Sage Journals: Discover world-class research

Abstract

Due to the popularity of mobile communication, many computing devices are exposed to remote environments without physical protection so that these devices easily suffer from leakage attacks (e.g., side-channel attacks). Under such leakage attacks, when a computing device performs some cryptographic algorithm, an adversary may acquire partial bits of secret keys participated in this cryptographic algorithm. To resist leakage attacks, researchers offer leakage-resilient cryptography as a solution. A signcryption scheme combines signing and encrypting processes to simultaneously provide both authentication and confidentiality, which is an important cryptographic primitive. Indeed, many leakage-resilient signcryption schemes under various public key system (PKS) settings were proposed. Unfortunately, these schemes still have two shortcomings, namely, bounded leakage resilience and conditionally continuous leakage resilience. In this paper, a “fully” continuous leakage-resilient certificate-based signcryption (FCLR-CBSC) scheme is proposed. Security analysis is formally proved to show that our scheme possesses both authentication and confidentiality against two types of adversaries in the certificate-based PKS setting. Performance analysis and simulation experience show that our scheme is suited to run on both a PC and a mobile device.

Keywords

leakage attacks signcryption certificate-based public key system leakage resilience

1 Introduction

In the traditional public key system (PKS) setting (Rivest et al., 1978), a public-key infrastructure (PKI) needs to be established to create and manage each member’s certificate, which is used to validate the member’s public key. To lighten the PKI establishment cost, Boneh and Franklin (2001) presented a practical identity-based PKS (ID-PKS) setting with bilinear pairings, in which a member’s identity is regarded as the member’s public key and no certificate is needed. However, the ID-PKS setting suffers from a constitutional key escrow problem. In 2003, the certificateless PKS (CL-PKS) (Al-Riyami and Paterson, 2003) and the certificate-based PKS (CB-PKS) (Gentry, 2003) settings were constructed respectively to clear up the key escrow problem. Afterwards, the research of various cryptographic mechanisms under the CB-PKS and the CL-PKS settings have been thoroughly studied.

Typically, the security of these cryptographic mechanisms under these PKS settings mentioned above is dependent on the security of secret keys participated in these cryptographic mechanisms, and so these secret keys must be entirely concealed to adversaries. However, due to the popularity of mobile communication, many computing devices are exposed to remote environments without physical protection so that these devices easily suffer from leakage attacks (e.g. side-channel attacks) (Kocher et al., 1999; Brumley and Boneh, 2005; Biham et al., 2008). By leakage attacks, when a computing device performs some cryptographic algorithm, an adversary may acquire partial bits of secret keys participated in this algorithm. To resist such leakage attacks, researchers offer leakage-resilient cryptography as a solution. In the past, numerous leakage-resilient signature (LRS) schemes (Galindo and Virek, 2013; Wu et al., 2019; Tseng et al., 2020; Wu et al., 2020b), leakage-resilient encryption (LRE) schemes (Kiltz and Pietrzak, 2010; Galindo et al., 2016; Wu et al., 2018, 2020a; Tseng et al., 2022), and leakage-resilient authenticated key agreement protocols (Tseng et al., 2021; Peng et al., 2021; Tsai et al., 2022) under various PKS settings have been published in the literature.

For reducing communication and computation costs, a signcryption scheme (Zheng, 1997) combines signing and encrypting processes in a mechanism to simultaneously provide both authentication and confidentiality, which is an important cryptographic primitive. In the past, some signcryption schemes under various PKS settings have been proposed that include PKI-based signcryption (PKI-SC) schemes (Ullah et al., 2020; Ali et al., 2020), certificateless signcryption (CLSC) schemes (Khan et al., 2020; Wu et al., 2022) and certificate-based signcryption (CBSC) schemes (Ullah et al., 2019; Hussain et al., 2020). Nevertheless, these signcryption schemes mentioned above are unable to resist leakage attacks. Indeed, several leakage-resilient (LR) signcryption schemes under the CL-PKS and the CB-PKS settings have been proposed. However, these LR signcryption schemes still have two shortcomings, that is, bounded leakage resilience and conditionally continuous leakage resilience, which will be discussed later. Hence, in this paper, we aim to propose a “fully” continuous leakage-resilient certificate-based signcryption (FCLR-CBSC) scheme to remove the shortcomings of the previously proposed schemes.

1.1 Related Work

Here, let’s introduce two types of leakage attack models, that is, bounded and continuous (i.e. unbounded). The bounded leakage attack model has an impractical property that entire leaked bits of a secret key are bounded in a fractional proportion of the secret key during the usage life of an LR algorithm (Alwen et al., 2009; Katz and Vaikuntanathan, 2009). In such a case, when the leaked bit number of the secret key exceeds the proportion, the secret key can no longer be used. Contrarily, the continuous leakage attack model allows adversaries to continuously obtain a secret key’s partial bits in each usage of the secret key during the usage life of the associated LR algorithm. Therefore, an LR cryptographic scheme against continuous leakage attacks has the unbounded leakage property and is more suitable for real practical environments (Kiltz and Pietrzak, 2010; Galindo and Virek, 2013).

As mentioned earlier, several LR signcryption schemes under the CL-PKS and the CB-PKS settings have been proposed to remove the key escrow problem. Here, let’s review these LR certificateless signcryption (LR-CLSC) (Zhou et al., 2016; Yang et al., 2019) and LR certificate-based signcryption (LR-CBSC) (Zhou et al., 2021) schemes. Zhou et al. (2016) adopted a non-interactive zero-knowledge mechanism to propose an LR-CLSC scheme. As we know, the usage of the non-interactive zero-knowledge mechanism is very time-consuming so that Zhou et al.’s scheme is unsuitable for mobile devices. Subsequently, Yang et al. (2019) presented an improvement on Zhou et al.’s scheme to remove the usage of the non-interactive zero-knowledge mechanism to achieve better performance. However, both schemes (Zhou et al., 2016; Yang et al., 2019) are only secure against bounded leakage attacks and cannot resist the attacks of adversaries with continuous leakage abilities.

To achieve continuous leakage-resilient property, Zhou et al. (2021) first presented a bounded LR-CBSC scheme and adopted the secret key update method proposed by Dodis et al. (2010) to obtain a “conditionally” continuous LR-CBSC (CCLR-CBSC) scheme. That is, by Dodis et al.’s secret key update method, a continuous version is constructed from the associated bounded LR cryptographic scheme. However, Kiltz and Pietrzak (2010) have previously shown that Dodis et al.’s secret key update method has a shortcoming in the sense that the key update process itself does not allow adversaries to leak any bits of the secret key even if the secret key actually participates in the computation of the key update method. Therefore, Zhou et al.’s scheme only possesses the “conditionally” continuous leakage-resilient property.

1.2 Contributions

As mentioned earlier, the LR-CLSC schemes in Zhou et al. (2016), Yang et al. (2019) are only secure against bounded leakage attacks and the CCLR-CBSC scheme in Zhou et al. (2021) only possesses the “conditionally” continuous leakage-resilient property. In this paper, a “fully” CLR-CBSC (FCLR-CBSC) scheme is proposed. In our FCLR-CBSC scheme, there are two roles, namely, a trusted certificate authority (CA) and members. A member ${ID}_{m}$ sets the associated member secret key ${MSK}_{m}$ . The CA uses its own secret key $CSK$ to compute the member’s certificate ${CTF}_{m}$ using the member ${ID}_{m}$ ’s identity information and public key, and returns it back to the member ${ID}_{m}$ . By combining the adversary models of both the LR certificate-based signature (LR-CBS) scheme (Wu et al., 2019) and the LR certificate-based encryption (LR-CBE) scheme (Wu et al., 2020a), we define the adversary model of the FCLR-CBSC scheme. In this adversary model, there are two types of adversaries that include an uncertified member and the honest-but-curious CA.

Table 1
Comparisons between the related schemes and our scheme.

Scheme Zhou et al.’s LR-CLSC scheme (2016) Yang et al.’s LR-CLSC scheme (2019) Zhou et al.’s CCLR-CBSC scheme (2021) Our proposed FCLR-CBSC scheme

PKS setting CL-PKS CL-PKS CB-PKS CB-PKS

Leakage of a member’s secret key Allowed Allowed Allowed Allowed

Leakage of the system’s secret key Not allowed Not allowed Allowed Allowed

Leakage model Bounded Bounded Conditionally continuous Fully continuous

Scheme	Zhou et al.’s LR-CLSC scheme (2016)	Yang et al.’s LR-CLSC scheme (2019)	Zhou et al.’s CCLR-CBSC scheme (2021)	Our proposed FCLR-CBSC scheme
PKS setting	CL-PKS	CL-PKS	CB-PKS	CB-PKS
Leakage of a member’s secret key	Allowed	Allowed	Allowed	Allowed
Leakage of the system’s secret key	Not allowed	Not allowed	Allowed	Allowed
Leakage model	Bounded	Bounded	Conditionally continuous	Fully continuous

To realize the “fully” continuous leakage-resilient property, our scheme adopts the key update method proposed by Kiltz and Pietrzak (2010) to update the member ${ID}_{m}$ ’s secret key ${MSK}_{m}$ and certificate ${CTF}_{m}$ participated in both the signcryption and the unsigncryption algorithms, and the CA’s secret key $CSK$ participated in the certificate generation algorithm. In the process of the key update method, these secret keys or certificates are allowed to be leaked by an adversary so that our scheme has the fully continuous leakage-resilient property. Table 1 lists the comparisons between the LR-CLSC schemes in Zhou et al. (2016), Yang et al. (2019), the CCLR-CBSC scheme in Zhou et al. (2021) and our FCLR-CBSC scheme in terms of PKS setting, leakage of a member’s secret key, leakage of the system’s secret key and leakage model. It is obvious that only our scheme achieves the fully continuous leakage-resilient property and tolerates the leakages of both the system’s secret key and a member’s secret key. Finally, we employ the security proving method of the generic bilinear group (GBG) model (Boneh et al., 2005) to show that our scheme possesses both authentication and confidentiality against two types of adversaries in the CB-PKS setting. Also, performance analysis and simulation experience demonstrate that our scheme is suited to run on both a PC and a mobile device.

1.3 Paper Structure

The remainder of this paper comprises six parts. Four preliminaries are introduced in Section 2. We define a new framework and security model of FCLR-CBSC schemes in Section 3. In Section 4, our FCLR-CBSC scheme is demonstrated. The security analysis of our scheme is given in Section 5. Performance analysis and conclusions are given in Sections 6 and 7, respectively.

2 Preliminaries

2.1 Bilinear Pairing Set

Let ${g_{1}, g_{2}, G_{1}, G_{2}, p, \hat{e}}$ be a bilinear pairing set. The reader can refer to Boneh and Franklin (2001) for the parameter selections of the bilinear pairing set. $g_{1}$ and $g_{2}$ are, respectively, generators of the multiplicative groups $G_{1}$ and $G_{2}$ with the same prime order p. The bilinear pairing function $\hat{e} : G_{1} \times G_{1} \to G_{2}$ satisfies three properties as presented below:

–
Bilinear property: $\hat{e} (g_{1}^{x}, g_{1}^{y}) = \hat{e} {(g_{1}, g_{1})}^{x y}$ , for any $x, y \in Z_{p}^{}$ .
–
Non-degenerate property: $\hat{e} (g_{1}, g_{1}) = g_{2} \neq 1$ .
–
Computable property*: $\hat{e} (X, Y)$ can be effectively computed for any $X, Y \in G_{1}$ .

2.2 Security Assumptions

Our proposed FCLR-CBSC scheme is based on two security assumptions as presented below:

–
Strong-collision-resistant hash (SCRH) assumption: Let a hash function $H : {0, 1}^{} \to {0, 1}^{l}$ , l is a large integer, be strong-collision-resistant. Namely, it is difficult to get two different strings $S_{1}, S_{2} \in {0, 1}^{}$ such that $H (S_{1}) = H (S_{2})$ .
–
Discrete logarithm (DL) assumption: In the bilinear pairing set ${g_{1}, g_{2}, G_{1}, G_{2}, p, \hat{e}}$ presented earlier, it is difficult to compute $x \in Z_{p}^{*}$ for given $g_{1}^{x} \in G_{1}$ or $g_{2}^{x} \in G_{2}$ .

2.3 Generic Bilinear Group Model

The generic bilinear group (GBG) model (Boneh et al., 2005) is a security proving technique of cryptographic schemes. This GBG model is combined into the security game of a cryptographic scheme. In the security game played by an adversary and a challenger, the challenger first creates a bilinear pairing set ${g_{1}, g_{2}, G_{1}, G_{2}, p, \hat{e}}$ . When the adversary performs operations in the bilinear pairing set, it must request the associated queries to the challenger that include the multiplicative query $Q_{1}$ of $G_{1}$ , the multiplicative query $Q_{2}$ of $G_{2}$ and the bilinear pairing query $Q_{\hat{e}}$ . Additionally, the challenger sets two injective random mappings to respectively encode every element of $G_{1}$ and $G_{2}$ to a distinct bit string, namely, $ζ_{1} : Z_{p}^{*} \to Ψ G_{1}$ and $ζ_{2} : Z_{p}^{*} \to Ψ G_{2}$ that satisfy $Ψ G_{1} \cap Ψ G_{2} = \emptyset$ and $| Ψ G_{1} | = | Ψ G_{2} | = p$ . The behaviours of three associated queries $Q_{1}$ , $Q_{2}$ and $Q_{\hat{e}}$ , for $x, y \in Z_{p}^{*}$ , are defined as follows:

–
$Q_{1} (ζ_{1} (x), ζ_{1} (y)) \to ζ_{1} (x + y mod p)$ .
–
$Q_{2} (ζ_{2} (x), ζ_{2} (y)) \to ζ_{2} (x + y mod p)$ .
–
$Q_{\hat{e}} (ζ_{1} (x), ζ_{1} (y)) \to ζ_{2} (x \cdot y mod p)$ .
Note that $ζ_{1} (1)$ and $ζ_{2} (1)$ equal $g_{1}$ and $g_{2}$ , respectively. Finally, the adversary would answer the DL problem on $G_{1} / G_{2}$ if it found any collision on $G_{1} / G_{2}$ after finishing the security game.
2.4 Entropy Evaluation of Secret Keys

Later, we will employ the entropy evaluation of secret keys with partial leakage to establish the security theorems of the proposed scheme. Here, we first introduce two previous consequences. In 2008, Dodis et al. (2008) presented a result (Lemma 1 below) about the entropy evaluation of a secret key K under the leakage function $F (K)$ , where $F : K \to {0, 1}^{ω}$ and ω is the leakage bit size. Moreover, Galindo and Virek (2013) discussed the entropy evaluation of multiple secret keys to obtain the other result (Lemma 2 below).

Lemma 1.
Let K be a secret key and $F : K \to {0, 1}^{ω}$ be its associated leakage function, where ω is the leakage bit size. Under the leakage function F, we have ${\tilde{H}}_{\infty} (K | F (K)) ≧ H_{\infty} (K) - ω$ , where $H_{\infty}$ and ${\tilde{H}}_{\infty}$ denote the min-entropy and the average conditional min-entropy, respectively.
Lemma 2.
Let $K_{1}, K_{2}, \dots, K_{n}$ be multiple secret keys participated in a computation formula. Let $M V P \in Z_{p} [K_{1}, K_{2}, \dots, K_{n}]$ denote a multiple-variable polynomial that has the degree d. Assume that ${PD}_{i}$ denotes the probability distribution of $K_{i} {= k}_{i} \leftarrow Z_{p}$ under a leakage function $F_{i}$ with the leakage bit size ω. Thus, we have $H_{\infty} ({PD}_{i}) ≧ log p - ω$ , for $i = 1, 2, \dots, n$ . When all ${PD}_{i}$ are mutually independent, we have $Pr [MVP (K_{1} = k_{1}, K_{2} = k_{2}, \dots, K_{n} = k_{n}) = 0] ≦ (d / p) 2^{ω}$ , which is negligible if $ω < (1 - ε) log p$ , where ε is a positive fraction.

3 Notations, Framework and Adversary Model

An FCLR-CBSC scheme composes of two roles, namely, a trusted certificate authority (CA) and members. A member ${ID}_{m}$ (a sender ${ID}_{s}$ or a receiver ${ID}_{r}$ ) first sets the member’s secret key ${MSK}_{m}$ and first public key ${MPK}_{m}$ , and transmits ( ${ID}_{m}$ , ${MPK}_{m}$ ) to the CA. The CA uses a secret key $CSK$ to compute and return the member’s certificate ${CTF}_{m}$ and second public key ${UPK}_{m}$ to the member ${ID}_{m}$ via a secure channel. By taking as input a message $msg$ and the public key pair $({MPK}_{r}, {UPK}_{r})$ of the receiver ${ID}_{r}$ , the sender ${ID}_{s}$ uses her/his certificate and secret key to compute a ciphertext $CT$ and send ( ${ID}_{s}$ , $CT$ ) to the receiver ${ID}_{r}$ . By taking as input a ciphertext $CT$ and the public key pair ( ${MPK}_{s}, {UPK}_{s}$ ) of the sender ${ID}_{s}$ , the receiver ${ID}_{r}$ returns $msg$ if $CT$ is “Valid”; otherwise returns “Invalid”. The system model of the FCLR-CBSC scheme is depicted in Fig. 1.

Fig. 1

The system model of an FCLR-CBSC scheme.

To achieve fully continuous leakage-resilient property (Kiltz and Pietrzak, 2010; Galindo and Virek, 2013), every secret key or certificate in the system is partitioned into two parts, which must be updated before being participated in each computation round. Assume that the CA’s secret key $CSK$ is initially partitioned into the beginning secret key pair ( ${CSK}_{1, 0}$ , ${CSK}_{2, 0}$ ). Additionally, let the CA’s current secret key pair be ( ${CSK}_{1, i - 1}, {CSK}_{2, i - 1}$ ), which must be updated to $({CSK}_{1, i}, {CSK}_{2, i})$ when it participates in the i-th invocation of the certificate generation algorithm. Note that we have $CSK = {CSK}_{1, 0} \cdot {CSK}_{2, 0} = \dots = {CSK}_{1, i - 1} \cdot {CSK}_{2, i - 1} = {CSK}_{1, i} \cdot {CSK}_{2, i}$ . For the same reason, the member ${ID}_{m}$ ’s secret key ${MSK}_{m}$ and certificate ${CTF}_{m}$ are initially partitioned into the beginning secret key pair ( ${MSK}_{m, 1, 0}$ , ${MSK}_{m, 2, 0}$ ) and the certificate pair ( ${CTF}_{m, 1, 0}$ , ${CTF}_{m, 2, 0}$ ), respectively. Let the member ${ID}_{m}$ ’s current secret key and certificate pairs be, respectively, $({CTF}_{m, 1, j - 1}, {CTF}_{m, 2, j - 1})$ and $({MSK}_{m, 1, j - 1}, {MSK}_{m, 2, j - 1})$ , which must be updated to $({CTF}_{m, 1, j}, {CTF}_{m, 2, j})$ and $({MSK}_{m, 1, j}, {MSK}_{m, 2, j})$ when they participate in the j-th invocation of the signcryption or unsigncryption algorithm. Note that we have ${MSK}_{m} = {MSK}_{m, 1, 0} \cdot {MSK}_{m, 2, 0} = \dots = {MSK}_{m, 1, j - 1} \cdot {MSK}_{m, 2, j - 1} = {MSK}_{m, 1, j} \cdot {MSK}_{m, 2, j}$ and ${CTF}_{m} = {CTF}_{m, 1, 0} \cdot {CTF}_{m, 2, 0} = \dots = {CTF}_{m, 1, j - 1} \cdot {CTF}_{m, 2, j - 1} = {CTF}_{m, 1, j} \cdot {CTF}_{m, 2, j}$ .

In the following, we first present some symbols and notations used in the proposed FCLR-CBSC scheme. Subsequently, a new framework and adversary model of FCLR-CBSC schemes are defined.

3.1 Symbols and Notations

For reference, the symbols and notations used in the proposed scheme are summarized in Table 2.

Table 2
Symbols and notations.

Symbols/notations Meanings

$PPS$ a public parameter set

$CPK$ the CA’s public key

$CSK$ the CA’s secret key

$({CSK}_{1, 0}, {CSK}_{2, 0})$ the CA’s beginning secret key pair

$({CSK}_{1, i}, {CSK}_{2, i})$ the CA’s i-th secret key pair

${ID}_{m}$ the identity of a member (a sender ${ID}_{s}$ or a receiver ${ID}_{r}$ )

$({MPK}_{m}, {UPK}_{m})$ the public key pair of ${ID}_{m}$

${MSK}_{m}$ the certificate of ${ID}_{m}$

$({MSK}_{m, 1, 0}, {MSK}_{m, 2, 0})$ the beginning secret key pair of ${ID}_{m}$

$({MSK}_{m, 1, j}, {MSK}_{m, 2, j})$ the j-th secret key pair of ${ID}_{m}$

${CTF}_{m}$ the certificate of ${ID}_{m}$

$({CTF}_{m, 1, 0}, {CTF}_{m, 2, 0})$ the beginning certificate pair of ${ID}_{m}$

$({CTF}_{m, 1, j}, {CTF}_{m, 2, j})$ the j-th certificate pair of ${ID}_{m}$

$H ()$ a hash function

$SKE () / SKD ()$ symmetric-key encryption/decryption functions

${ID}_{s}$ the identity of a sender (it is also a member)

${ID}_{r}$ the identity of a receiver (it is also a member)

$msg$ a message

$CT$ a ciphertext

Symbols/notations	Meanings
$PPS$	a public parameter set
$CPK$	the CA’s public key
$CSK$	the CA’s secret key
$({CSK}_{1, 0}, {CSK}_{2, 0})$	the CA’s beginning secret key pair
$({CSK}_{1, i}, {CSK}_{2, i})$	the CA’s i-th secret key pair
${ID}_{m}$	the identity of a member (a sender ${ID}_{s}$ or a receiver ${ID}_{r}$ )
$({MPK}_{m}, {UPK}_{m})$	the public key pair of ${ID}_{m}$
${MSK}_{m}$	the certificate of ${ID}_{m}$
$({MSK}_{m, 1, 0}, {MSK}_{m, 2, 0})$	the beginning secret key pair of ${ID}_{m}$
$({MSK}_{m, 1, j}, {MSK}_{m, 2, j})$	the j-th secret key pair of ${ID}_{m}$
${CTF}_{m}$	the certificate of ${ID}_{m}$
$({CTF}_{m, 1, 0}, {CTF}_{m, 2, 0})$	the beginning certificate pair of ${ID}_{m}$
$({CTF}_{m, 1, j}, {CTF}_{m, 2, j})$	the j-th certificate pair of ${ID}_{m}$
$H ()$	a hash function
$SKE () / SKD ()$	symmetric-key encryption/decryption functions
${ID}_{s}$	the identity of a sender (it is also a member)
${ID}_{r}$	the identity of a receiver (it is also a member)
$msg$	a message
$CT$	a ciphertext

3.2 Framework

Based on the frameworks of both the LR-CBS (Wu et al., 2019) and the LR-CBE (Wu et al., 2020a) schemes, a new framework of FCLR-CBSC schemes is defined as follows.

Definition 1.
An FCLR-CBSC scheme comprises five algorithms as presented below: –
Initialization: The CA runs this algorithm to compute the CA’s secret key $CSK$ and system public key $CPK$ while generating and publishing a public parameter set $PPS$ . Additionally, the CA also partitions $CSK$ to set the beginning secret key pair $({CSK}_{1, 0}, {CSK}_{2, 0})$ .
–
Member secret key generation: A member ${ID}_{m}$ (a sender ${ID}_{s}$ or a receiver ${ID}_{r}$ ) runs this algorithm to compute her/his secret key ${MSK}_{m}$ and first public key ${MPK}_{m}$ . Additionally, the member ${ID}_{m}$ partitions ${MSK}_{m}$ to set the beginning secret key pair ( ${MSK}_{m, 1, 0}, {MSK}_{m, 2, 0}$ ). Finally, the member ${ID}_{m}$ sends ( ${ID}_{m}, {MPK}_{m}$ ) to the CA.
–
Certificate generation: Assume that the CA’s current secret key pair is ( ${CSK}_{1, i - 1}, {CSK}_{2, i - 1}$ ). The CA first obtains a new current secret key pair ( ${CSK}_{1, i}, {CSK}_{2, i}$ ) by updating ( ${CSK}_{1, i - 1}, {CSK}_{2, i - 1}$ ). Upon receiving ( ${ID}_{m}$ , ${MPK}_{m}$ ) from the member ${ID}_{m}$ , the CA creates and returns the certificate ${CTF}_{m}$ and second public key ${UPK}_{m}$ to the member ${ID}_{m}$ . Upon receiving ( ${CTF}_{m}$ , ${UPK}_{m}$ ), the member ${ID}_{m}$ sets her/his beginning certificate pair ( ${CTF}_{m, 1, 0}$ , ${CTF}_{m, 2, 0}$ ) and public key pair ( ${MPK}_{m}$ , ${UPK}_{m}$ ).
–
Signcryption: Assume that the sender ${ID}_{s}$ ’s current certificate and secret key pairs are, respectively, ( ${CTF}_{s, 1, j - 1}$ , ${CTF}_{s, 2, j - 1}$ ) and ( ${MSK}_{s, 1, j - 1}$ , ${MSK}_{s, 2, j - 1}$ ). The sender ${ID}_{s}$ first obtains a new current certificate pair ( ${CTF}_{s, 1, j}$ , ${CTF}_{s, 2, j}$ ) and secret key pair ( ${MSK}_{s, 1, j}$ , ${MSK}_{s, 2, j}$ ) by updating ( ${CTF}_{s, 1, j - 1}$ , ${CTF}_{s, 2, j - 1}$ ) and ( ${MSK}_{s, 1, j - 1}$ , ${MSK}_{s, 2, j - 1}$ ), respectively. By taking as input a message $msg$ and the public key pair ( ${MPK}_{r}, {UPK}_{r}$ ) of the receiver ${ID}_{r}$ , the sender ${ID}_{s}$ runs this algorithm to return a ciphertext $CT$ .
–
Unsigncryption: Assume that the receiver ${ID}_{r}$ ’s current certificate and secret key pairs are, respectively, ( ${CTF}_{r, 1, k - 1}$ , ${CTF}_{r, 2, k - 1}$ ) and ( ${MSK}_{r, 1, k - 1}$ , ${MSK}_{r, 2, k - 1}$ ). The receiver ${ID}_{r}$ first obtains a new current certificate pair ( ${CTF}_{r, 1, k}$ , ${CTF}_{r, 2, k}$ ) and secret key pair ( ${MSK}_{r, 1, k}$ , ${MSK}_{r, 2, k}$ ) by updating ( ${CTF}_{r, 1, k - 1}$ , ${CTF}_{r, 2, k - 1}$ ) and ( ${MSK}_{r, 1, k - 1}$ , ${MSK}_{r, 2, k - 1}$ ), respectively. By taking as input a ciphertext $CT$ and the public key pair ( ${MPK}_{s}, {UPK}_{s}$ ) of the sender ${ID}_{s}$ , the receiver ${ID}_{r}$ returns $msg$ if $CT$ is “Valid”; otherwise returns “Invalid”.

3.3 Adversary Model

Here, six continuous leakage functions $f_{CA, i}$ , $h_{CA, i}$ , $f_{SC, j}$ , $h_{SC, j}$ , $f_{US, k}$ and $h_{US, k}$ are used to simulate the leakage abilities of adversaries. In the i-th invocation of the Certificate generation algorithm, an adversary could obtain partial bits of the CA’s current secret key pair ( ${CSK}_{1, i}, {CSK}_{2, i}$ ) by $f_{CA, i}$ and $h_{CA, i}$ . In the j-th invocation of the Signcryption algorithm, an adversary could obtain partial bits of the sender ${ID}_{s}$ ’s current certificate pair ( ${CTF}_{s, 1, j}$ , ${CTF}_{s, 2, j}$ ) and secret key pair ( ${MSK}_{s, 1, j}$ , ${MSK}_{s, 2, j}$ ) by $f_{SC, j}$ and $h_{SC, j}$ . In the k-th invocation of the Unsigncryption algorithm, an adversary could obtain partial bits of the receiver ${ID}_{r}$ ’s current certificate pair ( ${CTF}_{r, 1, k}$ , ${CTF}_{r, 2, k}$ ) and secret key pair ( ${MSK}_{r, 1, k}$ , ${MSK}_{r, 2, k}$ ) by $f_{US, k}$ and $h_{US, k}$ . Let ω be the maximal leakage bit length for each leakage function. Let $Δ f_{CA, i}$ , $Δ h_{CA, i}$ , $Δ f_{SC, j}$ , $Δ h_{SC, j}$ , $Δ f_{US, k}$ and $Δ h_{US, k}$ , respectively, denote their outputs of the six leakage functions. Therefore, we have $| Δ f_{CA, i} |$ , $| Δ h_{CA, i} |$ , $| Δ f_{SC, j} |$ , $| Δ h_{SC, j} |$ , $| Δ f_{US, k} |$ , $| Δ h_{US, k} | ≦ ω$ and their inputs/outputs are presented as follows:

–
$Δ f_{CA, i} = f_{CA, i} ({CSK}_{1, i})$ .
–
$Δ h_{CA, i} = h_{CA, i} ({CSK}_{2, i})$ .
–
$Δ f_{SC, j} = f_{SC, j} ({CTF}_{s, 1, j}, {MSK}_{s, 1, j})$ .
–
$Δ h_{SC, j} = h_{SC, j} ({CTF}_{s, 2, j}, {MSK}_{s, 2, j})$ .
–
$Δ f_{US, k} = f_{US, k} ({CTF}_{r, 1, k}, {MSK}_{r, 1, k})$ .
–
$Δ h_{US, k} = h_{US, k} ({CTF}_{r, 2, k}, {MSK}_{r, 2, k})$ .
Based on the adversary models of both the LR-CBS (Wu et al., 2019) and the LR-CBE (Wu et al., 2020a) schemes, we define a new adversary model of FCLR-CBSC schemes. In the new adversary model, there are two types of adversaries ( $A_{I}$ and $A_{II}$ ) as presented below: –
$A_{I}$ : $A_{I}$ simulates an “uncertified member” who can set any member ${ID}_{m}$ ’s secret key ${MSK}_{m}$ and first public key ${MPK}_{m}$ , but can obtain neither ${ID}_{m}$ ’s certificate ${CTF}_{m}$ nor second public key ${UPK}_{m}$ . Indeed, $A_{I}$ can get partial bits of the CA’s current secret key pair ( ${CSK}_{1, i}$ , ${CSK}_{2, i}$ ) in the i-th invocation of the Certificate generation algorithm. Also, $A_{I}$ could obtain partial bits of the sender ${ID}_{s}$ ’s current certificate pair ( ${CTF}_{s, 1, j}$ , ${CTF}_{s, 2, j}$ ) in the j-th invocation of the Signcryption algorithm. In the k-th invocation of the Unsigncryption algorithm, $A_{I}$ could obtain partial bits of the receiver ${ID}_{r}$ ’s current certificate pair $({CTF}_{r, 1, k}, {CTF}_{r, 2, k})$ .
–
$A_{II}$ : $A_{II}$ simulates an “honest-but-curious CA” who has the CA’s secret key $CSK$ and produces any member ${ID}_{m}$ ’s certificate ${CTF}_{m}$ and second public key ${UPK}_{m}$ , but $A_{II}$ can obtain neither the member ${ID}_{m}$ ’s secret key ${MSK}_{m}$ nor first public key ${MPK}_{m}$ . Also, $A_{II}$ could obtain partial bits of the sender ${ID}_{s}$ ’s current secret key pair $({MSK}_{s, 1, j}, {MSK}_{s, 2, j})$ in the j-th invocation of the Signcryption algorithm. In the k-th invocation of the Unsigncryption algorithm, $A_{II}$ could obtain partial bits of the receiver ${ID}_{r}$ ’s current secret key pair ( ${MSK}_{r, 1, k}$ , ${MSK}_{r, 2, k}$ ).
An FCLR-CBSC scheme must possess two security properties, namely, authentication of signing process and confidentiality of encrypting process, that are modelled by two security games as defined below. Definition 2 ( $G_{auth}$ ).

The authentication property is modelled by the security game $G_{auth}$ that is played by an adversary A ( $A_{I}$ or $A_{II}$ ) and a challenger B. We say that an FCLR-CBSC scheme has existential unforgeability against both continuous leakage and adaptive chosen-message attacks (EXUF-CLRACMA) if no probabilistic polynomial time (PPT) adversary A has a non-negligible advantage to win the following game $G_{auth}$ .

–
Setup. The challenger B runs the Initialization algorithm in Definition 1 to get the CA’s secret key $CSK$ and public key $CPK$ while generating and publishing a public parameter set $PPS$ . Also, B partitions $CSK$ to set the beginning secret key pair ( ${CSK}_{1, 0}$ , ${CSK}_{2, 0}$ ). Additionally, if A is of type $A_{II}$ , B sends $CSK$ to $A_{II}$ .
–
Queries. A may adaptively request the following queries to B at most η times.
•
Member key generation query ( ${ID}_{m}$ ): B produces and returns the member ${ID}_{m}$ ’s secret key ${MSK}_{m}$ and first public key ${MPK}_{m}$ .
•
Member secret key query ( ${ID}_{m}$ ): B returns the member ${ID}_{m}$ ’s secret key ${MSK}_{m}$ .
•
Certificate generation query ( ${ID}_{m}$ , ${MPK}_{m}$ ): B returns the member ${ID}_{m}$ ’s certificate ${CTF}_{m}$ and second public key ${UPK}_{m}$ .
•
Certificate generation leak query (i, $f_{CA, i}$ , $h_{CA, i}$ ): A may request this query only once. B returns $Δ f_{CA, i} = f_{CA, i} ({CSK}_{1, i})$ and $Δ h_{CA, i} = h_{CA, i} ({CSK}_{2, i})$ .
•
Public key retrieve query ( ${ID}_{m}$ ): B returns the member ${ID}_{m}$ ’s public key pair ( ${MPK}_{m}$ , ${UPK}_{m}$ ).
•
Public key replace query ( ${ID}_{m}$ , ( ${MPK}_{m}^{'}$ , ${UPK}_{m}^{'}$ )): B records the replacement.
•
Signcryption query ( $msg$ , ${ID}_{s}$ , ${ID}_{r}$ ): The sender ${ID}_{s}$ first obtains a new current certificate pair ( ${CTF}_{s, 1, j}$ , ${CTF}_{s, 2, j}$ ) and secret key pair ( ${MSK}_{s, 1, j}$ , ${MSK}_{s, 2, j}$ ) by updating ( ${CTF}_{s, 1, j - 1}$ , ${CTF}_{s, 2, j - 1}$ ) and ( ${MSK}_{s, 1, j - 1}$ , ${MSK}_{s, 2, j - 1}$ ), respectively. B returns a ciphertext $CT$ .
•
Signcryption leak query ( ${ID}_{s}$ , j, $f_{SC, j}$ , $h_{SC, j}$ ): A may request this query only once. B returns $Δ f_{SC, j} = f_{SC, j} ({CTF}_{s, 1, j}, {MSK}_{s, 1, j})$ and $Δ h_{SC, j} = h_{SC, j} ({CTF}_{s, 2, j}, {MSK}_{s, 2, j})$ .
•
Unsigncryption query ( $CT$ , ${ID}_{r}$ ): The receiver ${ID}_{r}$ first obtains a new current certificate pair ( ${CTF}_{r, 1, k}$ , ${CTF}_{r, 2, k}$ ) and secret key pair ( ${MSK}_{r, 1, k}$ , ${MSK}_{r, 2, k}$ ) by updating ( ${CTF}_{r, 1, k - 1}$ , ${CTF}_{r, 2, k - 1}$ ) and ( ${MSK}_{r, 1, k - 1}$ , ${MSK}_{r, 2, k - 1}$ ), respectively. B returns the message $msg$ .
•
Unsigncryption leak query ( ${ID}_{r}$ , k, $f_{US, k}$ , $h_{US, k}$ ): A may request this query only once. B returns $Δ f_{US, k} = f_{US, k} ({CTF}_{r, 1, k}, {MSK}_{r, 1, k})$ and $Δ h_{US, k} = h_{US, k} ({CTF}_{r, 2, k}, {MSK}_{r, 2, k})$ .
–
Forgery. A creates a tuple ( ${msg}^{'}$ , ${CT}^{'} = (σ^{'}, C^{'}, U^{'}, {ID}_{s}^{'}$ , ${ID}_{r}^{'}$ )). It is said that A wins $G_{auth}$ if the following four conditions hold.
(1)
For $({msg}^{'}, {CT}^{'} = (σ^{'}, C^{'}, U^{'}, {ID}_{s}^{'}, {ID}_{r}^{'}))$ , the Unsigncryption algorithm returns “Valid”.
(2)
The Signcryption query $({msg}^{'}, {ID}_{s}^{'}, {ID}_{r}^{'})$ has never been requested.
(3)
If A is of type $A_{I}$ , the Certificate generation query $({ID}_{s}^{'}, {MPK}_{s}^{'})$ has never been requested.
(4)
If A is of type $A_{II}$ , neither the Member secret key query ( ${ID}_{s}^{'}$ ), nor the Public key replace query $({ID}_{s}^{'}, ({MPK}_{s}^{'}, {UPK}_{s}^{'}))$ have never been requested.

Definition 3 ( $G_{conf}$ ).

The confidentiality property is modelled by the security game $G_{conf}$ that is played by an adversary A ( $A_{I}$ or $A_{II}$ ) and a challenger B. We say that an FCLR-CBSC scheme has indistinguishability of encryptions against both continuous leakage and chosen-ciphertext attacks (INDEN-CLCCA) if no PPT adversary A has a non-negligible advantage to win the following game $G_{conf}$ .

–
Setup. It is identical to the Setup in Definition 2.
–
Queries. It is identical to the Queries in Definition 2.
–
Challenge. A sends a receiver’s identity ${ID}_{r}^{'}$ and a message pair ( ${msg}_{0}^{'}$ , ${msg}_{1}^{'}$ ) to B. Then B randomly chooses a bit $b^{'} \in {0, 1}$ and runs the Signcryption algorithm with ( ${msg}_{b}^{'}$ , ${ID}_{s}$ , ${ID}_{r}^{'}$ ) to create and return a ciphertext $CT = (σ, C, U, {ID}_{s}, {ID}_{r}^{'})$ to A. Additionally, the following two conditions must hold.
(1)
If A is of type $A_{I}$ , the Certificate generation query ( ${ID}_{r}^{'}$ , ${MPK}_{r}^{'}$ ) has never been requested.
(2)
If A is of type $A_{II}$ , neither the Member secret key query ( ${ID}_{r}^{'}$ ), nor the Public key replace query ( ${ID}_{r}^{'}$ , ( ${MPK}_{r}^{'}$ , ${UPK}_{r}^{'}$ )) have been requested.
–
Guess. A returns a bit $b \in {0, 1}$ . If $b = b^{'}$ , we say that A wins $G_{conf}$ and its advantage is defined as ${Adv}_{A} = | Pr [b = b^{'}] - 1 / 2 |$ .

4 The Proposed FCLR-CBSC Scheme

By the framework defined in Section 3, a fully continuous leakage-resilient certificate-based signcryption (FCLR-CBSC) scheme is proposed below that comprises five algorithms.

–
Initialization: The CA first create a bilinear pairing set ${g_{1}, g_{2}, G_{1}, G_{2}, p, \hat{e}}$ described in Section 2. By running the following procedure, the CA computes her/his secret key $CSK$ and public key $CPK$ while generating and publishing a public parameter set $PPS$ .
(1)
Choose a random value $s \in Z_{p}^{}$ , and compute the CA’s secret key $CSK = g_{1}^{s}$ and public key $CPK = \hat{e} (CSK, g_{1})$ .
(2)
Choose a random value $t \in Z_{p}^{}$ , and set the CA’s beginning secret key pair $({CSK}_{1, 0}, {CSK}_{2, 0}) = (CSK \cdot g_{1}^{- t}, g_{1}^{t})$ , where $CSK = {CSK}_{1, 0} \cdot {CSK}_{2, 0}$ and the public key $CPK$ is kept unchanged.
(3)
Choose four random values $w, x, y, z \in Z_{p}^{}$ , and compute $W = g_{1}^{w}$ , $X = g_{1}^{x}$ , $Y = g_{1}^{y}$ and $Z = g_{1}^{z}$ .
(4)
Pick symmetric-key encryption and decryption functions, denoted by $SKE$ and $SKD$ .
(5)
Pick a hash function H: ${0, 1}^{} \times G_{1} \to {0, 1}^{l}$ , where l is a large integer.
(6)
Publish $PPS = {g_{1}, g_{2}, G_{1}, G_{2}, p, \hat{e}, CPK, W, X, Y, Z, SKE, SKD, H}$ .
–
Member secret key generation: A member ${ID}_{m}$ (a sender ${ID}_{s}$ or a receiver ${ID}_{r}$ ) first chooses a random value $a \in Z_{p}^{}$ , and computes the member’s secret key ${MSK}_{m} = g_{1}^{a}$ and first public key ${MPK}_{m} = \hat{e} ({MSK}_{m}, g_{1})$ . The member chooses a random value $b \in Z_{p}^{}$ and computes the member ${ID}_{m}$ ’s beginning secret key pair $({MSK}_{m, 1, 0}, {MSK}_{m, 2, 0}) = ({MSK}_{m} \cdot g_{1}^{- b}, g_{1}^{b})$ , where ${MSK}_{m} = {MSK}_{m, 1, 0} \cdot {MSK}_{m, 2, 0}$ . Meanwhile, the member ${ID}_{m}$ sends ( ${ID}_{m}$ , ${MPK}_{m}$ ) to the CA.
–
Certificate generation: Assume that the CA’s current secret key pair is $({CSK}_{1, i - 1}, {CSK}_{2, i - 1})$ . Upon receiving $({ID}_{m}, {MPK}_{m})$ from the member ${ID}_{m}$ , the CA runs the following procedure. (1)
Choose a random value $u \in Z_{p}^{}$ , and update the CA’s current secret key pair as $({CSK}_{1, i}, {CSK}_{2, i}) = ({CSK}_{1, i - 1} \cdot g_{1}^{- u}, {CSK}_{2, i - 1} \cdot g_{1}^{u})$ , where $CSK = {CSK}_{1, i} \cdot {CSK}_{2, i} = {CSK}_{1, i - 1} \cdot {CSK}_{2, i - 1}$ and the public key $CPK$ is kept unchanged.
(2)
Choose a random value $v \in Z_{p}^{}$ , compute the member ${ID}_{m}$ ’s second public key ${UPK}_{m} = g_{1}^{v}$ and set the member ${ID}_{m}$ ’s public key pair ( ${MPK}_{m}$ , ${UPK}_{m}$ ).
(3)
Set $α = {ID}_{m} | | {MPK}_{m} | | {UPK}_{m}$ , and compute a temporary value ${TV}_{m} = {CSK}_{1, i} \cdot {(W \cdot X^{α})}^{v}$ and the member ${ID}_{m}$ ’s certificate ${CTF}_{m} = {CSK}_{2, i} \cdot {TV}_{m}$ .
(4)
Return ${CTF}_{m}$ to the member ${ID}_{m}$ via a secure channel.
Upon receiving ${CTF}_{m}$ , the member ${ID}_{m}$ chooses a random value $c \in Z_{p}^{}$ and sets her/his beginning certificate pair $({CTF}_{m, 1, 0}, {CTF}_{m, 2, 0}) = ({CTF}_{m} \cdot g_{1}^{- c}, g_{1}^{c})$ .
–
Signcryption: Assume that the sender ${ID}_{s}$ ’s current certificate and secret key pairs are, respectively, ( ${CTF}_{s, 1, j - 1}$ , ${CTF}_{s, 2, j - 1}$ ) and ( ${MSK}_{s, 1, j - 1}$ , ${MSK}_{s, 2, j - 1}$ ). The sender ${ID}_{s}$ would like to signcrypt a message $msg$ to the receiver ${ID}_{r}$ with public key pair ( ${MPK}_{r}$ , ${UPK}_{r}$ ) by running the following procedure.
(1)
Choose a random value $d \in Z_{p}^{}$ , and update the two pairs above as $({CTF}_{s, 1, j}, {CTF}_{s, 2, j}) = ({CTF}_{s, 1, j - 1} \cdot g_{1}^{d}, {CTF}_{s, 2, j - 1} \cdot g_{1}^{- d})$ and $({MSK}_{s, 1, j}, {MSK}_{s, 2, j}) = ({MSK}_{s, 1, j - 1} \cdot g_{1}^{d}, {MSK}_{s, 2, j - 1} \cdot g_{1}^{- d})$ , where ${CTF}_{s} = {CTF}_{s, 1, j} \cdot {CTF}_{s, 2, j} = {CTF}_{s, 1, j - 1} \cdot {CTF}_{s, 2, j - 1}$ and ${MSK}_{s} = {MSK}_{s, 1, j} \cdot {MSK}_{s, 2, j} = {MSK}_{s, 1, j - 1} \cdot {MSK}_{s, 2, j - 1}$ . Note that the member ${ID}_{s}$ ’s public key pair ( ${MPK}_{s}, {UPK}_{s}$ ) is kept unchanged.
(2)
Set $α = {ID}_{r} | | {MPK}_{r} | | {UPK}_{r}$ , select a random value $β \in Z_{p}^{}$ , and compute $U = g_{1}^{β}, K_{1} = {({MPK}_{r})}^{β}$ and $K_{2} = {(CPK \cdot \hat{e} ({UPK}_{r}, W \cdot X^{α}))}^{β}$ .
(3)
Set an encryption key $K = K_{1} \oplus K_{2}$ , and compute $C = {SKE}_{K} (msg)$ and $δ = H (msg, C, U, {ID}_{s}, {ID}_{r})$ .
(4)
Compute a temporary value ${TV}_{S} = {CTF}_{s, 1, j} \cdot {MSK}_{s, 1, j} \cdot {(Y \cdot Z^{δ})}^{β}$ .
(5)
Compute a signature $σ = {CTF}_{s, 2, j} \cdot {MSK}_{s, 2, j} \cdot {TV}_{S}$ .
(6)
Produce a ciphertext $CT = (σ, C, U, {ID}_{s}, {ID}_{r})$ .
–
Unsigncryption: Assume that the receiver ${ID}_{r}$ ’s current certificate and secret key pairs are, respectively, ( ${CTF}_{r, 1, k - 1}$ , ${CTF}_{r, 2, k - 1}$ ) and ( ${MSK}_{r, 1, k - 1}$ , ${MSK}_{r, 2, k - 1}$ ). Given $CT = (σ, C, U, {ID}_{s}, {ID}_{r})$ , the receiver ${ID}_{r}$ unsigncrypts $CT$ to obtain the message $msg$ and verify the signature σ by running the following procedure. (1)
Choose a random value $f \in Z_{p}^{}$ , and update the two pairs above as $({CTF}_{r, 1, k}, {CTF}_{r, 2, k}) = ({CTF}_{r, 1, k - 1} \cdot g_{1}^{f}, {CTF}_{r, 2, k - 1} \cdot g_{1}^{- f})$ and $({MSK}_{r, 1, k}, {MSK}_{r, 2, k}) = ({MSK}_{r, 1, k - 1} \cdot g_{1}^{f}, {MSK}_{r, 2, k - 1} \cdot g_{1}^{- f})$ , where ${CTF}_{r} = {CTF}_{r, 1, k} \cdot {CTF}_{r, 2, k} = {CTF}_{r, 1, k - 1} \cdot {CTF}_{r, 2, k - 1}$ and ${MSK}_{r} = {MSK}_{r, 1, k} \cdot {MSK}_{r, 2, k} = {MSK}_{r, 1, k - 1} \cdot {MSK}_{r, 2, k - 1}$ . Note that the member ${ID}_{r}$ ’s public key pair ( ${MPK}_{r}, {UPK}_{r}$ ) is kept unchanged.
(2)
Compute two temporary values ${TV}_{K 1} = \hat{e} (U, {MSK}_{r, 1, k})$ and ${TV}_{K 2} = \hat{e} (U, {CTF}_{r, 1, k})$ .
(3)
Compute $K_{1}^{'} = {TV}_{K 1} \cdot \hat{e} (U, {MSK}_{r, 2, k})$ and $K_{2}^{'} = {TV}_{K 2} \cdot \hat{e} (U, {CTF}_{r, 2, k})$ .
(4)
Set $K^{'} = K_{1}^{'} \oplus K_{2}^{'}$ , and decrypt the message $m s g = S K D_{K}^{'} (C)$ .
(5)
Compute $δ = H (msg, C, U, {ID}_{s}, {ID}_{r})$ , and set $α = {ID}_{r} | |$ ${MPK}_{r}$ $| | {UPK}_{r}$ .
(6)
Verify the equality $\hat{e} (g_{1}, σ) = CPK \cdot {MPK}_{s} \cdot \hat{e} ({UPK}_{s}, W \cdot X^{α}) \cdot \hat{e} (U, Y \cdot Z^{δ})$ . If the equality holds, return $msg$ and “Valid”; otherwise return “Invalid”.
We can arrive at $K^{'} = K_{1}^{'} \oplus K_{2}^{'} = K_{1} \oplus K_{2} = K$ and $\hat{e} (g_{1}, σ) = CPK \cdot {MPK}_{s} \cdot \hat{e} ({UPK}_{s}, W \cdot X^{α}) \cdot \hat{e} (U, Y \cdot Z^{δ})$ by the following equalities.
(1)
$K_{1}^{'} = {TV}_{K 1} \cdot \hat{e} (U, {MSK}_{r, 2, k}) = \hat{e} (U, {MSK}_{r, 1, k}) \cdot \hat{e} (U, {MSK}_{r, 2, k}) = \hat{e} (U, {MSK}_{r, 1, k} \cdot {MSK}_{r, 2, k}) = \hat{e} (U, {MSK}_{r}) = \hat{e} (g_{1}^{β}, {MSK}_{r}) = \hat{e} {({MSK}_{r}, g_{1})}^{β} = {({MPK}_{r})}^{β} = K_{1}$ .
(2)
$K_{2}^{'} = {TV}_{K 2} \cdot \hat{e} (U, {CTF}_{r, 2, k}) = \hat{e} (U, {CTF}_{r, 1, k}) \cdot \hat{e} (U, {CTF}_{r, 2, k}) = \hat{e} (U, {CTF}_{r, 1, k} \cdot {CTF}_{r, 2, k}) = \hat{e} (U, {CTF}_{r}) = \hat{e} (g_{1}^{β}, CSK \cdot {(W \cdot X^{α})}^{v}) = \hat{e} {(g_{1}, CSK \cdot {(W \cdot X^{α})}^{v})}^{β} = \hat{e} (g_{1}, CSK) \cdot \hat{e} {(g_{1}, {(W \cdot X^{α})}^{v})}^{β} = (CPK \cdot \hat{e} {(g_{1}^{v}, (W \cdot X^{α}))}^{β} = {(CPK \cdot \hat{e} ({UPK}_{r}, W \cdot X^{α}))}^{β} = K_{2}$ .
(3)
$\hat{e} (g_{1}, σ) = \hat{e} (g_{1}, {CTF}_{s, 2, j} \cdot {MSK}_{s, 2, j} \cdot {TV}_{S}) = \hat{e} (g_{1}, {CTF}_{s, 2, j} \cdot {MSK}_{s, 2, j} \cdot {CTF}_{s, 1, j} \cdot {MSK}_{s, 1, j} \cdot {(Y \cdot Z^{δ})}^{β}) = \hat{e} (g_{1}, {CTF}_{s, 1, j} \cdot {CTF}_{s, 2, j} \cdot {MSK}_{s, 1, j} \cdot {MSK}_{s, 2, j} \cdot {(Y \cdot Z^{δ})}^{β}) = \hat{e} (g_{1}, {CTF}_{s} \cdot {MSK}_{s} \cdot {(Y \cdot Z^{δ})}^{β}) = \hat{e} (g_{1}, CSK \cdot {(W \cdot X^{α})}^{v} \cdot {MSK}_{s} \cdot {(Y \cdot Z^{δ})}^{β}) = \hat{e} (g_{1}, CSK) \cdot \hat{e} (g_{1}, {(W \cdot X^{α})}^{v}) \cdot \hat{e} (g_{1}, {MSK}_{s}) \cdot \hat{e} (g_{1}, {(Y \cdot Z^{δ})}^{β}) = CPK \cdot \hat{e} (g_{1}^{v}, (W \cdot X^{α})) \cdot {MPK}_{s} \cdot \hat{e} (g_{1}^{β}, (Y \cdot Z^{δ})) = CPK \cdot {MPK}_{s} \cdot \hat{e} ({UPK}_{s}, W \cdot X^{α}) \cdot \hat{e} (U, Y \cdot Z^{δ})$ .

5 Security Analysis

An FCLR-CBSC scheme must possess two security properties, namely, authentication of signing process and confidentiality of encrypting process, that are modelled by two security games $G_{auth}$ and $G_{conf}$ defined in Section 3.3. Both games are played by an adversary A ( $A_{I}$ or $A_{II}$ ) and a challenger B. Theorems 1 and 2 below show that our FCLR-CBSC scheme is EXUF-CLRACMA-secure against $A_{I}$ and $A_{II}$ in $G_{auth}$ , respectively. Also, Theorems 3 and 4 show that the FCLR-CBSC scheme is INDEN-CLCCA-secure against $A_{I}$ and $A_{II}$ in $G_{conf}$ , respectively.

Theorem 1.
Under the SCRH and DL assumptions in the GBG model, our FCLR-CBSC scheme is EXUF-CLRACMA-secure against $A_{I}$ in $G_{auth}$ .
Proof.
$A_{I}$ and B play $G_{auth}$ that comprises three phases as presented below. –
Setup. B runs the Initialization algorithm of the FCLR-CBSC scheme to create the CA’s secret key $CSK$ and public key $CPK$ while setting the public parameter set $PPS = {g_{1}, g_{2}, G_{1}, G_{2}, p, \hat{e}, CPK, W, X, Y, Z, SKE, SKD, H}$ . B also establishes six lists $L_{1}$ , $L_{2}$ , $L_{MS}$ , $L_{MC}$ , $L_{SC}$ and $L_{H}$ as defined below. •
$L_{1}$ is used to record all elements ( $Θ G_{1, a, b, c}$ , $Ψ G_{1, a, b, c}$ ) of $G_{1}$ , where $Θ G_{1, a, b, c}$ and $Ψ G_{1, a, b, c}$ denote a multivariate polynomial and its associated bit string, respectively. The indices a, b, c mean the query-type a, b-th query and c-th element, respectively. Initially, six elements ( $Θ g_{1}$ , $Ψ G_{1, s, 0, 1}$ ), ( $Θ CSK$ , $Ψ G_{1, s, 0, 2}$ ), ( $Θ W$ , $Ψ G_{1, s, 0, 3}$ ), ( $Θ X$ , $Ψ G_{1, s, 0, 4}$ ), ( $Θ Y$ , $Ψ G_{1, s, 0, 5}$ ) and ( $Θ Z$ , $Ψ G_{1, s, 0, 6}$ ) are put in $L_{1}$ .
•
$L_{2}$ is used to record all elements ( $Θ G_{2, a, b, c}$ , $Ψ G_{2, a, b, c}$ ) of $G_{2}$ , where $Θ G_{2, a, b, c}$ and $Ψ G_{2, a, b, c}$ denote a multivariate polynomial and the associated bit string, respectively. The indices a, b, c have the identical meanings as in $L_{1}$ . Initially, two elements ( $Θ g_{2}$ , $Ψ G_{2, s, 0, 1}$ ) and ( $Θ CPK$ , $Ψ G_{2, s, 0, 2}$ ) are put in $L_{2}$ .
Note that $A_{I}$ can apply the following two rules to make converting between a bit string $Ψ G_{1, a, b, c} / Ψ G_{2, a, b, c}$ and a multivariate polynomial $Θ G_{1, a, b, c} / Θ G_{2, a, b, c}$ . (1)
Converting-1 ( $Θ G_{1, a, b, c} / Θ G_{2, a, b, c}$ ): B returns $Ψ G_{1, a, b, c} / Ψ G_{2, a, b, c}$ if $Θ G_{1, a, b, c} / Θ G_{2, a, b, c}$ is found in $L_{1} / L_{2}$ . Otherwise, B chooses a distinct bit string $Ψ G_{1, a, b, c} / Ψ G_{2, a, b, c}$ and puts $(Θ G_{1, a, b, c}, Ψ G_{1, a, b, c}) / (Θ G_{2, a, b, c}, Ψ G_{2, a, b, c})$ in $L_{1} / L_{2}$ .
(2)
Converting-2 ( $Ψ G_{1, a, b, c} / Ψ G_{2, a, b, c}$ ): B returns $Θ G_{1, a, b, c} / Θ G_{2, a, b, c}$ if $Ψ G_{1, a, b, c} / Ψ G_{2, a, b, c}$ is found in $L_{1} / L_{2}$ . Otherwise, B terminates the game.

•
$L_{MS}$ is used to record a member ${ID}_{m}$ ’s secret key ${MSK}_{m}$ and her/his first public key ${MPK}_{m}$ by ( ${ID}_{m}$ , $Θ {MSK}_{m}$ , $Θ {MPK}_{m}$ , replace), for $m = 1, \dots, n$ . Initially, B sets $replace = 0$ to indicate that the member’s public key has never been replaced by the adversary.
•
$L_{MC}$ is used to record a member ${ID}_{m}$ ’s certificate ${CTF}_{m}$ and her/his second public key ${UPK}_{m}$ by ( ${ID}_{m}$ , $Θ {CTF}_{m}$ , $Θ {UPK}_{m}$ , replace), for $m = 1, \dots, n$ . Also, B sets $replace = 0$ .
•
$L_{SC}$ is used to record the content of running the Signcryption algorithm by $({ID}_{s}, {ID}_{r}, msg, Θ U, Θ K_{1}, Θ K_{2}, Θ σ, C, Θ δ)$ .
•
$L_{H}$ is used to record the input/output of the hash function H by $(msg | | C | | Ψ U | | {ID}_{s} | | {ID}_{r}, Ψ δ)$ .
–
Query: $A_{I}$ may issue the following queries to B at most η times.
•
$Q_{1}$ query $(Ψ G_{1, q, k, r}, Ψ G_{1, q, k, s}, ORER)$ : For the k-th $Q_{1}$ , B runs the following procedure.
(1)
Convert ( $Ψ G_{1, q, k, r}$ , $Ψ G_{1, q, k, s}$ ) to ( $Θ G_{1, q, k, r}$ , $Θ G_{1, q, k, s}$ ) in $L_{1}$ .
(2)
Set $Θ G_{1, q, k, t} = Θ G_{1, q, k, r} + Θ G_{1, q, k, s}$ if ORER = “×”, and $Θ G_{1, q, k, t} = Θ G_{1, q, k, r} - Θ G_{1, q, k, s}$ if ORER = “/”.
(3)
Convert $Θ G_{1, q, k, t}$ in $L_{1}$ to return $Ψ G_{1, q, k, t}$ .
•
$Q_{2}$ query ( $Ψ G_{2, q, k, r}$ , $Ψ G_{2, q, k, s}$ , $ORER$ ): For the k-th $Q_{2}$ , B runs the following procedure.
(1)
Convert ( $Ψ G_{2, q, k, r}$ , $Ψ G_{2, q, k, s}$ ) to ( $Θ G_{2, q, k, r}$ , $Θ G_{2, q, k, s}$ ) in $L_{2}$ .
(2)
Set $Θ G_{2, q, k, t} = Θ G_{2, q, k, r} + Θ G_{2, q, k, s}$ if $ORER = “ \times^{″}$ , and $Θ G_{2, q, k, t} = Θ G_{2, q, k, r} - Θ G_{2, q, k, s}$ if ORER = “/”.
(3)
Convert $Θ G_{2, q, k, t}$ in $L_{2}$ to return $Ψ G_{2, q, k, t}$ .
•
$Q_{\hat{e}}$ query ( $Ψ G_{1, q, k, r}$ , $Ψ G_{1, q, k, s}$ ): For the k-th $Q_{\hat{e}}$ , B runs the following procedure.
(1)
Convert ( $Ψ G_{1, q, k, r}$ , $Ψ G_{1, q, k, s}$ ) to ( $Θ G_{1, q, k, r}$ , $Θ G_{1, q, k, s}$ ) in $L_{1}$ .
(2)
Set $Θ G_{2, q, k, t} = Θ G_{1, q, k, r} \cdot Θ G_{1, q, k, s}$ .
(3)
Convert $Θ G_{2, q, k, t}$ in $L_{2}$ to return $Ψ G_{2, q, k, t}$ .
•
Member key generation query ( ${ID}_{m}$ ): B produces the member ${ID}_{m}$ ’s secret key $Θ {MSK}_{m}$ and first public key $Θ {MPK}_{m}$ . B then puts ( ${ID}_{m}$ , $Θ {MSK}_{m}$ , $Θ {MPK}_{m}$ , 0) in $L_{MS}$ . Also, B converts ( $Θ {MSK}_{m}$ , $Θ {MPK}_{m}$ ) in $L_{1}$ to return ( $Ψ {MSK}_{m}$ , $Ψ {MPK}_{m}$ ).
•
Member secret key query ( ${ID}_{m}$ ): If ( ${ID}_{m}$ , $Θ {MSK}_{m}$ , $Θ {MPK}_{m}$ , 0) in $L_{MS}$ is found, B converts $Θ {MSK}_{m}$ in $L_{1}$ to return $Ψ {MSK}_{m}$ . Otherwise, B issues the Member key generation query ( ${ID}_{m}$ ) to return $Ψ {MSK}_{m}$ .
•
Certificate generation query ( ${ID}_{m}$ , $Ψ {MPK}_{m}$ ): Assume that the CA has the i-th secret key pair ( $Θ {CSK}_{1, i}$ , $Θ {CSK}_{2, i}$ ). B runs the following procedure.
(1)
Pick a new variate $Θ {UPK}_{m}$ in $G_{1}$ as the second public key of the member ${ID}_{m}$ .
(2)
Pick a new variate $Θ α$ in $G_{1}$ and put ( $Θ α$ , $Ψ α = {ID}_{m} | |$ $Ψ {MPK}_{m} | |$ $Ψ {UPK}_{m}$ ) in $L_{1}$ .
(3)
Set $Θ {CTF}_{m} = Θ CSK + (Θ W + Θ X \cdot Θ α) \cdot Θ {UPK}_{m}$ and put ( ${ID}_{m}$ , $Θ {CTF}_{m}$ , $Θ {UPK}_{m}$ , 0) in $L_{MC}$ .
(4)
Convert ( $Θ {CTF}_{m}$ , $Θ {UPK}_{m}$ ) in $L_{1}$ to return ( $Ψ {CTF}_{m}$ , $Ψ {UPK}_{m}$ ).
•
Certificate generation leak query (i, $f_{CA, i}$ , $h_{CA, i}$ ): $A_{I}$ can issue this query only once for the CA’s i-th secret key pair ( $Θ {CSK}_{1, i}$ , $Θ {CSK}_{2, i}$ ). B returns $Δ f_{CA, i} = f_{CA, i} (Θ {CSK}_{1, i})$ and $Δ h_{CA, i} = h_{CA, i} (Θ {CSK}_{2, i})$ .
•
Public key retrieve query ( ${ID}_{m}$ ): B finds ${ID}_{m}$ ’s public key pair ( $Θ {MPK}_{m}$ , $Θ {UPK}_{m}$ ) by searching ( ${ID}_{m}$ , $Θ {MSK}_{m}$ , $Θ {MPK}_{m}$ , 0) in $L_{MS}$ and ( ${ID}_{m}$ , $Θ {CTF}_{m}$ , $Θ {UPK}_{m}$ , 0) in $L_{MC}$ . B converts ( $Θ {MPK}_{m}$ , $Θ {UPK}_{m}$ ) in $L_{1}$ to return ( $Ψ {MPK}_{m}$ , $Ψ {UPK}_{m}$ ).
•
Public key replace query ( ${ID}_{m}$ , ( $Ψ {MPK}_{m}^{'}$ , $Ψ {UPK}_{m}^{'}$ )): B converts ( $Ψ {MPK}_{m}^{'}$ , $Ψ {UPK}_{m}^{'}$ ) to ( $Θ {MPK}_{m}^{'}$ , $Θ {UPK}_{m}^{'}$ ). B modifies $({ID}_{m}, -, Θ {MPK}_{m}^{'}, 1)$ in $L_{MS}$ and $({ID}_{m}, -, Θ {UPK}_{m}^{'}, 1)$ in $L_{MC}$ .
•
Signcryption query ( $msg$ , ${ID}_{s}$ , ${ID}_{r}$ ): Assume that the sender ${ID}_{s}$ has the j-th certificate pair ( $Θ {CTF}_{s, 1, j}$ , $Θ {CTF}_{s, 2, j}$ ) and secret key pair ( $Θ {MSK}_{s, 1, j}$ , $Θ {MSK}_{s, 2, j}$ ). B runs the following procedure.
(1)
Use ${ID}_{r}$ to find ( ${ID}_{r}$ , $Θ {MSK}_{r}$ , $Θ {MPK}_{r}$ , replace) in $L_{MS}$ and ( ${ID}_{r}$ , $Θ {CTF}_{r}$ , $Θ {UPK}_{r}$ , replace) in $L_{MC}$ , and convert ( $Θ {MPK}_{r}$ , $Θ {UPK}_{r}$ ) in $L_{1}$ to ( $Ψ {MPK}_{r}$ , $Ψ {UPK}_{r}$ ).
(2)
Set $Ψ α = {ID}_{r} | | Ψ {MPK}_{r} | | Ψ {UPK}_{r}$ and convert $Ψ α$ in $L_{1}$ to $Θ α$ .
(3)
Choose a new variate $Θ U$ in $G_{1}$ , and set $Θ K_{1} = Θ {MPK}_{r} \cdot Θ U$ and $Θ K_{2} = (Θ CPK + Θ {UPK}_{r} \cdot (Θ W + Θ X \cdot Θ α)) \cdot Θ U$ .
(4)
Convert both $Θ U$ and $Θ K_{1}$ in $L_{1}$ , and $Θ K_{2}$ in $L_{2}$ to obtain $Ψ U$ , $Ψ K_{1}$ and $Ψ K_{2}$ .
(5)
Set $Ψ K = Ψ K_{1} \oplus Ψ K_{2}$ and $C = {SKE}_{Ψ K} (msg)$ .
(6)
Choose a new variate $Θ δ$ in $G_{1}$ , and set $Ψ δ = H (msg | | C | | Ψ U | | {ID}_{s} | | {ID}_{r})$ , and put ( $Θ δ$ , $Ψ δ$ ) in $L_{1}$ .
(7)
Set $Θ α = Θ {CTF}_{s} + Θ {MSK}_{s} + (Θ Y + Θ Z \cdot Θ δ) \cdot Θ U$ and convert $Θ δ$ in $L_{1}$ to $Ψ σ$ .
(8)
Put $({ID}_{s}, {ID}_{r}, msg, Θ U, Θ K_{1}, Θ K_{2}, Θ σ, C, Θ δ)$ in $L_{SC}$ .
(9)
Return $CT = (Ψ σ, C, Ψ U, {ID}_{s}, {ID}_{r})$ .
•
Signcryption leak query ( ${ID}_{s}$ , j, $f_{SC, j}$ , $h_{SC, j}$ ): $A_{I}$ can issue this query only once for the member ${ID}_{s}$ ’s j-th certificate pair ( $Θ {CTF}_{s, 1, j}$ , $Θ {CTF}_{s, 2, j}$ ) and secret key pair ( $Θ {MSK}_{s, 1, j}$ , $Θ {MSK}_{s, 2, j}$ ). B returns $Δ f_{SC, j} = f_{SC, j} (Θ {CTF}_{s, 1, j}, Θ {MSK}_{s, 1, j})$ and $Δ h_{SC, j} = h_{SC, j} (Θ {CTF}_{s, 2, j}, Θ {MSK}_{s, 2, j})$ .
•
Unsigncryption query ( ${ID}_{r}$ , $CT = (Ψ σ, C, Ψ U, {ID}_{s}, {ID}_{r})$ ): Assume that the receiver ${ID}_{r}$ has the k-th certificate pair ( $Θ {CTF}_{r, 1, k}$ , $Θ {CTF}_{r, 2, k}$ ) and secret key pair ( $Θ {MSK}_{r, 1, k}$ , $Θ {MSK}_{r, 2, k}$ ). B runs the following procedure.
(1)
Use ${ID}_{s}$ to find ( ${ID}_{s}$ , $Θ {MSK}_{s}$ , $Θ M P K s$ , replace) in $L_{MS}$ and ( ${ID}_{s}$ , $Θ {CTF}_{s}$ , $Θ {UPK}_{s}$ , replace) in $L_{MC}$ , and convert ( $Θ {MPK}_{s}$ , $Θ {UPK}_{s}$ ) in $L_{1}$ to ( $Ψ {MPK}_{s}$ , $Ψ {UPK}_{s}$ ).
(2)
Convert $Ψ σ$ and $Ψ U$ in $L_{1}$ to $Θ σ$ and $Θ U$ , respectively.
(3)
Set $Θ K_{1} = Θ U \cdot Θ {MSK}_{r}$ and $Θ K_{2} = Θ U \cdot Θ {CTF}_{r}$ .
(4)
Set $Ψ δ = H (msg | | C | | Ψ U | | {ID}_{s} | | {ID}_{r})$ and convert $Ψ δ$ in $L_{1}$ to $Θ δ$ .
(5)
Use ${ID}_{s}$ , ${ID}_{r}$ , $Θ U$ , $Θ K_{1}$ , $Θ K_{2}$ , $Θ σ$ , C and $Θ δ$ to find $({ID}_{s}, {ID}_{r}, msg, Θ U, Θ K_{1}, Θ K_{2}, Θ σ, C, Θ δ)$ in $L_{SC}$ . If it is found, return $msg$ and “Valid”.
•
Unsigncryption leak query ( ${ID}_{r}$ , k, $f_{US, k}$ , $h_{US, k}$ ): $A_{I}$ can issue this query only once for the member ${ID}_{r}$ ’s k-th certificate pair ( $Θ {CTF}_{r, 1, k}$ , $Θ {CTF}_{r, 2, k}$ ) and secret key pair ( $Θ {MSK}_{r, 1, k}$ , $Θ {MSK}_{r, 2, k}$ ). B returns $Δ f_{US, k} = f_{US, k} (Θ {CTF}_{r, 1, k}, Θ {MSK}_{r, 1, k})$ and $Δ h_{US, k} = h_{US, k} (Θ {CTF}_{r, 2, k}$ , $Θ {MSK}_{r, 2, k})$ .
–
Forgery. $A_{I}$ produces a pair $({msg}^{'}, {CT}^{'} = (Ψ σ^{'}, C^{'}, Ψ U^{'}, {ID}_{s}^{'}, {ID}_{r}^{'}))$ . Note that the Signcryption query ( ${msg}^{'}$ , ${ID}_{s}^{'}$ , ${ID}_{r}^{'}$ ) and the Certificate generation query ( ${ID}_{s}^{'}$ , ${MPK}_{s}^{'}$ ) have never been requested. If the Unsigncryption algorithm with $({ID}_{r}^{'}, {CT}^{'} = (Ψ σ^{'}, C^{'}, Ψ U^{'}, {ID}_{s}^{'}, {ID}_{r}^{'}))$ returns $msg$ and “Valid”, we say that $A_{I}$ wins $G_{auth}$ .

As mentioned in Section 2.2, if an adversary found any collision of $G_{1} / G_{2}$ , it would solve the discrete logarithm problem on $G_{1} / G_{2}$ . In such a case, we first compute the sum amount of elements in $L_{1}$ and $L_{2}$ , termed as $| L_{1} | + | L_{2} |$ . By counting the added elements in both the Setup and Query phases, we have the inequality $| L_{1} | + | L_{2} | ≦ 6 η$ because $A_{I}$ can request different queries to B η times and at most 6 elements are increased in $L_{1} / L_{2}$ after issuing a query. Additionally, for evaluating the entropy of secret keys with partial leakage, we must compute the maximal degrees of elements in $L_{1}$ and $L_{2}$ , in which $L_{1}$ and $L_{2}$ have the maximal degrees 3 and 6, respectively.

Subsequently, let us compute the advantage ${Adv}_{A I - N}$ that $A_{I}$ wins $G_{auth}$ without issuing leak queries. The advantage ${Adv}_{A I - N}$ comprises two probabilities as discussed below. ■
Let $Pr [Collision]$ be the probability that $A_{I}$ finds a collision in $L_{1}$ or $L_{2}$ . Assume that there are r different variates in $L_{1}$ , which are denoted by r random values $v_{i} \in Z_{p}^{}$ for $i = 1, 2, \dots, r$ . Let $Θ G_{1, j}$ and $Θ G_{1, k}$ be two distinct elements in $L_{1}$ and set $Θ G_{1, l} = Θ G_{1, j} - Θ G_{1, k}$ . If $Θ G_{1, l} (v_{1}, v_{2}, \dots, v_{r}) = 0$ , there exists a collision in $L_{1}$ . Because $L_{1}$ has $(\binom{| L_{1} |}{2})$ pairs of ( $Θ G_{1, j}$ , $Θ G_{1, k}$ ) and the maximal polynomial degree is 3, the probability that $A_{I}$ finds a collision in $L_{1}$ is $(3 / p) (\binom{| L_{1} |}{2})$ by Lemma 2. For the same reason, the probability that $A_{I}$ finds a collision in $L_{2}$ is $(6 / p) (\binom{| L_{2} |}{2})$ . Because of $| L_{1} | + | L_{2} | ≦ 6 η$ , we have the following inequality $Pr [Collision] ≦ (3 / p) (\binom{| L_{1} |}{2}) + (6 / p) (\binom{| L_{2} |}{2}) ≦ (6 / p) {(| L_{0} | + | L_{1} |)}^{2} ≦ 216 η^{2} / p$ .
■
Let $Pr [Forge]$ be the probability that $A_{I}$ forges a valid pair ( ${msg}^{'}$ , ${CT}^{'}$ = ( $Ψ σ^{'}$ , $C^{'}$ , $Ψ U^{'}$ , ${ID}_{s}^{'}$ , ${ID}_{r}^{'}$ )). The valid pair satisfies $\hat{e} (g_{1}, σ^{'}) = CPK \cdot {MPK}_{s}^{'} \cdot \hat{e} ({UPK}_{s}^{'}, W \cdot X^{α}) \cdot \hat{e} (U^{'}, Y \cdot Z^{δ})$ in the Unsigncryption* algorithm, namely, $Θ g_{1} \cdot Θ σ^{'} = Θ CPK + Θ {MPK}_{s}^{'} + Θ {UPK}_{s}^{'} \cdot (Θ W + Θ X \cdot Θ α) + Θ U^{'} \cdot (Θ Y + Θ Z \cdot Θ δ)$ . Let $Θ f = Θ g_{1} \cdot Θ σ^{'} - Θ CPK + Θ {MPK}_{s}^{'} + Θ {UPK}_{s}^{'} \cdot (Θ W + Θ X \cdot Θ α) + Θ U^{'} \cdot (Θ Y + Θ Z \cdot Θ δ)$ . Since $Θ f$ has degree 3, the probability of $Θ f = 0$ is $3 / p$ by Lemma 2 so that we have $Pr [Forge] = 3 / p$ .
By above, we have ${Adv}_{A I - N} = Pr [Collision] + Pr [Forge] ≦ 216 η^{2} / p + 3 / p = O (η^{2} / p),$ which is negligible if $η = poly (log p)$ .

Here, we compute the advantage ${Adv}_{A I}$ that $AI$ wins $G_{auth}$ when permitted to issue three types of leak queries, namely, Certificate generation leak query, Signcryption leak query and Unsigncryption leak query. (1)
By the Certificate generation leak query (i, $f_{CA, i}$ , $h_{CA, i}$ ), $A_{I}$ gets partial bits of the CA’s i-th secret key pair ( $Θ {CSK}_{1, i}$ , $Θ {CSK}_{2, i}$ ), namely, $Δ f_{CA, i} = f_{CA, i} (Θ {CSK}_{1, i})$ and $Δ h_{CA, i} = h_{CA, i} (Θ {CSK}_{2, i})$ with $| Δ f_{CA, i} |,$ $| Δ_{h CA, i} | ≦ ω$ . According to the key update process (Kiltz and Pietrzak, 2010; Galindo and Virek, 2013), the CA’s i-th secret key pair satisfies the relations $CSK = {CSK}_{1, 0} \cdot {CSK}_{2, 0} = \dots = {CSK}_{1, i - 1} \cdot {CSK}_{2, i - 1} = {CSK}_{1, i} \cdot {CSK}_{2, i}$ . Meanwhile, the leakage bits of ( $Θ {CSK}_{1, i - 1}$ , $Θ {CSK}_{2, i - 1}$ ) and ( $Θ {CSK}_{1, i}$ , $Θ {CSK}_{2, i}$ ) are mutually independent, so that $A_{I}$ gets at most $2 ω$ bits of $CSK$ .
(2)
By the Signcryption leak query ( ${ID}_{s}$ , j, $f_{SC, j}$ , $h_{SC, j}$ ), $A_{I}$ gets partial bits of the ${ID}_{s}$ ’s j-th certificate pair ( $Θ {CTF}_{s, 1, j}$ , $Θ {CTF}_{s, 2, j}$ ), namely, $Δ f_{SC, j} = f_{SC, j} (Θ {CTF}_{s, 1, j})$ and $Δ h_{SC, j} = h_{SC, j} (Θ {CTF}_{s, 2, j})$ with $| Δ f_{SC, j} |,$ $| Δ h_{SC, j} | ≦ ω$ . According to the key update procedure, the ${ID}_{s}$ ’s j-th certificate pair satisfies the relations ${CTF}_{s} = {CTF}_{s, 1, 0} \cdot {CTF}_{s, 2, 0} = \dots = {CTF}_{s, 1, j - 1} \cdot {CTF}_{s, 2, j - 1} = {CTF}_{s, 1, j} \cdot {CTF}_{s, 2, j}$ . Thus, $A_{I}$ gets at most $2 ω$ bits of ${CTF}_{s}$ .
(3)
By the Unsigncryption leak query ( ${ID}_{r}$ , k, $f_{US, k}$ , $h_{US, k}$ ), $A_{I}$ gets partial bits of the ${ID}_{r}$ ’s k-th certificate pair ( $Θ {CTF}_{r, 1, k}$ , $Θ {CTF}_{r, 2, k}$ ), namely, $Δ f_{US, k} = f_{US, k} (Θ {CTF}_{r, 1, k})$ and $Δ h_{US, k} = h_{US, k} (Θ {CTF}_{r, 2, k})$ with $| Δ f_{US, k} |$ , $| Δ h_{US, k} | ≦ ω$ . According to the key update procedure, the ${ID}_{r}$ ’s k-th certificate pair satisfies the relations ${CTF}_{r} = {CTF}_{r, 1, 0} \cdot {CTF}_{r, 2, 0} = \dots = {CTF}_{r, 1, j - 1} \cdot {CTF}_{r, 2, j - 1} = {CTF}_{r, 1, j} \cdot {CTF}_{r, 2, j}$ . Thus, $A_{I}$ gets at most $2 ω$ bits of ${CTF}_{r}$ .
Due to the discussions above, we define three events as follows: (1)
Let EVCSK indicate the event that $A_{I}$ obtains $CSK$ by $Δ f_{CA, i}$ and $Δ h_{CA, i}$ . Meanwhile, $\overline{EVCSK}$ means EVCSK’s complement.
(2)
Let EVCTF indicate the event that $A_{I}$ gets ${CTF}_{m}$ (i.e. ${CTF}_{s}$ or ${CTF}_{r}$ ) by $Δ f_{SC, j}$ , $Δ h_{SC, j}$ , $Δ f_{US, k}$ and $Δ h_{US, k}$ . Meanwhile, $\overline{EVCTF}$ means EVCTF’s complement.
(3)
Let ESFV indicate the event that $A_{I}$ successfully forges a valid pair $({msg}^{'}, {CT}^{'} = (Ψ σ^{'}, C^{'}, Ψ U^{'}, {ID}_{s}^{'}, {ID}_{r}^{'}))$ .
Hence, ${Adv}_{A I}$ has the inequality $\begin{aligned} {Adv}_{A I} & = Pr [ESFV] \\ = Pr [ESFV \land (EVCSK \lor EVCTF)] + Pr [ESFV \land (\overline{EVCSK} \land \overline{EVCTF})] \\ ≦ Pr [(EVCSK \lor EVCTF)] + Pr [ESFV \land (\overline{EVSSK} \land \overline{EVUDID})] . \end{aligned}$

By the Certificate generation leak query, $A_{I}$ gets $2 ω$ bits of $CSK$ . Also, by the Signcryption leak query or Unsigncryption leak query, $A_{I}$ gets $2 ω$ bits of ${CTF}_{m}$ (i.e. ${CTF}_{s}$ or ${CTF}_{r}$ ). By Lemma 2, we have $Pr [(EVCSK \lor EVCTF)] ≦ {Adv}_{A I - N} \cdot 2^{2 ω} ≦ O ((η^{2} / p) \cdot 2^{2 ω})$ because of ${Adv}_{A I - N} = O (η^{2} / p)$ . Since $Pr [ESFV \land (\overline{EVSSK} \land \overline{EVUDID})]$ denotes that $A_{I}$ gets no information of both $CSK$ and ${CTF}_{m}$ , we have $Pr [ESFV \land (\overline{EVSSK} \land \overline{EVUDID})] = {Adv}_{A I - N} = O (η^{2} / p)$ . Therefore, $\begin{aligned} {Adv}_{A I} & ≦ Pr [(EVCSK \lor EVCTF)] + Pr [ESFV \land (\overline{EVSSK} \land \overline{EVUDID})] \\ ≦ O ((η^{2} / p) \cdot 2^{2 ω}) + O (η^{2} / p) = O ((η^{2} / p) \cdot 2^{2 ω}) . \end{aligned}$ Finally, ${Adv}_{A I}$ is negligible if $ω = poly (log p)$ , by Lemma 2. □
Theorem 2.
Under the SCRH and DL assumptions in the GBG model, our FCLR-CBSC scheme is EXUF-CLRACMA-secure against $A_{II}$ in $G_{auth}$ .
Proof.
$A_{II}$ and B play $G_{auth}$ that comprises three phases as presented below. –
Setup. It is identical to the Setup in Theorem 1. Because the adversary is of $A_{II}$ , B sends $Ψ CSK$ to $A_{II}$ .
–
Queries. It is identical to the Queries in Theorem 1. Additionally, since $A_{II}$ possesses the CA’s secret key $CSK$ , so that it can create any member ${ID}_{m}$ ’s certificate ${CTF}_{m}$ and second public key ${UPK}_{m}$ . Thus, $A_{II}$ has no need to request the Certificate generation query and Certificate generation leak query.
–
Forgery. $A_{II}$ produces a pair $({msg}^{'}, {CT}^{'} = (Ψ σ^{'}, C^{'}, Ψ U^{'}, {ID}_{s}^{'}, {ID}_{r}^{'}))$ . Note that the Signcryption query ( ${msg}^{'}$ , ${ID}_{s}^{'}$ , ${ID}_{r}^{'}$ ), the Member secret key query ( ${ID}_{m}$ ) and the Public key replace query ( ${ID}_{m}$ , ( $Ψ {MPK}_{m}^{'}$ , $Ψ {UPK}_{m}^{'}$ )) have never been requested. If the Unsigncryption algorithm with $({ID}_{r}^{'}, {CT}^{'} = (Ψ σ^{'}, C^{'}, Ψ U^{'}, {ID}_{s}^{'}, {ID}_{r}^{'}))$ returns $msg$ and “Valid”, we say that $A_{I}$ wins $G_{auth}$ .
Here, let’s compute the advantage ${Adv}_{AII - N}$ that $A_{II}$ wins $G_{auth}$ without issuing leak queries. By $Pr [Collision]$ and $Pr [Forge]$ defined in Theorem 1, we have ${Adv}_{AII - N} = Pr [Collision] + Pr [Forge] ≦ 216 η^{2} / p + 3 / p = O (η^{2} / p),$ which is negligible if $η = poly (log p)$ . Next, we compute the advantage ${Adv}_{AII}$ that $A_{II}$ wins $G_{auth}$ when permitted to issue two types of leak queries, namely, Signcryption leak query and Unsigncryption leak query. (1)
By the Signcryption leak query ( ${ID}_{s}$ , j, $f_{SC, j}$ , $h_{SC, j}$ ), $A_{II}$ gets partial bits of the ${ID}_{s}$ ’s j-th secret key pair ( ${MSK}_{s, 1, j}$ , ${MSK}_{s, 2, j}$ ), namely, $Δ f_{SC, j} = f_{SC, j} ({MSK}_{s, 1, j})$ and $Δ h_{SC, j} = h_{SC, j} ({MSK}_{s, 2, j})$ with $| Δ f_{SC, j} |$ , $| Δ h_{SC, j} | ≦ ω$ . According to the key update procedure, the ${ID}_{s}$ ’s j-th secret key pair satisfies the relations ${MSK}_{s} = {MSK}_{s, 1, 0} \cdot {MSK}_{s, 2, 0} = \dots = {MSK}_{s, 1, j - 1} \cdot {MSK}_{s, 2, j - 1} = {MSK}_{s, 1, j} \cdot {MSK}_{s, 2, j}$ . Thus, $A_{II}$ gets at most $2 ω$ bits of ${MSK}_{s}$ .
(2)
By the Unsigncryption leak query ( ${ID}_{r}$ , k, $f_{US, k}$ , $h_{US, k}$ ), $A_{II}$ gets partial bits of the ${ID}_{r}$ ’s k-th secret key pair ( ${MSK}_{r, 1, k}$ , ${MSK}_{r, 2, k}$ ), namely, $Δ f_{US, k} = f_{US, k} ({MSK}_{r, 1, k})$ and $Δ h_{US, k} = h_{US, k} ({MSK}_{r, 2, k})$ with $| Δ f_{US, k} |$ , $| Δ h_{US, k} | ≦ ω$ . According to the key update procedure, the ${ID}_{r}$ ’s k-th secret key pair satisfies the relations ${MSK}_{r} = {MSK}_{r, 1, 0} \cdot {MSK}_{r, 2, 0} = \dots = {MSK}_{r, 1, j - 1} \cdot {MSK}_{r, 2, j - 1} = {MSK}_{r, 1, j} \cdot {MSK}_{r, 2, j}$ . Thus, $A_{II}$ gets at most $2 ω$ bits of ${MSK}_{r}$ .
Due to the discussions above, we define two events as follows: (1)
Let $EVMSK$ indicate the event that $A_{II}$ obtains ${MSK}_{m}$ (i.e. ${MSK}_{s}$ or ${MSK}_{r}$ ) by $Δ f_{SC, j}$ , $Δ h_{SC, j}$ , $Δ f_{US, k}$ and $Δ h_{US, k}$ . Meanwhile, $\overline{EVMSK}$ denotes $EVMSK$ ’s complement.
(2)
Let ESFV indicate the event that $A_{II}$ successfully forges a valid tuple $({msg}^{'}, {CT}^{'} = (Ψ σ^{'}, C^{'}, Ψ U^{'}, {ID}_{s}^{'}, {ID}_{r}^{'}))$ .
Hence, ${Adv}_{AII}$ has the inequality $\begin{aligned} {Adv}_{AII} & = Pr [ESFV] \\ = Pr [ESFV \land EVMSK] + Pr [ESFV \land \overline{EVMSK}] \\ ≦ Pr [EVMSK] + Pr [ESFV \land \overline{EVMSK}] . \end{aligned}$ By the Signcryption leak query or Unsigncryption leak query, $A_{II}$ gets $2 ω$ bits of ${MSK}_{m}$ (i.e. ${MSK}_{s}$ or ${MSK}_{r}$ ). By Lemma 2, we have $Pr [EVMSK] ≦ {Adv}_{AII - N} \cdot 2^{2 ω} ≦ O ((η^{2} / p) \cdot 2^{2 ω})$ . Since $Pr [ESFV \land \overline{EVMSK}]$ denotes that $A_{II}$ gets no information of ${MSK}_{m}$ , we have $Pr [ESFV \land \overline{EVMSK}] = {Adv}_{AII - N} = O (η^{2} / p)$ . Therefore, $\begin{aligned} {Adv}_{AII} & ≦ Pr [EVMSK] + Pr [ESFV \land \overline{EVMSK}] \\ ≦ O ((η^{2} / p) \cdot 2^{2 ω}) + O (η^{2} / p) = O ((η^{2} / p) \cdot 2^{2 ω}) . \end{aligned}$ Finally, ${Adv}_{AII}$ is negligible if $ω = poly (log p)$ , by Lemma 2. □
Theorem 3.
Under the SCRH and DL assumptions in the GBG model, our FCLR-CBSC scheme is INDEN-CLCCA-secure against $A_{I}$ in $G_{conf}$ .
Proof.
$A_{I}$ and B play $G_{conf}$ that comprises four phases as presented below: –
Setup. It is identical to the Setup in Theorem 1.
–
Queries. It is identical to the Queries in Theorem 1.
–
Challenge. $A_{I}$ sends a receiver’s identity ${ID}_{r}^{'}$ and a message pair ( ${msg}_{0}^{'}$ , ${msg}_{1}^{'}$ ) to B. Note that the Certificate generation query ( ${ID}_{r}^{'}$ , ${MPK}_{r}^{'}$ ) has never been requested. B randomly chooses a bit $b^{'} \in {0, 1}$ and runs the Signcryption algorithm with ( ${msg}_{b}^{'}$ , ${ID}_{s}$ , ${ID}_{r}^{'}$ ) to produce and return a ciphertext $CT = (σ, C, U, {ID}_{s}, {ID}_{r}^{'})$ to $A_{I}$ .
–
Guess. $A_{I}$ returns a bit $b \in {0, 1}$ . We say that $A_{I}$ wins $G_{conf}$ if $b = b^{'}$ . The advantage ${Adv}_{A I}$ is defined as $| Pr [b = b^{'}] - 1 / 2 |$ .
Let us compute the advantage ${Adv}_{A I - N}$ that $A_{I}$ wins $G_{conf}$ without issuing leak queries. The advantage ${Adv}_{A I - N}$ comprises two probabilities as discussed below: ■
Let $Pr [Collision]$ be the probability that $A_{I}$ finds a collision in $L_{1}$ or $L_{2}$ , which is the same with the probability $Pr [Collision]$ in Theorem 1. Thus, we have the inequality $Pr [Collision] ≦ 216 η^{2} / p$ .
■
Let $Pr [Guess]$ be the probability that $A_{I}$ with no useful information outputs a correct bit b. Thus, we have $Pr [Guess] = P r [b = b^{'}] = 1 / 2$ .
Hence, we have the following inequality. $\begin{aligned} {Adv}_{A I - N} & = | Pr [b = b^{'}] - 1 / 2 | = | Pr [Collision] + Pr [Guess] - 1 / 2 | \\ ≦ 216 η^{2} / p = O (η^{2} / p) . \end{aligned}$ Here, let’s compute the advantage ${Adv}_{A I}$ that $A_{I}$ wins $G_{conf}$ when permitted to issue three types of leak queries, namely, Certificate generation leak query, Signcryption leak query and Unsigncryption leak query. As in the proof of Theorem 1, by the Certificate generation leak query, $A_{I}$ gets $2 ω$ bits of $CSK$ . Also, by the Signcryption leak query or the Unsigncryption leak query, $A_{I}$ gets $2 ω$ bits of ${CTF}_{m}$ (i.e. ${CTF}_{s}$ or ${CTF}_{r}$ ). By Lemma 2, we have ${Adv}_{A I} ≦ {Adv}_{A I - N} \cdot 2^{2 ω} ≦ O ((η^{2} / p) \cdot 2^{2 ω})$ , which is negligible if $ω = poly (log p)$ . □
Theorem 4.
Under the SCRH and DL assumptions in the GBG model, our FCLR-CBSC scheme is INDEN-CLCCA-secure against $A_{II}$ in $G_{conf}$ .
Proof.
$A_{II}$ and B play $G_{conf}$ that comprises four phases as presented below: –
Setup. It is identical to the Setup in Theorem 2.
–
Queries. It is identical to the Queries in Theorem 2.
–
Challenge. $A_{II}$ sends a receiver’s identity ${ID}_{r}^{'}$ and a message pair ( ${msg}_{0}^{'}$ , ${msg}_{1}^{'}$ ) to B. Note that neither the Member secret key query ( ${ID}_{r}^{'}$ ) nor the Public key replace query ( ${ID}_{r}^{'}$ , ( ${MPK}_{r}^{'}$ , ${UPK}_{r}^{'}$ )) has been requested. B randomly chooses a bit $b^{'} \in {0, 1}$ and runs the Signcryption algorithm with ( ${msg}_{b}^{'}$ , ${ID}_{s}$ , ${ID}_{r}^{'}$ ) to produce and return a ciphertext $CT = (σ, C, U, {ID}_{s}, {ID}_{r}^{'})$ to $A_{II}$ .
–
Guess. $A_{II}$ returns a bit $b \in {0, 1}$ . We say that $A_{II}$ wins $G_{conf}$ if $b = b^{'}$ . The advantage ${Adv}_{AII}$ is defined as $| Pr [b = b^{'}] - 1 / 2 |$ .
Here, let’s compute ${Adv}_{AII - N}$ that $A_{II}$ wins $G_{conf}$ without request leak queries. By using $Pr [Collision]$ and Pr[Guess] in the proof of Theorem 3, we get ${Adv}_{AII - N} = Pr [Collision] + Pr [Guess] ≦ 216 η^{2} / p + 3 / p = O (η^{2} / p)$ that is negligible if $η = poly (log p)$ . Subsequently, let us compute the advantage ${Adv}_{AII}$ that $A_{II}$ wins $G_{conf}$ when permitted to issue two types of leak queries, namely, Signcryption leak query and Unsigncryption leak query. As in the proof of Theorem 2, $A_{II}$ gets $2 ω$ bits of ${MSK}_{m}$ (i.e. ${MSK}_{s}$ or ${MSK}_{r}$ ). By Lemma 2, we obtain ${Adv}_{AII} ≦ {Adv}_{AII - N} \cdot 2^{2 ω} ≦ O ((η^{2} / p) \cdot 2^{2 ω}$ ) that is negligible if $ω = poly (log p)$ . □

6 Performance Comparisons

Here, let’s evaluate the computation time of our FCLR-CBSC scheme in terms of Initialization, Member secret key generation, Certificate generation, Signcryption and Unsigncryption algorithms. By the simulation results in Xiong and Qin (2015), the notations (i.e. $T_{b p f}$ and $T_{e x p}$ ) for two time-consuming computations and their running time are presented in Table 3. Additionally, the running time of the multiplication in $G_{1}$ or $G_{2}$ is negligible since it is more slighter than $T_{b p f}$ and $T_{e x p}$ . The simulation results in Xiong and Qin (2015) are evaluated under a PC with an Intel 1.80-GHz i7 CPU and a mobile device with an Intel 624-MHz PXA270 CPU. Meanwhile, the order p of both $G_{1}$ and $G_{2}$ is a 512-bit prime security level. The computation costs and the running time of five algorithms in our FCLR-CBSC scheme are listed in Table 4. By Table 4, it is obvious that our scheme performs efficiently on both a PC and a mobile device.

Table 3
Notationsand running time of two time-consuming operations.

Operations Notations Running time on a PC Running time on a mobile device

Bilinear pairing function $\hat{e}$ $T_{b p f}$ ≈20 ms ≈96 ms

Exponentiation in $G_{1}$ or $G_{2}$ $T_{e x p}$ ≈7 ms ≈31 ms

Operations	Notations	Running time on a PC	Running time on a mobile device
Bilinear pairing function $\hat{e}$	$T_{b p f}$	≈20 ms	≈96 ms
Exponentiation in $G_{1}$ or $G_{2}$	$T_{e x p}$	≈7 ms	≈31 ms

Table 4

Computation costs and running time of five algorithms.

Algorithms	Computation costs	Running time on a PC	Running time on a mobile device
Initialization	$T_{b p f} + 7 T_{e x p}$	69 ms	313 ms
Member secret key generation	$T_{b p f} + 3 T_{e x p}$	41 ms	189 ms
Certificate generation	$7 T_{e x p}$	49 ms	217 ms
Signcryption	$T_{b p f} + 8 T_{e x p}$	76 ms	344 ms
Unsigncryption	$7 T_{b p f} + 4 T_{e x p}$	168 ms	796 ms

7 Conclusions

A practical FCLR-CBSC scheme was proposed in the paper. As compared with the previously proposed LR-CLSC and CLR-CBSC schemes, our scheme possesses the fully continuous leakage-resilient property. In our scheme, by the key update method participated in the Certificate generation, Signcryption and Unsigncryption algorithms of our scheme, respectively, an adversary is permitted to obtain partial bits of the CA’s secret key, and a sender/receiver’s certificate and secret key. Based on the SCRH and DL assumptions in the GBG model, four security theorems were formally shown that our scheme is EXUF-CLRACMA-secure and INDEN-CLCCA-secure against two types of adversaries ( $A_{I}$ and $A_{II}$ ) in the CB-PKS setting so that our scheme possesses both authentication of and confidentiality. Finally, performance analysis demonstrated that our scheme is performs efficiently on both a PC and a mobile device.

References

Ali

Lawrence

Omala

(2020). An efficient hybrid signcryption scheme with conditional privacy-preservation for heterogeneous vehicular communication in VANETs. IEEE Transactions on Vehicular Technology, 69(10), 11266–11280.

Al-Riyami

Paterson

(2003). Certificateless public key cryptography. In: ASIACRYPT’03, LNCS , Vol. 2894, pp. 452–473.

Alwen

Dodis

Wichs

(2009). Leakage-resilient public-key cryptography in the bounded-retrieval model. In: Crypto’09, LNCS , Vol. 5677, pp. 36–54.

Biham

Carmeli

Shamir

(2008). Bug attacks. In: Crypto’08, LNCS , Vol. 5157, pp. 221–240.

Boneh

Franklin

(2001). Identity-based encryption from the Weil pairing. In: Crypto’01, LNCS , Vol. 2139, pp. 213–229.

Boneh

Boyen

Goh

(2005). Hierarchical identity-based encryption with constant size ciphertext. In: Eurocrypt’05, LNCS , Vol. 3494, pp. 440–456.

Brumley

Boneh

(2005). Remote timing attacks are practical. Computer Networks, 48(5), 701–716.

Dodis

Ostrovsky

Reyzin

Smith

(2008). Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM Journal on Computing, 38(1), 97–139.

Dodis

Haralambiev

Lopez-Alt

Wichs

(2010). Cryptography resilient to continual memory leakage. In: 51st Annual IEEE Symposium on Foundations of Computer Science, pp. 501–510.

10.

Galindo

Virek

(2013). A practical leakage-resilient signature scheme in the generic group model. In: SAC’12, LNCS , Vol. 7707, pp. 50–65.

11.

Galindo

Grobschadl

Liu

Vadnala

Vivek

(2016). Implementation of a leakage-resilient ElGamal key encapsulation mechanism. Journal of Cryptographic Engineering, 6(3), 229–238.

12.

Gentry

(2003). Certificate-based encryption and the certificate revocation problem. In: EUROCRYPT’03, LNCS , Vol. 2656, pp. 272–293.

13.

Hussain

Ullah

Khattak

Adnan

Kumari

Ullah

Khan

Khattak

(2020). A lightweight and formally secure certificate based signcryption with proxy re-encryption (CBSRE) for internet of things enabled smart grid. IEEE Access, 8, 93230–93248.

14.

Katz

Vaikuntanathan

(2009). Signature schemes with bounded leakage resilience. In: Asiacrypt’09, LNCS , Vol. 5912, pp. 703–720.

15.

Khan

Ullah

Nisar

Noor

Qureshi

Khanzada

Amin

(2020). An efficient and provably secure certificateless key-encapsulated signcryption scheme for flying ad-hoc network. IEEE Access, 8, 36807–36828.

16.

Kiltz

Pietrzak

(2010). Leakage resilient Elgamal encryption. In: Asiacrypt’10, LNCS , Vol. 6477, pp. 595–612.

17.

Kocher

Jaffe

Jun

(1999). Differential power analysis. In: Crypto’99, LNCS , Vol. 1666, pp. 388–397.

18.

Peng

A.-L.

Tseng

Y.-M.

Huang

S.-S.

(2021). An efficient leakage-resilient authenticated key exchange protocol suitable for IoT devices. IEEE Systems Journal, 15(4), 5343–5354.

19.

Rivest

Shamir

Adleman

(1978). A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2), 120–126.

20.

Tsai

T.-T.

Huang

S.-S.

Tseng

Y.-M.

Chuang

Y.-H.

Hung

Y.-H.

(2022). Leakage-resilient certificate-based authenticated key exchange protocol. IEEE Open Journal of the Computer Society, 3, 137–148.

21.

Tseng

Y.-M.

J.-D.

Huang

S.-S.

Tsai

T.-T.

(2020). Leakage-resilient outsourced revocable certificateless signature with a cloud revocation server. Information Technology and Control, 49(4), 464–481.

22.

Tseng

Y.-M.

Chen

J.-L.

Huang

S.-S.

(2021). A lightweight leakage-resilient identity-based mutual authentication and key exchange protocol for resource-limited devices. Computer Networks, 196, 108246.

23.

Tseng

Y.-M.

Huang

S.-S.

Tsai

T.-T.

Chuang

Y.-H.

Hung

Y.-H.

(2022). Leakage-resilient revocable certificateless encryption with an outsourced revocation authority. Informatica, 33(1), 151–179.

24.

Ullah

Alomari

Amin

Khan

Khattak

(2019). An energy efficient and formally secured certificate-based signcryption for wireless body area networks with the internet of things. Electronics, 8(10), 1171.

25.

Ullah

Lan

(2020). A novel trusted third party based signcryption scheme. Multimedia Tools and Applications, 79, 22749–22769.

26.

Gong

Zhang

(2022). An improved efficient certificateless hybrid signcryption scheme for internet of things. Wireless Communications and Mobile Computing, 2022, 6945004.

27.

J.-D.

Tseng

Y.-M.

Huang

S.-S.

Chou

W.-C.

(2018). Leakage-resilient certificateless key encapsulation scheme. Informatica, 29(1), 125–155.

28.

J.-D.

Tseng

Y.-M.

Huang

S.-S.

Tsai

T.-T.

(2019). Leakage-resilient certificate-based signature resistant to side-channel attacks. IEEE Access, 7(1), 19041–19053.

29.

J.-D.

Tseng

Y.-M.

Huang

S.-S.

Tsai

T.-T.

(2020a). Leakage-resilient certificate-based key encapsulation scheme resistant to continual leakage. IEEE Open Journal of the Computer Society, 1, 131–144.

30.

J.-D.

Tseng

Y.-M.

Huang

S.-S.

Tsai

T.-T.

(2020b). Leakage-resilient revocable identity-based signature with cloud revocation authority. Informatica, 31(3), 597–620.

31.

Xiong

Qin

(2015). Revocable and scalable certificateless remote authentication protocol with anonymity for wireless body area networks. IEEE Transactions on Information Forensics and Security, 10(7), 1442–1455.

32.

Yang

Zhou

(2019). Leakage-resilient certificateless signcryption scheme. In: GLOBECOM Workshops, pp. 1–6.

33.

Zheng

(1997). Digital signcryption or how to achieve cost (signature & encryption) cost (signature)+ cost (encryption). In: Annual International Cryptology Conference, LNCS , Vol. 1294, pp. 165–179.

34.

Zhou

Yang

Zhang

(2016). Provably secure and efficient leakage-resilient certificateless signcryption scheme without bilinear pairing. Discrete Applied Mathematics, 204, 185–202.

35.

Zhou

Qiao

Yang

Zhang

(2021). Continuous leakage-resilient certificate-based signcryption scheme and application in cloud computing. Theoretical Computer Science, 860, 1–22.

Fully Continuous Leakage-Resilient Certificate-Based Signcryption Scheme for Mobile Communications

Abstract

Keywords

1 Introduction

1.1 Related Work

1.2 Contributions

2 Preliminaries

2.1 Bilinear Pairing Set

– Bilinear property: e ˆ ( g 1 x , g 1 y ) = e ˆ ( g 1 , g 1 ) x y , for any x , y ∈ Z p ∗ . – Non-degenerate property: e ˆ ( g 1 , g 1 ) = g 2 ≠ 1 . – Computable property: e ˆ ( X , Y ) can be effectively computed for any X , Y ∈ G 1 . 2.2 Security Assumptions

Table 3 Notationsand running time of two time-consuming operations. Operations Notations Running time on a PC Running time on a mobile device Bilinear pairing function e ˆ T b p f ≈20 ms ≈96 ms Exponentiation in G 1 or G 2 T e x p ≈7 ms ≈31 ms

References

Table 3
Notationsand running time of two time-consuming operations.

Operations Notations Running time on a PC Running time on a mobile device

Bilinear pairing function $\hat{e}$ $T_{b p f}$ ≈20 ms ≈96 ms

Exponentiation in $G_{1}$ or $G_{2}$ $T_{e x p}$ ≈7 ms ≈31 ms