Heterogeneous hybrid signcryption for multi-message and multi-receiver

To achieve secure communication across heterogeneous cryptography systems, we present a heterogeneous hybrid signcryption scheme. The proposed scheme allows a sender in an identity-based cryptography system to send multiple messages to multiple receivers in a certificateless cryptography system, with the two systems using different master keys. At the same time, every user is mapped to a distinct pseudo-identity for conditional identity privacy preservation, and a trusted authority can trace the real identity when necessary. Compared with existing schemes, the proposed scheme is more practical for real applications. In addition, the proposed scheme achieves indistinguishability against adaptive chosen ciphertext attacks and existential unforgeability against adaptive chosen message attacks in the random oracle model.


Introduction
Diverse network systems have appeared with the development of technology. These systems use different cryptographic techniques, such as public key infrastructure (PKI), identity-based cryptography (IBC), and certificateless cryptography (CLC). A cryptographic scheme is therefore needed for secure communication between heterogeneous systems. Zheng [1] first proposed signcryption, a cryptographic primitive that performs the functions of both digital signature and public key encryption in a single logical step at a significantly lower cost than the traditional signature-then-encryption approach. Signcryption schemes simultaneously achieve confidentiality, integrity, authentication, and non-repudiation, which makes them attractive for resource-constrained devices over low-bandwidth channels. Given these advantages, heterogeneous signcryption has been investigated. There are two types of heterogeneous signcryption between PKI and IBC: in type I, a sender in the PKI setting transmits a message to a receiver in the IBC setting; in type II, a sender in the IBC setting transmits a message to a receiver in the PKI setting. Sun et al. [2] proposed type I schemes, but these schemes only achieve outsider security. In 2011, Huang et al. [3] proposed a type II signcryption scheme with insider security. In 2013, Li et al. [4] proposed type I and type II schemes that meet insider security requirements. Related heterogeneous signcryption paradigms have received considerable attention in recent years [5][6][7][8].
Hybrid encryption is a practical way to secure large messages. Hybrid encryption separates encryption into two parts: one part uses public key

Citation: Niu S, Niu L, Yang X, Wang C, Jia X (2017) Heterogeneous hybrid signcryption for multi-message and multi-receiver. PLoS ONE 12(9): e0184407. https://doi.org/10.1371/journal.pone.0184407

Definition 1. Given two groups G_1 and G_2 of the same prime order q, a bilinear map e: G_1 × G_1 → G_2, and a generator P of G_1, the decisional bilinear Diffie-Hellman (DBDH) problem is to decide whether T = e(P, P)^{abc} for given (P, aP, bP, cP) and T ∈ G_2.

MHHSC KEM
MHHSC KEM consists of five algorithms:
• Setup: With a security parameter ℓ as input, the PKG and the KGC each generate their own master key and output the system parameters params.
• Anony-IBC-KG: This algorithm is run by the PKG of the IBC system. With a user's real identity RID_A and ID_{A,1} as input, it generates the corresponding private key sk_A and pseudo-identity ID_A.
• Anony-CLC-KG: This algorithm is run by the KGC of the CLC system. With a user's real identity RID_{B_i} and ID_{B_i,1} as input, it generates the corresponding partial private key D_{B_i}, secret key sk_{B_i}, public key pk_{B_i} and pseudo-identity ID_{B_i}.
• Encap: Given the sender's identity (Q_A, ID_A) and private key sk_A, and the receiver's identity (pk_{B_i}, ID_{B_i}), the algorithm outputs the encapsulation key K and the encapsulation φ.
• Decap: Given the sender's identity (Q_A, ID_A) and the receiver's secret key and public key (D_{B_i}, sk_{B_i}), (pk_{B_i}, ID_{B_i}), the algorithm outputs the encapsulation key K or the symbol ⊥.

DEM
DEM is a symmetric encryption scheme that must provide both confidentiality and unforgeability. DEM consists of the following two algorithms:
• Enc: Take the message M and the encapsulation key K as input and output the ciphertext C. We denote this as C ← DEM.Enc(K, M).
• Dec: Take the key K and the ciphertext C as input and output the message M or the error symbol ⊥.
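As an added example (not the paper's code), the following stdlib-only DEM satisfies the two requirements above: an encrypt-then-MAC construction whose Dec returns None in place of the error symbol ⊥ on any tampering. It assumes the encapsulation key K is delivered by the KEM (here a constructed byte string); the function names dem_enc/dem_dec and the SHA-256 counter-mode keystream are my choices, not the paper's.

```python
import hashlib
import hmac
import os

# Added example: a DEM with confidentiality (counter-mode keystream from SHA-256,
# standing in for a block cipher) and unforgeability (HMAC-SHA256 tag, encrypt-then-MAC).
# The encapsulation key K is assumed to come from the KEM; nothing here is paper code.

NONCE_LEN = 16
TAG_LEN = 32

def _split_key(K: bytes):
    # Derive independent encryption and MAC subkeys from the encapsulation key K.
    k_enc = hmac.new(K, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(K, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac

def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode: block_i = SHA-256(k_enc || nonce || i), truncated to `length` bytes.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(k_enc + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def dem_enc(K: bytes, M: bytes, nonce: bytes = None) -> bytes:
    # C = nonce || (M xor keystream) || HMAC(k_mac, nonce || body)
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    k_enc, k_mac = _split_key(K)
    body = _xor(M, _keystream(k_enc, nonce, len(M)))
    tag = hmac.new(k_mac, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def dem_dec(K: bytes, C: bytes):
    # Returns M, or None (the paper's ⊥) if C is malformed or the tag does not verify.
    if len(C) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = C[:NONCE_LEN], C[NONCE_LEN:-TAG_LEN], C[-TAG_LEN:]
    k_enc, k_mac = _split_key(K)
    expected = hmac.new(k_mac, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return _xor(body, _keystream(k_enc, nonce, len(body)))

def demo() -> bool:
    # Constructed inputs: a KEM-style key and one receiver's message m_j.
    K = hashlib.sha256(b"constructed encapsulation key from the KEM").digest()
    M = b"message m_j for receiver B_j"
    C = dem_enc(K, M)
    ok = dem_dec(K, C) == M
    tampered = bytearray(C)
    tampered[NONCE_LEN] ^= 0x01          # flip one ciphertext bit
    rejected = dem_dec(K, bytes(tampered)) is None
    return ok and rejected
```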

Security notions
In the proposed scheme, the confidentiality property is defined via indistinguishability against adaptive chosen ciphertext attacks (IND-CCA2), which considers two types of adversaries with different capabilities. A type I adversary acts as a dishonest user, whereas a type II adversary acts as a malicious KGC that can obtain the master secret key of the KGC. The authenticity property is defined via existential unforgeability against adaptive chosen message attacks (EUF-CMA).

Definition 4. (Confidentiality) A heterogeneous hybrid signcryption scheme is said to achieve IND-CCA2 if no probabilistic polynomial time adversary A_1 has a non-negligible advantage in the following game:
Setup: The challenger C runs the Setup algorithm and sends the system parameters and public keys to A_1, whereas the KGC's master key is kept secret. ID*_{B_i} (i = 1, 2, ..., n) is the target identity.
Phase 1. A_1 can ask several kinds of queries to the following random oracles:
• Partial private key query: Submit a query on ID_{B_j}. If ID_{B_j} ≠ ID*_{B_i} (i = 1, 2, ..., n), then return D_{B_j}. Otherwise, C aborts.
Challenge: C decides when Phase 1 ends. A_1 selects two plaintexts M_0, M_1 of the same length, and ID_A, ID_{B_j} (j = 1, 2, ..., n) on which it wants to be challenged, and sends them to C. If ID_{B_j} ≠ ID*_{B_i} (i = 1, 2, ..., n), C fails and aborts. A_1 is not allowed to ask for the partial private key of ID*_{B_i}. Then, C selects b ∈ {0, 1}, runs the corresponding algorithms to obtain the ciphertext σ*, and transmits it to A_1.
Phase 2. A_1 can perform queries as in Phase 1. A_1 cannot query the key extraction for the target identities and must not query the unsigncryption of σ*.
Guess: Finally, A_1 outputs a bit b′. A_1 wins the game if b′ = b.

Definition 5. (Confidentiality) A heterogeneous hybrid signcryption scheme is said to achieve IND-CCA2 if no probabilistic polynomial time adversary A_2 has a non-negligible advantage in the following game:
Setup: The challenger C runs the Setup algorithm and sends the system parameters and public keys to A_2. ID*_{B_i} (i = 1, 2, ..., n) is the target identity.
Phase 1. A_2 can ask several queries to the following random oracles:
• Public key query: Submit a public key query on , update the PK-list with (ID_{B_j}, ⊥, cP), and return pk_{B_j}.
Challenge: C decides when Phase 1 ends. A_2 selects two plaintexts m_0, m_1 of the same length, and ID_A, ID_{B_j} (j = 1, 2, ..., n) on which it wants to be challenged, and sends them to C. If ID_{B_j} ≠ ID*_{B_i} (i = 1, 2, ..., n), C fails and aborts. A_2 is not allowed to query for the secret key of . C then runs the corresponding algorithms to obtain the ciphertext σ* and transmits it to A_2.
Phase 2. A_2 can perform queries as in Phase 1. A_2 cannot query the key extraction for the target identities and must not query the unsigncryption of σ*.
Guess: Finally, A_2 outputs a bit b′, and A_2 wins the game if b′ = b.

Definition 6. (Unforgeability) A heterogeneous hybrid signcryption scheme is said to achieve EUF-CMA if no probabilistic polynomial time forger F has a non-negligible advantage in the following game:
Setup: The challenger C runs the Setup algorithm and sends the system parameters and public keys to F, whereas the PKG's master key is kept secret. ID*_A is the target identity.
Attack: F issues several kinds of queries.
• Private key query: Submit a query on

Heterogeneous hybrid signcryption for multi-message and multireceiver
The MHHSC scheme is described in this section. The proposed scheme involves four parties: the PKG, the KGC, a sender ID_A, and n receivers {ID_{B_i}}_{i=1}^{n}; it allows ID_A to send n messages to the n receivers {ID_{B_i}}_{i=1}^{n}. KDF in the scheme denotes a key extraction function into G_1. Moreover, the PKG and KGC can compute pseudo-identities for the users in their respective systems, and the key pairs or partial private keys of all users are generated by the PKG or KGC via these pseudo-identities.
• Setup: Let G_1 and G_2 be two cyclic groups of prime order q, where G_1 is additive and G_2 is multiplicative, and let P be a generator of G_1. Let e: G_1 × G_1 → G_2 be an admissible bilinear map and KDF: {0, 1}^{l_m} → G_1 a key extraction function (l_m is the length of a key).
1. PKG randomly selects s_1 ∈ Z_q^* and two hash functions: where s_1 is a master secret key that only the PKG knows.
• Anony-IBC-KG: Users in IBC obtain their private key as follows: where T denotes the validity period of this pseudo-identity. Finally, the identity of sender A is ID_A = (ID_{A,1}, ID_{A,2}, T).

PKG generates a private key for IBC users as sk
• Anony-CLC-KG: Users in CLC obtain their partial private key as follows: where T_i denotes the validity period of this pseudo-identity. Finally, the identity of receiver B_i is
2. KGC generates the partial private key for CLC users as
• Signcrypt: A sender A signcrypts n messages m_i (i = 1, 2, ..., n) to n receivers B_i (i = 1, 2, ..., n) as follows:
• Unsigncrypt: After receiving a ciphertext σ = (C, f(U_1, U_2, S, φ)), the receiver B_i (i ∈ {1, 2, ..., n}) decrypts σ as follows:
4. Accept the message if and only if the following equation holds:
Note that, for conditional privacy preservation, each user is mapped to a distinct pseudo-identity ID_U = (ID_{U,1}, ID_{U,2}, T). The PKG or KGC can retrieve the real identity from any pseudo-identity as RID_U = ID_{U,2} ⊕ H_i(s·ID_{U,1}, T) for any disputed event. In addition, the pseudo-identity ID_U is generated jointly by the user and the PKG or KGC. Hence, only the PKG or KGC, which knows the master secret s, can retrieve the real identity RID_U from ID_U.
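The pseudo-identity mapping and tracing just described, as an added illustration that is not code from the paper. It assumes the hash of the group element s·ID_{U,1} is replaced by HMAC-SHA256 keyed with the master secret s (so it runs without a pairing library), that real identities are padded to a fixed 32 bytes, and that the names Authority, issue and trace are placeholders of mine.

```python
import hashlib
import hmac
import os

# Added example, not the paper's code. Models ID_U = (ID_U,1, ID_U,2, T) with
#   ID_U,2 = RID_U xor H(s*ID_U,1, T)   and tracing   RID_U = ID_U,2 xor H(s*ID_U,1, T).
# Assumption: H(s*ID_U,1, T) is replaced by HMAC-SHA256(key=s, ID_U,1 || T), which
# likewise can only be evaluated by the holder of the master secret s.

RID_LEN = 32  # real identities are zero-padded to the mask width

def _mask(s: bytes, id1: bytes, T: str) -> bytes:
    # Stand-in for H_i(s*ID_U,1, T); 32 bytes, so it can mask a padded RID.
    return hmac.new(s, id1 + T.encode(), hashlib.sha256).digest()

def _encode_rid(rid: str) -> bytes:
    b = rid.encode()
    if len(b) > RID_LEN:
        raise ValueError("real identity longer than RID_LEN bytes")
    return b.ljust(RID_LEN, b"\x00")

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def user_contribution() -> bytes:
    # ID_U,1: the user's fresh random contribution, so two pseudo-identities of the
    # same user are unlinkable to anyone without s.
    return os.urandom(16)

class Authority:
    # Either the PKG or the KGC: holds its own master secret s and issues
    # pseudo-identities only for users of its own system.
    def __init__(self, s: bytes):
        self.s = s

    def issue(self, rid: str, id1: bytes, T: str):
        # Blind RID_U into ID_U,2 for validity period T; returns (ID_U,1, ID_U,2, T).
        id2 = _xor(_encode_rid(rid), _mask(self.s, id1, T))
        return (id1, id2, T)

    def trace(self, pseudo_id) -> str:
        # Recover RID_U from a pseudo-identity; only meaningful with the issuing s.
        id1, id2, T = pseudo_id
        return _xor(id2, _mask(self.s, id1, T)).rstrip(b"\x00").decode(errors="replace")

def demo() -> bool:
    kgc = Authority(os.urandom(32))          # constructed KGC master secret
    pid_a = kgc.issue("vehicle-0042", user_contribution(), "2017-09")
    pid_b = kgc.issue("vehicle-0042", user_contribution(), "2017-09")
    traced = kgc.trace(pid_a) == "vehicle-0042"
    unlinkable = pid_a[1] != pid_b[1]        # same RID, different ID_U,2
    pkg = Authority(os.urandom(32))          # a different master key cannot trace
    wrong_key = pkg.trace(pid_a) != "vehicle-0042"
    return traced and unlinkable and wrong_key
```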

Security proof
In this section, we prove that the proposed IBC-to-CLC hybrid scheme achieves the security requirements of confidentiality and unforgeability. To demonstrate the security of our scheme, we assume that the adversary asks q_{H_i} queries to H_i for i = 1, 2, 3, 4, 5; q_u queries to unsigncryption; q_s queries to signcryption; q_{ppk} queries to the partial private key; q_{sk} queries to the secret key; q_{pk} queries to public key extraction; and q_{pkr} queries to public key replacement.

Confidentiality
Proof. We construct a simulator C that uses A_1 to decide whether T = e(P, P)^{abc^{-1}}, given a random instance (P, aP, bP, cP, c^{-1}P, T) of the VDBDH problem. This proof considers the indistinguishability of M.
Setup: At the beginning, C sets P_2 = cP and provides the system parameters to the attacker A_1. The target identity is ID*_{B_i} (i = 1, 2, ..., n).
Phase 1. A_1 requests a number of queries. C keeps the H_i-lists (i = 1, 2, 3, 4, 5) and the PK-list, which are used to record the answers to the corresponding H_i queries and public key queries.
• H_3 query: Input an identity
• H_i (i = 0, 1, 2, 5) query: Upon receiving an H_i query, if the corresponding query exists in the H_i-list, return it to A_1. Otherwise, C randomly selects an integer as the query result and returns it to A_1. Meanwhile, C places the query result into the H_i-list.
• Partial private key query: Upon receiving a partial private key query on ID_{B_j}: if ID_{B_j} ≠ ID*_{B_i} (i = 1, 2, ..., n), C retrieves the corresponding (ID_{B_j}, t_j, Q_{B_j}) from the H_3-list, sets D_{B_j} = t_j c^{-1} P and returns D_{B_j}. Otherwise, C aborts.
• Public key query: When C receives a public key query on ID_{B_j}, if there exists (ID_{B_j}, x_{B_j}, pk_{B_j}) in the PK-list, then C returns pk_{B_j}; otherwise, C randomly selects x_{B_j} ∈ Z_q^*, computes pk_{B_j} = x_{B_j} P, places (ID_{B_j}, x_{B_j}, pk_{B_j}) into the PK-list, and returns pk_{B_j} as the answer.
• Replace public key: When C receives a replace public key query on ID_{B_j}, C first finds (ID_{B_j}, x_{B_j}, pk_{B_j}) in the PK-list, then updates the PK-list with the tuple (ID_{B_j}, ⊥, pk′_{B_j}) and sets x_{B_j} = ⊥, pk_{B_j} = pk′_{B_j}.
• Secret key query: When C receives a secret key query on ID_{B_j}, if the public key of ID_{B_j} has been replaced, then C returns ⊥. Otherwise, (ID_{B_j}, x_{B_j}, pk_{B_j}) exists in the PK-list and C returns x_{B_j} as the answer.
• Challenge: After the first stage, A_1 outputs two plaintexts M_0, M_1 and ID_A, ID_{B_j} (j = 1, 2, ..., n) to C. If ID_{B_j} ≠ ID*_{B_i} (i = 1, 2, ..., n), then C fails and aborts. Otherwise, C randomly chooses
Then, we assess the probability. The probability of failing in signcryption queries is at most (q_{H_4} + q_s) q_s / 2^k, and the probability of failing in unsigncryption queries is at most q_u / 2^k. Note that the probability that C does not fail in the first stage is (q_{H_3} − q_{ppk}) / q_{H_3}. Furthermore, with probability exactly 1 / (q_{H_3} − q_{ppk}), A_1 chooses to be challenged on ID*_{B_i}. Thus, the advantage of C is

Lemma 2. In the random oracle model, if an IND-CCA2 adversary A_2 has an advantage against MHHSC, then there is an algorithm C that solves the DBDH problem with an advantage
Proof. We construct a simulator C that uses A_2 to decide whether T = e(P, P)^{abc}, given a random instance (P, aP, bP, cP, T) of the DBDH problem. This proof considers the indistinguishability of m_j.
Setup: At the beginning, C sets P_2 = s_2 P and provides the system parameters to the attacker A_2. The target identity is ID*_{B_i} (i = 1, 2, ..., n).
Phase 1. A_2 requests a number of queries. C keeps the H_i-lists (i = 1, 2, 3, 4, 5) and the PK-list, which are used to record the answers to the corresponding H_i queries and public key queries.
• H_3 query: Input an identity
• H_i (i = 0, 1, 2, 4, 5) query: Upon receiving an H_i query, if the corresponding query exists in the H_i-list, then return it to A_2. Otherwise, C randomly selects an integer as the query result and returns it to A_2. Meanwhile, C places the query result into the H_i-list.
• Public key query: Upon receiving a public key query on ID_{B_j}: if ID_{B_j} ≠ ID*_{B_i} (i = 1, 2, ..., n), C randomly selects x_{B_j} ∈ Z_q^*, computes pk_{B_j} = x_{B_j} P and updates the PK-list. If ID_{B_j} = ID*_{B_i} (i = 1, 2, ..., n), C sets pk_{B_j} = cP, updates the PK-list with (ID_{B_j}, ⊥, cP) and returns pk_{B_j}.
• Secret key query: When C receives a secret key query on ID_{B_j}, if ID_{B_j} = ID*_{B_i} (i = 1, 2, ..., n), C returns ⊥. Otherwise, (ID_{B_j}, x_{B_j}, pk_{B_j}) exists in the PK-list and C returns x_{B_j}.
• Unsigncrypt query: When receiving an unsigncrypt query under ID_A, ID_{B_j} and ciphertext σ, C can compute V_j = e(U_1, D_{B_j}), obtain r_2 = φ_j ⊕ H_4(V_j) and K = KDF(r_2), and recover M = DEM.Dec(K, C). Then, if ID_{B_j} = ID*_{B_i} (i = 1, 2, ..., n), C fails and stops (C cannot compute R_j, since only ID_{B_j}, which holds sk_{B_j}, can compute it). Otherwise, ID_{B_j} recovers its own message m_j = (m_j ⊕ R_j) ⊕ R_j, submits an H_5 query to obtain h_j, and checks the equation e(P_1, S_j) = e(P, U_2 + h_j Q_A). If it holds, m_j is returned; otherwise, ⊥ is output.
Challenge: After the first stage, A_2 outputs two plaintexts m_0, m_1 and ID_A, ID_{B_j} (j = 1, 2, ..., n) to C. If ID_{B_j} ≠ ID*_{B_i} (i = 1, 2, ..., n), C fails and aborts. Otherwise, C randomly chooses
A_2 then requests a second series of queries as before.
Guess: At the end of the simulation, A_2 outputs a bit b′, for which C believes the relation to be a solution of the DBDH problem. Then, we assess the probability. The probability of failing in signcryption queries is at most q_s / 2^k, and the probability of failing in unsigncryption queries is at most q_u / 2^k. Note that the probability that C does not fail in the first stage is (q_{H_3} − q_{sk}) / q_{H_3}. Furthermore, with probability exactly 1 / (q_{H_3} − q_{sk}), A_2 chooses to be challenged on ID*_{B_i}. Thus, the advantage of C is … − (q_u − q_s) / 2^{k−1} … 2q_{H_3}.

Unforgeability
Theorem 2. In the random oracle model, if an EUF-CMA adversary F has an advantage against MHHSC, then there exists an algorithm C that solves the VCBDH problem with an advantage
Proof. We construct a simulator C that uses F to compute e(P, P)^{abd^{-1}}, given a random instance (P, aP, bP, dP, d^{-1}P) of the VCBDH problem.
Setup: At the beginning, C sets P_1 = dP and provides the system parameters to the attacker F. The target identity is ID*_A.
Attack: F requests a number of queries. C keeps the H_i-lists (i = 1, 2, 3, 4, 5), which are used to record the answers to the corresponding H_i queries.
The equation e(P_1, S_i) = e(P, U_2 + h_i Q_A) holds.
Forge: Finally, F outputs σ* and ID_A, ID_{B_i} to C. If ID_A ≠ ID*_A, C fails and aborts. Otherwise, by the forking lemma [25], C selects a different hash function h_i and interacts with F on the same random tape, so that the adversary F produces a different forgery σ′*. We know that σ* and σ′* must satisfy the equation , is obtained, and then C derives the value of e(P, P)^{abd^{-1}} as e(aP, bd^{-1}P). Hence, C successfully solves the VCBDH problem.
The probability of failing in signcryption queries is at most (q_{H_4} + q_s) q_s / 2^k. With probability exactly 1 / (q_{H_1} − q_{sk}), F chooses to be challenged on ID*_A. Then, the advantage of C is

Performance evaluation

Functionality comparison
To our knowledge, no hybrid signcryption scheme has achieved heterogeneity. Therefore, we compare our scheme with the existing heterogeneous signcryption schemes [6, 8] in terms of support for multi-message, multi-recipient, identity privacy preservation, heterogeneous systems, and different master keys. Table 1 illustrates that our scheme has many desirable features. First, the scheme takes advantage of pseudo-identities to ensure the anonymity of senders and receivers. Second, the scheme supports heterogeneous systems with different master keys. Our scheme therefore has more advantages from the functionality and system-setup perspective. Next, we compare the computational cost of scheme [8] with that of our scheme. In scheme [8], numerous additions and multiplications must be executed to compute p_i(x) and F_i. Even if the steps of computing p_i(x) and F_i are not counted, Table 2 shows that scheme [8] still requires 7P, 6M and 3E, indicating that it is less efficient than our scheme. Here P, M, and E denote pairing, multiplication, and exponentiation operations, respectively.

Computational overhead comparison
To provide numerical results, we implemented IBC-CLC MHHSC and measured the performance of the signcryption and unsigncryption operations. Our implementation is written in C using the Pairing-Based Cryptography Library (Libpbc) [26], and the computations use the curve groups implemented in that library. The computations were run on a PC with a 3.10 GHz CPU, 4 GB of RAM, and a Linux operating system. In the experiment, we used elliptic curves with a base field size of 512 bits and an embedding degree of 2; the security level is set to |p| = 512. The performance results of our scheme are shown in Fig 1, which gives the total, signcryption, and unsigncryption operation times when the number of receivers is set to n = 1, 10, 50, 100, 200, 500, 1000. The figure shows that the signcryption time increases with the number of recipients. In unsigncryption, however, each receiver operates only on its own message, so the unsigncryption time does not grow with the number of receivers: compared with the signcryption and total operation times for 1000 receivers, the unsigncryption time is 0.018, near the bottom of the axis. Our scheme therefore enables efficient communication between two systems with a large difference in computing power. Users in IBC can handle large amounts of data, while users in CLC only need to deal with a small amount, as in infrastructure-to-vehicle (I2V) communication in vehicular ad hoc networks (VANETs): trusted authorities or road side units, which have much more capability, can be users of the IBC system, and hundreds of on-board units, whose capability is limited, can be users of the CLC system.

Conclusion
We propose a novel conditional privacy-preserving heterogeneous hybrid signcryption scheme from IBC to CLC (MHHSC), which allows multiple messages to be sent to multiple receivers. The proposed scheme uses different master secret keys in the two systems and maps each user to a distinct pseudo-identity; only the trusted authority can trace the real identity for a disputed event when necessary, which ensures conditional privacy preservation for all users in the heterogeneous systems. This makes the scheme more practical for real applications, such as VANETs. Moreover, we provide the formal definition and security models for the heterogeneous hybrid signcryption scheme. The proofs show that our scheme achieves indistinguishability against adaptive chosen ciphertext attacks and existential unforgeability against adaptive chosen message attacks, which satisfies confidentiality and unforgeability in the random oracle model. Given today's diverse and complex network systems and application environments, our follow-up work could be to propose a bidirectional heterogeneous signcryption scheme between IBC and CLC for multi-party users.