1 Introduction
In the traditional public key system (PKS) setting (Rivest et al., 1978), a public-key infrastructure (PKI) needs to be established to create and manage each member’s certificate, which is used to validate the member’s public key. To lighten the PKI establishment cost, Boneh and Franklin (2001) presented a practical identity-based PKS (ID-PKS) setting with bilinear pairings, in which a member’s identity is regarded as the member’s public key and no certificate is needed. However, the ID-PKS setting suffers from a constitutional key escrow problem. In 2003, the certificateless PKS (CL-PKS) (Al-Riyami and Paterson, 2003) and the certificate-based PKS (CB-PKS) (Gentry, 2003) settings were constructed respectively to clear up the key escrow problem. Afterwards, the research of various cryptographic mechanisms under the CB-PKS and the CL-PKS settings have been thoroughly studied.
Typically, the security of these cryptographic mechanisms under these PKS settings mentioned above is dependent on the security of secret keys participated in these cryptographic mechanisms, and so these secret keys must be entirely concealed to adversaries. However, due to the popularity of mobile communication, many computing devices are exposed to remote environments without physical protection so that these devices easily suffer from leakage attacks (e.g. side-channel attacks) (Kocher et al., 1999; Brumley and Boneh, 2005; Biham et al., 2008). By leakage attacks, when a computing device performs some cryptographic algorithm, an adversary may acquire partial bits of secret keys participated in this algorithm. To resist such leakage attacks, researchers offer leakage-resilient cryptography as a solution. In the past, numerous leakage-resilient signature (LRS) schemes (Galindo and Virek, 2013; Wu et al., 2019; Tseng et al., 2020; Wu et al., 2020b), leakage-resilient encryption (LRE) schemes (Kiltz and Pietrzak, 2010; Galindo et al., 2016; Wu et al., 2018, 2020a; Tseng et al., 2022), and leakage-resilient authenticated key agreement protocols (Tseng et al., 2021; Peng et al., 2021; Tsai et al., 2022) under various PKS settings have been published in the literature.
For reducing communication and computation costs, a signcryption scheme (Zheng, 1997) combines signing and encrypting processes in a mechanism to simultaneously provide both authentication and confidentiality, which is an important cryptographic primitive. In the past, some signcryption schemes under various PKS settings have been proposed that include PKI-based signcryption (PKI-SC) schemes (Ullah et al., 2020; Ali et al., 2020), certificateless signcryption (CLSC) schemes (Khan et al., 2020; Wu et al., 2022) and certificate-based signcryption (CBSC) schemes (Ullah et al., 2019; Hussain et al., 2020). Nevertheless, these signcryption schemes mentioned above are unable to resist leakage attacks. Indeed, several leakage-resilient (LR) signcryption schemes under the CL-PKS and the CB-PKS settings have been proposed. However, these LR signcryption schemes still have two shortcomings, that is, bounded leakage resilience and conditionally continuous leakage resilience, which will be discussed later. Hence, in this paper, we aim to propose a “fully” continuous leakage-resilient certificate-based signcryption (FCLR-CBSC) scheme to remove the shortcomings of the previously proposed schemes.
1.1 Related Work
Here, let’s introduce two types of leakage attack models, that is, bounded and continuous (i.e. unbounded). The bounded leakage attack model has an impractical property that entire leaked bits of a secret key are bounded in a fractional proportion of the secret key during the usage life of an LR algorithm (Alwen et al., 2009; Katz and Vaikuntanathan, 2009). In such a case, when the leaked bit number of the secret key exceeds the proportion, the secret key can no longer be used. Contrarily, the continuous leakage attack model allows adversaries to continuously obtain a secret key’s partial bits in each usage of the secret key during the usage life of the associated LR algorithm. Therefore, an LR cryptographic scheme against continuous leakage attacks has the unbounded leakage property and is more suitable for real practical environments (Kiltz and Pietrzak, 2010; Galindo and Virek, 2013).
As mentioned earlier, several LR signcryption schemes under the CL-PKS and the CB-PKS settings have been proposed to remove the key escrow problem. Here, let’s review these LR certificateless signcryption (LR-CLSC) (Zhou et al., 2016; Yang et al., 2019) and LR certificate-based signcryption (LR-CBSC) (Zhou et al., 2021) schemes. Zhou et al. (2016) adopted a non-interactive zero-knowledge mechanism to propose an LR-CLSC scheme. As we know, the usage of the non-interactive zero-knowledge mechanism is very time-consuming so that Zhou et al.’s scheme is unsuitable for mobile devices. Subsequently, Yang et al. (2019) presented an improvement on Zhou et al.’s scheme to remove the usage of the non-interactive zero-knowledge mechanism to achieve better performance. However, both schemes (Zhou et al., 2016; Yang et al., 2019) are only secure against bounded leakage attacks and cannot resist the attacks of adversaries with continuous leakage abilities.
To achieve continuous leakage-resilient property, Zhou et al. (2021) first presented a bounded LR-CBSC scheme and adopted the secret key update method proposed by Dodis et al. (2010) to obtain a “conditionally” continuous LR-CBSC (CCLR-CBSC) scheme. That is, by Dodis et al.’s secret key update method, a continuous version is constructed from the associated bounded LR cryptographic scheme. However, Kiltz and Pietrzak (2010) have previously shown that Dodis et al.’s secret key update method has a shortcoming in the sense that the key update process itself does not allow adversaries to leak any bits of the secret key even if the secret key actually participates in the computation of the key update method. Therefore, Zhou et al.’s scheme only possesses the “conditionally” continuous leakage-resilient property.
1.2 Contributions
As mentioned earlier, the LR-CLSC schemes in Zhou et al. (2016), Yang et al. (2019) are only secure against bounded leakage attacks and the CCLR-CBSC scheme in Zhou et al. (2021) only possesses the “conditionally” continuous leakage-resilient property. In this paper, a “fully” CLR-CBSC (FCLR-CBSC) scheme is proposed. In our FCLR-CBSC scheme, there are two roles, namely, a trusted certificate authority (CA) and members. A member ${\textit{ID}_{m}}$ sets the associated member secret key ${\textit{MSK}_{m}}$. The CA uses its own secret key $\textit{CSK}$ to compute the member’s certificate ${\textit{CTF}_{m}}$ using the member ${\textit{ID}_{m}}$’s identity information and public key, and returns it back to the member ${\textit{ID}_{m}}$. By combining the adversary models of both the LR certificate-based signature (LR-CBS) scheme (Wu et al., 2019) and the LR certificate-based encryption (LR-CBE) scheme (Wu et al., 2020a), we define the adversary model of the FCLR-CBSC scheme. In this adversary model, there are two types of adversaries that include an uncertified member and the honest-but-curious CA.
Table 1
Comparisons between the related schemes and our scheme.
| Scheme | Zhou et al.’s LR-CLSC scheme (2016) | Yang et al.’s LR-CLSC scheme (2019) | Zhou et al.’s CCLR-CBSC scheme (2021) | Our proposed FCLR-CBSC scheme |
| PKS setting | CL-PKS | CL-PKS | CB-PKS | CB-PKS |
| Leakage of a member’s secret key | Allowed | Allowed | Allowed | Allowed |
| Leakage of the system’s secret key | Not allowed | Not allowed | Allowed | Allowed |
| Leakage model | Bounded | Bounded | Conditionally continuous | Fully continuous |
To realize the “fully” continuous leakage-resilient property, our scheme adopts the key update method proposed by Kiltz and Pietrzak (2010) to update the member ${\textit{ID}_{m}}$’s secret key ${\textit{MSK}_{m}}$ and certificate ${\textit{CTF}_{m}}$ participated in both the signcryption and the unsigncryption algorithms, and the CA’s secret key $\textit{CSK}$ participated in the certificate generation algorithm. In the process of the key update method, these secret keys or certificates are allowed to be leaked by an adversary so that our scheme has the fully continuous leakage-resilient property. Table 1 lists the comparisons between the LR-CLSC schemes in Zhou et al. (2016), Yang et al. (2019), the CCLR-CBSC scheme in Zhou et al. (2021) and our FCLR-CBSC scheme in terms of PKS setting, leakage of a member’s secret key, leakage of the system’s secret key and leakage model. It is obvious that only our scheme achieves the fully continuous leakage-resilient property and tolerates the leakages of both the system’s secret key and a member’s secret key. Finally, we employ the security proving method of the generic bilinear group (GBG) model (Boneh et al., 2005) to show that our scheme possesses both authentication and confidentiality against two types of adversaries in the CB-PKS setting. Also, performance analysis and simulation experience demonstrate that our scheme is suited to run on both a PC and a mobile device.
1.3 Paper Structure
The remainder of this paper comprises six parts. Four preliminaries are introduced in Section 2. We define a new framework and security model of FCLR-CBSC schemes in Section 3. In Section 4, our FCLR-CBSC scheme is demonstrated. The security analysis of our scheme is given in Section 5. Performance analysis and conclusions are given in Sections 6 and 7, respectively.
2 Preliminaries
2.1 Bilinear Pairing Set
Let $\{{g_{1}},{g_{2}},{G_{1}},{G_{2}},p,\hat{e}\}$ be a bilinear pairing set. The reader can refer to Boneh and Franklin (2001) for the parameter selections of the bilinear pairing set. ${g_{1}}$ and ${g_{2}}$ are, respectively, generators of the multiplicative groups ${G_{1}}$ and ${G_{2}}$ with the same prime order p. The bilinear pairing function $\hat{e}:{G_{1}}\times {G_{1}}\to {G_{2}}$ satisfies three properties as presented below:
2.2 Security Assumptions
Our proposed FCLR-CBSC scheme is based on two security assumptions as presented below:
-
– Strong-collision-resistant hash (SCRH) assumption: Let a hash function $H:{\{0,1\}^{\ast }}\to {\{0,1\}^{l}}$, l is a large integer, be strong-collision-resistant. Namely, it is difficult to get two different strings ${S_{1}},{S_{2}}\in {\{0,1\}^{\ast }}$ such that $H({S_{1}})=H({S_{2}})$.
-
– Discrete logarithm (DL) assumption: In the bilinear pairing set $\{{g_{1}},{g_{2}},{G_{1}},{G_{2}},p,\hat{e}\}$ presented earlier, it is difficult to compute $x\in {Z_{p}^{\ast }}$ for given ${g_{1}^{x}}\in {G_{1}}$ or ${g_{2}^{x}}\in {G_{2}}$.
2.3 Generic Bilinear Group Model
The generic bilinear group (GBG) model (Boneh et al., 2005) is a security proving technique of cryptographic schemes. This GBG model is combined into the security game of a cryptographic scheme. In the security game played by an adversary and a challenger, the challenger first creates a bilinear pairing set $\{{g_{1}},{g_{2}},{G_{1}},{G_{2}},p,\hat{e}\}$. When the adversary performs operations in the bilinear pairing set, it must request the associated queries to the challenger that include the multiplicative query ${Q_{1}}$ of ${G_{1}}$, the multiplicative query ${Q_{2}}$ of ${G_{2}}$ and the bilinear pairing query ${Q_{\hat{e}}}$. Additionally, the challenger sets two injective random mappings to respectively encode every element of ${G_{1}}$ and ${G_{2}}$ to a distinct bit string, namely, ${\zeta _{1}}:{Z_{p}^{\ast }}\to \Psi {G_{1}}$ and ${\zeta _{2}}:{Z_{p}^{\ast }}\to \Psi {G_{2}}$ that satisfy $\Psi {G_{1}}\cap \Psi {G_{2}}=\varnothing $ and $|\Psi {G_{1}}|=|\Psi {G_{2}}|=p$. The behaviours of three associated queries ${Q_{1}}$, ${Q_{2}}$ and ${Q_{\hat{e}}}$, for $x,y\in {Z_{p}^{\ast }}$, are defined as follows:
Note that ${\zeta _{1}}(1)$ and ${\zeta _{2}}(1)$ equal ${g_{1}}$ and ${g_{2}}$, respectively. Finally, the adversary would answer the DL problem on ${G_{1}}/{G_{2}}$ if it found any collision on ${G_{1}}/{G_{2}}$ after finishing the security game.
-
– ${Q_{1}}({\zeta _{1}}(x),{\zeta _{1}}(y))\to {\zeta _{1}}(x+y\hspace{2.5pt}\text{mod}\hspace{2.5pt}p)$.
-
– ${Q_{2}}({\zeta _{2}}(x),{\zeta _{2}}(y))\to {\zeta _{2}}(x+y\hspace{2.5pt}\text{mod}\hspace{2.5pt}p)$.
-
– ${Q_{\hat{e}}}({\zeta _{1}}(x),{\zeta _{1}}(y))\to {\zeta _{2}}(x\cdot y\hspace{2.5pt}\text{mod}\hspace{2.5pt}p)$.
2.4 Entropy Evaluation of Secret Keys
Later, we will employ the entropy evaluation of secret keys with partial leakage to establish the security theorems of the proposed scheme. Here, we first introduce two previous consequences. In 2008, Dodis et al. (2008) presented a result (Lemma 1 below) about the entropy evaluation of a secret key K under the leakage function $F(K)$, where $F:K\to {\{0,1\}^{\omega }}$ and ω is the leakage bit size. Moreover, Galindo and Virek (2013) discussed the entropy evaluation of multiple secret keys to obtain the other result (Lemma 2 below).
Lemma 1.
Let K be a secret key and $F:K\to {\{0,1\}^{\omega }}$ be its associated leakage function, where ω is the leakage bit size. Under the leakage function F, we have ${\widetilde{H}_{\infty }}(K|F(K))\geqq {H_{\infty }}(K)-\omega $, where ${H_{\infty }}$ and ${\widetilde{H}_{\infty }}$ denote the min-entropy and the average conditional min-entropy, respectively.
Lemma 2.
Let ${K_{1}},{K_{2}},\dots ,{K_{n}}$ be multiple secret keys participated in a computation formula. Let $MVP\in {Z_{p}}[{K_{1}},{K_{2}},\dots ,{K_{n}}]$ denote a multiple-variable polynomial that has the degree d. Assume that ${\textit{PD}_{i}}$ denotes the probability distribution of ${K_{i}}{=k_{i}}\gets {Z_{p}}$ under a leakage function ${F_{i}}$ with the leakage bit size ω. Thus, we have ${H_{\infty }}({\textit{PD}_{i}})\geqq \log p-\omega $, for $i=1,2,\dots ,n$. When all ${\textit{PD}_{i}}$ are mutually independent, we have $\Pr [\mathit{MVP}({K_{1}}={k_{1}},{K_{2}}={k_{2}},\dots ,{K_{n}}={k_{n}})=0]\leqq (d/p){2^{\omega }}$, which is negligible if $\omega <(1-\varepsilon )\log p$, where ε is a positive fraction.
3 Notations, Framework and Adversary Model
An FCLR-CBSC scheme composes of two roles, namely, a trusted certificate authority (CA) and members. A member ${\textit{ID}_{m}}$ (a sender ${\textit{ID}_{s}}$ or a receiver ${\textit{ID}_{r}}$) first sets the member’s secret key ${\textit{MSK}_{m}}$ and first public key ${\textit{MPK}_{m}}$, and transmits (${\textit{ID}_{m}}$, ${\textit{MPK}_{m}}$) to the CA. The CA uses a secret key $\textit{CSK}$ to compute and return the member’s certificate ${\textit{CTF}_{m}}$ and second public key ${\textit{UPK}_{m}}$ to the member ${\textit{ID}_{m}}$ via a secure channel. By taking as input a message $\textit{msg}$ and the public key pair $({\textit{MPK}_{r}},{\textit{UPK}_{r}})$ of the receiver ${\textit{ID}_{r}}$, the sender ${\textit{ID}_{s}}$ uses her/his certificate and secret key to compute a ciphertext $\textit{CT}$ and send (${\textit{ID}_{s}}$, $\textit{CT}$) to the receiver ${\textit{ID}_{r}}$. By taking as input a ciphertext $\textit{CT}$ and the public key pair (${\textit{MPK}_{s}},{\textit{UPK}_{s}}$) of the sender ${\textit{ID}_{s}}$, the receiver ${\textit{ID}_{r}}$ returns $\textit{msg}$ if $\textit{CT}$ is “Valid”; otherwise returns “Invalid”. The system model of the FCLR-CBSC scheme is depicted in Fig. 1.
To achieve fully continuous leakage-resilient property (Kiltz and Pietrzak, 2010; Galindo and Virek, 2013), every secret key or certificate in the system is partitioned into two parts, which must be updated before being participated in each computation round. Assume that the CA’s secret key $\textit{CSK}$ is initially partitioned into the beginning secret key pair (${\textit{CSK}_{1,0}}$, ${\textit{CSK}_{2,0}}$). Additionally, let the CA’s current secret key pair be (${\textit{CSK}_{1,i-1}},{\textit{CSK}_{2,i-1}}$), which must be updated to $({\textit{CSK}_{1,i}},{\textit{CSK}_{2,i}})$ when it participates in the i-th invocation of the certificate generation algorithm. Note that we have $\textit{CSK}={\textit{CSK}_{1,0}}\cdot {\textit{CSK}_{2,0}}=\cdots ={\textit{CSK}_{1,i-1}}\cdot {\textit{CSK}_{2,i-1}}={\textit{CSK}_{1,i}}\cdot {\textit{CSK}_{2,i}}$. For the same reason, the member ${\textit{ID}_{m}}$’s secret key ${\textit{MSK}_{m}}$ and certificate ${\textit{CTF}_{m}}$ are initially partitioned into the beginning secret key pair (${\textit{MSK}_{m,1,0}}$, ${\textit{MSK}_{m,2,0}}$) and the certificate pair (${\textit{CTF}_{m,1,0}}$, ${\textit{CTF}_{m,2,0}}$), respectively. Let the member ${\textit{ID}_{m}}$’s current secret key and certificate pairs be, respectively, $({\textit{CTF}_{m,1,j-1}},{\textit{CTF}_{m,2,j-1}})$ and $({\textit{MSK}_{m,1,j-1}},{\textit{MSK}_{m,2,j-1}})$, which must be updated to $({\textit{CTF}_{m,1,j}},{\textit{CTF}_{m,2,j}})$ and $({\textit{MSK}_{m,1,j}},{\textit{MSK}_{m,2,j}})$ when they participate in the j-th invocation of the signcryption or unsigncryption algorithm. Note that we have ${\textit{MSK}_{m}}={\textit{MSK}_{m,1,0}}\cdot {\textit{MSK}_{m,2,0}}=\cdots ={\textit{MSK}_{m,1,j-1}}\cdot {\textit{MSK}_{m,2,j-1}}={\textit{MSK}_{m,1,j}}\cdot {\textit{MSK}_{m,2,j}}$ and ${\textit{CTF}_{m}}={\textit{CTF}_{m,1,0}}\cdot {\textit{CTF}_{m,2,0}}=\cdots ={\textit{CTF}_{m,1,j-1}}\cdot {\textit{CTF}_{m,2,j-1}}={\textit{CTF}_{m,1,j}}\cdot {\textit{CTF}_{m,2,j}}$.
In the following, we first present some symbols and notations used in the proposed FCLR-CBSC scheme. Subsequently, a new framework and adversary model of FCLR-CBSC schemes are defined.
3.1 Symbols and Notations
For reference, the symbols and notations used in the proposed scheme are summarized in Table 2.
Table 2
Symbols and notations.
| Symbols/notations | Meanings |
| $\textit{PPS}$ | a public parameter set |
| $\textit{CPK}$ | the CA’s public key |
| $\textit{CSK}$ | the CA’s secret key |
| $({\textit{CSK}_{1,0}},{\textit{CSK}_{2,0}})$ | the CA’s beginning secret key pair |
| $({\textit{CSK}_{1,i}},{\textit{CSK}_{2,i}})$ | the CA’s i-th secret key pair |
| ${\textit{ID}_{m}}$ | the identity of a member (a sender ${\textit{ID}_{s}}$ or a receiver ${\textit{ID}_{r}}$) |
| $({\textit{MPK}_{m}},{\textit{UPK}_{m}})$ | the public key pair of ${\textit{ID}_{m}}$ |
| ${\textit{MSK}_{m}}$ | the certificate of ${\textit{ID}_{m}}$ |
| $({\textit{MSK}_{m,1,0}},{\textit{MSK}_{m,2,0}})$ | the beginning secret key pair of ${\textit{ID}_{m}}$ |
| $({\textit{MSK}_{m,1,j}},{\textit{MSK}_{m,2,j}})$ | the j-th secret key pair of ${\textit{ID}_{m}}$ |
| ${\textit{CTF}_{m}}$ | the certificate of ${\textit{ID}_{m}}$ |
| $({\textit{CTF}_{m,1,0}},{\textit{CTF}_{m,2,0}})$ | the beginning certificate pair of ${\textit{ID}_{m}}$ |
| $({\textit{CTF}_{m,1,j}},{\textit{CTF}_{m,2,j}})$ | the j-th certificate pair of ${\textit{ID}_{m}}$ |
| $H()$ | a hash function |
| $\textit{SKE}()/\textit{SKD}()$ | symmetric-key encryption/decryption functions |
| ${\textit{ID}_{s}}$ | the identity of a sender (it is also a member) |
| ${\textit{ID}_{r}}$ | the identity of a receiver (it is also a member) |
| $\textit{msg}$ | a message |
| $\textit{CT}$ | a ciphertext |
3.2 Framework
Based on the frameworks of both the LR-CBS (Wu et al., 2019) and the LR-CBE (Wu et al., 2020a) schemes, a new framework of FCLR-CBSC schemes is defined as follows.
Definition 1.
An FCLR-CBSC scheme comprises five algorithms as presented below:
-
– Initialization: The CA runs this algorithm to compute the CA’s secret key $\textit{CSK}$ and system public key $\textit{CPK}$ while generating and publishing a public parameter set $\textit{PPS}$. Additionally, the CA also partitions $\textit{CSK}$ to set the beginning secret key pair $({\textit{CSK}_{1,0}},{\textit{CSK}_{2,0}})$.
-
– Member secret key generation: A member ${\textit{ID}_{m}}$ (a sender ${\textit{ID}_{s}}$ or a receiver ${\textit{ID}_{r}}$) runs this algorithm to compute her/his secret key ${\textit{MSK}_{m}}$ and first public key ${\textit{MPK}_{m}}$. Additionally, the member ${\textit{ID}_{m}}$ partitions ${\textit{MSK}_{m}}$ to set the beginning secret key pair (${\textit{MSK}_{m,1,0}},{\textit{MSK}_{m,2,0}}$). Finally, the member ${\textit{ID}_{m}}$ sends (${\textit{ID}_{m}},{\textit{MPK}_{m}}$) to the CA.
-
– Certificate generation: Assume that the CA’s current secret key pair is (${\textit{CSK}_{1,i-1}},{\textit{CSK}_{2,i-1}}$). The CA first obtains a new current secret key pair (${\textit{CSK}_{1,i}},{\textit{CSK}_{2,i}}$) by updating (${\textit{CSK}_{1,i-1}},{\textit{CSK}_{2,i-1}}$). Upon receiving (${\textit{ID}_{m}}$, ${\textit{MPK}_{m}}$) from the member ${\textit{ID}_{m}}$, the CA creates and returns the certificate ${\textit{CTF}_{m}}$ and second public key ${\textit{UPK}_{m}}$ to the member ${\textit{ID}_{m}}$. Upon receiving (${\textit{CTF}_{m}}$, ${\textit{UPK}_{m}}$), the member ${\textit{ID}_{m}}$ sets her/his beginning certificate pair (${\textit{CTF}_{m,1,0}}$, ${\textit{CTF}_{m,2,0}}$) and public key pair (${\textit{MPK}_{m}}$, ${\textit{UPK}_{m}}$).
-
– Signcryption: Assume that the sender ${\textit{ID}_{s}}$’s current certificate and secret key pairs are, respectively, (${\textit{CTF}_{s,1,j-1}}$, ${\textit{CTF}_{s,2,j-1}}$) and (${\textit{MSK}_{s,1,j-1}}$, ${\textit{MSK}_{s,2,j-1}}$). The sender ${\textit{ID}_{s}}$ first obtains a new current certificate pair (${\textit{CTF}_{s,1,j}}$, ${\textit{CTF}_{s,2,j}}$) and secret key pair (${\textit{MSK}_{s,1,j}}$, ${\textit{MSK}_{s,2,j}}$) by updating (${\textit{CTF}_{s,1,j-1}}$, ${\textit{CTF}_{s,2,j-1}}$) and (${\textit{MSK}_{s,1,j-1}}$, ${\textit{MSK}_{s,2,j-1}}$), respectively. By taking as input a message $\textit{msg}$ and the public key pair (${\textit{MPK}_{r}},{\textit{UPK}_{r}}$) of the receiver ${\textit{ID}_{r}}$, the sender ${\textit{ID}_{s}}$ runs this algorithm to return a ciphertext $\textit{CT}$.
-
– Unsigncryption: Assume that the receiver ${\textit{ID}_{r}}$’s current certificate and secret key pairs are, respectively, (${\textit{CTF}_{r,1,k-1}}$, ${\textit{CTF}_{r,2,k-1}}$) and (${\textit{MSK}_{r,1,k-1}}$, ${\textit{MSK}_{r,2,k-1}}$). The receiver ${\textit{ID}_{r}}$ first obtains a new current certificate pair (${\textit{CTF}_{r,1,k}}$, ${\textit{CTF}_{r,2,k}}$) and secret key pair (${\textit{MSK}_{r,1,k}}$, ${\textit{MSK}_{r,2,k}}$) by updating (${\textit{CTF}_{r,1,k-1}}$, ${\textit{CTF}_{r,2,k-1}}$) and (${\textit{MSK}_{r,1,k-1}}$, ${\textit{MSK}_{r,2,k-1}}$), respectively. By taking as input a ciphertext $\textit{CT}$ and the public key pair (${\textit{MPK}_{s}},{\textit{UPK}_{s}}$) of the sender ${\textit{ID}_{s}}$, the receiver ${\textit{ID}_{r}}$ returns $\textit{msg}$ if $\textit{CT}$ is “Valid”; otherwise returns “Invalid”.
3.3 Adversary Model
Here, six continuous leakage functions ${f_{\textit{CA},i}}$, ${h_{\textit{CA},i}}$, ${f_{\textit{SC},j}}$, ${h_{\textit{SC},j}}$, ${f_{\textit{US},k}}$ and ${h_{\textit{US},k}}$ are used to simulate the leakage abilities of adversaries. In the i-th invocation of the Certificate generation algorithm, an adversary could obtain partial bits of the CA’s current secret key pair (${\textit{CSK}_{1,i}},{\textit{CSK}_{2,i}}$) by ${f_{\textit{CA},i}}$ and ${h_{\textit{CA},i}}$. In the j-th invocation of the Signcryption algorithm, an adversary could obtain partial bits of the sender ${\textit{ID}_{s}}$’s current certificate pair (${\textit{CTF}_{s,1,j}}$, ${\textit{CTF}_{s,2,j}}$) and secret key pair (${\textit{MSK}_{s,1,j}}$, ${\textit{MSK}_{s,2,j}}$) by ${f_{\textit{SC},j}}$ and ${h_{\textit{SC},j}}$. In the k-th invocation of the Unsigncryption algorithm, an adversary could obtain partial bits of the receiver ${\textit{ID}_{r}}$’s current certificate pair (${\textit{CTF}_{r,1,k}}$, ${\textit{CTF}_{r,2,k}}$) and secret key pair (${\textit{MSK}_{r,1,k}}$, ${\textit{MSK}_{r,2,k}}$) by ${f_{\textit{US},k}}$ and ${h_{\textit{US},k}}$. Let ω be the maximal leakage bit length for each leakage function. Let $\Delta {f_{\textit{CA},i}}$, $\Delta {h_{\textit{CA},i}}$, $\Delta {f_{\textit{SC},j}}$, $\Delta {h_{\textit{SC},j}}$, $\Delta {f_{\textit{US},k}}$ and $\Delta {h_{\textit{US},k}}$, respectively, denote their outputs of the six leakage functions. Therefore, we have $|\Delta {f_{\textit{CA},i}}|$, $|\Delta {h_{\textit{CA},i}}|$, $|\Delta {f_{\textit{SC},j}}|$, $|\Delta {h_{\textit{SC},j}}|$, $|\Delta {f_{\textit{US},k}}|$, $|\Delta {h_{\textit{US},k}}|\leqq \omega $ and their inputs/outputs are presented as follows:
Based on the adversary models of both the LR-CBS (Wu et al., 2019) and the LR-CBE (Wu et al., 2020a) schemes, we define a new adversary model of FCLR-CBSC schemes. In the new adversary model, there are two types of adversaries (${A_{I}}$ and ${A_{\textit{II}}}$) as presented below:
An FCLR-CBSC scheme must possess two security properties, namely, authentication of signing process and confidentiality of encrypting process, that are modelled by two security games as defined below.
-
– $\Delta {f_{\textit{CA},i}}={f_{\textit{CA},i}}({\textit{CSK}_{1,i}})$.
-
– $\Delta {h_{\textit{CA},i}}={h_{\textit{CA},i}}({\textit{CSK}_{2,i}})$.
-
– $\Delta {f_{\textit{SC},j}}={f_{\textit{SC},j}}({\textit{CTF}_{s,1,j}},{\textit{MSK}_{s,1,j}})$.
-
– $\Delta {h_{\textit{SC},j}}={h_{\textit{SC},j}}({\textit{CTF}_{s,2,j}},{\textit{MSK}_{s,2,j}})$.
-
– $\Delta {f_{\textit{US},k}}={f_{\textit{US},k}}({\textit{CTF}_{r,1,k}},{\textit{MSK}_{r,1,k}})$.
-
– $\Delta {h_{\textit{US},k}}={h_{\textit{US},k}}({\textit{CTF}_{r,2,k}},{\textit{MSK}_{r,2,k}})$.
-
– ${A_{I}}$: ${A_{I}}$ simulates an “uncertified member” who can set any member ${\textit{ID}_{m}}$’s secret key ${\textit{MSK}_{m}}$ and first public key ${\textit{MPK}_{m}}$, but can obtain neither ${\textit{ID}_{m}}$’s certificate ${\textit{CTF}_{m}}$ nor second public key ${\textit{UPK}_{m}}$. Indeed, ${A_{I}}$ can get partial bits of the CA’s current secret key pair (${\textit{CSK}_{1,i}}$, ${\textit{CSK}_{2,i}}$) in the i-th invocation of the Certificate generation algorithm. Also, ${A_{I}}$ could obtain partial bits of the sender ${\textit{ID}_{s}}$’s current certificate pair (${\textit{CTF}_{s,1,j}}$, ${\textit{CTF}_{s,2,j}}$) in the j-th invocation of the Signcryption algorithm. In the k-th invocation of the Unsigncryption algorithm, ${A_{I}}$ could obtain partial bits of the receiver ${\textit{ID}_{r}}$’s current certificate pair $({\textit{CTF}_{r,1,k}},{\textit{CTF}_{r,2,k}})$.
-
– ${A_{\textit{II}}}$: ${A_{\textit{II}}}$ simulates an “honest-but-curious CA” who has the CA’s secret key $\textit{CSK}$ and produces any member ${\textit{ID}_{m}}$’s certificate ${\textit{CTF}_{m}}$ and second public key ${\textit{UPK}_{m}}$, but ${A_{\textit{II}}}$ can obtain neither the member ${\textit{ID}_{m}}$’s secret key ${\textit{MSK}_{m}}$ nor first public key ${\textit{MPK}_{m}}$. Also, ${A_{\textit{II}}}$ could obtain partial bits of the sender ${\textit{ID}_{s}}$’s current secret key pair $({\textit{MSK}_{s,1,j}},{\textit{MSK}_{s,2,j}})$ in the j-th invocation of the Signcryption algorithm. In the k-th invocation of the Unsigncryption algorithm, ${A_{\textit{II}}}$ could obtain partial bits of the receiver ${\textit{ID}_{r}}$’s current secret key pair (${\textit{MSK}_{r,1,k}}$, ${\textit{MSK}_{r,2,k}}$).
Definition 2 (${\mathbf{G}_{\mathbf{auth}}}$).
The authentication property is modelled by the security game ${G_{\textit{auth}}}$ that is played by an adversary A (${A_{I}}$ or ${A_{\textit{II}}}$) and a challenger B. We say that an FCLR-CBSC scheme has existential unforgeability against both continuous leakage and adaptive chosen-message attacks (EXUF-CLRACMA) if no probabilistic polynomial time (PPT) adversary A has a non-negligible advantage to win the following game ${G_{\textit{auth}}}$.
-
– Setup. The challenger B runs the Initialization algorithm in Definition 1 to get the CA’s secret key $\textit{CSK}$ and public key $\textit{CPK}$ while generating and publishing a public parameter set $\textit{PPS}$. Also, B partitions $\textit{CSK}$ to set the beginning secret key pair (${\textit{CSK}_{1,0}}$, ${\textit{CSK}_{2,0}}$). Additionally, if A is of type ${A_{\textit{II}}}$, B sends $\textit{CSK}$ to ${A_{\textit{II}}}$.
-
– Queries. A may adaptively request the following queries to B at most η times.
-
• Member key generation query (${\textit{ID}_{m}}$): B produces and returns the member ${\textit{ID}_{m}}$’s secret key ${\textit{MSK}_{m}}$ and first public key ${\textit{MPK}_{m}}$.
-
• Member secret key query (${\textit{ID}_{m}}$): B returns the member ${\textit{ID}_{m}}$’s secret key ${\textit{MSK}_{m}}$.
-
• Certificate generation query (${\textit{ID}_{m}}$, ${\textit{MPK}_{m}}$): B returns the member ${\textit{ID}_{m}}$’s certificate ${\textit{CTF}_{m}}$ and second public key ${\textit{UPK}_{m}}$.
-
• Certificate generation leak query (i, ${f_{\textit{CA},i}}$, ${h_{\textit{CA},i}}$): A may request this query only once. B returns $\Delta {f_{\textit{CA},i}}={f_{\textit{CA},i}}({\textit{CSK}_{1,i}})$ and $\Delta {h_{\textit{CA},i}}={h_{\textit{CA},i}}({\textit{CSK}_{2,i}})$.
-
• Public key retrieve query (${\textit{ID}_{m}}$): B returns the member ${\textit{ID}_{m}}$’s public key pair (${\textit{MPK}_{m}}$, ${\textit{UPK}_{m}}$).
-
• Public key replace query (${\textit{ID}_{m}}$, (${\textit{MPK}^{\prime }_{m}}$, ${\textit{UPK}^{\prime }_{m}}$)): B records the replacement.
-
• Signcryption query ($\textit{msg}$, ${\textit{ID}_{s}}$, ${\textit{ID}_{r}}$): The sender ${\textit{ID}_{s}}$ first obtains a new current certificate pair (${\textit{CTF}_{s,1,j}}$, ${\textit{CTF}_{s,2,j}}$) and secret key pair (${\textit{MSK}_{s,1,j}}$, ${\textit{MSK}_{s,2,j}}$) by updating (${\textit{CTF}_{s,1,j-1}}$, ${\textit{CTF}_{s,2,j-1}}$) and (${\textit{MSK}_{s,1,j-1}}$, ${\textit{MSK}_{s,2,j-1}}$), respectively. B returns a ciphertext $\textit{CT}$.
-
• Signcryption leak query (${\textit{ID}_{s}}$, j, ${f_{\textit{SC},j}}$, ${h_{\textit{SC},j}}$): A may request this query only once. B returns $\Delta {f_{\textit{SC},j}}={f_{\textit{SC},j}}({\textit{CTF}_{s,1,j}},{\textit{MSK}_{s,1,j}})$ and $\Delta {h_{\textit{SC},j}}={h_{\textit{SC},j}}({\textit{CTF}_{s,2,j}},{\textit{MSK}_{s,2,j}})$.
-
• Unsigncryption query ($\textit{CT}$, ${\textit{ID}_{r}}$): The receiver ${\textit{ID}_{r}}$ first obtains a new current certificate pair (${\textit{CTF}_{r,1,k}}$, ${\textit{CTF}_{r,2,k}}$) and secret key pair (${\textit{MSK}_{r,1,k}}$, ${\textit{MSK}_{r,2,k}}$) by updating (${\textit{CTF}_{r,1,k-1}}$, ${\textit{CTF}_{r,2,k-1}}$) and (${\textit{MSK}_{r,1,k-1}}$, ${\textit{MSK}_{r,2,k-1}}$), respectively. B returns the message $\textit{msg}$.
-
• Unsigncryption leak query (${\textit{ID}_{r}}$, k, ${f_{\textit{US},k}}$, ${h_{\textit{US},k}}$): A may request this query only once. B returns $\Delta {f_{\textit{US},k}}={f_{\textit{US},k}}({\textit{CTF}_{r,1,k}},{\textit{MSK}_{r,1,k}})$ and $\Delta {h_{\textit{US},k}}={h_{\textit{US},k}}({\textit{CTF}_{r,2,k}},{\textit{MSK}_{r,2,k}})$.
-
-
– Forgery. A creates a tuple (${\textit{msg}^{\prime }}$, ${\textit{CT}^{\prime }}=({\sigma ^{\prime }},{C^{\prime }},{U^{\prime }},{\textit{ID}^{\prime }_{s}}$, ${\textit{ID}^{\prime }_{r}}$)). It is said that A wins ${G_{\textit{auth}}}$ if the following four conditions hold.
-
(1) For $({\textit{msg}^{\prime }},{\textit{CT}^{\prime }}=({\sigma ^{\prime }},{C^{\prime }},{U^{\prime }},{\textit{ID}^{\prime }_{s}},{\textit{ID}^{\prime }_{r}}))$, the Unsigncryption algorithm returns “Valid”.
-
(2) The Signcryption query $({\textit{msg}^{\prime }},{\textit{ID}^{\prime }_{s}},{\textit{ID}^{\prime }_{r}})$ has never been requested.
-
(3) If A is of type ${A_{I}}$, the Certificate generation query $({\textit{ID}^{\prime }_{s}},{\textit{MPK}^{\prime }_{s}})$ has never been requested.
-
(4) If A is of type ${A_{\textit{II}}}$, neither the Member secret key query (${\textit{ID}^{\prime }_{s}}$), nor the Public key replace query $({\textit{ID}^{\prime }_{s}},({\textit{MPK}^{\prime }_{s}},{\textit{UPK}^{\prime }_{s}}))$ have never been requested.
-
Definition 3 (${\mathbf{G}_{\mathbf{conf}}}$).
The confidentiality property is modelled by the security game ${G_{\textit{conf}}}$ that is played by an adversary A (${A_{I}}$ or ${A_{\textit{II}}}$) and a challenger B. We say that an FCLR-CBSC scheme has indistinguishability of encryptions against both continuous leakage and chosen-ciphertext attacks (INDEN-CLCCA) if no PPT adversary A has a non-negligible advantage to win the following game ${G_{\textit{conf}}}$.
-
– Setup. It is identical to the Setup in Definition 2.
-
– Queries. It is identical to the Queries in Definition 2.
-
– Challenge. A sends a receiver’s identity ${\textit{ID}^{\prime }_{r}}$ and a message pair (${\textit{msg}^{\prime }_{0}}$, ${\textit{msg}^{\prime }_{1}}$) to B. Then B randomly chooses a bit ${b^{\prime }}\in \{0,1\}$ and runs the Signcryption algorithm with (${\textit{msg}^{\prime }_{b}}$, ${\textit{ID}_{s}}$, ${\textit{ID}^{\prime }_{r}}$) to create and return a ciphertext $\textit{CT}=(\sigma ,C,U,{\textit{ID}_{s}},{\textit{ID}^{\prime }_{r}})$ to A. Additionally, the following two conditions must hold.
-
(1) If A is of type ${A_{I}}$, the Certificate generation query (${\textit{ID}^{\prime }_{r}}$, ${\textit{MPK}^{\prime }_{r}}$) has never been requested.
-
(2) If A is of type ${A_{\textit{II}}}$, neither the Member secret key query (${\textit{ID}^{\prime }_{r}}$), nor the Public key replace query (${\textit{ID}^{\prime }_{r}}$, (${\textit{MPK}^{\prime }_{r}}$, ${\textit{UPK}^{\prime }_{r}}$)) have been requested.
-
-
– Guess. A returns a bit $b\in \{0,1\}$. If $b={b^{\prime }}$, we say that A wins ${G_{\textit{conf}}}$ and its advantage is defined as ${\mathrm{Adv}_{A}}=|\Pr [b={b^{\prime }}]-1/2|$.
4 The Proposed FCLR-CBSC Scheme
By the framework defined in Section 3, a fully continuous leakage-resilient certificate-based signcryption (FCLR-CBSC) scheme is proposed below that comprises five algorithms.
-
– Initialization: The CA first create a bilinear pairing set $\{{g_{1}},{g_{2}},{G_{1}},{G_{2}},p,\hat{e}\}$ described in Section 2. By running the following procedure, the CA computes her/his secret key $\textit{CSK}$ and public key $\textit{CPK}$ while generating and publishing a public parameter set $\textit{PPS}$.
-
(1) Choose a random value $s\in {Z_{p}^{\ast }}$, and compute the CA’s secret key $\textit{CSK}={g_{1}^{s}}$ and public key $\textit{CPK}=\hat{e}(\textit{CSK},{g_{1}})$.
-
(2) Choose a random value $t\in {Z_{p}^{\ast }}$, and set the CA’s beginning secret key pair $({\textit{CSK}_{1,0}},{\textit{CSK}_{2,0}})=(\textit{CSK}\cdot {g_{1}^{-t}},{g_{1}^{t}})$, where $\textit{CSK}={\textit{CSK}_{1,0}}\cdot {\textit{CSK}_{2,0}}$ and the public key $\textit{CPK}$ is kept unchanged.
-
(3) Choose four random values $w,x,y,z\in {Z_{p}^{\ast }}$, and compute $W={g_{1}^{w}}$, $X={g_{1}^{x}}$, $Y={g_{1}^{y}}$ and $Z={g_{1}^{z}}$.
-
(4) Pick symmetric-key encryption and decryption functions, denoted by $\textit{SKE}$ and $\textit{SKD}$.
-
(5) Pick a hash function H: ${\{0,1\}^{\ast }}\times {G_{1}}\to {\{0,1\}^{l}}$, where l is a large integer.
-
(6) Publish $\textit{PPS}=\{{g_{1}},{g_{2}},{G_{1}},{G_{2}},p,\hat{e},\textit{CPK},W,X,Y,Z,\textit{SKE},\textit{SKD},H\}$.
-
-
– Member secret key generation: A member ${\textit{ID}_{m}}$ (a sender ${\textit{ID}_{s}}$ or a receiver ${\textit{ID}_{r}}$) first chooses a random value $a\in {Z_{p}^{\ast }}$, and computes the member’s secret key ${\textit{MSK}_{m}}={g_{1}^{a}}$ and first public key ${\textit{MPK}_{m}}=\hat{e}({\textit{MSK}_{m}},{g_{1}})$. The member chooses a random value $b\in {Z_{p}^{\ast }}$ and computes the member ${\textit{ID}_{m}}$’s beginning secret key pair $({\textit{MSK}_{m,1,0}},{\textit{MSK}_{m,2,0}})=({\textit{MSK}_{m}}\cdot {g_{1}^{-b}},{g_{1}^{b}})$, where ${\textit{MSK}_{m}}={\textit{MSK}_{m,1,0}}\cdot {\textit{MSK}_{m,2,0}}$. Meanwhile, the member ${\textit{ID}_{m}}$ sends (${\textit{ID}_{m}}$, ${\textit{MPK}_{m}}$) to the CA.
-
– Certificate generation: Assume that the CA’s current secret key pair is $({\textit{CSK}_{1,i-1}},{\textit{CSK}_{2,i-1}})$. Upon receiving $({\textit{ID}_{m}},{\textit{MPK}_{m}})$ from the member ${\textit{ID}_{m}}$, the CA runs the following procedure.Upon receiving ${\textit{CTF}_{m}}$, the member ${\textit{ID}_{m}}$ chooses a random value $c\in {Z_{p}^{\ast }}$ and sets her/his beginning certificate pair $({\textit{CTF}_{m,1,0}},{\textit{CTF}_{m,2,0}})=({\textit{CTF}_{m}}\cdot {g_{1}^{-c}},{g_{1}^{c}})$.
-
(1) Choose a random value $u\in {Z_{p}^{\ast }}$, and update the CA’s current secret key pair as $({\textit{CSK}_{1,i}},{\textit{CSK}_{2,i}})=({\textit{CSK}_{1,i-1}}\cdot {g_{1}^{-u}},{\textit{CSK}_{2,i-1}}\cdot {g_{1}^{u}})$, where $\textit{CSK}={\textit{CSK}_{1,i}}\cdot {\textit{CSK}_{2,i}}={\textit{CSK}_{1,i-1}}\cdot {\textit{CSK}_{2,i-1}}$ and the public key $\textit{CPK}$ is kept unchanged.
-
(2) Choose a random value $v\in {Z_{p}^{\ast }}$, compute the member ${\textit{ID}_{m}}$’s second public key ${\textit{UPK}_{m}}={g_{1}^{v}}$ and set the member ${\textit{ID}_{m}}$’s public key pair (${\textit{MPK}_{m}}$, ${\textit{UPK}_{m}}$).
-
(3) Set $\alpha ={\textit{ID}_{m}}||{\textit{MPK}_{m}}||{\textit{UPK}_{m}}$, and compute a temporary value ${\textit{TV}_{m}}={\textit{CSK}_{1,i}}\cdot {(W\cdot {X^{\alpha }})^{v}}$ and the member ${\textit{ID}_{m}}$’s certificate ${\textit{CTF}_{m}}={\textit{CSK}_{2,i}}\cdot {\textit{TV}_{m}}$.
-
(4) Return ${\textit{CTF}_{m}}$ to the member ${\textit{ID}_{m}}$ via a secure channel.
-
-
– Signcryption: Assume that the sender ${\textit{ID}_{s}}$’s current certificate and secret key pairs are, respectively, (${\textit{CTF}_{s,1,j-1}}$, ${\textit{CTF}_{s,2,j-1}}$) and (${\textit{MSK}_{s,1,j-1}}$, ${\textit{MSK}_{s,2,j-1}}$). The sender ${\textit{ID}_{s}}$ would like to signcrypt a message $\textit{msg}$ to the receiver ${\textit{ID}_{r}}$ with public key pair (${\textit{MPK}_{r}}$, ${\textit{UPK}_{r}}$) by running the following procedure.
-
(1) Choose a random value $d\in {Z_{p}^{\ast }}$, and update the two pairs above as $({\textit{CTF}_{s,1,j}},{\textit{CTF}_{s,2,j}})=({\textit{CTF}_{s,1,j-1}}\cdot {g_{1}^{d}},{\textit{CTF}_{s,2,j-1}}\cdot {g_{1}^{-d}})$ and $({\textit{MSK}_{s,1,j}},{\textit{MSK}_{s,2,j}})=({\textit{MSK}_{s,1,j-1}}\cdot {g_{1}^{d}},{\textit{MSK}_{s,2,j-1}}\cdot {g_{1}^{-d}})$, where ${\textit{CTF}_{s}}={\textit{CTF}_{s,1,j}}\cdot {\textit{CTF}_{s,2,j}}={\textit{CTF}_{s,1,j-1}}\cdot {\textit{CTF}_{s,2,j-1}}$ and ${\textit{MSK}_{s}}={\textit{MSK}_{s,1,j}}\cdot {\textit{MSK}_{s,2,j}}={\textit{MSK}_{s,1,j-1}}\cdot {\textit{MSK}_{s,2,j-1}}$. Note that the member ${\textit{ID}_{s}}$’s public key pair (${\textit{MPK}_{s}},{\textit{UPK}_{s}}$) is kept unchanged.
-
(2) Set $\alpha ={\textit{ID}_{r}}||{\textit{MPK}_{r}}||{\textit{UPK}_{r}}$, select a random value $\beta \in {Z_{p}^{\ast }}$, and compute $U={g_{1}^{\beta }},{K_{1}}={({\textit{MPK}_{r}})^{\beta }}$ and ${K_{2}}={(\textit{CPK}\cdot \hat{e}({\textit{UPK}_{r}},W\cdot {X^{\alpha }}))^{\beta }}$.
-
(3) Set an encryption key $K={K_{1}}\oplus {K_{2}}$, and compute $C={\textit{SKE}_{K}}(\textit{msg})$ and $\delta =H(\textit{msg},C,U,{\textit{ID}_{s}},{\textit{ID}_{r}})$.
-
(4) Compute a temporary value ${\textit{TV}_{S}}={\textit{CTF}_{s,1,j}}\cdot {\textit{MSK}_{s,1,j}}\cdot {(Y\cdot {Z^{\delta }})^{\beta }}$.
-
(5) Compute a signature $\sigma ={\textit{CTF}_{s,2,j}}\cdot {\textit{MSK}_{s,2,j}}\cdot {\textit{TV}_{S}}$.
-
(6) Produce a ciphertext $\textit{CT}=(\sigma ,C,U,{\textit{ID}_{s}},{\textit{ID}_{r}})$.
-
-
– Unsigncryption: Assume that the receiver ${\textit{ID}_{r}}$’s current certificate and secret key pairs are, respectively, (${\textit{CTF}_{r,1,k-1}}$, ${\textit{CTF}_{r,2,k-1}}$) and (${\textit{MSK}_{r,1,k-1}}$, ${\textit{MSK}_{r,2,k-1}}$). Given $\textit{CT}=(\sigma ,C,U,{\textit{ID}_{s}},{\textit{ID}_{r}})$, the receiver ${\textit{ID}_{r}}$ unsigncrypts $\textit{CT}$ to obtain the message $\textit{msg}$ and verify the signature σ by running the following procedure.We can arrive at ${K^{\prime }}={K^{\prime }_{1}}\oplus {K^{\prime }_{2}}={K_{1}}\oplus {K_{2}}=K$ and $\hat{e}({g_{1}},\sigma )=\textit{CPK}\cdot {\textit{MPK}_{s}}\cdot \hat{e}({\textit{UPK}_{s}},W\cdot {X^{\alpha }})\cdot \hat{e}(U,Y\cdot {Z^{\delta }})$ by the following equalities.
-
(1) Choose a random value $f\in {Z_{p}^{\ast }}$, and update the two pairs above as $({\textit{CTF}_{r,1,k}},{\textit{CTF}_{r,2,k}})=({\textit{CTF}_{r,1,k-1}}\cdot {g_{1}^{f}},{\textit{CTF}_{r,2,k-1}}\cdot {g_{1}^{-f}})$ and $({\textit{MSK}_{r,1,k}},{\textit{MSK}_{r,2,k}})=({\textit{MSK}_{r,1,k-1}}\cdot {g_{1}^{f}},{\textit{MSK}_{r,2,k-1}}\cdot {g_{1}^{-f}})$, where ${\textit{CTF}_{r}}={\textit{CTF}_{r,1,k}}\cdot {\textit{CTF}_{r,2,k}}={\textit{CTF}_{r,1,k-1}}\cdot {\textit{CTF}_{r,2,k-1}}$ and ${\textit{MSK}_{r}}={\textit{MSK}_{r,1,k}}\cdot {\textit{MSK}_{r,2,k}}={\textit{MSK}_{r,1,k-1}}\cdot {\textit{MSK}_{r,2,k-1}}$. Note that the member ${\textit{ID}_{r}}$’s public key pair (${\textit{MPK}_{r}},{\textit{UPK}_{r}}$) is kept unchanged.
-
(2) Compute two temporary values ${\textit{TV}_{K1}}=\hat{e}(U,{\textit{MSK}_{r,1,k}})$ and ${\textit{TV}_{K2}}=\hat{e}(U,{\textit{CTF}_{r,1,k}})$.
-
(3) Compute ${K^{\prime }_{1}}={\textit{TV}_{K1}}\cdot \hat{e}(U,{\textit{MSK}_{r,2,k}})$ and ${K^{\prime }_{2}}={\textit{TV}_{K2}}\cdot \hat{e}(U,{\textit{CTF}_{r,2,k}})$.
-
(4) Set ${K^{\prime }}={K^{\prime }_{1}}\oplus {K^{\prime }_{2}}$, and decrypt the message $msg=SK{D^{\prime }_{K}}(C)$.
-
(5) Compute $\delta =H(\textit{msg},C,U,{\textit{ID}_{s}},{\textit{ID}_{r}})$, and set $\alpha ={\textit{ID}_{r}}||$ ${\textit{MPK}_{r}}$ $||{\textit{UPK}_{r}}$.
-
(6) Verify the equality $\hat{e}({g_{1}},\sigma )=\textit{CPK}\cdot {\textit{MPK}_{s}}\cdot \hat{e}({\textit{UPK}_{s}},W\cdot {X^{\alpha }})\cdot \hat{e}(U,Y\cdot {Z^{\delta }})$. If the equality holds, return $\textit{msg}$ and “Valid”; otherwise return “Invalid”.
-
(1) ${K^{\prime }_{1}}={\textit{TV}_{K1}}\cdot \hat{e}(U,{\textit{MSK}_{r,2,k}})=\hat{e}(U,{\textit{MSK}_{r,1,k}})\cdot \hat{e}(U,{\textit{MSK}_{r,2,k}})=\hat{e}(U,{\textit{MSK}_{r,1,k}}\cdot {\textit{MSK}_{r,2,k}})=\hat{e}(U,{\textit{MSK}_{r}})=\hat{e}({g_{1}^{\beta }},{\textit{MSK}_{r}})=\hat{e}{({\textit{MSK}_{r}},{g_{1}})^{\beta }}={({\textit{MPK}_{r}})^{\beta }}={K_{1}}$.
-
(2) ${K^{\prime }_{2}}={\textit{TV}_{K2}}\cdot \hat{e}(U,{\textit{CTF}_{r,2,k}})=\hat{e}(U,{\textit{CTF}_{r,1,k}})\cdot \hat{e}(U,{\textit{CTF}_{r,2,k}})=\hat{e}(U,{\textit{CTF}_{r,1,k}}\cdot {\textit{CTF}_{r,2,k}})=\hat{e}(U,{\textit{CTF}_{r}})=\hat{e}({g_{1}^{\beta }},\textit{CSK}\cdot {(W\cdot {X^{\alpha }})^{v}})=\hat{e}{({g_{1}},\textit{CSK}\cdot {(W\cdot {X^{\alpha }})^{v}})^{\beta }}=\hat{e}({g_{1}},\textit{CSK})\cdot \hat{e}{({g_{1}},{(W\cdot {X^{\alpha }})^{v}})^{\beta }}=(\textit{CPK}\cdot \hat{e}{({g_{1}^{v}},(W\cdot {X^{\alpha }}))^{\beta }}={(\textit{CPK}\cdot \hat{e}({\textit{UPK}_{r}},W\cdot {X^{\alpha }}))^{\beta }}={K_{2}}$.
-
(3) $\hat{e}({g_{1}},\sigma )=\hat{e}({g_{1}},{\textit{CTF}_{s,2,j}}\cdot {\textit{MSK}_{s,2,j}}\cdot {\textit{TV}_{S}})=\hat{e}({g_{1}},{\textit{CTF}_{s,2,j}}\cdot {\textit{MSK}_{s,2,j}}\cdot {\textit{CTF}_{s,1,j}}\cdot {\textit{MSK}_{s,1,j}}\cdot {(Y\cdot {Z^{\delta }})^{\beta }})=\hat{e}({g_{1}},{\textit{CTF}_{s,1,j}}\cdot {\textit{CTF}_{s,2,j}}\cdot {\textit{MSK}_{s,1,j}}\cdot {\textit{MSK}_{s,2,j}}\cdot {(Y\cdot {Z^{\delta }})^{\beta }})=\hat{e}({g_{1}},{\textit{CTF}_{s}}\cdot {\textit{MSK}_{s}}\cdot {(Y\cdot {Z^{\delta }})^{\beta }})=\hat{e}({g_{1}},\textit{CSK}\cdot {(W\cdot {X^{\alpha }})^{v}}\cdot {\textit{MSK}_{s}}\cdot {(Y\cdot {Z^{\delta }})^{\beta }})=\hat{e}({g_{1}},\textit{CSK})\cdot \hat{e}({g_{1}},{(W\cdot {X^{\alpha }})^{v}})\cdot \hat{e}({g_{1}},{\textit{MSK}_{s}})\cdot \hat{e}({g_{1}},{(Y\cdot {Z^{\delta }})^{\beta }})=\textit{CPK}\cdot \hat{e}({g_{1}^{v}},(W\cdot {X^{\alpha }}))\cdot {\textit{MPK}_{s}}\cdot \hat{e}({g_{1}^{\beta }},(Y\cdot {Z^{\delta }}))=\textit{CPK}\cdot {\textit{MPK}_{s}}\cdot \hat{e}({\textit{UPK}_{s}},W\cdot {X^{\alpha }})\cdot \hat{e}(U,Y\cdot {Z^{\delta }})$.
-
5 Security Analysis
An FCLR-CBSC scheme must possess two security properties, namely, authentication of signing process and confidentiality of encrypting process, that are modelled by two security games ${G_{\textit{auth}}}$ and ${G_{\textit{conf}}}$ defined in Section 3.3. Both games are played by an adversary A (${A_{I}}$ or ${A_{\textit{II}}}$) and a challenger B. Theorems 1 and 2 below show that our FCLR-CBSC scheme is EXUF-CLRACMA-secure against ${A_{I}}$ and ${A_{\textit{II}}}$ in ${G_{\textit{auth}}}$, respectively. Also, Theorems 3 and 4 show that the FCLR-CBSC scheme is INDEN-CLCCA-secure against ${A_{I}}$ and ${A_{\textit{II}}}$ in ${G_{\textit{conf}}}$, respectively.
Theorem 1.
Under the SCRH and DL assumptions in the GBG model, our FCLR-CBSC scheme is EXUF-CLRACMA-secure against ${A_{I}}$ in ${G_{\textit{auth}}}$.
Proof.
${A_{I}}$ and B play ${G_{\textit{auth}}}$ that comprises three phases as presented below.
-
– Setup. B runs the Initialization algorithm of the FCLR-CBSC scheme to create the CA’s secret key $\textit{CSK}$ and public key $\textit{CPK}$ while setting the public parameter set $\textit{PPS}=\{{g_{1}},{g_{2}},{G_{1}},{G_{2}},p,\hat{e},\textit{CPK},W,X,Y,Z,\textit{SKE},\textit{SKD},H\}$. B also establishes six lists ${L_{1}}$, ${L_{2}}$, ${L_{\textit{MS}}}$, ${L_{\textit{MC}}}$, ${L_{\textit{SC}}}$ and ${L_{H}}$ as defined below.Note that ${A_{I}}$ can apply the following two rules to make converting between a bit string $\Psi {G_{1,a,b,c}}/\Psi {G_{2,a,b,c}}$ and a multivariate polynomial $\Theta {G_{1,a,b,c}}/\Theta {G_{2,a,b,c}}$.
-
• ${L_{1}}$ is used to record all elements ($\Theta {G_{1,a,b,c}}$, $\Psi {G_{1,a,b,c}}$) of ${G_{1}}$, where $\Theta {G_{1,a,b,c}}$ and $\Psi {G_{1,a,b,c}}$ denote a multivariate polynomial and its associated bit string, respectively. The indices a, b, c mean the query-type a, b-th query and c-th element, respectively. Initially, six elements ($\Theta {g_{1}}$, $\Psi {G_{1,s,0,1}}$), ($\Theta \textit{CSK}$, $\Psi {G_{1,s,0,2}}$), ($\Theta W$, $\Psi {G_{1,s,0,3}}$), ($\Theta X$, $\Psi {G_{1,s,0,4}}$), ($\Theta Y$, $\Psi {G_{1,s,0,5}}$) and ($\Theta Z$, $\Psi {G_{1,s,0,6}}$) are put in ${L_{1}}$.
-
• ${L_{2}}$ is used to record all elements ($\Theta {G_{2,a,b,c}}$, $\Psi {G_{2,a,b,c}}$) of ${G_{2}}$, where $\Theta {G_{2,a,b,c}}$ and $\Psi {G_{2,a,b,c}}$ denote a multivariate polynomial and the associated bit string, respectively. The indices a, b, c have the identical meanings as in ${L_{1}}$. Initially, two elements ($\Theta {g_{2}}$, $\Psi {G_{2,s,0,1}}$) and ($\Theta \textit{CPK}$, $\Psi {G_{2,s,0,2}}$) are put in ${L_{2}}$.
-
(1) Converting-1 ($\Theta {G_{1,a,b,c}}/\Theta {G_{2,a,b,c}}$): B returns $\Psi {G_{1,a,b,c}}/\Psi {G_{2,a,b,c}}$ if $\Theta {G_{1,a,b,c}}/\Theta {G_{2,a,b,c}}$ is found in ${L_{1}}/{L_{2}}$. Otherwise, B chooses a distinct bit string $\Psi {G_{1,a,b,c}}/\Psi {G_{2,a,b,c}}$ and puts $(\Theta {G_{1,a,b,c}},\Psi {G_{1,a,b,c}})/(\Theta {G_{2,a,b,c}},\Psi {G_{2,a,b,c}})$ in ${L_{1}}/{L_{2}}$.
-
(2) Converting-2 ($\Psi {G_{1,a,b,c}}/\Psi {G_{2,a,b,c}}$): B returns $\Theta {G_{1,a,b,c}}/\Theta {G_{2,a,b,c}}$ if $\Psi {G_{1,a,b,c}}/\Psi {G_{2,a,b,c}}$ is found in ${L_{1}}/{L_{2}}$. Otherwise, B terminates the game.
-
• ${L_{\textit{MS}}}$ is used to record a member ${\textit{ID}_{m}}$’s secret key ${\textit{MSK}_{m}}$ and her/his first public key ${\textit{MPK}_{m}}$ by (${\textit{ID}_{m}}$, $\Theta {\textit{MSK}_{m}}$, $\Theta {\textit{MPK}_{m}}$, replace), for $m=1,\dots ,n$. Initially, B sets $\textit{replace}=0$ to indicate that the member’s public key has never been replaced by the adversary.
-
• ${L_{\textit{MC}}}$ is used to record a member ${\textit{ID}_{m}}$’s certificate ${\textit{CTF}_{m}}$ and her/his second public key ${\textit{UPK}_{m}}$ by (${\textit{ID}_{m}}$, $\Theta {\textit{CTF}_{m}}$, $\Theta {\textit{UPK}_{m}}$, replace), for $m=1,\dots ,n$. Also, B sets $\textit{replace}=0$.
-
• ${L_{\textit{SC}}}$ is used to record the content of running the Signcryption algorithm by $({\textit{ID}_{s}},{\textit{ID}_{r}},\textit{msg},\Theta U,\Theta {K_{1}},\Theta {K_{2}},\Theta \sigma ,C,\Theta \delta )$.
-
• ${L_{H}}$ is used to record the input/output of the hash function H by $(\textit{msg}||C||\Psi U||{\textit{ID}_{s}}||{\textit{ID}_{r}},\Psi \delta )$.
-
-
– Query: ${A_{I}}$ may issue the following queries to B at most η times.
-
• ${Q_{1}}$ query $(\Psi {G_{1,q,k,r}},\Psi {G_{1,q,k,s}},\textit{ORER})$: For the k-th ${Q_{1}}$, B runs the following procedure.
-
(1) Convert ($\Psi {G_{1,q,k,r}}$, $\Psi {G_{1,q,k,s}}$) to ($\Theta {G_{1,q,k,r}}$, $\Theta {G_{1,q,k,s}}$) in ${L_{1}}$.
-
(2) Set $\Theta {G_{1,q,k,t}}=\Theta {G_{1,q,k,r}}+\Theta {G_{1,q,k,s}}$ if ORER = “×”, and $\Theta {G_{1,q,k,t}}=\Theta {G_{1,q,k,r}}-\Theta {G_{1,q,k,s}}$ if ORER = “/”.
-
(3) Convert $\Theta {G_{1,q,k,t}}$ in ${L_{1}}$ to return $\Psi {G_{1,q,k,t}}$.
-
-
• ${Q_{2}}$ query ($\Psi {G_{2,q,k,r}}$, $\Psi {G_{2,q,k,s}}$, $\textit{ORER}$): For the k-th ${Q_{2}}$, B runs the following procedure.
-
(1) Convert ($\Psi {G_{2,q,k,r}}$, $\Psi {G_{2,q,k,s}}$) to ($\Theta {G_{2,q,k,r}}$, $\Theta {G_{2,q,k,s}}$) in ${L_{2}}$.
-
(2) Set $\Theta {G_{2,q,k,t}}=\Theta {G_{2,q,k,r}}+\Theta {G_{2,q,k,s}}$ if $\textit{ORER}=“{\times ^{\prime\prime }}$, and $\Theta {G_{2,q,k,t}}=\Theta {G_{2,q,k,r}}-\Theta {G_{2,q,k,s}}$ if ORER = “/”.
-
(3) Convert $\Theta {G_{2,q,k,t}}$ in ${L_{2}}$ to return $\Psi {G_{2,q,k,t}}$.
-
-
• ${Q_{\hat{e}}}$ query ($\Psi {G_{1,q,k,r}}$, $\Psi {G_{1,q,k,s}}$): For the k-th ${Q_{\hat{e}}}$, B runs the following procedure.
-
• Member key generation query (${\textit{ID}_{m}}$): B produces the member ${\textit{ID}_{m}}$’s secret key $\Theta {\textit{MSK}_{m}}$ and first public key $\Theta {\textit{MPK}_{m}}$. B then puts (${\textit{ID}_{m}}$, $\Theta {\textit{MSK}_{m}}$, $\Theta {\textit{MPK}_{m}}$, 0) in ${L_{\textit{MS}}}$. Also, B converts ($\Theta {\textit{MSK}_{m}}$, $\Theta {\textit{MPK}_{m}}$) in ${L_{1}}$ to return ($\Psi {\textit{MSK}_{m}}$, $\Psi {\textit{MPK}_{m}}$).
-
• Member secret key query (${\textit{ID}_{m}}$): If (${\textit{ID}_{m}}$, $\Theta {\textit{MSK}_{m}}$, $\Theta {\textit{MPK}_{m}}$, 0) in ${L_{\textit{MS}}}$ is found, B converts $\Theta {\textit{MSK}_{m}}$ in ${L_{1}}$ to return $\Psi {\textit{MSK}_{m}}$. Otherwise, B issues the Member key generation query (${\textit{ID}_{m}}$) to return $\Psi {\textit{MSK}_{m}}$.
-
• Certificate generation query (${\textit{ID}_{m}}$, $\Psi {\textit{MPK}_{m}}$): Assume that the CA has the i-th secret key pair ($\Theta {\textit{CSK}_{1,i}}$, $\Theta {\textit{CSK}_{2,i}}$). B runs the following procedure.
-
(1) Pick a new variate $\Theta {\textit{UPK}_{m}}$ in ${G_{1}}$ as the second public key of the member ${\textit{ID}_{m}}$.
-
(2) Pick a new variate $\Theta \alpha $ in ${G_{1}}$ and put ($\Theta \alpha $, $\Psi \alpha ={\textit{ID}_{m}}||$ $\Psi {\textit{MPK}_{m}}||$ $\Psi {\textit{UPK}_{m}}$) in ${L_{1}}$.
-
(3) Set $\Theta {\textit{CTF}_{m}}=\Theta \textit{CSK}+(\Theta W+\Theta X\cdot \Theta \alpha )\cdot \Theta {\textit{UPK}_{m}}$ and put (${\textit{ID}_{m}}$, $\Theta {\textit{CTF}_{m}}$, $\Theta {\textit{UPK}_{m}}$, 0) in ${L_{\textit{MC}}}$.
-
(4) Convert ($\Theta {\textit{CTF}_{m}}$, $\Theta {\textit{UPK}_{m}}$) in ${L_{1}}$ to return ($\Psi {\textit{CTF}_{m}}$, $\Psi {\textit{UPK}_{m}}$).
-
-
• Certificate generation leak query (i, ${f_{\textit{CA},i}}$, ${h_{\textit{CA},i}}$): ${A_{I}}$ can issue this query only once for the CA’s i-th secret key pair ($\Theta {\textit{CSK}_{1,i}}$, $\Theta {\textit{CSK}_{2,i}}$). B returns $\Delta {f_{\textit{CA},i}}={f_{\textit{CA},i}}(\Theta {\textit{CSK}_{1,i}})$ and $\Delta {h_{\textit{CA},i}}={h_{\textit{CA},i}}(\Theta {\textit{CSK}_{2,i}})$.
-
• Public key retrieve query (${\textit{ID}_{m}}$): B finds ${\textit{ID}_{m}}$’s public key pair ($\Theta {\textit{MPK}_{m}}$, $\Theta {\textit{UPK}_{m}}$) by searching (${\textit{ID}_{m}}$, $\Theta {\textit{MSK}_{m}}$, $\Theta {\textit{MPK}_{m}}$, 0) in ${L_{\textit{MS}}}$ and (${\textit{ID}_{m}}$, $\Theta {\textit{CTF}_{m}}$, $\Theta {\textit{UPK}_{m}}$, 0) in ${L_{\textit{MC}}}$. B converts ($\Theta {\textit{MPK}_{m}}$, $\Theta {\textit{UPK}_{m}}$) in ${L_{1}}$ to return ($\Psi {\textit{MPK}_{m}}$, $\Psi {\textit{UPK}_{m}}$).
-
• Public key replace query (${\textit{ID}_{m}}$, ($\Psi {\textit{MPK}^{\prime }_{m}}$, $\Psi {\textit{UPK}^{\prime }_{m}}$)): B converts ($\Psi {\textit{MPK}^{\prime }_{m}}$, $\Psi {\textit{UPK}^{\prime }_{m}}$) to ($\Theta {\textit{MPK}^{\prime }_{m}}$, $\Theta {\textit{UPK}^{\prime }_{m}}$). B modifies $({\textit{ID}_{m}},-,\Theta {\textit{MPK}^{\prime }_{m}},1)$ in ${L_{\textit{MS}}}$ and $({\textit{ID}_{m}},-,\Theta {\textit{UPK}^{\prime }_{m}},1)$ in ${L_{\textit{MC}}}$.
-
• Signcryption query ($\textit{msg}$, ${\textit{ID}_{s}}$, ${\textit{ID}_{r}}$): Assume that the sender ${\textit{ID}_{s}}$ has the j-th certificate pair ($\Theta {\textit{CTF}_{s,1,j}}$, $\Theta {\textit{CTF}_{s,2,j}}$) and secret key pair ($\Theta {\textit{MSK}_{s,1,j}}$, $\Theta {\textit{MSK}_{s,2,j}}$). B runs the following procedure.
-
(1) Use ${\textit{ID}_{r}}$ to find (${\textit{ID}_{r}}$, $\Theta {\textit{MSK}_{r}}$, $\Theta {\textit{MPK}_{r}}$, replace) in ${L_{\textit{MS}}}$ and (${\textit{ID}_{r}}$, $\Theta {\textit{CTF}_{r}}$, $\Theta {\textit{UPK}_{r}}$, replace) in ${L_{\textit{MC}}}$, and convert ($\Theta {\textit{MPK}_{r}}$, $\Theta {\textit{UPK}_{r}}$) in ${L_{1}}$ to ($\Psi {\textit{MPK}_{r}}$, $\Psi {\textit{UPK}_{r}}$).
-
(2) Set $\Psi \alpha ={\textit{ID}_{r}}||\Psi {\textit{MPK}_{r}}||\Psi {\textit{UPK}_{r}}$ and convert $\Psi \alpha $ in ${L_{1}}$ to $\Theta \alpha $.
-
(3) Choose a new variate $\Theta U$ in ${G_{1}}$, and set $\Theta {K_{1}}=\Theta {\textit{MPK}_{r}}\cdot \Theta U$ and $\Theta {K_{2}}=(\Theta \textit{CPK}+\Theta {\textit{UPK}_{r}}\cdot (\Theta W+\Theta X\cdot \Theta \alpha ))\cdot \Theta U$.
-
(4) Convert both $\Theta U$ and $\Theta {K_{1}}$ in ${L_{1}}$, and $\Theta {K_{2}}$ in ${L_{2}}$ to obtain $\Psi U$, $\Psi {K_{1}}$ and $\Psi {K_{2}}$.
-
(5) Set $\Psi K=\Psi {K_{1}}\oplus \Psi {K_{2}}$ and $C={\textit{SKE}_{\Psi K}}(\textit{msg})$.
-
(6) Choose a new variate $\Theta \delta $ in ${G_{1}}$, and set $\Psi \delta =H(\textit{msg}||C||\Psi U||{\textit{ID}_{s}}||{\textit{ID}_{r}})$, and put ($\Theta \delta $, $\Psi \delta $) in ${L_{1}}$.
-
(7) Set $\Theta \alpha =\Theta {\textit{CTF}_{s}}+\Theta {\textit{MSK}_{s}}+(\Theta Y+\Theta Z\cdot \Theta \delta )\cdot \Theta U$ and convert $\Theta \delta $ in ${L_{1}}$ to $\Psi \sigma $.
-
(8) Put $({\textit{ID}_{s}},{\textit{ID}_{r}},\textit{msg},\Theta U,\Theta {K_{1}},\Theta {K_{2}},\Theta \sigma ,C,\Theta \delta )$ in ${L_{\textit{SC}}}$.
-
(9) Return $\textit{CT}=(\Psi \sigma ,C,\Psi U,{\textit{ID}_{s}},{\textit{ID}_{r}})$.
-
-
• Signcryption leak query (${\textit{ID}_{s}}$, j, ${f_{\textit{SC},j}}$, ${h_{\textit{SC},j}}$): ${A_{I}}$ can issue this query only once for the member ${\textit{ID}_{s}}$’s j-th certificate pair ($\Theta {\textit{CTF}_{s,1,j}}$, $\Theta {\textit{CTF}_{s,2,j}}$) and secret key pair ($\Theta {\textit{MSK}_{s,1,j}}$, $\Theta {\textit{MSK}_{s,2,j}}$). B returns $\Delta {f_{\textit{SC},j}}={f_{\textit{SC},j}}(\Theta {\textit{CTF}_{s,1,j}},\Theta {\textit{MSK}_{s,1,j}})$ and $\Delta {h_{\textit{SC},j}}={h_{\textit{SC},j}}(\Theta {\textit{CTF}_{s,2,j}},\Theta {\textit{MSK}_{s,2,j}})$.
-
• Unsigncryption query (${\textit{ID}_{r}}$, $\textit{CT}=(\Psi \sigma ,C,\Psi U,{\textit{ID}_{s}},{\textit{ID}_{r}})$): Assume that the receiver ${\textit{ID}_{r}}$ has the k-th certificate pair ($\Theta {\textit{CTF}_{r,1,k}}$, $\Theta {\textit{CTF}_{r,2,k}}$) and secret key pair ($\Theta {\textit{MSK}_{r,1,k}}$, $\Theta {\textit{MSK}_{r,2,k}}$). B runs the following procedure.
-
(1) Use ${\textit{ID}_{s}}$ to find (${\textit{ID}_{s}}$, $\Theta {\textit{MSK}_{s}}$, $\Theta MPKs$, replace) in ${L_{\textit{MS}}}$ and (${\textit{ID}_{s}}$, $\Theta {\textit{CTF}_{s}}$, $\Theta {\textit{UPK}_{s}}$, replace) in ${L_{\textit{MC}}}$, and convert ($\Theta {\textit{MPK}_{s}}$, $\Theta {\textit{UPK}_{s}}$) in ${L_{1}}$ to ($\Psi {\textit{MPK}_{s}}$, $\Psi {\textit{UPK}_{s}}$).
-
(2) Convert $\Psi \sigma $ and $\Psi U$ in ${L_{1}}$ to $\Theta \sigma $ and $\Theta U$, respectively.
-
(3) Set $\Theta {K_{1}}=\Theta U\cdot \Theta {\textit{MSK}_{r}}$ and $\Theta {K_{2}}=\Theta U\cdot \Theta {\textit{CTF}_{r}}$.
-
(4) Set $\Psi \delta =H(\textit{msg}||C||\Psi U||{\textit{ID}_{s}}||{\textit{ID}_{r}})$ and convert $\Psi \delta $ in ${L_{1}}$ to $\Theta \delta $.
-
(5) Use ${\textit{ID}_{s}}$, ${\textit{ID}_{r}}$, $\Theta U$, $\Theta {K_{1}}$, $\Theta {K_{2}}$, $\Theta \sigma $, C and $\Theta \delta $ to find $({\textit{ID}_{s}},{\textit{ID}_{r}},\textit{msg},\Theta U,\Theta {K_{1}},\Theta {K_{2}},\Theta \sigma ,C,\Theta \delta )$ in ${L_{\textit{SC}}}$. If it is found, return $\textit{msg}$ and “Valid”.
-
-
• Unsigncryption leak query (${\textit{ID}_{r}}$, k, ${f_{\textit{US},k}}$, ${h_{\textit{US},k}}$): ${A_{I}}$ can issue this query only once for the member ${\textit{ID}_{r}}$’s k-th certificate pair ($\Theta {\textit{CTF}_{r,1,k}}$, $\Theta {\textit{CTF}_{r,2,k}}$) and secret key pair ($\Theta {\textit{MSK}_{r,1,k}}$, $\Theta {\textit{MSK}_{r,2,k}}$). B returns $\Delta {f_{\textit{US},k}}={f_{\textit{US},k}}(\Theta {\textit{CTF}_{r,1,k}},\Theta {\textit{MSK}_{r,1,k}})$ and $\Delta {h_{\textit{US},k}}={h_{\textit{US},k}}(\Theta {\textit{CTF}_{r,2,k}}$, $\Theta {\textit{MSK}_{r,2,k}})$.
-
-
– Forgery. ${A_{I}}$ produces a pair $({\textit{msg}^{\prime }},{\textit{CT}^{\prime }}=(\Psi {\sigma ^{\prime }},{C^{\prime }},\Psi {U^{\prime }},{\textit{ID}^{\prime }_{s}},{\textit{ID}^{\prime }_{r}}))$. Note that the Signcryption query (${\textit{msg}^{\prime }}$, ${\textit{ID}^{\prime }_{s}}$, ${\textit{ID}^{\prime }_{r}}$) and the Certificate generation query (${\textit{ID}^{\prime }_{s}}$, ${\textit{MPK}^{\prime }_{s}}$) have never been requested. If the Unsigncryption algorithm with $({\textit{ID}^{\prime }_{r}},{\textit{CT}^{\prime }}=(\Psi {\sigma ^{\prime }},{C^{\prime }},\Psi {U^{\prime }},{\textit{ID}^{\prime }_{s}},{\textit{ID}^{\prime }_{r}}))$ returns $\textit{msg}$ and “Valid”, we say that ${A_{I}}$ wins ${G_{\textit{auth}}}$.
As mentioned in Section 2.2, if an adversary found any collision of ${G_{1}}/{G_{2}}$, it would solve the discrete logarithm problem on ${G_{1}}/{G_{2}}$. In such a case, we first compute the sum amount of elements in ${L_{1}}$ and ${L_{2}}$, termed as $|{L_{1}}|+|{L_{2}}|$. By counting the added elements in both the Setup and Query phases, we have the inequality $|{L_{1}}|+|{L_{2}}|\leqq 6\eta $ because ${A_{I}}$ can request different queries to B η times and at most 6 elements are increased in ${L_{1}}/{L_{2}}$ after issuing a query. Additionally, for evaluating the entropy of secret keys with partial leakage, we must compute the maximal degrees of elements in ${L_{1}}$ and ${L_{2}}$, in which ${L_{1}}$ and ${L_{2}}$ have the maximal degrees 3 and 6, respectively.
Subsequently, let us compute the advantage ${\textit{Adv}_{AI-N}}$ that ${A_{I}}$ wins ${G_{\textit{auth}}}$ without issuing leak queries. The advantage ${\textit{Adv}_{AI-N}}$ comprises two probabilities as discussed below.
By above, we have ${\textit{Adv}_{AI-N}}=\Pr [\textit{Collision}]+\Pr [\textit{Forge}]\leqq 216{\eta ^{2}}/p+3/p=O({\eta ^{2}}/p),$ which is negligible if $\eta =\textit{poly}(\log p)$.
-
■ Let $\Pr [\textit{Collision}]$ be the probability that ${A_{I}}$ finds a collision in ${L_{1}}$ or ${L_{2}}$. Assume that there are r different variates in ${L_{1}}$, which are denoted by r random values ${v_{i}}\in {Z_{p}^{\ast }}$ for $i=1,2,\dots ,r$. Let $\Theta {G_{1,j}}$ and $\Theta {G_{1,k}}$ be two distinct elements in ${L_{1}}$ and set $\Theta {G_{1,l}}=\Theta {G_{1,j}}-\Theta {G_{1,k}}$. If $\Theta {G_{1,l}}({v_{1}},{v_{2}},\dots ,{v_{r}})=0$, there exists a collision in ${L_{1}}$. Because ${L_{1}}$ has $\left(\genfrac{}{}{0pt}{}{|{L_{1}}|}{2}\right)$ pairs of ($\Theta {G_{1,j}}$, $\Theta {G_{1,k}}$) and the maximal polynomial degree is 3, the probability that ${A_{I}}$ finds a collision in ${L_{1}}$ is $(3/p)\left(\genfrac{}{}{0pt}{}{|{L_{1}}|}{2}\right)$ by Lemma 2. For the same reason, the probability that ${A_{I}}$ finds a collision in ${L_{2}}$ is $(6/p)\left(\genfrac{}{}{0pt}{}{|{L_{2}}|}{2}\right)$. Because of $|{L_{1}}|+|{L_{2}}|\leqq 6\eta $, we have the following inequality $\Pr [\textit{Collision}]\leqq (3/p)\left(\genfrac{}{}{0pt}{}{|{L_{1}}|}{2}\right)+(6/p)\left(\genfrac{}{}{0pt}{}{|{L_{2}}|}{2}\right)\leqq (6/p){(|{L_{0}}|+|{L_{1}}|)^{2}}\leqq 216{\eta ^{2}}/p$.
-
■ Let $\Pr [\textit{Forge}]$ be the probability that ${A_{I}}$ forges a valid pair (${\textit{msg}^{\prime }}$, ${\textit{CT}^{\prime }}$ = ($\Psi {\sigma ^{\prime }}$, ${C^{\prime }}$, $\Psi {U^{\prime }}$, ${\textit{ID}^{\prime }_{s}}$, ${\textit{ID}^{\prime }_{r}}$)). The valid pair satisfies $\hat{e}({g_{1}},{\sigma ^{\prime }})=\textit{CPK}\cdot {\textit{MPK}^{\prime }_{s}}\cdot \hat{e}({\textit{UPK}^{\prime }_{s}},W\cdot {X^{\alpha }})\cdot \hat{e}({U^{\prime }},Y\cdot {Z^{\delta }})$ in the Unsigncryption algorithm, namely, $\Theta {g_{1}}\cdot \Theta {\sigma ^{\prime }}=\Theta \textit{CPK}+\Theta {\textit{MPK}^{\prime }_{s}}+\Theta {\textit{UPK}^{\prime }_{s}}\cdot (\Theta W+\Theta X\cdot \Theta \alpha )+\Theta {U^{\prime }}\cdot (\Theta Y+\Theta Z\cdot \Theta \delta )$. Let $\Theta f=\Theta {g_{1}}\cdot \Theta {\sigma ^{\prime }}-\Theta \textit{CPK}+\Theta {\textit{MPK}^{\prime }_{s}}+\Theta {\textit{UPK}^{\prime }_{s}}\cdot (\Theta W+\Theta X\cdot \Theta \alpha )+\Theta {U^{\prime }}\cdot (\Theta Y+\Theta Z\cdot \Theta \delta )$. Since $\Theta f$ has degree 3, the probability of $\Theta f=0$ is $3/p$ by Lemma 2 so that we have $\Pr [\textit{Forge}]=3/p$.
Here, we compute the advantage ${\textit{Adv}_{AI}}$ that $\textit{AI}$ wins ${G_{\textit{auth}}}$ when permitted to issue three types of leak queries, namely, Certificate generation leak query, Signcryption leak query and Unsigncryption leak query.
Due to the discussions above, we define three events as follows:
Hence, ${\textit{Adv}_{AI}}$ has the inequality
-
(1) By the Certificate generation leak query (i, ${f_{\textit{CA},i}}$, ${h_{\textit{CA},i}}$), ${A_{I}}$ gets partial bits of the CA’s i-th secret key pair ($\Theta {\textit{CSK}_{1,i}}$, $\Theta {\textit{CSK}_{2,i}}$), namely, $\Delta {f_{\textit{CA},i}}={f_{\textit{CA},i}}(\Theta {\textit{CSK}_{1,i}})$ and $\Delta {h_{\textit{CA},i}}={h_{\textit{CA},i}}(\Theta {\textit{CSK}_{2,i}})$ with $|\Delta {f_{\textit{CA},i}}|,$ $|{\Delta _{h\textit{CA},i}}|\leqq \omega $. According to the key update process (Kiltz and Pietrzak, 2010; Galindo and Virek, 2013), the CA’s i-th secret key pair satisfies the relations $\textit{CSK}={\textit{CSK}_{1,0}}\cdot {\textit{CSK}_{2,0}}=\cdots ={\textit{CSK}_{1,i-1}}\cdot {\textit{CSK}_{2,i-1}}={\textit{CSK}_{1,i}}\cdot {\textit{CSK}_{2,i}}$. Meanwhile, the leakage bits of ($\Theta {\textit{CSK}_{1,i-1}}$, $\Theta {\textit{CSK}_{2,i-1}}$) and ($\Theta {\textit{CSK}_{1,i}}$, $\Theta {\textit{CSK}_{2,i}}$) are mutually independent, so that ${A_{I}}$ gets at most $2\omega $ bits of $\textit{CSK}$.
-
(2) By the Signcryption leak query (${\textit{ID}_{s}}$, j, ${f_{\textit{SC},j}}$, ${h_{\textit{SC},j}}$), ${A_{I}}$ gets partial bits of the ${\textit{ID}_{s}}$’s j-th certificate pair ($\Theta {\textit{CTF}_{s,1,j}}$, $\Theta {\textit{CTF}_{s,2,j}}$), namely, $\Delta {f_{\textit{SC},j}}={f_{\textit{SC},j}}(\Theta {\textit{CTF}_{s,1,j}})$ and $\Delta {h_{\textit{SC},j}}={h_{\textit{SC},j}}(\Theta {\textit{CTF}_{s,2,j}})$ with $|\Delta {f_{\textit{SC},j}}|,$ $|\Delta {h_{\textit{SC},j}}|\leqq \omega $. According to the key update procedure, the ${\textit{ID}_{s}}$’s j-th certificate pair satisfies the relations ${\textit{CTF}_{s}}={\textit{CTF}_{s,1,0}}\cdot {\textit{CTF}_{s,2,0}}=\cdots ={\textit{CTF}_{s,1,j-1}}\cdot {\textit{CTF}_{s,2,j-1}}={\textit{CTF}_{s,1,j}}\cdot {\textit{CTF}_{s,2,j}}$. Thus, ${A_{I}}$ gets at most $2\omega $ bits of ${\textit{CTF}_{s}}$.
-
(3) By the Unsigncryption leak query (${\textit{ID}_{r}}$, k, ${f_{\textit{US},k}}$, ${h_{\textit{US},k}}$), ${A_{I}}$ gets partial bits of the ${\textit{ID}_{r}}$’s k-th certificate pair ($\Theta {\textit{CTF}_{r,1,k}}$, $\Theta {\textit{CTF}_{r,2,k}}$), namely, $\Delta {f_{\textit{US},k}}={f_{\textit{US},k}}(\Theta {\textit{CTF}_{r,1,k}})$ and $\Delta {h_{\textit{US},k}}={h_{\textit{US},k}}(\Theta {\textit{CTF}_{r,2,k}})$ with $|\Delta {f_{\textit{US},k}}|$, $|\Delta {h_{\textit{US},k}}|\leqq \omega $. According to the key update procedure, the ${\textit{ID}_{r}}$’s k-th certificate pair satisfies the relations ${\textit{CTF}_{r}}={\textit{CTF}_{r,1,0}}\cdot {\textit{CTF}_{r,2,0}}=\cdots ={\textit{CTF}_{r,1,j-1}}\cdot {\textit{CTF}_{r,2,j-1}}={\textit{CTF}_{r,1,j}}\cdot {\textit{CTF}_{r,2,j}}$. Thus, ${A_{I}}$ gets at most $2\omega $ bits of ${\textit{CTF}_{r}}$.
-
(1) Let EVCSK indicate the event that ${A_{I}}$ obtains $\textit{CSK}$ by $\Delta {f_{\textit{CA},i}}$ and $\Delta {h_{\textit{CA},i}}$. Meanwhile, $\overline{\textit{EVCSK}}$ means EVCSK’s complement.
-
(2) Let EVCTF indicate the event that ${A_{I}}$ gets ${\textit{CTF}_{m}}$ (i.e. ${\textit{CTF}_{s}}$ or ${\textit{CTF}_{r}}$) by $\Delta {f_{\textit{SC},j}}$, $\Delta {h_{\textit{SC},j}}$, $\Delta {f_{\textit{US},k}}$ and $\Delta {h_{\textit{US},k}}$. Meanwhile, $\overline{\textit{EVCTF}}$ means EVCTF’s complement.
-
(3) Let ESFV indicate the event that ${A_{I}}$ successfully forges a valid pair $({\textit{msg}^{\prime }},{\textit{CT}^{\prime }}=(\Psi {\sigma ^{\prime }},{C^{\prime }},\Psi {U^{\prime }},{\textit{ID}^{\prime }_{s}},{\textit{ID}^{\prime }_{r}}))$.
\[\begin{aligned}{}{\textit{Adv}_{AI}}& =\Pr [\textit{ESFV}]\\ {} & =\Pr \big[\textit{ESFV}\wedge (\textit{EVCSK}\vee \textit{EVCTF})\big]+\Pr \big[\textit{ESFV}\wedge (\overline{\textit{EVCSK}}\wedge \overline{\textit{EVCTF}})\big]\\ {} & \leqq \Pr \big[(\textit{EVCSK}\vee \textit{EVCTF})\big]+\Pr \big[\textit{ESFV}\wedge (\overline{\textit{EVSSK}}\wedge \overline{\textit{EVUDID}})\big].\end{aligned}\]
By the Certificate generation leak query, ${A_{I}}$ gets $2\omega $ bits of $\textit{CSK}$. Also, by the Signcryption leak query or Unsigncryption leak query, ${A_{I}}$ gets $2\omega $ bits of ${\textit{CTF}_{m}}$ (i.e. ${\textit{CTF}_{s}}$ or ${\textit{CTF}_{r}}$). By Lemma 2, we have $\Pr [(\textit{EVCSK}\vee \textit{EVCTF})]\leqq {\textit{Adv}_{AI-N}}\cdot {2^{2\omega }}\leqq O(({\eta ^{2}}/p)\cdot {2^{2\omega }})$ because of ${\textit{Adv}_{AI-N}}=O({\eta ^{2}}/p)$. Since $\Pr [\textit{ESFV}\wedge (\overline{\textit{EVSSK}}\wedge \overline{\textit{EVUDID}})]$ denotes that ${A_{I}}$ gets no information of both $\textit{CSK}$ and ${\textit{CTF}_{m}}$, we have $\Pr [\textit{ESFV}\wedge (\overline{\textit{EVSSK}}\wedge \overline{\textit{EVUDID}})]={\textit{Adv}_{AI-N}}=O({\eta ^{2}}/p)$. Therefore,
\[\begin{aligned}{}{\textit{Adv}_{AI}}& \leqq \Pr \big[(\textit{EVCSK}\vee \textit{EVCTF})\big]+\Pr \big[\textit{ESFV}\wedge (\overline{\textit{EVSSK}}\wedge \overline{\textit{EVUDID}})\big]\\ {} & \leqq O\big(\big({\eta ^{2}}/p\big)\cdot {2^{2\omega }}\big)+O\big({\eta ^{2}}/p\big)=O\big(\big({\eta ^{2}}/p\big)\cdot {2^{2\omega }}\big).\end{aligned}\]
Finally, ${\textit{Adv}_{AI}}$ is negligible if $\omega =\textit{poly}(\log p)$, by Lemma 2. □Theorem 2.
Under the SCRH and DL assumptions in the GBG model, our FCLR-CBSC scheme is EXUF-CLRACMA-secure against ${A_{\textit{II}}}$ in ${G_{\textit{auth}}}$.
Proof.
${A_{\textit{II}}}$ and B play ${G_{\textit{auth}}}$ that comprises three phases as presented below.
Here, let’s compute the advantage ${\textit{Adv}_{\textit{AII}-N}}$ that ${A_{\textit{II}}}$ wins ${G_{\textit{auth}}}$ without issuing leak queries. By $\Pr [\textit{Collision}]$ and $\Pr [\textit{Forge}]$ defined in Theorem 1, we have ${\textit{Adv}_{\textit{AII}-N}}=\Pr [\textit{Collision}]+\Pr [\textit{Forge}]\leqq 216{\eta ^{2}}/p+3/p=O({\eta ^{2}}/p),$ which is negligible if $\eta =\textit{poly}(\log p)$. Next, we compute the advantage ${\textit{Adv}_{\textit{AII}}}$ that ${A_{\textit{II}}}$ wins ${G_{\textit{auth}}}$ when permitted to issue two types of leak queries, namely, Signcryption leak query and Unsigncryption leak query.
Due to the discussions above, we define two events as follows:
Hence, ${\textit{Adv}_{\textit{AII}}}$ has the inequality
-
– Setup. It is identical to the Setup in Theorem 1. Because the adversary is of ${A_{\textit{II}}}$, B sends $\Psi \textit{CSK}$ to ${A_{\textit{II}}}$.
-
– Queries. It is identical to the Queries in Theorem 1. Additionally, since ${A_{\textit{II}}}$ possesses the CA’s secret key $\textit{CSK}$, so that it can create any member ${\textit{ID}_{m}}$’s certificate ${\textit{CTF}_{m}}$ and second public key ${\textit{UPK}_{m}}$. Thus, ${A_{\textit{II}}}$ has no need to request the Certificate generation query and Certificate generation leak query.
-
– Forgery. ${A_{\textit{II}}}$ produces a pair $({\textit{msg}^{\prime }},{\textit{CT}^{\prime }}=(\Psi {\sigma ^{\prime }},{C^{\prime }},\Psi {U^{\prime }},{\textit{ID}^{\prime }_{s}},{\textit{ID}^{\prime }_{r}}))$. Note that the Signcryption query (${\textit{msg}^{\prime }}$, ${\textit{ID}^{\prime }_{s}}$, ${\textit{ID}^{\prime }_{r}}$), the Member secret key query (${\textit{ID}_{m}}$) and the Public key replace query (${\textit{ID}_{m}}$, ($\Psi {\textit{MPK}^{\prime }_{m}}$, $\Psi {\textit{UPK}^{\prime }_{m}}$)) have never been requested. If the Unsigncryption algorithm with $({\textit{ID}^{\prime }_{r}},{\textit{CT}^{\prime }}=(\Psi {\sigma ^{\prime }},{C^{\prime }},\Psi {U^{\prime }},{\textit{ID}^{\prime }_{s}},{\textit{ID}^{\prime }_{r}}))$ returns $\textit{msg}$ and “Valid”, we say that ${A_{I}}$ wins ${G_{\textit{auth}}}$.
-
(1) By the Signcryption leak query (${\textit{ID}_{s}}$, j, ${f_{\textit{SC},j}}$, ${h_{\textit{SC},j}}$), ${A_{\textit{II}}}$ gets partial bits of the ${\textit{ID}_{s}}$’s j-th secret key pair (${\textit{MSK}_{s,1,j}}$, ${\textit{MSK}_{s,2,j}}$), namely, $\Delta {f_{\textit{SC},j}}={f_{\textit{SC},j}}({\textit{MSK}_{s,1,j}})$ and $\Delta {h_{\textit{SC},j}}={h_{\textit{SC},j}}({\textit{MSK}_{s,2,j}})$ with $|\Delta {f_{\textit{SC},j}}|$, $|\Delta {h_{\textit{SC},j}}|\leqq \omega $. According to the key update procedure, the ${\textit{ID}_{s}}$’s j-th secret key pair satisfies the relations ${\textit{MSK}_{s}}={\textit{MSK}_{s,1,0}}\cdot {\textit{MSK}_{s,2,0}}=\cdots ={\textit{MSK}_{s,1,j-1}}\cdot {\textit{MSK}_{s,2,j-1}}={\textit{MSK}_{s,1,j}}\cdot {\textit{MSK}_{s,2,j}}$. Thus, ${A_{\textit{II}}}$ gets at most $2\omega $ bits of ${\textit{MSK}_{s}}$.
-
(2) By the Unsigncryption leak query (${\textit{ID}_{r}}$, k, ${f_{\textit{US},k}}$, ${h_{\textit{US},k}}$), ${A_{\textit{II}}}$ gets partial bits of the ${\textit{ID}_{r}}$’s k-th secret key pair (${\textit{MSK}_{r,1,k}}$, ${\textit{MSK}_{r,2,k}}$), namely, $\Delta {f_{\textit{US},k}}={f_{\textit{US},k}}({\textit{MSK}_{r,1,k}})$ and $\Delta {h_{\textit{US},k}}={h_{\textit{US},k}}({\textit{MSK}_{r,2,k}})$ with $|\Delta {f_{\textit{US},k}}|$, $|\Delta {h_{\textit{US},k}}|\leqq \omega $. According to the key update procedure, the ${\textit{ID}_{r}}$’s k-th secret key pair satisfies the relations ${\textit{MSK}_{r}}={\textit{MSK}_{r,1,0}}\cdot {\textit{MSK}_{r,2,0}}=\cdots ={\textit{MSK}_{r,1,j-1}}\cdot {\textit{MSK}_{r,2,j-1}}={\textit{MSK}_{r,1,j}}\cdot {\textit{MSK}_{r,2,j}}$. Thus, ${A_{\textit{II}}}$ gets at most $2\omega $ bits of ${\textit{MSK}_{r}}$.
-
(1) Let $\textit{EVMSK}$ indicate the event that ${A_{\textit{II}}}$ obtains ${\textit{MSK}_{m}}$ (i.e. ${\textit{MSK}_{s}}$ or ${\textit{MSK}_{r}}$) by $\Delta {f_{\textit{SC},j}}$, $\Delta {h_{\textit{SC},j}}$, $\Delta {f_{\textit{US},k}}$ and $\Delta {h_{\textit{US},k}}$. Meanwhile, $\overline{\textit{EVMSK}}$ denotes $\textit{EVMSK}$’s complement.
-
(2) Let ESFV indicate the event that ${A_{\textit{II}}}$ successfully forges a valid tuple $({\textit{msg}^{\prime }},{\textit{CT}^{\prime }}=(\Psi {\sigma ^{\prime }},{C^{\prime }},\Psi {U^{\prime }},{\textit{ID}^{\prime }_{s}},{\textit{ID}^{\prime }_{r}}))$.
\[\begin{aligned}{}{\textit{Adv}_{\textit{AII}}}& =\Pr [\textit{ESFV}]\\ {} & =\Pr [\textit{ESFV}\wedge \textit{EVMSK}]+\Pr [\textit{ESFV}\wedge \overline{\textit{EVMSK}}]\\ {} & \leqq \Pr [\textit{EVMSK}]+\Pr [\textit{ESFV}\wedge \overline{\textit{EVMSK}}].\end{aligned}\]
By the Signcryption leak query or Unsigncryption leak query, ${A_{\textit{II}}}$ gets $2\omega $ bits of ${\textit{MSK}_{m}}$ (i.e. ${\textit{MSK}_{s}}$ or ${\textit{MSK}_{r}}$). By Lemma 2, we have $\Pr [\textit{EVMSK}]\leqq {\textit{Adv}_{\textit{AII}-N}}\cdot {2^{2\omega }}\leqq O(({\eta ^{2}}/p)\cdot {2^{2\omega }})$. Since $\Pr [\textit{ESFV}\wedge \overline{\textit{EVMSK}}]$ denotes that ${A_{\textit{II}}}$ gets no information of ${\textit{MSK}_{m}}$, we have $\Pr [\textit{ESFV}\wedge \overline{\textit{EVMSK}}]={\textit{Adv}_{\textit{AII}-N}}=O({\eta ^{2}}/p)$. Therefore,
\[\begin{aligned}{}{\textit{Adv}_{\textit{AII}}}& \leqq \Pr [\textit{EVMSK}]+\Pr [\textit{ESFV}\wedge \overline{\textit{EVMSK}}]\\ {} & \leqq O\big(\big({\eta ^{2}}/p\big)\cdot {2^{2\omega }}\big)+O\big({\eta ^{2}}/p\big)=O\big(\big({\eta ^{2}}/p\big)\cdot {2^{2\omega }}\big).\end{aligned}\]
Finally, ${\textit{Adv}_{\textit{AII}}}$ is negligible if $\omega =\textit{poly}(\log p)$, by Lemma 2. □Theorem 3.
Under the SCRH and DL assumptions in the GBG model, our FCLR-CBSC scheme is INDEN-CLCCA-secure against ${A_{I}}$ in ${G_{\textit{conf}}}$.
Proof.
${A_{I}}$ and B play ${G_{\textit{conf}}}$ that comprises four phases as presented below:
Let us compute the advantage ${\textit{Adv}_{AI-N}}$ that ${A_{I}}$ wins ${G_{\textit{conf}}}$ without issuing leak queries. The advantage ${\textit{Adv}_{AI-N}}$ comprises two probabilities as discussed below:
Hence, we have the following inequality.
-
– Setup. It is identical to the Setup in Theorem 1.
-
– Queries. It is identical to the Queries in Theorem 1.
-
– Challenge. ${A_{I}}$ sends a receiver’s identity ${\textit{ID}^{\prime }_{r}}$ and a message pair (${\textit{msg}^{\prime }_{0}}$, ${\textit{msg}^{\prime }_{1}}$) to B. Note that the Certificate generation query (${\textit{ID}^{\prime }_{r}}$, ${\textit{MPK}^{\prime }_{r}}$) has never been requested. B randomly chooses a bit ${b^{\prime }}\in \{0,1\}$ and runs the Signcryption algorithm with (${\textit{msg}^{\prime }_{b}}$, ${\textit{ID}_{s}}$, ${\textit{ID}^{\prime }_{r}}$) to produce and return a ciphertext $\textit{CT}=(\sigma ,C,U,{\textit{ID}_{s}},{\textit{ID}^{\prime }_{r}})$ to ${A_{I}}$.
-
– Guess. ${A_{I}}$ returns a bit $b\in \{0,1\}$. We say that ${A_{I}}$ wins ${G_{\textit{conf}}}$ if $b={b^{\prime }}$. The advantage ${\textit{Adv}_{AI}}$ is defined as $|\Pr [b={b^{\prime }}]-1/2|$.
-
■ Let $\Pr [\textit{Collision}]$ be the probability that ${A_{I}}$ finds a collision in ${L_{1}}$ or ${L_{2}}$, which is the same with the probability $\Pr [\textit{Collision}]$ in Theorem 1. Thus, we have the inequality $\Pr [\textit{Collision}]\leqq 216{\eta ^{2}}/p$.
-
■ Let $\Pr [\textit{Guess}]$ be the probability that ${A_{I}}$ with no useful information outputs a correct bit b. Thus, we have $\Pr [\textit{Guess}]=Pr[b={b^{\prime }}]=1/2$.
\[\begin{aligned}{}{\textit{Adv}_{AI-N}}& =|\Pr \big[b={b^{\prime }}\big]-1/2|=|\Pr [\textit{Collision}]+\Pr [\textit{Guess}]-1/2|\\ {} & \leqq 216{\eta ^{2}}/p=O\big({\eta ^{2}}/p\big).\end{aligned}\]
Here, let’s compute the advantage ${\textit{Adv}_{AI}}$ that ${A_{I}}$ wins ${G_{\textit{conf}}}$ when permitted to issue three types of leak queries, namely, Certificate generation leak query, Signcryption leak query and Unsigncryption leak query. As in the proof of Theorem 1, by the Certificate generation leak query, ${A_{I}}$ gets $2\omega $ bits of $\textit{CSK}$. Also, by the Signcryption leak query or the Unsigncryption leak query, ${A_{I}}$ gets $2\omega $ bits of ${\textit{CTF}_{m}}$ (i.e. ${\textit{CTF}_{s}}$ or ${\textit{CTF}_{r}}$). By Lemma 2, we have ${\textit{Adv}_{AI}}\leqq {\textit{Adv}_{AI-N}}\cdot {2^{2\omega }}\leqq O(({\eta ^{2}}/p)\cdot {2^{2\omega }})$, which is negligible if $\omega =\textit{poly}(\log p)$. □Theorem 4.
Under the SCRH and DL assumptions in the GBG model, our FCLR-CBSC scheme is INDEN-CLCCA-secure against ${A_{\textit{II}}}$ in ${G_{\textit{conf}}}$.
Proof.
${A_{\textit{II}}}$ and B play ${G_{\textit{conf}}}$ that comprises four phases as presented below:
Here, let’s compute ${\textit{Adv}_{\textit{AII}-N}}$ that ${A_{\textit{II}}}$ wins ${G_{\textit{conf}}}$ without request leak queries. By using $\Pr [\textit{Collision}]$ and Pr[Guess] in the proof of Theorem 3, we get ${\textit{Adv}_{\textit{AII}-N}}=\Pr [\textit{Collision}]+\Pr [\textit{Guess}]\leqq 216{\eta ^{2}}/p+3/p=O({\eta ^{2}}/p)$ that is negligible if $\eta =\textit{poly}(\log p)$. Subsequently, let us compute the advantage ${\textit{Adv}_{\textit{AII}}}$ that ${A_{\textit{II}}}$ wins ${G_{\textit{conf}}}$ when permitted to issue two types of leak queries, namely, Signcryption leak query and Unsigncryption leak query. As in the proof of Theorem 2, ${A_{\textit{II}}}$ gets $2\omega $ bits of ${\textit{MSK}_{m}}$ (i.e. ${\textit{MSK}_{s}}$ or ${\textit{MSK}_{r}}$). By Lemma 2, we obtain ${\textit{Adv}_{\textit{AII}}}\leqq {\textit{Adv}_{\textit{AII}-N}}\cdot {2^{2\omega }}\leqq O(({\eta ^{2}}/p)\cdot {2^{2\omega }}$) that is negligible if $\omega =\textit{poly}(\log p)$. □
-
– Setup. It is identical to the Setup in Theorem 2.
-
– Queries. It is identical to the Queries in Theorem 2.
-
– Challenge. ${A_{\textit{II}}}$ sends a receiver’s identity ${\textit{ID}^{\prime }_{r}}$ and a message pair (${\textit{msg}^{\prime }_{0}}$, ${\textit{msg}^{\prime }_{1}}$) to B. Note that neither the Member secret key query (${\textit{ID}^{\prime }_{r}}$) nor the Public key replace query (${\textit{ID}^{\prime }_{r}}$, (${\textit{MPK}^{\prime }_{r}}$, ${\textit{UPK}^{\prime }_{r}}$)) has been requested. B randomly chooses a bit ${b^{\prime }}\in \{0,1\}$ and runs the Signcryption algorithm with (${\textit{msg}^{\prime }_{b}}$, ${\textit{ID}_{s}}$, ${\textit{ID}^{\prime }_{r}}$) to produce and return a ciphertext $\textit{CT}=(\sigma ,C,U,{\textit{ID}_{s}},{\textit{ID}^{\prime }_{r}})$ to ${A_{\textit{II}}}$.
-
– Guess. ${A_{\textit{II}}}$ returns a bit $b\in \{0,1\}$. We say that ${A_{\textit{II}}}$ wins ${G_{\textit{conf}}}$ if $b={b^{\prime }}$. The advantage ${\textit{Adv}_{\textit{AII}}}$ is defined as $|\Pr [b={b^{\prime }}]-1/2|$.
6 Performance Comparisons
Here, let’s evaluate the computation time of our FCLR-CBSC scheme in terms of Initialization, Member secret key generation, Certificate generation, Signcryption and Unsigncryption algorithms. By the simulation results in Xiong and Qin (2015), the notations (i.e. ${T_{bpf}}$ and ${T_{exp}}$) for two time-consuming computations and their running time are presented in Table 3. Additionally, the running time of the multiplication in ${G_{1}}$ or ${G_{2}}$ is negligible since it is more slighter than ${T_{bpf}}$ and ${T_{exp}}$. The simulation results in Xiong and Qin (2015) are evaluated under a PC with an Intel 1.80-GHz i7 CPU and a mobile device with an Intel 624-MHz PXA270 CPU. Meanwhile, the order p of both ${G_{1}}$ and ${G_{2}}$ is a 512-bit prime security level. The computation costs and the running time of five algorithms in our FCLR-CBSC scheme are listed in Table 4. By Table 4, it is obvious that our scheme performs efficiently on both a PC and a mobile device.
Table 3
Notationsand running time of two time-consuming operations.
| Operations | Notations | Running time on a PC | Running time on a mobile device |
| Bilinear pairing function $\hat{e}$ | ${T_{bpf}}$ | ≈20 ms | ≈96 ms |
| Exponentiation in ${G_{1}}$ or ${G_{2}}$ | ${T_{exp}}$ | ≈7 ms | ≈31 ms |
Table 4
Computation costs and running time of five algorithms.
| Algorithms | Computation costs | Running time on a PC | Running time on a mobile device |
| Initialization | ${T_{bpf}}+7{T_{exp}}$ | 69 ms | 313 ms |
| Member secret key generation | ${T_{bpf}}+3{T_{exp}}$ | 41 ms | 189 ms |
| Certificate generation | $7{T_{exp}}$ | 49 ms | 217 ms |
| Signcryption | ${T_{bpf}}+8{T_{exp}}$ | 76 ms | 344 ms |
| Unsigncryption | $7{T_{bpf}}+4{T_{exp}}$ | 168 ms | 796 ms |
7 Conclusions
A practical FCLR-CBSC scheme was proposed in the paper. As compared with the previously proposed LR-CLSC and CLR-CBSC schemes, our scheme possesses the fully continuous leakage-resilient property. In our scheme, by the key update method participated in the Certificate generation, Signcryption and Unsigncryption algorithms of our scheme, respectively, an adversary is permitted to obtain partial bits of the CA’s secret key, and a sender/receiver’s certificate and secret key. Based on the SCRH and DL assumptions in the GBG model, four security theorems were formally shown that our scheme is EXUF-CLRACMA-secure and INDEN-CLCCA-secure against two types of adversaries (${A_{I}}$ and ${A_{\textit{II}}}$) in the CB-PKS setting so that our scheme possesses both authentication of and confidentiality. Finally, performance analysis demonstrated that our scheme is performs efficiently on both a PC and a mobile device.
