Journal of Applied Mathematics

Volume 2014, Article ID 454393, 10 pages

http://dx.doi.org/10.1155/2014/454393

## A Provably Secure Proxy Signcryption Scheme Using Bilinear Pairings

Department of Information Management, National Taiwan University of Science and Technology, Taipei 106, Taiwan

Received 8 November 2013; Accepted 19 April 2014; Published 19 May 2014

Academic Editor: Ferenc Hartung

Copyright © 2014 Nai-Wei Lo and Jia-Lun Tsai. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

As people in modern societies are busier than any human era and computer network has profound impact on how people work and live through fast and convenient information exchange, people need more help from each other to accomplish more work via network connections in limited period of time. Therefore, privilege delegation mechanism has become a necessary service in modern enterprises and organizations. Proxy signcryption scheme provides a secure privilege delegation mechanism for a person to delegate his privilege to his proxy agent to accomplish things. In 2010, Lin et al. had proposed an efficient signcryption scheme using bilinear pairings. However, we found that the proxy signcryption scheme of Lin et al. is vulnerable to the chosen warrant attack. A provably secure proxy signcryption scheme using bilinear pairings is introduced accordingly. In terms of performance efficiency, the proposed scheme is superior to other existing schemes. In addition, a new security model is proposed to describe proxy signcryption scheme; based on the security model we show that the proposed scheme is provably secure in terms of indistinguishability under adaptive chosen ciphertext attack (IND-CCA2), unforgeability under adaptive chosen message attack (EF-CMA), and unforgeability under adaptive chosen warrant attack (EF-CWA).

#### 1. Introduction

Since Diffie and Hellman proposed the concept of public key cryptosystem [1] in 1976, public key cryptosystems have been widely used for constructing secure network applications and communication systems. Generally, public key cryptosystems can be divided into two categories: public key encryption schemes [2–4] and signature schemes [2, 5, 6]. Public key encryption schemes are usually adopted to assure that the content of transmitted messages cannot be learned by an adversary without knowledge of the receiver’s private key. Signature schemes are mainly used to assure that received messages at the destination party are not modified or falsely generated by an adversary. With rapid evolved Internet environment and more complicated business flow processes, secure privilege delegation mechanism has become a necessary function for enterprises, organizations, and even every modern citizen. New application demands such as online proxy auction, digital contract signing, and work transfer for deputy all require privilege delegation mechanism from time to time to help people delegate their authorities to someone or a group of people in order to accomplish certain work in time. Therefore, traditional public key cryptosystems [7–9] may not be able to meet the needs for these newly developed applications in terms of security robustness and operation efficiency.

The concept of proxy signature scheme was first proposed by Mambo et al. [10] in 1996. A proxy signature scheme allows the original signer to delegate his/her signing authority to a proxy signer. Once the proxy signer gains the delegated authority from the original signer, the proxy signer can generate a proxy signature on behalf of the original signer. Proxy signature schemes have been adopted in many practical applications, particularly in distributed systems and mobile agent-based systems where the delegation of user authority is commonly applied. In general, proxy delegation can be divided into three types: full delegation, partial delegation, and delegation by warrant. In recent years, several proxy signature schemes have been proposed [8–16].

There are occasions in which applications with message transmission feature have to achieve confidentiality, integrity, authenticity, and nonrepudiation simultaneously. In 1997, Zheng first proposed a signcryption scheme in [17] to achieve these security requirements at the same time. The proposed signcryption scheme only allows the designated recipient to recover the original message from the received signcrypted ciphertext generated by the signer and then to verify the validity of this recovered message. Since then, various signcryption schemes were proposed [17–22].

In 1999, the concept of proxy signcryption scheme was first introduced by Gamage et al. [23]. Proxy signcryption scheme is subcategorized under signcryption scheme. Proxy signcryption scheme elaborates on the merits of signcryption and proxy signature. In a proxy signcryption scheme, an original signer can generate a proxy credential to delegate his/her signing authority to a proxy signer. Then, the proxy signer can generate a signcrypted message on behalf of the original signer. Only the recipient has the ability to recover the content of this signcrypted message and then to verify the validity of this recovered message content. In case a dispute occurs from the repudiation of the proxy signer or the original signer, the message recipient can announce the proxy signature to a trusted third party for public verification without extra computational cost. Proxy signcryption schemes can be used in applications such as online proxy auction and business contract signing.

Recently, bilinear pairing [24, 25] from elliptic curves is widely adopted to develop new public key cryptosystems [26–36]. Accordingly many researchers have utilized bilinear pairings to construct pairings-based proxy signcryption schemes [26–28, 30, 31]. In 2010, Lin et al. proposed an efficient proxy signcryption scheme [31] using bilinear pairings. The scheme of Lin et al. is the first one to propose a public verification mechanism for the message recipient to prove the proxy signer or the original signer is dishonest when a dispute occurs between message signers and message recipient. In addition, only four bilinear pairing operations are required in their scheme. To prove security strength of their proxy signcryption scheme, Lin et al. also give a security model for proxy signcryption scheme and then prove their scheme is secure in terms of IND-CCA2 and EF-CMA under random oracle model.

##### 1.1. Contribution

This paper discovers that the signcryption scheme of Lin et al. [31] is vulnerable to two forgery attacks because the proxy credential generated from the original signer is not secure against the chosen warrant attack. In addition, the security model of Lin et al. did not consider unforgeability of generated proxy credential. A new proxy signcryption scheme using bilinear pairings is introduced in which the proposed scheme remedies the vulnerabilities of Lin et al.’s scheme and achieves better performance in terms of computing cost when comparing with other existing schemes. A new security model for proxy signcryption scheme is also presented and used to prove that the proposed scheme is secure in terms of indistinguishability under adaptive chosen ciphertext attack (IND-CCA2), unforgeability under adaptive chosen warrant attack (EF-CWA), and unforgeability under adaptive chosen message attack (EF-CMA) in random oracle.

#### 2. Preliminaries

This section introduces bilinear pairings, the definition of proxy signcryption scheme, and mathematical problems used for cryptography as follows.

##### 2.1. Bilinear Pairings

The properties of bilinear pairings are introduced as follows. Let be an additive cyclic group, let be a multiplicative cyclic group, and let be a generator of , where and have the prime order . A bilinear pairing equation : satisfies the following properties:(1)bilinear: given , , , , and ; besides, given , , ;(2)nondegenerate: there exists and such that , where 1 is the identity element of ;(3)computable: for any , , the value is efficiently computed.

##### 2.2. The Definition of Proxy Signcryption Scheme

The roles of a proxy signcryption scheme can be divided into three parties: an original signer , a proxy signer , and a designated recipient . In a proxy signcryption scheme, an original signer generates a proxy credential to delegate his/her signing authority to a proxy signer. The proxy signer then generates a signcrypted message by using the proxy credential and his/her secret key. Next, the proxy signer sends the signcrypted message to a designated recipient through insecure network. Upon receiving the signcrypted message, only the designated recipient can recover the message content from the signcrypted message and then verify its validity. If a dispute occurs later, the message recipient can announce the proxy signature for public verification without extra computational cost. A proxy signcryption scheme consists of the following algorithms.(i)*Setup*. This algorithm takes a secure parameter as input and then returns public parameters of system* params*.(ii)*Proxy-Credential-Generation (PCG)*. This algorithm takes the private key of original signer* osk* and a warrant as input and then returns a proxy credential on the warrant for the proxy signer.(iii)*Signcrypted-Message-Generation (SMG)*. This algorithm takes a message , a proxy credential , a warrant , a private key of proxy signer* psk*, and a proxy credential as input and then outputs a signcrypted message .(iv)*Signature-Recovery-and-Verification (SRV)*. This algorithm takes a signcrypted message , the private key of designated recipient* rsk*, a warrant , and the public key pair of original signer and proxy signer (*opk*,* ppk*) and then returns a plaintext and its converted ordinary proxy signature if the signcrypted message is valid. Otherwise, this algorithm returns an error symbol .

##### 2.3. Mathematical Problems for Cryptography

We introduce mathematical problems applied within our scheme for security as follows.

*Discrete Logarithm Problem (DLP)*. Given , it is hard to find an integer from .

*Bilinear Diffie-Hellman Problem (BDHP)*. Given an instance for some , it is hard to compute , where is the generator.

#### 3. Review and Cryptanalysis of the Proxy Signcryption Scheme of Lin et al.

This section briefly reviews the proxy signcryption scheme of Lin et al. [31] and then shows that their scheme is vulnerable to two forgery attacks as follows.

##### 3.1. Review of the Proxy Signcryption Scheme of Lin et al.

We briefly review the proxy signcryption scheme of Lin et al. [31] in this subsection. Details of each algorithm are described as follows.

*Setup*. Let and be two groups of the same prime order , where is a generator of . First of all, the system authority chooses a pairing function : and three collision-resistant hash functions: , , and . Next, publishes , , , , , , , , as public parameters. Each signer also chooses a random number as his/her private key and then computes the corresponding public key .

*Proxy-Credential-Generation*. When an original signer wants to delegate his/her signing privilege to a proxy signer , the original signer chooses a random number and then generates a proxy credential by computing the following equations:
where is the warrant including the identities of the original signer and the proxy signer . Next, the original signer sends the proxy credential to a proxy signer . After receiving the proxy credential , the proxy signer verifies the validity of the received proxy credential by computing the values at both sides of the equality symbol in the following equation:
If (2) holds with the two computed values, the proxy credential is accepted; otherwise, the proxy signer requests the original signer to resend the proxy credential .

*Signcrypted-Message-Generation*. When the proxy signer wants to generate a signcrypted message on a plaintext message , he/she computes
where is a random number and is the symmetric encryption function with the secret key . Next, the proxy signer sends the signcrypted message and to the designated recipient .

*Signature-Recovery-and-Verification*. For a signcrypted message , the designated recipient can recover the message and the proxy signature by computing the following equations:
where is the symmetric decryption function with the key . Next, the recipient verifies the validity of the proxy signature by computing the values at both sides of the equality symbol in the following equation:
If (5) holds with the two computed values, the proxy signature is accepted by the designated recipient ; otherwise, the proxy signature is rejected. In case a dispute occurs later, the designated recipient can reveal the proxy signature as well as the message and the warrant to any trusted third party. A trusted third party can use (5) to perform an evaluation task and know whether the proxy signer is dishonest or not.

##### 3.2. Cryptanalysis of the Scheme of Lin et al.

Two forgery attacks on the scheme of Lin et al. are discovered by utilizing security weakness of the proxy credential through chosen warrant attack. Details of two forgery attacks are addressed as follows.

*Forgery Attack 1*. We show that a malicious proxy signer can forge any valid proxy credential on his/her chosen warrant if he/she obtains a valid proxy credential as follows.

Assume that a malicious proxy signer, who has a valid proxy credential on a warrant , wants to forge a valid proxy credential on his/her chosen warrant . The malicious proxy signer needs to generate where is his/her chosen warrant. Now, the forged proxy credential is created by the malicious proxy signer without knowledge of the private key of the original signer.

In the following, we show that the forged proxy credential can pass the proxy credential verification equation shown in (2): where , .

*Forgery Attack 2*. We show that any adversary can forge a proxy signature on his/her chosen message and his/her chosen warrant without knowledge of any valid proxy credential , the private key of the original signer, and the private key of the proxy signer as follows.

Assume that an adversary wants to forge a proxy signature on his/her chosen message and warrant . The adversary first computes where is a random number. Now, the adversary forges a valid proxy signature on his/her chosen message and warrant . In consequence, the proxy signcryption scheme of Lin et al. does not support nonrepudiation.

In the following, we show that the forged proxy signature can pass the proxy signature verification equation shown in (5):

#### 4. The Proposed Scheme

This section presents our efficient proxy signcryption scheme. Details of each algorithm are described as follows.

*Setup*. Let and be two groups of the same prime order and let be a generator of . In the beginning, system authority chooses a pairing function : and four collision-resistant one-way hash functions: , , , and . Then, publishes (, , , , , , , , , as its public parameters. Each signer also chooses a random number as his/her private key and then computes his/her corresponding public key .

*Proxy-Credential-Generation*. Assume that an original signer wants to delegate his/her signing authority to a proxy signer; he/she first computes
where is a random number and is the warrant. The original signer then sends the proxy credential (, , ) to the proxy signer via a secure channel. Upon receiving the proxy credential (, , ), the proxy signer can verify its validity by computing the values at both sides of the equality symbol in the following equation:
If (14) holds with the two computed values, the proxy credential is accepted; otherwise, the proxy credential signature is rejected. In the following, we show the derivation and verification process for (14):
where and .

*Signcrypted-Message-Generation*. In order to generate a signcrypted message on his/her chosen message , the proxy signer computes
Then, the proxy signer sends the signcrypted message (, , , ) and the warrant to the designated recipient .

*Signature-Recovery-and-Verification*. Upon receiving a signcrypted message (, , , ), the recipient first recovers the message by computing the following equations:
Next, the recipient computes
and then verifies the validity of the proxy signature (, , ) by computing the values at both sides of the equality symbol in the following equation:
If (23) holds with the two computed values, the recipient accepts the proxy signature; otherwise, he/she rejects the proxy signature. Notice that the value of is precomputed as one of the public parameters during system setup phase; therefore, the computational cost for the value of can be ignored here.

If a dispute between the proxy signer and the recipient occurs, the designated recipient can send the message , the warrant , and the proxy signature (, , ) to any trusted third party. A trusted third party can use (23) to perform an evaluation task and know whether the proxy signer is dishonest.

In the following, we show the derivation and verification process for (23):

#### 5. Security Analysis

In the literature of Lin et al. [31], they had proposed a security model for proxy signcryption scheme. However, the security model of Lin et al. is incomplete as unforgeability of proxy credential was not considered.To prove security robustness of the proposed proxy signcryption scheme, we propose a new security model for proxy signcryption scheme. Consequently, this proposed security model is applied to prove that our proposed scheme is secure in terms of IND-CCA2, EF-CWA, and EF-CMA under random oracle.

##### 5.1. Security Model

Three security requirements for proxy signcryption scheme are message confidentiality, proxy credential unforgeability, and proxy signcryption unforgeability. We give a new security model for proxy signcryption scheme as follows.

*Definition 1 (confidentiality). *A proxy signcryption scheme achieves confidentiality under adaptive chosen ciphertext attacks if no adversary can play the following game with a challenger and win this game within a probabilistic polynomial time period by possessing nonnegligible advantage.

*Setup*. At the beginning, runs this algorithm to generate all public parameters* params* and then publishes them. Thus, can obtain these public parameters* params*.

*Phase 1. *An adversary has the ability to execute the following queries adaptively.(i)* Proxy-Credential-Generation (PCG) Query*. When calls the PCG query with his/her chosen warrant , returns the corresponding proxy credential to .(ii)* Signcrypted-Message-Generation (SMG) Query*. When calls the SMG query with his/her chosen message , first generates the proxy signature for the message . Then, generates the signcrypted message and then returns it to .(iii)* Signature-Recovery-and-Verification (SRV) Query*. When calls the SRV query, upon receiving a signcrypted message and its warrant from , returns a plaintext message and its convertible proxy signature if the signcrypted message is valid. Otherwise, returns an error symbol to .

*Challenge*. sends two plaintext messages and to , where these two messages with the same length are chosen by the adversary . Next, flips a coin and then generates a signcrypted message for the message . sends the signcrypted message to as a challenge.

*Phase 2. * has the ability to call several new queries defined in Phase 1. Once receives the signcrypted message , can call multiple queries except SRV queries to guess which message, or , is signcrypted inside .

*Guess*. Finally, outputs a bit as its guess. If , wins this game, where the advantage of to win the game is .

*Definition 2 (proxy credential unforgeability). *A proxy signcryption scheme achieves proxy credential unforgeability under adaptive chosen warrant attacks if no adversary can play the following game with a challenger and win this game within a probabilistic polynomial time period by possessing nonnegligible advantage.

*Setup*. In this algorithm, generates all public parameters* params* and then publishes these parameters. Thus, these parameters* params* can be learned by .

*Phase 1. * can call multiple PCG queries defined in Phase 1 of Definition 1 with his/her chosen warrant .

*Forgery*. The adversary forges a valid proxy credential based on his/her chosen warrant without calling any PCG query.

*Definition 3 (proxy signcryption unforgeability). *A proxy signcryption scheme achieves proxy signcryption unforgeability under adaptive chosen message attacks if no adversary can play the following game with a challenger and win this game within a probabilistic polynomial time period by possessing nonnegligible advantage.

*Setup*. First of all, runs the setup algorithm to generate all public parameters* params* and then publishes these parameters. Therefore, can obtain these parameters* params*.

*Phase 1. *In this phase, can ask to generate the proxy signature with his/her chosen message by calling PSG queries defined in Phase 1 of Definition 1.

*Forgery*. The adversary forges a valid proxy signature based on his/her chosen message without calling any PSG query.

##### 5.2. Security Proof

This subsection shows the proposed scheme is secure against the chosen ciphertext attack (IND-CCA2), the adaptive chosen warrant attack (EF-CWA), and the adaptive chosen message attack (EF-CMA) under random oracle as follows.

Theorem 4 (confidentiality). *Let be the time for executing one bilinear pairing operation. If no adversary can -break the bilinear Diffie-Hellman problem in probabilistic polynomial time, the proposed proxy signcryption scheme can -withstand the existential forgery under adaptive chosen ciphertext attack (IND-CCA2) in random oracle model, where
*

*Proof. *Suppose that an algorithm tries to resolve BDHP by taking as inputs. The algorithm simulates itself as the challenger to serve in the following game, where can only ask at most times of oracles , times of PCG query, times of SMG query, and times of SRV query within the period of probabilistic polynomial time .*Setup*. runs the setup algorithm to generate all necessary public parameters , , , , , , , , and then sends , , , , , , , , and (, , ) to . *Phase **1*. In this phase, can call the following queries supported by .(i)* Hash Query*. When calls a hash query on his/her chosen warrant and , first checks whether (, ) exists in the -list. If the pair indeed exists, returns the existing to . Otherwise, randomly selects a number , stores (, , ) into the -list, and returns to .(ii)* Hash Query*. If sends the tuple , , , to the oracle as a query request, first checks whether the tuple exists in the -list. If it exists, returns the existing to . Otherwise, randomly selects a number , stores , , , , into the -list, and returns to .(iii)* Hash Query*. If calls a hash query with the value , first checks whether this value exists in the -list. If it exists, returns the existing to . Otherwise, returns to and then stores the tuple , , into the -list, where is a random number.(iv)* Hash Query*. When calls a hash query with his own chosen value pair , ), first checks whether this pair , exists in the -list. If the pair exists, returns the existing to . Otherwise, generates and returns to before storing the tuple , , into the -list, where is a random number.(v)* Proxy-Credential-Generation (PCG) Query*. When calls this query with his own chosen warrant , first chooses two random numbers and and then computes and , where has never been queried before. Then, returns and to .(vi)* Signcrypted-Message-Generation (SMG) Query*. When calls a SMG query with a message , first computes and , where , , and are three random numbers and and have never been queried before. Next, calls an query to get ,. then computes and the pair , and then returns the signcrypted message and the warrant to .(vii)* Signature-Recovery-and-Verification (SRV) Query*. When calls a SRV query with a signcrypted message (, , , ) and its corresponding warrant , searches the -list according to and and then recovers the message . Next, checks the validity of associated proxy signature. If the validity of the proxy signature is confirmed, returns the warrant , the message , and its proxy signature (, , ). Otherwise, returns to indicate that the proxy signature is invalid.*Challenge*. When sends two plaintext messages and to , first calls a PCG query to obtain and , where and are two random numbers and has never been queried before. Next, flips a coin to determine the value of and accordingly calls one PCG query and one SMG query to compute , , and , where , , , and . Finally, returns the signcrypted message for the message . *Phase **2*. can call new queries defined in Phase 1, but cannot call any SRV query for the signcrypted message to get the message .*Analysis of the Game.* Let SRV_{ERR} be the event that a SRV query returns the failure message for a valid signcrypted message during the entire game, let GP be the event that the entire game is perfect (i.e., no adversary can break the game.), and let be the event that indicates the total number of query times for oracle. The advantage of is defined as () = ; in consequence, we have
In Phase 2 of our game, if never calls hash query, the simulation will fail. Therefore, would have nonnegligible probability to solve the bilinear Diffie-Hellman problem with probability at least
Time complexity of the algorithm is , where is the time for executing one bilinear pairing operation.

Theorem 5 (proxy credential unforgeability). *The proposed proxy signcryption scheme is secure against existential forgery under adaptive chosen warrant attacks (EF-CWA) if no adversary can -break the DLP, where
*

*Proof. *We show that the proposed signcryption scheme can achieve security requirement for proxy credential unforgeability as follows, where can only call at most times of oracles and times of PCG query within the period of probabilistic polynomial time . An algorithm can be constructed to break the DLP by playing the game with an adversary . In this game, the query algorithms and public parameters are the same as those ones defined in Theorem 4. Notice that each hash query has its own hash list to maintain corresponding tuples.*Setup*. runs the setup algorithm to generate all necessary public parameters (, , , , , , , , , , , ) for the adversary . *Phase* *1*. In this phase, we allow to call multiple PCG queries and queries as those ones defined in Phase 1 of the proof of Theorem 4.*Analysis of the Game*. Suppose that can only call at most times of PCG query and times of hash query, and the game simulation is perfect in random oracle. By applying the forking lemma, if , let output two proxy credentials (, , ) and (, , ) based on the same warrant such that . Then, computes as the value of . According to the forking lemma, it indicates that has the ability to solve one DLP instance within the period of time .

Theorem 6 (proxy signcryption unforgeability). *The proxy signcryption scheme can , , , , , , , , -withstand adaptive chosen message attacks (EF-CMA) if no adversary , who plays the game with the challenger , can -break BDHP in probabilistic polynomial time , where
*

*Proof. *Suppose that an adversary can *, **, **, **, **, **, **, **, **-*break the proposed scheme with nonnegligible advantage , where indicates the maximum time consumption used to break the proposed scheme. In this game, the adversary can call at most times of oracles , times of PCG query, and times of SMG query. Then, an algorithm can be constructed to break the BDHP problem by playing the game with an adversary *.* The query algorithms and public parameters are the same as those ones defined in Theorem 4. Notice that each hash query has its own hash list to maintain corresponding tuples.*Setup*. runs this setup algorithm to generate all necessary public parameters (, , , , , , , , , , , and then returns these public parameters to . *Phase **1*. In this phase, can call multiple PCG queries, SMG queries, and queries as those ones defined in Phase 1 of the proof of Theorem 4.*Analysis of the Game.* In the following, we prove that if an adversary can break the proposed scheme, then there is an algorithm which can break the BDHP problem. Assume that the adversary can call at most times of PCG query and times of hash queries . Let SM_{V} be the event that the adversary can forge a valid signature and let QH_{3} and QH_{4} be the events that indicate the total number of query times for and queries by the adversary , respectively. Obviously, the probability that the adversary can correctly guess the hash value without querying or hash queries is less than . Then, we have the following inequality:
Thus, we can rewrite the inequality to get the following inequality:
When the event occurs under the condition that both and hash queries have been called, the probability that returns is only . Therefore, the probability that breaks BDHP is only
within the period of time , where is the time for executing one bilinear pairing operation.

#### 6. Comparisons on Security and Performance

In this section, we compare the proposed scheme with other existing schemes including the scheme of Li and Chen (LC) [26], the scheme of Wang and Cao (WC) [27], the scheme of Duan et al. (DCZ) [28], the scheme of Elkamchouchi and Abouelseoud (EA) [30], and the scheme of Lin et al. (LWHY) [31]. The comparison on security strength among targeted proxy signcryption schemes is given in Table 1. From Table 1, one can observe that only the proposed scheme provides formal security proof on proxy credential unforgeability. In addition, only the LC scheme, the WC scheme, and the proposed scheme are secure against key-compromised attack and forgery attack. The comparison on performance efficiency among targeted schemes is shown in Table 2. As pairing operation is the most time-consuming operation in comparison with the other computing operations used among targeted schemes [37], only the total number of pairing operations is used to measure performance efficiency for all targeted schemes in Table 2. From Table 2, it is obvious that our scheme is the most efficient proxy signcryption scheme in terms of time consumption for scheme operation. In summary, our scheme provides better security strength and achieves the most efficient operation design among existing schemes.

#### 7. Conclusion

This paper first shows that the scheme of Lin et al. [31] is vulnerable to two forgery attacks based on chosen warrant attack. Later, a new proxy signcryption scheme is introduced. The proposed scheme only requires one pairing operation to verify the validity of a proxy signature; therefore, the proposed scheme is computationally more efficient than other existing schemes. Moreover, a new security model for proxy signcryption scheme is derived and adopted to prove our scheme achieves the following security features: IND-CCA2, EF-CWA, and EF-CMA under random oracle model.

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgments

The authors gratefully acknowledge the support from the Taiwan Information Security Center (TWISC) and the National Science Council, Taiwan, under Grant no. NSC 102-2218-E-011-013.

#### References

- W. Diffie and M. E. Hellman, “New directions in cryptography,”
*Institute of Electrical and Electronics Engineers. Transactions on Information Theory*, vol. IT-22, no. 6, pp. 644–654, 1976. View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,”
*Communications of the Association for Computing Machinery*, vol. 21, no. 2, pp. 120–126, 1978. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” in
*Advances in Cryptology—CRYPTO 2001*, vol. 2139 of*Lecture Notes in Computer Science*, pp. 213–229, Springer, Berlin, Germany, 2001. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - C. Gentry and A. Silverberg, “Hierarchical ID-based cryptography,” in
*Advances in Cryptology—ASIACRYPT 2002*, vol. 2501 of*Lecture Notes in Computer Science*, pp. 548–566, Springer, Berlin, Germany, 2002. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the Weil pairing,” in
*Advances in Cryptology—ASIACRYPT 2001*, vol. 2248 of*Lecture Notes in Computer Science*, pp. 514–532, Springer, Berlin, Germany, 2001. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - F. Zhang and K. Kim, “ID-based blind signature and ring signature from pairings,” in
*Advances in Cryptology—ASIACRYPT 2002*, vol. 2501 of*Lecture Notes in Computer Science*, pp. 533–547, Springer, Berlin, Germany, 2002. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - B. C. Neuman, “Proxy-based authorization and accounting for distributed systems,” in
*Proceedings of the IEEE 13th International Conference on Distributed Computing Systems*, pp. 283–291, May 1993. View at Scopus - V. Varadharajan, P. Allen, and S. Black, “An analysis of the proxy problem in distributed systems,” in
*Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy*, pp. 255–275, May 1991. View at Scopus - J. L. Tsai, N. W. Lo, and T. C. Wu, “Secure delegation-based authentication protocol for wireless roaming service,”
*IEEE Communications Letters*, vol. 16, no. 7, pp. 1100–11102, 2012. View at Google Scholar - M. Mambo, K. Usuda, and E. Okamoto, “Proxy signatures for delegating signing operation,” in
*Proceedings of the 3rd ACM Conference on Computer and Communications Security*, pp. 48–57, March 1996. View at Scopus - R. Lu, X. Dong, and Z. Cao, “Designing efficient proxy signature schemes for mobile communication,”
*Science in China, Series F: Information Sciences*, vol. 51, no. 2, pp. 183–195, 2008. View at Publisher · View at Google Scholar · View at Scopus - F. Li, M. Shirase, and T. Takagi, “Cryptanalysis of efficient proxy signature schemes for mobile communication,”
*Science China. Information Sciences*, vol. 53, no. 10, pp. 2016–2021, 2010. View at Publisher · View at Google Scholar · View at MathSciNet - A. Wang, J. Li, and Z. Wang, “A provably secure proxy signature scheme from bilinear pairings,”
*Journal of Electronics*, vol. 27, no. 3, pp. 298–304, 2010. View at Publisher · View at Google Scholar · View at Scopus - D. Hongzhen and W. Qiaoyan, “An efficient identity-based short signature scheme from bilinear pairings,” in
*Proceedings of the International Conference on Computational Intelligence and Security (CIS '07)*, pp. 725–729, Haerbin, China, December 2007. View at Publisher · View at Google Scholar · View at Scopus - Y.-C. Lin, T.-C. Wu, and J.-L. Tsai, “ID-based aggregate proxy signature scheme realizing warrant-based delegation,”
*JISE. Journal of Information Science and Engineering*, vol. 29, no. 3, pp. 441–457, 2013. View at Google Scholar · View at MathSciNet - J. L. Tsai, N. W. Lo, and T. C. Wu, “Numerical analysis of stress on pump blade by one-way coupled fluid-structure simulation,”
*Information Technology and Control*, vol. 42, no. 4, pp. 315–324, 2014. View at Google Scholar - Y. Zheng, “Digital signcryption or how to achieve cost(signature & encryption) $\ll $ cost(signature) + cost(encryption),” in
*Advances in Cryptology—CRYPTO 1997*, pp. 165–179, Springer, 1997. View at Google Scholar - Y. Zheng, “Signcryption and its applications in efficient public key solutions,” in
*Proceedings of the Information Security Workshop*, pp. 291–312, Springer, 1997. - F. Bao and R. H. Deng, “A signcryption scheme with signature directly verifiable by public key,” in
*Proceedings of the Workshop on Public Key Cryptography*, pp. 55–59, Springer, 1998. - H. Petersen and M. Michels, “Cryptanalysis and improvement of signcryption schemes,”
*IEE Proceedings Computers and Digital Techniques*, vol. 145, no. 2, pp. 149–151, 1998. View at Google Scholar - W.-H. He and T.-C. Wu, “Cryptanalysis and improvement of Petersen-Michels signcryption scheme,”
*IEE Proceedings: Computers and Digital Techniques*, vol. 146, no. 2, pp. 123–124, 1999. View at Publisher · View at Google Scholar · View at Scopus - J.-L. Tsai, “Convertible multi-authenticated encryption scheme with one-way hash function,”
*Computer Communications*, vol. 32, no. 5, pp. 783–786, 2009. View at Publisher · View at Google Scholar · View at Scopus - C. Gamage, J. Leiwo, and Y. Zheng, “An efficient scheme for secure message transmission using proxy-signcryption,” in
*Proceedings of the 22nd Australasian Computer Science Conference*, pp. 420–431, Springer, 1999. - P. S. L. M. Barreto, H. Y. Kim, B. Lynn, and M. Scott, “Efficient algorithms for pairing-based cryptosystems,” in
*Advances in Cryptology—CRYPTO 2002*, vol. 2442 of*Lecture Notes in Computer Science*, pp. 354–368, Springer, Berlin, Germany, 2002. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - P. S. L. M. Barreto, B. Lynn, and M. Scott, “On the selection of pairing-friendly groups,” in
*Selected Areas in Cryptography*, vol. 3006 of*Lecture Notes in Computer Science*, pp. 17–25, Springer, Berlin, Germany, 2004. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - X. Li and K. Chen, “Identity based proxy-signcryption scheme from pairings,” in
*Proceedings of the IEEE International Conference on Services Computing (SCC '04)*, pp. 494–497, September 2004. View at Publisher · View at Google Scholar · View at Scopus - Q. Wang and Z. Cao, “Efficient ID-based proxy signature and proxy signcryption from bilinear pairings,” in
*Computational Intelligence and Security*, pp. 167–172, Springer, 2005. View at Google Scholar - S. Duan, Z. Cao, and Y. Zhou, “Secure delegation-by-warrant ID-based proxy signcryption scheme,” in
*Proceedings of Computational Intelligence and Security Conference (CIS '05)*, vol. 3802 of*LNAI*, pp. 445–450, Springer, 2005. - S. Duan and Z. Cao, “Efficient and provably secure multi-receiver identity-based signcryption,” in
*Information Security and Privacy*, pp. 195–206, Springer, 2006. View at Google Scholar - H. Elkamchouchi and Y. Abouelseoud, A new proxy identity-based signcryption scheme for partial delegation of signing rights, Cryptology ePrint Archive, Report , 2008, http://eprint.iacr.org/.
- H.-Y. Lin, T.-S. Wu, S.-K. Huang, and Y.-S. Yeh, “Efficient proxy signcryption scheme with provable CCA and CMA security,”
*Computers & Mathematics with Applications*, vol. 60, no. 7, pp. 1850–1858, 2010. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - C.-L. Hsu and H.-Y. Lin, “Pairing-based strong designated verifier proxy signature scheme with low cost,”
*Security and Communication Networks*, vol. 5, no. 5, pp. 517–522, 2012. View at Publisher · View at Google Scholar · View at Scopus - H.-Y. Lin, T.-S. Wu, and S.-K. Huang, “Certificate-based secure three-party signcryption scheme with low costs,”
*JISE. Journal of Information Science and Engineering*, vol. 28, no. 4, pp. 739–753, 2012. View at Google Scholar · View at MathSciNet - J. L. Tsai, N. W. Lo, and T. C. Wu, “ID-Based authenticated group key agreement protocol from bilinear pairings for wireless mobile devices,”
*Adhoc & Sensor Wireless Networks*, vol. 17, no. 3-4, pp. 221–231, 2013. View at Google Scholar - T. S. Wu and H. Y. Lin, “A novel probabilistic signature based on bilinear square Diffie-Hellman problem and its extension,”
*Security and Communication Networks*, vol. 6, no. 6, pp. 757–764, 2013. View at Google Scholar - J. L. Tsai, N. W. Lo, and T. C. Wu, “Secure handover authentication protocol based on bilinear pairings,”
*Wireless Personal Communications*, vol. 73, no. 3, pp. 1037–1047, 2013. View at Google Scholar - M. Scott, N. Costigan, and W. Abdulwahab, “Implementing cryptographic pairings on smartcards,” in
*Cryptographic Hardware and Embedded Systems—CHES 2006*, pp. 134–147, Springer, 2006. View at Google Scholar