Privacy protection

There is much information that is vulnerable to attackers. In 2017, Adat et al. discussed the history, background, statistics of IoT and security based analysis of IoT architecture and provided taxonomy of various defense mechanisms [20]. It is urgent to protect private information. The existing privacy protection technologies can be divided into two categories: data distortion and data encryption approaches [11].

Technologies based on data distortion distort sensitive data while keeping some data or data attributes unchanged, and the most common technique of this type is the differential privacy technique. In 2018, Ye [21] proposed a new localized differential privacy protection model. The protection model adopts random response technology, which first makes the data private and then sends it, to provide comprehensive protection for sensitive information; this approach can not only resist attackers with arbitrary background knowledge but also prevent privacy attacks from distrusted third parties. However, it depends heavily on the accompanying data, and different algorithms are designed for different data, so it has no universality. In 2021, Stergoiu et al. [22] proposed an innovative system of secure caching scenario which operates in a wireless-mobile 6G network for managing BD on Smart Buildings(SB) and created a novel and secure Cache Decision System(CDS) in a wireless network that operates over a SB, which offer the users a safer and efficient environment for browsing the internet, sharing and managing large-scale data in the fog. It could be a start point for better and more efficient wireless networking scenario, for managing and sharing Big Data on a Smart Building.

Technologies based on data encryption hide sensitive data in the process of data mining. It is mainly used in distributed application environments and can solve the communication security problem. At present, Homomorphic Encryption (HE) is widely used. HE refers to specific classes of encryption schemes that allow for computing directly on encrypted data without having to decrypt them. In 2020, Zhao [23] presented a circular secure public key homomorphic encryption scheme using noise flooding technique, and provided security proofs and parameter setting. Furthermore, by introducing the refuse sampling technique, an optimized circular secure public key homomorphic encryption scheme was given, and the system parameters were reduced from the super-polynomial level to the polynomial level, thereby greatly reducing the size of the public key and ciphertext. Then, the computational complexity of ciphertext evaluation could be effectively improved, and the performance of the homomorphic encryption scheme could be enhanced. However, at the same time, there are some problems with this method, such as high computing costs, high communication costs, complex deployment, and high practical application difficulty. In 2021, Zhang et al. [24] proposed a secure decentralized spatial crowdsourcing scheme for 6G-Enabled Network in Box using CBC-MAC authenticated encryption mechanism to provide confidentiality and integrity. It solves leakage of sensing nodes locations. But it Still hasn’t solved the problem of data leaks in transit. In the same year, in order to solve the security of shared information VANET system, Vijayakumar et al. [25] proposed an efficient batch authentication and key exchange schemes, which will be applied to blockchain users in the future. Then, Azees et al. [26] completed the following work, applying blockchain technology to the security guarantee of VANET system, realizing the rapid reauthentication of vehicles, and making a contribution to the information security in the future blockchain era.

Content extraction signature

The Content Extraction Signature (CES) was first proposed by Steinfeld [27]. According to the technology used, CES types are mainly divided into a CommitVector (CV)-based content extraction signature, an RSA-based content extraction signature, and a hash tree (HT)-based content extraction signature.

A CES scheme [3] based on a CV has the characteristics of unforgeability and exclusivity. Its unforgeability is jointly guaranteed by the standard digital signature EUF-CMA and the binding of the message commitment scheme, while its exclusivity is guaranteed by the hiding of the message commitment scheme. Scheme [27] formalized and proved these two securities. Scheme [3] has a lower computational cost than the CES scheme [27], which requires a signature operation and a commitment operation to be performed for the original signature generation process. However, because the original signature and the intercepted signature contain the committed random numbers of all the retained sub-data and the committed values of the deleted sub-data, the length of the signature expands, and the communication overhead increases.

To solve the problem of CVs, an RSA-based CES was proposed. An RSA-based CES is formed on the basis of a CV-based CES using the RSA signature, and the length of the signature is only the length of the modulo of the RSA signature, which greatly reduces the length of the signature. Combining this with the idea of batch signatures, in 2014, Li [4] proposed an improved scheme for content extraction signatures based on RSA. The scheme can judge whether a content extraction access structure (CEAS) meets the given extraction conditions through the correspondence between (M′) and CI(M′). In 2015, Lan [28] proposed an identity-based CES scheme. This scheme does not need to sign every sub-message, thereby improving efficiency, and it can prevent PKG from forging signatures and thus improve its application value. In 2017, Wang [29], based on [28], achieved the goal of shortening the length of the signature by reducing the commitment value and random number and performed unified signature and verification operations on sub-messages, which improved the efficiency of signing and verification.

However, by using quantum cryptography, the keys of Std.RSA might get broken down to approximately 850 bits. This result in the need to enhance the current public key cryptosystem. Thus, the HT-based CES was proposed. Drawing on the idea of a binary tree, hashing every two message blocks generates a commitment hash value, recursively, layer by layer, and obtains a total hash value, which greatly reduces the chance of the CES breaking. In 2016, Thirumalai [30] proposed a commitment tree-based batch signature scheme. Compared with the CV-based CES and RSA-based CES, this scheme has a lower signature length, fewer calculation operations, and improved signature efficiency. In 2019, Szalachowski [31] proposed a TLS-N method based on the TLS extension. In this method, the Merkle tree is used during the process of generating evidence. The server generates evidence about the TLS session content, generates a noninteractive certificate about the TLS session content on the client, and then sends the session content and the certificate to a third party for verification. In 2020, Cheng [32] proposed a blockchain based secure storage and sharing scheme for electronic health records data. In this scheme, a certificateless content extraction signature algorithm is used to provide privacy protection, secure sharing of data has realized in combination with smart contracts. The combination of blockchain and content extraction signature is better applied in the electronic medical records.

Signcryption

Signcryption is a cryptographic primitive that captures a common practical scenario where one simultaneously requires confidentiality and nonrepudiation for transmitted data. Signcryption schemes achieve confidentiality and authentication simultaneously by combining public key encryption and digital signatures, offering better overall performance and security than other schemes [11]. There are three types of signcryption: public key infrastructure (PKI)-based signcryption, identity (ID)-based signcryption, and certificateless signcryption.

A PKI is required to manage and distribute public keys. In such systems, a public key is bound to the corresponding unique user ID. Trusted third-party tools are used to bind the users to unique public keys through an appropriate registration process. Based on the PKI concept, in 1997, Zheng [2] proposed signcryption, which has since been widely discussed and studied. The original scheme used interactive zero-knowledge proof technology, which is not efficient. In 2019, Yan [5] proposed a signcryption scheme that directly uses the sender’s public key to verify the validity of the signature. Compared with the sign-then-encrypt mechanism, the public key size and the computational cost of the signcryption operation are both obviously reduced. However, the use of an additional third-party application makes public key cryptography expensive and inefficient.

To overcome the problem of the PKI management system, many ID-based signcryption schemes have been proposed. The idea of ID-based signcryption was first proposed by Malone [6] in 2002 along with a security model. This model was developed by Boyen [7]. Three new security notions were added: ciphertext unlinkability, ciphertext authentication and ciphertext anonymity. In 2019, Wang [8] proposed a basic model for ID-based signcryption schemes that can use bilinear pairs to design signcryption schemes. In the same year, Shankar [8] pointed out that scheme [8] was not secure and proposed three new secure solutions. However, they do not satisfy public verifiability and forward security at the same time. In response to this problem, in 2019, Pan [10] proposed a solution that uses two private keys for signcryption and unsigncryption. In 2019, Deng [33] proposed a new ID-based signcryption model, that solved the problem in which [9] does not simultaneously satisfy public verifiability and forward security. However, the system needs a third-party application for private key management to generate them secretly and distribute them to users.

To address PKI-based and ID-based signcryption issues, a certificateless signcryption approach was proposed by Riyamin [11] in 2008. It presents stronger security properties than one might expect from its internal building blocks; sharing randomness between encryption and signature modules not only provides extra savings in terms of the computational and bandwidth loads but also yields strong insider security guarantees. In 2019, Gao [12] proposed an improved certificateless signcryption scheme. This scheme guarantees the security of the signcryption phase by defining the length of the message space during the system establishment phase. In the same year, Wang [13] proposed the definition of a blind signcryption scheme under certificated and certificateless public key cryptosystems and proposed a blind signcryption scheme based on bilinear pairing. The scheme increases blindness, but the computational cost does not increase significantly. In 2020, Fang [34] proposed a certificateless multi-receiver multi-message simultaneous broadcast signcryption scheme. Combined with random elements in an elliptic curve cyclic group, the encryption key is generated, which solves the problems of receiver decryption ciphertext and identity anonymity protection. However, the scheme lacks a security mechanism when verifying the signcryption.

Commitment

Commitment, with two characteristics of Hiding and Binding, is a fundamental model in the field of cryptography. Hiding means that the commitment can hide information, that is, no other entity can obtain information from the commitment except the entity that places the information there. Binding means that no entity is allowed to change the information within the commitment, and it can verify that the information it receives is indeed the information originally promised.

The commitment scheme is composed of three algorithms: Gen(), Com() nad Ver().

Initialization phase: Gen() accepts a “1” bit string of length k as input and outputs a common reference string crs.

(1)

Commitment phase: Com() accepts a common reference string crs and a committed message m as input, and outputs m’s commitment value com and decommitment information dec.

(2)

Decommitment phase: The sender sends dec and m to the receiver.

Verification phase: Ver() accepts the message m, common string crs, commitment value com and decommitment information dec as input, and it outputs verification result.

(3)

In the SECCESPP scheme, the entire message M is divided into n blocks, M = {M[1], M[2], … M[i], …, M[n]}, along with a random number string called salt, and used as input for the message commitment algorithm C(). Because the entropy of the message block is low, pseudorandom salt can be used to protect the committed privacy and avoid brute force attacks. Combine the message block M[i] and pseudorandom salt together to generate the commitment . Recalculate the commitment for the new message M′[i] during the verification phase. If c = c′ is true, the new message M′[i] is indeed the message M[i] originally promised.

Salt tree

The leaf nodes in a salt tree are used as salt to generate a binary commitment tree to greatly increase the computations required by an attack.

To protect privacy, and must remain independent, meaning that the salt tree generation process cannot be sent directly to the verifier and must be retrieve. The salt tree is constructed by the function E(), and the salt value is obtained as the input of the binary commitment tree. The inputs for the function E() are a session-based secret value and a Nonce random value, and the output is a pseudorandom salt. During the verification process, the corresponding salt is required for completion.

Binary commitment tree

The purpose of building the binary commitment tree is to include the commitment in the proof. The commitment value generated by the commitment algorithm serves as input for obtaining the leaf node value of the binary commitment tree. The hash value h_i of the binary commitment tree is calculated by the anti-collision hash function of the hash value, session message length l_r and signer information of O_i its child node. O_i is the i-th member of the order vector. The commitment values generated in section II.B are used as leaf nodes to generate the hash chain. All the leaf nodes can be verified by signature verification of the root node using the binary commitment tree.

The generation process for a binary commitment tree is as follow: A session message Record i consists of n sub-message blocks. Each message block and its corresponding salt leaf node salt secret serve as input; the commitment value c is generated as the leaf node of the binary commitment tree. Every two leaf nodes are hashed in a cascade recursively, layer by layer, until the root node is finally obtained. At this point, the binary commitment tree construction process is completed.

Content extraction access structure

To extract sub-message blocks from the original message, the concept of a content extraction access structure (CEAS) is introduced. Sub-message block numbers in a CEAS must be extracted after the original message is partitioned. For example, {M[1], M[2], M[3], M[4]} means that the original message M is divided into four sub-message blocks; CEAS = {1,3} means that sub-message blocks M[1] and M[3] must be extracted, and sub-message blocks M[2] and M[4] can be extracted. If CI(M′) = {1, 3, 4}, then M = {M[1],?, M[3], M[4]}, where ‘?’ represents the unextracted sub-message block, which is denoted as CEAS ∈ CI(M′). Such an extraction method is legal. If CI(M′) = {3, 4}, then M′ = {?,?, M[3], M[4]}, and this is represented as CEAS ∉ CI(M′); this kind of extraction method is illegal.

Key-Generation algorithm

The Key-Generation algorithm generates a public key SK_A and a private key PK_A for signer A in a certificateless cryptosystem.

1. Set up the system parameters: First, the KGC (key generator center) selects the master number of k-bits P, where k is the security parameter, and obtains {F_P, E / F_P, G, P}. Then, is selected as the system master key msk, and the master public key P_pub = xP is calculated. Next, hash function are selected:, H₂: {0, 1}* → {0,1}^k, H₃: {0, 1}* → {0,1}^k and . The KGC saves params = {F_p, E / F_p, G, P, H₁, H₂, H₃, H₄}.
2. Signer A randomly selects as the secret value, computes P_A = x_A · P, and sends it to the KGC, where the identity of signer A is ID_A. The KGC calculates h_A = H₁(ID_A, R_A, P_A), R_A = r_A · P and s_A = r_A + h_Ax mod n to generate a partial key D_A = {S_A, R_A}. Finally, the private key SK_A = (x_A, s_A) and public key PK_A = (P_A, R_A) are produced for signer A in a certificateless public cryptosystem.

Signature-Generation algorithm

The Signature-Generation algorithm generates the signature σ_F for the entire message M. The entire message M is divided into n blocks, M = {M[1], M[2], … M[i], …, M[n]}. M′ is any submessage extracted from M.ext(i) represents the number of submessage blocks that are common in M and M′. CEAS is a content extraction access structure. The complete pseudocode for signature generation is given in Algorithm 1.

Algorithm 1 Signature-Generation

Input: params, ID_A, SK_A, PK_A, M, CEAS

Output: signature σ_F

1: repeat

2:  , a[i] = A_n[i]l v_a[i] = c[i]

3: until i > n

4:  while a ∈ I_n do v_a = H₂ (v_a,0, v_a,1)

5:  end while

6: choose , R = l · P

7: h = H₃ (v₀, R, PK_A)

8: if gcd(l + h, n) = 1 then

9:  s = (l + h)⁻¹ (x_A + s_A)mod n

10: end if σ_F = (CEAS, R, s, c[i]_i∈n)

11: return σ_F //generates signature

Signcryption-Extraction algorithm

After receiving the signature σ_F, the signcryptor obtains v₀ according to the Signature-Generation algorithm, calculates h_A = H₁(ID_A, R_A, P_A) and h = H₃(v₀, R, PK_A), and verifies the equation s(R+ hP) = P_A + R_A + h_AP_pub. If the equation is not correct, the signcryptor stops the algorithm. Otherwise, the following steps are performed to obtain the signcryption σ_E:

1. Generate ext(i) according to the CEAS.
2. Extract M′ = {M′[1], M′[2], M′[3], …, M′[i], …, M′[n]}. The specific measures are as follows: if i ∈ ext(i), M′[i] = M[i], indicating that the submessage block is extracted; Otherwise, M′[i] = c[i].
3. Calculate E_A, E and extract the signcryption σ_E

The complete pseudo code for signcryption extraction is given in Algorithm 2.

Algorithm 2 Signcryption-Extraction

Input: message M, signature σ_F, ext(i), PK_A

Output: signature σ_E

1: (CEAS, R, s, c[i]_i∈n) ← σ_F

2:  repeat

3:   v_a[i] = c[i]

4:   while a ∈ I_n do v_a = H₂(V_a,0, V_a,1)

5:   end while

6:  h_A = H₁(ID_A, R_A, P_A), h = H₃(v₀, R, PK_A)

7:  if s(R + hP) = P_A + R_A + h_AP_pub then

8:    if i ∈ ext(i) then //generates ext(i)

9:    M′[i] = M[i]

10:   else M′[i] = c[i]

11:   end if

12:  end if

13:  E_A = l(P_A + R_A + h_AP_pub), E = H₄(E_A) ⊕ M′

14:  σ_E = (E, CEAS, ext(i), R, s)

15:  return σ_E

Signcryption-Verification algorithm

After receiving the signcryption σ_E, the verifier decrypts M′and v₀ and verifies the signcryption by the equation s(R + hP) = P_A + R_A + h_AP_pub. The complete pseudocode for signcryption verification is given in Algorithm 3.

Algorithm 3 Signcryption-Verification

Input: submessage M′, signcryption σ_E, PK_A

Output: verification result

1:  if ext(i) ∈ CEAS then //else, stops the algorithm

2:  E_B = s(x_A + s_A)(P_A + R_A R + h · p)

3:   M′ = E ⊕ H₄(E_B) //decrypts M′

4:  repeat

5:   c[i] = C(M[i], S_iR,ic), a[i] = A_n[i]; v_a[i] = c[i]

6:   while a ∈ I_n do

7:    v_a = H₂(v_a,0, v_a,1) //gets (decrypts) v₀

8:   end while

9:  h_A = H₁(ID_A, R_A, P_A), h = H₄(v₀, R, PK_A)

10:  if s(R + hP) = P_A + R_A + h_AP_pub then

11:   return Acc // σ_E verified successfully

12:  else

13:   return Rej // σ_E verification failed

Message consistency

Message consistency indicates that the extracted message M′ in the Signcryption-Extraction algorithm is consistent with the decrypted message M′ in the Signcryption-Verification algorithm.

We analyze the consistency between the submessage M″ extracted in the Signcryption-Extraction algorithm and the submessage M‴ decrypted in the Signcryption-Verification algorithm.

Submessage M″ is extracted in the Signcryption-Extraction algorithm using the following equation: (4)

Submessage M″ is decrypted in the Signcryption-Verification algorithm using the following equation: (5)

The fact is that M″ and M‴ are the same, hence, the SECCESPP scheme has consistency.

Equation accuracy

If equation s(R + hP) = P_A + R_A + h_AP_pub in the Signcryption-Verification algorithm is true, then the SECCESPP scheme is bounded. In this section, we check s(R + hP) = P_A + R_A + h_AP_pub with the following process.

(6)

Therefore, s(R + hP) = P_A + R_A + h_AP_pub is true, and the SECCESPP scheme is bounded.

Security under the random oracle model

The SECCESPP scheme is demonstrably secure under the random oracle model in [35] and can resist adaptive chosen message attack. The possible attacks are divided into two types.

TYPE 1: The attacker does not have access to the primary key. However, the attacker can request or replace the user public key. As discussed above, we impose several natural restrictions on TYPE 1: (1) The attacker cannot extract the private key for ID_i at any point. (2) The attacker cannot request the private key for and identity if the corresponding public has already been replaced.

TYPE 2: The attacker does have access to privacy, but cannot request or replace the user public key. The restrictions on this type of attacker are as follows: (1) The attacker cannot replace public keys at any point. (2) The attacker cannot extract the private key for ID_i at any point.

The proofs for the two types of attacks are similar. Hence, we only present the proof for the attacker who does not access the primary key but can request or replace the user public key.

Definition (ECDLP): For a random number , given two elements P, Q such that Q = x * P, the goal of the ECDLP is to calculate x.

Theorem: In the random oracle model, the SECCESPP scheme is secure if the ECDLP is intractable.

Proof: Assume that attacker B who attacks the SECCESPP scheme. Let attacker B construct algorithm F to solve the ECDLP problem.

Initialization Phase: F initializes P and Q and transmits the public parameters to attacker B. The public parameter is params = {F_p, E / F_p, G, P, P_pub = Q, H₁, H₂, H₃, H₄}.

Queries Phase: Attacker B executes the following queries, and F adaptively responds to these queries.

1. User query: When attacker B performs a user query on ID_i, challenger F selects a random number t ∈ {1, 2, …, q_c}. Then, the pseudo-code is executed.
   User query pseudo-code
   1:  if (i ≠ t) {
   2:   F selects , s_i · P = R_i + h_i · P_pub;
   3:   Computes R_i = a · P_pub + b · P, P_i = c · P, s_i = b, x_i = c, h_i = H₁(ID_i, R_i, P_i) ← −a mod n;
   4:    Returns (ID_i, R_i, P_i, s_i, x_i, h_i)and adds into ;}
   5:   else{
   6:   F selects ;
   7:    Computes R_i = a · P_pub + b · P, P_i = c · P, s_i = x_i = ⊥, h_i = H₁(ID_i, R_i, P_i) ← −a mod n;
   8:   Adds (ID_i, R_i, P_i, s_i, x_i, h_i) to C − List
   9:   Adds (ID_i, R_i, P_i, h_i) to ;
   10:   Returns (ID_i, R_i, P_i, h_i) to attacker B;}
2. Partial Key Extraction query: If ID_i does not exist, ⊥is output. If ID_i exists and (i ≠ t), some of the private keys are returned. Otherwise, F stops.
3. Public Key Replacement query: If ID_i does not exist, ⊥is output. Otherwise, B replaces user ID_i’s public key PK_i with and adds it into L_R.
4. Secret Value query: When B executes, it is inputs ID_i. If ID_i does not exist, ⊥ is output. If ID_i exists and (i ≠ t), x_i = c is sent to B. If (i ≠ t), then the process stops and returns ‘failure’.
5. Digest Calculation query: B executes the summary computation query on ω_i = (v₀, R, PK_i). If ID_i does not exists, ⊥is output. Otherwise, for the i-th H₃ query, if ID_i ≠ ID_t, F queries whether (ID_i, R_i, P_i, s_i, x_i, h_i) exists in C − List; If it exists, F picks randomly, and h = H₄(v₀, R, PK_i), whereas if it does not exists, the user’s public key has been replaced. In this case, F generates , and lets s = a, R = a⁻¹h_iP_pub and h = H₄(v₀, R, PK_i) ← a⁻¹(r_i + x_i). If ID_i = ID_t, F picks ξ ∈ {0, 1} at random and sets Pr[ξ = 1] = ξ and Pr[ξ = 0] = 1 − ξ. If ξ = 0, F generates and h = H₄(v₀, R, PK_i) ← a⁻¹(r_i + x_i). If ξ = 1, F generates and lets h = H₄(v₀, R, PK_i). Finally, F returns h to B and adds (ID_i, v₀, R_i, PK_i, h) to C − List.
6. Signcryption Extraction query: When B extracts the signcryption of (v₀, ID_i, H₄(ω_i)), if ID_i does not exist, F outputs ⊥. When ID_i ≠ ID_t, if (ID_i, R_i, P_i, s_i, x_i, h_i) exist in C − List, F signs it with the corresponding private key. However, if (ID_i, R_i, P_i, s_i, x_i, h_i)does not exist in C − List, that means the user’s public key has been replaced. Thus, F lets s = a, R = a⁻¹h_iP_pub and outputs (R, s) as the signcryption. When ID_i ≠ ID_t, if ξ = 1, F returns ‘failure’; otherwise, ξ = 0, F lets s = a, R = a⁻¹h_iP_pub, and it outputs (R, s) as the signcryption.

Forgery: B stops the queries and outputs a valid signcryption (R, s⁽¹⁾). If ID_i ≠ ID*, ‘failure’ is declared. Otherwise, the attack is successful. Then, F makes full use of the generalized Forking lemma [36] of certificateless signatures, inputs two different H₂ values, repeats the above process, and obtains two different signatures (R, s⁽²⁾) and (R, s⁽³⁾). Then, s^(k)(R + h^(k)P) = P_i + R_i + h_iP_pub, k = 1, 2, 3. Additionally R = lP, P_i = r_iP, P_pub = xP; thus, s^(k)(l + h^(k)) = x_i + r_i + h_ix, k = 1, 2, 3.

In the above interrogation process, i, r_i, x are unknown, but F can solve the three unknowns and output x; therefore, the elliptic curve discrete logarithm problem can be solved.

To solve a given instance of the ECDLP, F is required to successfully execute the following events:

T₁: F does not stop the whole time.

T₂: (R, s) is a valid signcryption forgery of .

T₃: q_s is finite and ξ = 1.

The probability of the attack of F being successful is .

Claim1: If T₁ occurs, during the attack of F, the probability of success of the Partial Key Extraction query is , where is the number of times some keys are queried.

Claim2: The probability of success for the Secret Value query is , where is the number of times the secret value is queried.

Claim3: The probability of success for the Signcryption Extraction query is , where q_s represents the number of times the signcryption is extracted.

As a result,. We state that Pr[T₂ | T₁] = ε, so Pr[T₃ | T₁ ^ T₂] = ξ / q_c. We can obtain . At ξ = 1 /(q_s + 1), reaches its maximum value, so . Of course, is a constant and you cannot ignore ε, so you cannot ignore , which contradicts the hypothesis. The SECCESPP scheme is secure under the random oracle model in [29].

Privacy

We analyze the privacy of a signed message in the SECCESPP scheme using the formal analysis tool ProVerif [37,38]. Privacy is modeled as confidentiality. First, Applied PI is used to formalize the SECCESPP scheme. Then, ProVerif is used for analyzing privacy.

Function and equational theory.

The functions and equations used in the modeling process are described in this section. We use the Applied PI calculus to formalize the SECCESPP scheme. Fig 2 depicts the function and equational theory.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 2. Function and equational theory.

https://doi.org/10.1371/journal.pone.0258907.g002

The function and equational theory of the SECCESPP scheme mainly includes the public key encryption algorithm En(x, Pu) encrypt the message x with public key Pu and the decryption algorithm De(y, Pu) decrypt the message which the En(x, Pu) encrypted with private key Pu. The function Pu(y) accepts private value y as input and produces public key as output. The function Pr(y) accepts private value y as input and produces private key as output.

Process

The whole process in Fig 3 consists of three processes: the signer process processSig in Fig 4, the signcryptor process processSc in Fig 5 and the verifier process processVer in Fig 6. They constitute the main process together, as shown.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 3. Main process.

https://doi.org/10.1371/journal.pone.0258907.g003

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 4. Process processSig.

https://doi.org/10.1371/journal.pone.0258907.g004

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 5. Process processSc.

https://doi.org/10.1371/journal.pone.0258907.g005

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 6. Process processVer.

https://doi.org/10.1371/journal.pone.0258907.g006

The signer first divides the entire message into n blocks, and then generates a commitment for each block. After that, the signer calculates R and h. Then, the signer compares the value gcd() and ‘1’. If they are equal then forwards the signature σ_F to the signcryptor process processSc in form of the message m₁ through the public channel c.

The signcryptor receives the message m₁ from the signer process through the public channel c. Then it extracts the extracted message blocks and the correspondent commitments. After that, the signcryptor calculates h and h_A. Then it compares the value s · (R + hP)with P_A + R_A + h_A · P_pub. If they are equal then encrypts the extracted message M′ and follows the content extraction signcryption σ_E to the verifier process processVer in form of the message m₂ through the public channel c.

The verifier receives message m₂ from the signcryptor process through the public channel c. Then it decrypt M′ and v[i], and verifies the signcryption by the equation s(R + hP) = P_A + R_A + h_AP_pub. Finally, the verifier inputs message m₃ as the verification results.

ProVerif for automatic privacy verification.

The privacy of the SECCESPP scheme is modelled as the confidentiality of the signed message M. query attacker: M′ is used to model the confidentiality of the signed message. and is added into formal model in Fig 7.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 7. Model for event query.

https://doi.org/10.1371/journal.pone.0258907.g007

Result analysis.

The result in Fig 8 is true, and the SECCESPP scheme has privacy because M′ is encrypted before it is sent to the verifier. Attackers can only get encrypted message block, thus, privacy is guaranteed.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 8. The result of the privacy analysis.

https://doi.org/10.1371/journal.pone.0258907.g008

Unforgeability

In a certificateless public key cryptosystem, KGC generates a partial private key, and the user generates a secret value and generates a full private key and the public key respectively according to the secret value and the partial private key. This method solves the key management issue in identity-based cryptosystem and the certificate problem in PKI cryptosystem. It is possible for KGC to forge the user’s signature because KGC holds part of the user’s private key. Therefore, we divide the attack model of the SECCESPP scheme into two types:

Adversary A_I: ordinary user attack. In this attack, the attacker cannot obtain the master key but can replace the public key.

Adversary A_II: malicious KGC attack. In this attack, the attacker has the master key and can generate any part of the user’s private key, but it is specified that the user’s public key cannot be replaced.

Since Adversary A_I type is similar to Adversary A_II type but Adversary A_II type is more representative, we provide a proof of unforgeability for the Adversary A_II type.

Theorem: If Adversary A_II can output a valid content extraction signcryption σ_E and has not performed a Signcryption Extraction query, then the attacker succeeds, that is, the SECCESPP scheme is broken.

Lemma: If Adversary A_II wins the game by at least the probability of ε after q_k User query, q_PK Key Extract query and q_s Signcryption Extraction query within a bounded time, then the SECCESPP scheme is said to be unforgeability under an adaptive chosen message attack.

Game: The SECCESPP scheme in the Adversary A_II case of the adaptive chosen message attack game, which is between challenger C and Adversary A_II.

Proof: The security model of unforgeability consist of three phases: Setup Phase, Queries Phase and Forgery Phase. In Queries phase, adversary A_II performs multiple queries including User query, Key Extraction query and Signcryption query. challenger C gives corresponding responses.

Setup Phase: Adversary A_II makes multiple queries, challenger C maintains lists l₁ − l₃ that are empty initially.

Initialization: Challenger C runs the Initialization algorithm. Input security parameter k, challenger C generates , system master key P_pub and the system parameter params, and sends them to Adversary A_II. The params = {F_p, E / F_p, G, P, P_pub = Q, H₁, H₂, H₃, H₄}. Set .

Queries Phase: Adversary A_II executes the following queries, and challenger C adaptively responds to these queries.

1. User query: When Adversary A_II presents query on ID_t, challenger C maintains a hash list H₁ − list that is initially empty including two-tuples (ID_t, Q_t). Challenger C checks whether record exists in a hash list H₁ − list. If so, challenger C returns corresponding record, else challenger C makes the following responses: (7)
2. Key Extract query: Adversary A_II performs queries on the certificateless public key cryptosystem, m_i represents the identity of the user. Challenge C calculates ID_i’s public key PK_i and sends it to Adversary A_II.
3. Signcryption Extraction query: Adversary inputs ID_i and a new message M′, and challenger C runs Signcrpytion-Extraction algorithm according to private key SK_i and sends result to the Adversary A_II.

Forgery Phase: Adversary A_II inputs (ID*, PK*, M′, σ*). To win this game, Adversary A_II is required to successfully execute the following events:

T₁: is a valid signcryption forgery of .

T₂: ID*never executed Key Extract query.

T₃: no executed Signcryption Extraction query.

Let Succ_UF−CMA = ε = Pr[T₁ ^ T₂ ^ T₃] be the probability that Adversary A_II wins the game.

Claim1: The probability of success for the Signcryption Extraction query is , where q_s represents the number of times the signcryption is extracted and ξ ∈ {0, 1}.

Claim2: The probability of success for the User query is , where q_k is the number of times the private key is queried.

Claim3: During the attack of Adversary A_II, the probability of success for the Key Extract query is , where q_PK is the number of times public key are queried.

As a result, . We say that Pr[T₂ | T₁] = ε, so Pr[T₃ | T₁ ^ T₂] = ξ / q_c. We can obtain . At ξ = 1 / (q_s + 1), reaches its maximum value, so . Of course, is a constant and you cannot ignore ε, so you cannot ignore Succ_UF−CMA (ε), which satisfies what Lemma says. Therefore, the SECCESPP scheme has unforgeability.