Cryptanalysis of Mu et al.'s and Li et al.'s Schemes and a Provably Secure ID-Based Broadcast Signcryption (IBBSC) Scheme

In applications like wireless content distribution, a central authority needs to deliver encrypted data to a large number of recipients in such a way that only a privileged subset of users can decrypt it. In addition, to avert junk content or spam, subscribers must have source authentication with respect to their broadcasters. The limited memory and computational power of mobile devices, coupled with escalating costs of wireless bandwidth make efficiency a major concern. Broadcast signcryption, which enables the broadcaster to simultaneously encrypt and sign the content meant for a specific set of users in a single logical step, provides the most efficient solution to this dual problem of confidentiality and authentication. It is arguably most efficiently implemented in the ID-based setting because of its well known advantages. Only three IBBSC schemes exist in literature, one of which has already been shown to be flawed and its security leaks fixed. In this paper, we show that the remaining two - Mu et al.'s scheme and Li et al.'s scheme are also flawed. Specifically, we show that while Mu et al.'s scheme is insecure with respect to unforgeability, Li et al.'s scheme can be totally broken (with respect to both unforgeability and confidentiality). Following this, we propose a new IBBSC scheme and formally prove its security under the strongest existing security models for broadcast signcryption (IND-CCA2 and EUF-CMA).