Introduction

INFORMATICA

Informatica

1822-88440868-4952

0868-4952

Vilnius University

INFOR546

10.15388/24-INFOR546

Research Article

Leakage-Resilient Hybrid Signcryption in Heterogeneous Public-key Systems

Ting-Chieh

T.-C. Ho is currently working toward her PhD degree in the Department of Mathematics, National Changhua University of Education, Changhua, Taiwan. Her research interests include applied cryptography and leakage-resilience cryptography.

Tseng

Yuh-Min

ymtseng@cc.ncue.edu.tw∗

Y.-M Tseng is currently the vice president and a professor in the Department of Mathematics, National Changhua University of Education, Taiwan. He is a member of IEEE Computer Society, IEEE Communications Society and the Chinese Cryptology and Information Security Association (CCISA). He has published over one hundred scientific journal papers on various research areas of cryptography, security and computer network. His research interests include cryptography, network security, computer network and leakage-resilient cryptography. He is an editor of several international journals.

Huang

Sen-Shan

S.-S. Huang is currently a professor in the Department of Mathematics, National Changhua University of Education, Taiwan. His research interests include number theory, cryptography, and leakage-resilient cryptography. He obtained his PhD from the University of Illinois at Urbana-Champaign in 1997 under the supervision of Professor Bruce C. Berndt.

Department of Mathematics, National Changhua University of Education, Changhua 500, Taiwan

∗Corresponding author.

2024

632024

3511311549202322024

2024

Open access article under the CC BY license.

Signcryption integrates both signature and encryption schemes into single scheme to ensure both content unforgeability (authentication) and message confidentiality while reducing computational complexity. Typically, both signers (senders) and decrypters (receivers) in a signcryption scheme belong to the same public-key systems. When signers and decrypters in a signcryption scheme belong to heterogeneous public-key systems, this scheme is called a hybrid signcryption scheme which provides more elastic usage than typical signcryption schemes. In recent years, a new kind of attack, named side-channel attack, allows adversaries to learn a portion of the secret keys used in cryptographic algorithms. To resist such an attack, leakage-resilient cryptography has been widely discussed and studied while a large number of leakage-resilient schemes have been proposed. Also, numerous hybrid signcryption schemes under heterogeneous public-key systems were proposed, but none of them possesses leakage-resilient property. In this paper, we propose the first hybrid signcryption scheme with leakage resilience, called leakage-resilient hybrid signcryption scheme, in heterogeneous public-key systems (LR-HSC-HPKS). Security proofs are demonstrated to show that the proposed scheme provides both authentication and confidentiality against two types of adversaries in heterogeneous public-key systems.

Key words heterogeneous public-key systems side-channel attack leakage-resilience signcryption

This research was partially supported by National Science and Technology Council, Taiwan, under contract No. NSTC112-2221-E-018-011.

1 Introduction

Public key cryptography is the foundation of modern information security. So far, several famous public-key systems (PKSs) have been proposed, including public-key infrastructure PKS (PKI-PKS) (Rivest et al., 1978), identity-based PKS (ID-PKS) (Boneh and Franklin, 2001) and certificateless PKS (CL-PKS) (Al-Riyami and Paterson, 2003). These PKSs have evolved in response to their advantages and disadvantages. In the PKI-PKS (Rivest et al., 1978), a user with identity first generates a pair of (secret key, public key) randomly. Also, the user sends her/his identity and public key to a trusted certificate authority (CA) and then receives the associated certificate from the CA. The CA is responsible to respond the management issues of users’ public keys and certificates that include the verification queries for expiration date or revoked users. Thus, a complex PKI architecture needs to be constructed.

To remove such a complex PKI architecture, an identity-based PKS (ID-PKS) was proposed by Boneh and Franklin (2001). In the ID-PKS, a trusted private key generator (PKG) is responsible for producing each member’s secret key by taking each member’s identity as input. Therefore, this ID-PKS encountered a key escrow problem because the PKG possesses all members’ secret keys. To resolve the key escrow problem, a certificateless PKS (CL-PKS) was proposed by Al-Riyami and Paterson (2003). In the CL-PKS, each member holds two pairs of (secret key, public key). One pair is created by the member herself/himself and the other pair is generated by a semi-trusted key generation centre (KGC). Indeed, the CL-PKS possesses the advantages of both the PKI-PKS and the ID-PKS while avoiding their disadvantages. Therefore, this CL-PKS does not require the complex PKI construction and solves the key escrow problem.

In recent years, a new kind of attack, named side-channel attack, has been realized (Brumley and Boneh, 2005; Biham et al., 2008), in the sense that adversaries can learn a portion of these secret keys used in cryptographic algorithms by timing, power analysis or fault attack. By repeatedly using the side-channel attack, adversaries could eventually learn the entire secret keys. Therefore, public-key cryptography failing to resist such side-channel attack is insecure. To resist this attack, leakage-resilient cryptography has been widely discussed and studied by researchers who have also presented a large number of leakage-resilient protocol or schemes (Alwen et al., 2009; Akavia et al., 2009; Kiltz and Pietrzak, 2010; Galindo and Virek, 2013; Galindo et al., 2016; Wu et al., 2018, 2019; Tseng et al., 2020; Peng et al., 2021; Tseng et al., 2022a,b; Xie et al., 2023; Tseng et al., 2023; Tsai et al., 2023). Based on adversaries’ leakage ability, leakage-resilient cryptography is secure in two different leakage models, including the bounded leakage model (Alwen et al., 2009; Akavia et al., 2009) and the unbounded leakage model (Kiltz and Pietrzak, 2010; Galindo and Virek, 2013). Indeed, the unbounded leakage model is considered a more practical and widely accepted leakage model since it only limits the amount of leaked information per round and has overall unbounded characteristics.

1.1 Motivation

Encryption and signature are two important foundations in public-key cryptography. Signcryption integrates both signature and encryption schemes into single scheme to ensure both content unforgeability (authentication) and message confidentiality while reducing computational complexity. Signcryption is also an important foundation in public-key cryptography which is used in many applications, such as secure email, data sharing, etc. Very recently, several leakage-resilient signcryption schemes with the unbounded leakage property have been proposed (Tseng et al., 2022a, 2023; Tsai et al., 2023) which are based on several public-key systems that include the PKI-PKS, the CL-PKS and certificate-based PKS. In these leakage-resilient signcryption (LRSC) schemes mentioned above, both signers (senders) and decrypters (receivers) belong to the same public-key systems.

Moreover, when signers and decrypters in a signcryption scheme belong to heterogeneous public-key systems, such as signers in the PKI-PKS and decrypters in the CL-PKS, such a scheme is called as a hybrid signcryption scheme in heterogeneous public-key systems which provides more elastic usage than typical signcryption schemes. In the past, numerous hybrid signcryption schemes in heterogeneous PKSs (including PKI-PKS, ID-PKS and CL-PKS) were proposed, which will be reviewed later. However, until now, there exists no hybrid signcryption scheme with leakage-resilient property. In this paper, our goal is to design the first hybrid signcryption scheme with leakage resilience, called leakage-resilient hybrid signcryption scheme, in heterogeneous public-key systems (LR-HSC-HPKS) from the PKI-PKS to the CL-PKS.

1.2 Related Work

In this section, let’s review the evolution and development about signcryption schemes and hybrid signcryption schemes in heterogeneous public-key systems.

Based on the PKI-PKS, Zheng (1997) proposed the first signcryption scheme to integrate both signature and encryption schemes into a single scheme to ensure both content authentication and message confidentiality while reducing computational complexity. In 2007, Baek et al. (2007) furthermore defined a formal adversary model of signcryption schemes. Indeed, until now, the research on signcryption schemes is still essential for several issues, namely, various public-key systems, security, communication cost and computational complexity. In the past, some signcryption schemes based on various PKSs (PKI-PKS, ID-PKS and CL-PKS) have been proposed, such as PKI-PKS-based (Li et al., 2010), ID-PKS-based (Wei et al., 2015; Karati et al., 2018) and CL-PKS-based (Barbosa and Farshim, 2008; Li et al., 2013a) signcryption schemes.

When signers and decrypters in a signcryption scheme belong to heterogeneous public-key systems, this scheme is called a hybrid signcryption scheme which provides more elastic usage than typical signcryption schemes. In 2010, Sun and Li (2010) proposed the first hybrid signcryption scheme from the PKI-PKS to the ID-PKS. However, Huang et al. (2011) pointed out several security drawbacks on Sun and Li’s scheme, and proposed an improvement. In the past decade, a large number of hybrid signcryption schemes were proposed, such as hybrid signcryption schemes between the PKI-PKS and the ID-PKS (Li et al., 2013b; Li and Xiong, 2013), hybrid signcryption schemes between the ID-PKS and the CL-PKS (Li et al., 2016a), as well as hybrid signcryption schemes between the PKI-PKS and the CL-PKS (Li et al., 2016b; Liu et al., 2018).

To provide additional properties, several hybrid signcryption schemes were also proposed. Three hybrid signcryption schemes with equality test functionality were proposed, that include Xiong et al.’s scheme from the PKI-PKS to the ID-PKS (Xiong et al., 2021), Hou et al.’s scheme from the PKI-PKS to the CLC-PKS (Hou et al., 2021) and Xiong et al.’s scheme from the ID-PKS to the PKI-PKS (Xiong et al., 2022). A hybrid signcryption schemes with equality test functionality allows users to perform comparative searches on ciphertexts encrypted under different public keys without revealing sensitive data. For the vehicular ad-hoc network (VANET) or Industrial Internet of Things (IIoT) environments, there are four hybrid signcryption schemes that include Ali et al.’s scheme from the ID-PKS to the PKI-PKS (Ali et al., 2020), Elkhalil et al.’s scheme from the CL-PKS to the PKI-PKS (Elkhalil et al., 2021) and Pan et al.’s scheme from the ID-PKS to the PKI-PKS (Pan et al., 2022) and Niu et al.’s scheme from the ID-PKS to the CL-PKS (Niu et al., 2023). Table 1 lists the comparisons among the recently proposed hybrid signcryption schemes and our scheme in terms of the PKS of signers, the PKS of decrypters, and additional properties. We emphasize that our scheme is the first hybrid signcryption scheme with leakage resilience.

Table 1

Comparisons among the recently proposed hybrid signcryption schemes and our scheme.

Schemes	Signers	Decrypters	Additional property
Xiong et al.’s scheme (Xiong et al., 2021)	PKI-PKS	ID-PKS	Equality test functionality
Hou et al.’s scheme (Hou et al., 2021)	PKI-PKS	CL-PKS	Equality test functionality
Xiong et al.’s scheme (Xiong et al., 2022)	ID-PKS	PKI-PKS	Equality test functionality
Ali et al.’s scheme (Ali et al., 2020)	ID-PKS	PKI-PKS	Suitable for VANET environments
Elkhalil et al.’s scheme (Elkhalil et al., 2021)	CL-PKS	PKI-PKS	Suitable for VANET environments
Pan et al.’s scheme (Pan et al., 2022)	ID-PKS	PKI-PKS	Suitable for VANET environments
Niu et al.’s scheme (Niu et al., 2023)	ID-PKS	CL-PKS	Suitable for IIoT environments
Our scheme	PKI-PKS	CL-PKS	Leakage-resilient property

1.3 Contribution

As mentioned earlier, Tseng et al. (2022a) have proposed a PKI-PKS-based leakage-resilient signcryption (LRSC) scheme and Tsai et al. (2023) have also proposed a CL-PKS-based LRSC scheme. Based on Tseng et al.’s and Tsai et al.’s schemes, a new framework of the LR-HSC-HPKS scheme from the PKI-PKS to the CL-PKS is defined. For achieving leakage resilient property of the LR-HSC-HPKS scheme, we employ the key updating process with the multiplicative blinding technique (Kiltz and Pietrzak, 2010; Galindo and Virek, 2013) while partitioning each secret key into two parts. Namely, in the PKI-PKS, the CA’s secret key SK CA and the signer ID PKI ’s secret key PKISK ID are initially partitioned into ( SK CA , 0 , 0 , SK CA , 0 , 1 ) and ( PKISK ID , 0 , 0 , PKISK ID , 0 , 1 ), respectively. In the CL-PKS, the KGC’s secret key SK KGC is partitioned into ( SK KGC , 0 , 0 , SK KGC , 0 , 1 ). Also, the decrypter ID CL ’s secret key CLSK ID and identity secret key CLISK ID are initially partitioned into ( CLSK ID , 0 , 0 , CLSK ID , 0 , 1 ) and ( CLISK ID , 0 , 0 , CLISK ID , 0 , 1 ), respectively. Meanwhile, each secret key pair must be updated before it is used in each cryptographic computation, namely, the key updating process.

Moreover, two new adversary games of the LR-HSC-HPKS scheme are defined by extending the adversary games of both Tseng et al.’s scheme (Tseng et al., 2022a) and Tsai et al.’s scheme (Tsai et al., 2023). Based on these two new adversary games under the generic bilinear group (GBG) model (Boneh et al., 2005), security proofs are demonstrated to show that the proposed LR-HSC-HPKS scheme provides both authentication and confidentiality against two types of adversaries in heterogeneous public-key systems. Furthermore, by comparing with several previously proposed hybrid signcryption schemes, the proposed scheme has the following merits: (1) It is the first hybrid signcryption scheme resisting to side-channel attacks. (2) It possesses the unbounded leakage-resilient property, namely, allowing adversaries to repeatedly learn a portion of the secret key used in each computation. (3) All secret keys of the proposed scheme, (including the CA’s secret key SK CA , the signer ID PKI ’s secret key PKISK ID , the KGC’s secret key SK KGC , and the decrypter ID CL ’s secret key CLSK ID and identity secret key CLISK ID ), are allowed to be leaked to adversaries while remaining the security of the proposed scheme. Finally, by the performance experiences on both a PDA and a PC, performance analysis is demonstrated to show that our scheme is well suitable for running on both a PDA and a PC.

1.4 Paper Structure

The rest of this paper is structured as follows. In Section 2, several preliminary contents are introduced. In Section 3, we define a new framework and two new adversary games for the LR-HSC-HPKS scheme. The LR-HSC-HPKS scheme is presented in Section 4. The proofs of two security theorems are shown in Section 5. Section 6 conducts the performance analysis on a PC and a PDA. In Section 7, the conclusions and future work are given.

2 Preliminaries 2.1 Bilinear Groups and GBG Model

Let G = ⟨ Q ⟩ and G 1 = ⟨ Q 1 ⟩ be, respectively, an additive group and a multiplicative group with the same prime order q, where Q and Q 1 are generators of G and G 1 , respectively. Meanwhile, the bilinear pairing operation e ˆ : G × G → G 1 is admissible, if it satisfies three conditions below: –

Bilinearity: for u , v ∈ Z q ∗ , e ˆ ( u · Q , v · Q ) = e ˆ ( Q , Q ) u v .

–

Non-degeneration: Q 1 = e ˆ ( Q , Q ) ≠ 1.

–

Computation: for u , v ∈ Z q ∗ , e ˆ ( u · Q , v · Q ) can be computed efficiently.

Finally, let { G , G 1 , e ˆ , Q , Q 1 , q }

represent a bilinear group set. The reader can refer to [BF-01] for detailed parameter settings.

Boneh et al. (2005) introduced a method for security proof, called the generic bilinear group (GBG) model, which is operated on a bilinear group set { G , G 1 , e ˆ , Q , Q 1 , q }. Meanwhile, the GBG model is combined into adversary games for security properties. In such adversary games, there is an adversary and a challenger who, respectively, are an oracle (query) requester and a replier. To run the operations on a bilinear group set { G , G 1 , e ˆ , Q , Q 1 , q }, the adversary requests the corresponding oracles (queries) and receives the operation results from the challenger. Therefore, the adversary may request three oracles O a , O m and O e ˆ , which are, respectively, the additive operation on G, the multiplicative operation on G 1 and the operation e ˆ : G × G → G 1 . Two injective random encoding functions ξ : Z q ∗ → Ω G and ξ 1 : Z q ∗ → Ω G 1 , are used to map all the elements of G and G 1 to distinct bit strings, respectively, which satisfy both Ω G ∩ Ω G 1 = ϕ and | Ω G | = | Ω G 1 | = q. Additionally, for all u, v ∈ Z q ∗ , three oracles O a , O m and O e ˆ have the following operation properties; –

O a ( ξ ( u ) , ξ ( v ) ) → ξ ( u + v mod q );

–

O m ( ξ 1 ( u ) , ξ 1 ( v ) ) → ξ 1 ( u + v mod q );

–

O e ˆ ( ξ ( u ) , ξ ( v ) → ξ 1 ( u · v mod q ).

Note that Q is represented by ξ ( 1 )

, whereas ξ 1 ( 1 )

represents Q 1 = e ˆ ( Q , Q )

. When such an adversary game ends and the adversary finds collisions in G or G 1

, the discrete logarithm problem in G or G 1

will be resolved, respectively.

2.2 Security Assumptions and Entropy

In this section, we define two security assumptions on which the proposed scheme is based as follows:

–

Discrete logarithm (DL) assumption: In { G , G 1 , e ˆ , Q , Q 1 , q }, for given u · Q ∈ G or Q 1 u ∈ G 1 , without knowing u ∈ Z q ∗ , it is hard to discover u.

–

Secure hash function (SH) assumption: Let SH : { 0 , 1 } ∗ → { 0 , 1 } t be a secure hash function, where t is a fixed length. Then it is hard to discover any two random bit strings RBS 1 and RBS 2 such that SH ( RBS 1 ) = SH ( RBS 2 ).

For evaluating the leakage impact of secret keys incurred by side-channel attacks, we employ the entropy concept by which the secret keys are viewed as finite random variables. Also, two consequences below (Lemmas 1 and 2) have been conducted in the literature (Dodis et al., 2008; Galindo and Virek, 2013). Lemma 1.

Let SK and LF : SK → { 0 , 1 } τ , respectively, denote a secret key and the corresponding leak function, where τ is a fixed length. Under the leak function LF ( ), we have H ˜ ∞ ( SK | LF ( SK ) ) ≧ H ∞ ( SK ) − τ, where H ˜ and H ∞ are, respectively, the average conditional min-entropy and the min-entropy.

Lemma 2.

Assume that there is a multiple-secret-key polynomial MSKF ∈ Z q [ SK 0 , SK 1 , … , SK n − 1 ] with degree d, where SK 0 , SK 1 , … , SK n − 1 are secret keys. Let P i (for i = 0 , 1 , … , n − 1) be n mutually independent probability distributions SK i = s k i ← Z q , which satisfy 0 ≦ τ ≦ log q and H ∞ ( P i ) ≧ log q − τ. Then the probability Pb [ MSKF ( SK 0 = s k 0 , SK 1 = s k 1 , … , SK n − 1 = s k n − 1 ) = 0 ] ≦ 2 τ ( d / q ) is negligible if τ < ( 1 − ω ) log q, where ω denotes a positive fraction.

3 Framework and Adversary Games

In this section, we define the framework and adversary games of the LR-HSC-HPKS scheme. For readability, some notations used throughout this paper are first defined in Table 2.

Table 2

Notations.

Notation	Meaning
CA	A certificate authority in the PKI-PKS
KGC	A key generation centre in the CL-PKS
SK CA / PK CA	CA’s secret/public key pair
SK KGC / PK KGC	KGC’s secret/public key pair
ID PKI	The identity of a user in the PKI-PKS
PKISK ID / PKIPK ID	The secret/public key pair of the user ID PKI
CRT ID	The certificate of the user ID PKI
ID CL	The identity of a user in the CL-PKS
CLSK ID / CLPK ID	The secret/public key pair of the user ID CL
CLISK ID / CLIPK ID	The identity secret/public key pair of the user ID CL
M	A message
CT	A ciphertext
SP	The system parameters
HSE	The Hybrid signcryption in the LR-HSC-HPKS scheme
HUSE	The Hybrid unsigncryption in the LR-HSC-HPKS scheme

Fig. 1

Two key generating procedures of the LR-HSC-HPKS scheme.

3.1 Framework

Based on Tseng et al.’s scheme (Tseng et al., 2022a) and Tsai et al.’s scheme (Tsai et al., 2023), we define a new framework of the LR-HSC-HPKS scheme. In the heterogeneous public-key systems, there are two public-key systems (PKSs), namely, the public-key infrastructure PKS (PKI-PKS) and the certificateless PKS (CL-PKS). In the LR-HSC-HPKS scheme, signers and decrypeters belong to the PKI-PKS and the CL-PKS, respectively. Here, two key generating procedures of the LR-HSC-HPKS scheme are presented in Fig 1. In the PKI-PKS, a signer with identity ID PKI randomly selects a secret key PKISK ID and computes the associated public key PKIPK ID . The signer sends both ID PKI and PKIPK ID to a trusted certificate authority (CA) with a key pair of a secret key SK CA and the associated public key PK CA . Then, the CA uses SK CA to compute and return the certificate CRT ID to the signer ID PKI . In the CL-PKS, a decrypter with identity ID CL randomly selects a secret key CLSK ID and computes the associated public key CLPK ID . The decrypter sends ID CL to a key generation centre (KGC) with a key pair of a secret key SK KGC and the associated public key PK KGC . Then, the KGC uses SK KGC to compute and return the decrypter ID CL ’s identity secret key CLISK ID and identity public key CLIPK ID .

For achieving leakage resilient property of the LR-HSC-HPKS scheme, we employ the key updating process with the multiplicative blinding technique (Kiltz and Pietrzak, 2010; Galindo and Virek, 2013) while partitioning each secret key into two parts. Meanwhile, each secret key must be updated before it is used in each cryptographic computation, namely, the key updating process. In the PKI-PKS, the CA’s secret key SK CA and the signer ID PKI ’s secret key PKISK ID are initially partitioned into ( SK CA , 0 , 0 , SK CA , 0 , 1 ) and ( PKISK ID , 0 , 0 , PKISK ID , 0 , 1 ), respectively. In the CL-PKS, the KGC’s secret key SK KGC is partitioned into ( SK KGC , 0 , 0 , SK KGC , 0 , 1 ). Also, the decrypter ID CL ’s secret key CLSK ID and identity secret key CLISK ID are initially partitioned into ( CLSK ID , 0 , 0 , CLSK ID , 0 , 1 ) and ( CLISK ID , 0 , 0 , CLISK ID , 0 , 1 ), respectively.

Fig. 2

The inputs/outputs of the HSE and the HUSE algorithms in the LR-HSC-HPKS scheme.

In the LR-HSC-HPKS scheme, assume that a signer ID PKI runs the Hybrid signcryption ( HSE ) algorithm to transmit a message M to a decrypter ID CL . For the HSE algorithm’s j-th running, the signer ID PKI first updates the old secret key ( PKISK ID , j − 1 , 0 , PKISK ID , j − 1 , 1 ) to the new secret key ( PKISK ID , j , 0 , PKISK ID , j , 1 ) and sends a ciphertext CT = HSE ( M , ID CL , CLPK ID , CLIPK ID , ( PKISK ID , j , 0 , PKISK ID , j , 1 ) ) to the decrypter ID CL . For the Hybrid unsigncryption ( HUSE) algorithm’s k-th running and receiving CT, the decrypter ID CL first updates the old secret key ( CLSK ID , k − 1 , 0 , CLSK ID , k − 1 , 1 ) to the new identity secret key ( CLISK ID , k , 0 , CLISK ID , k , 1 ), and gets the message M = HUSE ( CT , ID PKI , PKIPK ID , CRT ID , ( CLSK ID , k , 0 , CLSK ID , k , 1 ) , ( CLISK ID , k , 0 , CLISK ID , k , 1 ) ). Figure 2 depicts the inputs/outputs of the HSE and the HUSE algorithms in the LR-HSC-HPKS scheme. A new framework of the LR-HSC-HPKS scheme from the PKI-PKS to the CL-PKS is presented in Definition 1.

Definition 1.

The LR-HSC-HPKS scheme includes the following four parts. –

System setup: Firstly, the system parameters ( SP) are initially set. The heterogeneous public-key systems consist of the PKI-PKS and the CL-PKS. The CA in the PKI-PKS and the KGC in the CL-PKS, respectively, set their secret keys and the associated public keys as follows. ♦

PKI-PKS: The CA sets a secret/public key pair ( SK CA , PK CA ). Initially, the CA partitions SK CA into ( SK CA , 0 , 0 , SK CA , 0 , 1 ).

♦

CL-PKS: The KGC sets a secret/public key pair ( SK KGC , PK KGC ). Initially, the KGC partitions SK KGC into ( SK KGC , 0 , 0 , SK KGC , 0 , 1 ).

Also, SP

, PK CA

and PK KGC

are publicly published.

–

User key generation: For signers in the PKI-PKS and decrypters in the CL-PKS, two key generating procedures are presented as follows.

♦

PKI-PKS: A signer with identity ID PKI and the CA cooperatively run the following two algorithms.

•

Signer secret key generation: The signer ID PKI sets a secret/public key pair ( PKISK ID , PKIPK ID ). Initially, the signer ID PKI partitions PKISK ID into ( PKISK ID , 0 , 0 , PKISK ID , 0 , 1 ). Also, the signer ID PKI sends ( ID PKI , PKIPK ID ) to the CA.

•

Signer certificate generation: For this algorithm’s i-th running and giving ( ID PKI , PKIPK ID ), the CA first updates the old secret key ( SK CA , i − 1 , 0 , SK CA , i − , 1 , 1 ) to the new secret key ( SK CA , i , 0 , SK CA , i , 1 ), such that SK CA = SK CA , 0 , 0 + SK CA , 0 , 1 = SK CA , 1 , 0 + SK CA , 1 , 1 = ⋯ = SK CA , i , 0 + SK CA , i , 1 . Subsequently, the CA uses ( SK CA , i , 0 , SK CA , i , 1 ) to compute and return the certificate CRT ID to the signer ID PKI .

♦

CL-PKS: A decrypter with identity ID CL and the KGC cooperatively run the following four algorithms.

•

Decrypter secret key generation: The decrypter ID CL sets a secret/public key pair ( CLSK ID , CLPK ID ). Also, the decrypter ID CL sends ID CL to the KGC.

•

Decrypter identity secret key generation: For this algorithm’s i-th running and giving ID CL , the KGC first updates the old secret key ( SK KGC , i − 1 , 0 , SK KGC , i − 1 , 1 ) to the new secret key ( SK KGC , i , 0 , SK KGC , i , 1 ) such that SK KGC = SK KGC , 0 , 0 + SK KGC , 0 , 1 = SK KGC , 1 , 0 + SK KGC , 1 , 1 = ⋯ = SK KGC , i , 0 + SK KGC , i , 1 . Subsequently, the KGC uses ( SK KGC , i , 0 , SK KGC , i , 1 ) to compute and return the identity secret/public key pair ( CLISK ID , CLIPK ID ) to the decrypter ID CL .

•

Decrypter secret key combination: ( CLSK ID , CLISK ID ) is the decrypter ID CL ’s secret key pair. Initially, the decrypter ID CL partitions CLSK ID and CLISK ID into ( CLSK ID , 0 , 0 , CLSK ID , 0 , 1 ) and ( CLISK ID , 0 , 0 , CLISK ID , 0 , 1 ), respectively.

•

Decrypter public key combination: ( CLPK ID , CLIPK ID ) is the decrypter ID CL ’s public key pair.

–

Hybrid signcryption ( HSE): For the HSE algorithm’s j-th running and giving ( M , ID CL , CLPK ID , CLIPK ID ), the signer ID PKI first updates the old secret key ( PKISK ID , j − 1 , 0 , PKISK ID , j − 1 , 1 ) to the new secret key ( PKISK ID , j , 0 , PKISK ID , j , 1 ). Then, the signer ID PKI generates a ciphertext CT = HSE ( M , ID CL , CLPK ID , CLIPK ID , ( PKISK ID , j , 0 , PKISK ID , j , 1 ) ) and returns CT to the decrypter ID CL .

–

Hybrid unsigncryption ( HUSE): For the Hybrid unsigncryption ( HUSE) algorithm’s k-th running and giving CT, the decrypter ID CL , respectively, updates the old secret key ( CLSK ID , k − 1 , 0 , CLSK ID , k − 1 , 1 ) and the identity secret key ( CLISK ID , k − 1 , 0 , CLISK ID , k − 1 , 1 ) to the new secret key ( CLSK ID , k , 0 , CLSK ID , k , 1 ) and the new identity secret key ( CLISK ID , k , 0 , CLISK ID , k , 1 ), and gets the message M = HUSE ( CT , ID PKI , PKIPK ID , CRT ID , ( CLSK ID , k , 0 , CLSK ID , k , 1 ), ( CLISK ID , k , 0 , CLISK ID , k , 1 ) ).

3.2 Adversary Games

Based on Tseng et al.’s scheme (Tseng et al., 2022a) and Tsai et al.’s scheme (Tsai et al., 2023), we define two adversary games of the LR-HSC-HPKS scheme in the heterogeneous public-key systems (including the PKI-PKS and the CL-PKS).

For the Signer certificate generation i-th running, a pair of leak functions ( f SCG , i , h SCG , i ) on ( SK CA , i , 0 , SK CA , i , 1 ) is employed to model the leak ability of adversaries. Also, the pair ( f ISKG , i , h ISKG , i ) on ( SK KGC , i , 0 , SK KGC , i , 1 ) is employed for Decrypter identity secret key generation’s i-th running, the pair ( f HS , j , h HS , j ) on ( PKISK ID , j , 0 , PKISK ID , j , 1 ) is employed for Hybrid signcryption’s j-th running and the pair ( f HUS , k , h HUS , k ) on ( ( CLSK ID , k , 0 , CLISK ID , k , 0 ) , ( CLSK ID , k , 1 , CLISK ID , k , 1 ) ) is employed for Hybrid unsigncryption’s k-th running. Moreover, let Δ f SCG , i , Δ h SCG , i , Δ f ISKG , i , Δ h ISKG , i , Δ f HS , j , Δ h HS , j , Δ f HUS , k and Δ h HUS , k denote these functions’ outputs while each output bit length is limited to τ as defined in Lemma 1. The inputs and outputs of eight leak functions are given as follows: –

Δ f SCG , i = f SCG , i ( SK CA , i , 0 ).

–

Δ h SCG , i = h SCG , i ( SK CA , i , 1 ).

–

Δ f ISKG , i = f ISKG , i ( SK KGC , i , 0 ).

–

Δ h ISKG , i = h ISKG , i ( SK KGC , i , 1 ).

–

Δ f HS , j = f HS , j ( PKISK ID , j , 0 ).

–

Δ h HS , j = h HS , j ( PKISK ID , j , 1 ).

–

Δ f HUS , k = f HUS , k ( CLSK ID , k , 0 , CLISK ID , k , 0 ).

–

Δ h HUS , k = h HUS , k ( CLSK ID , k , 1 , CLISK ID , k , 1 ).

In the heterogeneous public-key systems (including the PKI-PKS and the CL-PKS), there are two types of adversaries, namely, illegitimate member ( A I

) and malicious CA/KGC ( A II

–

Illegitimate member ( A I ): A I is used to model the attacking abilities of an illegitimate member as follows.

•

A I may obtain any signer ID PKI ’s secret key PKISK ID , except for the target signer ID ∗ PKI . Also A I may obtain any decrypter ID CL ’s secret key CLSK ID and identity secret key CLISK ID , except for the identity secret key CLISK ID ∗ of the target decrypter ID ∗ CL .

•

A I may obtain a portion about PKISK ID ∗ = ( PKISK ID ∗ , j , 0 , PKISK ID ∗ , j , 1 ) and CLISK ID ∗ = ( CLISK ID ∗ , k , 0 , CLISK ID ∗ , k , 1 ) by two pairs of leak functions ( f HS , j , h HS , j ) and ( f HUS , k , h HUS , k ), respectively.

•

A I may obtain a portion of SK CA = ( SK CA , i , 0 , SK CA , i , 1 ) and SK KGC = ( SK KGC , i , 0 , SK KGC , i , 1 ) by two pairs of leak functions ( f SCG , i , h SCG , i ) and ( f ISKG , i , h ISKG , i ), respectively.

–

Malicious CA/KGC ( A II ): A II is used to model the attacking abilities of a malicious CA/KGC who has both SK CA and SK KGC .

•

A II may obtain any signer ID PKI ’s secret key PKISK ID and any decrypter ID CL ’s secret key CLSK ID , except for the target signer ID ∗ PKI and decrypter ID ∗ CL .

•

A II may obtain a portion of PKISK ID ∗ = ( PKISK ID ∗ , j , 0 , PKISK ID ∗ , j , 1 ) by the pair of leak functions ( f HS , j , h HS , j ).

•

A II may obtain a portion of CLSK ID ∗ = ( CLSK ID ∗ , k , 0 , CLSK ID ∗ , k , 1 ) by the pair of leak functions ( f HUS , k , h HUS , k ).

In Definitions 2 and 3, we define two adversary games Game 1 and Game 2 to model the content unforgeability (authentication) and the message confidentiality, respectively. Definition 2 (<inline-formula id="j_infor546_ineq_287"><alternatives><mml:math><mml:mstyle mathvariant="bold"> <mml:mi mathvariant="bold">Gam</mml:mi> <mml:msub> <mml:mrow> <mml:mi>e</mml:mi> </mml:mrow> <mml:mrow> <mml:mn>1</mml:mn> </mml:mrow> </mml:msub></mml:mstyle></mml:math><tex-math><![CDATA[$\mathbf{\mathbf{Gam}{e_{1}}}$]]></tex-math></alternatives></inline-formula>)<italic>.</italic>

The adversary game Game 1 is played by an adversary A ( A I or A II ) and a challenger B. If no probabilistic polynomial-time (PPT) adversary A with a non-negligible advantage wins Game 1 , the LR-HSC-HPKS scheme possesses the existential unforgeability (authentication) under adaptive chosen-message and side-channel attacks (EUF-ACMSCA). –

Initialization phase: The challenger B runs the System setup in Definition 1 to generate the CA’s secret/public key pair ( SK CA , PK CA ) and the KGC’s secret/public key pair ( SK KGC , PK KGC ). Also, B sets the system parameters ( SP). In the meantime, B partitions SK CA and SK KGC into ( SK CA , 0 , 0 , SK CA , 0 , 1 ) and ( SK KGC , 0 , 0 , SK KGC , 0 , 1 ), respectively. Additionally, if A is an A II , both SK CA and SK KGC are sent to A II .

–

Query phase: A ( A I or A II ) may adaptively request various kinds of queries (oracles) to B as follows.

•

Signer secret key query ( ID PKI ): The signer ID PKI ’s secret key PKISK ID is returned.

•

Signer certificate query ( ID PKI , PKIPK ID ). For the i-th request of this query, B first updates the old secret key ( SK CA , i − 1 , 0 , SK CA , i − 1 , 1 ) to the new secret key ( SK CA , i , 0 , SK CA , i , 1 ). By ( ID PKI , PKIPK ID ), B uses ( SK CA , i , 0 , SK CA , i , 1 ) to generate and return the signer ID PKI ’s certificate CRT ID .

•

Signer certificate leak query ( i , f SCG , i , h SCG , i ). For the i-th request of the Signer certificate query, the leak query can only be requested once. B returns Δ f SCG , i = f SCG , i ( SK CA , i , 0 ) and Δ h SCG , i = h SCG , i ( SK CA , i , 1 ).

•

Decrypter identity secret key query ( ID CL ). For the i-th request of this query, B first updates the old secret key ( SK KGC , i − 1 , 0 , SK KGC , i − 1 , 1 ) to the new secret key ( SK KGC , i , 0 , SK KGC , i , 1 ). By ID CL , B uses ( SK KGC , i , 0 , SK KGC , i , 1 ) to generate and return the identity secret/public key pair ( CLISK ID , CLIPK ID ).

•

Decrypter identity secret key leak query ( i , f ISKG , i , h ISKG , i ). For the i-th request of the Decrypter identity secret key query, the leak query can only be requested once. B returns Δ f ISKG , i = f ISKG , i ( SK KGC , i , 0 ) and Δ h ISKG , i = h ISKG , i ( SK KGC , i , 1 ).

•

Decrypter public key replace query ( ID CL , ( CLPK ID ′ , CLIPK ID ′ ) ). The decrypter ID CL ’s public key is replaced with ( CLPK ID ′ , CLIPK ID ′ ).

•

Decrypter secret key query ( ID CL ). If the Decrypter public key replace query ( ID CL , ( CLPK ID ′ , CLIPK ID ′ ) ) is never requested, the decrypter ID CL ’s secret key CLSK ID is returned.

•

Hybrid signcryption query ( M , ID PKI , ID CL ): B first updates the signer ID PKI ’s old secret key ( PKISK ID , j − 1 , 0 , PKISK ID , j − 1 , 1 ) to the new secret key ( PKISK ID , j , 0 , PKISK ID , j , 1 ), and runs the Hybrid signcryption to return CT.

•

Hybrid signcryption leak query ( ID PKI , j , f HS , j , h HS , j ): For the signer ID PKI ’s j-th request of the Decrypter identity secret key query, the leak query can only be requested once. B returns Δ f HS , j = f HS , j ( PKISK ID , j , 0 ) and Δ h HS , j = h HS , j ( PKISK ID , j , 1 ).

•

Hybrid unsigncryption query ( CT , ID PKI , ID CL ): B first updates the decrypter ID CL ’s old secret key ( CLSK ID , k − 1 , 0 , CLSK ID , k − 1 , 1 ) and identity secret key ( CLISK ID , k − 1 , 0 , CLISK ID , k − 1 , 1 ) to the new secret key ( CLSK ID , k , 0 , CLSK ID , k , 1 ) and identity secret key ( CLISK ID , k , 0 , CLISK ID , k , 1 ), respectively. B runs the Hybrid unsigncryption to return M.

•

Hybrid unsigncryption leak query ( ID CL , k , f HUS , k , h HUS , k : For the decrypter ID CL ’s k-th request of the Decrypter identity secret key query, the leak query can only be requested once. B returns Δ f HUS , k = f HUS , k ( CLSK ID , k , 0 , CLSK ID , k , 1 ) and Δ h HUS , k = h HUS , k ( CLISK ID , k , 0 , CLISK ID , k , 1 ).

–

Forgery phase: Assume that A forges a ciphertext CT ∗ = ( T ∗ 0 , T ∗ 1 , T ∗ 2 , ID ∗ PKI , ID ∗ CL ) for the message M ∗ . We say that A wins Game 1 if the following three provisions are true.

•

M ∗ can be generated by the Hybrid unsigncryption algorithm.

•

The Hybrid signcryption query ( M ∗ , ID ∗ PKI , ID CL ) is never issued.

•

The Signer secret key query ( ID ∗ PKI ) is never issued.

Definition 3 (<inline-formula id="j_infor546_ineq_359"><alternatives><mml:math><mml:mstyle mathvariant="bold"> <mml:mi mathvariant="bold">Gam</mml:mi> <mml:msub> <mml:mrow> <mml:mi>e</mml:mi> </mml:mrow> <mml:mrow> <mml:mn>2</mml:mn> </mml:mrow> </mml:msub></mml:mstyle></mml:math><tex-math><![CDATA[$\mathbf{\mathbf{Gam}{e_{2}}}$]]></tex-math></alternatives></inline-formula>)<italic>.</italic>

The adversary game Game 2 is played by an adversary A ( A I or A II ) and a challenger B. If no PPT adversary A with a non-negligible advantage wins Game 2 , the LR-HSC-HPKS scheme possesses the encryption indistinguishability (message confidentiality) under chosen-ciphertext and side-channel attacks (EIND-CCSCA). –

Initialization phase. The phase is the same with the Initialization phase in Definition 2.

–

Query phase. The phase is the same with the Query phase in Definition 2.

–

Challenge phase. A selects a target decrypter ID ∗ CL and a message pair ( M 0 , M 1 ) as a challenge objective. B randomly selects c ∈ { 0 , 1 } and generates a challenge ciphertext CT ∗ by running the Hybrid signcryption with ( M c , ID PKI , ID ∗ CL ). Also, B sends CT ∗ to A. Note that the following two provisions are true.

If A is an A I , the Decrypter identity secret key query ( ID ∗ CL ) is never issued.

If A is an A II , neither the Decrypter public key replace query ( ID ∗ CL , ( CLPK I D ∗ ′ , CLIPK I D ∗ ′ ) ) nor the Decrypter secret key query ( ID ∗ CL ) is issued.

–

Guessing phase. A outputs c ′ ∈ { 0 , 1 } and wins Game 2 if c ′ = c. Meanwhile, A’s advantage is defined as Adv ( A ) = | Pb [ c ′ = c ] − 1 / 2 |.

4 Our LR-HSC-HPKS Scheme

According to the framework shown in Definition 1, our LR-HSC-HPKS scheme consists of four parts as presented below.

–

System setup: The system sets a bilinear group set { G , G 1 , e ˆ , Q , Q 1 , q } defined in Section 2.1. Moreover, the system publishes S P = { G , G 1 , e ˆ , Q , Q 1 , q , W , T , SE / SD , SH 0 , SH 1 }, where W and T are random elements in G, SE and SD are respectively symmetric encryption and decryption functions, and SH 0 : { 0 , 1 } ∗ × G → { 0 , 1 } t and SH 1 : G × { 0 , 1 } ∗ → { 0 , 1 } t are two secure hash functions. The heterogeneous public-key systems consist of the PKI-PKS and the CL-PKS. The CA in the PKI-PKS and the KGC in the CL-PKS, respectively, set their secret/public key pairs as follows.

♦

PKI-PKS: The CA randomly selects r ∈ Z q ∗ and then sets a secret/public key pair ( SK CA , PK CA ), where SK CA = r · Q and PK CA = e ˆ ( Q , r · Q ). Also, the CA randomly selects w ∈ Z q ∗ and partitions SK CA into SK CA = ( SK CA , 0 , 0 , SK CA , 0 , 1 ) = ( w · Q , SK CA − w · Q ).

♦

CL-PKS: The KGC randomly selects t ∈ Z q ∗ and then sets a secret/public key pair ( SK KGC , PK KGC ), where SK KGC = t · Q and PK KGC = e ˆ ( Q , t · Q ). Also, the KGC randomly selects s ∈ Z q ∗ and partitions SK KGC into SK KGC = ( SK KGC , 0 , 0 , SK KGC , 0 , 1 ) = ( s · Q , SK KGC − s · Q ).

–

User key generation: For signers in the PKI-PKS and decrypters in the CL-PKS, two key generating procedures are presented as follows.

♦

PKI-PKS: A signer with identity ID PKI and the CA cooperatively run the following two algorithms.

•

Signer secret key generation: The signer ID PKI randomly selects x ∈ Z q ∗ and then sets a secret/public key pair ( PKISK ID , PKIPK ID ), where PKISK ID = x · Q and PKIPK ID = e ˆ ( Q , x · Q ). Also, the signer ID PKI randomly selects w i ∈ Z q ∗ and partitions PKISK ID into PKISK ID = ( PKISK ID , 0 , 0 , PKISK ID , 0 , 1 ) = ( w i · Q , PKISK ID − w i · Q ).

•

Signer certificate generation: For this algorithm’s i-th running and giving ( ID PKI , PKIPK ID ), the CA randomly selects w ∈ Z q ∗ and updates the old secret key ( SK CA , i − 1 , 0 , SK CA , i − , 1 , 1 ) to the new secret key ( SK CA , i , 0 , SK CA , i , 1 ) = ( SK CA , i − 1 , 0 + w · Q , SK CA , i − 1 , 1 − w · Q ), such that SK CA = SK CA , 0 , 0 + SK CA , 0 , 1 = SK CA , 1 , 0 + SK CA , 1 , 1 = ⋯ = SK CA , i , 0 + SK CA , i , 1 . Also, the CA uses ( SK CA , i , 0 , SK CA , i , 1 ) to compute and return the certificate CRT ID to the signer ID PKI .

♦

CL-PKS: A decrypter with identity ID CL and the KGC cooperatively run the following four algorithms.

•

Decrypter secret key generation: The decrypter ID CL randomly selects l ∈ Z q ∗ and then sets a secret/public key pair ( CLSK ID , CLPK ID ), where CLSK ID = l · Q and CLPK ID = e ˆ ( Q , l · Q ). Also, the decrypter ID CL sends ID CL to the KGC.

•

Decrypter identity secret key generation: For this algorithm’s i-th running and giving ID CL , the KGC randomly selects t i ∈ Z q ∗ and updates the old secret key ( SK KGC , i − 1 , 0 , SK KGC , i − 1 , 1 ) to the new secret key ( SK KGC , i , 0 , SK KGC , i , 1 ) = ( SK KGC , i − 1 , 0 + t i · Q , SK KGC , i − 1 , 1 − t i · Q ), such that SK KGC = SK KGC , 0 , 0 + SK KGC , 0 , 1 = SK KGC , 1 , 0 + SK KGC , 1 , 1 = ⋯ = SK KGC , i , 0 + SK KGC , i , 1 . Also, the KGC randomly selects f ∈ Z q ∗ and uses ( SK KGC , i , 0 , SK KGC , i , 1 ) to compute and return the identity secret/public key pair ( CLISK ID , CLIPK ID ) of the decrypter ID CL as follows:

(1)

CLIPK ID = f · Q.

(2)

ρ = SH 0 ( ID CL , CLIPK ID ).

(3)

TK i = SK KGC , i , 1 + f · ( W + ρ · T ).

(4)

CLISK ID = SK KGC , i , 0 + TK i .

•

Decrypter secret key combination: The decrypter ID CL ’s secret key pair is ( CLSK ID , CLISK ID ). The ID CL randomly selects δ, ξ ∈ Z q ∗ , and partitions CLSK ID and CLISK ID into ( CLSK ID , 0 , 0 , CLSK ID , 0 , 1 ) = ( δ · Q , CLSK ID − δ · Q ) and ( CLISK ID , 0 , 0 , CLISK ID , 0 , 1 ) = ( ξ · Q , CLISK ID − ξ · Q ), respectively.

•

Decrypter public key combination: The decrypter ID CL ’s public key pair is ( CLPK ID , CLIPK ID ).

–

Hybrid signcryption ( HSE): Assume that the signer ID PKI wants to send a message M to the decrypter ID CL . For the HSE algorithm’s j-th running, the signer ID PKI runs the following steps to generate a ciphertext CT.

(1)

Randomly select h ∈ Z q ∗ and update the old secret key ( PKISK ID , j − 1 , 0 , PKISK ID , j − 1 , 1 ) into the new secret key ( PKISK ID , j , 0 , PKISK ID , j , 0 ) = ( PKISK ID , j − 1 , 0 + h · Q , PKISK ID , j − 1 , 1 − h · Q ).

(2)

Randomly select n ∈ Z q ∗ , and compute T 1 = n · Q, EK 1 = ( CLPK ID ) n , EK 2 = ( PK KGC · e ˆ ( CLIPK ID , ( W + ρ · T ) ) ) n , where ρ = SH 0 ( ID CL , CLIPK ID ).

(3)

Generate T 2 = SE EK ( M ), where E K = EK 1 ⊕ EK 2 is an encryption key.

(4)

Compute TS = PKISK ID , j , 0 + ( n · ( W + β · T ) ), where β = SH 1 ( T 1 , T 2 , ID PKI , ID CL , M ).

(5)

Generate a signature T 0 = PKISK ID , j , 1 + TS.

(6)

Set CT = ( T 0 , T 1 , T 2 , ID PKI , ID CL ).

–

Hybrid unsigncrypion ( HUSE): For the Hybrid unsigncryption ( HUSE) algorithm’s k-th running and giving CT, the decrypter ID CL runs the following steps to get the message M.

(1)

Randomly select v ∈ Z q ∗ , and update the old secret key ( CLSK ID , k − 1 , 0 , CLSK ID , k − 1 , 1 ) and the old identity secret key ( CLISK ID , k − 1 , 0 , CLISK ID , k − 1 , 1 ) to the new secret key ( CLSK ID , k , 0 , CLSK ID , k , 1 ) = ( CLSK ID , k − 1 , 0 + v · Q , CLSK ID , k − 1 , 1 − v · Q ) and the new identity secret key ( CLISK ID , k , 0 , CLISK ID , k , 1 ) = ( CLISK ID , k − 1 , 0 + v · Q , CLISK ID , k − 1 , 1 − v · Q ), respectively.

(2)

Generate TEK 1 = e ˆ ( T 1 , CLSK ID , k , 0 ) and TEK 2 = e ˆ ( T 1 , CLISK ID , k , 0 ).

(3)

Compute EK 1 ′ = TEK 1 · e ˆ ( T 1 , CLSK ID , k , 1 ) and EK 2 ′ = TEK 2 · e ˆ ( T 1 , CLISK ID , k , 1 ).

(4)

Recover M = SD EK ′ ( T 2 ), where EK ′ = EK 1 ′ ⊕ EK 2 ′ .

(5)

Set β ′ = SH 1 ( T 1 , T 2 , ID PKI , ID CL , M ).

(6)

Output M if e ˆ ( Q , T 0 ) = PKIPK ID · e ˆ ( T 1 , ( W + β ′ · T ) ) is true.

The correctness of two equations EK ′ = EK 1 ′ ⊕ E K ′ 2 = EK 1 ⊕ EK 2 = E K and e ˆ ( Q , T 0 ) = PKIPK ID · e ˆ ( T 1 , ( W + β ′ · T ) ) are shown as follows. √

E K ′ = EK 1 ′ ⊕ EK 2 ′ = TEK 1 · e ˆ ( T 1 , CLSK ID , k , 1 ) ⊕ TEK 2 · e ˆ ( T 1 , CLISK ID , k , 1 ) = e ˆ ( T 1 , CLSK ID , k , 0 ) · e ˆ ( T 1 , CLSK ID , k , 1 ) ⊕ e ˆ ( T 1 , CLISK ID , k , 0 ) · e ˆ ( T 1 , CLISK ID , k , 1 ) = e ˆ ( T 1 , CLSK ID ) ⊕ e ˆ ( T 1 , CLISK ID ) = e ˆ ( n · Q , CLSK ID ) ⊕ e ˆ ( n · Q , CLISK ID ) = e ˆ ( Q , CLSK ID ) n ⊕ e ˆ ( n · Q , SK KGC + ( f · ( W + ρ · T ) ) ) = e ˆ ( Q , CLSK ID ) n ⊕ e ˆ ( n · Q , SK KGC ) · e ˆ ( n · Q , ( f · ( W + ρ · T ) ) ) = e ˆ ( Q , CLSK ID ) n ⊕ e ˆ ( Q , SK KGC ) n · e ˆ ( f · Q , ( n · ( W + ρ · T ) ) ) = ( CLPK ID ) n ⊕ ( PK KGC · e ˆ ( CLIPK ID , ( W + ρ · T ) ) ) n = EK 1 ⊕ EK 2 .

√

e ˆ ( Q , T 0 ) = e ˆ ( Q , PKISK ID , j , 1 + T S ) = e ˆ ( Q , PKISK ID , j , 1 + ( PKISK ID , j , 0 + ( n · ( W + β · T ) ) ) = e ˆ ( Q , PKISK ID + ( n · ( W + β · T ) ) ) = e ˆ ( Q , PKISK ID ) · e ˆ ( Q , ( n · ( W + β · T ) ) ) = PKIPK ID · e ˆ ( n · Q , ( W + β · T ) ) = PKIPK ID · e ˆ ( T 1 , ( W + β ′ · T ) ) .

5 Security Analysis

In Definitions 2 and 3, we define two adversary games Game 1 and Game 2 , respectively, to model the content unforgeability (authentication) and the message confidentiality in the LR-HSC-HPKS scheme. Under Game 1 and Game 2 , Theorems 1 and 2 show that the LR-HSC-HPKS scheme is EUF-ACMSCA-secure and EIND-CCSCA-secure against both A I and A II , respectively. Theorem 1.

Based on the SH assumption and the DL assumption in the GBG model, the LR-HSC-HPKS scheme is EUF-ACMSCA-secure against adversaries A ( A I and A II ).

Proof.

An adversary A and a challenger B cooperatively play Game 1 as follows. –

Initialization phase. B runs the System setup in Definition 1 to generate SP = { G , G 1 , e ˆ , Q , Q 1 , q , W , T , SE / SD , SH 0 , SH 1 }, the CA’s secret/public key pair ( SK CA , PK CA ) and the KGC’s secret/public key pair ( SK KGC , PK KGC ). Additionally, if A is an A II , both SK CA and SK KGC are sent to A II . Also, six initially empty lists LT a , LT b , LT SK , LT ISK , LT HSE and LT SH are constructed as follows.

•

LT a : Each element of G is recorded as a pair of (multi-variate polynomial, bit-string) in LT a , represented as ( Ψ G x , y , z , Ω G x , y , z ), where the three x, y and z, denote type-x query, y-th query and z-th item, respectively. Also, B records ( Ψ Q , Ω G S , 0 , 1 ), ( Ψ W , Ω G S , 0 , 2 ), ( Ψ T , Ω G S , 0 , 3 ), ( Ψ SK CA , Ω G S , 0 , 4 ) and ( Ψ SK KGC , Ω G S , 0 , 5 ) in LT a . In the subsequent Query phase, there is an auto-transformation process that can transform Ψ G x , y , z (or Ω G x , y , z ) to Ω G x , y , z (or Ψ G x , y , z ).

•

LT b : Each element of G 1 is recorded as a pair of (multi-variate polynomial, bit-string) in LT b , represented as ( Ψ G 1 , x , y , z , Ω G 1 , x , y , z ), where x, y and z are identical with those in LT a . Additionally, B records ( Ψ PK CA , Ω G 1 , S , 0 , 1 ) and ( Ψ PK KGC , Ω G 1 , S , 0 , 1 ) in LT b . Also, there is an auto-transformation process that can transform Ψ G 1 , x , y , z (or Ω G 1 , x , y , z ) to Ω G 1 , x , y , z (or Ψ G 1 , x , y , z ).

•

LT SK : A secret/public key pair of ID PKI / ID CL is recorded as a tuple ( ID PKI / ID CL , Ψ PKISK ID / Ψ CLSK ID , Ψ PKIPK ID / Ψ CLPK ID ) in LT SK .

•

LT ISK : An identity secret/public key pair of ID CL is recorded as a tuple ( ID CL , Ψ CLISK ID , Ψ CLIPK ID ) in LT ISK .

•

L HSE : The related contents of requesting the Hybrid signcryption query ( M , ID PKI , ID CL ) are recorded as a tuple ( M , Ψ T 0 , Ψ T 1 , T 2 , Ψ EK 1 , Ψ EK 2 , Ψ β , ID PKI , ID CL ) in L HSE .

•

–

Query phase: A ( A I or A II ) may adaptively request various kinds of queries (oracles) to B at most p times as follows.

•

O a query ( Ω G O , r , i , Ω G O , r , j , OP): B first transforms ( Ω G O , r , i , Ω G O , r , j ) to ( Ψ G O , r , i , Ψ G O , r , j ). B computes Ψ G O , r , k = Ψ G O , r , i + Ψ G O , r , j if OP is “addition”. Otherwise, B computes Ψ G O , l , k = Ψ G O , r , i − Ψ G O , r , j . Also, B records ( Ψ G O , r , k , Ω G O , r , k ) in LT a .

•

O m query ( Ω G 1 , O , r , i , Ω G 1 , O , r , j , OP ): B first transforms ( Ω G 1 , O , r , i , Ω G 1 , O , r , j ) to ( Ψ G 1 , O , r , i , Ψ G 1 , O , r , j ). B computes Ψ G 1 , O , r , k = Ψ G 1 , O , r , i + Ψ G 1 , O , r , j if OP is “multiplication”. Otherwise, B computes Ψ G 1 , O , r , k = Ψ G 1 , O , r , i − Ψ G 1 , O , r , j . Also, B records ( Ψ G 1 , O , r , k , Ω G 1 , O , r , k ) in LT b .

•

O e ˆ query ( Ω G O , l , i , Ω G O , l , j ): B first transforms ( Ω G O , r , i , Ω G O , l , j ) to ( Ψ G O , r , i , Ψ G O , r , j ). B computes Ψ G 1 , O , r , k = Ψ G O , r , i · Ψ G O , r , j and records ( Ψ G 1 , O , r , k , Ω G 1 , O , r , k ) in LT b .

•

Signer secret key query ( ID PKI ): B uses ID PKI to find ( ID PKI , Ψ PKISK ID , Ψ PKIPK ID ) in LT SK . If found, B transforms Ψ PKISK ID to return Ω PKISK ID . Otherwise, B chooses Ψ GR in G and computes Ψ PKR = Ψ Q · Ψ GR. B records ( PKI ID , Ψ PKISK ID = Ψ GR , Ψ PKIPK ID = Ψ PKR ) in LT SK . Also, B respectively records ( Ψ GR , Ω GR) and ( Ψ PKR , Ω PKR) in LT a and LT b , and returns Ω GR and Ω PKR.

•

Signer certificate query ( ID PKI , Ω PKIPK ID ): For the i-th request of this query, B first updates the old secret key Ψ SK CA = ( Ψ SK CA , i − 1 , 0 , Ψ SK CA , i − 1 , 1 ) to the new secret key Ψ SK CA = ( Ψ SK CA , i , 0 , Ψ SK CA , i , 1 ), and uses ( Ψ SK CA , i , 0 , Ψ SK CA , i , 1 ) to generate and return the signer ID PKI ’s certificate CRT ID .

•

Signer certificate leak query ( i , f SCG , i , h SCG , i ): For the i-th request of the Signer certificate query, the leak query can only be requested once. B returns Δ f SCG , i = f SCG , i ( SK CA , i , 0 ) and Δ h SCG , i = h SCG , i ( SK CA , i , 1 ).

•

Decrypter identity secret key query ( ID CL ). For the i-th request of this query, B first updates the old secret key Ψ SK KGC = ( Ψ SK KGC , i − 1 , 0 , Ψ SK KGC , i − 1 , 1 ) to the new secret key Ψ SK KGC = ( Ψ SK KGC , i , 0 , Ψ SK KGC , i , 1 ). B chooses Ψ GT and Ψ ρ in G, and generates the decrypter ID CL ’s identity secret/public key pair ( Ψ CLISK ID = Ψ SK KGC + Ψ GT · ( Ψ W + Ψ ρ · Ψ T ) , Ψ CLIPK ID = Ψ GT ). B records ( Ψ CLISK ID , Ω CLISK ID ), ( Ψ CLIPK ID , Ω CLIPK ID ) and ( Ψ ρ , Ω ρ = ID CL | | Ω CLIPK ID ) in LT a . Also, B records ( ID CL , Ψ CLISK ID , Ψ CLIPK ID ) in LT ISK , and returns both Ω CLISK ID and Ω CLIPK ID .

•

Decrypter public key replace query ( ID CL , ( Ω CLPK ID ′ , Ω CLIPK ID ′ ) ). B transforms ( Ω CLPK ID ′ , Ω CLIPK ID ′ ) to ( Ψ CLPK ID ′ , Ψ CLIPK ID ′ ). B modifies ( CL ID , − , Ψ CLPK ID ′ ) in LT SK and ( C L ID , − , Ψ CLIPK ID ′ ) in LT ISK .

•

Decrypter secret key query ( ID CL ). B uses ID CL to find ( ID CL , Ψ CLSK ID , Ψ CLPK ID ) in LT SK . If found, B transforms Ψ CLSK ID to return Ω CLSK ID . Otherwise, B chooses Ψ G R in G and computes Ψ PKR = Ψ Q · Ψ GR. B records ( ID CL , Ψ CLSK ID = Ψ GR , Ψ CLPK ID = Ψ PKR ) in LT SK . Also, B respectively records ( Ψ GR , Ω GR) and ( Ψ PKR , Ω PKR ) in LT a and LT b , and returns both Ω GR and Ω PKR.

•

Hybrid signcryption query ( M , ID PKI , ID CL ): B first updates the signer ID PKI ’s old secret key Ψ PKISK ID = ( Ψ PKISK ID , j − 1 , 0 , Ψ PKISK ID , j − 1 , 1 ) to the new secret key Ψ PKISK ID = ( Ψ PKISK ID , j , 0 , Ψ PKISK ID , j , 1 ). B performs the following detailed processes to return CT.

(1)

By ID CL , find ( ID CL , Ψ CLIPK ID , Ψ CLISK ID ) in LT ISK and ( ID CL , Ψ CLPK ID , Ψ CLSK ID ) in LT SK . Meanwhile, transform Ψ CLIPK ID to Ω CLIPK ID .

(2)

Select Ψ ρ and Ψ n in G and record ( Ψ ρ , ID CL | | Ω CLIPK ID ) in LT a .

(3)

Compute Ψ EK 1 = Ψ CLPK ID · Ψ n and Ψ EK 2 = ( Ψ PK KGC + ( Ψ CLIPK ID · ( Ψ W + Ψ ρ · Ψ T ) ) ) · Ψ n.

(4)

Transform Ψ n, Ψ EK 1 and Ψ EK 2 to Ω n, Ω EK 1 and Ω EK 2 , respectively.

(5)

Compute Ω E K = Ω EK 1 ⊕ Ω EK 2 and T 2 = SE Ω E K ( M ).

(6)

Compute Ω β = SH 1 ( Ω n , T 2 , ID PKI , ID CL , M ), select Ω β in G, and record ( Φ β , Ω β) in LT a .

(7)

Compute Ψ T 0 = Ψ PKISK ID + ( Ψ n · ( Ψ W + Ψ T · Ψ β ) ) and transform Ψ T 0 to Ω T 0 .

(8)

Record ( M , Ψ T 0 , Ψ n , T 2 , Ψ EK 1 , Ψ EK 2 , Ψ β , ID PKI , ID CL ) in L HSE .

(9)

Return CT = ( Ω T 0 , Ω n , T 2 , ID PKI , ID CL ).

•

Hybrid unsigncryption query ( CT , ID PKI , ID CL ): B first updates the decrypter ID CL ’s old secret key ( CLSK ID , k − 1 , 0 , CLSK ID , k − 1 , 1 ) and identity secret key ( CLISK ID , k − 1 , 0 , CLISK ID , k − 1 , 1 ) to Ψ CLSK ID = ( Ψ CLSK ID , k , 0 , Ψ CLSK ID , k , 1 ) and Ψ CLISK ID = ( Ψ CLISK ID , k , 0 , Ψ CLISK ID , k , 1 ), respectively. B performs the following detailed processes to return M.

(1)

By ID PKI , find ( ID PKI , Ψ PKIPK ID ) in LT SK and transform Ψ PKIPK ID to Ω PKIPK ID .

(2)

Transform Ω T 0 and Ω n to Ψ T 0 and Ψ n, respectively.

(3)

Compute Ψ EK 1 = Ψ n · Ψ CLSK ID and Ψ EK 2 = Ψ n · Ψ CLISK ID .

(4)

Set Ω β = SH 1 ( Ω n , T 2 , ID PKI , ID CL , M ) and transform Ω β to Ψ β.

(5)

Use ( Ψ T 0 , Ψ n , T 2 , Ψ n , Ψ EK 1 , Ψ n , Ψ EK 2 , Ψ β , ID PKI , ID CL ) to find ( M , Ψ T 0 , Ψ T 1 , T 2 , Ψ EK 1 , Ψ EK 2 , Ψ β , ID PKI , ID CL ) in L HSE .

(6)

If found, return M. Otherwise, return “invalid”.

•

Hybrid unsigncryption leak query ( ID CL , k , f HUS , k , h HUS , k ): For the decrypter ID CL ’s k-th request of the Decrypter identity secret key query, the leak query can only be requested once. B returns Δ f HUS , k = f HUS , k ( CLSK ID , k , 0 , CLSK ID , k , 1 ) and Δ h HUS , k = h HUS , k ( CLISK ID , k , 0 , CLISK ID , k , 1 ).

–

Forgery phase: Assume that A forges a ciphertext CT ∗ = ( T 0 ∗ , T ∗ 1 , T ∗ 2 , ID ∗ PKI , ID ∗ CL ) for the message M ∗ , we say that A wins Game 1 when three provisions mentioned in the Forgery phase of Definition 2 (i.e. Game 1 ) are true.

In the following, let us first evaluate the advantage of A I without requesting any leak queries in Game 1 , denoted as Adv 1 ( A I − w o ). By Adv 1 ( A I − w o ), we then evaluate the advantage of A I with requesting all leak queries in Game 1 , denoted as Adv 1 ( A I ). By similar analysis, Adv 1 ( A II ) is also gained. ■

The evaluation of Adv 1 ( A I − wo ): In the GBG model, if adversaries can find collisions in G and G 1 , the discrete logarithm problem in G and G 1 will be resolved. The total number of elements in both LT a and LT b is first counted. In the Query phase, A I may request various kinds of queries (oracles) to B at most p times while the number of the added elements in a query (i.e. the Hybrid signcryption query) is at most 6. Therefore, we have | LT a | + | LT b | ≦ 6 p. Also, the maximal degrees of polynomials in LT a and LT b are 3 and 6, respectively. Moreover, Adv 1 ( A I − w o ) includes two cases’ probabilities as evaluated below. (1)

Pb [ Forgery ]: Let Pb [ Forgery ] denote the probability that A I forges a ciphertext CT ∗ = ( T ∗ 0 , T ∗ 1 , T ∗ 2 , ID ∗ PKI , ID ∗ CL ) for a message M ∗ that satisfies e ˆ ( Q , T ∗ 0 ) = PKIPK ID ∗ · e ˆ ( T ∗ 1 , ( W + β ′ · T ) ) in the Hybrid unsigncryption. That is, we have Ψ Q · Ψ T ∗ 0 = Ψ PKIPK I D ∗ + Ψ T ∗ 1 · ( Ψ W + Ψ β ′ · Ψ T ) and set Ψ f = Ψ Q · Ψ T ∗ 0 − ( Ψ PKIPK I D ∗ + Ψ T ∗ 1 · ( Ψ W + Ψ β ′ · Ψ T ) ) that has degree 3. By Lemma 2, we have Pb [ Forgery ] = 3 / q because the probability of Ψ f = 0 is 3 / q.

(2)

Pb [ Collision ]: Let Pb [ Collision ] denote the probability that A I may find collisions in LT a or LT b . Assume that the polynomials in LT a have s variates, represented by using s random integers u i ∈ Z q ∗ , for i = 1 , 2 , … , s. Let ( Ψ G j , Ψ G k ) denote a pair of two different polynomials in LT a so that there are | LT a | 2 pairs of ( Ψ G j , Ψ G k ). For each pair, we set Ψ G l ( u 1 , u 2 , … , u s ) = Ψ G j − Ψ G k . If there exists any Ψ G l = 0, a collision in LT a has occurred. Since there are | LT a | 2 pairs of ( Ψ G j , Ψ G k ) and the maximal degree of polynomials in LT a is 3, we have that Pb [ Collision ] in LT a is ( 3 / q ) | LT a | 2 . By similar arguments, we have that Pb [ Collision ] in LT b is ( 6 / q ) | LT b | 2 . Since | LT a | + | LT b | ≦ 6 p, we have Pb [ Collision ] ≦ ( 3 / q ) | LT a | 2 + ( 6 / q ) | LT b | 2 ≦ ( 6 / q ) ( | LT a | + | LT b | ) 2 ≦ 216 p 2 / q = O ( p 2 / q ) .

Due to the above discussions, we have Adv 1 ( A I − w o ) = Pb [ Forgey ] + Pb [ Collision ] ≦ 3 / q + O ( p 2 / q ) = O ( p 2 / q ) .

■

The evaluation of Adv 1 ( A I ): By Adv 1 ( A I − w o ), we evaluate the advantage Adv 1 ( A I ) of A I with requesting all leak queries in Game 1 . These leak queries include Signer certificate leak query, Decrypter identity secret key leak query, Hybrid signcryption leak query and Hybrid unsigncryption leak query. Due to the key updating process, any two leaked portions of a secret key are mutually independent. Therefore, A I could gain at most 2 τ bits of SK CA , 2 τ bits of SK KGC , 2 τ bits of PKISK ID , and 2 τ bits of both CLSK ID and CLISK ID . Hence, we have Adv 1 ( A I ) ≦ Adv 1 ( A I − w o ) · 2 2 τ = O ( ( p 2 / q ) · 2 2 τ ) . It is obvious that Adv 1 ( A I ) = O ( ( p 2 / q ) · 2 2 τ ) is negligible if p = p o l y ( log q ) by Lemma 2.

■

The evaluation of Adv 1 ( A II ): A II is used to model the attacking ability of a malicious CA/KGC who has both SK CA and SK KGC . Therefore, A II could gain at most 2 τ bits of PKISK ID , and 2 τ bits of CLSK ID or CLISK ID . By similar analysis of Adv 1 ( A I ), we also have Adv 1 ( A II ) = O ( ( p 2 / q ) · 2 2 τ ), that is negligible if p = poly ( log q ) by Lemma 2.

□

Theorem 2.

Based on the SH assumption and the DL assumption in the GBG model, the LR-HSC-HPKS scheme is EIND-CCSCA-secure against adversaries A ( A I and A II ).

Proof.

An adversary A and a challenger B cooperatively play Game 2 as follows. –

Initialization phase: It is exactly the same as the Initialization phase in the proof of Theorem 1.

–

Query phase: It is exactly like the Query phase of Theorem 1.

–

Challenge phase: A selects a target decrypter ID ∗ CL and a message pair ( M 0 , M 1 ) as a challenge objective. B randomly selects c ∈ { 0 , 1 } and generates a challenge ciphertext CT ∗ by running the Hybrid signcryption with ( M c , ID PKI , ID ∗ CL ). Also, B sends CT ∗ to A. Note that two provisions mentioned in the Challenge phase of Definition 3 (i.e. Game 2 ) must be satisfied.

–

Guessing phase: A outputs c ′ ∈ { 0 , 1 } and wins Game 2 if c ′ = c. Meanwhile, A’s advantage is defined as A d v ( A ) = | Pb [ c ′ = c ] − 1 / 2 |.

By similar evaluations as in the proof of Theorem 1, we can evaluate the advantages of A I without requesting any leak queries in Game 2 , denoted as Adv 2 ( A I − w o ). By Adv 2 ( A I − w o ), we then evaluate the advantage of A I with requesting all leak queries in Game 2 , denoted as Adv 2 ( A I ). By similar analysis, Adv 2 ( A II ) is also gained. ■

The evaluation of Adv 2 ( A I − wo ): Adv 2 ( A I − w o ) includes two cases’ probabilities as evaluated below. (1)

Pb[Guessing]: Since A I − w o is not permitted to request any leak query, there is no useful information about secret keys. Therefore, the probability of guessing c ′ = c is 1 / 2, namely, Pb [ Guessing ] = 1 / 2.

(2)

Pb[Collision]: The probability is identical to the probability Pb[Collision] in the proof of Theorem 1, namely, Pb [ Collision ] = O ( p 2 / q ).

Due to the above discussions, we have Adv 2 ( A I − w o ) = | Pb [ c ′ = c ] − 1 / 2 | = | Pb [ Guessing ] − 1 / 2 | + | Pb [ Collision ] | = O ( p 2 / q ) .

■

The evaluation of Adv 2 ( A I ): By Adv 2 ( A I − w o ), we evaluate the advantage Adv 2 ( A I ) of A I with requesting all leak queries in Game 2 . By the same evaluation as Adv 1 ( A I ) in the proof of Theorem 1, A I could gain at most 2 τ bits of SK CA , 2 τ bits of SK KGC , 2 τ bits of PKISK ID , and 2 τ bits of both CLSK ID and CLISK ID . Hence, we also have

Adv 2 ( A I ) ≦ Adv 2 ( A I − w o ) · 2 2 τ = O ( ( p 2 / q ) · 2 2 τ ) .

It is obvious that Adv 2 ( A I ) = O ( ( p 2 / q ) · 2 2 τ )

is negligible if p = poly ( log q )

by Lemma 2.

■

The evaluation of Adv 2 ( A II ): A II is used to model the attacking abilities of a malicious CA/KGC who has both SK CA and SK KGC . Therefore, A II could gain at most 2 τ bits of PKISK ID , and 2 τ bits of CLSK ID or CLISK ID . By similar analysis of Adv 2 ( A I ), we also have Adv 2 ( A II ) = O ( ( p 2 / q ) · 2 2 τ ), that is negligible if p = poly ( log q ) by Lemma 2.

□

6 Performance Analysis

In the following, the notations of three time-consuming computations are defined. •

T b i l : The computational complexity of running a bilinear pairing e ˆ : G × G → G 1 .

•

T m u l : The computational complexity of running a multiplication in G.

•

T e x p : The computational complexity of running an exponentiation in G 1 .

By the performance experiences conducted in Xiong and Qin (2015), Table 3 lists the required costs ( m s

) of three time-consuming computations on a mobile device (PDA) and a PC. The security parameter of a bilinear group set { G , G 1 , e ˆ , Q , Q 1 , q }

is set to a 512-bit prime order q. Also, the PDA and the PC are equipped with 624 MHz and 3 GHz CPUs, respectively. Table 4 lists the computational complexities and the required running costs ( m s

) of our LR-HSC-HPKS scheme in terms of System setup, User key generation, Hybrid signcryption ( HSE

) and Hybrid unsigncryption ( HUSE

) algorithms. For achieving leakage resilient property, the key updating process for each secret key must be employed, so that our scheme adds some extra computations. Nevertheless, by Table 4, the proposed scheme is well suitable for running on both a PDA and a PC. The point is that our scheme is the first hybrid signcryption scheme with leakage resilience.

Table 3

Required costs ( m s) of three time-consuming computations.

Devices	T b i l	T m u l	T e x p
PDA	≈96 ms	≈30 ms	≈30 ms
PC	≈20 ms	≈6 ms	≈6 ms

Table 4

Computational complexities and costs (ms) of our LR-HSC-HPKS scheme.

Algorithms	Computational complexities	Costs on a PDA	Costs on a PC
System setup	T b i l + 2 T m u l	156 ms	32 ms
User key generation for the PKI-PKS	T b i l + 3 T m u l	186 ms	38 ms
User key generation for the CL-PKS	T b i l + 7 T m u l	306 ms	62 ms
Hybrid signcryption	T b i l + 5 T m u l + 2 T e x p	306 ms	62 ms
Hybrid unsigncryption	6 T b i l + 2 T m u l	636 ms	132 ms

7 Conclusions and Future Work

In recent years, many scholars have been studying several hybrid signcryption schemes in heterogeneous environments, but these schemes cannot withstand side-channel attacks, namely, these schemes do not possess the leakage-resilience property. Fortunately, the first leakage-resilient hybrid signcryption in heterogeneous public-key systems (LR-HSC-HPKS) has been proposed in this paper. Also, a new framework and two new adversary games of the LR-HSC-HPKS scheme were defined. Based on the SH assumption and the DL assumption in the GBG model, the proposed LR-HSC-HPKS scheme is EUF-ACMSCA-secure and EIND-CCSCA-secure against adversaries A ( A I and A II ), namely, illegitimate member ( A I ) and malicious CA/KGC ( A II ). Furthermore, by comparing with the previously proposed hybrid signcryption schemes, the proposed scheme has the following merits: (1) It is the first hybrid signcryption scheme resisting to side-channel attacks. (2) It possesses the unbounded leakage-resilient property, namely, allowing adversaries to repeatedly learn a portion of the secret key used in each computation. (3) All secret keys of the proposed scheme are allowed to be leaked to adversaries while maintaining the security of the proposed scheme. Finally, by the computational simulation results, performance analysis is demonstrated to show that the proposed scheme is well suitable for running on both a PDA and a PC. In the future, it is an interesting topic to propose a leakage-resilient hybrid signcryption scheme with equality test functionality in heterogeneous public-key systems.

References

Akavia, A., Goldwasser, S., Vaikuntanathan, V. (2009). Simultaneous hardcore bits and cryptography against memory attacks. In: Theory of Cryptography, TCC’09, LNCS, Vol. 5444, pp. 474–495.

Ali, I., Lawrence, T., Omala, A.A., Li, F. (2020). An efficient hybrid signcryption scheme with conditional privacy-preservation for heterogeneous vehicular communication in VANETs. IEEE Transactions on Vehicular Technology, 69(10), 11266–11280.

Al-Riyami, S., Paterson, K. (2003). Certificateless public key cryptography. In: Advances in Cryptology – ASIACRYPT 2003, LNCS, 2894, pp. 452–473.

Alwen, J., Dodis, Y., Wichs, D. (2009). Leakage-resilient public-key cryptography in the bounded-retrieval model. In: Advances in Cryptology – CRYPTO 2009, LNCS, Vol. 5677, pp. 36–54.

Baek, J., Steinfeld, R., Zheng, Y. (2007). Formal proofs for the security of signcryption. Journal of Cryptology, 20(2), 203–235.

Barbosa, M., Farshim, P. (2008). Certificateless signcryption. In: Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security, ASIACCS’08, pp. 369–372.

Biham, E., Carmeli, Y., Shamir, A. (2008). Bug attacks. In: Advances in Cryptology – CRYPTO 2008, LNCS, Vol. 5157, pp. 221–240.

Boneh, D., Franklin, M. (2001). Identity-based encryption from the Weil pairing. In: Advances in Cryptology – CRYPTO 2001, LNCS, 2139, pp. 213–229.

Boneh, D., Boyen, X., Goh, E. (2005). Hierarchical identity-based encryption with constant size ciphertext. In: Advances in Cryptology–EURO–CRYPT 2005, Eurocrypt’05, LNCS, Vol. 3494, pp. 440–456.

Brumley, D., Boneh, D. (2005). Remote timing attacks are practical. Computer Networks, 48(5), 701–716.

Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A. (2008). Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM Journal on Computing, 38(1), 97–139.

Elkhalil, A., Zhang, J., Elhabob, R., Eltayieb, N. (2021). An efficient signcryption of heterogeneous systems for internet of vehicles. Journal of Systems Architecture, 113, 101885.

Galindo, D., Virek, S. (2013). A practical leakage-resilient signature scheme in the generic group model. In: Selected Areas in Cryptography, SAC’12, LNCS, Vol. 7707, pp. 50–65.

Galindo, D., Grobschadl, J., Liu, Z., Vadnala, P., Vivek, S. (2016). Implementation of a leakage-resilient ElGamal key encapsulation mechanism. Journal of Cryptographic Engineering, 6(3), 229–238.

Hou, Y., Huang, X., Chen, Y., Kumari, S., Xiong, H. (2021). Heterogeneous signcryption scheme supporting equality test from PKI to CLC toward IoT. Transactions on Emerging Telecommunications Technologies, 32(8), e4190.

Huang, Q., Wong, D.-S., Yang, G. (2011). Heterogeneous signcryption with key privacy. Computer Journal, 54(4), 525–536.

Karati, A., Islam, S.H., Biswas, G.P., Bhuiyan, M.Z., Vijayakumar, P., Karuppiah, M. (2018). Provably secure identity-based signcryption scheme for crowdsourced industrial Internet of Things environments. IEEE Internet of Things Journal, 5(4), 2904–2914.

Kiltz, E., Pietrzak, K. (2010). Leakage resilient Elgamal encryption. In: Advances in Cryptology – ASIACRYPT 2010, LNCS, Vol. 6477, pp. 595–612.

Li, C., Yang, G., Wong, D., Deng, X., Chow, S.S.M. (2010). An efficient signcryption scheme with key privacy and its extension to ring signcryption. Journal of Computing and Security, 18(3), 451–473.

Li, F., Xiong, P. (2013). Practical secure communication for integrating wireless sensor networks into the Internet of Things. IEEE Sensors Journal, 13(10), 3677–3684.

Li, F., Shirase, M., Takagi, T. (2013a). Certificateless hybrid signcryption. Mathematical and Computer Modelling, 57, 324–343.

Li, F., Zhang, H., Takagi, T. (2013b). Efficient signcryption for heterogeneous systems. IEEE Systems Journal, 7(3), 420–429.

Li, F., Han, Y., Jin, C. (2016a). Practical access control for sensor networks in the context of the internet of things. Computer Communications, 89–90, 154–164.

Li, F., Han, Y., Jin, C. (2016b). Practical signcryption for secure communication of wireless sensor networks. Wireless Personal Communications, 89, 1391–1412.

Liu, J., Zhang, L., Sun, R., Du, X., Guizani, M. (2018). Mutual heterogeneous signcryption schemes for 5G network slicings. IEEE Access, 6, 7854–7863.

Niu, S., Shao, H., Su, Y., Wang, C. (2023). Efficient heterogeneous signcryption scheme based on edge computing for industrial internet of things. Journal of Systems Architecture, 136, 102836.

Pan, X., Jin, Y., Wang, Z., Li, F. (2022). A pairing-free heterogeneous signcryption scheme for unmanned aerial vehicles. IEEE Internet of Things Journal, 9(19), 19426–19437.

Peng, A.-L., Tseng, Y.-M., Huang, S.-S. (2021). An efficient leakage-resilient authenticated key exchange protocol suitable for IoT devices. IEEE Systems Journal, 15(4), 5343–5354.

Rivest, R., Shamir, A., Adleman, L. (1978). A method for obtaining digital signatures and public-key cryptosystems. Communications of ACM, 21(2), 120–126.

Sun, Y., Li, H. (2010). Efficient signcryption between TPKC and IDPKC and its multi-receiver construction. Science China Information Sciences, 53, 557–566.

Tsai, T.-T., Tseng, Y.-M., Huang, S.-S. (2023). Leakage-resilient certificateless signcryption scheme under a continual leakage model. IEEE Access, 11, 54448–54461.

Tseng, Y.-M., Wu, J.-D., Huang, S.-S., Tsai, T.-T. (2020). Leakage-resilient outsourced revocable certificateless signature with a cloud revocation server. Information Technology and Control, 49(4), 464–481.

Tseng, Y.-M., Huang, S.-S., Tsai, T.-T. (2022a). Practical leakage-resilient signcryption scheme suitable for mobile environments. In: 2022 IEEE 11th Global Conference on Consumer Electronics (GCCE), Osaka, Japan, 2022, pp. 383–384. https://doi.org/10.1109/GCCE56475.2022.10014332.

Tseng, Y.-M., Huang, S.-S., Tsai, T.-T., Chuang, Y.-H., Hung, Y.-H. (2022b). Leakage-resilient revocable certificateless encryption with an outsourced revocation authority. Informatica, 33(1), 151–179.

Tseng, Y.-M., Tsai, T.-T., Huang, S.-S. (2023). Fully continuous leakage-resilient certificate-based signcryption scheme for mobile communications. Informatica, 34(1), 199–222.

Wei, G., Shao, J., Xiang, Y., Zhu, P., Lu, R. (2015). Obtain confidentiality or/and authenticity in big data by ID-based generalized signcryption. Information Sciences, 318, 111–122.

Wu, J.-D., Tseng, Y.-M., Huang, S.-S., Chou, W.-C. (2018). Leakage-resilient certificateless key encapsulation scheme. Informatica, 29(1), 125–155.

Wu, J.-D., Tseng, Y.-M., Huang, S.-S. (2019). An identity-based authenticated key exchange protocol resilient to continuous key leakage. IEEE Systems Journal, 13(4), 3968–3979.

Xie, J.-Y., Tseng, Y.-M., Huang, S.-S. (2023). Leakage-resilient anonymous multi-receiver certificateless encryption resistant to side-channel attacks. IEEE Systems Journal, 17(2), 2674–2685.

Xiong, H., Qin, Z. (2015). Revocable and scalable certificateless remote authentication protocol with anonymity for wireless body area networks. IEEE Transactions on Information Forensics and Security, 10(7), 1442–1455.

Xiong, H., Zhao, Y., Hou, Y., Huang, X., Jin, C., Wang, L., Kumari, S. (2021). Heterogeneous signcryption with equality test for IIoT environment. IEEE Internet of Things Journal, 8(21), 16142–16152.

Xiong, H., Hou, Y., Huang, X., Zhao, Y., Chen, C.-M. (2022). Heterogeneous signcryption scheme from IBC to PKI with equality test for WBANs. IEEE Systems Journal, 16(2), 2391–2400.

Zheng, Y. (1997). Digital signcryption or how to achieve cost (signature & encryption) cost (signature) + cost (encryption). In: Advances in Cryptology – CRYPTO ’97, LNCS, Vol. 1294, pp. 165–179.