Signcryption integrates both signature and encryption schemes into a single scheme to ensure both content unforgeability (authentication) and message confidentiality while reducing computational complexity. Typically, both signers (senders) and decrypters (receivers) in a signcryption scheme belong to the same public-key system. When signers and decrypters in a signcryption scheme belong to heterogeneous public-key systems, the scheme is called a hybrid signcryption scheme, which provides more flexible usage than typical signcryption schemes. In recent years, a new kind of attack, the side-channel attack, has allowed adversaries to learn a portion of the secret keys used in cryptographic algorithms. To resist such attacks, leakage-resilient cryptography has been widely discussed and studied, and a large number of leakage-resilient schemes have been proposed. Numerous hybrid signcryption schemes under heterogeneous public-key systems have also been proposed, but none of them possesses the leakage-resilient property. In this paper, we propose the first hybrid signcryption scheme with leakage resilience, called the leakage-resilient hybrid signcryption scheme in heterogeneous public-key systems (LRHSCHPKS). Security proofs show that the proposed scheme provides both authentication and confidentiality against two types of adversaries in heterogeneous public-key systems.
Public-key cryptography is the foundation of modern information security. So far, several well-known public-key systems (PKSs) have been proposed, including public-key infrastructure PKS (PKIPKS) (Rivest
To remove such a complex PKI architecture, an identity-based PKS (IDPKS) was proposed by Boneh and Franklin (
In recent years, a new kind of attack, the side-channel attack, has been realized (Brumley and Boneh,
Encryption and signature are two important foundations of public-key cryptography. Signcryption integrates both signature and encryption schemes into a single scheme to ensure both content unforgeability (authentication) and message confidentiality while reducing computational complexity. Signcryption is also an important foundation of public-key cryptography and is used in many applications, such as secure email and data sharing. Very recently, several leakage-resilient signcryption schemes with the unbounded leakage property have been proposed (Tseng
Moreover, when signers and decrypters in a signcryption scheme belong to heterogeneous public-key systems, such as signers in the PKIPKS and decrypters in the CLPKS, the scheme is called a hybrid signcryption scheme in heterogeneous public-key systems, which provides more flexible usage than typical signcryption schemes. In the past, numerous hybrid signcryption schemes in heterogeneous PKSs (including PKIPKS, IDPKS and CLPKS) were proposed, which will be reviewed later. However, until now, there has been no hybrid signcryption scheme with the leakage-resilient property. In this paper, our goal is to design the first hybrid signcryption scheme with leakage resilience, called the leakage-resilient hybrid signcryption scheme in heterogeneous public-key systems (LRHSCHPKS), from the PKIPKS to the CLPKS.
In this section, we review the evolution and development of signcryption schemes and hybrid signcryption schemes in heterogeneous public-key systems.
Based on the PKIPKS, Zheng (
When signers and decrypters in a signcryption scheme belong to heterogeneous public-key systems, the scheme is called a hybrid signcryption scheme, which provides more flexible usage than typical signcryption schemes. In 2010, Sun and Li (
To provide additional properties, several hybrid signcryption schemes were also proposed. Three hybrid signcryption schemes with equality test functionality were proposed, that include Xiong
Comparisons among the recently proposed hybrid signcryption schemes and our scheme.
Schemes  Signers  Decrypters  Additional property
Xiong  PKIPKS  IDPKS  Equality test functionality
Hou  PKIPKS  CLPKS  Equality test functionality
Xiong  IDPKS  PKIPKS  Equality test functionality
Ali  IDPKS  PKIPKS  Suitable for VANET environments
Elkhalil  CLPKS  PKIPKS  Suitable for VANET environments
Pan  IDPKS  PKIPKS  Suitable for VANET environments
Niu  IDPKS  CLPKS  Suitable for IIoT environments
Our scheme  PKIPKS  CLPKS  Leakage-resilient property
As mentioned earlier, Tseng
Moreover, two new adversary games of the LRHSCHPKS scheme are defined by extending the adversary games of both Tseng
The rest of this paper is structured as follows. In Section
Let
Bilinearity: for
Nondegeneration:
Computation: for
Boneh
In this section, we define two security assumptions on which the proposed scheme is based as follows:
To evaluate the leakage impact on secret keys incurred by side-channel attacks, we employ the entropy concept, by which the secret keys are viewed as finite random variables. Also, two consequences below (Lemmas
In this section, we define the framework and adversary games of the LRHSCHPKS scheme. For readability, some notations used throughout this paper are first defined in Table
Notations.
Notation  Meaning 
CA  A certificate authority in the PKIPKS 
KGC  A key generation centre in the CLPKS 
CA’s secret/public key pair  
KGC’s secret/public key pair  
The identity of a user in the PKIPKS  
The secret/public key pair of the user 

The certificate of the user 

The identity of a user in the CLPKS  
The secret/public key pair of the user 

The identity secret/public key pair of the user 

A message  
A ciphertext  
The system parameters  
The Hybrid signcryption in the LRHSCHPKS scheme  
The Hybrid unsigncryption in the LRHSCHPKS scheme 
Two key generating procedures of the LRHSCHPKS scheme.
Based on Tseng
To achieve the leakage-resilient property of the LRHSCHPKS scheme, we employ the key updating process with the multiplicative blinding technique (Kiltz and Pietrzak,
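The key updating idea behind multiplicative blinding, as an added example that is not the paper's own code: the secret key is held only as two shares whose product is the key, and the shares are re-randomized before every use, so bits leaked in different invocations refer to different share values. The group Z_p^* with p = 2^127 - 1 stands in for the scheme's group, and the class, the function names and the 16-bit leakage model are assumptions made for illustration.

```python
import secrets

# Toy group (assumption): Z_p^* with the Mersenne prime p = 2^127 - 1,
# standing in for the group used by the scheme.
P = 2**127 - 1

def rand_elem():
    """Uniform element of Z_p^*, i.e. an integer in 1 .. P-1."""
    return secrets.randbelow(P - 1) + 1

class BlindedKey:
    """Secret key stored only as shares (s1, s2) with s1 * s2 = SK (mod P)."""

    def __init__(self, sk):
        self.s1 = rand_elem()
        self.s2 = sk * pow(self.s1, -1, P) % P

    def refresh(self):
        """Key update: s1 <- s1 * r, s2 <- r^-1 * s2; the product is unchanged."""
        r = rand_elem()
        self.s1 = self.s1 * r % P
        self.s2 = pow(r, -1, P) * self.s2 % P

    def apply(self, x):
        """Return SK * x (mod P) in two steps; SK itself is never recombined."""
        self.refresh()               # fresh shares for this invocation
        partial = self.s1 * x % P    # step 1 touches only share 1
        return self.s2 * partial % P # step 2 touches only share 2

def leak(share, bits=16):
    """Constructed leakage model: the adversary sees the low `bits` bits of a share."""
    return share & ((1 << bits) - 1)

def demo(rounds=5):
    """Use the key `rounds` times and record what a leaking device would expose."""
    sk, x = rand_elem(), rand_elem()
    key = BlindedKey(sk)
    results, leaks = [], []
    for _ in range(rounds):
        results.append(key.apply(x))
        leaks.append((leak(key.s1), leak(key.s2)))
    return sk, x, results, leaks, key

if __name__ == "__main__":
    sk, x, results, leaks, _ = demo()
    print("every use correct:", all(r == sk * x % P for r in results))
    print("leaked low bits per invocation:", leaks)
```

Every invocation returns the same correct value, while the leaked fragments differ from round to round because they come from freshly randomized shares.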
The inputs/outputs of the
In the LRHSCHPKS scheme, assume that a signer
The LRHSCHPKS scheme includes the following four parts.
System setup: Firstly, the system parameters (
PKIPKS: The CA sets a secret/public key pair (
CLPKS: The KGC sets a secret/public key pair (
User key generation: For signers in the PKIPKS and decrypters in the CLPKS, two key generating procedures are presented as follows.
PKIPKS: A signer with identity
Signer secret key generation: The signer
Signer certificate generation: For this algorithm’s
CLPKS: A decrypter with identity
Decrypter secret key generation: The decrypter
Decrypter identity secret key generation: For this algorithm’s
Decrypter secret key combination:
Decrypter public key combination:
Based on Tseng
For the
Illegitimate member (
Malicious CA/KGC (
In Definitions
The adversary game
The
The
The adversary game
If
If
According to the framework shown in Definition
PKIPKS: The CA randomly selects
CLPKS: The KGC randomly selects
PKIPKS: A signer with identity
CLPKS: A decrypter with identity
Decrypter secret key generation: The decrypter
Randomly select
Randomly select
Generate
Compute
Generate a signature
Set
Randomly select
Generate
Compute
Recover
Set
Output
The correctness of two equations
In Definitions
An adversary
By
Select
Compute
Transform
Compute
Compute
Compute
Record (
Return
By
Transform
Compute
Set
Use (
If found, return
In the following, let us first evaluate the advantage of
An adversary
By similar evaluations as in the proof of Theorem
Pb[
Pb[
In the following, the notations of three time-consuming computations are defined.
Required costs (
Devices  
PDA  ≈96 ms  ≈30 ms  ≈30 ms 
PC  ≈20 ms  ≈6 ms  ≈6 ms 
Computational complexities and costs (ms) of our LRHSCHPKS scheme.
Algorithms  Computational complexities  Costs on a PDA  Costs on a PC 
System setup  156 ms  32 ms  
User key generation for the PKIPKS  186 ms  38 ms  
User key generation for the CLPKS  306 ms  62 ms  
Hybrid signcryption  306 ms  62 ms  
Hybrid unsigncryption  636 ms  132 ms 
In recent years, many scholars have studied hybrid signcryption schemes in heterogeneous environments, but these schemes cannot withstand side-channel attacks; that is, they do not possess the leakage-resilience property. Fortunately, the