Sage Journals: Discover world-class research

Abstract

The mobile-health system, also known as the wireless body area network for remote patient monitoring, is a system used to remotely monitor the human body’s health status parameters in real time. The generalized signcryption can realize encryption, signature, and signcryption with only one key pair and one algorithm. To address the communication security requirement for the mobile-health system, Zhang et al. recently proposed a lightweight secure data transmission protocol for the mobile-health system, which uses a certificateless generalized signcryption scheme. However, Zhang et al.’s certificateless generalized signcryption scheme is insecure. In this article, we propose an improved certificateless generalized signcryption scheme and then give a rigorous security proof of it. The confidentiality of our improved scheme can be reduced to the computational Diffie–Hellman problem, and the unforgeability, the Elliptic Curve Discrete Logarithm problem. Performance evaluation shows that our scheme has only slightly increased computational and communicational costs compared with the original scheme, but it is more efficient than other certificateless generalized signcryption schemes existing at present. What is more, it is also an efficient scheme compared with those ones protecting the mobile-health system. Based on our scheme, the same lightweight secure data transmission protocol for the mobile-health system can also be constructed, just like the one based on the original scheme.

Keywords

Certificateless cryptography D2D communication generalized signcryption mobile-health system wireless body area network

Introduction

With the rapid development of the micro-electro-mechanical system (MEMS), integrated circuit, and wireless communication technology, the mobile-health (M-Health) system has become a research hotspot. The M-Health system, also referred to as the wireless body area network (WBAN)¹ for remote patient monitoring, is a system where many low-power, intelligent, and miniaturized sensors are worn by or implanted in a human body to monitor his or her health status. These sensors collect personal health information (PHI) such as breathing rate, heart rate, and blood pressure and transmit them wirelessly to a controller like a mobile phone or a similar device. Then, the controller will send the PHI data to a remote health server, which will be processed by physicians in a timely manner. The general architecture of an M-Health system is depicted in Figure 1. The communication between the controller and the health server can be done via a cellular network or the Internet.² In 2017, Zhang et al.³ proposed a lightweight secure data transmission protocol to protect the communication between the controller and the health server based on the cellular network. To alleviate the traffic overload problem in the cellular network, they adopted the Device-to-Device (D2D) communication technology⁴ which has attracted great attention in the literature recently. The D2D communication technology allows direct communication between user equipment (like mobile phones) with physical proximity to extend the battery lifetime, enhance users’ throughput, and improve resource utilization.⁴

Figure 1.

General architecture of the M-Health system.

Zhang et al.’s protocol has the following advantages. (1) Data confidentiality and integrity: Data confidentiality means that the PHI data are encrypted, and the integrity means that if the PHI data are altered during the communication, then it can be discovered by the recipient. (2) Mutual authentication: It means that the M-Health client and the physician can authenticate each other to guarantee that they are communicating with the real peer. (3) Anonymity: The physician only needs to know the bio-information of the M-Health client, whereas all other private information, such as name, must be kept secret.⁵ In Zhang et al.’s scheme, an M-Health client uses a pseudo identity to achieve anonymity in communication. (4) Unlinkability: Whether two communications are initiated by the sameM-Health client is undecidable. (5) Forward security: In Zhang et al.’s scheme, a symmetric session key is introduced, and it is updated by a hash function in each session. If the current session key is exposed, the previous session key will still be secure. (6) Contextual privacy:⁶ It means that if an adversary can link an M-Health client with a specific physician, then he or she may deduce the patient’s disease. In Zhang et al.’s scheme, the attackers or legitimate users in the system do not have the ability to link the origin and the destination of the data if they do not collude. (7) Lightweight: The controller is a device with limited computation and storage capabilities, so the protocol must be lightweight. Zhang et al.’s scheme does not use time-consuming computations like bilinear pairings,⁶ and its ciphertext size is also short.

Zhang et al.’s protocol is based on the certificateless generalized signcryption (CLGSC) technology.⁷ Signcryption⁸ can perform encryption and signature in a single logic step with the costs of computation and communication being far lower than the sum of those of encryption and signature. Generalized signcryption⁹ is a natural extension of signcryption, which can realize encryption, signature, and signcryption in a single logic step. In this way, people only need to hold one key pair and use one algorithm to achieve encryption, signature, and signcryption functions, and with lower cost of key management and less storage space. Certificateless cryptosystem¹⁰ can avoid the private key escrow problem in the identity-based cryptosystem¹¹ and reduce the high cost of public key management in the public key infrastructure (PKI)-based public key cryptosystem.¹² Zhang et al. gave the proof of their CLGSC scheme. Based on the scheme, they proposed a lightweight and robust security-aware D2D-assist data transmission protocol for the M-Health system. However, Zhou¹³ pointed out that their CLGSC scheme is not secure. In this article, we propose an improved scheme to remedy the weaknesses of their scheme and prove the security of ours. The confidentiality of our improved scheme can be reduced to the computational Diffie–Hellman (CDH) problem and the unforgeability, the Elliptic Curve Discrete Logarithm (EC-DL) problem. Efficiency analysis shows that our scheme increases only a little amount of computational and communicational costs compared with the original scheme, but it is more efficient than other CLGSC schemes there are at present. What is more, it is also an efficient scheme compared with those ones protecting the M-Health system. Based on our improved scheme, the same lightweight secure data transmission protocol for theM-Health system can also be constructed, just like the one based on the original scheme.

The rest of the article is organized as follows. In section “Related works,” some related works are introduced. In section “Preliminaries,” some complexity assumptions are described. In section “Formal definition and security model of CLGSC,” the algorithm constitution and the security model of CLGSC are given. In section “Zhang et al.’s communication model and scheme and Zhou’s security analysis,” Zhang et al.’s communication model and scheme and Zhou’s attacks are described. In section “An improved CLGSC scheme,” an improved scheme is proposed. In section “Security and efficiency analyses,” the security and efficiency of the improved scheme are discussed. The article is concluded in section “Conclusion.”

Related works

The communication security of the M-Health system must be solved first before its actual deployment. There are two types of communications in the M-Health system,¹⁴ that is, intra-BAN communication and beyond-BAN communication. The former addresses either the communication among the sensors or that between the sensors and the controller. The latter refers to the communication between the controller and the health server. The earliest work that paid attention to the communication security of the M-Health system is Cherukuri et al.’s paper¹⁵ in 2003, where they used the biometric information measured from a human body to encrypt a symmetric key to protect the intra-BAN communication. The latest works to protect the intra-BAN communication are listed as follows.^16,17

In 2011, Kumar et al.¹⁸ proposed a protocol to protect the beyond-BAN communication of the M-Health system. Their model is to allow the medical service providers (such as physicians or nurses) to access the controller to get the PHI data. Subsequent works include the studies by Li and Hong and Liu et al.^19,20 But in these schemes, it requires that the medical service providers initiatively visit the controller, so it is not applicable to the emergency scenario.

In 2013, Yeh et al.²¹ proposed an anonymous authentication protocol for WBAN to protect the beyond-BAN communication. However, their protocol, based on the traditional public key cryptosystem, has high complicated certificate management cost. In 2014, Liu et al.⁵ proposed two certificateless remote anonymous authentication protocols for WBAN to protect the beyond-BAN communication. However, Zhao²² pointed out that Liu et al.’s⁵ first protocol cannot provide anonymity and that their second protocol is vulnerable to the stolen verifier-table attack. Then, they proposed a new protocol using the PKI-based public key cryptosystem. Later, Wang and Zhang²³ pointed out that Zhao’s²² protocol cannot provide real anonymity and then they proposed a new protocol using the identity-based cryptosystem. Unfortunately, Omala et al.²⁴ pointed out that in Wang and Zhang’s²³ protocol, the medical service provider can impersonate an M-Health client. Furthermore, they proposed a new protocol using the certificateless cryptosystem. In recent years, remote anonymous authentication in M-Health has been a research hotspot, on which many research results have been obtained, including PKI-based protocols,^25,26 identity-based protocols,^27,28 and certificateless protocols.^29,30 All these remote anonymous authentication protocols have one common characteristic, which is that they require one or more interactions between the controller and the health server.

Regarding non-interactive protocols, Tan et al.³¹ proposed a scheme to protect the beyond-BAN communication of the M-Health system in 2008. They used a lightweight identity-based encryption scheme to achieve their goal. However, this scheme does not consider the authentication problem and has the private key escrow problem. In 2009, Lin et al.⁶ proposed a protocol that can achieve data confidentiality and contextual privacy and can resist replaying attacks and forging attacks. However, their scheme is also based on the identity-based cryptosystem, so it still has the private key escrow problem. In 2012, Huang et al.³² improved Tan et al.’s³¹ scheme, but their protocol is still in the identity-based setting. In 2014 and 2015, Wang et al. proposed a ciphertext-policy attribute-based ring signcryption³³ and a key-policy attribute-based ring signcryption³⁴ to protect the beyond-BAN communication of the M-Health system, respectively. The ring signature technology can maintain M-Health clients’ anonymity unconditionally, and the attribute-based encryption technology can provide fine-grained access control for medical service providers. In 2016, Zhou et al.³⁵ proposed an identity-based generalized ring signcryption scheme to protect the beyond-BAN communication. However, the above three schemes all have high computational costs and communication overhead. In 2016, Omala et al.³⁶ proposed a certificateless signcryption scheme, but it does not support anonymity. In 2017, Zhang et al.³ proposed an efficient CLGSC scheme, but Zhou¹³ pointed out that it is not secure.

Regarding generalized signcryption, Han et al.⁹ proposed the first generalized signcryption scheme to save storage space and simplify key management in 2006. Later, Han and Gui³⁷ proposed a multi-receiver generalized signcryption scheme and applied it to wireless multicast communication in 2009. Wang et al.³⁸ improved Han et al.’s scheme⁹ and gave a formal definition and security model of generalized signcryption in the PKI setting in 2010. Later, Yu et al.³⁹ proposed an identity-based generalized signcryption scheme and a corresponding security model in the same year. Kushwah and Lal⁴⁰ simplified the security model in scheme [39] and proposed a more efficient identity-based generalized signcryption scheme in 2011. Zhou et al.⁷ proposed a CLGSC scheme that can resist the malicious-but-passive KGC (key generation center) attack⁴¹ in 2014. Wei et al.⁴² proposed an identity-based generalized signcryption scheme in the standard model and applied it to big data security in 2015. Zhou⁴³ pointed out in the same year that scheme [37] is insecure under the confidentiality attack. Later, Han and Lu⁴⁴ proposed an attribute-based generalized signcryption scheme in the standard model and applied it to online social network security. Zhou and colleagues^35,45 extended generalized signcryption to generalized ring signcryption and generalized proxy signcryption and proposed a concrete identity-based scheme, respectively, in 2016. Zhang et al.³ proposed a lightweight CLGSC scheme and applied it to the M-Health system in 2017. Zhou et al.⁴⁶ proposed in the same year a certificateless key-insulated generalized signcryption scheme and applied it to cloud storage. Zhou¹³ pointed out that scheme [3] is insecure in 2018.

Preliminaries

In the following, we will give some complexity assumptions used in the proofs of our scheme.

1. EC-DL Problem: Let E be an elliptic curve over the finite field $F_{p}$ where p is a prime number, and let G be an additive group of prime order q on $E (F_{p})$ . Given $(P, a P) \in G^{2}$ for unknown randomly chosen $a \in Z_{q}^{*}$ , one must compute a.

The advantage of any probabilistic polynomial time (PPT) algorithm A in solving the EC-DL problem in G is defined to be as follows: ${ADV}_{A}^{EC - DL} = \Pr [A (P, aP) = a, a \in Z_{q}^{*}]$ .

EC-DL assumption: for every PPT algorithm A, ${ADV}_{A}^{EC - DL}$ is negligible.

2. CDH Problem: Given $(P, aP, bP) \in G^{3}$ for unknown randomly chosen $a, b \in Z_{q}^{*}$ , one must compute abP.

The advantage of any PPT algorithm A in solving the CDH problem in G is defined to be as follows: ${ADV}_{A}^{CDH} = \Pr [A (P, aP, bP) = abP, a, b \in Z_{q}^{*}]$ .

CDH assumption: for every PPT algorithm A, ${ADV}_{A}^{CDH}$ is negligible.

Formal definition and security model of CLGSC

Formal definition

A CLGSC scheme consists of the following six algorithms.

1. Setup: Given a security parameter $1^{k}$ , it produces a master private key s and a global public parameter Params. It is usually run by the KGC.

2. User-Key-Gen: Given a user’s identity ID and the Params, it produces a secret value $x_{ID}$ and a public key $P K_{ID}$ . It is usually run by the user.

3. Partial-Key-Gen: Given a user’s identity ID, the Params, and the master private key s, it produces a partial private key $D_{ID}$ . It is usually run by the KGC and the KGC sends $D_{ID}$ to the user securely.

4. Private-Key-Gen: Given a user’s identity ID, the Params, his or her partial private key $D_{ID}$ , and his or her secret value $x_{ID}$ , it produces a full private key $S_{ID}$ . It is usually run by the user.

5. CLGSC: Given a sender’s identity $I D_{A}$ , a receiver’s identity $I D_{B}$ , the Params, a message m, and a sender’s full private key $S_{I D_{A}}$ , it produces a CLGSC ciphertext $σ$ . It is usually run by the sender $I D_{A}$ or anyone in the encryption mode.

This algorithm can be run in three modes.

Encryption mode: if $I D_{A}$ is null and $I D_{B}$ is not, then the CLGSC ciphertext $σ$ is an encryption ciphertext.

Signature mode: if $I D_{B}$ is null and $I D_{A}$ is not, then the CLGSC ciphertext $σ$ is a signature.

Signcryption mode: if neither $I D_{A}$ nor $I D_{B}$ is null, then the CLGSC ciphertext $σ$ is a signcryption ciphertext.

6. Un-CLGSC: Given a sender’s identity $I D_{A}$ , a receiver’s identity $I D_{B}$ , the Params, a CLGSC ciphertext $σ$ , and a receiver’s full private key $S_{I D_{B}}$ , it recovers the message m in the encryption/signcryption mode or returns true in the signature mode; otherwise, it returns ⊥, indicating a decryption failure or invalid signature. It is usually run by the receiver $I D_{B}$ or anyone in the signature verification mode.

This algorithm can also be run in three modes.

Decryption mode: if $I D_{A}$ is null and $I D_{B}$ is not, it runs in this mode. The receiver $I D_{B}$ recovers the message m or outputs an invalid symbol ⊥.

Signature verification mode: if $I D_{B}$ is null and $I D_{A}$ is not, it runs in this mode. Any person can verify the signature $σ$ . If it is valid, the signature is accepted.

Un-signcryption mode: if neither $I D_{A}$ nor $I D_{B}$ is null, it runs in this mode. The receiver $I D_{B}$ recovers the message m or outputs an invalid symbol ⊥.

Note: The scheme can switch to different modes automatically. If the input of the sender’s identity $I D_{A}$ is null and the receiver’s identity $I D_{B}$ is not, it automatically runs in the encryption mode; if the input of $I D_{A}$ is not null and $I D_{B}$ is, it automatically runs in the signature mode; if the input of neither $I D_{A}$ nor $I D_{B}$ is null, it automatically runs in the signcryption mode. Both $I D_{A}$ and $I D_{B}$ being null is disallowed.

Security model

There are two types of attackers in a CLGSC scheme.¹⁰ Type I attacker $A_{I}$ does not know the master private key, but he or she can replace anyone’s public key, which models the kind of attacker other than the KGC. The type II attacker $A_{II}$ knows the master private key but he or she cannot replace anyone’s public key, which models the honest-but-curious KGC attacker. It is assumed that this type of KGC attacker produces the system parameters honestly according to the setup algorithm of the scheme. In 2007, Au et al.⁴¹ introduced a new type of KGC attack, named malicious-but-passive KGC attack. The malicious-but-passive KGC may imbed some trapdoors in the system parameters in the setup stage so as to attack the system more easily in the later stage. Such type of KGC attack is taken into account in our security model. In addition, in our security model in the signcryption mode, the insider attacks are also considered, which were first introduced by An et al.⁴⁷ in 2002. The insider attacks include the sender’s attack and the receiver’s attack. The sender may damage the confidentiality of the scheme and the receiver may damage its unforgeability. In fact, Zhang et al.’s³ security model takes into account all the above types of attacks, so does our security model.

The security of a CLGSC scheme must satisfy confidentiality under Type I and Type II attacks (in the encryption and signcryption modes), and unforgeability under Type I and Type II attacks (in the signature and signcryption modes).

There are six oracles which can be accessed by the adversaries as follows:

Partial-private-key queries.A submits an identity ID. C calls the Partial-Key-Gen algorithm to produce a partial private key $D_{ID}$ and returns $D_{ID}$ to A.

Public-Key queries.A submits an identity ID. C computes the corresponding public key $P K_{ID}$ and sends it to A.

Private-Key queries.A submits an identity ID. C computes the corresponding private key $S_{ID}$ and sends it to A.

Public-Key-Replacement queries.A submits an identity ID and a new public key $P K'_{ID}$ . C replaces the current public key ${PK}_{ID}$ with the new key $P K'_{ID}$ .

CLGSC queries.A submits two identities $I D_{A}$ and $I D_{B}$ , and a message m. C calls the CLGSC algorithm and returns the results $σ$ to A.

If $I D_{A}' s$ public key has been replaced, we require A to supply $I D_{A}' s$ secret value $x_{A}$ to make C produce correct results.

UN-CLGSC queries.A submits two identities $I D_{A}$ and $I D_{B}$ , and a ciphertext $σ$ . C calls the UN-CLGSC algorithm and returns the results to A.

If $I D_{B}' s$ public key has been replaced, we require A to supply $I D_{B}' s$ secret value $x_{B}$ to make C produce correct results.

Definition 1 (Type I confidentiality, encryption and signcryption modes)

A CLGSC scheme is said to be indistinguishability-CLGSC-adaptive chosen ciphertext attack-type I (IND-CLGSC-CCA2-I) secure if no PPT adversary $A_{I}$ has a non-negligible advantage in the following game:

Setup. Given a security parameter $1^{k}$ , challenger C runs the setup algorithm to produce the system’s parameters Params and a master private key s. C gives Params to $A_{I}$ and keeps s private.

Find stage. $A_{I}$ can make the above six oracles adaptively.

Challenge. $A_{I}$ submits two distinct messages $m_{0}$ and $m_{1}$ with equal length, a sender’s identity ${ID}_{A}^{*}$ and a receiver’s identity ${ID}_{B}^{*}$ . C randomly selects a bit $b \in {0, 1}$ and calls CLGSC algorithm on ${m_{b}, I D_{A}^{*}, I D_{B}^{*}}$ . Then, C returns the results $σ^{*}$ to $A_{I}$ .

Guess stage. $A_{I}$ can make a polynomially bounded number of queries like in the Find stage. Finally, $A_{I}$ must outputs his or her guess $b'$ . If $b' = b$ , he or she wins the game. The restrictions on $A_{I}$ are as follows:

${ID}_{B}^{*}$ cannot be null.

$A_{I}$ cannot make the private key queries for any identity if his or her public key has been replaced.

$A_{I}$ cannot make the private key query for ${ID}_{B}^{*}$ at any time.

$A_{I}$ cannot make the partial private key query for ${ID}_{B}^{*}$ if his or her public key has been replaced before the challenge stage.

In the Guess stage, $A_{I}$ cannot make a UN-CLGSC query on ${σ^{*}, {ID}_{A}^{*}, {ID}_{B}^{*}}$ unless the public key of ${ID}_{A}^{*}$ or ${ID}_{B}^{*}$ has been replaced after the Challenge stage.

$A_{I}' s$ advantage is defined as $A d v_{A_{I}}^{I N D - C L G S C - C C A 2 - I} = 2 \Pr [b^{'} = b] - 1$ .

Note. In the above Challenge stage, the sender’s identity ${ID}_{A}^{*}$ can be null. In this case, algorithm runs in encryption mode; otherwise, it runs in signcryption mode. Thus, the encryption and signcryption modes share the same game, as described above.

Definition 2 (Type II confidentiality, encryption, and signcryption modes)

A CLGSC scheme is said to be IND-CLGSC-CCA2-II secure if no PPT adversary $A_{II}$ has a non-negligible advantage in the following game:

Setup. Given a security parameter $1^{k}$ , $A_{II}$ runs the setup algorithm to produce the system’s parameters Params and a master private key s. Then he or she gives Params and s to C.

Find stage. $A_{II}$ can make Public-Key, Private-Key, CLGSC, and UN-CLGSC oracles adaptively.

Challenge. $A_{II}$ submits two distinct messages $m_{0}$ and $m_{1}$ with equal length, a sender’s identity ${ID}_{A}^{*}$ and a receiver’s identity ${ID}_{B}^{*}$ . C randomly selects a bit $b \in {0, 1}$ and calls CLGSC algorithm on ${m_{b}, I D_{A}^{*}, I D_{B}^{*}}$ . Then, C returns the results $σ^{*}$ to $A_{II}$ .

Guess stage. $A_{II}$ can make a polynomially bounded number of queries like in the Find stage. Finally, $A_{II}$ must outputs his or her guess $b'$ . If $b' = b$ , he or she wins the game. The restrictions on $A_{II}$ are as follows:

${ID}_{B}^{*}$ cannot be null.

$A_{II}$ cannot make the private key query for ${ID}_{B}^{*}$ at any time.

In the Guess stage, $A_{II}$ cannot make a UN-CLGSC query on ${σ^{*}, {ID}_{A}^{*}, {ID}_{B}^{*}}$ .

$A_{II}' s$ advantage is defined as ${Adv}_{A_{II}}^{IND - CLGSC - CCA 2 - II} = 2 \Pr [b' = b] - 1$ .

Definition 3 (Type I unforgeability, signature, and signcryption modes)

A CLGSC scheme is said to be existentially unforgeable-CLGSC-adaptive chosen message attack-type I (EUF-CLGSC-CMA-I) secure if no PPT adversary $A_{I}$ has a non-negligible advantage in the following game:

Setup. The same as in Definition 1.

Queries stage. The same as in the Find stage of Definition 1.

Forgery. Eventually, $A_{I}$ outputs a forged CLGSC ciphertext $σ^{*}$ on message $m^{*}$ with ${ID}_{A}^{*}$ as the sender and ${ID}_{B}^{*}$ as the receiver. $A_{I}$ wins the game if the output of the UN-CLGSC on ${σ^{*}, {ID}_{A}^{*}, {ID}_{B}^{*}}$ is not the symbol ⊥ and the following conditions holds.

${ID}_{A}^{*}$ cannot be null.

$A_{I}$ cannot make the private key queries for any identity if his or her public key has been replaced.

$A_{I}$ cannot make the private key query for ${ID}_{A}^{*}$ at any time.

$A_{I}$ cannot make the partial private key query for ${ID}_{A}^{*}$ if his or her public key has been replaced.

$σ^{*}$ is not the output of a CLGSC query on message $m^{*}$ with ${ID}_{A}^{*}$ as the sender and ${ID}_{B}^{*}$ as the receiver.

$A_{I}' s$ advantage is its probability of victory.

Note. In the above Forgery stage, ${ID}_{B}^{*}$ can be null. In this case, algorithm runs in signature mode; otherwise, it runs in signcryption mode. Thus, the signature and signcryption modes share the same game, as described above.

Definition 4 (Type II unforgeability, signature, and signcryption modes)

A CLGSC scheme is said to be EUF-CLGSC-CMA-II secure if no PPT adversary $A_{II}$ has a non-negligible advantage in the following game:

Setup. The same as in Definition 2.

Queries stage. The same as in the Find stage of Definition 2.

Forgery. Eventually, $A_{II}$ outputs a forged CLGSC ciphertext $σ^{*}$ on message $m^{*}$ with ${ID}_{A}^{*}$ as the sender and ${ID}_{B}^{*}$ as the receiver. $A_{II}$ wins the game if the output of the UN-CLGSC on ${σ^{*}, {ID}_{A}^{*}, {ID}_{B}^{*}}$ is not the symbol ⊥ and the following conditions holds:

${ID}_{A}^{*}$ cannot be null.

$A_{II}$ cannot make the private key query for ${ID}_{A}^{*}$ at any time.

$σ^{*}$ is not the output of a CLGSC query on message $m^{*}$ with ${ID}_{A}^{*}$ as the sender and ${ID}_{B}^{*}$ as the receiver.

$A_{II}' s$ advantage is its probability of victory.

Zhang et al.’s communication model and scheme and Zhou’s security analysis

The communication model

Zhang et al.’s communication model is depicted in Figure 2, which consists of three entities: network manager (NM), M-Health clients, and medical service providers (such as physicians). The NM is the manager of the system whose duty is to initialize the system and generate partial private key for the registered users. Suppose that at session t, the M-Health client S wants to transmit his or her PHI data to the physician H and that those clients $C_{i 1}, C_{i 2}, \dots, C_{in}$ form the D2D link. Through $C_{ij} (j = 1, 2, \dots, n)$ , the PHI data can be transmitted to the NM. Then, the NM delivers the PHI data to the physician H.

Figure 2.

Communication model of the M-Health system.

To achieve the security goal, the M-Health client first registers his or her pseudo identity S with the NM to achieve anonymity and the physician registers his or her real identity H. The NM also registers his or her real identity N. Then, S and H negotiate a symmetric key $K_{t}$ through a secure key agreement protocol. At the next session, $K_{t}$ is updated to $K_{t + 1}$ using a secure hash function to achieve forward security. To begin a transmission, S signcrypts the PHI data m to get $μ_{S}$ using $S' s$ full private key, $H' s$ public key, and the session key $K_{t}$ . S encrypts the identity S with $H' s$ public key to get $e_{H}^{S}$ and encrypts the identity H with $N' s$ public key to get $e_{N}^{H}$ . Then, S signs on $M = (μ_{S} | | e_{H}^{S} | | e_{N}^{H})$ to get $σ_{S}$ . S sends $(M | | S | | σ_{S})$ to relay $C_{i 1}$ , and $C_{i 1}$ verifies $σ_{S}$ . If it is valid, $C_{i 1}$ signs on M to get $σ_{C_{i 1}}$ and sends $(M | | C_{i 1} | | σ_{C_{i 1}})$ to relay $C_{i 2}$ . The process continues until $(M | | C_{in} | | σ_{C_{in}})$ reaches NM. NM verifies $σ_{C_{in}}$ . If it is valid, NM parses M as $(μ_{S} | | e_{H}^{S} | | e_{N}^{H})$ and decrypts $e_{N}^{H}$ to get the identity H. Then, NM signs on $(μ_{S} | | e_{H}^{S})$ to get $σ_{N}$ and sends $(μ_{S} | | e_{H}^{S} | | N | | σ_{N})$ to the physician H. When receiving $(μ_{S} | | e_{H}^{S} | | N | | σ_{N})$ , the physician H first verifies $σ_{N}$ . If it is valid, he or she decrypts $e_{H}^{S}$ to get the pseudo identity S. Then, he or she un-signcrypts the $μ_{S}$ using his or her full private key and $S' s$ public key. If it is valid, H will provide corresponding medical services.

In the above process of encryption, signature, and signcryption, we only need a generalized signcryption scheme to achieve the goal.

Zhang et al.’s original scheme

Setup: Given a security parameter $1^{k}$ , the KGC selects two primes p and q which satisfy the condition $q | (p - 1)$ and a secure elliptic curve $E (F_{p})$ . Let G be an cyclic group of order q on $E (F_{p})$ , and P be a generator of G. The KGC randomly selects $s \in Z_{q}^{*}$ as the master private key and sets $P_{pub} = sP$ as the master public key. The KGC defines three hash functions: $H_{1} : {0, 1}^{*} \times G \times G \times G \to Z_{q}^{*}$ , $H_{2} : G \times {0, 1}^{*} \times {0, 1}^{*} \to Z_{q}^{*}$ , $H_{3} : G \times G \to {0, 1}^{n}$ , where n is the bit length of a message. In addition, the KGC defines a special function f. If the identity ID is null, then $f (ID) = 0$ ; else, $f (ID) = 1$ . The system public parameters are ${p, q, E (F_{p}), G, P, P_{pub}, H_{1}, H_{2}, H_{3}, f}$ .

Key-Generation:

A user $I D_{i}$ randomly selects $x_{i} \in Z_{q}^{*}$ as his or her secret value and computes his or her partial public key as $X_{i} = x_{i} \cdot P$ .

The user sends $(I D_{i}, X_{i})$ to the KGC.

The KGC randomly selects $y_{i} \in Z_{q}^{*}$ and computes $Y_{i} = y_{i} \cdot P$ , $z_{i} = y_{i} + s \cdot H_{1} (I D_{i}, Y_{i}, X_{i}, P_{pub})$ . $z_{i}$ is sent to the user secretly. $z_{i}$ can be checked by equation $z_{i} \cdot P = Y_{i} + H_{1} (I D_{i}, Y_{i}, X_{i}, P_{pub}) \cdot P_{pub}$ by the user.

The user’s full public key is $(X_{i}, Y_{i})$ and full private key is $(x_{i}, z_{i})$ . The KGC publishes the public key $(X_{i}, Y_{i})$ of $I D_{i}$ in a public directory.

CLGSC: Let $I D_{A}$ be the sender, $I D_{B}$ be the receiver, and m be the message. $I D_{A}$ does the following:

Computes $f (I D_{A})$ , $f (I D_{B})$ ;

Randomly chooses $r \in Z_{q}^{*}$ , and computes $h_{1} = H_{1} (I D_{B}, Y_{B}, X_{B}, P_{pub})$ , $v_{1} = r \cdot X_{B}, F_{1} =$ $r \cdot P$ , $h_{2} = f (I D_{A}) \cdot H_{2} (F_{1}, I D_{A}, m) + f (I D_{B}) \cdot H_{2} (v_{1}, I D_{B}, m)$ , $f_{2} = r \cdot f (I D_{A}) / (x_{A} + z_{A} + h_{2})$ ;

Computes $v_{2} = r \cdot (Y_{B} + h_{1} \cdot P_{pub})$ and $c = (H_{3} (v_{1}, v_{2}) \cdot f (I D_{B})) \oplus m$ ;

Returns $σ = (F_{1}, f_{2}, h_{2}, c)$ as the ciphertext.

UN-CLGSC: Given a generalized signcryption ciphertext $σ = (F_{1}, f_{2}, h_{2}, c)$ . The verifier $I D_{B}$ does the following:

Computes $f (I D_{A})$ , $f (I D_{B})$ ;

Computes $h_{1} = H_{1} (I D_{A}, Y_{A}, X_{A}, P_{pub})$ , $v_{1} = x_{B} \cdot F_{1}$ , $v_{2} = z_{B} \cdot F_{1}$ , and $m = (H_{3} (v_{1}, v_{2}) \cdot f (I D_{B})) \oplus c$ ;

The verifier checks whether $H_{2} (f_{2} \cdot (X_{A} + Y_{A} + h_{1} \cdot P_{pub} + h_{2} \cdot P), I D_{A}, m) \cdot f (I D_{A}) + H_{2} (v_{1}, I D_{B}, m) \cdot f (I D_{B}) = h_{2}$ holds true. If it does, the verifier accepts it.

Cryptanalysis of the above scheme

Insider attack (signcryption mode): Zhou¹³ gave two attacks to scheme [3], which are as follows. According to the IND-CLGSC-CCA2-I game of Definition 1, in the Find stage, an attacker makes no oracle queries. In the Challenge stage, an attacker chooses to give two different messages $m_{0}$ and $m_{1}$ , a sender’s identity ${ID}_{A}^{*}$ , and a receiver’s identity ${ID}_{B}^{*}$ to the challenger. The challenger returns a challenge ciphertext $σ^{*} = (F_{1}^{*}, f_{2}^{*}, h_{2}^{*}, c^{*})$ . In the Guess stage, the attacker makes a private key query of ${ID}_{A}^{*}$ to get $(x_{A}^{*}, z_{A}^{*})$ . Then, he or she computes $r^{*} = f_{2}^{*} \cdot (x_{A}^{*} + z_{A}^{*} + h_{2}^{*})$ . With $r^{*}$ , he or she can compute $h_{1}^{*} = H_{1} ({ID}_{B}^{*}, Y_{B}^{*}, X_{B}^{*}, P_{pub})$ , $v_{1}^{*} = r^{*} \cdot X_{B}^{*}$ , and $v_{2}^{*} = r^{*} \cdot (Y_{B}^{*} + h_{1}^{*} \cdot P_{pub})$ . Thus, he or she can recover the message $m = H_{3} (v_{1}^{*}, v_{2}^{*}) \oplus c^{*}$ . The attack does not violate the restrictions of IND-CLGSC-CCA2-I game of Definition 1. The attacker wins the IND-CLGSC-CCA2-I game of Definition 1 with probability 1.

In addition, after computing $r^{*} = f_{2}^{*} \cdot (x_{A}^{*} + z_{A}^{*} + h_{2}^{*})$ , the attacker can also do the following to attack the confidentiality of the scheme. The attacker selects another identity $I D'_{A}$ . He or she makes a private key query of $I D'_{A}$ to get $(x'_{A}, z'_{A})$ in the Guess stage. He or she computes $v'_{1} = r^{*} \cdot X_{B}^{*}$ , $h'_{2} = H_{2} (F_{1}^{*}, I D'_{A}, m_{0}) + H_{2} (v'_{1}, {ID}_{B}^{*}, m_{0})$ , and $f'_{2} = r^{*} / (x'_{A} + z'_{A} + h'_{2})$ . Then, he or she makes an UN-CLGSC query for $σ' = (F_{1}^{*}, f'_{2}, h'_{2}, c^{*})$ in the Guess stage. If the challenger returns $m_{0}$ , then $m_{b} = m_{0}$ . If the challenger returns ⊥, then $m_{b} = m_{1}$ . Thus, he or she can guess the bit b successfully. The attacker wins the IND-CLGSC-CCA2-I game of Definition 1 with probability 1.

An improved CLGSC scheme

The CLGSC algorithm of Zhang et al.’s scheme uses only one ephemeral variable, so the ephemeral variable can be calculated by an inside attacker. However, our improved scheme uses two ephemeral variables in the CLGSC algorithm. The details are as follows. In addition, to prevent some potential attacks, we incorporate many elements into the calculation of hash functions:

Setup: Given a security parameter $1^{k}$ , the KGC selects two primes p and q which satisfy the condition $q | (p - 1)$ and a secure elliptic curve $E (F_{p})$ . Let G be an cyclic group of order q on $E (F_{p})$ , and P be a generator of G. The KGC randomly selects $s \in Z_{q}^{*}$ as the master private key and sets $P_{pub} = sP$ as the master public key. The KGC defines five hash functions: $H_{1}, H_{2}, H_{3}, H_{4} : {0, 1}^{*} \to Z_{q}^{*}, H_{5} : {0, 1}^{*} \to {0, 1}^{m} \times Z_{q}^{*}$ , where m represents the bit length of a message. In addition, the KGC defines a special function f. If the identity ID is null then $f (ID) = 0$ ; else, $f (ID) = 1$ . The system public parameters are ${p, q, E (F_{p}), G, P, P_{pub}, H_{1}, H_{2}, H_{3}, H_{4}, H_{5}, f}$ .

User-Key-Gen: A user ID randomly selects $x_{ID} \in Z_{q}^{*}$ as his or her secret value and computes his or her public key as $X_{ID} = x_{ID} \cdot P$ .

Partial-Key-Gen: Given a user’s identity ID, the KGC randomly selects $y_{ID} \in Z_{q}^{*}$ and computes $Y_{ID} = y_{ID} \cdot P$ , $z_{ID} = y_{ID} + s \cdot H_{1} (ID, Y_{ID}, P_{pub}) modq$ . KGC broadcasts $Y_{ID}$ and sends $z_{ID}$ to the user secretly. $z_{ID}$ can be checked by equation $z_{ID} \cdot P = Y_{ID} + H_{1} (ID, Y_{ID}, P_{pub}) \cdot P_{pub}$ by the user.

Private-Key-Gen: The user ID sets his or her full private key as $(x_{ID}, z_{ID})$ .

CLGSC: Let $I D_{A}$ be the sender, $I D_{B}$ be the receiver, and m be the message. $I D_{A}$ computes $f (I D_{A})$ and $f (I D_{B})$ . He or she randomly chooses $r_{1}, r_{2} \in Z_{q}^{*}$ and computes $F_{1} = r_{1} \cdot P$ , $F_{2} = r_{2} \cdot P$ , $h_{2} = H_{2} (F_{1}, F_{2}, I D_{A}, X_{I D_{A}}, Y_{I D_{A}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}}, m)$ , $h_{3} = H_{3} (F_{1}, F_{2}, I D_{A}, X_{I D_{A}}, Y_{I D_{A}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}}, m)$ , $h_{4} = H_{4} (F_{1}, F_{2}, I D_{A}, X_{I D_{A}}, Y_{I D_{A}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}}, m)$ , and $f_{2} = f (I D_{A}) \cdot (x_{I D_{A}} \cdot h_{2} + z_{I D_{A}} \cdot h_{3}) + r_{1} \cdot h_{4} + r_{2} mod q$ . Then, he or she computes $h_{1} = H_{1} (I D_{B}, Y_{I D_{B}}, P_{pub})$ , $V_{1} = r_{1} \cdot X_{I D_{B}}$ , $V_{2} = r_{1} \cdot (Y_{I D_{B}} + h_{1} \cdot P_{pub})$ , and $c = f (I D_{B}) \cdot H_{5} (F_{1}, F_{2}, V_{1}, V_{2}, I D_{A}, X_{I D_{A}}, Y_{I D_{A}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}}) \oplus (m | | f_{2})$ . The ciphertext is $σ = (F_{1}, F_{2}, c)$ .

This algorithm can be run in three modes. We add a tag in the ciphertext:

Encryption mode. If $I D_{A}$ is null and $I D_{B}$ is not, then $f (I D_{A}) = 0$ and $f (I D_{B}) = 1$ . The ciphertext $σ = (F_{1}, F_{2}, c, tag = 1)$ is an encryption ciphertext. In this case, both $X_{I D_{A}}$ and $Y_{I D_{A}}$ are set to the infinite point $\infty$ on $E (F_{p})$ , and both $x_{I D_{A}}$ and $z_{I D_{A}}$ are set to zero. And in this case, $f_{2} = r_{1} \cdot h_{4} + r_{2} mod q$ .

Signature mode. If $I D_{B}$ is null and $I D_{A}$ is not, then $f (I D_{A}) = 1$ and $f (I D_{B}) = 0$ . The ciphertext $σ = (F_{1}, F_{2}, c, tag = 2)$ is a signature. In this case, both $X_{I D_{B}}$ and $Y_{I D_{B}}$ are set to the infinite point $\infty$ on $E (F_{p})$ . And in this case, $c = m | | f_{2}$ .

Signcryption mode. If neither $I D_{A}$ nor $I D_{B}$ is null, then $f (I D_{A}) = 1$ and $f (I D_{B}) = 1$ . The ciphertext $σ = (F_{1}, F_{2}, c, tag = 3)$ is a signcryption ciphertext.

UN-CLGSC: Given a generalized signcryption ciphertext $σ = (F_{1}, F_{2}, c, tag)$ , the verifier $I D_{B}$ computes $f (I D_{A})$ , $f (I D_{B})$ , $V_{1} = x_{I D_{B}} \cdot F_{1}$ , $V_{2} = z_{I D_{B}} \cdot F_{1}$ , and $m | | f_{2} = f (I D_{B}) \cdot H_{5} (F_{1}, F_{2}, V_{1}, V_{2}, I D_{A}, X_{I D_{A}}, Y_{I D_{A}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}}) \oplus c$ and then computes $h_{1} = H_{1} (I D_{A}, Y_{I D_{A}}, P_{pub})$ , $h_{2} = H_{2} (F_{1}, F_{2}, I D_{A}, X_{I D_{A}}, Y_{I D_{A}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}}, m)$ , $h_{3} = H_{3} (F_{1}, F_{2}, I D_{A}, X_{I D_{A}}, Y_{I D_{A}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}}, m)$ , and $h_{4} = H_{4} (F_{1}, F_{2}, I D_{A}, X_{I D_{A}}, Y_{I D_{A}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}}, m)$ . He or she verifies whether $f_{2} \cdot P = f (I D_{A}) \cdot (X_{I D_{A}} \cdot h_{2} + (Y_{I D_{A}} + h_{1} \cdot P_{p u b}) \cdot h_{3}) + F_{1} \cdot h_{4} + F_{2}$ holds true. If it does, he or she accepts it; else, he or she rejects it.

This algorithm can also be run in three modes:

Decryption mode. This mode applies if $tag = 1$ . The verification equation becomes $f_{2} \cdot P = F_{1} \cdot h_{4} + F_{2}$ . In this case, both $X_{I D_{A}}$ and $Y_{I D_{A}}$ are set to the infinite point $\infty$ on $E (F_{p})$ .

Signature verification mode. This mode applies if $tag = 2$ . In this case, both $X_{I D_{B}}$ and $Y_{I D_{B}}$ are set to the infinite point $\infty$ on $E (F_{p})$ , and both $x_{I D_{B}}$ and $z_{I D_{B}}$ are set to zero.

Un-signcryption mode. This mode applies if $tag = 3$ .

Note: Based on the above CLGSC scheme, a lightweight secure data transmission protocol for the M-Health system can also be constructed, just like the one based on Zhang et al.’s scheme.³ We suggest the readers refer to scheme [3] for a more detailed description of the protocol.

Security and efficiency analyses

In this section, we analyze the security and efficiency of our improved scheme.

Confidentiality

Theorem 1 (Type I confidentiality)

In the random oracle model, if there is a PPT adversary $A_{I}$ with a non-negligible advantage $ε$ against the IND-CLGSC-CCA2-I security of the scheme running in the encryption or signcryption mode in time t and performing at most $q_{H_{i}} H_{i} (i = 1, 2, 3, 4, 5)$ queries, $q_{p - p - k}$ partial-private-key queries, $q_{p - k}$ private-key queries, $q_{CLGSC}$ CLGSC queries, and $q_{Un - CLGSC}$ Un-CLGSC queries, then the CDH problem can be solved with probability $ε^{'} \geq ε \cdot 1 / q_{H_{1}} \cdot {(1 - 1 / q_{H_{1}})}^{q_{p - p - k}} \cdot {(1 - 1 / q_{H_{1}})}^{q_{p - k}} \cdot (1 - q_{U n - C L G S C} / 2^{k})$ in time $t' < t + (5 \cdot q_{CLGSC} + 7 \cdot q_{Un - CLGSC}) \cdot t_{m}$ , where $t_{m}$ denotes the time for a scalar multiplication on G.

Proof

Suppose that challenger C is given $(P, aP, bP) \in G^{3}$ for random $a, b \in Z_{q}^{*}$ . C does not know the values of a and b and is asked to compute abP. To utilize adversary $A_{I}$ , challenger C will simulate all the oracles as in the Find stage:

Setup: C sets $P_{pub} = aP$ . Other public parameters are produced normally. C gives the system public parameters $Params = {p, q, E (F_{p}), G, P, P_{pub}, H_{1}, H_{2}, H_{3}, H_{4}, H_{5}, f}$ to $A_{I}$ and maintains seven lists $L_{1}$ , $L_{2}$ , $L_{3}$ , $L_{4}$ , $L_{5}$ , $L_{k_{1}}$ , and $L_{k_{2}}$ , which are initially empty. C randomly selects $λ \in {1, 2, \dots, q_{H_{1}}}$ .

Find stage: $A_{I}$ makes queries to the following oracles adaptively:

$H_{1}$ query: $A_{I}$ supplies a tuple $(ID, Y_{ID}, P_{pub})$ . C first checks list $L_{1}$ to see whether it contains the item $(ID, Y_{ID}, P_{pub}, h_{1})$ . If it does, C returns $h_{1}$ . Otherwise, C randomly selects $h_{1} \in Z_{q}^{*}$ and repeats the process until $h_{1}$ is not in list $L_{1}$ . C stores the tuple $(ID, Y_{ID}, P_{pub}, h_{1})$ in list $L_{1}$ and returns $h_{1}$ to $A_{I}$ .

$H_{i} (i = 2, 3, 4)$ query: $A_{I}$ supplies a tuple $(F_{1}, F_{2}, I D_{A}, X_{I D_{A}}, Y_{I D_{A}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}}, m)$ . C first checks list $L_{i} (i = 2, 3, 4)$ to see whether it contains the item $(F_{1}, F_{2}, I D_{A}, X_{I D_{A}}, Y_{I D_{A}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}}, m, h_{i}) (i = 2, 3, 4)$ . If it does, C returns $h_{i}$ . Otherwise, C randomly selects $h_{i} \in Z_{q}^{*}$ and repeats the process until $h_{i}$ is not in list $L_{i}$ . C stores the tuple $(F_{1}, F_{2}, I D_{A}, X_{I D_{A}}, Y_{I D_{A}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}}, m, h_{i})$ in list $L_{i}$ and returns $h_{i}$ to $A_{I}$ .

$H_{5}$ query: $A_{I}$ supplies a tuple $(F_{1}, F_{2}, V_{1}, V_{2}, I D_{A}, X_{I D_{A}}, Y_{I D_{A}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}})$ . C first checks list $L_{5}$ to see whether it contains the item $(F_{1}, F_{2}, V_{1}, V_{2}, I D_{A}, X_{I D_{A}}, Y_{I D_{A}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}}, h_{5})$ . If it does, C returns $h_{5}$ . Otherwise, C randomly selects $h_{5} \in {0, 1}^{m} \times Z_{q}^{*}$ and repeats the process until $h_{5}$ is not in list $L_{5}$ . C stores the item $(F_{1}, F_{2}, V_{1}, V_{2}, I D_{A}, X_{I D_{A}}, Y_{I D_{A}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}}, h_{5})$ in list $L_{5}$ and returns $h_{5}$ to $A_{I}$ .

Partial-private-key query: $A_{I}$ provides an identity ID:

$ID \neq I D_{λ}$ . C first checks list $L_{k_{2}}$ to see whether it contains the item $(ID, Y_{ID}, -, z_{ID})$ . If it does, C returns $z_{ID}$ . Otherwise, C randomly selects $z_{ID}, h_{1} \in Z_{q}^{*}$ and computes $Y_{ID} = z_{ID} \cdot P - h_{1} \cdot P_{pub}$ . C inserts the tuple $(ID, Y_{ID}, P_{pub}, h_{1})$ into list $L_{1}$ . If there is a collision in list $L_{1}$ , C re-chooses $z_{ID}, h_{1} \in Z_{q}^{*}$ and repeats the process again. C inserts the tuple $(ID, Y_{ID}, -, z_{ID})$ into list $L_{k_{2}}$ and returns $(z_{ID}, Y_{ID})$ .

2. $ID = I D_{λ}$ . C aborts.

Public-key query: $A_{I}$ provides an identity ID.C first checks list $L_{k_{1}}$ to see whether it contains the item $(ID, X_{ID}, x_{ID})$ . If it does, C returns $X_{ID}$ . Otherwise, C randomly selects $x_{ID} \in Z_{q}^{*}$ as the secret value and computes $X_{ID} = x_{ID} \cdot P$ . C inserts the tuple $(ID, X_{ID}, x_{ID})$ into list $L_{k_{1}}$ and returns $X_{ID}$ .

Public-key-replacement query: $A_{I}$ provides an identity ID and a new public key $X'_{ID}$ ; C replaces the old public key $X_{ID}$ with the new one $X'_{ID}$ and updates list $L_{k_{1}}$ into $(ID, X'_{ID}, -)$ .

Private-key query: $A_{I}$ provides an identity ID:

$ID \neq I D_{λ}$ . C retrieves $x_{ID}$ and $z_{ID}$ from list $L_{k_{1}}$ and $L_{k_{2}}$ , respectively (if they do not exist in list $L_{k_{1}}$ or $L_{k_{2}}$ , C makes public-key or partial-private-key query first). Then, C returns them to $A_{I}$ .

$ID = I D_{λ}$ . C aborts.

Note: If $ID' s$ public key has been replaced by $A_{I}$ , then $A_{I}$ is not allowed to query this oracle.

CLGSC query: $A_{I}$ provides two identities ${I D_{A}, I D_{B}}$ (one of them may be null) and a message m. If $I D_{A}$ is null, then it is equal to an encryption oracle, which just needs public parameters. Otherwise, we consider two cases:

$I D_{A} \neq I D_{λ}$ . C runs the CLGSC algorithm as normal because C can get the private key $(x_{I D_{A}}, z_{I D_{A}})$ of $I D_{A}$ .

$I D_{A} = I D_{λ}$ . C first checks list $L_{k_{2}}$ to see whether it contains the item $(I D_{λ}, Y_{I D_{λ}}, y_{I D_{λ}}, -)$ . If it does, C retrieves $Y_{I D_{λ}}$ . Otherwise, C randomly selects $y_{I D_{λ}} \in Z_{q}^{*}$ and computes $Y_{I D_{λ}} = y_{I D_{λ}} \cdot P$ . C inserts the tuple $(I D_{λ}, Y_{I D_{λ}}, y_{I D_{λ}}, -)$ into list $L_{k_{2}}$ . Then, C retrieves $x_{I D_{λ}}$ , $X_{I D_{λ}}$ , $X_{I D_{B}}$ , and $Y_{I D_{B}}$ from the corresponding lists.

C randomly chooses $r_{1}, t_{2}, h_{3} \in Z_{q}^{*}$ and computes $F_{1} = r_{1} \cdot P$ , $F_{2} = t_{2} \cdot P - (Y_{I D_{λ}} + H_{1} (I D_{λ}, Y_{I D_{λ}}, P_{p u b}) \cdot P_{p u b}) \cdot h_{3}$ , $h_{2} = H_{2} (F_{1}, F_{2}, I D_{λ}, X_{I D_{λ}}, Y_{I D_{λ}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}}, m)$ , $h_{4} = H_{4} (F_{1}, F_{2}, I D_{λ}, X_{I D_{λ}}, Y_{I D_{λ}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}}, m)$ , and $f_{2} = x_{I D_{λ}} \cdot h_{2} + r_{1} \cdot h_{4} + t_{2} mod q$ . Then, he or she com-putes $h_{1} = H_{1} (I D_{B}, Y_{I D_{B}}, P_{pub})$ , $V_{1} = r_{1} \cdot X_{I D_{B}}$ , $V_{2} = r_{1} \cdot (Y_{I D_{B}} + h_{1} \cdot P_{pub})$ , and $c = f (I D_{B}) \cdot H_{5} (F_{1}, F_{2}, V_{1}, V_{2}, I D_{λ}, X_{I D_{λ}}, Y_{I D_{λ}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}}) \oplus (m | | f_{2})$ . C inserts the tuple $(F_{1}, F_{2}, I D_{λ}, X_{I D_{λ}}, Y_{I D_{λ}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}}, m, h_{3})$ into list $L_{3}$ . If there is a collision, C re-chooses $r_{1}, t_{2}, h_{3} \in Z_{q}^{*}$ and repeats the process again. Finally, C returns $σ = (F_{1}, F_{2}, c)$ and $Y_{I D_{λ}}$ to $A_{I}$ .

Note: If $I D_{A}' s$ public key has been replaced by $A_{I}$ , then $A_{I}$ must supply the corresponding secret value.

Un-CLGSC query: $A_{I}$ provides two identities ${I D_{A}, I D_{B}}$ (one of them may be null) and a ciphertext $σ$ . If $I D_{B}$ is null, it is equal to a signature verification oracle, which just needs public parameters. Otherwise, we consider two cases:

$I D_{B} \neq I D_{λ}$ . C runs the Un-CLGSC algorithm as normal because C can get the private key $(x_{I D_{B}}, z_{I D_{B}})$ of $I D_{B}$ .

$I D_{B} = I D_{λ}$ . C does not know the partial private key of $I D_{B}$ . C starts from the first item of list $L_{5}$ to compute $m | | f_{2} = h_{5} \oplus c$ and verifies whether the equation $f_{2} \cdot P = f (I D_{A}) \cdot (X_{I D_{A}} \cdot h_{2} + (Y_{I D_{A}} + h_{1} \cdot P_{pub}) \cdot h_{3}) + F_{1} \cdot h_{4} + F_{2}$ holds true, where $h_{1} = H_{1} (I D_{A}, Y_{I D_{A}}, P_{pub})$ , $h_{2} = H_{2} (F_{1}, F_{2}, I D_{A}, X_{I D_{A}}, Y_{I D_{A}}, I D_{λ}, X_{I D_{λ}}, Y_{I D_{λ}}, m)$ , $h_{3} = H_{3} (F_{1}, F_{2}, I D_{A}, X_{I D_{A}}, Y_{I D_{A}}, I D_{λ}, X_{I D_{λ}}, Y_{I D_{λ}}, m)$ , and $h_{4} = H_{4} (F_{1}, F_{2}, I D_{A}, X_{I D_{A}}, Y_{I D_{A}}, I D_{λ}, X_{I D_{λ}}, Y_{I D_{λ}}, m)$ . The required values of the above computations can be obtained from the corresponding lists. If the equation holds true, C returns the message m; else, C moves to the next item of list $L_{5}$ and repeats the process again. If no message returns when C traverses all the items in list $L_{5}$ , C returns ⊥.

Note: If $I D_{B}' s$ public key has been replaced by $A_{I}$ , then $A_{I}$ must supply the corresponding secret value.

Challenge stage: $A_{I}$ chooses two different messages $(m_{0}, m_{1})$ with equal length and two challenge identities $({ID}_{A}^{*}, {ID}_{B}^{*})$ ( ${ID}_{A}^{*}$ may be null). If ${ID}_{B}^{*} \neq I D_{λ}$ , C aborts. Otherwise, C randomly chooses a bit $η$ and randomly chooses $t_{2}, h_{4}^{*} \in Z_{q}^{*}$ . C sets $F_{1}^{*} = bP$ . C randomly chooses $V_{1}^{*}, V_{2}^{*} \in G$ . C computes $F_{2}^{*} = t_{2} . P - (bP) \cdot h_{4}^{*}$ , $h_{2}^{*} = H_{2} (F_{1}^{*}, F_{2}^{*}, {ID}_{A}^{*}, X_{I D_{A}}^{*}, Y_{I D_{A}}^{*}, {ID}_{λ}, X_{I D_{λ}}, Y_{I D_{λ}}, m_{η})$ , $h_{3}^{*} = H_{3} (F_{1}^{*}, F_{2}^{*}, {ID}_{A}^{*}, X_{I D_{A}}^{*}, Y_{I D_{A}}^{*}, {ID}_{λ}, X_{I D_{λ}}, Y_{I D_{λ}}, m_{η})$ , $f_{2}^{*} = f (I D_{A}^{*}) \cdot (x_{I D_{A}}^{*} \cdot h_{2}^{*} + z_{I D_{A}}^{*} \cdot h_{3}^{*}) + t_{2} \mod q$ , and $c^{*} = H_{5} (F_{1}^{*}, F_{2}^{*}, V_{1}^{*}, V_{2}^{*}, {ID}_{A}^{*}, X_{I D_{A}}^{*}, Y_{I D_{A}}^{*}, {ID}_{λ}, X_{{ID}_{λ}}, Y_{{ID}_{λ}}) \oplus (m_{η} | | f_{2}^{*})$ . The required values of the above computations can be obtained by querying associated oracles. C inserts the tuple $(F_{1}^{*}, F_{2}^{*}, {ID}_{A}^{*}, X_{I D_{A}}^{*}, Y_{I D_{A}}^{*}, {ID}_{λ}, X_{I D_{λ}}, Y_{I D_{λ}}, m_{η}, h_{4}^{*})$ into list $L_{4}$ . If there is a collision, C re-chooses $t_{2}, h_{4}^{*} \in Z_{q}^{*}$ and repeats the process again and returns the challenge ciphertext $σ^{*} = (F_{1}^{*}, F_{2}^{*}, c^{*})$ to $A_{I}$ .

Note: If ${ID}_{A}^{*}' s$ public key has been replaced by $A_{I}$ , then $A_{I}$ must supply the corresponding secret value.

Guess stage: $A_{I}$ can make the same queries adaptively as in the Find stage with the restriction that $A_{I}$ does not make an Un-CLGSC query on the challenge ciphertext $σ^{*}$ under ${ID}_{A}^{*}$ and ${ID}_{B}^{*}$ unless the public key of ${ID}_{A}^{*}$ or ${ID}_{B}^{*}$ has been replaced after the Challenge stage.

Finally, $A_{I}$ must give his or her guess $η'$ . $A_{I}$ cannot discover that $σ^{*}$ is not a valid ciphertext unless he or she asks $H_{5}$ oracle with the tuple $(F_{1}^{*}, F_{2}^{*}, V_{1}^{*}, V_{2}^{*}, {ID}_{A}^{*}, X_{I D_{A}}^{*}, Y_{I D_{A}}^{*}, {ID}_{λ}, X_{I D_{λ}}, Y_{I D_{λ}})$ , where $V_{1}^{*} = x_{I D_{λ}} \cdot (bP)$ , $V_{2}^{*} = (y_{I D_{λ}} \cdot bP) + h_{1}^{*} \cdot (abP)$ , and $h_{1}^{*} = H_{1} (I D_{λ}, Y_{I D_{λ}}, P_{pub})$ . If this happens, the CDH problem can be solved by computing $abP = (h_{1}^{*})^{- 1} \cdot (V_{2}^{*} - y_{I D_{λ}} \cdot (bP))$ , where $y_{I D_{λ}}$ can be retrieved from list $L_{k_{2}}$ .

Now we assess the probability of success. In the Challenge stage, the probability of ${ID}_{B}^{*} = I D_{λ}$ is $1 / q_{H_{1}}$ . In both the partial-private-key and private-key queries, the probability of C querying with $I D_{λ}$ is $1 / q_{H_{1}}$ . In the UN-CLGSC stage, the probability of C refuging the right ciphertext is less than $q_{Un - CLGSC} / 2^{k}$ .

In terms of time complexity, CLGSC and Un-CLGSC queries need 5 and 7 $t_{m}$ computations, respectively.

Note: $A_{I}$ is allowed to query the full private key $S_{I D_{A}}^{*}$ in the Find and the Guess stages, considering the inside attacker ${ID}_{A}^{*}$ may damage the security of the scheme.

Theorem 2 (Type II confidentiality)

In the random oracle model, if there is a PPT adversary $A_{II}$ with a non-negligible advantage $ε$ against the IND-CLGSC-CCA2-II security of the scheme running in the encryption or signcryption mode in time t and performing at most $q_{H_{i}} H_{i} (i = 1, 2, 3, 4, 5)$ queries, $q_{p - k}$ private-key queries, $q_{CLGSC}$ CLGSC queries, and $q_{Un - CLGSC}$ Un-CLGSC queries, then the CDH problem can be solved with probability $ε' \geq ε \cdot 1 / q_{H_{1}} \cdot (1 - 1 / q_{H_{1}})^{q_{p - k}} \cdot (1 - q_{Un - CLGSC} / 2^{k})$ in time $t' < t + (5 \cdot q_{CLGSC} + 7 \cdot q_{Un - CLGSC}) \cdot t_{m}$ , where $t_{m}$ denotes the time for a scalar multiplication on G.

Proof

Suppose that challenger C is given $(P, aP, bP) \in G^{3}$ for random $a, b \in Z_{q}^{*}$ . C does not know the values of a and b and is asked to compute abP. To utilize adversary $A_{II}$ , challenger C will simulate all the oracles as in the Find stage:

Setup: $A_{II}$ randomly selects $s \in Z_{q}^{*}$ as the master private key and computes the master public key as $P_{pub} = sP$ . Other public parameters are produced normally. $A_{II}$ gives the system public parameters $P a r a m s = {p, q, E (F_{p}), G, P, P_{p u b}, H_{1}, H_{2}, H_{3}, H_{4}, H_{5}, f}$ and s to C. C maintains seven lists $L_{1}$ , $L_{2}$ , $L_{3}$ , $L_{4}$ , $L_{5}$ , $L_{k_{1}}$ , and $L_{k_{2}}$ , which are initially empty. C randomly selects $λ \in {1, 2, \dots, q_{H_{1}}}$ .

Find stage: $A_{II}$ makes queries to the following oracles adaptively: $H_{1}$ , $H_{2}$ , $H_{3}$ , $H_{4}$ , $H_{5}$ , Un-CLGSC queries, and Challenge stage are all the same as in Theorem 1. $A_{II}$ does not need to make public-key-replacement and partial-private-key queries.

Public-key query: $A_{II}$ provides an identity ID:

$ID \neq I D_{λ}$ . C first checks list $L_{k_{1}}$ to see whether it contains the item $(ID, X_{ID}, x_{ID})$ . If it does, C returns $X_{ID}$ . Otherwise, C randomly selects $x_{ID} \in Z_{q}^{*}$ as the secret value and computes $X_{ID} = x_{ID} \cdot P$ . C inserts the tuple $(ID, X_{ID}, x_{ID})$ into list $L_{k_{1}}$ and returns $X_{ID}$ .

$ID = I D_{λ}$ . C sets $X_{ID} = aP$ . Then, it inserts the tuple $(ID, X_{ID}, -)$ into list $L_{k_{1}}$ and returns $X_{ID}$ .

Private-key query: $A_{II}$ provides an identity ID.C first checks list $L_{k_{2}}$ to see whether it contains the item $(ID, Y_{ID}, y_{ID}, z_{ID})$ . If it does, C retrieves $z_{ID}$ . Otherwise, C randomly selects $y_{ID} \in Z_{q}^{*}$ . Then, C computes $Y_{ID} = y_{ID} \cdot P$ and $z_{ID} = y_{ID} + s \cdot H_{1} (ID, Y_{ID}, P_{pub})$ . And then, C inserts the tuple $(ID, Y_{ID}, y_{ID}, z_{ID})$ into list $L_{k_{2}}$ :

$ID \neq I D_{λ}$ . C retrieves $x_{ID}$ from list $L_{k_{1}}$ (if it does not exist in list $L_{k_{1}}$ , then C makes the public-key query first). Then, C returns $(x_{ID}, z_{ID})$ and $Y_{ID}$ to $A_{II}$ .

$ID = I D_{λ}$ . C aborts.

CLGSC query: $A_{II}$ provides two identities ${I D_{A}, I D_{B}}$ (one of them may be null) and a message m. If $I D_{A}$ is null, then it is equal to an encryption oracle, which just needs public parameters. Otherwise, we consider two cases:

$I D_{A} \neq I D_{λ}$ . C runs the CLGSC algorithm as normal because C can get the full private key $(x_{I D_{A}}, z_{I D_{A}})$ of $I D_{A}$ .

$I D_{A} = I D_{λ}$ . C retrieves $z_{I D_{λ}}$ , $X_{I D_{λ}}$ , $Y_{I D_{λ}}$ , $X_{I D_{B}}$ , and $Y_{I D_{B}}$ from corresponding lists.

C randomly chooses $r_{1}, t_{2}, h_{2} \in Z_{q}^{*}$ and computes $F_{1} = r_{1} \cdot P$ , $F_{2} = t_{2} \cdot P - X_{I D_{λ}} \cdot h_{2}$ , $h_{3} = H_{3} (F_{1}, F_{2}, I D_{λ}, X_{I D_{λ}}, Y_{I D_{λ}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}}, m)$ , $h_{4} = H_{4} (F_{1}, F_{2}, I D_{λ}, X_{I D_{λ}}, Y_{I D_{λ}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}}, m)$ , and $f_{2} = z_{I D_{λ}} \cdot h_{3} + r_{1} \cdot h_{4} + t_{2} mod q$ . Then, he or she computes $h_{1} = H_{1} (I D_{B}, Y_{I D_{B}}, P_{pub})$ , $V_{1} = r_{1} \cdot X_{I D_{B}}$ , $V_{2} = r_{1} \cdot (Y_{I D_{B}} + h_{1} \cdot P_{pub})$ , $c = f (I D_{B}) \cdot H_{5} (F_{1}, F_{2}, V_{1}, V_{2}, I D_{λ}, X_{I D_{λ}}, Y_{I D_{λ}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}}) \oplus (m | | f_{2})$ . C inserts the tuple $(F_{1}, F_{2}, I D_{λ}, X_{I D_{λ}}, Y_{I D_{λ}}, I D_{B}, X_{I D_{B}}, Y_{I D_{B}}, m, h_{2})$ into list $L_{2}$ . If there is a collision, C re-chooses $r_{1}, t_{2}, h_{2} \in Z_{q}^{*}$ and repeats the process again. Finally, C returns $σ = (F_{1}, F_{2}, c)$ and $Y_{I D_{λ}}$ to $A_{II}$ .

Guess stage: $A_{II}$ can make the same queries adaptively as in the Find stage with the restriction that $A_{II}$ does not make an Un-CLGSC query on the challenge ciphertext $σ^{*}$ under ${ID}_{A}^{*}$ and ${ID}_{B}^{*}$ . Finally, $A_{II}$ must give his or her guess $η^{'}$ . $A_{II}$ cannot discover that $σ^{*}$ is not a valid ciphertext unless he or she asks $H_{5}$ oracle with the tuple $(F_{1}^{*}, F_{2}^{*}, V_{1}^{*}, V_{2}^{*}, {ID}_{A}^{*}, X_{I D_{A}}^{*}, Y_{I D_{A}}^{*}, {ID}_{λ}, X_{I D_{λ}}, Y_{I D_{λ}})$ , where $V_{1}^{*} = abP, V_{2}^{*} =$ $(y_{I D_{λ}} + s \cdot H_{1} ({ID}_{λ}, Y_{I D_{λ}}, P_{pub})) (bP)$ . If this happens, C outputs $V_{1}^{*} = abP$ as the solution to the CDH problem.

Now, we assess the probability of success. In the Challenge stage, the probability of ${ID}_{B}^{*} = I D_{λ}$ is $1 / q_{H_{1}}$ . In the private-key query, the probability of C querying with $I D_{λ}$ is $1 / q_{H_{1}}$ . In the UN-CLGSC stage, the probability of C refuging the right ciphertext is less than $q_{Un - CLGSC} / 2^{k}$ .

In terms of time complexity, CLGSC and Un-CLGSC queries need 5 and 7 $t_{m}$ computations, respectively.

Note 1: In order to resist the malicious-but-passive KGC attack, we must let adversary $A_{II}$ produce the system parameters Params and master private key s in the Setup stage.

Note 2: $A_{II}$ is allowed to query the full private key $S_{I D_{A}}^{*}$ in the Find and the Guess stages, considering the inside attacker ${ID}_{A}^{*}$ may damage the security of the scheme.

Unforgeability

Theorem 3 (Type I unforgeability)

In the random oracle model, if there is a PPT adversary $A_{I}$ with a non-negligible advantage $ε$ against the EUF-CLGSC-CMA-I security of the scheme running in the signature or signcryption mode in time t and performing at most $q_{H_{i}} H_{i} (i = 1, 2, 3, 4, 5)$ queries, $q_{p - p - k}$ partial-private-key queries, $q_{p - k}$ private-key queries, $q_{CLGSC}$ CLGSC queries, and $q_{Un - CLGSC}$ Un-CLGSC queries, then the EC-DL problem can be solved with probability $ε^{'} \geq ε \cdot 1 / q_{H_{1}} \cdot {(1 - 1 / q_{H_{1}})}^{q_{p - p - k}} \cdot {(1 - 1 / q_{H_{1}})}^{q_{p - k}} \cdot (1 - q_{U n - C L G S C} / 2^{k}) \cdot (ε^{3} / {(q_{H_{1}} + q_{H_{3}})}^{6} - 3 / 2^{k})$ in time $t' < t + (5 \cdot q_{CLGSC} + 7 \cdot q_{Un - CLGSC}) \cdot t_{m}$ , where $t_{m}$ denotes the time for a scalar multiplication on G.

Proof

Suppose that challenger C is given $(P, aP) \in G^{2}$ for random $a \in Z_{q}^{*}$ . C does not know the value of a and is asked to compute a. To utilize adversary $A_{I}$ , challenger C will simulate all the oracles as in the Query stage:

Setup: The same as in Theorem 1.

Queries: The same as in the Find stage of Theorem 1.

Forgery: Finally, $A_{I}$ outputs a forged CLGSC ciphertext $σ^{*} = (F_{1}^{*}, F_{2}^{*}, c^{*})$ on message $m^{*}$ with ${ID}_{A}^{*}$ as the sender and ${ID}_{B}^{*}$ as the receiver. If ${ID}_{A}^{*} \neq I D_{λ}$ , C aborts. Otherwise, if $σ^{*}$ can pass the validation of the Un-CLGSC algorithm and $σ^{*} = (F_{1}^{*}, F_{2}^{*}, c^{*})$ is not the output of a CLGSC query, according to the multiple forking lemma,⁴⁸ we can obtain four valid signatures $(I D_{λ}, {ID}_{B}^{*}, m^{*}, f_{2}^{* (1)}, h_{1}^{* (1)}, h_{3}^{* (1)})$ , $(I D_{λ}, {ID}_{B}^{*}, m^{*}, f_{2}^{* (2)}, h_{1}^{* (1)}, h_{3}^{* (2)})$ , $(I D_{λ}, {ID}_{B}^{*}, m^{*}, f_{2}^{* (3)}, h_{1}^{* (2)}, h_{3}^{* (3)})$ , and $(I D_{λ}, {ID}_{B}^{*}, m^{*}, f_{2}^{* (4)}, h_{1}^{* (2)}, h_{3}^{* (4)})$ , where $h_{1}^{* (1)}$ and $h_{1}^{* (2)}$ are two different hash values corresponding to the $H_{1}$ oracle, and $h_{3}^{* (1)}$ , $h_{3}^{* (2)}$ , $h_{3}^{* (3)}$ , $h_{3}^{* (4)}$ are four different hash values corresponding to the $H_{3}$ oracle. Because $f_{2}^{*} = x_{I D_{λ}} \cdot h_{2}^{*} + (y_{I D_{λ}} + a \cdot h_{1}^{*}) \cdot h_{3}^{*} + r_{1}^{*} \cdot h_{4}^{*} + r_{2}^{*} mod q$ , we can obtain the following four equations: $f_{2}^{* (1)} = x_{I D_{λ}} \cdot h_{2}^{*} + (y_{I D_{λ}} + a \cdot h_{1}^{* (1)}) \cdot h_{3}^{* (1)} + r_{1}^{*} \cdot h_{4}^{*} + r_{2}^{*} \mod q$ , $f_{2}^{* (2)} = x_{I D_{λ}} \cdot h_{2}^{*} + (y_{I D_{λ}} + a \cdot h_{1}^{* (1)}) \cdot h_{3}^{* (2)} + r_{1}^{*} \cdot h_{4}^{*} + r_{2}^{*} mod q$ , $f_{2}^{* (3)} = x_{I D_{λ}} \cdot h_{2}^{*} + \ 1 (y_{I D_{λ}} + a \cdot h_{1}^{* (2)}) \cdot h_{3}^{* (3)} + r_{1}^{*} \cdot h_{4}^{*} + r_{2}^{*} mod q$ , and $f_{2}^{* (4)} = x_{I D_{λ}} \cdot h_{2}^{*} + (y_{I D_{λ}} + a \cdot h_{1}^{* (2)}) \cdot h_{3}^{* (4)} + r_{1}^{*} \cdot h_{4}^{*} + r_{2}^{*} mod q$ .

Then, C can compute $[(f_{2}^{* (1)} - f_{2}^{* (2)}) (h_{3}^{* (1)} - h_{3}^{* (2)})^{- 1} - (f_{2}^{* (3)} - f_{2}^{* (4)}) (h_{3}^{* (3)} - h_{3}^{* (4)})^{- 1}] \cdot (h_{1}^{* (1)} - h_{1}^{* (2)})^{- 1} = a$ .

Now, we assess the probability of success. In the Forgery stage, the probability of ${ID}_{A}^{*} = I D_{λ}$ is $1 / q_{H_{1}}$ . In both the partial-private-key and private-key queries, the probability of C querying with $I D_{λ}$ is $1 / q_{H_{1}}$ . In the UN-CLGSC stage, the probability of C refuging the right ciphertext is less than $q_{Un - CLGSC} / 2^{k}$ . In conjunction with the multiple forking lemma,⁴⁸ the EC-DL problem can be solved with probability $ε^{'} \geq ε \cdot 1 / q_{H_{1}} \cdot {(1 - 1 / q_{H_{1}})}^{q_{p - p - k}} \cdot {(1 - 1 / q_{H_{1}})}^{q_{p - k}} \cdot (1 - q_{U n - C L G S C} / 2^{k}) \cdot (ε^{3} / {(q_{H_{1}} + q_{H_{3}})}^{6} - 3 / 2^{k})$ .

In terms of time complexity, CLGSC and Un-CLGSC queries need 5 and 7 $t_{m}$ computations, respectively.

Note 1: $A_{I}$ is allowed to query the full private key $S_{I D_{B}}^{*}$ in the Query stage, considering the inside attacker ${ID}_{B}^{*}$ may damage the security of the scheme.

Note 2: The coefficient of a in $f_{2}^{*}$ is $(h_{1}^{*} \cdot h_{3}^{*})$ . $h_{1}^{*}$ and $h_{3}^{*}$ have multiplication relationships, so the multiple forking lemma is applicable to this scenario.

Theorem 4 (Type II unforgeability)

In the random oracle model, if there is a PPT adversary $A_{II}$ with a non-negligible advantage $ε$ against the EUF-CLGSC-CMA-II security of the scheme running in signature or signcryption mode in time t and performing at most $q_{H_{i}} H_{i} (i = 1, 2, 3, 4, 5)$ queries, $q_{p - k}$ private-key queries, $q_{CLGSC}$ CLGSC queries, and $q_{Un - CLGSC}$ Un-CLGSC queries, then the EC-DL problem can be solved with probability $ε' \geq ε \cdot 1 / q_{H_{1}} \cdot (1 - 1 / q_{H_{1}})^{q_{p - k}} \cdot (1 - q_{Un - CLGSC} / 2^{k}) \cdot (ε / q_{H_{2}} - 1 / 2^{k})$ in time $t' < t + (5 \cdot q_{CLGSC} + 7 \cdot q_{Un - CLGSC}) \cdot t_{m}$ , where $t_{m}$ denotes the time for a scalar multiplication on G.

Proof

Suppose that challenger C is given $(P, aP) \in G^{2}$ for random $a \in Z_{q}^{*}$ . C does not know the value of a and is asked to compute a. To utilize adversary $A_{II}$ , challenger C will simulate all the oracles as in the Query stage:

Setup: The same as in Theorem 2.

Queries: The same as in the Find stage of Theorem 2.

Forgery: Finally, $A_{II}$ outputs a forged CLGSC ciphertext $σ^{*} = (F_{1}^{*}, F_{2}^{*}, c^{*})$ on message $m^{*}$ with ${ID}_{A}^{*}$ as the sender and ${ID}_{B}^{*}$ as the receiver. If ${ID}_{A}^{*} \neq I D_{λ}$ , C aborts. Otherwise, if $σ^{*}$ can pass the validation of Un-CLGSC algorithm and $σ^{*} = (F_{1}^{*}, F_{2}^{*}, c^{*})$ is not the output of a CLGSC query, according to the general forking lemma,⁴⁹ we can obtain two valid signatures $(I D_{λ}, {ID}_{B}^{*}, m^{*}, f_{2}^{* (1)}, h_{2}^{* (1)})$ and $(I D_{λ}, {ID}_{B}^{*}, m^{*}, f_{2}^{* (2)}, h_{2}^{* (2)})$ , where $h_{2}^{* (1)}$ and $h_{2}^{* (2)}$ are two different hash values corresponding to the $H_{2}$ oracle. Because $f_{2}^{*} = a \cdot h_{2}^{*} + z_{I D_{λ}} \cdot h_{3}^{*} + r_{1}^{*} \cdot h_{4}^{*} + r_{2}^{*} mod q$ , we can obtain the following two equations: $f_{2}^{* (1)} = a \cdot h_{2}^{* (1)} + z_{I D_{λ}} \cdot h_{3}^{*} + r_{1}^{*} \cdot h_{4}^{*} + r_{2}^{*} mod q$ and $f_{2}^{* (2)} = a \cdot h_{2}^{* (2)} + z_{I D_{λ}} \cdot h_{3}^{*} + r_{1}^{*} \cdot h_{4}^{*} + r_{2}^{*} mod q$ .

Then, C can compute $(f_{2}^{* (1)} - f_{2}^{* (2)}) {(h_{2}^{* (1)} - h_{2}^{* (2)})}^{- 1} = a$ .

Now, we assess the probability of success. In the Forgery stage, the probability of ${ID}_{A}^{*} = I D_{λ}$ is $1 / q_{H_{1}}$ . In the private-key query, the probability of C querying with $I D_{λ}$ is $1 / q_{H_{1}}$ . In the UN-CLGSC stage, the probability of C refuging the right ciphertext is less than $q_{Un - CLGSC} / 2^{k}$ . In conjunction with the general forking lemma,⁴⁹ the EC-DL problem can be solved with probability $ε^{'} \geq ε \cdot 1 / q_{H_{1}} \cdot {(1 - 1 / q_{H_{1}})}^{q_{p - k}} \cdot (1 - q_{U n - C L G S C} / 2^{k}) \cdot (ε / q_{H_{2}} - 1 / 2^{k})$ .

In terms of time complexity, CLGSC and Un-CLGSC queries need 5 and 7 $t_{m}$ computations, respectively.

Note 1: $A_{II}$ is allowed to query the full private key $S_{I D_{B}}^{*}$ in the Query stage, considering the inside attacker ${ID}_{B}^{*}$ may damage the security of the scheme.

Note 2: The coefficient of a in $f_{2}^{*}$ is $h_{2}^{*}$ . $h_{2}^{*}$ , $h_{3}^{*}$ , and $h_{4}^{*}$ have linear relationships, so the general forking lemma is applicable to this scenario.

Efficiency

We compare our scheme with other CLGSC schemes, including the schemes of Zhang et al.,³ Zhou et al.,⁷ and Zhou et al.,⁴⁶ with the time-consuming computations taken into account. The comparison results are listed in Table 1. The symbols p, e, $m_{1}$ , and $m_{2}$ denote a pairing computation, an exponentiation computation on $G_{2}$ , a pairing-based scalar multiplication computation on $G_{1}$ , and an elliptic curve cryptography-based (ecc-based) scalar multiplication computation on $G_{1}$ , respectively. $| G_{1} |$ , $| G_{2} |$ , $| q |$ , $| m |$ , and $| ID |$ represent the bit lengths of an element on $G_{1}$ , $G_{2}$ , $z_{q}^{*}$ , a message m, and an identity, respectively. From Table 1, we can see that our scheme requires one more $m_{2}$ computation than scheme [3] in the CLGSC and Un-CLGSC stage, respectively, and is $| q |$ bit longer than scheme [3] in the ciphertext size. In order to improve the security of scheme [3], ours increases the computational costs, but only slightly. And, compared with other pairing-based schemes, our scheme proves to be excellent.

Table 1.

Comparisons of performance I.

Schemes	CLGSC	Un-CLGSC	Ciphertext size
[3]	4m₂	5m₂	\|G₁\| + 2\|q\| + \|m\|
[7]	4m₁ + e	4p + m₁	2\|G₁\| + \|m\|
[46]	7m₂	8m₂	2\|G₁\| + \|q\| + \|m\|
Ours	5m₂	7m₂	2\|G₁\| + \|q\| + \|m\|

CLGSC: certificateless generalized signcryption.

To show the comparisons more directly, we use the MIRACL library⁵⁰ to test the runtime of the basic cryptographic operations. The average runtime is listed in Table 2 (we tested it 1000 times). The experiment was run on a Windows 7 Home Basic 64-bit Operating System. The hardware consists of an Intel Core i7-4510U CPU running at 2.0 GHz with 8 GB of memory. For pairing-based schemes, we use the supersingular elliptic curve $E / F_{p} : y^{2} = x^{3} - 3 x$ with an embedding degree of 2, where q is a 160-bit Solinas prime $q = 2^{159} + 2^{17} + 1$ and p a 512-bit prime satisfying $p + 1 = 2 qh$ . Its security level is equivalent to 1024-bit RSA. To achieve the same security level, for ecc-based schemes, we use secp160r1, as recommended by the Certicom Corporation.⁵¹

Table 2.

Computational costs (ms).

p	e	m ₁	m ₂
14.9	1.25	4.31	0.97

When we adopt the above parameters, for pairing-based schemes, $| G_{1} | = | G_{2} | = 1024$ |, $| q | = 160$ , and for ecc-based schemes, $| G_{1} | = 320$ , $| q | = 160$ . Let $| m | = 160$ and $| ID | = 160$ . We can obtain Table 3 by combining Tables 1 and 2.

Table 3.

Comparisons of performance II.

Schemes	CLGSC	Un-CLGSC	Ciphertext size (bit)
[3]	3.88	4.85	800
[7]	18.49	63.91	2208
[46]	6.79	7.76	960
Ours	4.85	6.79	960

CLGSC: certificateless generalized signcryption.

From Table 3, we can see that scheme [3] is $(4.85 - 3.88) / 4.85 = 20 %$ faster than ours in the CLGSC stage and $(6.79 - 4.85) / 6.79 = 28.6 %$ faster than ours in the UN-CLGSC stage. But ours is $(18.49 - 4.85) / 18.49 = 73.8 %$ faster than scheme [7] and $(6.79 - 4.85) / 6.79 = 28.6 %$ faster than scheme [46] in the CLGSC stage, and $(63.91 - 6.79) / 63.91 = 89.4 %$ faster than scheme [7] and $(7.76 - 6.79) / 7.76 = 12.5 %$ faster than scheme [46] in the UN-CLGSC stage.

About the ciphertext size, scheme [3] is $(960 - 800) / 960 = 16.7 %$ shorter than ours. But ours is $(2208 - 960) / 2208 = 56.5 %$ shorter than scheme [7]. What is more, scheme [46] and ours have the same length.

To further convince people that our scheme is highly efficient, we also compare ours with those ones protecting the M-Health system, including the schemes of Wang et al.,³³ Wang and Liu,³⁴ Zhou et al.,³⁵ and Omala et al.³⁶ The comparisons are listed in Table 4. By combining Tables 2 and 4, we can obtain Table 5.

Table 4.

Comparisons of performance III.

Schemes	SC	Un-SC	Ciphertext size
[33]	(n + 3w + 2)m₁ + e	(w + 3)p + wm₁ + we	(n + 2w + 2)\|G₁\| + \|G₂\| + \|q\| + \|ID\|
[34]	(n + w + 1)m₁ + e	(w + 2)p + nm₁ + we	(n + w + 1)\|G₁\| + \|G₂\| + \|q\| + \|ID\|
[35]	p + (n + 3)m₁ + e	3p + nm₁	(n + 2)\|G₁\| + \|m\|
[36]	4m₂	5m₂	\|G₁\| + \|q\| + 2\|m\|
Ours	5m₂	7m₂	2\|G₁\| + \|q\| + \|m\|

SC: signcryption.

w and n represent the number of attributes and the number of elements in the ring, respectively.

Table 5.

Comparisons of performance IV (w = 2, n = 2).

Schemes	SC	Un-SC	Ciphertext size (bit)
[33]	44.35	85.62	8512
[34]	22.8	70.72	6464
[35]	37.7	53.32	1440
[36]	3.88	4.85	800
Ours	4.85	6.79	960

SC: signcryption.

From Table 5, we can see that scheme [36] is $(4.85 - 3.88) / 4.85 = 20 %$ faster than ours in the SC stage and $(6.79 - 4.85) / 6.79 = 28.6 %$ faster than ours in the Un-SC stage, but unfortunately, this scheme does not support anonymity. Ours is $(44.35 - 4.85) / 44.35 = 89 %$ faster than scheme [33], $(22.8 - 4.85) / 22.8 = 78.7 %$ faster than scheme [34] and $(37.7 - 4.85) / 37.7 = 87.1 %$ faster than scheme [35] in the SC stage, and $(85.62 - 6.79) / 85.62 = 92.1 %$ faster than scheme [33], $(70.72 - 6.79) / 70.72 = 90.1 %$ faster than scheme [34] and $(53.32 - 6.79) / 53.32 = 87.3 %$ faster than scheme [35] in the Un-SC stage.

On the whole, our scheme is a lightweight one and can be used in mobile-health systems.

Conclusion

In this article, we propose an improved scheme to overcome the drawbacks of Zhang et al.’s scheme and give the rigorous security proof of it. The confidentiality of our improved scheme can be reduced to the CDH problem and the unforgeability, the EC-DL problem. Performance evaluation shows that ours increases only a little amount of computational and communicational costs compared with the original scheme, but it is more efficient than other CLGSC schemes there are at present. What is more, it is also an efficient scheme compared with those ones protecting the M-Health system. Based on our improved scheme, the same lightweight secure data transmission protocol for the M-Health system can be constructed, just like the one based on the original scheme. Our future work is to study the secure data transmission protocols for the M-Health system without the random oracle model.

Footnotes

Acknowledgements

The author thanks Ms Yan Di for checking the manuscript.

Handling Editor: Yee Wei Law

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the National Natural Science Foundation of China (nos 61462048, 61562047, and 61662039).

ORCID iD

Caixue Zhou

References

Movassaghi

Abolhasan

Lipman

et al . Wireless body area networks: a survey. IEEE Commun Surv Tut 2014; 16(3): 1658–1686.

Sampangi

Dey

Urs

et al . A security suite for wireless body area networks. Int J Netw Secur Appl 2012; 4(1): 97–116.

Zhang

Wang

et al . Light-weight and robust security-aware D2D-assist data transmission protocol for mobile-health systems. IEEE T Inf Foren Sec 2017; 12(3): 662–675.

Zhang

Chen

RQY

et al . SeDS: secure data sharing strategy for D2D communication in LTE-advanced networks. IEEE T Veh Technol 2016; 65(4): 2659–2672.

Liu

Zhang

Chen

et al . Certificateless remote anonymous authentication schemes for wireless body area networks. IEEE T Parallel Distrib Syst 2014; 25(2): 332–342.

Lin

Shen

et al . SAGE: a strong privacy-preserving scheme against global eavesdropping for eHealth systems. IEEE J Sel Areas Commun 2009; 27(4): 365–378.

Zhou

Dong

et al . Provable certificateless generalized signcryption scheme. Des Codes Cryptogr 2014; 71(2): 331–346.

Zhou

Gao

Cui

ZM.

Certificateless signcryption in the standard model. Wireless Pers Commun 2017; 92(2): 495–513.

Han

Yang

Wei

et al . ECGSC: elliptic curve based generalized signcryption. In: Proceedings of the international conference on ubiquitous intelligence and computing, Wuhan, China, 3–6 September 2006, pp.956–965. New York: Springer.

10.

Han

Jin

CH.

Certificateless online/offline signcryption for the Internet of things. Wireless Netw 2017; 23(1): 145–158.

11.

Zheng

Jin

CH.

Identity-based deniable authenticated encryption and its application to e-mail system. Telecommun Syst 2016; 62(4): 625–639.

12.

Vollala

Begum

Joshi

et al . High-radix modular exponentiation for hardware implementation of public-key cryptography. In: Proceedings of the international conference on computing, analytics and security trends (CAST), Pune, India, 19–21 December 2016, pp.346–350. New York; IEEE.

13.

Zhou

CX.

Comments on light-weight robust security-aware D2D-assist data transmission protocol for mobile-health systems. IEEE T Inf Foren Secur 2018; 13(7): 1869–1870.

14.

Karaoglan

Levi

A survey on the development of security mechanisms for body area networks. Comput J 2014; 57(10): 1484–1512.

15.

Cherukuri

Venkatasubramanian

Gupta

SKS

. Biosec: a biometric based approach for securing communication in wireless networks of biosensors implanted in the human body. In: Proceedings of the ICPPW, Kaohsiung, Taiwan, 6–9 October 2003, pp.432–439. New York: IEEE.

16.

Ibrahim

Kumari

Das

et al . Secure anonymous mutual authentication for star two-tier wireless body area networks. Comput Meth Program Biomed 2016; 135: 37–50.

17.

Ibrahim

Kumari

et al . Anonymous mutual authentication and key agreement scheme for wearable sensors in wireless body area networks. Comput Netw 2017; 129(SI): 429–443.

18.

Kumar

Lee

. A user authentication for healthcare application using wireless medical sensor networks. In: Proceedings of the high performance computing and communications, Banff, AB, Canada, 2–4 September 2011, pp.647–652. New York: IEEE.

19.

Hong

JJ.

Efficient certificateless access control for wireless body area networks. IEEE Sens J 2016; 16(13): 5389–5396.

20.

Liu

Chung

YF.

Secure user authentication scheme for wireless healthcare sensor networks. Comput Electr Eng 2017; 59: 250–261.

21.

Yeh

Chen

JW.

An authentication protocol for ubiquitous health monitoring systems. J Med Biol Eng 2013; 33(4): 415–419.

22.

Zhao

ZG.

An efficient anonymous authentication scheme for wireless body area networks using elliptic curve cryptosystem. J Med Syst 2014; 38(2): 13.

23.

Wang

Zhang

YM.

New authentication scheme for wireless body area networks using the bilinear pairing. J Med Syst 2015; 39(11): 136.

24.

Omala

Kibiwott

FG.

An efficient remote authentication scheme for wireless body area network. J Med Syst 2017; 41(2): 25.

25.

Liu

Zhang

Sun

1-RAAP: an efficient 1-round anonymous authentication protocol for wireless body area networks. Sensors 2016; 16(5): 728–743.

26.

Peng

Kumari

et al . An enhanced 1-round authentication protocol for wireless body area networks with user anonymity. Comput Electr Eng 2017; 61: 238–249.

27.

Jiang

Lian

Yang

et al . A bilinear pairing based anonymous authentication scheme in wireless body area networks for mHealth. J Med Syst 2016; 40(11): 231.

28.

Zeadally

Kumar

et al . Anonymous authentication for wireless body area networks with provable security. IEEE Syst J 2017; 11(4): 2590–2601.

29.

Xiong

Cost-effective scalable and anonymous certificateless remote authentication protocol. IEEE T Inf Foren Sec 2014; 9(12): 2327–2339.

30.

Xiong

Qin

ZG.

Revocable and scalable certificateless remote authentication protocol with anonymity for wireless body area networks. IEEE T Inf Foren Sec 2015; 10(7): 1442–1455.

31.

Tan

Wang

Zhong

et al . Body sensor network security: an identity-based cryptography approach. In: Proceedings of the first ACM conference on wireless network security, Alexandria, VA, 2008, pp.148–153. New York: ACM.

32.

Huang

Lee

DH.

A privacy-strengthened scheme for e-healthcare monitoring system. J Med Syst 2012; 36(5): 2959–2971.

33.

Wang

et al . Integrating ciphertext-policy attribute-based encryption with identity-based ring signature to enhance security and privacy in wireless body area networks. In: Proceedings of the international conference on information security and cryptology, Beijing, China, 13–15 December 2014, pp.424–442. New York: Springer.

34.

Wang

Liu

Attribute-based ring signcryption scheme and its application in wireless body area networks. In: Proceedings of the international workshops and symposiums on algorithms and architectures for parallel processing, Zhangjiajie, China, 18–20 November 2015, pp.521–530. New York: Springer.

35.

Zhou

Cui

Gao

GY.

Efficient identity-based generalized ring signcryption scheme. KSII T Intern Inf Syst 2016; 10(12): 5553–5571.

36.

Omala

Robert

FG.

A provably-secure transmission scheme for wireless body area networks. J Med Syst 2016; 40(11): 247.

37.

Han

Gui

XL.

Adaptive secure multicast in wireless networks. Int J Commun Syst 2009; 22(9): 1213–1239.

38.

Wang

Yang

Zhang

Provable secure generalized signcryption. J Comput 2010; 5(5): 807–814.

39.

Shen

et al . Provable secure identity based generalized signcryption scheme. Theor Comput Sci 2010; 411(40–42): 3614–3624.

40.

Kushwah

Lal

An efficient identity based generalized signcryption scheme. Theor Comput Sci 2011; 412(45): 6382–6389.

41.

Chen

Liu

et al . Malicious KGC attacks in certificateless cryptography. In: Proceedings of the 2nd ACM symposium on information, computer and communications security, Singapore, 20–22 March 2007, pp.302–311. New York: ACM.

42.

Wei

Shao

Xiang

et al . Obtain confidentiality or/and authenticity in big data by id-based generalized signcryption. Inform Sci 2015; 318: 111–122.

43.

Zhou

CX.

An improved multi-receiver generalized signcryption scheme. Int J Network Secur 2015; 17(3): 340–350.

44.

Han

. Attribute based generalized signcryption for online social network. In: Proceedings of the 34th Chinese control conference (CCC), Hangzhou, China, 28–30 July 2015, pp.6434–6439. New York: IEEE.

45.

Zhou

CX.

Identity-based generalized proxy signcryption scheme. Inf Tech Control 2016; 45(1): 13–26.

46.

Zhou

Zhao

Zhou

et al . Certificateless key-insulated generalized signcryption scheme without bilinear pairings. Secur Commun Netw 2017; 2017: 8405879.

47.

Dodis

Rabin

. On the security of joint signature and encryption. In: Proceedings of the international conference on the theory and applications of cryptographic techniques EUROCRYPT 2002, Amsterdam, 28 April–2 May 2002, pp.83–107. New York: Springer.

48.

Boldyreva

Palacio

Warinschi

Secure proxy signature schemes for delegation of signing rights. J Cryptol 2012; 25(1): 57–115.

49.

Bellare

Neven

. Multi-signatures in the plain public-key model and a general forking lemma. In: Proceedings of the 13th ACM conference on computer and communications security, CCS, Alexandria, VA, 30 October–3 November 2006, pp.390–399. New York: ACM.

50.

Shamus Software Ltd. MIRACL library, http://github.com/miracl/MIRACL

51.

The Certicom Corporation. SEC 2: recommended elliptic curve domain parameters. The Standard for Efficient Cryptography Group, 2000, http://www.secg.org/SEC2-Ver-1.0.pdf

An improved lightweight certificateless generalized signcryption scheme for mobile-health system

Abstract

Keywords

Introduction

Related works

Preliminaries

Formal definition and security model of CLGSC

Formal definition

Security model

Definition 1 (Type I confidentiality, encryption and signcryption modes)

Definition 2 (Type II confidentiality, encryption, and signcryption modes)

Definition 3 (Type I unforgeability, signature, and signcryption modes)

Definition 4 (Type II unforgeability, signature, and signcryption modes)

Zhang et al.’s communication model and scheme and Zhou’s security analysis

The communication model

Zhang et al.’s original scheme

Cryptanalysis of the above scheme

An improved CLGSC scheme

Security and efficiency analyses

Confidentiality

Theorem 1 (Type I confidentiality)

Proof

Theorem 2 (Type II confidentiality)

Proof

Unforgeability

Theorem 3 (Type I unforgeability)

Proof

Theorem 4 (Type II unforgeability)

Proof

Efficiency

Conclusion

Footnotes

Acknowledgements

Declaration of conflicting interests

Funding

ORCID iD

References