Sensors and Applications in Agricultural and Environmental Monitoring
View this Special IssueResearch Article  Open Access
Pengfei Su, Yong Xie, Ping Liu, "Anonymous and Efficient Certificateless Multirecipient Signcryption Scheme for Ecological Data Sharing", Journal of Sensors, vol. 2020, Article ID 5132861, 16 pages, 2020. https://doi.org/10.1155/2020/5132861
Anonymous and Efficient Certificateless Multirecipient Signcryption Scheme for Ecological Data Sharing
Abstract
Air pollution, water pollution, soil erosion, land desertification, and other environmental issues are becoming more and more serious. And ecological security has become a key issue for the sustainable development of the world, so research on ecology has received more and more attention. At present, ecological data is collected and stored separately by various departments or agencies. In order to conduct better research, various institutions or individuals begin to share their own data. However, data sharing between different organizations is affected by many factors, especially data security issues. At the moment, there is no scheme that has been commonly recognized to solve the problem of ecological data sharing. To provide a secure data sharing way for ecological research, a certificateless multireceiver signcryption scheme is proposed. In this paper, the proposed scheme can solve the key escrow problem, and it can improve efficiency on the basis of ensuring security by adopting elliptic curve cryptography (ECC). A rigorous security analysis proves that the scheme can resist various security attacks and ensure privacy protection based on a random oracle model. Performance analysis also shows that this scheme has the advantage of computational overhead compared to the same type of scheme. Therefore, the scheme is very suitable for the safe sharing of ecological data.
1. Introduction
Ecological data is receiving more and more attentions nowadays. It plays an important role in global climate change prediction, ecological network observation and simulation, regional air pollution control, and so on. However, the scope, degree, quality, and usability of data sets mastered by different research institutions vary greatly, which is not conductive to the research in related fields. In order to solve this problem, relevant organizations begin to share their own data, which enables researchers to find and reuse relevant data. Combining data from multiple sources can better raise new questions and accelerate the pace of science. Sharing of relevant data can also make the related scientific research more transparent, which helps boost public trust.
In the process of information sharing, on the one hand, the sender of the information only wants the authorized receiver to receive the correct information in order to prevent the information from being maliciously revealed. On the other hand, the recipient of the message wants to verify the sender of the message to prevent the message from being tampered with and the sender from being forged.
In view of all the requirements above, the information sent needs to be confidential and verifiable. The confidentiality needs to be implemented by encryption, and the verification needs to be implemented by signature. Traditionally, the method of first signing and then encrypting is adopted, but it is too computationally intensive resulted in the low efficiency. In order to improve the efficiency on the basis of ensuring confidentiality and verification of messages, Zheng [1] proposed the concept of signcryption, which enables encryption and signature to be performed simultaneously; therefore, encryption and signature functions can be realized by one signcryption.
With the development of communication, the identitybased multireceiver encryption (IMRE) proposal was presented by Baek et al. [2]; this proposal can encrypt multiple recipients’ messages by one calculation. And then, the IMRE schemes [3–5] were proposed successively. Subsequently, on the basis of the scheme in [2], the identitybased multireceiver signcryption (IMRS) proposal was presented by Duan and Cao [6]. According to this scheme, the sender only needs to perform a signcryption operation to simultaneously send messages to multiple authorized recipients, and each authorized recipient can perform corresponding decryption and verification. The ciphertext received by the receiver does not contain a list of receiver identity information, and the receiver cannot find the relevant information in the ciphertext. It is more effective than onetoone scheme and is an ideal choice for information sharing. Then, many IMRS schemes [7–14] were proposed. What is more, communicators are paying more and more attentions to personal privacy issues. Usually, people intend to conceal their identities when they use multireceiver signcryptionrelated devices. In order to realize anonymity, Fan et al. [15] proposed the first anonymous IMRE scheme. However, Wang et al. [16] proposed that the scheme in [15] does not truly achieve that goal. Also, Wang et al. [16] proposed a new anonymity scheme, but Li and Pang [17] proposed that the scheme in [16] still could not completely realize anonymity either. Later, Fan and Tseng [18] proposed an anonymous IMRE scheme and the receiver of the scheme has the capability of identity verification, but the efficiency is not high because of the excessive bilinear parings operations in the scheme. Then, Pang et al. [19] put forward an absolutely cryptonymous IMRS proposal which can realize the anonymity of the receiver and sender. Gradually, people have found a serious problem that these multireceiver schemes have key escrow problems because they cannot block malicious key generation center (KGC) attacks. If nothing is done to solve this problem, the KGC can view all users’ communications and can pretend to be any user, which is insecure.
Given the above requirements, AlRiyami and Paterson [20] proposed a certificateless public key cryptosystem. For the user in this system, he and KGC jointly generate his private key, and the system parameters and his private key jointly determine his public key. The scheme in [20] can solve the problem of certificate management in traditional public key cryptography and key escrow in identitybased cryptosystems, so the certificateless multirecipient scheme has become a research hotspot. Influenced by the scheme in [20], the proposals [21–24] were successively put forward. Selvi et al. [25] came up with the earliest certificateless multireceiver signcryption (CMRS) scheme, but it does not have the confidentiality of messages under external attacks and is inefficient due to the use of a large number of bilinear pairing operations (BPO).
Gradually, people began to pursue efficiency on the basis of satisfying the safety function. A cryptonymous certificateless multireceiver encryption (CMRE) proposal was presented by Islam et al. [26]. In order to improve efficiency, the scheme in [26] uses scalar point multiplication operations on elliptic curve cryptography (SPMOOECC), which does not use BPO. Since schemes in [26] can still further improve efficiency, schemes in [27–30] have been proposed successively. The scheme in [27] used the BPO and maptopoint hash function (MTPHF), scheme in [28] and scheme in [30] used lots of SPMOOECC, and scheme in [29] used BPO in the decryption step, all of which greatly limit the efficiency of the scheme. Among them, schemes in [26–30] have no signature function and cannot resist forgery attacks, and schemes in [25, 27–29] did not successfully achieve fair decryption, nor did they implement the verification of part of the private key.
Through the analysis of the schemes, we found that the multirecipient signcryption scheme is required to solve the main problems as below during the communication process: (1)Key escrow problem: malicious KGC can forge encrypted ciphertext and decrypt ciphertext, which dramatically reduces the confidentiality of the message. In order to prevent malicious KGC attacks, we need to solve the key escrow problem(2)The calculation efficiency is not ideal: in the process of encryption or decryption, BPO or a large number of SPMOOECC will result in inefficiency
In view of the requirements of ecological data sharing communication and taking into account the shortcomings of existing communication mechanisms, we propose a CMRS scheme for ecological data sharing. Relevant institutions or researchers can send data to other researchers or related institutions through our program. The communication process is shown in Figures 1 and 2. When multiple researchers or related organizations share relevant ecological data (such as forest ecological data, grassland ecological data, and desert ecological data), they first exchange key with KGC to obtain their own public key and private key; then, they signcrypt the data and send the signcrypted message to the cloud space; finally, the signcrypted data in the cloud space will be forwarded to the authorized recipient and the receiver performs verification and decryption after receiving the message.
The specific features of the scheme are as follows: (1)The scheme realizes the anonymity of the receiver. Not only the attacker cannot obtain the information of the receiver, but also the receiver does not know the information of other receivers(2)The scheme uses a certificateless method and can perform partial private key verification. It not only solves the key escrow problem but also ensures the correctness of some private keys received from KGC(3)The scheme is of high efficiency. Instead of using BPO and exponential operations in the signcryption and decryption phases, the scheme uses the SPMOOECC during encryption and decryption processes and minimizes the number of SPMOOECC, which greatly increases efficiency
Finally, in using the stochastic prediction model, we prove the confidentiality, unforgeability, and recipient anonymity of our CMRS scheme based on the difficult problems.
The rest of the paper is as follows: in the second part, the initial knowledge is described. In the third part, the proposed scheme is described. In addition, in the fourth part, the correctness and security of the scheme were analyzed. Next, in the fifth part, the proposed scheme and the existing scheme are compared in terms of efficiency and functionality. Finally, the sixth section summarizes this paper.
For ease of understanding, the symbols used are listed in Table 1.

2. Preliminaries
We will make an introduction of difficult problems, algorithm model, and security models.
2.1. Difficult Problems
It is specified that is a cyclic group on ECC, the generator of is the , and is the nonzero multiplication group, which depend on the big prime number . The elliptic curve discrete logarithm problem (ECDLP) and DiffieHellman problem (CDHP) are described below:
(1) CDHP. Known , calculating is CDHP
Definition 1. If the probabilistic polynomial time (PPT) algorithm A can solve CDHP, the probability advantage is specified as CDHP hypothesis: we believe that can be ignored for any PPT algorithm A.
(2) ECDLP. Known , calculating is ECDLP
Definition 2. If the PPT algorithm B can solve CDHP, the probability advantage is specified as ECDLP hypothesis: we believe that can be ignored for any PPT algorithm B.
2.2. Algorithm Model
Definition 3. The algorithm model of this proposal consists of SetUpAlgorithm, SetSecretValueAlgorithm, ExtractPartialPrivateKeyAlgorithm, SetPublicAndPrivateKeysAlgorithm, SigncryptionAlgorithm, and DesigncryptionAlgorithm:
SetUpAlgorithm: input , is the security parameter; KGC executes the algorithm; the system’s master key and the public parameter pars are generated by KGC; and KGC exposes pars and secretly saves .
SetSecretValueAlgorithm: enter , is the user’s information; the user executes the algorithm; and the user gets the secret value and the secret value parameter .
ExtractPartialPrivateKeyAlgorithm: enter the user’s information , the master key , the secret value parameter X_{i}, and the public key parameter pars. For the user, KGC uses this algorithm to obtain the partial private key and key generation parameter .
SetPublicAndPrivateKeysAlgorithm: input the parameter pars of the system, the information of the user, the partial private key of the user, the secret value , and the key generation parameter and the user uses the algorithm to obtain public key pair and the private key pair .
SigncryptionAlgorithm: input the system’s public parameter pars, receiver information , plaintext , the recipient’s public key , the private key of THE transmitter, and the information of the transmitter. The transmitter initiates the algorithm to obtain the ciphertext .
DesigncryptionAlgorithm: enter the public parameter pars, the recipient’s private key , the recipient’s information , and ciphertext C. The receiver uses the algorithm to gain the plaintext and verifies using the sender’s public key .
2.3. Security Models
The security model required for our scheme consists of information confidentiality, unforgeability, and recipient anonymity. In each security model, there are two types of opponents, called and [20]. does not know the system master key but does, and can replace the user’s public key but cannot. Specific descriptions are as follows:
2.3.1. Information Confidentiality
Information confidentiality means that an attacker cannot successfully decrypt a plaintext message in his or her own attack. In this scheme, information confidentiality is the indistinguishability of certificateless signcryption in the context of selecting ciphertext attack and selective multiple ID (INCMRSCA) [25]. We defined Game1 for ’s INCMRSCA and Game2 for ’s INCMRSCA.
Game1: this game is the interaction of opponent and challenger in the context of INCMRSCA.
Setup. performs the corresponding steps for obtaining the public parameter pars and the master key s, then sends the pars to the and secretly saves s. After receives the pars, the outputs a group of target identities , where is a positive integer.
Phase 4. requires to perform flexible queries, and performs feedback. The details are the following:
SetSecretValueQuery: requires to run the SetSecretValueQuery on the ID. After the request is received, uses the SetSecretValueAlgorithm to get the user’s secret value, and transmits the result to .
ExtractPartialPrivateKeyQuery: lets run the ExtractPartialPrivateKeyQuery against the ID. After the request is received, executes the ExtractPartialPrivateKeyAlgorithm to gain the partial private key of the user and sends result to .
SetPublicAndPrivateKeysQuery: requires to run the SetPublicAndPrivateKeysQuery on the ID. After receiving the request, executes the SetPublicAndPrivateKeysAlgorithm to get the public and private keys of user and returns them to .
PublicKeyReplacementQuery: requires to use the PK_{ID} to run the PublicKeyReplacementQuery on the ID. Upon receipt, will retain the as the new public key.
SigncryptionQuery: lets perform the SigncryptionQuery with a series of information and plaintext . After the request is received, randomly selects the information ID_{s} to execute the SigncryptionAlgorithm to obtain the ciphertext C and transmits to .
DesigncryptionQuery: requires to perform the DesigncryptionQuery for ciphertext . After the request is received, executes the DesigncryptionAlgorithm to obtain the plaintext , after that, verify that is compliant, and returns to.
Challenge: chooses a pair of plaintext , the length of the plaintext is the same, and transmits to . selects ; then, uses the selected plaintext to obtain and transmits to .
Phase 5. wants to provide the same query as Phase 4, but cannot perform the private key portion of SetPublicAndPrivateKeysQuery and ExtractPartialPrivateKeyQuery on the user who has replaced the public key. cannot perform DesigncryptionQuery on ciphertext .
Guess: gives , and if can be determined, wins, otherwise, fails. The probability advantage of winning is defined as follows:
Definition 6. The probability that any in the case of INCMRSCA can obtain the Game1 victory in time can satisfy , indicating that the scheme conforms to INCMRSCA security, represents a nonnegligible probability advantage and represents the time of a polynomial operation.
Game2: this game is the interaction of opponent and challenger in the context of INCMRSCA. The details are the following:
Setup. performs the corresponding steps for obtaining the public parameter pars and the master key , then transmits the result to the . After successful reception, gives a set of target identifiers is a positive integer.
Phase 7. makes a series of queries to like Phase 4 of Game1, but cannot carry out PublicKeyReplacementQuery. responds accordingly.
Challenge: selects a pair of plaintext ; the length of the plaintext is the same and transmits to . selects ; then, uses the selected plaintext to obtain , transmits to .
Phase 8. needs to perform the same query as Phase 4, but cannot execute the SetSecretValueQuery for the target identity , and cannot run the DesigncryptionQuery against the ciphertext .
Guess: gives , and if can be determined, wins, otherwise, fails. The probability advantage of winning is defined as follows:
Definition 9. The probability that any in the case of INCMRSCA can obtain the Game2 victory in time can satisfy , indicating that the scheme conforms to INCMRSCA security, represents a nonnegligible probability advantage and represents a time of a polynomial operation.
2.3.2. Unforgeability
The unforgeability of the proposal in this paper is prescribed as the strong unforgeability of certificateless signcryption in the context of selecting ciphertext attacks and optional multiple ID (SUCMRSPA) [25]. Game3 and Game4 are used to describe the SUCMRSPA of the opponent and , respectively.
Game3: this section is the mutual response between and under SUCMRSPA. The details are the following:
Setup. This procedure is similar to Setup in Game1.
Attack: requires to perform flexible queries. The queries are similar to Phase 4 in Game1, after which responds.
Forgery: uses and plaintext to forge ciphertext . If any recipient in can correctly decrypt , then wins, otherwise fails. In this process, SigncryptionQuery cannot get , other restrictions are similar to Phase 5 in Game1.
Definition 10. The probability that any in the case of SUCMRSPA can obtain the Game3 victory in time can satisfy , indicating that the scheme conforms to SUCMRSPA security, represents a nonnegligible probability advantage and represents the time of a polynomial operation.
Game4: this process is the interaction between and under SUCMRSPA. The details are the following:
Setup. This procedure is similar to Setup in Game2.
Attack: performs flexible queries for . The queries are similar to Phase 4 in Game2, after which responds.
Forgery: uses and plaintext to forge ciphertext . If any recipient in can correctly decrypt , then wins, otherwise fails. In this process, SigncryptionQuery cannot get , and the other restrictions are similar to Phase 5 in Game2.
Definition 11. The probability that any in the case of SUCMRSPA can obtain the Game4 victory in time can satisfy , indicating that the scheme conforms to SUCMRSPA security, represents a probabilistic advantage that is not negligible. represents the time of a polynomial operation.
2.3.3. Receiver Anonymity
In this scheme, receiver anonymity is prescribed as the anonymous indistinguishability of certificateless signcryption in the context of selecting ciphertext attacks and selective multiple ID (ANOCMRSCA) [26]. Game5 and Game6 each implement ANOCMRSCA for and .
Game5: this process is the interaction between and under ANOCMRSCA. The details are the following:
Setup. performs the corresponding steps for obtaining the public parameter pars and the master key , then transmits pars to and secretly saves . After receiving, selects and sends to .
Phase 12. This procedure is similar to Phase 4 in Game1.
Challenge: picks identity list and plaintext , transmits them to . selects and forms the ciphertext with a new set of identity list , and transmits to .
Phase 13. This procedure is similar to Phase 5 in Game1.
Guess: gives e, and If can be determined, wins, otherwise, fails. The probability advantage of winning is defined as follows:
Definition 14. The probability that any in the case of I ANOCMRSCA can obtain the Game5 victory in time can satisfy , indicating that the scheme conforms to ANOCMRSCA security, represents a nonnegligible probability advantage and represents the time of a polynomial operation.
Game6: this process is the interaction between and under ANOCMRSCA. The details are the following:
Setup. performs the corresponding steps for obtaining the public parameter pars and the master key , then transmits the result to , selects and output .
Phase 15. This procedure is similar to Phase 4 in Game2.
Challenge: picks identity list and a plaintext , transmits L and to . selects and forms a ciphertext with a new set of identity list , and sends to .
Phase 16. This procedure is similar to Phase 5 in Game2.
Guess: gives e, and if can be determined, wins, otherwise, fails. The probability advantage of winning is defined as follows:
Definition 17. The probability that any in the case of ANOCMRSCA can obtain the Game6 victory in time can satisfy , indicating that the scheme conforms to ANOCMRSCA security, represents a nonnegligible probability advantage and represents the time of a polynomial operation.
3. The Proposed Scheme
Our scheme includes SetUpAlgorithm, KeyExtractAlgorithm, SigncryptionAlgorithm, and DesigncryptionAlgorithm. The KeyExtractAlgorithm includes SetSecretValueAlgorithm, ExtractPartialPrivateKeyAlgorithm, and SetPublicAndPrivateKeysAlgorithm.
3.1. Setup Algorithm
KGC performs the corresponding steps for obtaining the public parameter and master keys. The details are the following: (1)Input , is the security parameter and KGC selects a large prime number on the finite field at random and generates a finite field with order. Next, a suitable elliptic curve E_{p} is generated on the domain F_{p}, and an addition cycle group is determined on the elliptic curve , and the generator of is (2)Select a positive whole number at random, is the system master key and secretly save and calculate the system public key (3)Select five safe and reliable hash function as follows: (4)The appropriate symmetric encryption algorithm and decryption algorithm are selected at random. as a symmetric key(5)Output the public parameters .
3.2. Key Extract Algorithm
The user and KGC perform the corresponding steps for obtaining the user’s private and public keys. (1)SetSecretValueAlgorithm: user randomly selects as a secret value and keeps it in secret, calculates , and sends and to KGC via a secure channel(2)ExtractPartialPrivateKeyAlgorithm: after receiving, KGC randomly selects the integer , then calculates and , and then calculates and , finally sending and to the user via a secure channel(3)SetPublicAndPrivateKeysAlgorithm: after the user receives and , it calculates and . Then, check if the equation is established, and if so, the user receives successfully. Otherwise, the reception fails
The user public key pair is , private key pair is . is published by KGC.
3.3. Signcryption Algorithm
The sender uses the public parameter pars, its own private key , plaintext , a set of recipient information , the recipient’s public key , and the information of a transmitter for signcryption: (1)Select the integer at random and then calculate (2)Calculate (3)Select the whole number at random, , then calculate the formula: (4)Calculate .(5)Calculate , where (6)Generate ciphertext and send the ciphertext to all recipients
3.4. Designcryption Algorithm
The receiver decrypts after receiving the ciphertext . Proceed as follows: (1)Calculate (2)Calculate (3)Calculate and (4)Search and obtain , calculate .
And judge whether is established, If successful, the recipient receives the plaintext and then exits. Otherwise, the recipient rejects and quits.
4. Correctness Analysis and Security Proofs
4.1. Correctness Analysis
Theorem 18. Confirm that the part private key of the user in KeyExtractAlgorithm is right.
Proof. In order for the user’s partial private key to be verified correctly, needs to be established. The specific inference of this equation is as follows: The establishment of the formula determines that the verification of the part private key is right in the KeyExtractAlgorithm.
Theorem 19. The DesigncryptionAlgorithm is right.
Proof. The formula guarantees the correctness of the DesigncryptionAlgorithm. The specific inference of the formula is as follows: The formula holds, so it is determined that the DesigncryptionAlgorithm is correct.
4.2. Security Proofs
We have security proofs of the proposal based on the safety model outlined in section 2. Theorem 20 and Theorem 23 guarantee confidentiality of the message, Theorem 26 and Theorem 27 ensure unforgeability, and recipient anonymity is ensured by Theorem 28 and Theorem 31.
Theorem 20. There is an opponent under the INCMRSCA, in the polynomial time , if wins the Game1 victory with a probability advantage that cannot be ignored, ( can request up to hash queries , KeyQuery, SetSecretValueQuery, ExtractPrivateKeyQuery, SetPublicAndPrivateKeysQuery, PublicKeyReplacementQuery, SigncryptionQuery, and DesigncryptionQuery), then within time , challenger ’s interaction with opponent makes overcome CDHP with a probability advantage of is the time of SPMOOECC.
Proof. Under a nonnegligible probability, it is assumed that opponent can attack the INCMRSCA security, the probability advantage is , and under the stochastic prediction model, requires challenger to perform queries. Given , in the timelimited polynomial, obtains through the opponent interaction to overcome CDHP. and opponent will interact with the followings:
Setup. performs the corresponding steps for obtaining the public parameter and master key , and then transmits pars to and save . After the recipient receives it, selects the target identity and transmits to , denotes a positive whole number. are all random oracles; they are controlled by . The details are the following: (1)H_{1}HashQuery: the tuple is taken as input, and requires to execute H_{1}HashQuery. After receiving, checks whether the tuple exists in list . If it exists, will send to . Otherwise, selects at random and sends to and restores the tuple into list (2)H_{2}HashQuery: the tuple and are taken as input, and requires to execute H_{2}HashQuery. After receiving, checks whether the tuple and exist in the list . If yes, will send and to . Otherwise, selects two integer and at random and transmits them to and restores the tuple and into list (3)H_{3}HashQuery: the tuple is taken as input, and requires to execute H_{3}HashQuery. After receiving, judges whether or not the tuple exists in the list . If it exists, will send α_{j} to . Otherwise, selects at random and sends α_{j} to and restores the tuple into list (4)H_{4}HashQuery: the tuple is taken as input, and requires to execute H_{4}HashQuery. After receiving, judges whether or not the tuple exists in the list . If it exists, will send to . Otherwise, selects at random, and sends k to , and restores the tuple into list L_{4}(5)H_{5}HashQuery: The tuple is taken as input, and requires to execute H_{5}HashQuery. After receiving, judges whether or not the tuple exists in list . If it exists, will send to . Otherwise, selects at random, and sends to and restores the tuple into list
Phase 21. requires to perform flexible queries and performs feedback. The details are the following: (1)KeyQuery: checks if the tuple exists in the list . If it exists, reserves the tuple . Otherwise, does the following: (a)If , selects two integers at random, sets , computes , and then updates tuples in list and in list , respectively(b)If , selects two integers at random, sets computes and then updates tuples in list and in list , respectively(2)SetSecretValueQuery: requires to execute the SetSecretValueQuery on . After receiving the request, checks whether there are tuples in list . if it exists, sends to , otherwise, C performs the KeyQuery to generate a tuple and then sends to (3)ExtractPartialPrivateKeyQuery: requires to perform the ExtractPartialPrivateKeyQuery on . After receiving the request, the details are the followings: (a)If sends “failure” to (b)If judges whether or not the tuple exists in the list , and if so, sends to , otherwise, performs the KeyQuery to generate tuple and sends to (4)SetPublicAndPrivateKeysQuery: requires to execute the public key portion of SetPublicAndPrivateKeysQuery on the . After the recipient receives it, judges whether or not the tuple exists in list . If it exists, sends to , otherwise performs KeyQuery to generate a tuple and then send to requires to execute the private key portion of SetPublicAndPrivateKeysQuery on the . After the recipient receives it, responds: (a)If sends “failure” to (b)If judges whether or not the tuple exists in list , and if so, sends to , otherwise, uses KeyQuery to generate tuple and sends to (5)PublicKeyReplacementQuery: requires to perform a PublicKeyReplacementQuery on with . After the recipient receives it, queries the tuple in list , and uses instead of PK_{j}. Next, restores the tuple in list (6)SigncryptionQuery: requires to perform the SigncryptionQuery for plaintext and information ID_{s}. After receiving the request, determines if is correct, . If the expression is correct, executes the SetPublicAndPrivateKeysQuery to generate the private key SK_{s} and ciphertext , and then sends to if not, implement the corresponding operation (a)Select at random and calculate Select at random and define the formula: (b)Calculate (c)Select at random(d)Output the ciphertext to (7)DesigncryptionQuery: requires to perform a DesigncryptionQuery for ciphertext . After receiving the request, selects at random and verifies whether is true, . If the formula is true, sends “failure” to Otherwise, will perform the corresponding operation: (a)Search for the tuple in list to obtain SK_{j} and compute (b)Calculate , generate with and .(c)Calculate (d)Consider whether the equation can be established. If it is established, sends to If not, sends “failure” to Challenge: selects the plaintext at random, they are equal in length, and they are transmitted to . After receiving, selects a bit at random, uses to get the ciphertext , and is the selected plaintext. The details are the following: (a)Stipulate and (b)Select at random and define the formula: (c)Calculate and (d)Select at random(e)Output the to
Phase 22. requires to perform the same queries as Phase 4, but cannot run the DesigncryptionQuery against .
Guess: gives a at random. If , then wins, outputs CDHP’s solution . Otherwise, outputs “failure.”
From the above discussion, it can be concluded that the H_{5}hash provides a valid ciphertext during the DesigncryptionQuery; therefore, the probability of ciphertext being denied is no more than . During the attack process, since requires to execute the DesigncryptionQuery, the probability of decryption success is . The H_{3} hash satisfies CDHP during the guessing process, so the probability that is correctly calculated by is at least . in the running time , ‘s interaction with opponent makes overcome CDHP, and the probability advantage is , is the time of the SPMOOECC.
Theorem 23. There is an opponent under the INCLMSCA. In the polynomial time , if the wins the Game2 victory with a probability advantage that cannot be ignored, ( can request up to q_{i} hash queries, KeyQuery, SetSecretValueQuery, ExtractPrivateKeyQuery, SetPublicAndPrivateKeysQuery, SigncryptionQuery, and DesigncryptionQuery.), then within time , challenger ’s interaction with opponent makes overcome CDHP with a probability advantage of , is the time of SPMOOECC.
Proof. Under a nonnegligible probability, it is assumed that the opponent can attack the INCMRSCA security, the probability advantage is , and under the stochastic prediction model, requires challenger to perform a series of queries. Given , in the timelimited polynomial, obtains through the opponent interaction to overcome CDHP. and opponent will interact with the following:
Setup. performs the corresponding steps for obtaining the public parameter and master key s, and then returns the result to , where . After receiving the result, outputs , where is a positive integer. are random predictions controlled by , the interactions between and is similar to Setup in Theorem 20.
Phase 24. requires to perform flexible queries and performs feedback. The details are the following: (1)KeyQuery: checks if there is a tuple in the list . If it exists, reserves the tuple. Otherwise, will perform related operations as follows: (a)If , selects two integers at random and computes , , and then updates tuples in list and in list , respectively, where and (b)If selects two integers at random, and sets , computes , and then updates tuples in list and in list , respectively(2)SetSecretValueQuery: requires to execute SetSecretValueQuery for . Upon receipt of the request, executes as follows: (a)If , sends “failure” to (b)If , judges whether or not the tuple exists in list . If yes, returns to. Otherwise, uses KeyQuery to generate the tuple and sends to .(3)ExtractPartialPrivateKeyQuery: requires to perform ExtractPartialPrivateKeyQuery against . After the recipient receives it, checks whether there is a tuple in list . If it exists, sends to . Otherwise, runs KeyQuery to generate tuple and sends to (4)SetPublicAndPrivateKeysQuery: requires to perform the public key portion of SetPublicAndPrivateKeysQuery against ID_{j}. After receiving the request, checks whether there is a tuple in list . If it exists, sends PK_{j} to . Otherwise, runs KeyQuery to generate tuple and sends PK_{j} to requires to perform the private key portion of SetPublicAndPrivateKeysQuery against . After the recipient receives it, responded with the following response: (a)If , sends “failure” to (b)If , judges whether or not the tuple exists in list . If yes, returns SK_{j} to . Otherwise, run the KeyQuery to generate the tuple and sends SK_{j} to (5)SigncryptionQuery: this section is similar to the SigncryptionQuery in Theorem 20(6)DesigncryptionQuery: this section is similar to the DesigncryptionQuery in Theorem 20Challenge: selects plaintext at random, they are equal in length, and transmits the result to . After receiving the result, .selects at random and obtains the ciphertext generated by : (a)Stipulate and (b)Select at random and define the formula: (c)_{Calculate} and