Leakage-Resilient Hybrid Signcryption in Heterogeneous Public-key Systems

Abstract

Signcryption integrates both signature and encryption schemes into a single scheme to ensure both content unforgeability (authentication) and message confidentiality while reducing computational complexity. Typically, both signers (senders) and decrypters (receivers) in a signcryption scheme belong to the same public-key system. When signers and decrypters in a signcryption scheme belong to heterogeneous public-key systems, the scheme is called a hybrid signcryption scheme, which provides more flexible usage than typical signcryption schemes. In recent years, a new kind of attack, named side-channel attack, allows adversaries to learn a portion of the secret keys used in cryptographic algorithms. To resist such attacks, leakage-resilient cryptography has been widely discussed and studied, and a large number of leakage-resilient schemes have been proposed. Numerous hybrid signcryption schemes in heterogeneous public-key systems have also been proposed, but none of them possesses the leakage-resilient property. In this paper, we propose the first hybrid signcryption scheme with leakage resilience, called leakage-resilient hybrid signcryption scheme in heterogeneous public-key systems (LR-HSC-HPKS). Security proofs are demonstrated to show that the proposed scheme provides both authentication and confidentiality against two types of adversaries in heterogeneous public-key systems.

1 Introduction

Public-key cryptography is the foundation of modern information security. So far, several well-known public-key systems (PKSs) have been proposed, including the public-key infrastructure PKS (PKI-PKS) (Rivest et al., 1978), the identity-based PKS (ID-PKS) (Boneh and Franklin, 2001) and the certificateless PKS (CL-PKS) (Al-Riyami and Paterson, 2003). These PKSs have evolved in response to each other’s advantages and disadvantages. In the PKI-PKS (Rivest et al., 1978), a user with an identity first generates a (secret key, public key) pair at random. The user then sends her/his identity and public key to a trusted certificate authority (CA) and receives the associated certificate from the CA. The CA is responsible for managing users’ public keys and certificates, including answering verification queries about expiration dates or revoked users. Thus, a complex PKI architecture needs to be constructed.

To remove such a complex PKI architecture, an identity-based PKS (ID-PKS) was proposed by Boneh and Franklin (2001). In the ID-PKS, a trusted private key generator (PKG) is responsible for producing each member’s secret key, taking the member’s identity as input. However, the ID-PKS suffers from a key escrow problem because the PKG possesses all members’ secret keys. To resolve the key escrow problem, a certificateless PKS (CL-PKS) was proposed by Al-Riyami and Paterson (2003). In the CL-PKS, each member holds two (secret key, public key) pairs. One pair is created by the member herself/himself and the other pair is generated by a semi-trusted key generation centre (KGC). The CL-PKS thus possesses the advantages of both the PKI-PKS and the ID-PKS while avoiding their disadvantages: it does not require the complex PKI construction and it solves the key escrow problem.

In recent years, a new kind of attack, named side-channel attack, has been realized (Brumley and Boneh, 2005; Biham et al., 2008), in the sense that adversaries can learn a portion of the secret keys used in cryptographic algorithms through timing, power analysis or fault attacks. By repeatedly mounting side-channel attacks, adversaries could eventually learn the entire secret keys. Therefore, public-key cryptography that cannot resist such side-channel attacks is insecure. To resist this attack, leakage-resilient cryptography has been widely discussed and studied by researchers, who have presented a large number of leakage-resilient protocols and schemes (Alwen et al., 2009; Akavia et al., 2009; Kiltz and Pietrzak, 2010; Galindo and Virek, 2013; Galindo et al., 2016; Wu et al., 2018, 2019; Tseng et al., 2020; Peng et al., 2021; Tseng et al., 2022a,b; Xie et al., 2023; Tseng et al., 2023; Tsai et al., 2023). Depending on the adversary’s leakage ability, leakage-resilient cryptography is studied under two different leakage models, the bounded leakage model (Alwen et al., 2009; Akavia et al., 2009) and the unbounded leakage model (Kiltz and Pietrzak, 2010; Galindo and Virek, 2013). The unbounded leakage model is considered the more practical and widely accepted one, since it only limits the amount of information leaked per round while the total leakage over all rounds is unbounded.

1.1 Motivation

Encryption and signature are two important foundations of public-key cryptography. Signcryption integrates both signature and encryption schemes into a single scheme to ensure both content unforgeability (authentication) and message confidentiality while reducing computational complexity. Signcryption is thus also an important building block of public-key cryptography and is used in many applications, such as secure email and data sharing. Very recently, several leakage-resilient signcryption schemes with the unbounded leakage property have been proposed (Tseng et al., 2022a, 2023; Tsai et al., 2023), based on several public-key systems including the PKI-PKS, the CL-PKS and the certificate-based PKS. In these leakage-resilient signcryption (LRSC) schemes, both signers (senders) and decrypters (receivers) belong to the same public-key system.

When signers and decrypters in a signcryption scheme belong to heterogeneous public-key systems, for example signers in the PKI-PKS and decrypters in the CL-PKS, the scheme is called a hybrid signcryption scheme in heterogeneous public-key systems, which provides more flexible usage than typical signcryption schemes. In the past, numerous hybrid signcryption schemes in heterogeneous PKSs (including the PKI-PKS, ID-PKS and CL-PKS) were proposed; they are reviewed later. However, until now there has been no hybrid signcryption scheme with the leakage-resilient property. In this paper, our goal is to design the first hybrid signcryption scheme with leakage resilience, called leakage-resilient hybrid signcryption scheme in heterogeneous public-key systems (LR-HSC-HPKS), from the PKI-PKS to the CL-PKS.

1.2 Related Work

In this section, we review the evolution and development of signcryption schemes and of hybrid signcryption schemes in heterogeneous public-key systems.

Based on the PKI-PKS, Zheng (1997) proposed the first signcryption scheme, integrating both signature and encryption schemes into a single scheme to ensure both content authentication and message confidentiality while reducing computational complexity. In 2007, Baek et al. (2007) further defined a formal adversary model for signcryption schemes. Research on signcryption schemes is still essential for several issues, namely various public-key systems, security, communication cost and computational complexity. Signcryption schemes based on the various PKSs (PKI-PKS, ID-PKS and CL-PKS) have been proposed, such as PKI-PKS-based (Li et al., 2010), ID-PKS-based (Wei et al., 2015; Karati et al., 2018) and CL-PKS-based (Barbosa and Farshim, 2008; Li et al., 2013a) signcryption schemes.

When signers and decrypters in a signcryption scheme belong to heterogeneous public-key systems, the scheme is called a hybrid signcryption scheme, which provides more flexible usage than typical signcryption schemes. In 2010, Sun and Li (2010) proposed the first hybrid signcryption scheme from the PKI-PKS to the ID-PKS. However, Huang et al. (2011) pointed out several security drawbacks in Sun and Li’s scheme and proposed an improvement. In the past decade, a large number of hybrid signcryption schemes have been proposed, such as hybrid signcryption schemes between the PKI-PKS and the ID-PKS (Li et al., 2013b; Li and Xiong, 2013), between the ID-PKS and the CL-PKS (Li et al., 2016a), and between the PKI-PKS and the CL-PKS (Li et al., 2016b; Liu et al., 2018).

Several hybrid signcryption schemes providing additional properties have also been proposed. Three hybrid signcryption schemes with equality test functionality were proposed: Xiong et al.’s scheme from the PKI-PKS to the ID-PKS (Xiong et al., 2021), Hou et al.’s scheme from the PKI-PKS to the CL-PKS (Hou et al., 2021) and Xiong et al.’s scheme from the ID-PKS to the PKI-PKS (Xiong et al., 2022). A hybrid signcryption scheme with equality test functionality allows users to perform comparative searches on ciphertexts encrypted under different public keys without revealing sensitive data. For vehicular ad-hoc network (VANET) or Industrial Internet of Things (IIoT) environments, there are four hybrid signcryption schemes: Ali et al.’s scheme from the ID-PKS to the PKI-PKS (Ali et al., 2020), Elkhalil et al.’s scheme from the CL-PKS to the PKI-PKS (Elkhalil et al., 2021), Pan et al.’s scheme from the ID-PKS to the PKI-PKS (Pan et al., 2022) and Niu et al.’s scheme from the ID-PKS to the CL-PKS (Niu et al., 2023). Table 1 compares the recently proposed hybrid signcryption schemes and our scheme in terms of the PKS of signers, the PKS of decrypters, and additional properties. We emphasize that our scheme is the first hybrid signcryption scheme with leakage resilience.

Table 1

Comparisons among the recently proposed hybrid signcryption schemes and our scheme.

Schemes | Signers | Decrypters | Additional property
--- | --- | --- | ---
Xiong et al.’s scheme (Xiong et al., 2021) | PKI-PKS | ID-PKS | Equality test functionality
Hou et al.’s scheme (Hou et al., 2021) | PKI-PKS | CL-PKS | Equality test functionality
Xiong et al.’s scheme (Xiong et al., 2022) | ID-PKS | PKI-PKS | Equality test functionality
Ali et al.’s scheme (Ali et al., 2020) | ID-PKS | PKI-PKS | Suitable for VANET environments
Elkhalil et al.’s scheme (Elkhalil et al., 2021) | CL-PKS | PKI-PKS | Suitable for VANET environments
Pan et al.’s scheme (Pan et al., 2022) | ID-PKS | PKI-PKS | Suitable for VANET environments
Niu et al.’s scheme (Niu et al., 2023) | ID-PKS | CL-PKS | Suitable for IIoT environments
Our scheme | PKI-PKS | CL-PKS | Leakage-resilient property

1.3 Contribution

As mentioned earlier, Tseng et al. (2022a) have proposed a PKI-PKS-based leakage-resilient signcryption (LRSC) scheme and Tsai et al. (2023) have proposed a CL-PKS-based LRSC scheme. Based on Tseng et al.’s and Tsai et al.’s schemes, a new framework for the LR-HSC-HPKS scheme from the PKI-PKS to the CL-PKS is defined. To achieve the leakage-resilient property of the LR-HSC-HPKS scheme, we employ the key updating process with the multiplicative blinding technique (Kiltz and Pietrzak, 2010; Galindo and Virek, 2013), partitioning each secret key into two parts. Namely, in the PKI-PKS, the CA’s secret key SKCA and the signer IDPKI’s secret key PKISKID are initially partitioned into (SKCA,0,0, SKCA,0,1) and (PKISKID,0,0, PKISKID,0,1), respectively. In the CL-PKS, the KGC’s secret key SKKGC is partitioned into (SKKGC,0,0, SKKGC,0,1), and the decrypter IDCL’s secret key CLSKID and identity secret key CLISKID are initially partitioned into (CLSKID,0,0, CLSKID,0,1) and (CLISKID,0,0, CLISKID,0,1), respectively. Each partitioned secret key must be updated before it is used in a cryptographic computation; this is the key updating process.

Moreover, two new adversary games for the LR-HSC-HPKS scheme are defined by extending the adversary games of Tseng et al.’s scheme (Tseng et al., 2022a) and Tsai et al.’s scheme (Tsai et al., 2023). Based on these two games under the generic bilinear group (GBG) model (Boneh et al., 2005), security proofs are given to show that the proposed LR-HSC-HPKS scheme provides both authentication and confidentiality against two types of adversaries in heterogeneous public-key systems. Furthermore, compared with previously proposed hybrid signcryption schemes, the proposed scheme has the following merits: (1) It is the first hybrid signcryption scheme resisting side-channel attacks. (2) It possesses the unbounded leakage-resilient property, namely, adversaries are allowed to repeatedly learn a portion of the secret key used in each computation. (3) All secret keys of the proposed scheme (including the CA’s secret key SKCA, the signer IDPKI’s secret key PKISKID, the KGC’s secret key SKKGC, and the decrypter IDCL’s secret key CLSKID and identity secret key CLISKID) are allowed to leak to adversaries while the security of the proposed scheme is preserved. Finally, performance experiments on both a PDA and a PC show that our scheme is well suited to running on both platforms.

1.4 Paper Structure

The rest of this paper is structured as follows. In Section 2, several preliminary contents are introduced. In Section 3, we define a new framework and two new adversary games for the LR-HSC-HPKS scheme. The LR-HSC-HPKS scheme is presented in Section 4. The proofs of two security theorems are shown in Section 5. Section 6 conducts the performance analysis on a PC and a PDA. In Section 7, the conclusions and future work are given.

2 Preliminaries

2.1 Bilinear Groups and GBG Model

Let $G=\langle Q\rangle$ and $G_1=\langle Q_1\rangle$ be, respectively, an additive group and a multiplicative group of the same prime order $q$, where $Q$ and $Q_1$ are generators of $G$ and $G_1$, respectively. A bilinear pairing $\hat{e}:G\times G\to G_1$ is admissible if it satisfies the three conditions below:

  • Bilinearity: for $u,v\in\mathbb{Z}_q$, $\hat{e}(u\cdot Q,v\cdot Q)=\hat{e}(Q,Q)^{uv}$.

  • Non-degeneracy: $Q_1=\hat{e}(Q,Q)\neq 1$.

  • Computability: for $u,v\in\mathbb{Z}_q$, $\hat{e}(u\cdot Q,v\cdot Q)$ can be computed efficiently.

Finally, let $\{G,G_1,\hat{e},Q,Q_1,q\}$ denote a bilinear group set. The reader can refer to Boneh and Franklin (2001) for detailed parameter settings.

Boneh et al. (2005) introduced a security-proof method called the generic bilinear group (GBG) model, which operates on a bilinear group set $\{G,G_1,\hat{e},Q,Q_1,q\}$. The GBG model is combined with adversary games for the security properties. In such a game there are an adversary and a challenger, which respectively act as the requester and the replier of oracle queries. To perform operations on the bilinear group set, the adversary requests the corresponding oracles and receives the results from the challenger. The adversary may request three oracles $O_a$, $O_m$ and $O_{\hat{e}}$, which are, respectively, the additive operation on $G$, the multiplicative operation on $G_1$ and the pairing $\hat{e}:G\times G\to G_1$. Two injective random encoding functions $\xi:\mathbb{Z}_q\to\Omega_G$ and $\xi_1:\mathbb{Z}_q\to\Omega_{G_1}$ map the elements of $G$ and $G_1$ to distinct bit strings, where $\Omega_G\cap\Omega_{G_1}=\emptyset$ and $|\Omega_G|=|\Omega_{G_1}|=q$. For all $u,v\in\mathbb{Z}_q$, the three oracles $O_a$, $O_m$ and $O_{\hat{e}}$ have the following properties:

  • $O_a(\xi(u),\xi(v))\to\xi(u+v \bmod q)$;

  • $O_m(\xi_1(u),\xi_1(v))\to\xi_1(u+v \bmod q)$;

  • $O_{\hat{e}}(\xi(u),\xi(v))\to\xi_1(u\cdot v \bmod q)$.

Note that $Q$ is represented by $\xi(1)$, whereas $\xi_1(1)$ represents $Q_1=\hat{e}(Q,Q)$. When such an adversary game ends and the adversary has found a collision in $G$ or $G_1$, the discrete logarithm problem in $G$ or $G_1$, respectively, is solved.
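The challenger side of the GBG model just described, as an added illustration that is not code from the paper: elements of $G$ and $G_1$ are handed out only as random injective encodings $\xi(u)$, $\xi_1(u)$ with disjoint ranges, and arithmetic is reachable only through $O_a$, $O_m$ and $O_{\hat{e}}$. The prime q, the class and helper names are constructed for this example; the adversary-side routines show that bilinearity holds even though the adversary never sees a discrete logarithm.

```python
import secrets


class GenericBilinearGroup:
    """Challenger of the GBG model over a bilinear group set {G, G1, e, Q, Q1, q}.
    An element u*Q of G is known internally only by its discrete log u in Z_q, and
    likewise Q1^u in G1.  q is a constructed small prime (assumption, not from the paper).
    """

    def __init__(self, q: int = 1_000_003):
        self.q = q
        self._enc: dict[tuple[str, int], str] = {}   # (group tag, u) -> encoding
        self._dec: dict[str, tuple[str, int]] = {}   # encoding -> (group tag, u)

    def _encode(self, group: str, u: int) -> str:
        u %= self.q
        key = (group, u)
        if key not in self._enc:
            # Fresh random bit string per element.  The group tag keeps Omega_G and
            # Omega_G1 disjoint; the loop keeps xi and xi1 injective.
            while True:
                s = f"{group}:{secrets.token_hex(16)}"
                if s not in self._dec:
                    break
            self._enc[key] = s
            self._dec[s] = key
        return self._enc[key]

    def _decode(self, group: str, s: str) -> int:
        # Only strings the challenger issued for this group are valid inputs.
        if s not in self._dec or self._dec[s][0] != group:
            raise ValueError(f"{s!r} is not an encoding of an element of {group}")
        return self._dec[s][1]

    # Encoding functions: Q = xi(1) and Q1 = e(Q, Q) = xi1(1).
    def xi(self, u: int) -> str:
        return self._encode("G", u)

    def xi1(self, u: int) -> str:
        return self._encode("G1", u)

    # The three oracles available to the adversary.
    def O_a(self, a: str, b: str) -> str:
        """Addition in G: (xi(u), xi(v)) -> xi(u + v mod q)."""
        return self.xi(self._decode("G", a) + self._decode("G", b))

    def O_m(self, a: str, b: str) -> str:
        """Multiplication in G1 (exponents add): (xi1(u), xi1(v)) -> xi1(u + v mod q)."""
        return self.xi1(self._decode("G1", a) + self._decode("G1", b))

    def O_e(self, a: str, b: str) -> str:
        """Pairing: (xi(u), xi(v)) -> xi1(u * v mod q)."""
        return self.xi1(self._decode("G", a) * self._decode("G", b))


def _repeat(op, k: int, base: str) -> str:
    """Double-and-add over an oracle op: computes k*P in G (op = O_a) or z^k in G1
    (op = O_m) for k >= 1, using nothing but the oracle, as a generic adversary must."""
    if k < 1:
        raise ValueError("k must be at least 1")
    acc = None
    while k:
        if k & 1:
            acc = base if acc is None else op(acc, base)
        base = op(base, base)
        k >>= 1
    return acc


def check_bilinearity(gbg: GenericBilinearGroup, u: int, v: int) -> bool:
    """Adversary-side check of e(u*Q, v*Q) == e(Q, Q)^(uv) through the oracles only."""
    Q, Q1 = gbg.xi(1), gbg.xi1(1)
    left = gbg.O_e(_repeat(gbg.O_a, u, Q), _repeat(gbg.O_a, v, Q))
    right = _repeat(gbg.O_m, (u * v) % gbg.q, Q1)
    return left == right


if __name__ == "__main__":
    print(check_bilinearity(GenericBilinearGroup(), 12345, 6789))
```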

2.2 Security Assumptions and Entropy

In this section, we state the two security assumptions on which the proposed scheme is based:

  • Discrete logarithm (DL) assumption: in $\{G,G_1,\hat{e},Q,Q_1,q\}$, given $u\cdot Q\in G$ or $Q_1^{u}\in G_1$ without knowing $u\in\mathbb{Z}_q$, it is hard to find $u$.

  • Secure hash function (SH) assumption: let $SH:\{0,1\}^*\to\{0,1\}^t$ be a secure hash function, where $t$ is a fixed length. It is hard to find two distinct bit strings $RBS_1$ and $RBS_2$ such that $SH(RBS_1)=SH(RBS_2)$.

To evaluate the leakage of secret keys caused by side-channel attacks, we use the notion of entropy, viewing the secret keys as finite random variables. The two results below (Lemmas 1 and 2) are established in the literature (Dodis et al., 2008; Galindo and Virek, 2013).

Lemma 1.

Let $SK$ and $LF:SK\to\{0,1\}^{\tau}$ denote, respectively, a secret key and the corresponding leak function, where $\tau$ is a fixed length. Under the leak function $LF(\cdot)$, we have $\tilde{H}_{\infty}(SK\,|\,LF(SK))\geq H_{\infty}(SK)-\tau$, where $\tilde{H}_{\infty}$ and $H_{\infty}$ are, respectively, the average conditional min-entropy and the min-entropy.

Lemma 2.

Assume that there is a multiple-secret-key polynomial $MSKF\in\mathbb{Z}_q[SK_0,SK_1,\ldots,SK_{n-1}]$ of degree $d$, where $SK_0,SK_1,\ldots,SK_{n-1}$ are secret keys. Let $P_i$ (for $i=0,1,\ldots,n-1$) be $n$ mutually independent probability distributions of $SK_i=sk_i\in\mathbb{Z}_q$ satisfying $0\leq\tau\leq\log q$ and $H_{\infty}(P_i)\geq\log q-\tau$. Then the probability $\mathrm{Pb}[MSKF(SK_0=sk_0,SK_1=sk_1,\ldots,SK_{n-1}=sk_{n-1})=0]\leq 2^{\tau}(d/q)$ is negligible if $\tau<(1-\omega)\log q$, where $\omega$ denotes a positive fraction.

3 Framework and Adversary Games

In this section, we define the framework and adversary games of the LR-HSC-HPKS scheme. For readability, some notations used throughout this paper are first defined in Table 2.

Table 2

Notations.

Notation | Meaning
--- | ---
CA | A certificate authority in the PKI-PKS
KGC | A key generation centre in the CL-PKS
SKCA/PKCA | CA’s secret/public key pair
SKKGC/PKKGC | KGC’s secret/public key pair
IDPKI | The identity of a user in the PKI-PKS
PKISKID/PKIPKID | The secret/public key pair of the user IDPKI
CRTID | The certificate of the user IDPKI
IDCL | The identity of a user in the CL-PKS
CLSKID/CLPKID | The secret/public key pair of the user IDCL
CLISKID/CLIPKID | The identity secret/public key pair of the user IDCL
M | A message
CT | A ciphertext
SP | The system parameters
HSE | The Hybrid signcryption in the LR-HSC-HPKS scheme
HUSE | The Hybrid unsigncryption in the LR-HSC-HPKS scheme

Fig. 1. Two key generating procedures of the LR-HSC-HPKS scheme.

3.1 Framework

Based on Tseng et al.’s scheme (Tseng et al., 2022a) and Tsai et al.’s scheme (Tsai et al., 2023), we define a new framework for the LR-HSC-HPKS scheme. The heterogeneous public-key systems consist of two public-key systems (PKSs), namely, the public-key infrastructure PKS (PKI-PKS) and the certificateless PKS (CL-PKS). In the LR-HSC-HPKS scheme, signers and decrypters belong to the PKI-PKS and the CL-PKS, respectively. The two key generating procedures of the LR-HSC-HPKS scheme are presented in Fig. 1. In the PKI-PKS, a signer with identity IDPKI randomly selects a secret key PKISKID and computes the associated public key PKIPKID. The signer sends both IDPKI and PKIPKID to a trusted certificate authority (CA) holding a secret key SKCA and the associated public key PKCA. The CA then uses SKCA to compute the certificate CRTID and returns it to the signer IDPKI. In the CL-PKS, a decrypter with identity IDCL randomly selects a secret key CLSKID and computes the associated public key CLPKID. The decrypter sends IDCL to a key generation centre (KGC) holding a secret key SKKGC and the associated public key PKKGC. The KGC then uses SKKGC to compute the decrypter IDCL’s identity secret key CLISKID and identity public key CLIPKID and returns them to the decrypter.

To achieve the leakage-resilient property of the LR-HSC-HPKS scheme, we employ the key updating process with the multiplicative blinding technique (Kiltz and Pietrzak, 2010; Galindo and Virek, 2013), partitioning each secret key into two parts. Each secret key must be updated before it is used in a cryptographic computation; this is the key updating process. In the PKI-PKS, the CA’s secret key SKCA and the signer IDPKI’s secret key PKISKID are initially partitioned into (SKCA,0,0, SKCA,0,1) and (PKISKID,0,0, PKISKID,0,1), respectively. In the CL-PKS, the KGC’s secret key SKKGC is partitioned into (SKKGC,0,0, SKKGC,0,1). Also, the decrypter IDCL’s secret key CLSKID and identity secret key CLISKID are initially partitioned into (CLSKID,0,0, CLSKID,0,1) and (CLISKID,0,0, CLISKID,0,1), respectively.

Fig. 2. The inputs/outputs of the HSE and the HUSE algorithms in the LR-HSC-HPKS scheme.

In the LR-HSC-HPKS scheme, assume that a signer IDPKI runs the Hybrid signcryption (HSE) algorithm to transmit a message M to a decrypter IDCL. For the j-th run of the HSE algorithm, the signer IDPKI first updates the old secret key (PKISKID,j−1,0, PKISKID,j−1,1) to the new secret key (PKISKID,j,0, PKISKID,j,1) and sends the ciphertext CT = HSE(M, IDCL, CLPKID, CLIPKID, (PKISKID,j,0, PKISKID,j,1)) to the decrypter IDCL. For the k-th run of the Hybrid unsigncryption (HUSE) algorithm on the received CT, the decrypter IDCL first updates the old secret key (CLSKID,k−1,0, CLSKID,k−1,1) and identity secret key (CLISKID,k−1,0, CLISKID,k−1,1) to the new secret key (CLSKID,k,0, CLSKID,k,1) and identity secret key (CLISKID,k,0, CLISKID,k,1), and obtains the message M = HUSE(CT, IDPKI, PKIPKID, CRTID, (CLSKID,k,0, CLSKID,k,1), (CLISKID,k,0, CLISKID,k,1)). Figure 2 depicts the inputs/outputs of the HSE and the HUSE algorithms in the LR-HSC-HPKS scheme. The new framework of the LR-HSC-HPKS scheme from the PKI-PKS to the CL-PKS is presented in Definition 1.

Definition 1.

The LR-HSC-HPKS scheme includes the following four parts.

  • System setup: Firstly, the system parameters (SP) are initially set. The heterogeneous public-key systems consist of the PKI-PKS and the CL-PKS. The CA in the PKI-PKS and the KGC in the CL-PKS, respectively, set their secret keys and the associated public keys as follows.

    • PKI-PKS: The CA sets a secret/public key pair (SKCA,PKCA). Initially, the CA partitions SKCA into (SKCA,0,0,SKCA,0,1).

    • CL-PKS: The KGC sets a secret/public key pair (SKKGC,PKKGC). Initially, the KGC partitions SKKGC into (SKKGC,0,0,SKKGC,0,1).

    Also, SP, PKCA and PKKGC are publicly published.

  • User key generation: For signers in the PKI-PKS and decrypters in the CL-PKS, two key generating procedures are presented as follows.

    • PKI-PKS: A signer with identity IDPKI and the CA cooperatively run the following two algorithms.

      • Signer secret key generation: The signer IDPKI sets a secret/public key pair (PKISKID,PKIPKID). Initially, the signer IDPKI partitions PKISKID into (PKISKID,0,0,PKISKID,0,1). Also, the signer IDPKI sends (IDPKI,PKIPKID) to the CA.

      • Signer certificate generation: For the i-th run of this algorithm on input (IDPKI, PKIPKID), the CA first updates the old secret key (SKCA,i−1,0, SKCA,i−1,1) to the new secret key (SKCA,i,0, SKCA,i,1), such that SKCA = SKCA,0,0 + SKCA,0,1 = SKCA,1,0 + SKCA,1,1 = ⋯ = SKCA,i,0 + SKCA,i,1. Subsequently, the CA uses (SKCA,i,0, SKCA,i,1) to compute the certificate CRTID and returns it to the signer IDPKI.

    • CL-PKS: A decrypter with identity IDCL and the KGC cooperatively run the following four algorithms.

      • Decrypter secret key generation: The decrypter IDCL sets a secret/public key pair (CLSKID,CLPKID). Also, the decrypter IDCL sends IDCL to the KGC.

      • Decrypter identity secret key generation: For the i-th run of this algorithm on input IDCL, the KGC first updates the old secret key (SKKGC,i−1,0, SKKGC,i−1,1) to the new secret key (SKKGC,i,0, SKKGC,i,1) such that SKKGC = SKKGC,0,0 + SKKGC,0,1 = SKKGC,1,0 + SKKGC,1,1 = ⋯ = SKKGC,i,0 + SKKGC,i,1. Subsequently, the KGC uses (SKKGC,i,0, SKKGC,i,1) to compute the identity secret/public key pair (CLISKID, CLIPKID) and returns it to the decrypter IDCL.

      • Decrypter secret key combination: (CLSKID,CLISKID) is the decrypter IDCL’s secret key pair. Initially, the decrypter IDCL partitions CLSKID and CLISKID into (CLSKID,0,0,CLSKID,0,1) and (CLISKID,0,0,CLISKID,0,1), respectively.

      • Decrypter public key combination: (CLPKID,CLIPKID) is the decrypter IDCL’s public key pair.

  • Hybrid signcryption (HSE): For the j-th run of the HSE algorithm on input (M, IDCL, CLPKID, CLIPKID), the signer IDPKI first updates the old secret key (PKISKID,j−1,0, PKISKID,j−1,1) to the new secret key (PKISKID,j,0, PKISKID,j,1). Then, the signer IDPKI generates a ciphertext CT = HSE(M, IDCL, CLPKID, CLIPKID, (PKISKID,j,0, PKISKID,j,1)) and returns CT to the decrypter IDCL.

  • Hybrid unsigncryption (HUSE): For the k-th run of the HUSE algorithm on input CT, the decrypter IDCL updates the old secret key (CLSKID,k−1,0, CLSKID,k−1,1) and identity secret key (CLISKID,k−1,0, CLISKID,k−1,1) to the new secret key (CLSKID,k,0, CLSKID,k,1) and new identity secret key (CLISKID,k,0, CLISKID,k,1), respectively, and obtains the message M = HUSE(CT, IDPKI, PKIPKID, CRTID, (CLSKID,k,0, CLSKID,k,1), (CLISKID,k,0, CLISKID,k,1)).

3.2 Adversary Games

Based on Tseng et al.’s scheme (Tseng et al., 2022a) and Tsai et al.’s scheme (Tsai et al., 2023), we define two adversary games of the LR-HSC-HPKS scheme in the heterogeneous public-key systems (including the PKI-PKS and the CL-PKS).

For the i-th run of Signer certificate generation, a pair of leak functions (fSCG,i, hSCG,i) on (SKCA,i,0, SKCA,i,1) models the leakage ability of adversaries. Likewise, the pair (fISKG,i, hISKG,i) on (SKKGC,i,0, SKKGC,i,1) is used for the i-th run of Decrypter identity secret key generation, the pair (fHS,j, hHS,j) on (PKISKID,j,0, PKISKID,j,1) for the j-th run of Hybrid signcryption, and the pair (fHUS,k, hHUS,k) on ((CLSKID,k,0, CLISKID,k,0), (CLSKID,k,1, CLISKID,k,1)) for the k-th run of Hybrid unsigncryption. Let ΔfSCG,i, ΔhSCG,i, ΔfISKG,i, ΔhISKG,i, ΔfHS,j, ΔhHS,j, ΔfHUS,k and ΔhHUS,k denote the outputs of these functions, where each output bit length is limited to τ as defined in Lemma 1. The inputs and outputs of the eight leak functions are as follows:

  • ΔfSCG,i=fSCG,i(SKCA,i,0).

  • ΔhSCG,i=hSCG,i(SKCA,i,1).

  • ΔfISKG,i=fISKG,i(SKKGC,i,0).

  • ΔhISKG,i=hISKG,i(SKKGC,i,1).

  • ΔfHS,j=fHS,j(PKISKID,j,0).

  • ΔhHS,j=hHS,j(PKISKID,j,1).

  • ΔfHUS,k=fHUS,k(CLSKID,k,0,CLISKID,k,0).

  • ΔhHUS,k=hHUS,k(CLSKID,k,1,CLISKID,k,1).
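The key updating process of Section 3.1 together with the per-round leak functions listed above, as an added illustration that is not code from the paper. Assumptions: the additive group ⟨Q⟩ of prime order q is modelled by Z_q, so the point u·Q is represented by the scalar u; q and the leakage bound τ are constructed sample values; the class and function names are hypothetical. The holder keeps two shares whose sum is the secret key, re-randomizes them before every use, and answers each (round, share) leak query at most once, which is the rule the games in Section 3.2 impose.

```python
import secrets

Q_ORDER = (1 << 127) - 1   # constructed prime standing in for the group order q
TAU = 16                   # constructed bound: each leak function returns tau bits


def partition(sk: int, q: int = Q_ORDER) -> tuple[int, int]:
    """Initial partition SK -> (SK_{0,0}, SK_{0,1}) = (w*Q, SK - w*Q) for a random w."""
    w = secrets.randbelow(q)
    return (w, (sk - w) % q)


def update(shares: tuple[int, int], q: int = Q_ORDER) -> tuple[int, int]:
    """Key update from round i-1 to round i.  A fresh random delta moves mass from
    one share to the other, so SK_{i,0} + SK_{i,1} = SK_{i-1,0} + SK_{i-1,1} = SK while
    each new share on its own is uniformly distributed and independent of the old ones."""
    s0, s1 = shares
    delta = secrets.randbelow(q)
    return ((s0 + delta) % q, (s1 - delta) % q)


def combine(shares: tuple[int, int], q: int = Q_ORDER) -> int:
    """Recover SK = SK_{i,0} + SK_{i,1} (only ever done inside the computation)."""
    return (shares[0] + shares[1]) % q


def leak(value: int, tau: int = TAU) -> int:
    """A sample leak function with output length tau (Lemma 1): the tau low-order
    bits of one share.  Any other function with tau-bit output would do."""
    return value & ((1 << tau) - 1)


class SplitKeyHolder:
    """A party (CA, KGC, signer or decrypter) holding one or more partitioned secret
    keys that are updated together under one round index, as the decrypter does with
    (CLSK_ID, CLISK_ID) in the HUSE algorithm."""

    def __init__(self, keys: dict[str, int], q: int = Q_ORDER):
        self.q = q
        self.round = 0
        self.shares = {name: partition(sk, q) for name, sk in keys.items()}
        self._answered: set[tuple[int, int]] = set()   # (round, share index) pairs

    def next_round(self) -> int:
        """The key updating process, run before each cryptographic computation."""
        self.shares = {n: update(s, self.q) for n, s in self.shares.items()}
        self.round += 1
        return self.round

    def current_key(self, name: str) -> int:
        return combine(self.shares[name], self.q)

    def leak_query(self, rnd: int, share_index: int, tau: int = TAU) -> dict[str, int]:
        """Answer f (share_index 0) or h (share_index 1) for round rnd: f sees share 0
        of every key held, h sees share 1, e.g. f_HUS,k(CLSK_ID,k,0, CLISK_ID,k,0).
        Each (round, share) may be leaked once, and only for the current round."""
        if rnd != self.round:
            raise ValueError("leak query must target the current round")
        if share_index not in (0, 1) or (rnd, share_index) in self._answered:
            raise ValueError("leak query already answered for this round and share")
        self._answered.add((rnd, share_index))
        return {n: leak(s[share_index], tau) for n, s in self.shares.items()}


def demo(rounds: int = 5) -> bool:
    """Run a CA through several certificate generations with both leak queries per
    round and confirm that the recombined key never drifts."""
    r = secrets.randbelow(Q_ORDER)
    ca = SplitKeyHolder({"SK_CA": r})
    for _ in range(rounds):
        ca.next_round()
        ca.leak_query(ca.round, 0)
        ca.leak_query(ca.round, 1)
    return ca.current_key("SK_CA") == r


if __name__ == "__main__":
    print(demo())
```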

In the heterogeneous public-key systems (including the PKI-PKS and the CL-PKS), there are two types of adversaries, namely, illegitimate member (AI) and malicious CA/KGC (AII).

  • Illegitimate member (AI): AI is used to model the attacking abilities of an illegitimate member as follows.

    • AI may obtain any signer IDPKI’s secret key PKISKID, except for the target signer IDPKI. Also AI may obtain any decrypter IDCL’s secret key CLSKID and identity secret key CLISKID, except for the identity secret key CLISKID of the target decrypter IDCL.

    • AI may obtain a portion of PKISKID=(PKISKID,j,0,PKISKID,j,1) and CLISKID=(CLISKID,k,0,CLISKID,k,1) by the two pairs of leak functions (fHS,j,hHS,j) and (fHUS,k,hHUS,k), respectively.

    • AI may obtain a portion of SKCA=(SKCA,i,0,SKCA,i,1) and SKKGC=(SKKGC,i,0,SKKGC,i,1) by two pairs of leak functions (fSCG,i,hSCG,i) and (fISKG,i,hISKG,i), respectively.

  • Malicious CA/KGC (AII): AII is used to model the attacking abilities of a malicious CA/KGC who has both SKCA and SKKGC.

    • AII may obtain any signer IDPKI’s secret key PKISKID and any decrypter IDCL’s secret key CLSKID, except for the target signer IDPKI and decrypter IDCL.

    • AII may obtain a portion of PKISKID=(PKISKID,j,0,PKISKID,j,1) by the pair of leak functions (fHS,j,hHS,j).

    • AII may obtain a portion of CLSKID=(CLSKID,k,0,CLSKID,k,1) by the pair of leak functions (fHUS,k,hHUS,k).

In Definitions 2 and 3, we define two adversary games Game1 and Game2 to model the content unforgeability (authentication) and the message confidentiality, respectively.

Definition 2 (Game1).

The adversary game Game1 is played by an adversary A (AI or AII) and a challenger B. If no probabilistic polynomial-time (PPT) adversary A with a non-negligible advantage wins Game1, the LR-HSC-HPKS scheme possesses the existential unforgeability (authentication) under adaptive chosen-message and side-channel attacks (EUF-ACMSCA).

  • Initialization phase: The challenger B runs the System setup in Definition 1 to generate the CA’s secret/public key pair (SKCA,PKCA) and the KGC’s secret/public key pair (SKKGC,PKKGC). Also, B sets the system parameters (SP). In the meantime, B partitions SKCA and SKKGC into (SKCA,0,0,SKCA,0,1) and (SKKGC,0,0,SKKGC,0,1), respectively. Additionally, if A is an AII, both SKCA and SKKGC are sent to AII.

  • Query phase: A (AI or AII) may adaptively request various kinds of queries (oracles) to B as follows.

    • Signer secret key query (IDPKI): The signer IDPKI’s secret key PKISKID is returned.

    • Signer certificate query (IDPKI, PKIPKID): For the i-th request of this query, B first updates the old secret key (SKCA,i−1,0, SKCA,i−1,1) to the new secret key (SKCA,i,0, SKCA,i,1). Given (IDPKI, PKIPKID), B uses (SKCA,i,0, SKCA,i,1) to generate and return the signer IDPKI’s certificate CRTID.

    • Signer certificate leak query (i, fSCG,i, hSCG,i): For the i-th request of the Signer certificate query, this leak query may be requested only once. B returns ΔfSCG,i = fSCG,i(SKCA,i,0) and ΔhSCG,i = hSCG,i(SKCA,i,1).

    • Decrypter identity secret key query (IDCL): For the i-th request of this query, B first updates the old secret key (SKKGC,i−1,0, SKKGC,i−1,1) to the new secret key (SKKGC,i,0, SKKGC,i,1). Given IDCL, B uses (SKKGC,i,0, SKKGC,i,1) to generate and return the identity secret/public key pair (CLISKID, CLIPKID).

    • Decrypter identity secret key leak query (i, fISKG,i, hISKG,i): For the i-th request of the Decrypter identity secret key query, this leak query may be requested only once. B returns ΔfISKG,i = fISKG,i(SKKGC,i,0) and ΔhISKG,i = hISKG,i(SKKGC,i,1).

    • Decrypter public key replace query (IDCL, (CLPKID, CLIPKID)): The decrypter IDCL’s public key is replaced with (CLPKID, CLIPKID).

    • Decrypter secret key query (IDCL): If the Decrypter public key replace query (IDCL, (CLPKID, CLIPKID)) has never been requested, the decrypter IDCL’s secret key CLSKID is returned.

    • Hybrid signcryption query (M, IDPKI, IDCL): B first updates the signer IDPKI’s old secret key (PKISKID,j−1,0, PKISKID,j−1,1) to the new secret key (PKISKID,j,0, PKISKID,j,1), and runs the Hybrid signcryption algorithm to return CT.

    • Hybrid signcryption leak query (IDPKI, j, fHS,j, hHS,j): For the signer IDPKI’s j-th request of the Hybrid signcryption query, this leak query may be requested only once. B returns ΔfHS,j = fHS,j(PKISKID,j,0) and ΔhHS,j = hHS,j(PKISKID,j,1).

    • Hybrid unsigncryption query (CT, IDPKI, IDCL): B first updates the decrypter IDCL’s old secret key (CLSKID,k−1,0, CLSKID,k−1,1) and identity secret key (CLISKID,k−1,0, CLISKID,k−1,1) to the new secret key (CLSKID,k,0, CLSKID,k,1) and identity secret key (CLISKID,k,0, CLISKID,k,1), respectively. B then runs the Hybrid unsigncryption algorithm to return M.

    • Hybrid unsigncryption leak query (IDCL, k, fHUS,k, hHUS,k): For the decrypter IDCL’s k-th request of the Hybrid unsigncryption query, this leak query may be requested only once. B returns ΔfHUS,k = fHUS,k(CLSKID,k,0, CLISKID,k,0) and ΔhHUS,k = hHUS,k(CLSKID,k,1, CLISKID,k,1).

  • Forgery phase: Assume that A forges a ciphertext CT = (T0, T1, T2, IDPKI, IDCL) for the message M. We say that A wins Game1 if the following three conditions hold.

    • M can be generated by the Hybrid unsigncryption algorithm.

    • The Hybrid signcryption query (M,IDPKI,IDCL) is never issued.

    • The Signer secret key query (IDPKI) is never issued.

Definition 3 (Game2).

The adversary game Game2 is played by an adversary A (AI or AII) and a challenger B. If no PPT adversary A with a non-negligible advantage wins Game2, the LR-HSC-HPKS scheme possesses the encryption indistinguishability (message confidentiality) under chosen-ciphertext and side-channel attacks (EIND-CCSCA).

  • Initialization phase. This phase is the same as the Initialization phase in Definition 2.

  • Query phase. This phase is the same as the Query phase in Definition 2.

  • Challenge phase. A selects a target decrypter IDCL and a message pair (M0, M1) as the challenge objective. B randomly selects c ∈ {0,1} and generates a challenge ciphertext CT by running the Hybrid signcryption algorithm on (Mc, IDPKI, IDCL). B then sends CT to A. Note that the following two conditions must hold.

    1. If A is an AI, the Decrypter identity secret key query (IDCL) is never issued.

    2. If A is an AII, neither the Decrypter public key replace query (IDCL, (CLPKID, CLIPKID)) nor the Decrypter secret key query (IDCL) is issued.

  • Guessing phase. A outputs c′ ∈ {0,1} and wins Game2 if c′ = c. A’s advantage is defined as Adv(A) = |Pb[c′ = c] − 1/2|.

4 Our LR-HSC-HPKS Scheme

According to the framework shown in Definition 1, our LR-HSC-HPKS scheme consists of four parts as presented below.

  • System setup: The system sets a bilinear group set $\{G, G_1, \hat{e}, Q, Q_1, q\}$ defined in Section 2.1. Moreover, the system publishes $SP = \{G, G_1, \hat{e}, Q, Q_1, q, W, T, SE/SD, SH_0, SH_1\}$, where $W$ and $T$ are random elements in $G$, $SE$ and $SD$ are respectively the symmetric encryption and decryption functions, and $SH_0: \{0,1\}^* \times G \to \{0,1\}^t$ and $SH_1: G \times \{0,1\}^* \to \{0,1\}^t$ are two secure hash functions. The heterogeneous public-key systems consist of the PKI-PKS and the CL-PKS. The CA in the PKI-PKS and the KGC in the CL-PKS, respectively, set their secret/public key pairs as follows.

    • PKI-PKS: The CA randomly selects $r \in \mathbb{Z}_q$ and then sets a secret/public key pair $(SK_{CA}, PK_{CA})$, where $SK_{CA} = r \cdot Q$ and $PK_{CA} = \hat{e}(Q, r \cdot Q)$. Also, the CA randomly selects $w \in \mathbb{Z}_q$ and partitions $SK_{CA}$ into $SK_{CA} = (SK_{CA,0,0}, SK_{CA,0,1}) = (w \cdot Q, SK_{CA} - w \cdot Q)$.

    • CL-PKS: The KGC randomly selects $t \in \mathbb{Z}_q$ and then sets a secret/public key pair $(SK_{KGC}, PK_{KGC})$, where $SK_{KGC} = t \cdot Q$ and $PK_{KGC} = \hat{e}(Q, t \cdot Q)$. Also, the KGC randomly selects $s \in \mathbb{Z}_q$ and partitions $SK_{KGC}$ into $SK_{KGC} = (SK_{KGC,0,0}, SK_{KGC,0,1}) = (s \cdot Q, SK_{KGC} - s \cdot Q)$.

  • User key generation: For signers in the PKI-PKS and decrypters in the CL-PKS, two key generating procedures are presented as follows.

    • PKI-PKS: A signer with identity $ID_{PKI}$ and the CA cooperatively run the following two algorithms.

      • Signer secret key generation: The signer $ID_{PKI}$ randomly selects $x \in \mathbb{Z}_q$ and then sets a secret/public key pair $(PKISK_{ID}, PKIPK_{ID})$, where $PKISK_{ID} = x \cdot Q$ and $PKIPK_{ID} = \hat{e}(Q, x \cdot Q)$. Also, the signer $ID_{PKI}$ randomly selects $w_i \in \mathbb{Z}_q$ and partitions $PKISK_{ID}$ into $PKISK_{ID} = (PKISK_{ID,0,0}, PKISK_{ID,0,1}) = (w_i \cdot Q, PKISK_{ID} - w_i \cdot Q)$.

      • Signer certificate generation: For this algorithm's $i$-th running and given $(ID_{PKI}, PKIPK_{ID})$, the CA randomly selects $w \in \mathbb{Z}_q$ and updates the old secret key $(SK_{CA,i-1,0}, SK_{CA,i-1,1})$ to the new secret key $(SK_{CA,i,0}, SK_{CA,i,1}) = (SK_{CA,i-1,0} + w \cdot Q, SK_{CA,i-1,1} - w \cdot Q)$, such that $SK_{CA} = SK_{CA,0,0} + SK_{CA,0,1} = SK_{CA,1,0} + SK_{CA,1,1} = \cdots = SK_{CA,i,0} + SK_{CA,i,1}$. Also, the CA uses $(SK_{CA,i,0}, SK_{CA,i,1})$ to compute and return the certificate $CRT_{ID}$ to the signer $ID_{PKI}$.

    • CL-PKS: A decrypter with identity $ID_{CL}$ and the KGC cooperatively run the following four algorithms.

      • Decrypter secret key generation: The decrypter $ID_{CL}$ randomly selects $l \in \mathbb{Z}_q$ and then sets a secret/public key pair $(CLSK_{ID}, CLPK_{ID})$, where $CLSK_{ID} = l \cdot Q$ and $CLPK_{ID} = \hat{e}(Q, l \cdot Q)$. Also, the decrypter $ID_{CL}$ sends $ID_{CL}$ to the KGC.

      • Decrypter identity secret key generation: For this algorithm's $i$-th running and given $ID_{CL}$, the KGC randomly selects $t_i \in \mathbb{Z}_q$ and updates the old secret key $(SK_{KGC,i-1,0}, SK_{KGC,i-1,1})$ to the new secret key $(SK_{KGC,i,0}, SK_{KGC,i,1}) = (SK_{KGC,i-1,0} + t_i \cdot Q, SK_{KGC,i-1,1} - t_i \cdot Q)$, such that $SK_{KGC} = SK_{KGC,0,0} + SK_{KGC,0,1} = SK_{KGC,1,0} + SK_{KGC,1,1} = \cdots = SK_{KGC,i,0} + SK_{KGC,i,1}$. Also, the KGC randomly selects $f \in \mathbb{Z}_q$ and uses $(SK_{KGC,i,0}, SK_{KGC,i,1})$ to compute and return the identity secret/public key pair $(CLISK_{ID}, CLIPK_{ID})$ of the decrypter $ID_{CL}$ as follows:

        • (1) $CLIPK_{ID} = f \cdot Q$.

        • (2) $\rho = SH_0(ID_{CL}, CLIPK_{ID})$.

        • (3) $TK_i = SK_{KGC,i,1} + f \cdot (W + \rho \cdot T)$.

        • (4) $CLISK_{ID} = SK_{KGC,i,0} + TK_i$.

      • Decrypter secret key combination: The decrypter $ID_{CL}$'s secret key pair is $(CLSK_{ID}, CLISK_{ID})$. The decrypter $ID_{CL}$ randomly selects $\delta, \xi \in \mathbb{Z}_q$, and partitions $CLSK_{ID}$ and $CLISK_{ID}$ into $(CLSK_{ID,0,0}, CLSK_{ID,0,1}) = (\delta \cdot Q, CLSK_{ID} - \delta \cdot Q)$ and $(CLISK_{ID,0,0}, CLISK_{ID,0,1}) = (\xi \cdot Q, CLISK_{ID} - \xi \cdot Q)$, respectively.

      • Decrypter public key combination: The decrypter $ID_{CL}$'s public key pair is $(CLPK_{ID}, CLIPK_{ID})$.

  • Hybrid signcryption (HSE): Assume that the signer $ID_{PKI}$ wants to send a message $M$ to the decrypter $ID_{CL}$. For the HSE algorithm's $j$-th running, the signer $ID_{PKI}$ runs the following steps to generate a ciphertext $CT$.

    • (1) Randomly select $h \in \mathbb{Z}_q$ and update the old secret key $(PKISK_{ID,j-1,0}, PKISK_{ID,j-1,1})$ to the new secret key $(PKISK_{ID,j,0}, PKISK_{ID,j,1}) = (PKISK_{ID,j-1,0} + h \cdot Q, PKISK_{ID,j-1,1} - h \cdot Q)$.

    • (2) Randomly select $n \in \mathbb{Z}_q$, and compute $T_1 = n \cdot Q$, $EK_1 = (CLPK_{ID})^n$ and $EK_2 = (PK_{KGC} \cdot \hat{e}(CLIPK_{ID}, W + \rho \cdot T))^n$, where $\rho = SH_0(ID_{CL}, CLIPK_{ID})$.

    • (3) Generate $T_2 = SE_{EK}(M)$, where $EK = EK_1 \oplus EK_2$ is the encryption key.

    • (4) Compute $TS = PKISK_{ID,j,0} + n \cdot (W + \beta \cdot T)$, where $\beta = SH_1(T_1, T_2, ID_{PKI}, ID_{CL}, M)$.

    • (5) Generate a signature $T_0 = PKISK_{ID,j,1} + TS$.

    • (6) Set $CT = (T_0, T_1, T_2, ID_{PKI}, ID_{CL})$.

  • Hybrid unsigncryption (HUSE): For the HUSE algorithm's $k$-th running and given $CT$, the decrypter $ID_{CL}$ runs the following steps to get the message $M$.

    • (1) Randomly select $v \in \mathbb{Z}_q$, and update the old secret key $(CLSK_{ID,k-1,0}, CLSK_{ID,k-1,1})$ and the old identity secret key $(CLISK_{ID,k-1,0}, CLISK_{ID,k-1,1})$ to the new secret key $(CLSK_{ID,k,0}, CLSK_{ID,k,1}) = (CLSK_{ID,k-1,0} + v \cdot Q, CLSK_{ID,k-1,1} - v \cdot Q)$ and the new identity secret key $(CLISK_{ID,k,0}, CLISK_{ID,k,1}) = (CLISK_{ID,k-1,0} + v \cdot Q, CLISK_{ID,k-1,1} - v \cdot Q)$, respectively.

    • (2) Generate $TEK_1 = \hat{e}(T_1, CLSK_{ID,k,0})$ and $TEK_2 = \hat{e}(T_1, CLISK_{ID,k,0})$.

    • (3) Compute $EK_1' = TEK_1 \cdot \hat{e}(T_1, CLSK_{ID,k,1})$ and $EK_2' = TEK_2 \cdot \hat{e}(T_1, CLISK_{ID,k,1})$.

    • (4) Recover $M = SD_{EK'}(T_2)$, where $EK' = EK_1' \oplus EK_2'$.

    • (5) Set $\beta = SH_1(T_1, T_2, ID_{PKI}, ID_{CL}, M)$.

    • (6) Output $M$ if $\hat{e}(Q, T_0) = PKIPK_{ID} \cdot \hat{e}(T_1, W + \beta \cdot T)$ holds.

The correctness of the two equations $EK' = EK_1' \oplus EK_2' = EK_1 \oplus EK_2 = EK$ and $\hat{e}(Q, T_0) = PKIPK_{ID} \cdot \hat{e}(T_1, W + \beta \cdot T)$ is shown as follows.

  • $EK' = EK_1' \oplus EK_2' = TEK_1 \cdot \hat{e}(T_1, CLSK_{ID,k,1}) \oplus TEK_2 \cdot \hat{e}(T_1, CLISK_{ID,k,1}) = \hat{e}(T_1, CLSK_{ID,k,0}) \cdot \hat{e}(T_1, CLSK_{ID,k,1}) \oplus \hat{e}(T_1, CLISK_{ID,k,0}) \cdot \hat{e}(T_1, CLISK_{ID,k,1}) = \hat{e}(T_1, CLSK_{ID}) \oplus \hat{e}(T_1, CLISK_{ID}) = \hat{e}(n \cdot Q, CLSK_{ID}) \oplus \hat{e}(n \cdot Q, CLISK_{ID}) = \hat{e}(Q, CLSK_{ID})^n \oplus \hat{e}(n \cdot Q, SK_{KGC} + f \cdot (W + \rho \cdot T)) = \hat{e}(Q, CLSK_{ID})^n \oplus \hat{e}(n \cdot Q, SK_{KGC}) \cdot \hat{e}(n \cdot Q, f \cdot (W + \rho \cdot T)) = \hat{e}(Q, CLSK_{ID})^n \oplus \hat{e}(Q, SK_{KGC})^n \cdot \hat{e}(f \cdot Q, n \cdot (W + \rho \cdot T)) = (CLPK_{ID})^n \oplus (PK_{KGC} \cdot \hat{e}(CLIPK_{ID}, W + \rho \cdot T))^n = EK_1 \oplus EK_2 = EK$.

  • $\hat{e}(Q, T_0) = \hat{e}(Q, PKISK_{ID,j,1} + TS) = \hat{e}(Q, PKISK_{ID,j,1} + PKISK_{ID,j,0} + n \cdot (W + \beta \cdot T)) = \hat{e}(Q, PKISK_{ID} + n \cdot (W + \beta \cdot T)) = \hat{e}(Q, PKISK_{ID}) \cdot \hat{e}(Q, n \cdot (W + \beta \cdot T)) = PKIPK_{ID} \cdot \hat{e}(n \cdot Q, W + \beta \cdot T) = PKIPK_{ID} \cdot \hat{e}(T_1, W + \beta \cdot T)$.
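As an added worked example (not code from the paper), the four algorithms above run end to end in a toy pairing model: every element of $G$ and $G_1$ is stored as its discrete logarithm modulo a constructed prime $q$, so $\hat{e}$, the $G_1$ product and the $G_1$ exponentiation become integer arithmetic and both correctness equations can be checked directly, while each secret key is only ever used through its two refreshed shares. Assumed placeholders: SHA-256 stands in for $SH_0$/$SH_1$, an XOR keystream for $SE$/$SD$, and the model has no cryptographic strength because the discrete logarithms are known by construction.

```python
import hashlib
import secrets

# Toy group: every element of G and G1 is stored as its discrete logarithm mod q
# (the point a*Q is stored as the integer a), so the pairing, the G1 product and
# the G1 exponentiation become integer arithmetic. q is a constructed toy order.
q = (1 << 127) - 1

def pair(a, b):      # ê(a·Q, b·Q) = Q1^(a·b)
    return a * b % q

def g1_mul(x, y):    # product of two G1 elements (exponents add)
    return (x + y) % q

def g1_exp(x, n):    # n-th power of a G1 element (exponents multiply)
    return x * n % q

def hash_to_zq(*parts):   # placeholder for SH0 / SH1, not the paper's hash functions
    data = b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def sym_crypt(ek, data):  # placeholder for SE / SD: XOR with a SHA-256 keystream
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(ek.to_bytes(16, "big") + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

class SplitKey:
    """A secret key SK held only as two shares with SK_0 + SK_1 = SK.
    refresh() re-randomises the shares before every use (the key updating
    process), so no two computations ever expose the same pair of shares."""
    def __init__(self, sk):
        r = secrets.randbelow(q)
        self.s0, self.s1 = r, (sk - r) % q
    def refresh(self):
        h = secrets.randbelow(q)
        self.s0, self.s1 = (self.s0 + h) % q, (self.s1 - h) % q
        return self

def setup():
    t = secrets.randbelow(q)                       # SK_KGC = t·Q, PK_KGC = ê(Q, t·Q)
    return {"W": secrets.randbelow(q), "T": secrets.randbelow(q),
            "SK_KGC": SplitKey(t), "PK_KGC": pair(1, t)}

def signer_keygen():
    x = secrets.randbelow(q)                       # PKISK_ID = x·Q, PKIPK_ID = ê(Q, x·Q)
    return SplitKey(x), pair(1, x)

def decrypter_keygen(sp, id_cl):
    l = secrets.randbelow(q)                       # CLSK_ID = l·Q, CLPK_ID = ê(Q, l·Q)
    f = secrets.randbelow(q)                       # KGC picks f, CLIPK_ID = f·Q
    rho = hash_to_zq(id_cl, f)
    kgc = sp["SK_KGC"].refresh()                   # KGC updates its shares first
    tk = (kgc.s1 + f * (sp["W"] + rho * sp["T"])) % q          # TK_i
    clisk = (kgc.s0 + tk) % q                      # CLISK_ID = SK_KGC + f·(W + ρ·T)
    return {"CLSK": SplitKey(l), "CLISK": SplitKey(clisk), "CLPK": pair(1, l), "CLIPK": f}

def signcrypt(sp, pkisk, id_pki, id_cl, clpk, clipk, msg):
    pkisk.refresh()                                # step (1): key update
    n = secrets.randbelow(q)
    t1 = n                                         # T1 = n·Q
    rho = hash_to_zq(id_cl, clipk)
    ek1 = g1_exp(clpk, n)
    ek2 = g1_exp(g1_mul(sp["PK_KGC"], pair(clipk, sp["W"] + rho * sp["T"])), n)
    t2 = sym_crypt(ek1 ^ ek2, msg)                 # EK = EK1 ⊕ EK2
    beta = hash_to_zq(t1, t2, id_pki, id_cl, msg)
    ts = (pkisk.s0 + n * (sp["W"] + beta * sp["T"])) % q   # step (4): share 0 only
    t0 = (pkisk.s1 + ts) % q                               # step (5): share 1 only
    return (t0, t1, t2, id_pki, id_cl)

def unsigncrypt(sp, ct, dec, pkipk):
    t0, t1, t2, id_pki, id_cl = ct
    dec["CLSK"].refresh()                          # step (1): key update
    dec["CLISK"].refresh()
    ek1 = g1_mul(pair(t1, dec["CLSK"].s0), pair(t1, dec["CLSK"].s1))    # EK1'
    ek2 = g1_mul(pair(t1, dec["CLISK"].s0), pair(t1, dec["CLISK"].s1))  # EK2'
    msg = sym_crypt(ek1 ^ ek2, t2)
    beta = hash_to_zq(t1, t2, id_pki, id_cl, msg)
    if pair(1, t0) != g1_mul(pkipk, pair(t1, sp["W"] + beta * sp["T"])):
        return None                                # step (6) fails: reject
    return msg
```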

5 Security Analysis

In Definitions 2 and 3, we define two adversary games Game1 and Game2, respectively, to model the content unforgeability (authentication) and the message confidentiality of the LR-HSC-HPKS scheme. Under Game1 and Game2, Theorems 1 and 2 show that the LR-HSC-HPKS scheme is EUF-ACMSCA-secure and EIND-CCSCA-secure against both $A_I$ and $A_{II}$, respectively.

Theorem 1.

Based on the SH assumption and the DL assumption in the GBG model, the LR-HSC-HPKS scheme is EUF-ACMSCA-secure against adversaries A ($A_I$ and $A_{II}$).

Proof.

An adversary A and a challenger B cooperatively play Game1 as follows.

  • Initialization phase. B runs the System setup in Definition 1 to generate $SP = \{G, G_1, \hat{e}, Q, Q_1, q, W, T, SE/SD, SH_0, SH_1\}$, the CA's secret/public key pair $(SK_{CA}, PK_{CA})$ and the KGC's secret/public key pair $(SK_{KGC}, PK_{KGC})$. Additionally, if A is an $A_{II}$, both $SK_{CA}$ and $SK_{KGC}$ are sent to $A_{II}$. Also, six initially empty lists $L_{Ta}$, $L_{Tb}$, $L_{TSK}$, $L_{TISK}$, $L_{THSE}$ and $L_{TSH}$ are constructed as follows.

    • $L_{Ta}$: Each element of $G$ is recorded as a pair of (multi-variate polynomial, bit-string) in $L_{Ta}$, represented as $(\Psi_{G,x,y,z}, \Omega_{G,x,y,z})$, where $x$, $y$ and $z$ denote the type-$x$ query, the $y$-th query and the $z$-th item, respectively. Also, B records $(\Psi_Q, \Omega_{G,S,0,1})$, $(\Psi_W, \Omega_{G,S,0,2})$, $(\Psi_T, \Omega_{G,S,0,3})$, $(\Psi_{SK_{CA}}, \Omega_{G,S,0,4})$ and $(\Psi_{SK_{KGC}}, \Omega_{G,S,0,5})$ in $L_{Ta}$. In the subsequent Query phase, there is an auto-transformation process that transforms $\Psi_{G,x,y,z}$ (or $\Omega_{G,x,y,z}$) to $\Omega_{G,x,y,z}$ (or $\Psi_{G,x,y,z}$).

    • $L_{Tb}$: Each element of $G_1$ is recorded as a pair of (multi-variate polynomial, bit-string) in $L_{Tb}$, represented as $(\Psi_{G_1,x,y,z}, \Omega_{G_1,x,y,z})$, where $x$, $y$ and $z$ are identical with those in $L_{Ta}$. Additionally, B records $(\Psi_{PK_{CA}}, \Omega_{G_1,S,0,1})$ and $(\Psi_{PK_{KGC}}, \Omega_{G_1,S,0,2})$ in $L_{Tb}$. Also, there is an auto-transformation process that transforms $\Psi_{G_1,x,y,z}$ (or $\Omega_{G_1,x,y,z}$) to $\Omega_{G_1,x,y,z}$ (or $\Psi_{G_1,x,y,z}$).

    • $L_{TSK}$: A secret/public key pair of $ID_{PKI}$/$ID_{CL}$ is recorded as a tuple $(ID_{PKI}/ID_{CL}, \Psi_{PKISK_{ID}}/\Psi_{CLSK_{ID}}, \Psi_{PKIPK_{ID}}/\Psi_{CLPK_{ID}})$ in $L_{TSK}$.

    • $L_{TISK}$: An identity secret/public key pair of $ID_{CL}$ is recorded as a tuple $(ID_{CL}, \Psi_{CLISK_{ID}}, \Psi_{CLIPK_{ID}})$ in $L_{TISK}$.

    • $L_{THSE}$: The related contents of requesting the Hybrid signcryption query $(M, ID_{PKI}, ID_{CL})$ are recorded as a tuple $(M, \Psi_{T_0}, \Psi_{T_1}, T_2, \Psi_{EK_1}, \Psi_{EK_2}, \Psi_\beta, ID_{PKI}, ID_{CL})$ in $L_{THSE}$.

    • $L_{TSH}$: The related contents of requesting $SH_1()$ are recorded as a pair $(\Omega_{T_1 \| T_2 \| ID_{PKI} \| ID_{CL} \| M}, \Omega_\beta)$.

  • Query phase: A ($A_I$ or $A_{II}$) may adaptively request various kinds of queries (oracles) to B at most $p$ times as follows.

    • $O_a$ query $(\Omega_{G,O,r,i}, \Omega_{G,O,r,j}, OP)$: B first transforms $(\Omega_{G,O,r,i}, \Omega_{G,O,r,j})$ to $(\Psi_{G,O,r,i}, \Psi_{G,O,r,j})$. B computes $\Psi_{G,O,r,k} = \Psi_{G,O,r,i} + \Psi_{G,O,r,j}$ if $OP$ is "addition". Otherwise, B computes $\Psi_{G,O,r,k} = \Psi_{G,O,r,i} - \Psi_{G,O,r,j}$. Also, B records $(\Psi_{G,O,r,k}, \Omega_{G,O,r,k})$ in $L_{Ta}$.

    • $O_m$ query $(\Omega_{G_1,O,r,i}, \Omega_{G_1,O,r,j}, OP)$: B first transforms $(\Omega_{G_1,O,r,i}, \Omega_{G_1,O,r,j})$ to $(\Psi_{G_1,O,r,i}, \Psi_{G_1,O,r,j})$. B computes $\Psi_{G_1,O,r,k} = \Psi_{G_1,O,r,i} + \Psi_{G_1,O,r,j}$ if $OP$ is "multiplication". Otherwise, B computes $\Psi_{G_1,O,r,k} = \Psi_{G_1,O,r,i} - \Psi_{G_1,O,r,j}$. Also, B records $(\Psi_{G_1,O,r,k}, \Omega_{G_1,O,r,k})$ in $L_{Tb}$.

    • $O_{\hat{e}}$ query $(\Omega_{G,O,r,i}, \Omega_{G,O,r,j})$: B first transforms $(\Omega_{G,O,r,i}, \Omega_{G,O,r,j})$ to $(\Psi_{G,O,r,i}, \Psi_{G,O,r,j})$. B computes $\Psi_{G_1,O,r,k} = \Psi_{G,O,r,i} \cdot \Psi_{G,O,r,j}$ and records $(\Psi_{G_1,O,r,k}, \Omega_{G_1,O,r,k})$ in $L_{Tb}$.

    • Signer secret key query $(ID_{PKI})$: B uses $ID_{PKI}$ to find $(ID_{PKI}, \Psi_{PKISK_{ID}}, \Psi_{PKIPK_{ID}})$ in $L_{TSK}$. If found, B transforms $\Psi_{PKISK_{ID}}$ to return $\Omega_{PKISK_{ID}}$. Otherwise, B chooses $\Psi_{G_R}$ in $G$ and computes $\Psi_{PK_R} = \Psi_Q \cdot \Psi_{G_R}$. B records $(ID_{PKI}, \Psi_{PKISK_{ID}} = \Psi_{G_R}, \Psi_{PKIPK_{ID}} = \Psi_{PK_R})$ in $L_{TSK}$. Also, B respectively records $(\Psi_{G_R}, \Omega_{G_R})$ and $(\Psi_{PK_R}, \Omega_{PK_R})$ in $L_{Ta}$ and $L_{Tb}$, and returns $\Omega_{G_R}$ and $\Omega_{PK_R}$.

    • Signer certificate query $(ID_{PKI}, \Omega_{PKIPK_{ID}})$: For the $i$-th request of this query, B first updates the old secret key $\Psi_{SK_{CA}} = (\Psi_{SK_{CA,i-1,0}}, \Psi_{SK_{CA,i-1,1}})$ to the new secret key $\Psi_{SK_{CA}} = (\Psi_{SK_{CA,i,0}}, \Psi_{SK_{CA,i,1}})$, and uses $(\Psi_{SK_{CA,i,0}}, \Psi_{SK_{CA,i,1}})$ to generate and return the signer $ID_{PKI}$'s certificate $CRT_{ID}$.

    • Signer certificate leak query $(i, f_{SCG,i}, h_{SCG,i})$: For the $i$-th request of the Signer certificate query, the leak query can only be requested once. B returns $\Delta f_{SCG,i} = f_{SCG,i}(SK_{CA,i,0})$ and $\Delta h_{SCG,i} = h_{SCG,i}(SK_{CA,i,1})$.

    • Decrypter identity secret key query $(ID_{CL})$: For the $i$-th request of this query, B first updates the old secret key $\Psi_{SK_{KGC}} = (\Psi_{SK_{KGC,i-1,0}}, \Psi_{SK_{KGC,i-1,1}})$ to the new secret key $\Psi_{SK_{KGC}} = (\Psi_{SK_{KGC,i,0}}, \Psi_{SK_{KGC,i,1}})$. B chooses $\Psi_{G_T}$ and $\Psi_\rho$ in $G$, and generates the decrypter $ID_{CL}$'s identity secret/public key pair $(\Psi_{CLISK_{ID}} = \Psi_{SK_{KGC}} + \Psi_{G_T} \cdot (\Psi_W + \Psi_\rho \cdot \Psi_T), \Psi_{CLIPK_{ID}} = \Psi_{G_T})$. B records $(\Psi_{CLISK_{ID}}, \Omega_{CLISK_{ID}})$, $(\Psi_{CLIPK_{ID}}, \Omega_{CLIPK_{ID}})$ and $(\Psi_\rho, \Omega_\rho = ID_{CL} \| \Omega_{CLIPK_{ID}})$ in $L_{Ta}$. Also, B records $(ID_{CL}, \Psi_{CLISK_{ID}}, \Psi_{CLIPK_{ID}})$ in $L_{TISK}$, and returns both $\Omega_{CLISK_{ID}}$ and $\Omega_{CLIPK_{ID}}$.

    • Decrypter identity secret key leak query $(i, f_{ISKG,i}, h_{ISKG,i})$: For the $i$-th request of the Decrypter identity secret key query, the leak query can only be requested once. B returns $\Delta f_{ISKG,i} = f_{ISKG,i}(SK_{KGC,i,0})$ and $\Delta h_{ISKG,i} = h_{ISKG,i}(SK_{KGC,i,1})$.

    • Decrypter public key replace query $(ID_{CL}, (\Omega_{CLPK_{ID}}, \Omega_{CLIPK_{ID}}))$: B transforms $(\Omega_{CLPK_{ID}}, \Omega_{CLIPK_{ID}})$ to $(\Psi_{CLPK_{ID}}, \Psi_{CLIPK_{ID}})$. B modifies $(ID_{CL}, -, \Psi_{CLPK_{ID}})$ in $L_{TSK}$ and $(ID_{CL}, -, \Psi_{CLIPK_{ID}})$ in $L_{TISK}$.

    • Decrypter secret key query $(ID_{CL})$: B uses $ID_{CL}$ to find $(ID_{CL}, \Psi_{CLSK_{ID}}, \Psi_{CLPK_{ID}})$ in $L_{TSK}$. If found, B transforms $\Psi_{CLSK_{ID}}$ to return $\Omega_{CLSK_{ID}}$. Otherwise, B chooses $\Psi_{G_R}$ in $G$ and computes $\Psi_{PK_R} = \Psi_Q \cdot \Psi_{G_R}$. B records $(ID_{CL}, \Psi_{CLSK_{ID}} = \Psi_{G_R}, \Psi_{CLPK_{ID}} = \Psi_{PK_R})$ in $L_{TSK}$. Also, B respectively records $(\Psi_{G_R}, \Omega_{G_R})$ and $(\Psi_{PK_R}, \Omega_{PK_R})$ in $L_{Ta}$ and $L_{Tb}$, and returns both $\Omega_{G_R}$ and $\Omega_{PK_R}$.

    • Hybrid signcryption query $(M, ID_{PKI}, ID_{CL})$: B first updates the signer $ID_{PKI}$'s old secret key $\Psi_{PKISK_{ID}} = (\Psi_{PKISK_{ID,j-1,0}}, \Psi_{PKISK_{ID,j-1,1}})$ to the new secret key $\Psi_{PKISK_{ID}} = (\Psi_{PKISK_{ID,j,0}}, \Psi_{PKISK_{ID,j,1}})$. B performs the following detailed processes to return $CT$.

      • (1) By $ID_{CL}$, find $(ID_{CL}, \Psi_{CLISK_{ID}}, \Psi_{CLIPK_{ID}})$ in $L_{TISK}$ and $(ID_{CL}, \Psi_{CLSK_{ID}}, \Psi_{CLPK_{ID}})$ in $L_{TSK}$. Meanwhile, transform $\Psi_{CLIPK_{ID}}$ to $\Omega_{CLIPK_{ID}}$.

      • (2) Select $\Psi_\rho$ and $\Psi_n$ in $G$ and record $(\Psi_\rho, ID_{CL} \| \Omega_{CLIPK_{ID}})$ in $L_{Ta}$.

      • (3) Compute $\Psi_{EK_1} = \Psi_{CLPK_{ID}} \cdot \Psi_n$ and $\Psi_{EK_2} = (\Psi_{PK_{KGC}} + \Psi_{CLIPK_{ID}} \cdot (\Psi_W + \Psi_\rho \cdot \Psi_T)) \cdot \Psi_n$.

      • (4) Transform $\Psi_n$, $\Psi_{EK_1}$ and $\Psi_{EK_2}$ to $\Omega_n$, $\Omega_{EK_1}$ and $\Omega_{EK_2}$, respectively.

      • (5) Compute $\Omega_{EK} = \Omega_{EK_1} \oplus \Omega_{EK_2}$ and $T_2 = SE_{\Omega_{EK}}(M)$.

      • (6) Compute $\Omega_\beta = SH_1(\Omega_n, T_2, ID_{PKI}, ID_{CL}, M)$, select $\Psi_\beta$ in $G$, and record $(\Psi_\beta, \Omega_\beta)$ in $L_{Ta}$.

      • (7) Compute $\Psi_{T_0} = \Psi_{PKISK_{ID}} + \Psi_n \cdot (\Psi_W + \Psi_T \cdot \Psi_\beta)$ and transform $\Psi_{T_0}$ to $\Omega_{T_0}$.

      • (8) Record $(M, \Psi_{T_0}, \Psi_n, T_2, \Psi_{EK_1}, \Psi_{EK_2}, \Psi_\beta, ID_{PKI}, ID_{CL})$ in $L_{THSE}$.

      • (9) Return $CT = (\Omega_{T_0}, \Omega_n, T_2, ID_{PKI}, ID_{CL})$.

    • Hybrid signcryption leak query $(ID_{PKI}, j, f_{HS,j}, h_{HS,j})$: For the signer $ID_{PKI}$'s $j$-th request of the Hybrid signcryption query, the leak query can only be requested once. B returns $\Delta f_{HS,j} = f_{HS,j}(PKISK_{ID,j,0})$ and $\Delta h_{HS,j} = h_{HS,j}(PKISK_{ID,j,1})$.

    • Hybrid unsigncryption query $(CT, ID_{PKI}, ID_{CL})$: B first updates the decrypter $ID_{CL}$'s old secret key $(\Psi_{CLSK_{ID,k-1,0}}, \Psi_{CLSK_{ID,k-1,1}})$ and identity secret key $(\Psi_{CLISK_{ID,k-1,0}}, \Psi_{CLISK_{ID,k-1,1}})$ to $\Psi_{CLSK_{ID}} = (\Psi_{CLSK_{ID,k,0}}, \Psi_{CLSK_{ID,k,1}})$ and $\Psi_{CLISK_{ID}} = (\Psi_{CLISK_{ID,k,0}}, \Psi_{CLISK_{ID,k,1}})$, respectively. B performs the following detailed processes to return $M$.

      • (1) By $ID_{PKI}$, find $(ID_{PKI}, \Psi_{PKIPK_{ID}})$ in $L_{TSK}$ and transform $\Psi_{PKIPK_{ID}}$ to $\Omega_{PKIPK_{ID}}$.

      • (2) Transform $\Omega_{T_0}$ and $\Omega_n$ to $\Psi_{T_0}$ and $\Psi_n$, respectively.

      • (3) Compute $\Psi_{EK_1} = \Psi_n \cdot \Psi_{CLSK_{ID}}$ and $\Psi_{EK_2} = \Psi_n \cdot \Psi_{CLISK_{ID}}$.

      • (4) Set $\Omega_\beta = SH_1(\Omega_n, T_2, ID_{PKI}, ID_{CL}, M)$ and transform $\Omega_\beta$ to $\Psi_\beta$.

      • (5) Use $(\Psi_{T_0}, \Psi_n, T_2, \Psi_{EK_1}, \Psi_{EK_2}, \Psi_\beta, ID_{PKI}, ID_{CL})$ to find $(M, \Psi_{T_0}, \Psi_{T_1}, T_2, \Psi_{EK_1}, \Psi_{EK_2}, \Psi_\beta, ID_{PKI}, ID_{CL})$ in $L_{THSE}$.

      • (6) If found, return $M$. Otherwise, return "invalid".

    • Hybrid unsigncryption leak query $(ID_{CL}, k, f_{HUS,k}, h_{HUS,k})$: For the decrypter $ID_{CL}$'s $k$-th request of the Hybrid unsigncryption query, the leak query can only be requested once. B returns $\Delta f_{HUS,k} = f_{HUS,k}(CLSK_{ID,k,0}, CLSK_{ID,k,1})$ and $\Delta h_{HUS,k} = h_{HUS,k}(CLISK_{ID,k,0}, CLISK_{ID,k,1})$.

  • Forgery phase: Assume that A forges a ciphertext $CT = (T_0, T_1, T_2, ID_{PKI}, ID_{CL})$ for the message $M$. We say that A wins Game1 when the three provisions mentioned in the Forgery phase of Definition 2 (i.e. Game1) are true.

In the following, let us first evaluate the advantage of $A_I$ without requesting any leak queries in Game1, denoted as $Adv_1(A_I^{wo})$. By $Adv_1(A_I^{wo})$, we then evaluate the advantage of $A_I$ with requesting all leak queries in Game1, denoted as $Adv_1(A_I)$. By similar analysis, $Adv_1(A_{II})$ is also obtained.

  • The evaluation of $Adv_1(A_I^{wo})$: In the GBG model, if adversaries can find collisions in $G$ and $G_1$, the discrete logarithm problem in $G$ and $G_1$ will be resolved. The total number of elements in both $L_{Ta}$ and $L_{Tb}$ is first counted. In the Query phase, $A_I$ may request various kinds of queries (oracles) to B at most $p$ times, while the number of elements added by a single query (i.e. the Hybrid signcryption query) is at most 6. Therefore, we have $|L_{Ta}| + |L_{Tb}| \le 6p$. Also, the maximal degrees of polynomials in $L_{Ta}$ and $L_{Tb}$ are 3 and 6, respectively. Moreover, $Adv_1(A_I^{wo})$ includes the probabilities of two cases, as evaluated below.

    • (1) $Pb[Forgery]$: Let $Pb[Forgery]$ denote the probability that $A_I$ forges a ciphertext $CT = (T_0, T_1, T_2, ID_{PKI}, ID_{CL})$ for a message $M$ that satisfies $\hat{e}(Q, T_0) = PKIPK_{ID} \cdot \hat{e}(T_1, W + \beta \cdot T)$ in the Hybrid unsigncryption. That is, we have $\Psi_Q \cdot \Psi_{T_0} = \Psi_{PKIPK_{ID}} + \Psi_{T_1} \cdot (\Psi_W + \Psi_\beta \cdot \Psi_T)$, and we set $\Psi_f = \Psi_Q \cdot \Psi_{T_0} - (\Psi_{PKIPK_{ID}} + \Psi_{T_1} \cdot (\Psi_W + \Psi_\beta \cdot \Psi_T))$, which has degree 3. By Lemma 2, we have $Pb[Forgery] = 3/q$ because the probability of $\Psi_f = 0$ is $3/q$.

    • (2) $Pb[Collision]$: Let $Pb[Collision]$ denote the probability that $A_I$ may find collisions in $L_{Ta}$ or $L_{Tb}$. Assume that the polynomials in $L_{Ta}$ have $s$ variates, represented by $s$ random integers $u_i \in \mathbb{Z}_q$, for $i = 1, 2, \ldots, s$. Let $(\Psi_{G_j}, \Psi_{G_k})$ denote a pair of two different polynomials in $L_{Ta}$, so that there are $|L_{Ta}|^2$ pairs $(\Psi_{G_j}, \Psi_{G_k})$. For each pair, we set $\Psi_{G_l}(u_1, u_2, \ldots, u_s) = \Psi_{G_j} - \Psi_{G_k}$. If there exists any $\Psi_{G_l} = 0$, a collision in $L_{Ta}$ has occurred. Since there are $|L_{Ta}|^2$ pairs $(\Psi_{G_j}, \Psi_{G_k})$ and the maximal degree of polynomials in $L_{Ta}$ is 3, we have that $Pb[Collision]$ in $L_{Ta}$ is $(3/q)|L_{Ta}|^2$. By similar arguments, we have that $Pb[Collision]$ in $L_{Tb}$ is $(6/q)|L_{Tb}|^2$. Since $|L_{Ta}| + |L_{Tb}| \le 6p$, we have

      $Pb[Collision] \le (3/q)|L_{Ta}|^2 + (6/q)|L_{Tb}|^2 \le (6/q)(|L_{Ta}| + |L_{Tb}|)^2 \le 216p^2/q = O(p^2/q)$.

    Due to the above discussions, we have

    $Adv_1(A_I^{wo}) = Pb[Forgery] + Pb[Collision] \le 3/q + O(p^2/q) = O(p^2/q)$.

  • The evaluation of $Adv_1(A_I)$: By $Adv_1(A_I^{wo})$, we evaluate the advantage $Adv_1(A_I)$ of $A_I$ with requesting all leak queries in Game1. These leak queries include the Signer certificate leak query, the Decrypter identity secret key leak query, the Hybrid signcryption leak query and the Hybrid unsigncryption leak query. Due to the key updating process, any two leaked portions of a secret key are mutually independent. Therefore, $A_I$ could gain at most $2\tau$ bits of $SK_{CA}$, $2\tau$ bits of $SK_{KGC}$, $2\tau$ bits of $PKISK_{ID}$, and $2\tau$ bits of both $CLSK_{ID}$ and $CLISK_{ID}$. Hence, we have

    $Adv_1(A_I) \le Adv_1(A_I^{wo}) \cdot 2^{2\tau} = O((p^2/q) \cdot 2^{2\tau})$.

    It is obvious that $Adv_1(A_I) = O((p^2/q) \cdot 2^{2\tau})$ is negligible if $p = poly(\log q)$ by Lemma 2.

  • The evaluation of $Adv_1(A_{II})$: $A_{II}$ is used to model the attacking ability of a malicious CA/KGC who has both $SK_{CA}$ and $SK_{KGC}$. Therefore, $A_{II}$ could gain at most $2\tau$ bits of $PKISK_{ID}$, and $2\tau$ bits of $CLSK_{ID}$ or $CLISK_{ID}$. By similar analysis to that of $Adv_1(A_I)$, we also have $Adv_1(A_{II}) = O((p^2/q) \cdot 2^{2\tau})$, which is negligible if $p = poly(\log q)$ by Lemma 2.

 □

Theorem 2.

Based on the SH assumption and the DL assumption in the GBG model, the LR-HSC-HPKS scheme is EIND-CCSCA-secure against adversaries A ($A_I$ and $A_{II}$).

Proof.

An adversary A and a challenger B cooperatively play Game2 as follows.

  • Initialization phase: It is exactly the same as the Initialization phase in the proof of Theorem 1.

  • Query phase: It is exactly the same as the Query phase in the proof of Theorem 1.

  • Challenge phase: A selects a target decrypter $ID_{CL}$ and a message pair $(M_0, M_1)$ as a challenge objective. B randomly selects $c \in \{0,1\}$ and generates a challenge ciphertext $CT$ by running the Hybrid signcryption algorithm with $(M_c, ID_{PKI}, ID_{CL})$. Also, B sends $CT$ to A. Note that the two provisions mentioned in the Challenge phase of Definition 3 (i.e. Game2) must be satisfied.

  • Guessing phase: A outputs $c' \in \{0,1\}$ and wins Game2 if $c' = c$. Meanwhile, A's advantage is defined as $Adv(A) = |Pb[c' = c] - 1/2|$.

By similar evaluations as in the proof of Theorem 1, we can evaluate the advantage of $A_I$ without requesting any leak queries in Game2, denoted as $Adv_2(A_I^{wo})$. By $Adv_2(A_I^{wo})$, we then evaluate the advantage of $A_I$ with requesting all leak queries in Game2, denoted as $Adv_2(A_I)$. By similar analysis, $Adv_2(A_{II})$ is also obtained.

  • The evaluation of $Adv_2(A_I^{wo})$: $Adv_2(A_I^{wo})$ includes the probabilities of two cases, as evaluated below.

    • (1) $Pb[Guessing]$: Since $A_I^{wo}$ is not permitted to request any leak query, there is no useful information about secret keys. Therefore, the probability of guessing $c' = c$ is $1/2$, namely, $Pb[Guessing] = 1/2$.

    • (2) $Pb[Collision]$: The probability is identical to the probability $Pb[Collision]$ in the proof of Theorem 1, namely, $Pb[Collision] = O(p^2/q)$.

    Due to the above discussions, we have

    $Adv_2(A_I^{wo}) = |Pb[c' = c] - 1/2| = |Pb[Guessing] - 1/2| + |Pb[Collision]| = O(p^2/q)$.

  • The evaluation of $Adv_2(A_I)$: By $Adv_2(A_I^{wo})$, we evaluate the advantage $Adv_2(A_I)$ of $A_I$ with requesting all leak queries in Game2. By the same evaluation as $Adv_1(A_I)$ in the proof of Theorem 1, $A_I$ could gain at most $2\tau$ bits of $SK_{CA}$, $2\tau$ bits of $SK_{KGC}$, $2\tau$ bits of $PKISK_{ID}$, and $2\tau$ bits of both $CLSK_{ID}$ and $CLISK_{ID}$. Hence, we also have

    $Adv_2(A_I) \le Adv_2(A_I^{wo}) \cdot 2^{2\tau} = O((p^2/q) \cdot 2^{2\tau})$.

    It is obvious that $Adv_2(A_I) = O((p^2/q) \cdot 2^{2\tau})$ is negligible if $p = poly(\log q)$ by Lemma 2.

  • The evaluation of $Adv_2(A_{II})$: $A_{II}$ is used to model the attacking abilities of a malicious CA/KGC who has both $SK_{CA}$ and $SK_{KGC}$. Therefore, $A_{II}$ could gain at most $2\tau$ bits of $PKISK_{ID}$, and $2\tau$ bits of $CLSK_{ID}$ or $CLISK_{ID}$. By similar analysis to that of $Adv_2(A_I)$, we also have $Adv_2(A_{II}) = O((p^2/q) \cdot 2^{2\tau})$, which is negligible if $p = poly(\log q)$ by Lemma 2.

 □

6 Performance Analysis

In the following, the notations of three time-consuming computations are defined.

  • $T_{bil}$: The computational complexity of running a bilinear pairing $\hat{e}: G \times G \to G_1$.

  • $T_{mul}$: The computational complexity of running a multiplication in $G$.

  • $T_{exp}$: The computational complexity of running an exponentiation in $G_1$.

By the performance experiments conducted in Xiong and Qin (2015), Table 3 lists the required costs (ms) of the three time-consuming computations on a mobile device (PDA) and a PC. The security parameter of the bilinear group set $\{G, G_1, \hat{e}, Q, Q_1, q\}$ is set to a 512-bit prime order $q$. Also, the PDA and the PC are equipped with 624 MHz and 3 GHz CPUs, respectively. Table 4 lists the computational complexities and the required running costs (ms) of our LR-HSC-HPKS scheme in terms of the System setup, User key generation, Hybrid signcryption (HSE) and Hybrid unsigncryption (HUSE) algorithms. To achieve the leakage-resilient property, the key updating process for each secret key must be employed, so our scheme adds some extra computations. Nevertheless, by Table 4, the proposed scheme is well suited to running on both a PDA and a PC. The point is that our scheme is the first hybrid signcryption scheme with leakage resilience.

Table 3

Required costs (ms) of three time-consuming computations.

Devices    $T_{bil}$    $T_{mul}$    $T_{exp}$
PDA        ≈96 ms       ≈30 ms       ≈30 ms
PC         ≈20 ms       ≈6 ms        ≈6 ms

Table 4

Computational complexities and costs (ms) of our LR-HSC-HPKS scheme.

Algorithms                             Computational complexities         Costs on a PDA    Costs on a PC
System setup                           $T_{bil} + 2T_{mul}$               156 ms            32 ms
User key generation for the PKI-PKS    $T_{bil} + 3T_{mul}$               186 ms            38 ms
User key generation for the CL-PKS     $T_{bil} + 7T_{mul}$               306 ms            62 ms
Hybrid signcryption                    $T_{bil} + 5T_{mul} + 2T_{exp}$    306 ms            62 ms
Hybrid unsigncryption                  $6T_{bil} + 2T_{mul}$              636 ms            132 ms

7 Conclusions and Future Work

In recent years, many scholars have studied hybrid signcryption schemes in heterogeneous environments, but these schemes cannot withstand side-channel attacks, namely, they do not possess the leakage-resilience property. In this paper, the first leakage-resilient hybrid signcryption scheme in heterogeneous public-key systems (LR-HSC-HPKS) has been proposed. Also, a new framework and two new adversary games for the LR-HSC-HPKS scheme were defined. Based on the SH assumption and the DL assumption in the GBG model, the proposed LR-HSC-HPKS scheme is EUF-ACMSCA-secure and EIND-CCSCA-secure against adversaries A ($A_I$ and $A_{II}$), namely, an illegitimate member ($A_I$) and a malicious CA/KGC ($A_{II}$). Furthermore, compared with the previously proposed hybrid signcryption schemes, the proposed scheme has the following merits: (1) It is the first hybrid signcryption scheme resisting side-channel attacks. (2) It possesses the unbounded leakage-resilient property, namely, adversaries are allowed to repeatedly learn a portion of the secret key used in each computation. (3) All secret keys of the proposed scheme are allowed to be partially leaked to adversaries while the security of the proposed scheme is maintained. Finally, by the computational simulation results, the performance analysis shows that the proposed scheme is well suited to running on both a PDA and a PC. In the future, it is an interesting topic to propose a leakage-resilient hybrid signcryption scheme with equality test functionality in heterogeneous public-key systems.

References

Akavia, A., Goldwasser, S., Vaikuntanathan, V. (2009). Simultaneous hardcore bits and cryptography against memory attacks. In: Theory of Cryptography, TCC'09, LNCS, Vol. 5444, pp. 474–495.

Ali, I., Lawrence, T., Omala, A.A., Li, F. (2020). An efficient hybrid signcryption scheme with conditional privacy-preservation for heterogeneous vehicular communication in VANETs. IEEE Transactions on Vehicular Technology, 69(10), 11266–11280.

Al-Riyami, S., Paterson, K. (2003). Certificateless public key cryptography. In: Advances in Cryptology – ASIACRYPT 2003, LNCS, Vol. 2894, pp. 452–473.

Alwen, J., Dodis, Y., Wichs, D. (2009). Leakage-resilient public-key cryptography in the bounded-retrieval model. In: Advances in Cryptology – CRYPTO 2009, LNCS, Vol. 5677, pp. 36–54.

Baek, J., Steinfeld, R., Zheng, Y. (2007). Formal proofs for the security of signcryption. Journal of Cryptology, 20(2), 203–235.

Barbosa, M., Farshim, P. (2008). Certificateless signcryption. In: Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security, ASIACCS'08, pp. 369–372.

Biham, E., Carmeli, Y., Shamir, A. (2008). Bug attacks. In: Advances in Cryptology – CRYPTO 2008, LNCS, Vol. 5157, pp. 221–240.

Boneh, D., Franklin, M. (2001). Identity-based encryption from the Weil pairing. In: Advances in Cryptology – CRYPTO 2001, LNCS, Vol. 2139, pp. 213–229.

Boneh, D., Boyen, X., Goh, E. (2005). Hierarchical identity-based encryption with constant size ciphertext. In: Advances in Cryptology – EUROCRYPT 2005, LNCS, Vol. 3494, pp. 440–456.

Brumley, D., Boneh, D. (2005). Remote timing attacks are practical. Computer Networks, 48(5), 701–716.

Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A. (2008). Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM Journal on Computing, 38(1), 97–139.

Elkhalil, A., Zhang, J., Elhabob, R., Eltayieb, N. (2021). An efficient signcryption of heterogeneous systems for internet of vehicles. Journal of Systems Architecture, 113, 101885.

Galindo, D., Vivek, S. (2013). A practical leakage-resilient signature scheme in the generic group model. In: Selected Areas in Cryptography, SAC'12, LNCS, Vol. 7707, pp. 50–65.

Galindo, D., Grobschadl, J., Liu, Z., Vadnala, P., Vivek, S. (2016). Implementation of a leakage-resilient ElGamal key encapsulation mechanism. Journal of Cryptographic Engineering, 6(3), 229–238.

Hou, Y., Huang, X., Chen, Y., Kumari, S., Xiong, H. (2021). Heterogeneous signcryption scheme supporting equality test from PKI to CLC toward IoT. Transactions on Emerging Telecommunications Technologies, 32(8), e4190.

Huang, Q., Wong, D.-S., Yang, G. (2011). Heterogeneous signcryption with key privacy. Computer Journal, 54(4), 525–536.

Karati, A., Islam, S.H., Biswas, G.P., Bhuiyan, M.Z., Vijayakumar, P., Karuppiah, M. (2018). Provably secure identity-based signcryption scheme for crowdsourced industrial Internet of Things environments. IEEE Internet of Things Journal, 5(4), 2904–2914.

Kiltz, E., Pietrzak, K. (2010). Leakage resilient ElGamal encryption. In: Advances in Cryptology – ASIACRYPT 2010, LNCS, Vol. 6477, pp. 595–612.

Li, C., Yang, G., Wong, D., Deng, X., Chow, S.S.M. (2010). An efficient signcryption scheme with key privacy and its extension to ring signcryption. Journal of Computer Security, 18(3), 451–473.

Li, F., Xiong, P. (2013). Practical secure communication for integrating wireless sensor networks into the Internet of Things. IEEE Sensors Journal, 13(10), 3677–3684.

Li, F., Shirase, M., Takagi, T. (2013a). Certificateless hybrid signcryption. Mathematical and Computer Modelling, 57, 324–343.

Li, F., Zhang, H., Takagi, T. (2013b). Efficient signcryption for heterogeneous systems. IEEE Systems Journal, 7(3), 420–429.

Li, F., Han, Y., Jin, C. (2016a). Practical access control for sensor networks in the context of the internet of things. Computer Communications, 89–90, 154–164.

Li, F., Han, Y., Jin, C. (2016b). Practical signcryption for secure communication of wireless sensor networks. Wireless Personal Communications, 89, 1391–1412.

Liu, J., Zhang, L., Sun, R., Du, X., Guizani, M. (2018). Mutual heterogeneous signcryption schemes for 5G network slicings. IEEE Access, 6, 7854–7863.

Niu, S., Shao, H., Su, Y., Wang, C. (2023). Efficient heterogeneous signcryption scheme based on edge computing for industrial internet of things. Journal of Systems Architecture, 136, 102836.

Pan, X., Jin, Y., Wang, Z., Li, F. (2022). A pairing-free heterogeneous signcryption scheme for unmanned aerial vehicles. IEEE Internet of Things Journal, 9(19), 19426–19437.

Peng, A.-L., Tseng, Y.-M., Huang, S.-S. (2021). An efficient leakage-resilient authenticated key exchange protocol suitable for IoT devices. IEEE Systems Journal, 15(4), 5343–5354.

Rivest, R., Shamir, A., Adleman, L. (1978). A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2), 120–126.

Sun, Y., Li, H. (2010). Efficient signcryption between TPKC and IDPKC and its multi-receiver construction. Science China Information Sciences, 53, 557–566.

Tsai, T.-T., Tseng, Y.-M., Huang, S.-S. (2023). Leakage-resilient certificateless signcryption scheme under a continual leakage model. IEEE Access, 11, 54448–54461.

Tseng, Y.-M., Wu, J.-D., Huang, S.-S., Tsai, T.-T. (2020). Leakage-resilient outsourced revocable certificateless signature with a cloud revocation server. Information Technology and Control, 49(4), 464–481.

Tseng, Y.-M., Huang, S.-S., Tsai, T.-T. (2022a). Practical leakage-resilient signcryption scheme suitable for mobile environments. In: 2022 IEEE 11th Global Conference on Consumer Electronics (GCCE), Osaka, Japan, 2022, pp. 383–384. https://doi.org/10.1109/GCCE56475.2022.10014332.

Tseng, Y.-M., Huang, S.-S., Tsai, T.-T., Chuang, Y.-H., Hung, Y.-H. (2022b). Leakage-resilient revocable certificateless encryption with an outsourced revocation authority. Informatica, 33(1), 151–179.

Tseng, Y.-M., Tsai, T.-T., Huang, S.-S. (2023). Fully continuous leakage-resilient certificate-based signcryption scheme for mobile communications. Informatica, 34(1), 199–222.

Wei, G., Shao, J., Xiang, Y., Zhu, P., Lu, R. (2015). Obtain confidentiality or/and authenticity in big data by ID-based generalized signcryption. Information Sciences, 318, 111–122.

Wu, J.-D., Tseng, Y.-M., Huang, S.-S., Chou, W.-C. (2018). Leakage-resilient certificateless key encapsulation scheme. Informatica, 29(1), 125–155.

Wu, J.-D., Tseng, Y.-M., Huang, S.-S. (2019). An identity-based authenticated key exchange protocol resilient to continuous key leakage. IEEE Systems Journal, 13(4), 3968–3979.

Xie, J.-Y., Tseng, Y.-M., Huang, S.-S. (2023). Leakage-resilient anonymous multi-receiver certificateless encryption resistant to side-channel attacks. IEEE Systems Journal, 17(2), 2674–2685.

Xiong, H., Qin, Z. (2015). Revocable and scalable certificateless remote authentication protocol with anonymity for wireless body area networks. IEEE Transactions on Information Forensics and Security, 10(7), 1442–1455.

Xiong, H., Zhao, Y., Hou, Y., Huang, X., Jin, C., Wang, L., Kumari, S. (2021). Heterogeneous signcryption with equality test for IIoT environment. IEEE Internet of Things Journal, 8(21), 16142–16152.

Xiong, H., Hou, Y., Huang, X., Zhao, Y., Chen, C.-M. (2022). Heterogeneous signcryption scheme from IBC to PKI with equality test for WBANs. IEEE Systems Journal, 16(2), 2391–2400.

Zheng, Y. (1997). Digital signcryption or how to achieve cost (signature & encryption) ≪ cost (signature) + cost (encryption). In: Advances in Cryptology – CRYPTO '97, LNCS, Vol. 1294, pp. 165–179.