ID ⟩ to . returns ID to .
(3) SEM-Extract (ID ). If ID = ID * and USER-Extract (ID * ) has been queried before, aborts. If ID = ID * , but USER-Extract (ID * ) has not been queried If queries The Scientific World Journal − < 1 − 2 < , ( , 1 − 2 ) = 1. Use the extended Euclidean algorithm to obtain integers and such that + ( 1 − 2 ) = 1. It follows that then calculates the solution to the problem as follows: It remains to calculate the probability of solving the problem and winning the game. The probability of successfully extracting two valid conversation transcripts from is bounded by ( − (1/2 ( ) )) 2 as given by the reset lemma [20]: Finally calculate Pr [¬abort]. Let be the probability that issues both a SEM-Extract and a USER-Extract query on ID * and that makes a total of of such queries. The probability of answering all the extraction queries is . In Phase 2, the probability of not aborting is if outputs the challenge identity ID * that was not queried before. This is given by the probability 1 − . Compiling them, the probability of not aborting is (1 − ). This probability is maximised at = 1 − (1/( + 1)).

Security Analysis: Impersonation under
Active/Concurrent Attack Proof. Assume the GQ-SM-IBI scheme is ( , , )-breakable; then a simulator that ( , , )-breaks the problem can be shown.
takes in input ( , ), is given access to and oracles, and runs the impersonator as a subroutine. Any SEM-Extract, User-Extract, SEM-Identification, User-Identification, and Full-Identification queries are preceded by a Create-User query. maintains a list = ⟨ID , ID , ID , ID , ID , ID , ID , ID ⟩ which is initially empty. The following shows how simulates the environment and oracle queries for .
chooses ∈ {1, . . . , } randomly and lets ID = ID * at this point. Whenever makes a query on ID , consider the following.
If no session is specified for the query, just returns the next session in sequence. One can see that SEM-Identification (ID * , ) and User-Identification (ID * , ) can be combined to create a full and valid conversation on session : (ID) 2 . One can then obtain Since is a prime and − < 1 − 2 < , ( , 1 − 2 ) = 1. Use the extended Euclidean algorithm to obtain integers and such that + ( 1 − 2 ) = 1. It follows that The Scientific World Journal then calculates the solution to the problem as follows: proceeds to calculate the solutions to the other challenges as follows: The probability study for the simulation above is similar to that of the impersonation under passive attack game and is therefore omitted.

BNN-SM-IBI: An DL-Based Security-Mediated IBI Scheme
The BNN-SM-IBI scheme is derived from the BNN-IBI scheme proposed in the work of [4] and is provably secure against passive attackers assuming the DL assumption and against active/concurrent attackers assuming the assumption.
The BNN-SM-IBI scheme is constructed as follows.  to the user as its partial private key and to the security mediator as its partial private key and keeps secret.
(3) Identification Protocol. It is run by the User-Prover and SEM-Prover with Verifier as such.
Proof. Assume the BNN-SM-IBI scheme is ( , , )-breakable; then a simulator that ( , )breaks the DL problem can be shown. takes in input The Scientific World Journal 9 ( , = ) and runs the impersonator as a subroutine. Without loss of generality, it can be assumed that any SEM-Extract, User-Extract, SEM-Identification, User-Identification, and Full-Identification queries are preceded by a Create-User query. To avoid collision and consistently respond to these queries, maintains a list = ⟨ID , ID , ID , ID , ID ⟩ which is initially empty. The following shows how simulates the environment and oracle queries for .
sets the system parameters as mpk = ⟨ , , , = , ⟩ and keeps master private key secret. It sends mpk to .
chooses ∈ {1, . . . , } randomly and lets ID = ID * at this point. Whenever makes a query on ID , consider the following. Otherwise for all other ID ̸ = ID * , just retrieves ⟨ ID , ID ⟩ in and returns it to .
(5) Identification (ID , ). will act as the cheating verifier to learn information from valid conversation transcripts from . If ID ̸ = ID * , just retrieves ID 's entry in and runs the identification protocol for either the SEM's interactions, the user's interactions, or both combined as in the protocol.
Otherwise, for ID = ID * , then creates a full valid transcript for each th query by picking Eventually, stops Phase 1 and outputs the challenge ID, ID * on which it wishes to be challenged on. checks if ID = ID from and aborts if not. Otherwise, runs now as a cheating prover on ID * by obtaining its commitment, ID * , ID * , ID * selecting a challenge 1 $ ← Z * and obtaining the response ID * ,1 from . then resets to the step whereby just sent ID * , ID * , ID * , selects a second challenge 2 $ ← Z * , and receives ID * ,2 as response. is then able to extract the full user private key as follows: outputs as the discrete log solution. It remains to calculate the probability of solving the CDH problem and winning the game. The probability of successfully extracting two valid conversation transcripts from is bounded by ( − (1/ )) 2 as given by the reset lemma [20]: Finally, let be the probability that issues a SEM-Extract and a USER-Extract query on ID * and that makes a total of of such queries. The probability of answering all the extraction queries is . In Phase 2, the probability of not aborting is if outputs the challenge identity ID * that was not queried before. This is given by the probability 1 − . Compiling them, the probability of not aborting is (1− ). This value is maximised at = 1−(1/( + 1)). Using , The probability that does not abort is at least 1/ ( +1) because the value (1−(1/( +1))) approaches 1/ for large . Therefore, the advantage of , DL , and the bound of the simulation is given as follows: takes in input ( , ), is given access to and oracles, and runs the impersonator as a subroutine. Without loss of generality, it can be assumed that any SEM-Extract, User-Extract, SEM-Identification, User-Identification, and Full-Identification queries are preceded by a Create-User query. To avoid collision and consistently respond to these queries, maintains a list = ⟨ID , ID , ID , ID , ID , ID , ID , ID , ID , ID , ID , ID , ID , ID ⟩ which is initially empty. The following shows how simulates the environment and oracle queries for .
sets the system parameters as mpk = ⟨ , , , = , ⟩ and keeps master private key secret. It sends mpk to .
chooses ∈ {1, . . . , } randomly and lets ID = ID * at this point. Whenever makes a query on ID , consider the following.
Eventually, stops Phase 1 and outputs the challenge ID, ID * on which it wishes to be challenged on.
checks if ID * = ID from and aborts if not. Otherwise, runs now as a cheating prover on ID * . runs by obtaining its commitment, ID * , ID * , ID * , selects a challenge 1 $ ← Z * , and obtains the response ID * ,1 from . then resets to the step whereby just sent ID * , ID * , ID * , selects a second challenge 2 $ ← Z * , and receives ID * ,2 as response. is then able to extract the full user private key as follows: outputs 0 as the initial discrete log challenge solution.  proceeds to calculate the solutions to the other challenges as follows: (28) The probability study for the simulation above is similar to that of the impersonation under passive attack game and is therefore omitted.

Efficiency Analysis
In this section we provide the breakdown of operation costs for both the GQ-SM-IBI scheme and the BNN-SM-IBI scheme.
We measure the operation costs of the GQ-SM-IBI scheme in terms of addition operations in Z ( ) , multiplication operations in Z ( ) and Z * , and exponentiation operations in Z * . Overall, the operational costs of the GQ-SM-IBI scheme are given in Table 1.
We also provide the communication costs of the GQ-SM-IBI scheme in Table 2.
As for the BNN-SM-IBI scheme, we measure the operational costs in terms of group operational costs of addition modulo , multiplication modulo , multiplication in group , and exponentiations modulo . Overall, the operational costs of the BNN-SM-IBI scheme are given in Table 3.
We also provide the communication costs of the BNN-SM-IBI scheme in Table 4.