Informatica

Leakage-Resilient Hybrid Signcryption in Heterogeneous Public-key Systems
Volume 35, Issue 1 (2024), pp. 131–154
Ting-Chieh Ho   Yuh-Min Tseng   Sen-Shan Huang  

https://doi.org/10.15388/24-INFOR546
Pub. online: 6 March 2024. Type: Research Article. Open Access.

Received
1 September 2023
Accepted
1 February 2024
Published
6 March 2024

Abstract

Signcryption integrates signature and encryption into a single scheme to ensure both content unforgeability (authentication) and message confidentiality while reducing computational complexity. Typically, both signers (senders) and decrypters (receivers) in a signcryption scheme belong to the same public-key system. When signers and decrypters belong to heterogeneous public-key systems, the scheme is called a hybrid signcryption scheme, which allows more flexible usage than typical signcryption schemes. In recent years, a new kind of attack, the side-channel attack, allows adversaries to learn a portion of the secret keys used in cryptographic algorithms. To resist such attacks, leakage-resilient cryptography has been widely discussed and studied, and a large number of leakage-resilient schemes have been proposed. Numerous hybrid signcryption schemes under heterogeneous public-key systems have also been proposed, but none of them possesses the leakage-resilient property. In this paper, we propose the first hybrid signcryption scheme with leakage resilience, called the leakage-resilient hybrid signcryption scheme in heterogeneous public-key systems (LR-HSC-HPKS). Security proofs show that the proposed scheme provides both authentication and confidentiality against two types of adversaries in heterogeneous public-key systems.

1 Introduction

Public-key cryptography is the foundation of modern information security. Several well-known public-key systems (PKSs) have been proposed, including the public-key infrastructure PKS (PKI-PKS) (Rivest et al., 1978), the identity-based PKS (ID-PKS) (Boneh and Franklin, 2001) and the certificateless PKS (CL-PKS) (Al-Riyami and Paterson, 2003). Each of these PKSs was proposed to address a drawback of its predecessor. In the PKI-PKS (Rivest et al., 1978), a user with an identity first generates a (secret key, public key) pair at random. The user then sends her/his identity and public key to a trusted certificate authority (CA) and receives the associated certificate from the CA. The CA is responsible for managing users’ public keys and certificates, including answering verification queries about expiration dates and revoked users. Thus, a complex PKI architecture must be constructed and operated.
To remove such a complex PKI architecture, the identity-based PKS (ID-PKS) was proposed by Boneh and Franklin (2001). In the ID-PKS, a trusted private key generator (PKG) produces each member’s secret key by taking the member’s identity as input. As a result, the ID-PKS suffers from the key escrow problem, because the PKG possesses all members’ secret keys. To resolve the key escrow problem, the certificateless PKS (CL-PKS) was proposed by Al-Riyami and Paterson (2003). In the CL-PKS, each member holds two (secret key, public key) pairs: one pair is created by the member herself/himself and the other is generated by a semi-trusted key generation centre (KGC). The CL-PKS thus combines the advantages of the PKI-PKS and the ID-PKS while avoiding their disadvantages: it requires no complex PKI construction and it solves the key escrow problem.
In recent years, a new kind of attack, the side-channel attack, has been demonstrated (Brumley and Boneh, 2005; Biham et al., 2008): adversaries can learn a portion of the secret keys used in cryptographic algorithms through timing, power analysis or fault attacks. By repeating the side-channel attack, adversaries could eventually learn the entire secret keys. Therefore, public-key cryptography that fails to resist side-channel attacks is insecure. To resist this attack, leakage-resilient cryptography has been widely discussed and studied, and researchers have presented a large number of leakage-resilient protocols and schemes (Alwen et al., 2009; Akavia et al., 2009; Kiltz and Pietrzak, 2010; Galindo and Virek, 2013; Galindo et al., 2016; Wu et al., 2018, 2019; Tseng et al., 2020; Peng et al., 2021; Tseng et al., 2022a,b; Xie et al., 2023; Tseng et al., 2023; Tsai et al., 2023). Based on the adversary’s leakage ability, leakage-resilient cryptography is analysed in two leakage models, the bounded leakage model (Alwen et al., 2009; Akavia et al., 2009) and the unbounded (continual) leakage model (Kiltz and Pietrzak, 2010; Galindo and Virek, 2013). The unbounded leakage model is considered the more practical and widely accepted model, since it limits only the amount of information leaked per round while placing no bound on the total leakage over the lifetime of the key.

1.1 Motivation

Encryption and signature are two important foundations of public-key cryptography. Signcryption integrates signature and encryption into a single scheme to ensure both content unforgeability (authentication) and message confidentiality while reducing computational complexity. Signcryption is itself an important building block of public-key cryptography and is used in many applications, such as secure email and data sharing. Very recently, several leakage-resilient signcryption schemes with the unbounded leakage property have been proposed (Tseng et al., 2022a, 2023; Tsai et al., 2023), based on several public-key systems, including the PKI-PKS, the CL-PKS and the certificate-based PKS. In these leakage-resilient signcryption (LRSC) schemes, both signers (senders) and decrypters (receivers) belong to the same public-key system.
Moreover, when signers and decrypters in a signcryption scheme belong to heterogeneous public-key systems, for example signers in the PKI-PKS and decrypters in the CL-PKS, the scheme is called a hybrid signcryption scheme in heterogeneous public-key systems, and it allows more flexible usage than typical signcryption schemes. In the past, numerous hybrid signcryption schemes in heterogeneous PKSs (including the PKI-PKS, the ID-PKS and the CL-PKS) were proposed; they are reviewed below. However, until now, no hybrid signcryption scheme with the leakage-resilient property exists. In this paper, our goal is to design the first hybrid signcryption scheme with leakage resilience, called the leakage-resilient hybrid signcryption scheme in heterogeneous public-key systems (LR-HSC-HPKS), from the PKI-PKS to the CL-PKS.

1.2 Related Work

In this section, we review the evolution and development of signcryption schemes and of hybrid signcryption schemes in heterogeneous public-key systems.
Based on the PKI-PKS, Zheng (1997) proposed the first signcryption scheme, which integrates signature and encryption into a single scheme to ensure both content authentication and message confidentiality while reducing computational complexity. In 2007, Baek et al. (2007) further defined a formal adversary model for signcryption schemes. Research on signcryption schemes remains active on several issues, namely support for various public-key systems, security, communication cost and computational complexity. Signcryption schemes based on various PKSs (PKI-PKS, ID-PKS and CL-PKS) have been proposed, such as PKI-PKS-based (Li et al., 2010), ID-PKS-based (Wei et al., 2015; Karati et al., 2018) and CL-PKS-based (Barbosa and Farshim, 2008; Li et al., 2013a) signcryption schemes.
When signers and decrypters in a signcryption scheme belong to heterogeneous public-key systems, the scheme is called a hybrid signcryption scheme, which allows more flexible usage than typical signcryption schemes. In 2010, Sun and Li (2010) proposed the first hybrid signcryption scheme from the PKI-PKS to the ID-PKS. However, Huang et al. (2011) pointed out several security drawbacks of Sun and Li’s scheme and proposed an improvement. In the past decade, a large number of hybrid signcryption schemes have been proposed, such as schemes between the PKI-PKS and the ID-PKS (Li et al., 2013b; Li and Xiong, 2013), between the ID-PKS and the CL-PKS (Li et al., 2016a), and between the PKI-PKS and the CL-PKS (Li et al., 2016b; Liu et al., 2018).
Several hybrid signcryption schemes with additional properties have also been proposed. Three hybrid signcryption schemes with equality test functionality were proposed: Xiong et al.’s scheme from the PKI-PKS to the ID-PKS (Xiong et al., 2021), Hou et al.’s scheme from the PKI-PKS to the CL-PKS (Hou et al., 2021) and Xiong et al.’s scheme from the ID-PKS to the PKI-PKS (Xiong et al., 2022). A hybrid signcryption scheme with equality test functionality allows users to perform comparative searches on ciphertexts encrypted under different public keys without revealing sensitive data. For vehicular ad-hoc network (VANET) or Industrial Internet of Things (IIoT) environments, four hybrid signcryption schemes have been proposed: Ali et al.’s scheme from the ID-PKS to the PKI-PKS (Ali et al., 2020), Elkhalil et al.’s scheme from the CL-PKS to the PKI-PKS (Elkhalil et al., 2021), Pan et al.’s scheme from the ID-PKS to the PKI-PKS (Pan et al., 2022) and Niu et al.’s scheme from the ID-PKS to the CL-PKS (Niu et al., 2023). Table 1 compares the recently proposed hybrid signcryption schemes and our scheme in terms of the PKS of the signers, the PKS of the decrypters and the additional property. We emphasize that our scheme is the first hybrid signcryption scheme with leakage resilience.
Table 1
Comparisons among the recently proposed hybrid signcryption schemes and our scheme.
Scheme | Signers | Decrypters | Additional property
Xiong et al.’s scheme (Xiong et al., 2021) | PKI-PKS | ID-PKS | Equality test functionality
Hou et al.’s scheme (Hou et al., 2021) | PKI-PKS | CL-PKS | Equality test functionality
Xiong et al.’s scheme (Xiong et al., 2022) | ID-PKS | PKI-PKS | Equality test functionality
Ali et al.’s scheme (Ali et al., 2020) | ID-PKS | PKI-PKS | Suitable for VANET environments
Elkhalil et al.’s scheme (Elkhalil et al., 2021) | CL-PKS | PKI-PKS | Suitable for VANET environments
Pan et al.’s scheme (Pan et al., 2022) | ID-PKS | PKI-PKS | Suitable for VANET environments
Niu et al.’s scheme (Niu et al., 2023) | ID-PKS | CL-PKS | Suitable for IIoT environments
Our scheme | PKI-PKS | CL-PKS | Leakage-resilient property

1.3 Contribution

As mentioned earlier, Tseng et al. (2022a) proposed a PKI-PKS-based leakage-resilient signcryption (LRSC) scheme and Tsai et al. (2023) proposed a CL-PKS-based LRSC scheme. Based on Tseng et al.’s and Tsai et al.’s schemes, we define a new framework for the LR-HSC-HPKS scheme from the PKI-PKS to the CL-PKS. To achieve the leakage-resilient property of the LR-HSC-HPKS scheme, we employ the key updating process with the multiplicative blinding technique (Kiltz and Pietrzak, 2010; Galindo and Virek, 2013), partitioning each secret key into two parts. Namely, in the PKI-PKS, the CA’s secret key ${\textit{SK}_{\textit{CA}}}$ and the signer ${\textit{ID}_{\textit{PKI}}}$’s secret key ${\mathit{PKISK}_{\textit{ID}}}$ are initially partitioned into (${\textit{SK}_{\textit{CA},0,0}}$, ${\textit{SK}_{\textit{CA},0,1}}$) and (${\mathit{PKISK}_{\mathit{ID},0,0}}$, ${\mathit{PKISK}_{\mathit{ID},0,1}}$), respectively. In the CL-PKS, the KGC’s secret key ${\textit{SK}_{\textit{KGC}}}$ is partitioned into (${\textit{SK}_{\textit{KGC},0,0}}$, ${\textit{SK}_{\textit{KGC},0,1}}$). Also, the decrypter ${\textit{ID}_{\textit{CL}}}$’s secret key ${\mathit{CLSK}_{\textit{ID}}}$ and identity secret key ${\mathit{CLISK}_{\textit{ID}}}$ are initially partitioned into $({\mathit{CLSK}_{\mathit{ID},0,0}}$, ${\mathit{CLSK}_{\mathit{ID},0,1}})$ and $({\mathit{CLISK}_{\mathit{ID},0,0}},{\mathit{CLISK}_{\mathit{ID},0,1}})$, respectively. Each secret key pair must be updated before it is used in a cryptographic computation; this is the key updating process.
Moreover, two new adversary games for the LR-HSC-HPKS scheme are defined by extending the adversary games of Tseng et al.’s scheme (Tseng et al., 2022a) and Tsai et al.’s scheme (Tsai et al., 2023). Under these two adversary games in the generic bilinear group (GBG) model (Boneh et al., 2005), security proofs show that the proposed LR-HSC-HPKS scheme provides both authentication and confidentiality against two types of adversaries in heterogeneous public-key systems. Compared with previously proposed hybrid signcryption schemes, the proposed scheme has the following merits: (1) It is the first hybrid signcryption scheme that resists side-channel attacks. (2) It possesses the unbounded leakage-resilient property, namely, adversaries may repeatedly learn a portion of the secret key used in each computation. (3) All secret keys of the proposed scheme (including the CA’s secret key ${\textit{SK}_{\textit{CA}}}$, the signer ${\textit{ID}_{\textit{PKI}}}$’s secret key ${\mathit{PKISK}_{\textit{ID}}}$, the KGC’s secret key ${\textit{SK}_{\textit{KGC}}}$, and the decrypter ${\textit{ID}_{\textit{CL}}}$’s secret key ${\mathit{CLSK}_{\textit{ID}}}$ and identity secret key ${\mathit{CLISK}_{\textit{ID}}}$) may leak partially to adversaries without compromising the security of the scheme. Finally, performance experiments on both a PDA and a PC show that our scheme is well suited to running on both platforms.

1.4 Paper Structure

The rest of this paper is structured as follows. In Section 2, several preliminary contents are introduced. In Section 3, we define a new framework and two new adversary games for the LR-HSC-HPKS scheme. The LR-HSC-HPKS scheme is presented in Section 4. The proofs of two security theorems are shown in Section 5. Section 6 conducts the performance analysis on a PC and a PDA. In Section 7, the conclusions and future work are given.

2 Preliminaries

2.1 Bilinear Groups and GBG Model

Let $G=\langle Q\rangle $ and ${G_{1}}=\langle {Q_{1}}\rangle $ be, respectively, an additive group and a multiplicative group of the same prime order q, where Q and ${Q_{1}}$ are generators of G and ${G_{1}}$, respectively. A bilinear pairing $\hat{e}:G\times G\to {G_{1}}$ is admissible if it satisfies the three conditions below:
  • – Bilinearity: for $u,v\in {Z_{q}^{\ast }}$, $\hat{e}(u\cdot Q,v\cdot Q)=\hat{e}{(Q,Q)^{uv}}$.
  • – Non-degeneracy: ${Q_{1}}=\hat{e}(Q,Q)\ne 1$.
  • – Computability: for $u,v\in {Z_{q}^{\ast }}$, $\hat{e}(u\cdot Q,v\cdot Q)$ can be computed efficiently.
Finally, let $\{G,{G_{1}},\hat{e},Q,{Q_{1}},q\}$ denote a bilinear group set. The reader can refer to Boneh and Franklin (2001) for detailed parameter settings.
Boneh et al. (2005) introduced a proof methodology, the generic bilinear group (GBG) model, which operates on a bilinear group set $\{G,{G_{1}},\hat{e},Q,{Q_{1}},q\}$. The GBG model is combined with adversary games for the security properties. In such an adversary game there are an adversary and a challenger, who are, respectively, the oracle (query) requester and the replier. To run operations on the bilinear group set, the adversary requests the corresponding oracles (queries) and receives the results from the challenger. The adversary may request three oracles ${O_{a}}$, ${O_{m}}$ and ${O_{\hat{e}}}$, which are, respectively, the additive operation on G, the multiplicative operation on ${G_{1}}$ and the pairing $\hat{e}:G\times G\to {G_{1}}$. Two injective random encoding functions $\xi :{Z_{q}^{\ast }}\to \Omega G$ and ${\xi _{1}}:{Z_{q}^{\ast }}\to \Omega {G_{1}}$ map the elements of G and ${G_{1}}$ to distinct bit strings, respectively, where $\Omega G\cap \Omega {G_{1}}=\emptyset $ and $|\Omega G|=|\Omega {G_{1}}|=q$; an element is thus handed to the adversary only as the encoding of its discrete logarithm to the base Q (or ${Q_{1}}$). For all $u,v\in {Z_{q}^{\ast }}$, the three oracles ${O_{a}}$, ${O_{m}}$ and ${O_{\hat{e}}}$ have the following properties:
  • – ${O_{a}}(\xi (u),\xi (v))\to \xi (u+v\hspace{2.5pt}\text{mod}\hspace{2.5pt}q)$;
  • – ${O_{m}}({\xi _{1}}(u),{\xi _{1}}(v))\to {\xi _{1}}(u+v\hspace{2.5pt}\text{mod}\hspace{2.5pt}q)$;
  • – ${O_{\hat{e}}}(\xi (u),\xi (v))\to {\xi _{1}}(u\cdot v\hspace{2.5pt}\text{mod}\hspace{2.5pt}q)$.
Note that Q is represented by $\xi (1)$, whereas ${\xi _{1}}(1)$ represents ${Q_{1}}=\hat{e}(Q,Q)$. If, when such an adversary game ends, the adversary has found a collision in G or ${G_{1}}$, then the discrete logarithm problem in G or ${G_{1}}$, respectively, is solved.

2.2 Security Assumptions and Entropy

In this section, we define the two security assumptions on which the proposed scheme is based:
  • – Discrete logarithm (DL) assumption: In $\{G,{G_{1}},\hat{e},Q,{Q_{1}},q\}$, given $u\cdot Q\in G$ or ${Q_{1}^{u}}\in {G_{1}}$ for an unknown $u\in {Z_{q}^{\ast }}$, it is hard to compute u.
  • – Secure hash function (SH) assumption: Let $\textit{SH}:{\{0,1\}^{\ast }}\to {\{0,1\}^{t}}$ be a secure hash function, where t is a fixed length. Then it is hard to find two distinct bit strings ${\textit{RBS}_{1}}\ne {\textit{RBS}_{2}}$ such that $\textit{SH}({\textit{RBS}_{1}})=\textit{SH}({\textit{RBS}_{2}})$.
To evaluate the leakage of secret keys caused by side-channel attacks, we use the notion of entropy, viewing the secret keys as finite random variables. The two results below (Lemmas 1 and 2) are established in the literature (Dodis et al., 2008; Galindo and Virek, 2013).
Lemma 1.
Let $\textit{SK}$ and $\textit{LF}:\textit{SK}\to {\{0,1\}^{\tau }}$, respectively, denote a secret key and the corresponding leak function, where τ is a fixed length. Under the leak function $\textit{LF}()$, we have ${\widetilde{H}_{\infty }}(\textit{SK}|\textit{LF}(\textit{SK}))\geqq {H_{\infty }}(\textit{SK})-\tau $, where ${\widetilde{H}_{\infty }}$ and ${H_{\infty }}$ are, respectively, the average conditional min-entropy and the min-entropy.
Lemma 2.
Assume that there is a multiple-secret-key polynomial $\textit{MSKF}\in {Z_{q}}[{\textit{SK}_{0}},{\textit{SK}_{1}},\dots ,{\textit{SK}_{n-1}}]$ of degree d, where ${\textit{SK}_{0}},{\textit{SK}_{1}},\dots ,{\textit{SK}_{n-1}}$ are secret keys. Let ${P_{i}}$ (for $i=0,1,\dots ,n-1$) be n mutually independent probability distributions ${\textit{SK}_{i}}=s{k_{i}}\gets {Z_{q}}$ satisfying $0\leqq \tau \leqq \log q$ and ${H_{\infty }}({P_{i}})\geqq \log q-\tau $. Then the probability $\Pr [\textit{MSKF}({\textit{SK}_{0}}=s{k_{0}},{\textit{SK}_{1}}=s{k_{1}},\dots ,{\textit{SK}_{n-1}}=s{k_{n-1}})=0]\leqq {2^{\tau }}(d/q)$ is negligible if $\tau \lt (1-\omega )\log q$, where ω denotes a positive fraction.

3 Framework and Adversary Games

In this section, we define the framework and adversary games of the LR-HSC-HPKS scheme. For readability, some notations used throughout this paper are first defined in Table 2.
Table 2
Notations.
Notation | Meaning
CA | A certificate authority in the PKI-PKS
KGC | A key generation centre in the CL-PKS
${\textit{SK}_{\textit{CA}}}$/${\textit{PK}_{\textit{CA}}}$ | CA’s secret/public key pair
${\textit{SK}_{\textit{KGC}}}$/${\textit{PK}_{\textit{KGC}}}$ | KGC’s secret/public key pair
${\textit{ID}_{\textit{PKI}}}$ | The identity of a user in the PKI-PKS
${\mathit{PKISK}_{\textit{ID}}}$/${\mathit{PKIPK}_{\textit{ID}}}$ | The secret/public key pair of the user ${\textit{ID}_{\textit{PKI}}}$
${\textit{CRT}_{\textit{ID}}}$ | The certificate of the user ${\textit{ID}_{\textit{PKI}}}$
${\textit{ID}_{\textit{CL}}}$ | The identity of a user in the CL-PKS
${\mathit{CLSK}_{\textit{ID}}}$/${\mathit{CLPK}_{\textit{ID}}}$ | The secret/public key pair of the user ${\textit{ID}_{\textit{CL}}}$
${\mathit{CLISK}_{\textit{ID}}}$/${\mathit{CLIPK}_{\textit{ID}}}$ | The identity secret/public key pair of the user ${\textit{ID}_{\textit{CL}}}$
M | A message
$\textit{CT}$ | A ciphertext
$\textit{SP}$ | The system parameters
$\textit{HSE}$ | The hybrid signcryption algorithm of the LR-HSC-HPKS scheme
$\textit{HUSE}$ | The hybrid unsigncryption algorithm of the LR-HSC-HPKS scheme
Fig. 1
Two key generating procedures of the LR-HSC-HPKS scheme.

3.1 Framework

Based on Tseng et al.’s scheme (Tseng et al., 2022a) and Tsai et al.’s scheme (Tsai et al., 2023), we define a new framework for the LR-HSC-HPKS scheme. The heterogeneous public-key systems consist of two public-key systems (PKSs), namely, the public-key infrastructure PKS (PKI-PKS) and the certificateless PKS (CL-PKS). In the LR-HSC-HPKS scheme, signers and decrypters belong to the PKI-PKS and the CL-PKS, respectively. The two key generating procedures of the LR-HSC-HPKS scheme are presented in Fig. 1. In the PKI-PKS, a signer with identity ${\textit{ID}_{\textit{PKI}}}$ randomly selects a secret key ${\mathit{PKISK}_{\textit{ID}}}$ and computes the associated public key ${\mathit{PKIPK}_{\textit{ID}}}$. The signer sends both ${\textit{ID}_{\textit{PKI}}}$ and ${\mathit{PKIPK}_{\textit{ID}}}$ to a trusted certificate authority (CA) holding a secret key ${\textit{SK}_{\textit{CA}}}$ and the associated public key ${\textit{PK}_{\textit{CA}}}$. The CA then uses ${\textit{SK}_{\textit{CA}}}$ to compute the certificate ${\textit{CRT}_{\textit{ID}}}$ and returns it to the signer ${\textit{ID}_{\textit{PKI}}}$. In the CL-PKS, a decrypter with identity ${\textit{ID}_{\textit{CL}}}$ randomly selects a secret key ${\mathit{CLSK}_{\textit{ID}}}$ and computes the associated public key ${\mathit{CLPK}_{\textit{ID}}}$. The decrypter sends ${\textit{ID}_{\textit{CL}}}$ to a key generation centre (KGC) holding a secret key ${\textit{SK}_{\textit{KGC}}}$ and the associated public key ${\textit{PK}_{\textit{KGC}}}$. The KGC then uses ${\textit{SK}_{\textit{KGC}}}$ to compute the decrypter ${\textit{ID}_{\textit{CL}}}$’s identity secret key ${\mathit{CLISK}_{\textit{ID}}}$ and identity public key ${\mathit{CLIPK}_{\textit{ID}}}$ and returns them to the decrypter.
To achieve the leakage-resilient property of the LR-HSC-HPKS scheme, we employ the key updating process with the multiplicative blinding technique (Kiltz and Pietrzak, 2010; Galindo and Virek, 2013), partitioning each secret key into two parts. Each secret key must be updated before it is used in a cryptographic computation; this is the key updating process. In the PKI-PKS, the CA’s secret key ${\textit{SK}_{\textit{CA}}}$ and the signer ${\textit{ID}_{\textit{PKI}}}$’s secret key ${\mathit{PKISK}_{\textit{ID}}}$ are initially partitioned into (${\textit{SK}_{\textit{CA},0,0}},{\textit{SK}_{\textit{CA},0,1}}$) and $({\mathit{PKISK}_{\mathit{ID},0,0}},{\mathit{PKISK}_{\mathit{ID},0,1}})$, respectively. In the CL-PKS, the KGC’s secret key ${\textit{SK}_{\textit{KGC}}}$ is partitioned into $({\textit{SK}_{\textit{KGC},0,0}},{\textit{SK}_{\textit{KGC},0,1}})$. Also, the decrypter ${\textit{ID}_{\textit{CL}}}$’s secret key ${\mathit{CLSK}_{\textit{ID}}}$ and identity secret key ${\mathit{CLISK}_{\textit{ID}}}$ are initially partitioned into $({\mathit{CLSK}_{\mathit{ID},0,0}},{\mathit{CLSK}_{\mathit{ID},0,1}})$ and $({\mathit{CLISK}_{\mathit{ID},0,0}},{\mathit{CLISK}_{\mathit{ID},0,1}})$, respectively.
Fig. 2
The inputs/outputs of the $\textit{HSE}$ and the $\textit{HUSE}$ algorithms in the LR-HSC-HPKS scheme.
In the LR-HSC-HPKS scheme, assume that a signer ${\textit{ID}_{\textit{PKI}}}$ runs the Hybrid signcryption ($\textit{HSE}$) algorithm to transmit a message M to a decrypter ${\textit{ID}_{\textit{CL}}}$. For the $\textit{HSE}$ algorithm’s j-th running, the signer ${\textit{ID}_{\textit{PKI}}}$ first updates the old secret key $({\mathit{PKISK}_{\mathit{ID},j-1,0}},{\mathit{PKISK}_{\mathit{ID},j-1,1}})$ to the new secret key (${\mathit{PKISK}_{\mathit{ID},j,0}},{\mathit{PKISK}_{\mathit{ID},j,1}}$) and sends the ciphertext $\textit{CT}=\textit{HSE}(M,{\textit{ID}_{\textit{CL}}},{\mathit{CLPK}_{\textit{ID}}},{\mathit{CLIPK}_{\textit{ID}}},({\mathit{PKISK}_{\mathit{ID},j,0}},{\mathit{PKISK}_{\mathit{ID},j,1}}))$ to the decrypter ${\textit{ID}_{\textit{CL}}}$. For the Hybrid unsigncryption ($\textit{HUSE}$) algorithm’s k-th running on the received $\textit{CT}$, the decrypter ${\textit{ID}_{\textit{CL}}}$ first updates the old secret key $({\mathit{CLSK}_{\mathit{ID},k-1,0}},{\mathit{CLSK}_{\mathit{ID},k-1,1}})$ and the old identity secret key $({\mathit{CLISK}_{\mathit{ID},k-1,0}},{\mathit{CLISK}_{\mathit{ID},k-1,1}})$ to the new secret key $({\mathit{CLSK}_{\mathit{ID},k,0}},{\mathit{CLSK}_{\mathit{ID},k,1}})$ and the new identity secret key $({\mathit{CLISK}_{\mathit{ID},k,0}},{\mathit{CLISK}_{\mathit{ID},k,1}})$, respectively, and recovers the message $M=\textit{HUSE}(\textit{CT},{\textit{ID}_{\textit{PKI}}},{\mathit{PKIPK}_{\textit{ID}}},{\textit{CRT}_{\textit{ID}}},({\mathit{CLSK}_{\mathit{ID},k,0}},{\mathit{CLSK}_{\mathit{ID},k,1}}),({\mathit{CLISK}_{\mathit{ID},k,0}},{\mathit{CLISK}_{\mathit{ID},k,1}}))$. Figure 2 depicts the inputs/outputs of the $\textit{HSE}$ and the $\textit{HUSE}$ algorithms in the LR-HSC-HPKS scheme. The new framework of the LR-HSC-HPKS scheme from the PKI-PKS to the CL-PKS is presented in Definition 1.
Definition 1.
The LR-HSC-HPKS scheme includes the following four parts.
  • – System setup: Firstly, the system parameters ($\textit{SP}$) are initially set. The heterogeneous public-key systems consist of the PKI-PKS and the CL-PKS. The CA in the PKI-PKS and the KGC in the CL-PKS, respectively, set their secret keys and the associated public keys as follows.
    • ♦ PKI-PKS: The CA sets a secret/public key pair (${\textit{SK}_{\textit{CA}}},{\textit{PK}_{\textit{CA}}}$). Initially, the CA partitions ${\textit{SK}_{\textit{CA}}}$ into (${\textit{SK}_{\textit{CA},0,0}},{\textit{SK}_{\textit{CA},0,1}}$).
    • ♦ CL-PKS: The KGC sets a secret/public key pair (${\textit{SK}_{\textit{KGC}}},{\textit{PK}_{\textit{KGC}}}$). Initially, the KGC partitions ${\textit{SK}_{\textit{KGC}}}$ into (${\textit{SK}_{\textit{KGC},0,0}},{\textit{SK}_{\textit{KGC},0,1}}$).
    Also, $\textit{SP}$, ${\textit{PK}_{\textit{CA}}}$ and ${\textit{PK}_{\textit{KGC}}}$ are publicly published.
  • – User key generation: For signers in the PKI-PKS and decrypters in the CL-PKS, two key generating procedures are presented as follows.
    • ♦ PKI-PKS: A signer with identity ${\textit{ID}_{\textit{PKI}}}$ and the CA cooperatively run the following two algorithms.
      • • Signer secret key generation: The signer ${\textit{ID}_{\textit{PKI}}}$ sets a secret/public key pair $({\mathit{PKISK}_{\textit{ID}}},{\mathit{PKIPK}_{\textit{ID}}})$. Initially, the signer ${\textit{ID}_{\textit{PKI}}}$ partitions ${\mathit{PKISK}_{\textit{ID}}}$ into $({\mathit{PKISK}_{\mathit{ID},0,0}},{\mathit{PKISK}_{\mathit{ID},0,1}})$. Also, the signer ${\textit{ID}_{\textit{PKI}}}$ sends $({\textit{ID}_{\textit{PKI}}},{\mathit{PKIPK}_{\textit{ID}}})$ to the CA.
      • • Signer certificate generation: For this algorithm’s i-th running, given $({\textit{ID}_{\textit{PKI}}},{\mathit{PKIPK}_{\textit{ID}}})$, the CA first updates the old secret key $({\textit{SK}_{\textit{CA},i-1,0}},{\textit{SK}_{\textit{CA},i-1,1}})$ to the new secret key $({\textit{SK}_{\textit{CA},i,0}},{\textit{SK}_{\textit{CA},i,1}})$, such that ${\textit{SK}_{\textit{CA}}}={\textit{SK}_{\textit{CA},0,0}}+{\textit{SK}_{\textit{CA},0,1}}={\textit{SK}_{\textit{CA},1,0}}+{\textit{SK}_{\textit{CA},1,1}}=\cdots ={\textit{SK}_{\textit{CA},i,0}}+{\textit{SK}_{\textit{CA},i,1}}$. Subsequently, the CA uses $({\textit{SK}_{\textit{CA},i,0}},{\textit{SK}_{\textit{CA},i,1}})$ to compute the certificate ${\textit{CRT}_{\textit{ID}}}$ and returns it to the signer ${\textit{ID}_{\textit{PKI}}}$.
    • ♦ CL-PKS: A decrypter with identity ${\textit{ID}_{\textit{CL}}}$ and the KGC cooperatively run the following four algorithms.
      • • Decrypter secret key generation: The decrypter ${\textit{ID}_{\textit{CL}}}$ sets a secret/public key pair $({\mathit{CLSK}_{\textit{ID}}},{\mathit{CLPK}_{\textit{ID}}})$. Also, the decrypter ${\textit{ID}_{\textit{CL}}}$ sends ${\textit{ID}_{\textit{CL}}}$ to the KGC.
      • • Decrypter identity secret key generation: For this algorithm’s i-th running, given ${\textit{ID}_{\textit{CL}}}$, the KGC first updates the old secret key $({\textit{SK}_{\textit{KGC},i-1,0}},{\textit{SK}_{\textit{KGC},i-1,1}})$ to the new secret key $({\textit{SK}_{\textit{KGC},i,0}},{\textit{SK}_{\textit{KGC},i,1}})$ such that ${\textit{SK}_{\textit{KGC}}}={\textit{SK}_{\textit{KGC},0,0}}+{\textit{SK}_{\textit{KGC},0,1}}={\textit{SK}_{\textit{KGC},1,0}}+{\textit{SK}_{\textit{KGC},1,1}}=\cdots ={\textit{SK}_{\textit{KGC},i,0}}+{\textit{SK}_{\textit{KGC},i,1}}$. Subsequently, the KGC uses $({\textit{SK}_{\textit{KGC},i,0}},{\textit{SK}_{\textit{KGC},i,1}})$ to compute the identity secret/public key pair $({\mathit{CLISK}_{\textit{ID}}},{\mathit{CLIPK}_{\textit{ID}}})$ and returns it to the decrypter ${\textit{ID}_{\textit{CL}}}$.
      • • Decrypter secret key combination: $({\mathit{CLSK}_{\textit{ID}}},{\mathit{CLISK}_{\textit{ID}}})$ is the decrypter ${\textit{ID}_{\textit{CL}}}$’s secret key pair. Initially, the decrypter ${\textit{ID}_{\textit{CL}}}$ partitions ${\mathit{CLSK}_{\textit{ID}}}$ and ${\mathit{CLISK}_{\textit{ID}}}$ into $({\mathit{CLSK}_{\mathit{ID},0,0}},{\mathit{CLSK}_{\mathit{ID},0,1}})$ and $({\mathit{CLISK}_{\mathit{ID},0,0}},{\mathit{CLISK}_{\mathit{ID},0,1}})$, respectively.
      • • Decrypter public key combination: $({\mathit{CLPK}_{\textit{ID}}},{\mathit{CLIPK}_{\textit{ID}}})$ is the decrypter ${\textit{ID}_{\textit{CL}}}$’s public key pair.
  • – Hybrid signcryption ($\textit{HSE}$): For the $\textit{HSE}$ algorithm’s j-th running, given $(M,{\textit{ID}_{\textit{CL}}},{\mathit{CLPK}_{\textit{ID}}},{\mathit{CLIPK}_{\textit{ID}}})$, the signer ${\textit{ID}_{\textit{PKI}}}$ first updates the old secret key $({\mathit{PKISK}_{\mathit{ID},j-1,0}},{\mathit{PKISK}_{\mathit{ID},j-1,1}})$ to the new secret key $({\mathit{PKISK}_{\mathit{ID},j,0}},{\mathit{PKISK}_{\mathit{ID},j,1}})$. Then, the signer ${\textit{ID}_{\textit{PKI}}}$ generates the ciphertext $\textit{CT}=\textit{HSE}(M,{\textit{ID}_{\textit{CL}}},{\mathit{CLPK}_{\textit{ID}}},{\mathit{CLIPK}_{\textit{ID}}},({\mathit{PKISK}_{\mathit{ID},j,0}},{\mathit{PKISK}_{\mathit{ID},j,1}}))$ and sends $\textit{CT}$ to the decrypter ${\textit{ID}_{\textit{CL}}}$.
  • – Hybrid unsigncryption ($\textit{HUSE}$): For the $\textit{HUSE}$ algorithm’s k-th running, given $\textit{CT}$, the decrypter ${\textit{ID}_{\textit{CL}}}$ updates the old secret key $({\mathit{CLSK}_{\mathit{ID},k-1,0}},{\mathit{CLSK}_{\mathit{ID},k-1,1}})$ and the old identity secret key $({\mathit{CLISK}_{\mathit{ID},k-1,0}},{\mathit{CLISK}_{\mathit{ID},k-1,1}})$ to the new secret key $({\mathit{CLSK}_{\mathit{ID},k,0}},{\mathit{CLSK}_{\mathit{ID},k,1}})$ and the new identity secret key $({\mathit{CLISK}_{\mathit{ID},k,0}},{\mathit{CLISK}_{\mathit{ID},k,1}})$, respectively, and recovers the message $M=\textit{HUSE}(\textit{CT},{\textit{ID}_{\textit{PKI}}},{\mathit{PKIPK}_{\textit{ID}}},{\textit{CRT}_{\textit{ID}}},({\mathit{CLSK}_{\mathit{ID},k,0}},{\mathit{CLSK}_{\mathit{ID},k,1}})$, $({\mathit{CLISK}_{\mathit{ID},k,0}},{\mathit{CLISK}_{\mathit{ID},k,1}}))$.
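The key updating process that Definition 1 attaches to every algorithm run (the invariant ${\textit{SK}}={\textit{SK}_{i,0}}+{\textit{SK}_{i,1}}$ preserved across rounds, with each share used in a separate step of the computation) is the mechanism behind the leakage-resilient property, and the per-round leak functions of Section 3.2 model what an adversary sees of it. The following Python program is an added, constructed illustration of that mechanism and is not part of the paper or of its scheme. It substitutes a toy Schnorr-style signature in the order-5003 subgroup of ${Z_{10007}^{\ast }}$ (assumed parameters, far too small to be secure) for the paper’s pairing-based construction, splits the signing key into two additive shares, refreshes them before every use, computes the signature in two stages that each touch one share, and then runs the same window-reading leak function (τ = 4 bits per share per round) against an unsplit key and against refreshed shares.

```python
"""Toy illustration of the key updating process: a secret key split into two
additive shares, refreshed before every use, with each stage of the signing
computation touching one share.  Constructed example (Schnorr-style, demo-sized
parameters, no real security); it is not the paper's pairing-based scheme."""
import hashlib
import secrets

P = 10007  # assumed toy safe prime, P = 2*Q + 1 (far too small to be secure)
Q = 5003   # prime order of the exponent group Z_Q holding keys and shares
G = 4      # 4 = 2^2 is a quadratic residue mod P, hence generates the order-Q subgroup
assert G != 1 and pow(G, Q, P) == 1, "G must have order Q"
TAU = 4                                # bits each leak function returns per round
ROUNDS = -(-Q.bit_length() // TAU)     # rounds needed to read every bit of a Z_Q value

def split_key(sk):
    """Initial partition SK -> (SK_{0,0}, SK_{0,1}) with SK_{0,0} + SK_{0,1} = SK mod Q."""
    s0 = secrets.randbelow(Q)
    return s0, (sk - s0) % Q

def refresh(shares):
    """Key updating (SK_{i-1,0}, SK_{i-1,1}) -> (SK_{i,0}, SK_{i,1}); the sum is unchanged."""
    s0, s1 = shares
    r = secrets.randbelow(Q)
    return (s0 + r) % Q, (s1 - r) % Q

def recombine(shares):
    """Invariant check only; a leakage-resilient signer never computes the full key."""
    return sum(shares) % Q

def _challenge(R, msg):
    digest = hashlib.sha256(f"{R}|{msg}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def sign_split(shares, msg):
    """Two-stage Schnorr signature: stage 0 sees only SK_{i,0} (and the nonce),
    stage 1 sees only SK_{i,1}.  Returns the signature and the updated shares."""
    shares = refresh(shares)            # update before use, as Definition 1 requires
    s0, s1 = shares
    k = secrets.randbelow(Q - 1) + 1    # stage 0: nonce and first share
    R = pow(G, k, P)
    c = _challenge(R, msg)
    t0 = (k + s0 * c) % Q
    t1 = (s1 * c) % Q                   # stage 1: second share only
    return (R, (t0 + t1) % Q), shares

def verify(pk, msg, sig):
    """Standard Schnorr check G^s == R * pk^c (mod P), where pk = G^SK."""
    R, s = sig
    c = _challenge(R, msg)
    return pow(G, s, P) == (R * pow(pk, c, P)) % P

def leak_window(x, rnd):
    """Adversary's leak function for round rnd: a TAU-bit window of its input."""
    return (x >> (rnd * TAU)) & ((1 << TAU) - 1)

def assemble(windows):
    """Concatenate the windows leaked in successive rounds back into one integer."""
    value = 0
    for rnd, w in enumerate(windows):
        value |= w << (rnd * TAU)
    return value

def attack_unsplit(sk):
    """No countermeasure: the same key is used every round, so the windows add up."""
    return assemble([leak_window(sk, rnd) for rnd in range(ROUNDS)])

def attack_refreshed(shares):
    """Countermeasure: round i leaks f_i(SK_{i,0}) and h_i(SK_{i,1}) of freshly
    updated shares, TAU bits each, so windows from different rounds do not combine."""
    w0, w1 = [], []
    for rnd in range(ROUNDS):
        shares = refresh(shares)
        s0, s1 = shares
        w0.append(leak_window(s0, rnd))  # Delta f_i
        w1.append(leak_window(s1, rnd))  # Delta h_i
    return (assemble(w0) + assemble(w1)) % Q

def demo(trials=20):
    """Returns (signature verifies, unsplit key recovered, refreshed-share recoveries)."""
    sk = secrets.randbelow(Q - 1) + 1
    pk = pow(G, sk, P)
    shares = split_key(sk)
    msg = "constructed sample message from ID_PKI to ID_CL"
    sig, shares = sign_split(shares, msg)
    signature_ok = verify(pk, msg, sig)
    unsplit_hit = attack_unsplit(sk) == sk
    refreshed_hits = sum(attack_refreshed(shares) == sk for _ in range(trials))
    return signature_ok, unsplit_hit, refreshed_hits
```

Calling demo() returns (True, True, n): the two-stage signature verifies under the ordinary public key, the four 4-bit windows read from an unsplit 13-bit key reassemble it exactly, and n, the number of trials in which the same windows read from refreshed shares reproduce the key, is almost always 0 because each window belongs to a different random share. The separation between the two stages is enforced here only by program structure; on real hardware it is the implementation (constant-time code, never materialising the recombined key) that decides whether a leak function really sees one share at a time, which is what the leakage model of Section 3.2 assumes.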

3.2 Adversary Games

Based on Tseng et al.’s scheme (Tseng et al., 2022a) and Tsai et al.’s scheme (Tsai et al., 2023), we define two adversary games of the LR-HSC-HPKS scheme in the heterogeneous public-key systems (including the PKI-PKS and the CL-PKS).
For the i-th running of Signer certificate generation, a pair of leak functions $({f_{\textit{SCG},i}},{h_{\textit{SCG},i}})$ on $({\textit{SK}_{\textit{CA},i,0}},{\textit{SK}_{\textit{CA},i,1}})$ models the leakage ability of adversaries. Likewise, the pair $({f_{\textit{ISKG},i}},{h_{\textit{ISKG},i}})$ on $({\textit{SK}_{\textit{KGC},i,0}},{\textit{SK}_{\textit{KGC},i,1}})$ is used for the i-th running of Decrypter identity secret key generation, the pair $({f_{\textit{HS},j}},{h_{\textit{HS},j}})$ on $({\mathit{PKISK}_{\mathit{ID},j,0}},{\mathit{PKISK}_{\mathit{ID},j,1}})$ for the j-th running of Hybrid signcryption, and the pair $({f_{\textit{HUS},k}},{h_{\textit{HUS},k}})$ on $(({\mathit{CLSK}_{\mathit{ID},k,0}},{\mathit{CLISK}_{\mathit{ID},k,0}}),({\mathit{CLSK}_{\mathit{ID},k,1}},{\mathit{CLISK}_{\mathit{ID},k,1}}))$ for the k-th running of Hybrid unsigncryption. In every pair, the first function is applied only to the share(s) with index 0 and the second only to the share(s) with index 1, so no single leak function ever sees both shares of a key. Moreover, let $\Delta {f_{\textit{SCG},i}}$, $\Delta {h_{\textit{SCG},i}}$, $\Delta {f_{\textit{ISKG},i}}$, $\Delta {h_{\textit{ISKG},i}}$, $\Delta {f_{\textit{HS},j}}$, $\Delta {h_{\textit{HS},j}}$, $\Delta {f_{\textit{HUS},k}}$ and $\Delta {h_{\textit{HUS},k}}$ denote these functions’ outputs, where each output is at most τ bits long with τ as defined in Lemma 1. The inputs and outputs of the eight leak functions are as follows:
  • – $\Delta {f_{\textit{SCG},i}}={f_{\textit{SCG},i}}({\textit{SK}_{\textit{CA},i,0}})$.
  • – $\Delta {h_{\textit{SCG},i}}={h_{\textit{SCG},i}}({\textit{SK}_{\textit{CA},i,1}})$.
  • – $\Delta {f_{\textit{ISKG},i}}={f_{\textit{ISKG},i}}({\textit{SK}_{\textit{KGC},i,0}})$.
  • – $\Delta {h_{\textit{ISKG},i}}={h_{\textit{ISKG},i}}({\textit{SK}_{\textit{KGC},i,1}})$.
  • – $\Delta {f_{\textit{HS},j}}={f_{\textit{HS},j}}({\mathit{PKISK}_{\mathit{ID},j,0}})$.
  • – $\Delta {h_{\textit{HS},j}}={h_{\textit{HS},j}}({\mathit{PKISK}_{\mathit{ID},j,1}})$.
  • – $\Delta {f_{\textit{HUS},k}}={f_{\textit{HUS},k}}({\mathit{CLSK}_{\mathit{ID},k,0}},{\mathit{CLISK}_{\mathit{ID},k,0}})$.
  • – $\Delta {h_{\textit{HUS},k}}={h_{\textit{HUS},k}}({\mathit{CLSK}_{\mathit{ID},k,1}},{\mathit{CLISK}_{\mathit{ID},k,1}})$.
In the heterogeneous public-key systems (including the PKI-PKS and the CL-PKS), there are two types of adversaries, namely, illegitimate member (${A_{I}}$) and malicious CA/KGC (${A_{\textit{II}}}$).
  • – Illegitimate member (${A_{I}}$): ${A_{I}}$ is used to model the attacking abilities of an illegitimate member as follows.
    • • ${A_{I}}$ may obtain any signer ${\textit{ID}_{\textit{PKI}}}$’s secret key ${\mathit{PKISK}_{\textit{ID}}}$, except for the target signer ${{\textit{ID}^{\ast }}_{\textit{PKI}}}$. Also ${A_{I}}$ may obtain any decrypter ${\textit{ID}_{\textit{CL}}}$’s secret key ${\mathit{CLSK}_{\textit{ID}}}$ and identity secret key ${\mathit{CLISK}_{\textit{ID}}}$, except for the identity secret key ${\mathit{CLISK}_{{\textit{ID}^{\ast }}}}$ of the target decrypter ${{\textit{ID}^{\ast }}_{\textit{CL}}}$.
    • • ${A_{I}}$ may obtain a portion about ${\mathit{PKISK}_{{\textit{ID}^{\ast }}}}=({\mathit{PKISK}_{{\textit{ID}^{\ast }},j,0}},{\mathit{PKISK}_{{\textit{ID}^{\ast }},j,1}})$ and ${\mathit{CLISK}_{{\textit{ID}^{\ast }}}}=({\mathit{CLISK}_{{\textit{ID}^{\ast }},k,0}},{\mathit{CLISK}_{{\textit{ID}^{\ast }},k,1}})$ by two pairs of leak functions $({f_{\textit{HS},j}},{h_{\textit{HS},j}})$ and $({f_{\textit{HUS},k}},{h_{\textit{HUS},k}})$, respectively.
    • • ${A_{I}}$ may obtain a portion of ${\textit{SK}_{\textit{CA}}}=({\textit{SK}_{\textit{CA},i,0}},{\textit{SK}_{\textit{CA},i,1}})$ and ${\textit{SK}_{\textit{KGC}}}=({\textit{SK}_{\textit{KGC},i,0}},{\textit{SK}_{\textit{KGC},i,1}})$ by two pairs of leak functions $({f_{\textit{SCG},i}},{h_{\textit{SCG},i}})$ and $({f_{\textit{ISKG},i}},{h_{\textit{ISKG},i}})$, respectively.
  • – Malicious CA/KGC (${A_{\textit{II}}}$): ${A_{\textit{II}}}$ is used to model the attacking abilities of a malicious CA/KGC who has both ${\textit{SK}_{\textit{CA}}}$ and ${\textit{SK}_{\textit{KGC}}}$.
    • • ${A_{\textit{II}}}$ may obtain any signer ${\textit{ID}_{\textit{PKI}}}$’s secret key ${\mathit{PKISK}_{\textit{ID}}}$ and any decrypter ${\textit{ID}_{\textit{CL}}}$’s secret key ${\mathit{CLSK}_{\textit{ID}}}$, except for the target signer ${{\textit{ID}^{\ast }}_{\textit{PKI}}}$ and decrypter ${{\textit{ID}^{\ast }}_{\textit{CL}}}$.
    • • ${A_{\textit{II}}}$ may obtain a portion of ${\mathit{PKISK}_{{\textit{ID}^{\ast }}}}=({\mathit{PKISK}_{{\textit{ID}^{\ast }},j,0}},{\mathit{PKISK}_{{\textit{ID}^{\ast }},j,1}})$ by the pair of leak functions (${f_{\textit{HS},j}},{h_{\textit{HS},j}}$).
    • • ${A_{\textit{II}}}$ may obtain a portion of ${\mathit{CLSK}_{{\textit{ID}^{\ast }}}}=({\mathit{CLSK}_{{\textit{ID}^{\ast }},k,0}},{\mathit{CLSK}_{{\textit{ID}^{\ast }},k,1}})$ by the pair of leak functions (${f_{\textit{HUS},k}},{h_{\textit{HUS},k}}$).
In Definitions 2 and 3, we define two adversary games ${\textit{Game}_{1}}$ and ${\textit{Game}_{2}}$ to model the content unforgeability (authentication) and the message confidentiality, respectively.
Definition 2 (${\textit{Game}_{1}}$).
The adversary game ${\textit{Game}_{1}}$ is played by an adversary A (${A_{I}}$ or ${A_{\textit{II}}}$) and a challenger B. If no probabilistic polynomial-time (PPT) adversary A with a non-negligible advantage wins ${\textit{Game}_{1}}$, the LR-HSC-HPKS scheme possesses the existential unforgeability (authentication) under adaptive chosen-message and side-channel attacks (EUF-ACMSCA).
  • – Initialization phase: The challenger B runs the System setup in Definition 1 to generate the CA’s secret/public key pair $({\textit{SK}_{\textit{CA}}},{\textit{PK}_{\textit{CA}}})$ and the KGC’s secret/public key pair $({\textit{SK}_{\textit{KGC}}},{\textit{PK}_{\textit{KGC}}})$. Also, B sets the system parameters ($\textit{SP}$). In the meantime, B partitions ${\textit{SK}_{\textit{CA}}}$ and ${\textit{SK}_{\textit{KGC}}}$ into $({\textit{SK}_{\textit{CA},0,0}},{\textit{SK}_{\textit{CA},0,1}})$ and $({\textit{SK}_{\textit{KGC},0,0}},{\textit{SK}_{\textit{KGC},0,1}})$, respectively. Additionally, if A is an ${A_{\textit{II}}}$, both ${\textit{SK}_{\textit{CA}}}$ and ${\textit{SK}_{\textit{KGC}}}$ are sent to ${A_{\textit{II}}}$.
  • – Query phase: A (${A_{I}}$ or ${A_{\textit{II}}}$) may adaptively request various kinds of queries (oracles) to B as follows.
    • • Signer secret key query (${\textit{ID}_{\textit{PKI}}}$): The signer ${\textit{ID}_{\textit{PKI}}}$’s secret key ${\mathit{PKISK}_{\textit{ID}}}$ is returned.
    • • Signer certificate query (${\textit{ID}_{\textit{PKI}}},{\mathit{PKIPK}_{\textit{ID}}}$). For the i-th request of this query, B first updates the old secret key $({\textit{SK}_{\textit{CA},i-1,0}},{\textit{SK}_{\textit{CA},i-1,1}})$ to the new secret key $({\textit{SK}_{\textit{CA},i,0}},{\textit{SK}_{\textit{CA},i,1}})$. By $({\textit{ID}_{\textit{PKI}}},{\mathit{PKIPK}_{\textit{ID}}})$, B uses $({\textit{SK}_{\textit{CA},i,0}},{\textit{SK}_{\textit{CA},i,1}})$ to generate and return the signer ${\textit{ID}_{\textit{PKI}}}$’s certificate ${\textit{CRT}_{\textit{ID}}}$.
    • • Signer certificate leak query $(i,{f_{\textit{SCG},i}},{h_{\textit{SCG},i}})$. For the i-th request of the Signer certificate query, the leak query can only be requested once. B returns $\Delta {f_{\textit{SCG},i}}={f_{\textit{SCG},i}}({\textit{SK}_{\textit{CA},i,0}})$ and $\Delta {h_{\textit{SCG},i}}={h_{\textit{SCG},i}}({\textit{SK}_{\textit{CA},i,1}})$.
    • • Decrypter identity secret key query (${\textit{ID}_{\textit{CL}}}$). For the i-th request of this query, B first updates the old secret key $({\textit{SK}_{\textit{KGC},i-1,0}},{\textit{SK}_{\textit{KGC},i-1,1}})$ to the new secret key $({\textit{SK}_{\textit{KGC},i,0}},{\textit{SK}_{\textit{KGC},i,1}})$. By ${\textit{ID}_{\textit{CL}}}$, B uses $({\textit{SK}_{\textit{KGC},i,0}},{\textit{SK}_{\textit{KGC},i,1}})$ to generate and return the identity secret/public key pair $({\mathit{CLISK}_{\textit{ID}}},{\mathit{CLIPK}_{\textit{ID}}})$.
    • • Decrypter identity secret key leak query $(i,{f_{\textit{ISKG},i}},{h_{\textit{ISKG},i}})$. For the i-th request of the Decrypter identity secret key query, the leak query can only be requested once. B returns $\Delta {f_{\textit{ISKG},i}}={f_{\textit{ISKG},i}}({\textit{SK}_{\textit{KGC},i,0}})$ and $\Delta {h_{\textit{ISKG},i}}={h_{\textit{ISKG},i}}({\textit{SK}_{\textit{KGC},i,1}})$.
    • • Decrypter public key replace query $({\textit{ID}_{\textit{CL}}},({\textit{CLPK}^{\prime }_{\textit{ID}}},{\textit{CLIPK}^{\prime }_{\textit{ID}}}))$. The decrypter ${\textit{ID}_{\textit{CL}}}$’s public key is replaced with $({\textit{CLPK}^{\prime }_{\textit{ID}}},{\textit{CLIPK}^{\prime }_{\textit{ID}}})$.
    • • Decrypter secret key query (${\textit{ID}_{\textit{CL}}}$). If the Decrypter public key replace query $({\textit{ID}_{\textit{CL}}},({\textit{CLPK}^{\prime }_{\textit{ID}}},{\textit{CLIPK}^{\prime }_{\textit{ID}}}))$ is never requested, the decrypter ${\textit{ID}_{\textit{CL}}}$’s secret key ${\mathit{CLSK}_{\textit{ID}}}$ is returned.
    • • Hybrid signcryption query $(M,{\textit{ID}_{\textit{PKI}}},{\textit{ID}_{\textit{CL}}})$: B first updates the signer ${\textit{ID}_{\textit{PKI}}}$’s old secret key $({\mathit{PKISK}_{\mathit{ID},j-1,0}},{\mathit{PKISK}_{\mathit{ID},j-1,1}})$ to the new secret key $({\mathit{PKISK}_{\mathit{ID},j,0}},{\mathit{PKISK}_{\mathit{ID},j,1}})$, and runs the Hybrid signcryption to return $\textit{CT}$.
    • • Hybrid signcryption leak query $({\textit{ID}_{\textit{PKI}}},j,{f_{\textit{HS},j}},{h_{\textit{HS},j}})$: For the signer ${\textit{ID}_{\textit{PKI}}}$’s j-th request of the Hybrid signcryption query, the leak query can only be requested once. B returns $\Delta {f_{\textit{HS},j}}={f_{\textit{HS},j}}({\mathit{PKISK}_{\mathit{ID},j,0}})$ and $\Delta {h_{\textit{HS},j}}={h_{\textit{HS},j}}({\mathit{PKISK}_{\mathit{ID},j,1}})$.
    • • Hybrid unsigncryption query $(\textit{CT},{\textit{ID}_{\textit{PKI}}},{\textit{ID}_{\textit{CL}}})$: B first updates the decrypter ${\textit{ID}_{\textit{CL}}}$’s old secret key $({\mathit{CLSK}_{\mathit{ID},k-1,0}},{\mathit{CLSK}_{\mathit{ID},k-1,1}})$ and identity secret key $({\mathit{CLISK}_{\mathit{ID},k-1,0}},{\mathit{CLISK}_{\mathit{ID},k-1,1}})$ to the new secret key $({\mathit{CLSK}_{\mathit{ID},k,0}},{\mathit{CLSK}_{\mathit{ID},k,1}})$ and identity secret key $({\mathit{CLISK}_{\mathit{ID},k,0}},{\mathit{CLISK}_{\mathit{ID},k,1}})$, respectively. B runs the Hybrid unsigncryption to return M.
    • • Hybrid unsigncryption leak query $({\textit{ID}_{\textit{CL}}},k,{f_{\textit{HUS},k}},{h_{\textit{HUS},k}})$: For the decrypter ${\textit{ID}_{\textit{CL}}}$’s k-th request of the Hybrid unsigncryption query, the leak query can only be requested once. B returns $\Delta {f_{\textit{HUS},k}}={f_{\textit{HUS},k}}({\mathit{CLSK}_{\mathit{ID},k,0}},{\mathit{CLISK}_{\mathit{ID},k,0}})$ and $\Delta {h_{\textit{HUS},k}}={h_{\textit{HUS},k}}({\mathit{CLSK}_{\mathit{ID},k,1}},{\mathit{CLISK}_{\mathit{ID},k,1}})$, consistent with the leak functions defined above: each function sees only the shares consumed in one of the two computation steps of the Hybrid unsigncryption, never both shares of the same key.
  • – Forgery phase: Assume that A outputs a forged ciphertext ${\textit{CT}^{\ast }}=({{T^{\ast }}_{0}},{{T^{\ast }}_{1}},{{T^{\ast }}_{2}},{{\textit{ID}^{\ast }}_{\textit{PKI}}},{{\textit{ID}^{\ast }}_{\textit{CL}}})$ for the message ${M^{\ast }}$. We say that A wins ${\textit{Game}_{1}}$ if the following three conditions hold.
    • • ${\textit{CT}^{\ast }}$ is valid, i.e. the Hybrid unsigncryption algorithm outputs ${M^{\ast }}$ on ${\textit{CT}^{\ast }}$.
    • • The Hybrid signcryption query $({M^{\ast }},{{\textit{ID}^{\ast }}_{\textit{PKI}}},{\textit{ID}_{\textit{CL}}})$ is never issued.
    • • The Signer secret key query $({{\textit{ID}^{\ast }}_{\textit{PKI}}})$ is never issued.
Definition 3 (${\textit{Game}_{2}}$).
The adversary game ${\textit{Game}_{2}}$ is played by an adversary A (${A_{I}}$ or ${A_{\textit{II}}}$) and a challenger B. If no PPT adversary A with a non-negligible advantage wins ${\textit{Game}_{2}}$, the LR-HSC-HPKS scheme possesses the encryption indistinguishability (message confidentiality) under chosen-ciphertext and side-channel attacks (EIND-CCSCA).
  • – Initialization phase. The phase is the same with the Initialization phase in Definition 2.
  • – Query phase. The phase is the same with the Query phase in Definition 2.
  • – Challenge phase. A selects a target decrypter ${{\textit{ID}^{\ast }}_{\textit{CL}}}$ and a message pair (${M_{0}},{M_{1}}$) as the challenge. B randomly selects $c\in \{0,1\}$, generates a challenge ciphertext ${\textit{CT}^{\ast }}$ by running the Hybrid signcryption on (${M_{c}},{\textit{ID}_{\textit{PKI}}},{{\textit{ID}^{\ast }}_{\textit{CL}}}$), and sends ${\textit{CT}^{\ast }}$ to A. The following two restrictions must hold.
    • 1. If A is an ${A_{I}}$, the Decrypter identity secret key query (${{\textit{ID}^{\ast }}_{\textit{CL}}}$) is never issued.
    • 2. If A is an ${A_{\textit{II}}}$, neither the Decrypter public key replace query $({{\textit{ID}^{\ast }}_{\textit{CL}}},({\textit{CLPK}^{\prime }_{{ID^{\ast }}}},{\textit{CLIPK}^{\prime }_{{ID^{\ast }}}}))$ nor the Decrypter secret key query (${{\textit{ID}^{\ast }}_{\textit{CL}}}$) is issued.
  • – Guessing phase. A outputs ${c^{\prime }}\in \{0,1\}$ and wins ${\textit{Game}_{2}}$ if ${c^{\prime }}=c$. A’s advantage is defined as $\textit{Adv}(A)=|\Pr[{c^{\prime }}=c]-1/2|$.

4 Our LR-HSC-HPKS Scheme

According to the framework shown in Definition 1, our LR-HSC-HPKS scheme consists of four parts as presented below.
  • – System setup: The system sets a bilinear group set $\{G,{G_{1}},\hat{e},Q,{Q_{1}},q\}$ defined in Section 2.1. Moreover, the system publishes $SP=\{G,{G_{1}},\hat{e},Q,{Q_{1}},q,W,T,\textit{SE}/\textit{SD},{\textit{SH}_{0}},{\textit{SH}_{1}}\}$, where W and T are random elements in G, $\textit{SE}$ and $\textit{SD}$ are respectively symmetric encryption and decryption functions, and ${\textit{SH}_{0}}:{\{0,1\}^{\ast }}\times G\to {\{0,1\}^{t}}$ and ${\textit{SH}_{1}}:G\times {\{0,1\}^{\ast }}\to {\{0,1\}^{t}}$ are two secure hash functions. The heterogeneous public-key systems consist of the PKI-PKS and the CL-PKS. The CA in the PKI-PKS and the KGC in the CL-PKS, respectively, set their secret/public key pairs as follows.
    • ♦ PKI-PKS: The CA randomly selects $r\in {{Z_{q}}^{\ast }}$ and then sets a secret/public key pair $({\textit{SK}_{\textit{CA}}},{\textit{PK}_{\textit{CA}}})$, where ${\textit{SK}_{\textit{CA}}}=r\cdot Q$ and ${\textit{PK}_{\textit{CA}}}=\hat{e}(Q,r\cdot Q)$. Also, the CA randomly selects $w\in {{Z_{q}}^{\ast }}$ and partitions ${\textit{SK}_{\textit{CA}}}$ into ${\textit{SK}_{\textit{CA}}}=({\textit{SK}_{\textit{CA},0,0}},{\textit{SK}_{\textit{CA},0,1}})=(w\cdot Q,{\textit{SK}_{\textit{CA}}}-w\cdot Q)$.
    • ♦ CL-PKS: The KGC randomly selects $t\in {{Z_{q}}^{\ast }}$ and then sets a secret/public key pair $({\textit{SK}_{\textit{KGC}}},{\textit{PK}_{\textit{KGC}}})$, where ${\textit{SK}_{\textit{KGC}}}=t\cdot Q$ and ${\textit{PK}_{\textit{KGC}}}=\hat{e}(Q,t\cdot Q)$. Also, the KGC randomly selects $s\in {{Z_{q}}^{\ast }}$ and partitions ${\textit{SK}_{\textit{KGC}}}$ into ${\textit{SK}_{\textit{KGC}}}=({\textit{SK}_{\textit{KGC},0,0}},{\textit{SK}_{\textit{KGC},0,1}})=(s\cdot Q,{\textit{SK}_{\textit{KGC}}}-s\cdot Q)$.
  • – User key generation: For signers in the PKI-PKS and decrypters in the CL-PKS, two key generating procedures are presented as follows.
    • ♦ PKI-PKS: A signer with identity ${\textit{ID}_{\textit{PKI}}}$ and the CA cooperatively run the following two algorithms.
      • • Signer secret key generation: The signer ${\textit{ID}_{\textit{PKI}}}$ randomly selects $x\in {{Z_{q}}^{\ast }}$ and then sets a secret/public key pair (${\mathit{PKISK}_{\textit{ID}}},{\mathit{PKIPK}_{\textit{ID}}}$), where ${\mathit{PKISK}_{\textit{ID}}}=x\cdot Q$ and ${\mathit{PKIPK}_{\textit{ID}}}=\hat{e}(Q,x\cdot Q)$. Also, the signer ${\textit{ID}_{\textit{PKI}}}$ randomly selects ${w_{i}}\in {{Z_{q}}^{\ast }}$ and partitions ${\mathit{PKISK}_{\textit{ID}}}$ into ${\mathit{PKISK}_{\textit{ID}}}=({\mathit{PKISK}_{\mathit{ID},0,0}},{\mathit{PKISK}_{\mathit{ID},0,1}})=({w_{i}}\cdot Q,{\mathit{PKISK}_{\textit{ID}}}-{w_{i}}\cdot Q)$.
      • • Signer certificate generation: For this algorithm’s i-th running, given (${\textit{ID}_{\textit{PKI}}},{\mathit{PKIPK}_{\textit{ID}}}$), the CA randomly selects $w\in {{Z_{q}}^{\ast }}$ and updates the old secret key $({\textit{SK}_{\textit{CA},i-1,0}},{\textit{SK}_{\textit{CA},i-1,1}})$ to the new secret key $({\textit{SK}_{\textit{CA},i,0}},{\textit{SK}_{\textit{CA},i,1}})=({\textit{SK}_{\textit{CA},i-1,0}}+w\cdot Q,{\textit{SK}_{\textit{CA},i-1,1}}-w\cdot Q)$, such that ${\textit{SK}_{\textit{CA}}}={\textit{SK}_{\textit{CA},0,0}}+{\textit{SK}_{\textit{CA},0,1}}={\textit{SK}_{\textit{CA},1,0}}+{\textit{SK}_{\textit{CA},1,1}}=\cdots ={\textit{SK}_{\textit{CA},i,0}}+{\textit{SK}_{\textit{CA},i,1}}$. Also, the CA uses $({\textit{SK}_{\textit{CA},i,0}},{\textit{SK}_{\textit{CA},i,1}})$ to compute and return the certificate ${\textit{CRT}_{\textit{ID}}}$ to the signer ${\textit{ID}_{\textit{PKI}}}$.
    • ♦ CL-PKS: A decrypter with identity ${\textit{ID}_{\textit{CL}}}$ and the KGC cooperatively run the following four algorithms.
      • • Decrypter secret key generation: The decrypter ${\textit{ID}_{\textit{CL}}}$ randomly selects $l\in {{Z_{q}}^{\ast }}$ and then sets a secret/public key pair (${\mathit{CLSK}_{\textit{ID}}},{\mathit{CLPK}_{\textit{ID}}}$), where ${\mathit{CLSK}_{\textit{ID}}}=l\cdot Q$ and ${\mathit{CLPK}_{\textit{ID}}}=\hat{e}(Q,l\cdot Q)$. Also, the decrypter ${\textit{ID}_{\textit{CL}}}$ sends ${\textit{ID}_{\textit{CL}}}$ to the KGC.
      • • Decrypter identity secret key generation: For this algorithm’s i-th running, given ${\textit{ID}_{\textit{CL}}}$, the KGC randomly selects ${t_{i}}\in {{Z_{q}}^{\ast }}$ and updates the old secret key $({\textit{SK}_{\textit{KGC},i-1,0}},{\textit{SK}_{\textit{KGC},i-1,1}})$ to the new secret key $({\textit{SK}_{\textit{KGC},i,0}},{\textit{SK}_{\textit{KGC},i,1}})=({\textit{SK}_{\textit{KGC},i-1,0}}+{t_{i}}\cdot Q,{\textit{SK}_{\textit{KGC},i-1,1}}-{t_{i}}\cdot Q)$, such that ${\textit{SK}_{\textit{KGC}}}={\textit{SK}_{\textit{KGC},0,0}}+{\textit{SK}_{\textit{KGC},0,1}}={\textit{SK}_{\textit{KGC},1,0}}+{\textit{SK}_{\textit{KGC},1,1}}=\cdots ={\textit{SK}_{\textit{KGC},i,0}}+{\textit{SK}_{\textit{KGC},i,1}}$. Also, the KGC randomly selects $f\in {{Z_{q}}^{\ast }}$ and uses (${\textit{SK}_{\textit{KGC},i,0}},{\textit{SK}_{\textit{KGC},i,1}}$) to compute and return the identity secret/public key pair (${\mathit{CLISK}_{\textit{ID}}},{\mathit{CLIPK}_{\textit{ID}}}$) of the decrypter ${\textit{ID}_{\textit{CL}}}$ as follows (note that step (3) touches only the share with index 1 and step (4) only the share with index 0):
        • (1) ${\mathit{CLIPK}_{\textit{ID}}}=f\cdot Q$.
        • (2) $\rho ={\textit{SH}_{0}}({\textit{ID}_{\textit{CL}}},{\mathit{CLIPK}_{\textit{ID}}})$.
        • (3) ${\textit{TK}_{i}}={\textit{SK}_{\textit{KGC},i,1}}+f\cdot (W+\rho \cdot T)$.
        • (4) ${\mathit{CLISK}_{\textit{ID}}}={\textit{SK}_{\textit{KGC},i,0}}+{\textit{TK}_{i}}$.
      • • Decrypter secret key combination: The decrypter ${\textit{ID}_{\textit{CL}}}$’s secret key pair is (${\mathit{CLSK}_{\textit{ID}}},{\mathit{CLISK}_{\textit{ID}}}$). The ${\textit{ID}_{\textit{CL}}}$ randomly selects δ,$\xi \in {{Z_{q}}^{\ast }}$, and partitions ${\mathit{CLSK}_{\textit{ID}}}$ and ${\mathit{CLISK}_{\textit{ID}}}$ into (${\mathit{CLSK}_{\mathit{ID},0,0}},{\mathit{CLSK}_{\mathit{ID},0,1}})=(\delta \cdot Q,{\mathit{CLSK}_{\textit{ID}}}-\delta \cdot Q)$ and $({\mathit{CLISK}_{\mathit{ID},0,0}},{\mathit{CLISK}_{\mathit{ID},0,1}})=(\xi \cdot Q,{\mathit{CLISK}_{\textit{ID}}}-\xi \cdot Q)$, respectively.
      • • Decrypter public key combination: The decrypter ${\textit{ID}_{\textit{CL}}}$’s public key pair is (${\mathit{CLPK}_{\textit{ID}}},{\mathit{CLIPK}_{\textit{ID}}}$).
  • – Hybrid signcryption ($\textit{HSE}$): Assume that the signer ${\textit{ID}_{\textit{PKI}}}$ wants to send a message M to the decrypter ${\textit{ID}_{\textit{CL}}}$. For the $\textit{HSE}$ algorithm’s j-th running, the signer ${\textit{ID}_{\textit{PKI}}}$ runs the following steps to generate a ciphertext $\textit{CT}$.
    • (1) Randomly select $h\in {{Z_{q}}^{\ast }}$ and update the old secret key (${\mathit{PKISK}_{\mathit{ID},j-1,0}},{\mathit{PKISK}_{\mathit{ID},j-1,1}}$) to the new secret key $({\mathit{PKISK}_{\mathit{ID},j,0}},{\mathit{PKISK}_{\mathit{ID},j,1}})=({\mathit{PKISK}_{\mathit{ID},j-1,0}}+h\cdot Q,{\mathit{PKISK}_{\mathit{ID},j-1,1}}-h\cdot Q)$.
    • (2) Randomly select $n\in {{Z_{q}}^{\ast }}$, and compute ${T_{1}}=n\cdot Q$, ${\textit{EK}_{1}}={({\mathit{CLPK}_{\textit{ID}}})^{n}}$, ${\textit{EK}_{2}}={({\textit{PK}_{\textit{KGC}}}\cdot \hat{e}({\mathit{CLIPK}_{\textit{ID}}},(W+\rho \cdot T)))^{n}}$, where $\rho ={\textit{SH}_{0}}({\textit{ID}_{\textit{CL}}},{\mathit{CLIPK}_{\textit{ID}}})$.
    • (3) Generate ${T_{2}}={\textit{SE}_{\textit{EK}}}(M)$, where $EK={\textit{EK}_{1}}\oplus {\textit{EK}_{2}}$ is an encryption key.
    • (4) Compute $\textit{TS}={\mathit{PKISK}_{\mathit{ID},j,0}}+(n\cdot (W+\beta \cdot T))$, where $\beta ={\textit{SH}_{1}}({T_{1}},{T_{2}},{\textit{ID}_{\textit{PKI}}},{\textit{ID}_{\textit{CL}}},M)$.
    • (5) Generate a signature ${T_{0}}={\mathit{PKISK}_{\mathit{ID},j,1}}+\textit{TS}$.
    • (6) Set $\textit{CT}=({T_{0}},{T_{1}},{T_{2}},{\textit{ID}_{\textit{PKI}}},{\textit{ID}_{\textit{CL}}})$.
  • – Hybrid unsigncryption ($\textit{HUSE}$): For the $\textit{HUSE}$ algorithm’s k-th running, given $\textit{CT}$, the decrypter ${\textit{ID}_{\textit{CL}}}$ runs the following steps to recover the message M.
    • (1) Randomly select $v\in {{Z_{q}}^{\ast }}$, and update the old secret key $({\mathit{CLSK}_{\mathit{ID},k-1,0}},{\mathit{CLSK}_{\mathit{ID},k-1,1}})$ and the old identity secret key $({\mathit{CLISK}_{\mathit{ID},k-1,0}},{\mathit{CLISK}_{\mathit{ID},k-1,1}})$ to the new secret key $({\mathit{CLSK}_{\mathit{ID},k,0}},{\mathit{CLSK}_{\mathit{ID},k,1}})=({\mathit{CLSK}_{\mathit{ID},k-1,0}}+v\cdot Q,{\mathit{CLSK}_{\mathit{ID},k-1,1}}-v\cdot Q)$ and the new identity secret key $({\mathit{CLISK}_{\mathit{ID},k,0}},{\mathit{CLISK}_{\mathit{ID},k,1}})=({\mathit{CLISK}_{\mathit{ID},k-1,0}}+v\cdot Q,{\mathit{CLISK}_{\mathit{ID},k-1,1}}-v\cdot Q)$, respectively.
    • (2) Generate ${\textit{TEK}_{1}}=\hat{e}({T_{1}},{\mathit{CLSK}_{\mathit{ID},k,0}})$ and ${\textit{TEK}_{2}}=\hat{e}({T_{1}},{\mathit{CLISK}_{\mathit{ID},k,0}})$.
    • (3) Compute ${\textit{EK}^{\prime }_{1}}={\textit{TEK}_{1}}\cdot \hat{e}({T_{1}},{\mathit{CLSK}_{\mathit{ID},k,1}})$ and ${\textit{EK}^{\prime }_{2}}={\textit{TEK}_{2}}\cdot \hat{e}({T_{1}},{\mathit{CLISK}_{\mathit{ID},k,1}})$.
    • (4) Recover $M={\textit{SD}_{{\textit{EK}^{\prime }}}}({T_{2}})$, where ${\textit{EK}^{\prime }}={\textit{EK}^{\prime }_{1}}\oplus {\textit{EK}^{\prime }_{2}}$.
    • (5) Set ${\beta ^{\prime }}={\textit{SH}_{1}}({T_{1}},{T_{2}},{\textit{ID}_{\textit{PKI}}},{\textit{ID}_{\textit{CL}}},M)$.
    • (6) Output M if $\hat{e}(Q,{T_{0}})={\mathit{PKIPK}_{\textit{ID}}}\cdot \hat{e}({T_{1}},(W+{\beta ^{\prime }}\cdot T))$ is true.
The correctness of two equations ${\textit{EK}^{\prime }}={\textit{EK}^{\prime }_{1}}\oplus {E{K^{\prime }}_{2}}={\textit{EK}_{1}}\oplus {\textit{EK}_{2}}=EK$ and $\hat{e}(Q,{T_{0}})={\mathit{PKIPK}_{\textit{ID}}}\cdot \hat{e}({T_{1}},(W+{\beta ^{\prime }}\cdot T))$ are shown as follows.
  • √ $\begin{array}[t]{r@{\hskip4.0pt}c@{\hskip4.0pt}l}E{K^{\prime }}& =& {\textit{EK}^{\prime }_{1}}\oplus {\textit{EK}^{\prime }_{2}}\\ {} & =& {\textit{TEK}_{1}}\cdot \hat{e}({T_{1}},{\mathit{CLSK}_{\mathit{ID},k,1}})\oplus {\textit{TEK}_{2}}\cdot \hat{e}({T_{1}},{\mathit{CLISK}_{\mathit{ID},k,1}})\\ {} & =& \hat{e}({T_{1}},{\mathit{CLSK}_{\mathit{ID},k,0}})\cdot \hat{e}({T_{1}},{\mathit{CLSK}_{\mathit{ID},k,1}})\oplus \hat{e}({T_{1}},{\mathit{CLISK}_{\mathit{ID},k,0}})\\ {} & & \cdot \hat{e}({T_{1}},{\mathit{CLISK}_{\mathit{ID},k,1}})\\ {} & =& \hat{e}({T_{1}},{\mathit{CLSK}_{\textit{ID}}})\oplus \hat{e}({T_{1}},{\mathit{CLISK}_{\textit{ID}}})\\ {} & =& \hat{e}(n\cdot Q,{\mathit{CLSK}_{\textit{ID}}})\oplus \hat{e}(n\cdot Q,{\mathit{CLISK}_{\textit{ID}}})\\ {} & =& \hat{e}{(Q,{\mathit{CLSK}_{\textit{ID}}})^{n}}\oplus \hat{e}\big(n\cdot Q,{\textit{SK}_{\textit{KGC}}}+\big(f\cdot (W+\rho \cdot T)\big)\big)\\ {} & =& \hat{e}{(Q,{\mathit{CLSK}_{\textit{ID}}})^{n}}\oplus \hat{e}(n\cdot Q,{\textit{SK}_{\textit{KGC}}})\cdot \hat{e}\big(n\cdot Q,\big(f\cdot (W+\rho \cdot T)\big)\big)\\ {} & =& \hat{e}{(Q,{\mathit{CLSK}_{\textit{ID}}})^{n}}\oplus \hat{e}{(Q,{\textit{SK}_{\textit{KGC}}})^{n}}\cdot \hat{e}\big(f\cdot Q,\big(n\cdot (W+\rho \cdot T)\big)\big)\\ {} & =& {({\mathit{CLPK}_{\textit{ID}}})^{n}}\oplus {\big({\textit{PK}_{\textit{KGC}}}\cdot \hat{e}\big({\mathit{CLIPK}_{\textit{ID}}},(W+\rho \cdot T)\big)\big)^{n}}\\ {} & =& {\textit{EK}_{1}}\oplus {\textit{EK}_{2}}.\end{array}$
  • √ $\begin{array}[t]{r@{\hskip4.0pt}c@{\hskip4.0pt}l}\hat{e}(Q,{T_{0}})& =& \hat{e}(Q,{\mathit{PKISK}_{\mathit{ID},j,1}}+TS)\\ {} & =& \hat{e}(Q,{\mathit{PKISK}_{\mathit{ID},j,1}}+\big({\mathit{PKISK}_{\mathit{ID},j,0}}+\big(n\cdot (W+\beta \cdot T)\big)\big)\\ {} & =& \hat{e}\big(Q,{\mathit{PKISK}_{\textit{ID}}}+\big(n\cdot (W+\beta \cdot T)\big)\big)\\ {} & =& \hat{e}(Q,{\mathit{PKISK}_{\textit{ID}}})\cdot \hat{e}\big(Q,\big(n\cdot (W+\beta \cdot T)\big)\big)\\ {} & =& {\mathit{PKIPK}_{\textit{ID}}}\cdot \hat{e}\big(n\cdot Q,(W+\beta \cdot T)\big)\\ {} & =& {\mathit{PKIPK}_{\textit{ID}}}\cdot \hat{e}\big({T_{1}},\big(W+{\beta ^{\prime }}\cdot T\big)\big).\end{array}$
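The share refresh used in Signer certificate generation, Decrypter identity secret key generation, $\textit{HSE}$ step (1) and $\textit{HUSE}$ step (1), together with the two correctness equations just shown, carried through end to end in a runnable toy instantiation. This is an added example, not the authors’ code. It replaces the bilinear group set of Section 2.1 by the insecure stand-in $G=({Z_{q}},+)$ with $Q=1$, ${G_{1}}=\langle g\rangle \subset {{Z_{p}}^{\ast }}$ and $\hat{e}(a\cdot Q,b\cdot Q)={g^{ab}}\bmod p$ (bilinear, so every equation of the scheme holds, but discrete logarithms in $G$ are trivial, so it demonstrates the algebra only); $\textit{SE}/\textit{SD}$ by a SHA-256 keystream; and ${\textit{SH}_{0}},{\textit{SH}_{1}}$ by SHA-256 reduced into ${Z_{q}}$. The primes $q=1019$ and $p=2039$, the generator $g=4$, the identities and the sample message are constructed for the example; the certificate ${\textit{CRT}_{\textit{ID}}}$, whose computation the section leaves unspecified, is omitted.

```python
"""Toy instantiation of the LR-HSC-HPKS algorithms (added example, not the paper's code).
Pairing stand-in: G = (Z_q, +) with Q = 1, G_1 = <g> of prime order q in Z_p^*,
e(a*Q, b*Q) = g^(a*b) mod p.  Bilinear, so the correctness equations hold, but DL in G
is trivial: this exercises the algebra and share bookkeeping only, it is NOT secure."""
import hashlib
import secrets

q = 1019        # constructed toy group order (prime)
p = 2 * q + 1   # 2039, also prime, so Z_p^* has a subgroup of order q
g = 4           # quadratic residue != 1 mod p, hence a generator of that subgroup

def rand_zq():
    return secrets.randbelow(q - 1) + 1          # uniform in Z_q^*

def e(a, b):
    """Bilinear map e(a*Q, b*Q) = g^(a*b); elements of G are scalars because Q = 1."""
    return pow(g, (a * b) % q, p)

def H(tag, *parts):
    """SH_0 / SH_1 stand-in: length-prefixed SHA-256 over the inputs, reduced into Z_q."""
    h = hashlib.sha256(tag)
    for x in parts:
        b = x if isinstance(x, bytes) else str(x).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % q

def SE(EK, data):
    """SE/SD stand-in: XOR with a SHA-256 counter keystream derived from EK (SD is SE)."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(EK.to_bytes(4, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(m ^ s for m, s in zip(data, stream))

def split(sk):
    """Partition sk into two additive shares, sk = s0 + s1 mod q, as in the key generation."""
    w = rand_zq()
    return [w, (sk - w) % q]

def refresh(shares, h=None):
    """Per-run update (s0 + h*Q, s1 - h*Q): both shares change, their sum does not."""
    h = rand_zq() if h is None else h
    shares[0] = (shares[0] + h) % q
    shares[1] = (shares[1] - h) % q
    return shares

W, T = rand_zq(), rand_zq()   # the public random elements W, T of SP

def keygen_kgc():
    t = rand_zq()
    return {"sk": split(t), "pk": e(1, t)}        # SK_KGC = t*Q, PK_KGC = e(Q, t*Q)

def keygen_signer():
    x = rand_zq()
    return {"sk": split(x), "pk": e(1, x)}        # PKISK_ID = x*Q, PKIPK_ID = e(Q, x*Q)

def keygen_decrypter(ID_CL, kgc):
    """Decrypter secret key plus the KGC-issued identity key (steps (1)-(4)), all as shares."""
    l = rand_zq()
    refresh(kgc["sk"])                              # the KGC refreshes its shares every run
    f = rand_zq()
    CLIPK = f                                       # (1) CLIPK_ID = f*Q
    rho = H(b"SH0", ID_CL, CLIPK)                   # (2)
    TK = (kgc["sk"][1] + f * (W + rho * T)) % q     # (3) touches share 1 only
    CLISK = (kgc["sk"][0] + TK) % q                 # (4) touches share 0 only
    return {"sk": split(l), "isk": split(CLISK), "pk": e(1, l), "ipk": CLIPK}

def HSE(M, ID_PKI, signer, ID_CL, dec_pk, PK_KGC):
    refresh(signer["sk"])                                            # (1)
    n = rand_zq()                                                    # (2)
    T1 = n
    rho = H(b"SH0", ID_CL, dec_pk["ipk"])
    EK1 = pow(dec_pk["pk"], n, p)
    EK2 = pow(PK_KGC * e(dec_pk["ipk"], W + rho * T) % p, n, p)
    T2 = SE(EK1 ^ EK2, M)                                            # (3) EK = EK1 xor EK2
    beta = H(b"SH1", T1, T2, ID_PKI, ID_CL, M)                       # (4)
    TS = (signer["sk"][0] + n * (W + beta * T)) % q
    T0 = (signer["sk"][1] + TS) % q                                  # (5)
    return (T0, T1, T2, ID_PKI, ID_CL)                               # (6)

def HUSE(CT, PKIPK, dec):
    """Returns M, or None when the signature check of step (6) fails."""
    T0, T1, T2, ID_PKI, ID_CL = CT
    v = rand_zq()                                                    # (1) one v for both keys
    refresh(dec["sk"], v)
    refresh(dec["isk"], v)
    TEK1, TEK2 = e(T1, dec["sk"][0]), e(T1, dec["isk"][0])           # (2) share 0 only
    EK1 = TEK1 * e(T1, dec["sk"][1]) % p                             # (3) share 1 only
    EK2 = TEK2 * e(T1, dec["isk"][1]) % p
    M = SE(EK1 ^ EK2, T2)                                            # (4) SD = SE here
    beta = H(b"SH1", T1, T2, ID_PKI, ID_CL, M)                       # (5)
    if e(1, T0) != PKIPK * e(T1, W + beta * T) % p:                  # (6)
        return None
    return M
```

Each refresh adds $h\cdot Q$ to one share and subtracts it from the other, so the two computation steps that consume a key (steps (2) and (3) of $\textit{HUSE}$, steps (4) and (5) of $\textit{HSE}$) each touch exactly one share, which is what lets the leak functions ${f_{\textit{HS},j}},{h_{\textit{HS},j}}$ and ${f_{\textit{HUS},k}},{h_{\textit{HUS},k}}$ be applied to one share at a time. A ciphertext with a modified ${T_{0}}$ still decrypts in step (4) but is rejected by the pairing check in step (6).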

5 Security Analysis

In Definitions 2 and 3, we define two adversary games ${\textit{Game}_{1}}$ and ${\textit{Game}_{2}}$, respectively, to model the content unforgeability (authentication) and the message confidentiality in the LR-HSC-HPKS scheme. Under ${\textit{Game}_{1}}$ and ${\textit{Game}_{2}}$, Theorems 1 and 2 show that the LR-HSC-HPKS scheme is EUF-ACMSCA-secure and EIND-CCSCA-secure against both ${A_{I}}$ and ${A_{\textit{II}}}$, respectively.
Theorem 1.
Based on the SH assumption and the DL assumption in the GBG model, the LR-HSC-HPKS scheme is EUF-ACMSCA-secure against adversaries A (${A_{I}}$ and ${A_{\textit{II}}}$).
Proof.
An adversary A and a challenger B cooperatively play ${\textit{Game}_{1}}$ as follows.
  • – Initialization phase. B runs the System setup in Definition 1 to generate $\textit{SP}=\{G,{G_{1}},\hat{e},Q,{Q_{1}},q,W,T,\textit{SE}/\textit{SD},{\textit{SH}_{0}},{\textit{SH}_{1}}\}$, the CA’s secret/public key pair (${\textit{SK}_{\textit{CA}}},{\textit{PK}_{\textit{CA}}}$) and the KGC’s secret/public key pair $({\textit{SK}_{\textit{KGC}}},{\textit{PK}_{\textit{KGC}}})$. Additionally, if A is an ${A_{\textit{II}}}$, both ${\textit{SK}_{\textit{CA}}}$ and ${\textit{SK}_{\textit{KGC}}}$ are sent to ${A_{\textit{II}}}$. Also, six initially empty lists ${\textit{LT}_{a}}$, ${\textit{LT}_{b}}$, ${\textit{LT}_{\textit{SK}}}$, ${\textit{LT}_{\textit{ISK}}}$, ${\textit{LT}_{\textit{HSE}}}$ and ${\textit{LT}_{\textit{SH}}}$ are constructed as follows.
    • • ${\textit{LT}_{a}}$: Each element of G is recorded as a pair of (multi-variate polynomial, bit-string) in ${\textit{LT}_{a}}$, represented as ($\Psi {G_{x,y,z}},\Omega {G_{x,y,z}}$), where the three x, y and z, denote type-x query, y-th query and z-th item, respectively. Also, B records ($\Psi Q,\Omega {G_{S,0,1}}$), ($\Psi W,\Omega {G_{S,0,2}}$), ($\Psi T,\Omega {G_{S,0,3}}$), $(\Psi {\textit{SK}_{\textit{CA}}},\Omega {G_{S,0,4}})$ and $(\Psi {\textit{SK}_{\textit{KGC}}},\Omega {G_{S,0,5}})$ in ${\textit{LT}_{a}}$. In the subsequent Query phase, there is an auto-transformation process that can transform $\Psi {G_{x,y,z}}$ (or $\Omega {G_{x,y,z}}$) to $\Omega {G_{x,y,z}}$ (or $\Psi {G_{x,y,z}}$).
    • • ${\textit{LT}_{b}}$: Each element of ${G_{1}}$ is recorded as a pair of (multi-variate polynomial, bit-string) in ${\textit{LT}_{b}}$, represented as $(\Psi {G_{1,x,y,z}},\Omega {G_{1,x,y,z}})$, where x, y and z are identical with those in ${\textit{LT}_{a}}$. Additionally, B records $(\Psi {\textit{PK}_{\textit{CA}}},\Omega {G_{1,S,0,1}})$ and ($\Psi {\textit{PK}_{\textit{KGC}}},\Omega {G_{1,S,0,2}}$) in ${\textit{LT}_{b}}$. Also, there is an auto-transformation process that can transform $\Psi {G_{1,x,y,z}}$ (or $\Omega {G_{1,x,y,z}}$) to $\Omega {G_{1,x,y,z}}$ (or $\Psi {G_{1,x,y,z}}$).
    • • ${\textit{LT}_{\textit{SK}}}$: A secret/public key pair of ${\textit{ID}_{\textit{PKI}}}/{\textit{ID}_{\textit{CL}}}$ is recorded as a tuple $({\textit{ID}_{\textit{PKI}}}/{\textit{ID}_{\textit{CL}}},\Psi {\mathit{PKISK}_{\textit{ID}}}/\Psi {\mathit{CLSK}_{\textit{ID}}},\Psi {\mathit{PKIPK}_{\textit{ID}}}/\Psi {\mathit{CLPK}_{\textit{ID}}})$ in ${\textit{LT}_{\textit{SK}}}$.
    • • ${\textit{LT}_{\textit{ISK}}}$: An identity secret/public key pair of ${\textit{ID}_{\textit{CL}}}$ is recorded as a tuple $({\textit{ID}_{\textit{CL}}},\Psi {\mathit{CLISK}_{\textit{ID}}},\Psi {\mathit{CLIPK}_{\textit{ID}}})$ in ${\textit{LT}_{\textit{ISK}}}$.
    • • ${\textit{LT}_{\textit{HSE}}}$: The related contents of requesting the Hybrid signcryption query $(M,{\textit{ID}_{\textit{PKI}}},{\textit{ID}_{\textit{CL}}})$ are recorded as a tuple $(M,\Psi {T_{0}},\Psi {T_{1}},{T_{2}},\Psi {\textit{EK}_{1}},\Psi {\textit{EK}_{2}},\Psi \beta ,{\textit{ID}_{\textit{PKI}}},{\textit{ID}_{\textit{CL}}})$ in ${\textit{LT}_{\textit{HSE}}}$.
    • • ${\textit{LT}_{\textit{SH}}}$: The related contents of requesting ${\textit{SH}_{1}}()$ are recorded as a pair $(\Omega {T_{1}}||{T_{2}}||{\textit{ID}_{\textit{PKI}}}||{\textit{ID}_{\textit{CL}}}||M,\Omega \beta )$.
  • – Query phase: A (${A_{I}}$ or ${A_{\textit{II}}}$) may adaptively request various kinds of queries (oracles) to B at most p times as follows.
    • • ${O_{a}}$ query ($\Omega {G_{O,r,i}},\Omega {G_{O,r,j}},\textit{OP}$): B first transforms $(\Omega {G_{O,r,i}},\Omega {G_{O,r,j}})$ to $(\Psi {G_{O,r,i}},\Psi {G_{O,r,j}})$. B computes $\Psi {G_{O,r,k}}=\Psi {G_{O,r,i}}+\Psi {G_{O,r,j}}$ if $\textit{OP}$ is “addition”. Otherwise, B computes $\Psi {G_{O,r,k}}=\Psi {G_{O,r,i}}-\Psi {G_{O,r,j}}$. Also, B records ($\Psi {G_{O,r,k}},\Omega {G_{O,r,k}}$) in ${\textit{LT}_{a}}$.
    • • ${O_{m}}$ query $(\Omega {G_{1,O,r,i}},\Omega {G_{1,O,r,j}},\textit{OP})$: B first transforms $(\Omega {G_{1,O,r,i}},\Omega {G_{1,O,r,j}})$ to $(\Psi {G_{1,O,r,i}},\Psi {G_{1,O,r,j}})$. B computes $\Psi {G_{1,O,r,k}}=\Psi {G_{1,O,r,i}}+\Psi {G_{1,O,r,j}}$ if $\textit{OP}$ is “multiplication”. Otherwise, B computes $\Psi {G_{1,O,r,k}}=\Psi {G_{1,O,r,i}}-\Psi {G_{1,O,r,j}}$. Also, B records ($\Psi {G_{1,O,r,k}},\Omega {G_{1,O,r,k}}$) in ${\textit{LT}_{b}}$.
    • • ${O_{\hat{e}}}$ query ($\Omega {G_{O,r,i}},\Omega {G_{O,r,j}}$): B first transforms $(\Omega {G_{O,r,i}},\Omega {G_{O,r,j}})$ to $(\Psi {G_{O,r,i}},\Psi {G_{O,r,j}})$. B computes $\Psi {G_{1,O,r,k}}=\Psi {G_{O,r,i}}\cdot \Psi {G_{O,r,j}}$ and records $(\Psi {G_{1,O,r,k}},\Omega {G_{1,O,r,k}})$ in ${\textit{LT}_{b}}$.
    • • Signer secret key query $({\textit{ID}_{\textit{PKI}}})$: B uses ${\textit{ID}_{\textit{PKI}}}$ to find $({\textit{ID}_{\textit{PKI}}},\Psi {\mathit{PKISK}_{\textit{ID}}},\Psi {\mathit{PKIPK}_{\textit{ID}}})$ in ${\textit{LT}_{\textit{SK}}}$. If found, B transforms $\Psi {\mathit{PKISK}_{\textit{ID}}}$ to return $\Omega {\mathit{PKISK}_{\textit{ID}}}$. Otherwise, B chooses $\Psi \textit{GR}$ in G and computes $\Psi \textit{PKR}=\Psi Q\cdot \Psi \textit{GR}$. B records $({\textit{ID}_{\textit{PKI}}},\Psi {\mathit{PKISK}_{\textit{ID}}}=\Psi \textit{GR},\Psi {\mathit{PKIPK}_{\textit{ID}}}=\Psi \textit{PKR})$ in ${\textit{LT}_{\textit{SK}}}$. Also, B respectively records ($\Psi \textit{GR},\Omega \textit{GR}$) and ($\Psi \textit{PKR},\Omega \textit{PKR}$) in ${\textit{LT}_{a}}$ and ${\textit{LT}_{b}}$, and returns $\Omega \textit{GR}$ and $\Omega \textit{PKR}$.
    • • Signer certificate query (${\textit{ID}_{\textit{PKI}}},\Omega {\mathit{PKIPK}_{\textit{ID}}}$): For the i-th request of this query, B first updates the old secret key $\Psi {\textit{SK}_{\textit{CA}}}=(\Psi {\textit{SK}_{\textit{CA},i-1,0}},\Psi {\textit{SK}_{\textit{CA},i-1,1}}$) to the new secret key $\Psi {\textit{SK}_{\textit{CA}}}=(\Psi {\textit{SK}_{\textit{CA},i,0}},\Psi {\textit{SK}_{\textit{CA},i,1}}$), and uses ($\Psi {\textit{SK}_{\textit{CA},i,0}},\Psi {\textit{SK}_{\textit{CA},i,1}}$) to generate and return the signer ${\textit{ID}_{\textit{PKI}}}$’s certificate ${\textit{CRT}_{\textit{ID}}}$.
    • • Signer certificate leak query $(i,{f_{\textit{SCG},i}},{h_{\textit{SCG},i}})$: For the i-th request of the Signer certificate query, the leak query can only be requested once. B returns $\Delta {f_{\textit{SCG},i}}={f_{\textit{SCG},i}}({\textit{SK}_{\textit{CA},i,0}}$) and $\Delta {h_{\textit{SCG},i}}={h_{\textit{SCG},i}}({\textit{SK}_{\textit{CA},i,1}}$).
    • • Decrypter identity secret key query (${\textit{ID}_{\textit{CL}}}$). For the i-th request of this query, B first updates the old secret key $\Psi {\textit{SK}_{\textit{KGC}}}=(\Psi {\textit{SK}_{\textit{KGC},i-1,0}},\Psi {\textit{SK}_{\textit{KGC},i-1,1}}$) to the new secret key $\Psi {\textit{SK}_{\textit{KGC}}}=(\Psi {\textit{SK}_{\textit{KGC},i,0}},\Psi {\textit{SK}_{\textit{KGC},i,1}}$). B chooses $\Psi \textit{GT}$ and $\Psi \rho $ in G, and generates the $\textit{decrypter}$ ${\textit{ID}_{\textit{CL}}}$’s identity secret/public key pair ($\Psi {\mathit{CLISK}_{\textit{ID}}}=\Psi {\textit{SK}_{\textit{KGC}}}+\Psi \textit{GT}\cdot (\Psi W+\Psi \rho \cdot \Psi T),\Psi {\mathit{CLIPK}_{\textit{ID}}}=\Psi \textit{GT})$. B records ($\Psi {\mathit{CLISK}_{\textit{ID}}},\Omega {\mathit{CLISK}_{\textit{ID}}}$), ($\Psi {\mathit{CLIPK}_{\textit{ID}}},\Omega {\mathit{CLIPK}_{\textit{ID}}}$) and ($\Psi \rho ,\Omega \rho ={\textit{ID}_{\textit{CL}}}||\Omega {\mathit{CLIPK}_{\textit{ID}}}$) in ${\textit{LT}_{a}}$. Also, B records (${\textit{ID}_{\textit{CL}}},\Psi {\mathit{CLISK}_{\textit{ID}}},\Psi {\mathit{CLIPK}_{\textit{ID}}}$) in ${\textit{LT}_{\textit{ISK}}}$, and returns both $\Omega {\mathit{CLISK}_{\textit{ID}}}$ and $\Omega {\mathit{CLIPK}_{\textit{ID}}}$.
    • • Decrypter identity secret key leak query $(i,{f_{\textit{ISKG},i}},{h_{\textit{ISKG},i}})$. For the i-th request of the Decrypter identity secret key query, the leak query can only be requested once. B returns $\Delta {f_{\textit{ISKG},i}}={f_{\textit{ISKG},i}}({\textit{SK}_{\textit{KGC},i,0}})$ and $\Delta {h_{\textit{ISKG},i}}={h_{\textit{ISKG},i}}({\textit{SK}_{\textit{KGC},i,1}})$.
    • • Decrypter public key replace query $({\textit{ID}_{\textit{CL}}},(\Omega {\textit{CLPK}^{\prime }_{\textit{ID}}},\Omega {\textit{CLIPK}^{\prime }_{\textit{ID}}}))$. B transforms $(\Omega {\textit{CLPK}^{\prime }_{\textit{ID}}},\Omega {\textit{CLIPK}^{\prime }_{\textit{ID}}})$ to $(\Psi {\textit{CLPK}^{\prime }_{\textit{ID}}},\Psi {\textit{CLIPK}^{\prime }_{\textit{ID}}})$. B then replaces the recorded public keys by modifying $({\textit{ID}_{\textit{CL}}},-,\Psi {\textit{CLPK}^{\prime }_{\textit{ID}}})$ in ${\textit{LT}_{\textit{SK}}}$ and $({\textit{ID}_{\textit{CL}}},-,\Psi {\textit{CLIPK}^{\prime }_{\textit{ID}}})$ in ${\textit{LT}_{\textit{ISK}}}$.
    • • Decrypter secret key query (${\textit{ID}_{\textit{CL}}}$). B uses ${\textit{ID}_{\textit{CL}}}$ to find $({\textit{ID}_{\textit{CL}}},\Psi {\mathit{CLSK}_{\textit{ID}}},\Psi {\mathit{CLPK}_{\textit{ID}}})$ in ${\textit{LT}_{\textit{SK}}}$. If found, B transforms $\Psi {\mathit{CLSK}_{\textit{ID}}}$ to return $\Omega {\mathit{CLSK}_{\textit{ID}}}$. Otherwise, B chooses $\Psi \textit{GR}$ in G and computes $\Psi \textit{PKR}=\Psi Q\cdot \Psi \textit{GR}$. B records $({\textit{ID}_{\textit{CL}}},\Psi {\mathit{CLSK}_{\textit{ID}}}=\Psi \textit{GR},\Psi {\mathit{CLPK}_{\textit{ID}}}=\Psi \textit{PKR})$ in ${\textit{LT}_{\textit{SK}}}$. Also, B respectively records ($\Psi \textit{GR},\Omega \textit{GR}$) and $(\Psi \textit{PKR},\Omega \textit{PKR})$ in ${\textit{LT}_{a}}$ and ${\textit{LT}_{b}}$, and returns both $\Omega \textit{GR}$ and $\Omega \textit{PKR}$.
    • • Hybrid signcryption query ($M,{\textit{ID}_{\textit{PKI}}},{\textit{ID}_{\textit{CL}}}$): B first updates the signer ${\textit{ID}_{\textit{PKI}}}$’s old secret key $\Psi {\mathit{PKISK}_{\textit{ID}}}=(\Psi {\mathit{PKISK}_{\mathit{ID},j-1,0}},\Psi {\mathit{PKISK}_{\mathit{ID},j-1,1}})$ to the new secret key $\Psi {\mathit{PKISK}_{\textit{ID}}}=(\Psi {\mathit{PKISK}_{\mathit{ID},j,0}},\Psi {\mathit{PKISK}_{\mathit{ID},j,1}})$. B performs the following detailed processes to return $\textit{CT}$.
      • (1) By ${\textit{ID}_{\textit{CL}}}$, find (${\textit{ID}_{\textit{CL}}},\Psi {\mathit{CLIPK}_{\textit{ID}}},\Psi {\mathit{CLISK}_{\textit{ID}}}$) in ${\textit{LT}_{\textit{ISK}}}$ and (${\textit{ID}_{\textit{CL}}},\Psi {\mathit{CLPK}_{\textit{ID}}},\Psi {\mathit{CLSK}_{\textit{ID}}}$) in ${\textit{LT}_{\textit{SK}}}$. Meanwhile, transform $\Psi {\mathit{CLIPK}_{\textit{ID}}}$ to $\Omega {\mathit{CLIPK}_{\textit{ID}}}$.
      • (2) Select $\Psi \rho $ and $\Psi n$ in G and record ($\Psi \rho ,{\textit{ID}_{\textit{CL}}}||\Omega {\mathit{CLIPK}_{\textit{ID}}}$) in ${\textit{LT}_{a}}$.
      • (3) Compute $\Psi {\textit{EK}_{1}}=\Psi {\mathit{CLPK}_{\textit{ID}}}\cdot \Psi n$ and $\Psi {\textit{EK}_{2}}=(\Psi {\textit{PK}_{\textit{KGC}}}+(\Psi {\mathit{CLIPK}_{\textit{ID}}}\cdot (\Psi W+\Psi \rho \cdot \Psi T)))\cdot \Psi n$.
      • (4) Transform $\Psi n$, $\Psi {\textit{EK}_{1}}$ and $\Psi {\textit{EK}_{2}}$ to $\Omega n$, $\Omega {\textit{EK}_{1}}$ and $\Omega {\textit{EK}_{2}}$, respectively.
      • (5) Compute $\Omega EK=\Omega {\textit{EK}_{1}}\oplus \Omega {\textit{EK}_{2}}$ and ${T_{2}}={\textit{SE}_{\Omega EK}}(M)$.
      • (6) Compute $\Omega \beta ={\textit{SH}_{1}}(\Omega n,{T_{2}},{\textit{ID}_{\textit{PKI}}},{\textit{ID}_{\textit{CL}}},M)$, select $\Psi \beta $ in G, and record ($\Psi \beta ,\Omega \beta $) in ${\textit{LT}_{a}}$.
      • (7) Compute $\Psi {T_{0}}=\Psi {\mathit{PKISK}_{\textit{ID}}}+(\Psi n\cdot (\Psi W+\Psi T\cdot \Psi \beta ))$ and transform $\Psi {T_{0}}$ to $\Omega {T_{0}}$.
      • (8) Record ($M,\Psi {T_{0}},\Psi n,{T_{2}},\Psi {\textit{EK}_{1}},\Psi {\textit{EK}_{2}},\Psi \beta ,{\textit{ID}_{\textit{PKI}}},{\textit{ID}_{\textit{CL}}}$) in ${L_{\textit{HSE}}}$.
      • (9) Return $\textit{CT}=(\Omega {T_{0}},\Omega n,{T_{2}},{\textit{ID}_{\textit{PKI}}},{\textit{ID}_{\textit{CL}}})$.
    • • Hybrid signcryption leak query (${\textit{ID}_{\textit{PKI}}},j,{f_{\textit{HS},j}},{h_{\textit{HS},j}}$): For the signer ${\textit{ID}_{\textit{PKI}}}$’s j-th request of the Hybrid signcryption query, the leak query can only be requested once. B returns $\Delta {f_{\textit{HS},j}}={f_{\textit{HS},j}}({\mathit{PKISK}_{\mathit{ID},j,0}})$ and $\Delta {h_{\textit{HS},j}}={h_{\textit{HS},j}}({\mathit{PKISK}_{\mathit{ID},j,1}})$.
    • • Hybrid unsigncryption query ($\textit{CT},{\textit{ID}_{\textit{PKI}}},{\textit{ID}_{\textit{CL}}}$): B first updates the decrypter ${\textit{ID}_{\textit{CL}}}$’s old secret key $\Psi {\mathit{CLSK}_{\textit{ID}}}=(\Psi {\mathit{CLSK}_{\mathit{ID},k-1,0}},\Psi {\mathit{CLSK}_{\mathit{ID},k-1,1}})$ and old identity secret key $\Psi {\mathit{CLISK}_{\textit{ID}}}=(\Psi {\mathit{CLISK}_{\mathit{ID},k-1,0}},\Psi {\mathit{CLISK}_{\mathit{ID},k-1,1}})$ to the new keys $\Psi {\mathit{CLSK}_{\textit{ID}}}=(\Psi {\mathit{CLSK}_{\mathit{ID},k,0}},\Psi {\mathit{CLSK}_{\mathit{ID},k,1}})$ and $\Psi {\mathit{CLISK}_{\textit{ID}}}=(\Psi {\mathit{CLISK}_{\mathit{ID},k,0}},\Psi {\mathit{CLISK}_{\mathit{ID},k,1}})$, respectively. B performs the following detailed processes to return M.
      • (1) By ${\textit{ID}_{\textit{PKI}}}$, find (${\textit{ID}_{\textit{PKI}}},\Psi {\mathit{PKIPK}_{\textit{ID}}}$) in ${\textit{LT}_{\textit{SK}}}$ and transform $\Psi {\mathit{PKIPK}_{\textit{ID}}}$ to $\Omega {\mathit{PKIPK}_{\textit{ID}}}$.
      • (2) Transform $\Omega {T_{0}}$ and $\Omega n$ to $\Psi {T_{0}}$ and $\Psi n$, respectively.
      • (3) Compute $\Psi {\textit{EK}_{1}}=\Psi n\cdot \Psi {\mathit{CLSK}_{\textit{ID}}}$ and $\Psi {\textit{EK}_{2}}=\Psi n\cdot \Psi {\mathit{CLISK}_{\textit{ID}}}$.
      • (4) Set $\Omega \beta ={\textit{SH}_{1}}(\Omega n,{T_{2}},{\textit{ID}_{\textit{PKI}}},{\textit{ID}_{\textit{CL}}},M)$ and transform $\Omega \beta $ to $\Psi \beta $.
      • (5) Use ($\Psi {T_{0}},\Psi n,{T_{2}},\Psi {\textit{EK}_{1}},\Psi {\textit{EK}_{2}},\Psi \beta ,{\textit{ID}_{\textit{PKI}}},{\textit{ID}_{\textit{CL}}}$) to find ($M,\Psi {T_{0}},\Psi n,{T_{2}},\Psi {\textit{EK}_{1}},\Psi {\textit{EK}_{2}},\Psi \beta ,{\textit{ID}_{\textit{PKI}}},{\textit{ID}_{\textit{CL}}}$) in ${L_{\textit{HSE}}}$.
      • (6) If found, return M. Otherwise, return “invalid”.
    • • Hybrid unsigncryption leak query (${\textit{ID}_{\textit{CL}}},k,{f_{\textit{HUS},k}},{h_{\textit{HUS},k}}$): For the decrypter ${\textit{ID}_{\textit{CL}}}$’s k-th request of the Hybrid unsigncryption query, the leak query can only be requested once. B returns $\Delta {f_{\textit{HUS},k}}={f_{\textit{HUS},k}}({\mathit{CLSK}_{\mathit{ID},k,0}},{\mathit{CLSK}_{\mathit{ID},k,1}})$ and $\Delta {h_{\textit{HUS},k}}={h_{\textit{HUS},k}}({\mathit{CLISK}_{\mathit{ID},k,0}},{\mathit{CLISK}_{\mathit{ID},k,1}})$.
  • – Forgery phase: Assume that A forges a ciphertext ${\textit{CT}^{\ast }}=({T_{0}^{\ast }},{{T^{\ast }}_{1}},{{T^{\ast }}_{2}},{{\textit{ID}^{\ast }}_{\textit{PKI}}},{{\textit{ID}^{\ast }}_{\textit{CL}}})$ for the message ${M^{\ast }}$. We say that A wins ${\textit{Game}_{1}}$ when the three provisions mentioned in the Forgery phase of Definition 2 (i.e. ${\textit{Game}_{1}}$) are true.
In the following, let us first evaluate the advantage of ${A_{I}}$ without requesting any leak queries in ${\textit{Game}_{1}}$, denoted as ${\textit{Adv}_{1}}({A_{I-wo}})$. By ${\textit{Adv}_{1}}({A_{I-wo}})$, we then evaluate the advantage of ${A_{I}}$ with requesting all leak queries in ${\textit{Game}_{1}}$, denoted as ${\textit{Adv}_{1}}({A_{I}})$. By similar analysis, ${\textit{Adv}_{1}}({A_{\textit{II}}})$ is also gained.
  • ■ The evaluation of ${\textbf{Adv}_{\textbf{1}}}({\textbf{A}_{\textbf{I}-\textbf{wo}}})$: In the GBG model, if adversaries can find collisions in G and ${G_{1}}$, the discrete logarithm problem in G and ${G_{1}}$ will be resolved. The total number of elements in both ${\textit{LT}_{a}}$ and ${\textit{LT}_{b}}$ is first counted. In the Query phase, ${A_{I}}$ may request various kinds of queries (oracles) to B at most p times while the number of the added elements in a query (i.e. the Hybrid signcryption query) is at most 6. Therefore, we have $|{\textit{LT}_{a}}|+|{\textit{LT}_{b}}|\leqq 6p$. Also, the maximal degrees of polynomials in ${\textit{LT}_{a}}$ and ${\textit{LT}_{b}}$ are 3 and 6, respectively. Moreover, ${\textit{Adv}_{1}}({A_{I-wo}})$ includes two cases’ probabilities as evaluated below.
    • (1) $\text{Pb}[\textit{Forgery}]$: Let $\text{Pb}[\textit{Forgery}]$ denote the probability that ${A_{I}}$ forges a ciphertext ${\textit{CT}^{\ast }}=({{T^{\ast }}_{0}},{{T^{\ast }}_{1}},{{T^{\ast }}_{2}},{{\textit{ID}^{\ast }}_{\textit{PKI}}},{{\textit{ID}^{\ast }}_{\textit{CL}}})$ for a message ${M^{\ast }}$ that satisfies $\hat{e}(Q,{{T^{\ast }}_{0}})={\mathit{PKIPK}_{{\textit{ID}^{\ast }}}}\cdot \hat{e}({{T^{\ast }}_{1}},(W+{\beta ^{\prime }}\cdot T))$ in the Hybrid unsigncryption. That is, we have $\Psi Q\cdot \Psi {{T^{\ast }}_{0}}=\Psi {\mathit{PKIPK}_{ID\ast }}+\Psi {{T^{\ast }}_{1}}\cdot (\Psi W+\Psi {\beta ^{\prime }}\cdot \Psi T)$ and set $\Psi f=\Psi Q\cdot \Psi {{T^{\ast }}_{0}}-(\Psi {\mathit{PKIPK}_{ID\ast }}+\Psi {{T^{\ast }}_{1}}\cdot (\Psi W+\Psi {\beta ^{\prime }}\cdot \Psi T))$ that has degree 3. By Lemma 2, we have $\text{Pb}[\textit{Forgery}]=3/q$ because the probability of $\Psi f=0$ is $3/q$.
    • (2) $\text{Pb}[\textit{Collision}]$: Let $\text{Pb}[\textit{Collision}]$ denote the probability that ${A_{I}}$ may find collisions in ${\textit{LT}_{a}}$ or ${\textit{LT}_{b}}$. Assume that the polynomials in ${\textit{LT}_{a}}$ have s variates, represented by using s random integers ${u_{i}}\in {{Z_{q}}^{\ast }}$, for $i=1,2,\dots ,s$. Let ($\Psi {G_{j}},\Psi {G_{k}}$) denote a pair of two different polynomials in ${\textit{LT}_{a}}$ so that there are $\left(\genfrac{}{}{0pt}{}{|{\textit{LT}_{a}}|}{2}\right)$ pairs of ($\Psi {G_{j}},\Psi {G_{k}}$). For each pair, we set $\Psi {G_{l}}({u_{1}},{u_{2}},\dots ,{u_{s}})=\Psi {G_{j}}-\Psi {G_{k}}$. If there exists any $\Psi {G_{l}}=0$, a collision in ${\textit{LT}_{a}}$ has occurred. Since there are $\left(\genfrac{}{}{0pt}{}{|{\textit{LT}_{a}}|}{2}\right)$ pairs of ($\Psi {G_{j}},\Psi {G_{k}}$) and the maximal degree of polynomials in ${\textit{LT}_{a}}$ is 3, we have that $\text{Pb}[\textit{Collision}]$ in ${\textit{LT}_{a}}$ is $(3/q)\left(\genfrac{}{}{0pt}{}{|{\textit{LT}_{a}}|}{2}\right)$. By similar arguments, we have that $\text{Pb}[\textit{Collision}]$ in ${\textit{LT}_{b}}$ is $(6/q)\left(\genfrac{}{}{0pt}{}{|{\textit{LT}_{b}}|}{2}\right)$. Since $|{\textit{LT}_{a}}|+|{\textit{LT}_{b}}|\leqq 6p$, we have
      \[\begin{aligned}{}\text{Pb}[\textit{Collision}]& \leqq (3/q)\left(\genfrac{}{}{0pt}{}{|{\textit{LT}_{a}}|}{2}\right)+(6/q)\left(\genfrac{}{}{0pt}{}{|{\textit{LT}_{b}}|}{2}\right)\\ {} & \leqq (6/q){\big(|{\textit{LT}_{a}}|+|{\textit{LT}_{b}}|\big)^{2}}\\ {} & \leqq 216{p^{2}}/q=O\big({p^{2}}/q\big).\end{aligned}\]
    Due to the above discussions, we have
    \[\begin{aligned}{}{\textit{Adv}_{1}}({A_{I-wo}})& =\text{Pb}[\textit{Forgery}]+\text{Pb}[\textit{Collision}]\\ {} & \leqq 3/q+O\big({p^{2}}/q\big)\\ {} & =O\big({p^{2}}/q\big).\end{aligned}\]
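To make the bookkeeping behind the ${O_{a}}$, ${O_{m}}$ and ${O_{\hat{e}}}$ queries and the $\text{Pb}[\textit{Collision}]$ bound concrete, the following Python simulator is an added example (not code from the paper or its authors): it keeps every group element as a polynomial in the unknown exponents (the $\Psi$ form), hands the adversary only random labels (the $\Omega$ form), and tracks ${\textit{LT}_{a}}$ and ${\textit{LT}_{b}}$ the way B does. The toy prime order, the variable indices and the `mul_by_var` helper standing in for B's private scalar multiplications are assumptions.

```python
# Added example, not the paper's code: toy simulator of the GBG oracles O_a, O_m
# and O_e answered by the challenger B, plus the Pb[Collision] bound they imply.
from itertools import combinations
from math import comb
import secrets

ORDER_Q = 1_000_003  # constructed toy prime group order; the paper uses a 512-bit q

def p_norm(p):  # Psi form: {monomial exponent tuple: coefficient mod q}
    return {m: c % ORDER_Q for m, c in p.items() if c % ORDER_Q}

def p_add(a, b):
    out = dict(a)
    for m, c in b.items():
        out[m] = out.get(m, 0) + c
    return p_norm(out)

def p_sub(a, b):
    return p_add(a, {m: -c for m, c in b.items()})

def p_mul(a, b):
    out = {}
    for ma, ca in a.items():
        for mb, cb in b.items():
            m = tuple(x + y for x, y in zip(ma, mb))
            out[m] = out.get(m, 0) + ca * cb
    return p_norm(out)

def p_eval(p, u):
    """Instantiate the indeterminates with concrete exponents u in Z_q."""
    total = 0
    for m, c in p.items():
        for ui, e in zip(u, m):
            c = c * pow(ui, e, ORDER_Q) % ORDER_Q
        total = (total + c) % ORDER_Q
    return total

class GBG:
    """B's bookkeeping: LT_a (for G) and LT_b (for G_1) hold (Psi, Omega) pairs."""
    def __init__(self, nvars):
        self.nvars, self.lt = nvars, {"a": [], "b": []}

    def _mono(self, i):
        return tuple(1 if j == i else 0 for j in range(self.nvars))

    def variable(self, i, table="a"):
        """Omega label of the i-th indeterminate (an unknown exponent such as W, T or n)."""
        return self._label({self._mono(i): 1}, table)

    def _label(self, poly, table):
        for p, lbl in self.lt[table]:
            if p == poly:  # Psi already recorded: reuse its Omega
                return lbl
        lbl = table + secrets.token_hex(8)  # fresh random encoding
        self.lt[table].append((poly, lbl))
        return lbl

    def _poly(self, lbl, table):  # StopIteration means B never issued this label
        return next(p for p, l in self.lt[table] if l == lbl)

    def o_a(self, li, lj, op="addition"):
        """O_a query: group operation in G on two Omega labels."""
        pi, pj = self._poly(li, "a"), self._poly(lj, "a")
        return self._label(p_add(pi, pj) if op == "addition" else p_sub(pi, pj), "a")

    def o_m(self, li, lj, op="multiplication"):
        """O_m query: group operation in G_1 (the exponent polynomials add)."""
        pi, pj = self._poly(li, "b"), self._poly(lj, "b")
        return self._label(p_add(pi, pj) if op == "multiplication" else p_sub(pi, pj), "b")

    def o_e(self, li, lj):
        """O_e query: pairing G x G -> G_1, i.e. the product of the two polynomials."""
        return self._label(p_mul(self._poly(li, "a"), self._poly(lj, "a")), "b")

    def mul_by_var(self, lbl, i, table="a"):
        """B's private step (not an oracle): scale Psi by an exponent only B knows."""
        return self._label(p_mul(self._poly(lbl, table), {self._mono(i): 1}), table)

    def max_degree(self, table):
        return max((sum(m) for p, _ in self.lt[table] for m in p), default=0)

    def collision_bound(self):
        """The proof's bound: sum over both tables of (max degree / q) * C(|LT|, 2)."""
        return sum(self.max_degree(t) * comb(len(self.lt[t]), 2) for t in "ab") / ORDER_Q

    def collisions(self, u):
        """Pairs whose difference Psi G_l vanishes at u: the event that breaks the simulation."""
        return [(t, lj, lk) for t in "ab"
                for (pj, lj), (pk, lk) in combinations(self.lt[t], 2)
                if p_eval(p_sub(pj, pk), u) == 0]

def simulate_t0():
    """Step (7) of the Hybrid signcryption simulation, Psi T_0 = Psi PKISK + Psi n*(Psi W + Psi T*Psi beta),
    then the pairing e(Q, T_0) examined in the Pb[Forgery] case."""
    QI, W, T, SK, N, BETA = range(6)  # indices of the six indeterminates
    g = GBG(nvars=6)
    w, t, sk = g.variable(W), g.variable(T), g.variable(SK)
    inner = g.o_a(w, g.mul_by_var(t, BETA))  # Psi W + Psi T * Psi beta
    t0 = g.o_a(sk, g.mul_by_var(inner, N))   # degree-3 polynomial recorded in LT_a
    g.o_e(g.variable(QI), t0)                # degree-4 polynomial recorded in LT_b
    return g, t0
```

With the eight entries that `simulate_t0` leaves in ${\textit{LT}_{a}}$ and the one in ${\textit{LT}_{b}}$, `collision_bound()` returns $3\binom{8}{2}/q$, and `collisions(u)` reports a failure only for an instantiation in which two distinct polynomials coincide (for instance when the exponents chosen for W and T are equal).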
  • ■ The evaluation of ${\textbf{Adv}_{\textbf{1}}}({\textbf{A}_{\textbf{I}}})$: By ${\textit{Adv}_{1}}({A_{I-wo}})$, we evaluate the advantage ${\textit{Adv}_{1}}({A_{I}})$ of ${A_{I}}$ with requesting all leak queries in ${\textit{Game}_{1}}$. These leak queries include Signer certificate leak query, Decrypter identity secret key leak query, Hybrid signcryption leak query and Hybrid unsigncryption leak query. Due to the key updating process, any two leaked portions of a secret key are mutually independent. Therefore, ${A_{I}}$ could gain at most $2\tau $ bits of ${\textit{SK}_{\textit{CA}}}$, $2\tau $ bits of ${\textit{SK}_{\textit{KGC}}}$, $2\tau $ bits of ${\mathit{PKISK}_{\textit{ID}}}$, and $2\tau $ bits of both ${\mathit{CLSK}_{\textit{ID}}}$ and ${\mathit{CLISK}_{\textit{ID}}}$. Hence, we have
    \[ {\textit{Adv}_{1}}({A_{I}})\leqq {\textit{Adv}_{1}}({A_{I-wo}})\cdot {2^{2\tau }}=O\big(\big({p^{2}}/q\big)\cdot {2^{2\tau }}\big).\]
    It is obvious that ${\textit{Adv}_{1}}({A_{I}})=O(({p^{2}}/q)\cdot {2^{2\tau }})$ is negligible if $p=\textit{poly}(\log q)$ by Lemma 2.
  • ■ The evaluation of ${\textbf{Adv}_{\textbf{1}}}({\textbf{A}_{\textbf{II}}})$: ${A_{\textit{II}}}$ models the attacking ability of a malicious CA/KGC who holds both ${\textit{SK}_{\textit{CA}}}$ and ${\textit{SK}_{\textit{KGC}}}$. Therefore, ${A_{\textit{II}}}$ could gain at most $2\tau $ bits of ${\mathit{PKISK}_{\textit{ID}}}$, and $2\tau $ bits of ${\mathit{CLSK}_{\textit{ID}}}$ or ${\mathit{CLISK}_{\textit{ID}}}$. By the same analysis as for ${\textit{Adv}_{1}}({A_{I}})$, we also have ${\textit{Adv}_{1}}({A_{\textit{II}}})=O(({p^{2}}/q)\cdot {2^{2\tau }})$, which is negligible if $p=\textit{poly}(\log q)$ by Lemma 2.
 □
Theorem 2.
Based on the SH assumption and the DL assumption in the GBG model, the LR-HSC-HPKS scheme is EIND-CCSCA-secure against adversaries A (${A_{I}}$ and ${A_{\textit{II}}}$).
Proof.
An adversary A and a challenger B cooperatively play ${\textit{Game}_{2}}$ as follows.
  • – Initialization phase: It is exactly the same as the Initialization phase in the proof of Theorem 1.
  • – Query phase: It is exactly like the Query phase of Theorem 1.
  • – Challenge phase: A selects a target decrypter ${{\textit{ID}^{\ast }}_{\textit{CL}}}$ and a message pair (${M_{0}},{M_{1}}$) as a challenge objective. B randomly selects $c\in \{0,1\}$ and generates a challenge ciphertext ${\textit{CT}^{\ast }}$ by running the Hybrid signcryption with (${M_{c}},{\textit{ID}_{\textit{PKI}}},{{\textit{ID}^{\ast }}_{\textit{CL}}}$). Also, B sends ${\textit{CT}^{\ast }}$ to A. Note that two provisions mentioned in the Challenge phase of Definition 3 (i.e. ${\textit{Game}_{2}}$) must be satisfied.
  • – Guessing phase: A outputs ${c^{\prime }}\in \{0,1\}$ and wins ${\textit{Game}_{2}}$ if ${c^{\prime }}=c$. Meanwhile, A’s advantage is defined as $Adv(A)=|\text{Pb}[{c^{\prime }}=c]-1/2|$.
By similar evaluations as in the proof of Theorem 1, we can evaluate the advantages of ${A_{I}}$ without requesting any leak queries in ${\textit{Game}_{2}}$, denoted as ${\textit{Adv}_{2}}({A_{I-wo}})$. By ${\textit{Adv}_{2}}({A_{I-wo}})$, we then evaluate the advantage of ${A_{I}}$ with requesting all leak queries in ${\textit{Game}_{2}}$, denoted as ${\textit{Adv}_{2}}({A_{I}})$. By similar analysis, ${\textit{Adv}_{2}}({A_{\textit{II}}})$ is also gained.
  • ■ The evaluation of ${\textbf{Adv}_{\textbf{2}}}({\textbf{A}_{\textbf{I}-\textbf{wo}}})$: ${\textit{Adv}_{2}}({A_{I-wo}})$ includes two cases’ probabilities as evaluated below.
    • (1) Pb[Guessing]: Since ${A_{I-wo}}$ is not permitted to request any leak query, there is no useful information about secret keys. Therefore, the probability of guessing ${c^{\prime }}=c$ is $1/2$, namely, $\text{Pb}[\textit{Guessing}]=1/2$.
    • (2) Pb[Collision]: The probability is identical to the probability Pb[Collision] in the proof of Theorem 1, namely, $\text{Pb}[\textit{Collision}]=O({p^{2}}/q)$.
    Due to the above discussions, we have
    \[\begin{aligned}{}{\textit{Adv}_{2}}({A_{I-wo}})& =\big|\text{Pb}\big[{c^{\prime }}=c\big]-1/2\big|\\ {} & =\big|\text{Pb}[\textit{Guessing}]-1/2\big|+\big|\text{Pb}[\textit{Collision}]\big|\\ {} & =O\big({p^{2}}/q\big).\end{aligned}\]
  • ■ The evaluation of ${\textbf{Adv}_{\textbf{2}}}({\textbf{A}_{\textbf{I}}})$: By ${\textit{Adv}_{2}}({A_{I-wo}})$, we evaluate the advantage ${\textit{Adv}_{2}}({A_{I}})$ of ${A_{I}}$ with requesting all leak queries in ${\textit{Game}_{2}}$. By the same evaluation as ${\textit{Adv}_{1}}({A_{I}})$ in the proof of Theorem 1, ${A_{I}}$ could gain at most $2\tau $ bits of ${\textit{SK}_{\textit{CA}}}$, $2\tau $ bits of ${\textit{SK}_{\textit{KGC}}}$, $2\tau $ bits of ${\mathit{PKISK}_{\textit{ID}}}$, and $2\tau $ bits of both ${\mathit{CLSK}_{\textit{ID}}}$ and ${\mathit{CLISK}_{\textit{ID}}}$. Hence, we also have
    \[ {\textit{Adv}_{2}}({A_{I}})\leqq {\textit{Adv}_{2}}({A_{I-wo}})\cdot {2^{2\tau }}=O\big(\big({p^{2}}/q\big)\cdot {2^{2\tau }}\big).\]
    It is obvious that ${\textit{Adv}_{2}}({A_{I}})=O(({p^{2}}/q)\cdot {2^{2\tau }})$ is negligible if $p=\textit{poly}(\log q)$ by Lemma 2.
  • ■ The evaluation of ${\textbf{Adv}_{\textbf{2}}}({\textbf{A}_{\textbf{II}}})$: ${A_{\textit{II}}}$ models the attacking ability of a malicious CA/KGC who holds both ${\textit{SK}_{\textit{CA}}}$ and ${\textit{SK}_{\textit{KGC}}}$. Therefore, ${A_{\textit{II}}}$ could gain at most $2\tau $ bits of ${\mathit{PKISK}_{\textit{ID}}}$, and $2\tau $ bits of ${\mathit{CLSK}_{\textit{ID}}}$ or ${\mathit{CLISK}_{\textit{ID}}}$. By the same analysis as for ${\textit{Adv}_{2}}({A_{I}})$, we also have ${\textit{Adv}_{2}}({A_{\textit{II}}})=O(({p^{2}}/q)\cdot {2^{2\tau }})$, which is negligible if $p=\textit{poly}(\log q)$ by Lemma 2.
 □

6 Performance Analysis

In the following, the notations of three time-consuming computations are defined.
  • • ${T_{bil}}$: The computational complexity of running a bilinear pairing $\hat{e}:G\times G\to {G_{1}}$.
  • • ${T_{mul}}$: The computational complexity of running a multiplication in G.
  • • ${T_{exp}}$: The computational complexity of running an exponentiation in ${G_{1}}$.
Based on the performance experiments conducted in Xiong and Qin (2015), Table 3 lists the required costs (ms) of the three time-consuming computations on a mobile device (PDA) and a PC. The security parameter of the bilinear group set $\{G,{G_{1}},\hat{e},Q,{Q_{1}},q\}$ is a 512-bit prime order q. The PDA and the PC are equipped with 624 MHz and 3 GHz CPUs, respectively. Table 4 lists the computational complexities and the required running costs (ms) of our LR-HSC-HPKS scheme for the System setup, User key generation, Hybrid signcryption ($\textit{HSE}$) and Hybrid unsigncryption ($\textit{HUSE}$) algorithms. To achieve the leakage-resilience property, the key updating process must be applied to each secret key, so our scheme incurs some extra computation. Nevertheless, as Table 4 shows, the proposed scheme is well suited to running on both a PDA and a PC. The point is that our scheme is the first hybrid signcryption scheme with leakage resilience.
Table 3
Required costs ($ms$) of three time-consuming computations.
| Devices | ${T_{bil}}$ | ${T_{mul}}$ | ${T_{exp}}$ |
|---|---|---|---|
| PDA | ≈96 ms | ≈30 ms | ≈30 ms |
| PC | ≈20 ms | ≈6 ms | ≈6 ms |
Table 4
Computational complexities and costs (ms) of our LR-HSC-HPKS scheme.
| Algorithms | Computational complexities | Costs on a PDA | Costs on a PC |
|---|---|---|---|
| System setup | ${T_{bil}}+2{T_{mul}}$ | 156 ms | 32 ms |
| User key generation for the PKI-PKS | ${T_{bil}}+3{T_{mul}}$ | 186 ms | 38 ms |
| User key generation for the CL-PKS | ${T_{bil}}+7{T_{mul}}$ | 306 ms | 62 ms |
| Hybrid signcryption | ${T_{bil}}+5{T_{mul}}+2{T_{exp}}$ | 306 ms | 62 ms |
| Hybrid unsigncryption | $6{T_{bil}}+2{T_{mul}}$ | 636 ms | 132 ms |

7 Conclusions and Future Work

In recent years, many scholars have studied hybrid signcryption schemes in heterogeneous environments, but these schemes cannot withstand side-channel attacks, namely, they do not possess the leakage-resilience property. In this paper, the $\textit{first}$ leakage-resilient hybrid signcryption scheme in heterogeneous public-key systems (LR-HSC-HPKS) has been proposed. Also, a new framework and two new adversary games for the LR-HSC-HPKS scheme were defined. Based on the SH assumption and the DL assumption in the GBG model, the proposed LR-HSC-HPKS scheme is EUF-ACMSCA-secure and EIND-CCSCA-secure against adversaries A (${A_{I}}$ and ${A_{\textit{II}}}$), namely, an illegitimate member (${A_{I}}$) and a malicious CA/KGC (${A_{\textit{II}}}$). Furthermore, compared with the previously proposed hybrid signcryption schemes, the proposed scheme has the following merits: (1) It is the first hybrid signcryption scheme resisting side-channel attacks. (2) It possesses the unbounded leakage-resilience property, namely, adversaries are allowed to repeatedly learn a portion of the secret key used in each computation. (3) All secret keys of the proposed scheme are allowed to be leaked to adversaries while the security of the proposed scheme is maintained. Finally, the performance analysis based on computational simulation results shows that the proposed scheme is well suited to running on both a PDA and a PC. In the future, it would be an interesting topic to propose a leakage-resilient hybrid signcryption scheme with equality test functionality in heterogeneous public-key systems.

References

 
Akavia, A., Goldwasser, S., Vaikuntanathan, V. (2009). Simultaneous hardcore bits and cryptography against memory attacks. In: Theory of Cryptography, TCC’09, LNCS, Vol. 5444, pp. 474–495.
 
Ali, I., Lawrence, T., Omala, A.A., Li, F. (2020). An efficient hybrid signcryption scheme with conditional privacy-preservation for heterogeneous vehicular communication in VANETs. IEEE Transactions on Vehicular Technology, 69(10), 11266–11280.
 
Al-Riyami, S., Paterson, K. (2003). Certificateless public key cryptography. In: Advances in Cryptology – ASIACRYPT 2003, LNCS, Vol. 2894, pp. 452–473.
 
Alwen, J., Dodis, Y., Wichs, D. (2009). Leakage-resilient public-key cryptography in the bounded-retrieval model. In: Advances in Cryptology – CRYPTO 2009, LNCS, Vol. 5677, pp. 36–54.
 
Baek, J., Steinfeld, R., Zheng, Y. (2007). Formal proofs for the security of signcryption. Journal of Cryptology, 20(2), 203–235.
 
Barbosa, M., Farshim, P. (2008). Certificateless signcryption. In: Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security, ASIACCS’08, pp. 369–372.
 
Biham, E., Carmeli, Y., Shamir, A. (2008). Bug attacks. In: Advances in Cryptology – CRYPTO 2008, LNCS, Vol. 5157, pp. 221–240.
 
Boneh, D., Franklin, M. (2001). Identity-based encryption from the Weil pairing. In: Advances in Cryptology – CRYPTO 2001, LNCS, Vol. 2139, pp. 213–229.
 
Boneh, D., Boyen, X., Goh, E. (2005). Hierarchical identity-based encryption with constant size ciphertext. In: Advances in Cryptology – EUROCRYPT 2005, LNCS, Vol. 3494, pp. 440–456.
 
Brumley, D., Boneh, D. (2005). Remote timing attacks are practical. Computer Networks, 48(5), 701–716.
 
Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A. (2008). Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM Journal on Computing, 38(1), 97–139.
 
Elkhalil, A., Zhang, J., Elhabob, R., Eltayieb, N. (2021). An efficient signcryption of heterogeneous systems for internet of vehicles. Journal of Systems Architecture, 113, 101885.
 
Galindo, D., Vivek, S. (2013). A practical leakage-resilient signature scheme in the generic group model. In: Selected Areas in Cryptography, SAC’12, LNCS, Vol. 7707, pp. 50–65.
 
Galindo, D., Grobschadl, J., Liu, Z., Vadnala, P., Vivek, S. (2016). Implementation of a leakage-resilient ElGamal key encapsulation mechanism. Journal of Cryptographic Engineering, 6(3), 229–238.
 
Hou, Y., Huang, X., Chen, Y., Kumari, S., Xiong, H. (2021). Heterogeneous signcryption scheme supporting equality test from PKI to CLC toward IoT. Transactions on Emerging Telecommunications Technologies, 32(8), e4190.
 
Huang, Q., Wong, D.-S., Yang, G. (2011). Heterogeneous signcryption with key privacy. Computer Journal, 54(4), 525–536.
 
Karati, A., Islam, S.H., Biswas, G.P., Bhuiyan, M.Z., Vijayakumar, P., Karuppiah, M. (2018). Provably secure identity-based signcryption scheme for crowdsourced industrial Internet of Things environments. IEEE Internet of Things Journal, 5(4), 2904–2914.
 
Kiltz, E., Pietrzak, K. (2010). Leakage resilient Elgamal encryption. In: Advances in Cryptology – ASIACRYPT 2010, LNCS, Vol. 6477, pp. 595–612.
 
Li, C., Yang, G., Wong, D., Deng, X., Chow, S.S.M. (2010). An efficient signcryption scheme with key privacy and its extension to ring signcryption. Journal of Computing and Security, 18(3), 451–473.
 
Li, F., Xiong, P. (2013). Practical secure communication for integrating wireless sensor networks into the Internet of Things. IEEE Sensors Journal, 13(10), 3677–3684.
 
Li, F., Shirase, M., Takagi, T. (2013a). Certificateless hybrid signcryption. Mathematical and Computer Modelling, 57, 324–343.
 
Li, F., Zhang, H., Takagi, T. (2013b). Efficient signcryption for heterogeneous systems. IEEE Systems Journal, 7(3), 420–429.
 
Li, F., Han, Y., Jin, C. (2016a). Practical access control for sensor networks in the context of the internet of things. Computer Communications, 89–90, 154–164.
 
Li, F., Han, Y., Jin, C. (2016b). Practical signcryption for secure communication of wireless sensor networks. Wireless Personal Communications, 89, 1391–1412.
 
Liu, J., Zhang, L., Sun, R., Du, X., Guizani, M. (2018). Mutual heterogeneous signcryption schemes for 5G network slicings. IEEE Access, 6, 7854–7863.
 
Niu, S., Shao, H., Su, Y., Wang, C. (2023). Efficient heterogeneous signcryption scheme based on edge computing for industrial internet of things. Journal of Systems Architecture, 136, 102836.
 
Pan, X., Jin, Y., Wang, Z., Li, F. (2022). A pairing-free heterogeneous signcryption scheme for unmanned aerial vehicles. IEEE Internet of Things Journal, 9(19), 19426–19437.
 
Peng, A.-L., Tseng, Y.-M., Huang, S.-S. (2021). An efficient leakage-resilient authenticated key exchange protocol suitable for IoT devices. IEEE Systems Journal, 15(4), 5343–5354.
 
Rivest, R., Shamir, A., Adleman, L. (1978). A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2), 120–126.
 
Sun, Y., Li, H. (2010). Efficient signcryption between TPKC and IDPKC and its multi-receiver construction. Science China Information Sciences, 53, 557–566.
 
Tsai, T.-T., Tseng, Y.-M., Huang, S.-S. (2023). Leakage-resilient certificateless signcryption scheme under a continual leakage model. IEEE Access, 11, 54448–54461.
 
Tseng, Y.-M., Wu, J.-D., Huang, S.-S., Tsai, T.-T. (2020). Leakage-resilient outsourced revocable certificateless signature with a cloud revocation server. Information Technology and Control, 49(4), 464–481.
 
Tseng, Y.-M., Huang, S.-S., Tsai, T.-T. (2022a). Practical leakage-resilient signcryption scheme suitable for mobile environments. In: 2022 IEEE 11th Global Conference on Consumer Electronics (GCCE), Osaka, Japan, 2022, pp. 383–384. https://doi.org/10.1109/GCCE56475.2022.10014332.
 
Tseng, Y.-M., Huang, S.-S., Tsai, T.-T., Chuang, Y.-H., Hung, Y.-H. (2022b). Leakage-resilient revocable certificateless encryption with an outsourced revocation authority. Informatica, 33(1), 151–179.
 
Tseng, Y.-M., Tsai, T.-T., Huang, S.-S. (2023). Fully continuous leakage-resilient certificate-based signcryption scheme for mobile communications. Informatica, 34(1), 199–222.
 
Wei, G., Shao, J., Xiang, Y., Zhu, P., Lu, R. (2015). Obtain confidentiality or/and authenticity in big data by ID-based generalized signcryption. Information Sciences, 318, 111–122.
 
Wu, J.-D., Tseng, Y.-M., Huang, S.-S., Chou, W.-C. (2018). Leakage-resilient certificateless key encapsulation scheme. Informatica, 29(1), 125–155.
 
Wu, J.-D., Tseng, Y.-M., Huang, S.-S. (2019). An identity-based authenticated key exchange protocol resilient to continuous key leakage. IEEE Systems Journal, 13(4), 3968–3979.
 
Xie, J.-Y., Tseng, Y.-M., Huang, S.-S. (2023). Leakage-resilient anonymous multi-receiver certificateless encryption resistant to side-channel attacks. IEEE Systems Journal, 17(2), 2674–2685.
 
Xiong, H., Qin, Z. (2015). Revocable and scalable certificateless remote authentication protocol with anonymity for wireless body area networks. IEEE Transactions on Information Forensics and Security, 10(7), 1442–1455.
 
Xiong, H., Zhao, Y., Hou, Y., Huang, X., Jin, C., Wang, L., Kumari, S. (2021). Heterogeneous signcryption with equality test for IIoT environment. IEEE Internet of Things Journal, 8(21), 16142–16152.
 
Xiong, H., Hou, Y., Huang, X., Zhao, Y., Chen, C.-M. (2022). Heterogeneous signcryption scheme from IBC to PKI with equality test for WBANs. IEEE Systems Journal, 16(2), 2391–2400.
 
Zheng, Y. (1997). Digital signcryption or how to achieve cost (signature & encryption) ≪ cost (signature) + cost (encryption). In: Advances in Cryptology – CRYPTO ’97, LNCS, Vol. 1294, pp. 165–179.

Biographies

Ho Ting-Chieh

T.-C. Ho is currently working toward her PhD degree in the Department of Mathematics, National Changhua University of Education, Changhua, Taiwan. Her research interests include applied cryptography and leakage-resilience cryptography.

Tseng Yuh-Min
ymtseng@cc.ncue.edu.tw

Y.-M. Tseng is currently the vice president and a professor in the Department of Mathematics, National Changhua University of Education, Taiwan. He is a member of the IEEE Computer Society, the IEEE Communications Society and the Chinese Cryptology and Information Security Association (CCISA). He has published over one hundred scientific journal papers on various research areas of cryptography, security and computer networks. His research interests include cryptography, network security, computer networks and leakage-resilient cryptography. He is an editor of several international journals.

Huang Sen-Shan

S.-S. Huang is currently a professor in the Department of Mathematics, National Changhua University of Education, Taiwan. His research interests include number theory, cryptography, and leakage-resilient cryptography. He obtained his PhD from the University of Illinois at Urbana-Champaign in 1997 under the supervision of Professor Bruce C. Berndt.



Table of contents
  • 1 Introduction
  • 2 Preliminaries
  • 3 Framework and Adversary Games
  • 4 Our LR-HSC-HPKS Scheme
  • 5 Security Analysis
  • 6 Performance Analysis
  • 7 Conclusions and Future Work
  • References
  • Biographies

Copyright
© 2024 Vilnius University
by logo by logo
Open access article under the CC BY license.

Keywords
heterogeneous public-key systems side-channel attack leakage-resilience signcryption

Funding
This research was partially supported by National Science and Technology Council, Taiwan, under contract No. NSTC112-2221-E-018-011.

Fig. 1
Two key generating procedures of the LR-HSC-HPKS scheme.
Fig. 2
The inputs/outputs of the $\textit{HSE}$ and the $\textit{HUSE}$ algorithms in the LR-HSC-HPKS scheme.
Table 1
Comparisons among the recently proposed hybrid signcryption schemes and our scheme.

| Schemes                                         | Signers | Decrypters | Additional property              |
|-------------------------------------------------|---------|------------|----------------------------------|
| Xiong et al.’s scheme (Xiong et al., 2021)      | PKI-PKS | ID-PKS     | Equality test functionality      |
| Hou et al.’s scheme (Hou et al., 2021)          | PKI-PKS | CL-PKS     | Equality test functionality      |
| Xiong et al.’s scheme (Xiong et al., 2022)      | ID-PKS  | PKI-PKS    | Equality test functionality      |
| Ali et al.’s scheme (Ali et al., 2020)          | ID-PKS  | PKI-PKS    | Suitable for VANET environments  |
| Elkhalil et al.’s scheme (Elkhalil et al., 2021)| CL-PKS  | PKI-PKS    | Suitable for VANET environments  |
| Pan et al.’s scheme (Pan et al., 2022)          | ID-PKS  | PKI-PKS    | Suitable for VANET environments  |
| Niu et al.’s scheme (Niu et al., 2023)          | ID-PKS  | CL-PKS     | Suitable for IIoT environments   |
| Our scheme                                      | PKI-PKS | CL-PKS     | Leakage-resilient property       |
Table 2
Notations.

| Notation | Meaning |
|----------|---------|
| CA | A certificate authority in the PKI-PKS |
| KGC | A key generation centre in the CL-PKS |
| ${\textit{SK}_{\textit{CA}}}$/${\textit{PK}_{\textit{CA}}}$ | CA’s secret/public key pair |
| ${\textit{SK}_{\textit{KGC}}}$/${\textit{PK}_{\textit{KGC}}}$ | KGC’s secret/public key pair |
| ${\textit{ID}_{\textit{PKI}}}$ | The identity of a user in the PKI-PKS |
| ${\mathit{PKISK}_{\textit{ID}}}$/${\mathit{PKIPK}_{\textit{ID}}}$ | The secret/public key pair of the user ${\textit{ID}_{\textit{PKI}}}$ |
| ${\textit{CRT}_{\textit{ID}}}$ | The certificate of the user ${\textit{ID}_{\textit{PKI}}}$ |
| ${\textit{ID}_{\textit{CL}}}$ | The identity of a user in the CL-PKS |
| ${\mathit{CLSK}_{\textit{ID}}}$/${\mathit{CLPK}_{\textit{ID}}}$ | The secret/public key pair of the user ${\textit{ID}_{\textit{CL}}}$ |
| ${\mathit{CLISK}_{\textit{ID}}}$/${\mathit{CLIPK}_{\textit{ID}}}$ | The identity secret/public key pair of the user ${\textit{ID}_{\textit{CL}}}$ |
| M | A message |
| $\textit{CT}$ | A ciphertext |
| $\textit{SP}$ | The system parameters |
| $\textit{HSE}$ | The hybrid signcryption algorithm in the LR-HSC-HPKS scheme |
| $\textit{HUSE}$ | The hybrid unsigncryption algorithm in the LR-HSC-HPKS scheme |
Table 3
Required costs (ms) of three time-consuming computations.

| Devices | ${T_{bil}}$ | ${T_{mul}}$ | ${T_{exp}}$ |
|---------|-------------|-------------|-------------|
| PDA     | ≈96 ms      | ≈30 ms      | ≈30 ms      |
| PC      | ≈20 ms      | ≈6 ms       | ≈6 ms       |
Table 4
Computational complexities and costs (ms) of our LR-HSC-HPKS scheme.

| Algorithms                          | Computational complexities              | Costs on a PDA | Costs on a PC |
|-------------------------------------|-----------------------------------------|----------------|---------------|
| System setup                        | ${T_{bil}}+2{T_{mul}}$                  | 156 ms         | 32 ms         |
| User key generation for the PKI-PKS | ${T_{bil}}+3{T_{mul}}$                  | 186 ms         | 38 ms         |
| User key generation for the CL-PKS  | ${T_{bil}}+7{T_{mul}}$                  | 306 ms         | 62 ms         |
| Hybrid signcryption                 | ${T_{bil}}+5{T_{mul}}+2{T_{exp}}$       | 306 ms         | 62 ms         |
| Hybrid unsigncryption               | $6{T_{bil}}+2{T_{mul}}$                 | 636 ms         | 132 ms        |
Theorem 1.
Based on the SH assumption and the DL assumption in the GBG model, the LR-HSC-HPKS scheme is EUF-ACMSCA-secure against adversaries A (${A_{I}}$ and ${A_{\textit{II}}}$).
Theorem 2.
Based on the SH assumption and the DL assumption in the GBG model, the LR-HSC-HPKS scheme is EIND-CCSCA-secure against adversaries A (${A_{I}}$ and ${A_{\textit{II}}}$).

INFORMATICA

  • Online ISSN: 1822-8844
  • Print ISSN: 0868-4952