#### Abstract

Generalized signcryption (GSC) can be applied as an encryption scheme, a signature scheme, or a signcryption scheme with only one algorithm and one key pair. A key-insulated mechanism can resolve the private key exposure problem. To ensure the security of cloud storage, we introduce the key-insulated mechanism into GSC and propose a concrete scheme without bilinear pairings in the certificateless cryptosystem setting. We provide a formal definition and a security model of certificateless key-insulated GSC. Then, we prove that our scheme is confidential under the computational Diffie-Hellman (CDH) assumption and unforgeable under the elliptic curve discrete logarithm (EC-DL) assumption. Our scheme also supports both random-access key update and secure key update. Finally, we evaluate the efficiency of our scheme and demonstrate that it is highly efficient. Thus, our scheme is more suitable for users who communicate with the cloud using mobile devices.

#### 1. Introduction

With the rapid development of cloud storage technology, its security has become increasingly important. For cloud storage, confidentiality and authentication are the two main aspects of security that must be addressed. In general, confidentiality can be realized by encryption and authentication via signature. When both methods are needed simultaneously, the sign-then-encrypt approach is traditionally utilized. However, in this traditional method, the computational costs and communication overhead are the sum of those of signature and encryption, being very high. Signcryption [1] can realize both confidentiality and authentication simultaneously in a single logic step, and the cost is much lower than that of the traditional approach.

Zheng’s original signcryption scheme [1] is based on the public key infrastructure (PKI), whose drawback is the high management cost of the public key certificate. An identity-based cryptosystem [2] can greatly reduce the cost of public key management, but it suffers from the private key escrow problem (i.e., the trusted third-party private key generator [PKG] knows all users’ private keys).

In 2003, Al-Riyami and Paterson [3] proposed the certificateless cryptosystem, for which a user’s private key is composed of two parts: the partial-private key produced by the trusted third-party key generation center (KGC) and a secret value chosen by the user. Accordingly, a user’s public key is also composed of two parts: the user’s identity information and the public key corresponding to the secret value. Because the public key does not require a certificate, the cost of public key management is greatly reduced. Meanwhile, the KGC does not know the user’s secret value, and thus, there is no private key escrow problem. Certificateless cryptosystems have attracted widespread attention since their introduction.

Returning to cloud storage, we sometimes need confidentiality and authentication separately, whereas, at other times, both are needed simultaneously. For example, an announcement needs only authentication, private information requires only confidentiality, and information sent to others needs both. To meet this requirement, we can use three algorithms (i.e., encryption, signature, and signcryption). However, three algorithms require three pairs of keys, and hence, the key management cost is high. To reduce the complexity of key management and increase the flexibility of implementation, Han et al. [4] proposed the concept of generalized signcryption (GSC) in 2006, which is the natural extension of signcryption. GSC can realize encryption, signature, and signcryption with only one algorithm and one key pair. Because it can adaptively switch between encryption mode, signature mode, and signcryption mode, GSC can realize confidentiality and authentication separately/simultaneously in an efficient manner. Therefore, we can use GSC to achieve confidentiality and authentication separately/simultaneously in a cloud storage scenario.

In Han et al.’s original GSC scheme [4], however, the private key exposure problem was not considered. With the widespread use of mobile devices, key exposure has become a serious and realistic threat. If an attacker can obtain a victim’s private key, he/she does not need to solve the hard problems on which the cryptosystem is based. To minimize the damage caused by private key exposure, forward-secure [5], key-insulated [6], and intrusion-resilient [7] technologies have been introduced. In forward-secure technology, the lifetime of a system is divided into separate time periods. At the beginning of each time period, a user’s private key must be updated, whileas the public key remains unchanged throughout the lifetime. Thus, the private key exposure of a given time period affects only the security of the current and later time periods, while the previous time periods are protected. Thus, the attacker cannot decrypt the encryption and signcryption ciphertexts in the previous time periods and also cannot forge the signature and signcryption ciphertexts in the previous time periods. As forward-secure technology does not provide backward security, key-insulated technology has been introduced. In this technology, a physically secure but computationally limited device (the helper) is introduced and stores a helper private key. The lifetime of a system is divided into separate time periods, as in forward-security technology. When a user’s private key is updated at the beginning of a time period, the helper is needed to produce an update key. The user updates his/her private key by combining the update key and his/her old time period private key. The public key remains unchanged throughout the lifetime, as in the forward-secure technology. The signature, signcryption, decryption, and un-signcryption computations need only the user’s current time period private key, and the helper is not involved. Thus, a user’s private key being compromised in some given time periods does not affect the security of other time periods. Therefore, both forward and backward security are achieved. In addition, if the helper’s private key is exposed, as long as the user’s period private key in each time period is not exposed, security will be guaranteed. However, if the helper’s private key is exposed at the same time that the user’s private key in any time period is exposed, both forward and backward security will be breached. In intrusion-resilient technology, at the beginning of each time period, both the user’s private key and the helper’s private key must be updated. Thus, it retains the advantage of a key-insulated system while gaining the following advantages. If the helper’s private key is exposed in a given time period, both forward and backward security will still hold as long as the user’s private key is not exposed within the same time period. If the helper’s private key and the user’s private key are exposed in the same time period, forward security will be maintained. Obviously, key-insulated technology is more secure than forward-security technology, and intrusion-resilient technology is more secure than key-insulated technology. Due to the complexity and low efficiency of the current intrusion-resilient technology, here, we consider only key-insulated technology.

In this paper, we introduce key-insulated technology into GSC for the first time and propose a certificateless key-insulated GSC scheme to meet the security requirements of cloud storage. Our scheme has the following advantages. First, we use only one algorithm and one key pair to realize the key-insulated encryption, key-insulated signature, and key-insulated signcryption functions. The algorithm can switch between the encryption, signature, and signcryption modes adaptively. Therefore, it can realize confidentiality and authentication separately or simultaneously, and the total number of keys in the system is greatly reduced. Second, the user’s private keys may be exposed during some time periods, whereas they are not affected in other time periods. Third, our scheme possesses the advantages of a certificateless cryptosystem: low public key management costs and no private key escrow problem. Fourth, our scheme does not rely on costly bilinear pairings. Bilinear pairing is a useful tool in the design of cryptography schemes, but the computational cost of a pairing can be almost 20 times that of elliptic curve point multiplication [8]. Therefore, the computational efficiency of our scheme is high. Fifth, our scheme supports unbounded time periods. In comparison, in the first key-insulated scheme [6], the total number of time periods must be given in advance. Sixth, our scheme supports random-access key update; that is, for any current time period and any desired time period , the private key can be updated from to in one step. Seventh, our scheme supports secure key update. We considered the possibility that an adversary may break into the user’s storage while a key update is occurring. In this scenario, a key update exposure from time period to is equivalent to key exposures in time periods and . Other time periods remain secure.

We give a formal definition and the security concept of certificateless key-insulated GSC. Based on the CDH hard problem, we prove that our scheme is confidential in both encryption and signcryption modes. Based on the EC-DL hard problem, we prove that our scheme is unforgeable in both signature and signcryption modes. Finally, we evaluate the efficiency of our scheme and demonstrate that it is highly efficient.

The remainder of this paper is organized as follows. In Section 2, various related works are described. Section 3 addresses various hard problems. In Section 4, the formal definition and security model are introduced. Section 5 presents the concrete certificateless key-insulated GSC scheme without bilinear pairings. In Section 6, we analyze the security of our scheme. In Section 7, we evaluate the efficiency of our scheme. We conclude the paper in Section 8.

#### 2. Related Work

Han et al. [4] first introduced the notion of GSC in 2006. Subsequently, Han and Gui [9] described a multireceiver GSC scheme and applied it to wireless multicast communication in 2009. Wang et al. [10] gave a formal definition and security model of GSC in the PKI setting for the first time and improved the scheme [4] in 2010. Later, Yu et al. [11] proposed an identity-based GSC scheme and a security model in the same year. Kushwah and Lal [12] simplified the security model of scheme [11] and proposed a more efficient identity-based GSC scheme in 2011. Zhou et al. [13] proposed a certificateless GSC scheme that can resist a malicious-but-passive KGC attack [14] in 2014. Wei et al. [15] proposed an identity-based GSC scheme in the standard model and applied it to big data security in 2015. Zhou [16] described an attack on scheme [9] and improved it in the same year. Subsequently, Han and Lu [17] proposed an attribute-based GSC scheme in the standard model and applied it to online social networks. Zhou et al. [18, 19] extended GSC, introduced two new concepts (generalized proxy signcryption and generalized ring signcryption), and proposed a concrete scheme in 2016. Zhang et al. [20] proposed a lightweight certificateless GSC scheme and applied it to a mobile health system in 2017.

Key-insulated encryption was first introduced by Dodis et al. [6] in 2002. Dodis et al. [21] extended the key-insulated encryption to a key-insulated signature and proposed a concrete scheme in 2003. However, in the two schemes, the total number of time periods must be given in advance. Hanaoka et al. [22] introduced key-insulated encryption into the identity-based setting and proposed an identity-based hierarchical key-insulated encryption scheme in 2005. Zhou et al. [23] proposed the first identity-based key-insulated signature in 2006. Weng et al. [24] developed an identity-based key-insulated signature in the standard model in the same year. Subsequently, Hanaoka et al. [25] introduced parallel key-insulated encryption and proposed some concrete schemes. Later, Bellare and Palacio [26] proposed a key-insulated encryption scheme in which the total number of time periods does not need to be determined in advance in the PKI setting. Li et al. [27] introduced the key-insulated mechanism into the group signature and proposed a concrete scheme in 2007. Liu and Wong [28] introduced the key-insulated mechanism into the ring signature and proposed a concrete scheme in 2008. Wan et al. [29] proposed the first certificateless key-insulated signature in 2009; their scheme was designed in the standard model. In the same year, Liu and Cao [30] noted that scheme [24] is insecure. Later, Wan et al. [31] introduced a key-insulated mechanism into the proxy signature and proposed a concrete scheme. Du et al. [32] proposed the first certificate-based key-insulated signature in 2012. Chen et al. [33] proposed the first key-insulated signcryption in the same year and proved their scheme in the standard model. Fan et al. [34] proposed a PKI-based key-insulated signcryption scheme, and Wang et al. [35] suggested an identity-based key-insulated signcryption scheme in 2013. Zhao et al. [36] introduced the key-insulated mechanism into the aggregate signature and proposed a concrete scheme in 2014. Chen et al. [37] proposed the first attribute-based key-insulated signature and applied it to anonymous authentication for a bidirectional broadcasting service in the same year. Subsequently, Zhu et al. [38] determined that scheme [33] is insecure and reported an improvement. Li et al. [39] proposed a certificate-based key-insulated signature scheme in the same year. Xiong et al. [40] proposed a pairing-free certificate-based key-insulated signature scheme for low-power devices, and Lu et al. [41] proposed a certificateless strong key-insulated signature in the standard model in 2015. Li et al. [42] proposed a certificate-based key-insulated signature in the standard model in 2016. Hong and Sun [43] proposed an attribute-based key-insulated signcryption without bilinear pairings and applied it to mobile networks during the same year.

#### 3. Preliminaries

(1)Elliptic curve discrete logarithm (EC-DL) problem: let be an elliptic curve over the finite field , where is a prime number, and let be an additive group of prime order on . Given for unknown randomly chosen , one must compute .(2)Computational Diffie-Hellman (CDH) problem: given for unknown randomly chosen , one must compute .

#### 4. Formal Definition and Security Model of Certificateless Key-Insulated GSC

##### 4.1. Formal Definition

A certificateless key-insulated GSC scheme consists of the following eight algorithms.

*(**1) Setup.* Given a security parameter , it produces a master private key and a global public parameter . It is usually run by the KGC.

*(**2) Partial-Private-Key-Gen.* Given a user’s identity , the , and the master private key , it produces a partial private key for the user. It is also usually run by the KGC, and the KGC sends to the user securely.

*(**3) User-Key-Gen.* Given a user’s identity and the , it produces a secret value and the corresponding public key for the user. It is usually run by the user.

*(**4) Set-Initial-Key.* Given a user’s identity , the , his/her partial private key , and his/her secret value , it produces a helper private key for the helper and a period private key in time period 0 for the user. It is usually run by the user. Then, the user sends the helper private key to the helper and deletes it from the user.

*(**5) Key-Update-H.* Given a user’s identity , the , the helper private key , the old time period , and the new time period , it produces an update key . It is usually run in the helper device.

*(**6) Key-Update-U.* Given a user’s identity , the , the update key , and a user’s period private key , it produces the user’s period private key . It is usually run by the user.

*(**7) GSC.* Given a sender’s identity , a receiver’s identity , the , a message , a time period , and the sender’s period private key , it produces a GSC ciphertext . It is usually run by the sender or anyone in encryption mode.

This algorithm can be run in three modes.(a)* Encryption mode:* if is null and is not, then the GSC ciphertext is an encryption ciphertext.(b)* Signature mode:* if is null and is not, then the GSC ciphertext is a signature.(c)* Signcryption mode:* if neither nor is null, then the GSC ciphertext is a signcryption ciphertext.

*(**8) Un-GSC*. Given a sender’s identity , a receiver’s identity , the , a GSC ciphertext , a time period , and the receiver’s period private key , it recovers the message in encryption or signcryption mode or returns true in signature mode; otherwise, it returns , indicating decryption failure or an invalid signature. It is usually run by the receiver or anyone in signature mode.

This algorithm can also be run in three modes.(a)* Decryption mode:* if is null and is not, it runs in this mode.(b)* Signature verification mode:* if is null and is not, it runs in this mode. Any person can verify the signature .(c)* Un-signcryption mode:* if neither nor is null, it runs in this mode.

*Note.* The scheme can switch between different modes automatically. If the input of the sender’s identity is null and the receiver’s identity is not, it automatically runs in encryption mode. If the input of is not null and is, it automatically runs in signature mode. If the input of neither nor is null, it automatically runs in signcryption mode. Both and being null is disallowed.

##### 4.2. Security Model

There are two types of attackers in the certificateless cryptosystem [3]. A type I attacker does not know the system master private key, but he/she can replace the public key of any user. This considers an attack by any user other than the KGC. A type II attacker knows the system master private key, but he/she cannot replace anyone’s public key. This considers the attack launched by the KGC, but the KGC is honest-but-curious. Thus, the KGC generates the system parameters honestly according to the Setup algorithm. Then, he/she attempts to attack the system. In 2007, Au et al. [14] introduced a new type of KGC attack: the malicious-but-passive KGC attack. This type of KGC attack assumes that the KGC may imbed some trapdoors in the system parameters when he/she runs the Setup stage. We consider this type of KGC attack in our security model.

In terms of key-insulated security, there are three types of key exposures [6]: () ordinary key exposure, which involves the user-period-private key being compromised; () key-update exposure, which involves the user’s device being compromised during the key-updating step; and () helper-key exposure, which involves the physically secure device being compromised. Security against the first type of exposure is called basic key-insulated security, security against the second type of exposure is called secure key update, and security against the last type of exposure is called strong key-insulated security. Compromising both the user-period-private key and helper key is not allowed because, in this case, the adversary can compute the user-period-private key in any time period.

The security of GSC includes confidentiality and unforgeability. Specifically, the scheme must possess indistinguishability under an adaptively chosen ciphertext attack in encryption and signcryption modes and unforgeability under an adaptively chosen message attack in signature and signcryption modes.

By referring to the security models of schemes [6, 13, 33, 34, 39, 41], we have the following nine definitions. The first four definitions focus on the first type of exposure, Definitions 5–8 focus on the last type of exposure, and Definition 9 focuses on the second type of exposure.

There are nine oracles that can be accessed by adversary as follows.

*(a) User-Creation Query.* Adversary provides an identity . If it has been created, returns the public key to . Otherwise, runs the partial-key-gen and user-key-gen algorithms to produce the partial private key and the user’s secret-value/public key pair . runs the set-initial-key algorithm to produce the helper private key . Then, returns the public key to .

*(b) Partial-Private-Key Query. * provides a created identity , and returns the partial private key to .

*(c) Secret-Value Query. * provides a created identity , and returns the secret value to .

*(d) Public-Key Query. * provides a created identity , and returns the public key to .

*(e) Public-Key-Replacement Query. * provides a created identity and a new public/secret-value pair , and replaces the old public/secret-value pair with the new one .

*(f) User-Period-Private-Key Query. * provides a created identity and a time period , and returns the user’s period private key to (first running the key-update-h and key-update-u algorithms, if necessary).

*(g) Helper-Key Query. * provides a created identity . returns the user’s helper key to .

*(h) GSC Query. * provides two created identities (one of them may be null), a message , and a time period . runs the GSC algorithm and returns its output to .

*(i) Un-GSC Query. * provides two created identities (one of them may be null), a ciphertext , and a time period . runs the Un-GSC algorithm and returns its results to .

###### 4.2.1. Basic Key-Insulated Security

*Definition 1 (type I confidentiality, encryption, and signcryption modes). *A certificateless key-insulated GSC scheme is said to be indistinguishability-certificateless-basic key-insulated-GSC-adaptive chosen ciphertext attack-type I (IND-CL-Basic-KI-GSC-CCA2-I) secure if no probabilistic polynomial time (PPT) adversary has a nonnegligible advantage in the following game.*(**1) Setup.* Given a security parameter , challenger runs the setup algorithm to produce the system public parameter and a master private key . He/she returns to adversary and keeps secret. *(**2) Find Stage. * can adaptively ask all the above oracles, except the helper-key oracle. *(**3) Challenge Stage. * provides two distinct messages with equal length, a created sender’s identity ( may be null), a created receiver’s identity , and a time period . randomly chooses and computes . Then, returns to . *(**4) Guess Stage. * can ask the same queries as in the Find stage adaptively. Finally, gives his/her guess . If , he/she wins the game. The restrictions on are as follows:(a)The receiver’s identity cannot be null.(b) cannot ask for ’s period private key in time period .(c) cannot ask for the partial private key of .(d)In the Guess stage, cannot make an Un-GSC query on the challenge ciphertext under , , and unless the public key of or has been replaced after the Challenge stage. ’s advantage is defined as .

*Note.* In the above Challenge stage, the sender’s identity may be null. In this case, it runs in encryption mode; otherwise it runs in signcryption mode. Thus, the encryption and signcryption modes share the same game, as described above.

*Definition 2 (type II confidentiality, encryption, and signcryption modes). *A certificateless key-insulated GSC scheme is said to be IND-CL-Basic-KI-GSC-CCA2-II secure if no PPT adversary has a nonnegligible advantage in the following game.*(**1) Setup.* Given a security parameter , adversary runs the setup algorithm to produce the system public parameter and a master private key . He/she returns and to challenger . *(**2) Find Stage. * can adaptively ask all the above oracles except the helper-key, partial-private-key, and public-key-replacement oracles. holds the master private key and thus he/she can compute the partial private key by himself/herself. is not allowed to replace anyone’s public key in the certificateless cryptographic system. *(**3) Challenge Stage. * provides two distinct messages with equal length, a created sender’s identity ( may be null), a created receiver’s identity , and a time period . randomly chooses and computes . Then, returns to . *(**4) Guess Stage. * can ask the same queries adaptively as in the Find stage. Finally, gives his/her guess . If , he/she wins the game. The restrictions on are as follows:(a)The receiver’s identity cannot be null.(b) cannot ask for ’s period private key in time period .(c) cannot ask for ’s secret value (d)In the Guess stage, cannot make an Un-GSC query on the challenge ciphertext under , , and . ’s advantage is defined as .

*Note 1.* In the above Challenge stage, the sender’s identity may be null. In this case, it runs in encryption mode; otherwise, it runs in signcryption mode. Thus, the encryption and signcryption modes share the same game, as described above.

*Note 2.* To resist the malicious-but-passive KGC attack, it must let adversary produce the system parameters and master private key in the Setup stage.

*Definition 3 (type I unforgeability, signature, and signcryption modes). *A certificateless key-insulated GSC scheme is said to be existentially unforgeable-certificateless-basic key-insulated-GSC-adaptive chosen message attack-type I (EUF-CL-Basic-KI-GSC-CMA-I) secure if no PPT adversary has a nonnegligible advantage in the following game.*(**1) Setup*. The same as in Definition 1. *(**2) Queries*. The same as in Definition 1. *(**3) Forgery*. Finally, outputs a forged GSC ciphertext in time period with as the sender and as the receiver. wins the game if the output of the Un-GSC algorithm is not the symbol and if the following conditions hold:(a)The sender’s identity cannot be null.(b) cannot ask for ’s period private key in time period .(c) cannot ask for ’s partial private key .(d) is not the output of the GSC query. ’s advantage is its probability of victory.

*Note.* In the above Forgery stage, the receiver’s identity may be null. In this case, it runs in signature mode; otherwise, it runs in signcryption mode. Thus, the signature and signcryption modes share the same game, as described above.

*Definition 4 (type II unforgeability, signature, and signcryption modes). *A certificateless key-insulated GSC scheme is said to be EUF-CL-Basic-KI-GSC-CMA-II secure if no PPT adversary has a nonnegligible advantage in the following game.*(**1) Setup.* The same as in Definition 2.*(**2) Queries.* The same as in Definition 2. *(**3) Forgery.* Finally, outputs a forged GSC ciphertext in time period with as the sender and as the receiver. wins the game if the output of the Un-GSC algorithm is not the symbol and if the following conditions hold:(a)The sender’s identity cannot be null.(b) cannot ask for ’s period private key in time period .(c) cannot ask for ’s secret value .(d) is not the output of the GSC query. ’s advantage is its probability of victory.

*Note.* In the above Forgery stage, the receiver’s identity may be null. In this case, it runs in signature mode; otherwise, it runs in signcryption mode. Thus, the signature and signcryption modes share the same game, as described above.

###### 4.2.2. Strong Key-Insulated Security

*Definition 5 (type I confidentiality, encryption, and signcryption modes). *A certificateless key-insulated GSC scheme is said to be IND-CL-Strong-KI-GSC-CCA2-I secure if no PPT adversary has a nonnegligible advantage in the following game.*(**1) Setup.* The same as in Definition 1. *(**2) Find Stage. * can adaptively ask all the above oracles except the user-period-private-key oracle. *(**3) Challenge Stage*. The same as in Definition 1. *(**4) Guess Stage. * can adaptively make the same queries as in the Find stage. Finally, gives his/her guess . If , he/she wins the game. The restrictions on are as follows:(a)The receiver’s identity cannot be null.(b) cannot ask for the partial private key of .(c)In the Guess stage, cannot make an Un-GSC query on the challenge ciphertext under , , and unless the public key of or has been replaced after the challenge stage. ’s advantage is defined as .

*Note.* In the above Challenge stage, the sender’s identity may be null. In this case, it runs in encryption mode; otherwise, it runs in signcryption mode. Thus, the encryption and signcryption modes share the same game, as described above.

*Definition 6 (type II confidentiality, encryption, and signcryption modes). *A certificateless key-insulated GSC scheme is said to be IND-CL-Strong-KI-GSC-CCA2-II secure if no PPT adversary has a nonnegligible advantage in the following game. *(**1) Setup.* The same as in Definition 2. *(**2) Find Stage. * can adaptively ask all the above oracles except the user-period-private-key, partial-private-key, and public-key-replacement oracles. *(**3) Challenge Stage.* The same as in Definition 2. *(**4) Guess Stage. * can make the same queries adaptively as in the Find stage. Finally, gives his/her guess . If , he/she wins the game. The restrictions on are as follows:(a)The receiver’s identity cannot be null.(b) cannot ask for ’s secret value .(c)In the Guess stage, cannot make an Un-GSC query on the challenge ciphertext under , , and . ’s advantage is defined as .

*Note 1*. In the above Challenge stage, the sender’s identity may be null. In this case, it runs in encryption mode; otherwise, it runs in signcryption mode. Thus, the encryption and signcryption modes share the same game, as described above.

*Note 2*. To resist the malicious-but-passive KGC attack, it must let adversary produce the system parameters and master private key in the Setup stage.

*Definition 7 (type I unforgeability, signature, and signcryption modes). *A certificateless key-insulated GSC scheme is said to be EUF-CL-Strong-KI-GSC-CMA-I secure if no PPT adversary has a nonnegligible advantage in the following game.*(**1) Setup.* The same as in Definition 5. *(**2) Queries.* The same as in Definition 5. *(**3) Forgery.* Finally, outputs a forged GSC ciphertext in time period with as the sender and as the receiver. wins the game if the output of the Un-GSC algorithm is not the symbol and if the following conditions hold:(a)The sender’s identity cannot be null.(b) cannot ask for ’s partial private key .(c) is not the output of the GSC query. ’s advantage is its probability of victory.

*Note.* In the above Forgery stage, the receiver’s identity may be null. In this case, it runs in signature mode; otherwise, it runs in signcryption mode. Thus, the signature and signcryption modes share the same game, as described above.

*Definition 8 (type II unforgeability, signature, and signcryption modes). *A certificateless key-insulated GSC scheme is said to be EUF-CL-Strong-KI-GSC-CMA-II secure if no PPT adversary has a nonnegligible advantage in the following game.*(**1) Setup.* The same as in Definition 6. *(**2) Queries.* The same as in Definition 6. *(**3) Forgery.* Finally, outputs a forged GSC ciphertext in time period with as the sender and as the receiver. wins the game if the output of the Un-GSC algorithm is not the symbol and if the following conditions hold:(a)The sender’s identity cannot be null.(b) cannot ask for ’s secret value .(c) is not the output of the GSC query. ’s advantage is its probability of victory.

*Note*. In the above Forgery stage, the receiver’s identity may be null. In this case, it runs in signature mode; otherwise, it runs in signcryption mode. Thus, the signature and signcryption modes share the same game, as described above.

###### 4.2.3. Secure Key Update

*Definition 9. *A certificateless key-insulated GSC scheme is said to support secure key update if a key update exposure from time period to is equivalent to user-period-private-key exposures in both time periods and .

#### 5. A Concrete Certificateless Key-Insulated GSC Scheme

##### 5.1. Concrete Scheme

By referring to Seo et al.’s [44] pairing-free certificateless signcryption tag key encapsulation mechanism, we propose an efficient pairing-free certificateless key-insulated GSC scheme.

*Setup*. Given a security parameter , the KGC produces two large prime numbers and . Then, he/she defines a secure elliptic curve on the finite field . Let be a cyclic group of order on , and let be a generator of . He/she randomly chooses as the master private key and computes as the master public key. He/she chooses seven hash functions: , and , where is the bit length of message . He/she defines a special function : if the identity is null, then ; otherwise, . The system public parameters are . He/she keeps the master private key secret.

*Partial-Private-Key-Gen*. Given a user’s identity , the KGC randomly chooses and computes and , where . KGC sends to securely.

*User-Key-Gen.* The user with identity randomly chooses as his/her secret value. He/she computes the public key as .

*Set-Initial-Key.* The user with identity randomly chooses and computes , , , , , and . Finally, the helper private key is , and the user’s period private key in time period 0 is . The user broadcasts . Then, the user sends the helper key and the ephemeral variable in time period 0 to the helper and deletes them from the user.

*Key-Update-H.* Given a user’s identity and , the old time period , and the new time period , the helper chooses and computes , , , , , and . Then, the update key is . The helper saves and deletes .

*Key-Update-U.* Given the update key , the user updates his/her period private key from time period to as . Then, he/she broadcasts .

*GSC*. Let , let the sender’s identity be , let the receiver’s identity be , and let the time period be . The sender randomly chooses and computes , , , and . Then, he/she computes , , , , , , and . Finally, the output is .

This algorithm can be run in three modes. We add a in the ciphertext.

*(**1) Encryption Mode.* If is null and is not, then and . The ciphertext is an encryption ciphertext. In this case, , , , and are all set to the infinite point on , and is set to zero. Additionally, in this case, .

*(**2) Signature Mode.* If is null and is not, then and . The ciphertext is a signature. In this case, , , , and are all set to the infinite point on . Additionally, in this case, and .

*(**3) Signcryption Mode.* If neither nor is null, then and . The ciphertext is a signcryption ciphertext.

*Un-GSC.* The ciphertext is .(a). is an encryption ciphertext. The receiver computes and and recovers the message . Then, he/she computes and verifies whether holds true or not. If it does, he/she accepts it.(b). is a signature. In this case, . The verifier computes , , , , , and . Then, he/she verifies whether holds true or not. If it does, he/she accepts the signature.(c). is a signcryption ciphertext. The receiver computes and and recovers the message . Then, he/she computes , , , , , and and verifies whether holds true or not. If it does, he/she accepts it.

##### 5.2. Correctness

①

②

##### 5.3. Random-Access Key Update

Obviously, our scheme supports random-access key update; thus, for any current time period and any desired time period , the private key can be updated from to in one step.

#### 6. Security Analysis of the Proposed Scheme

##### 6.1. Confidentiality of Basic Key Insulation

Theorem 10 (type I confidentiality). *In the random oracle model, if there is a PPT adversary with a nonnegligible advantage against the IND-CL-Basic-KI-GSC-CCA2-I security of the scheme running in encryption or signcryption mode in time and performing at most queries, user-creation queries, partial-private-key queries, period-private-key queries, GSC queries, and Un-GSC queries, then the CDH problem can be solved with probability in time , where denotes the time for a scalar multiplication on .*

*Proof. *Suppose challenger is given for random . does not know the values of and and is asked to compute . To utilize adversary , challenger will simulate all the oracles defined in Definition 1. *Setup. * sets . Other public parameters are produced normally. gives the system public parameters to . maintains nine lists, , and , which are initially empty. randomly selects . *Find Stage. * makes queries to the following oracles adaptively. *User-Creation Query. * provides an identity . looks up list to determine whether it contains the item. If it does, returns ’s public key and public parameters to . Otherwise, proceeds as follows and returns public key and public parameters to .

randomly selects as the secret value and computes the public key as . randomly selects as the helper private key and computes . (1). randomly selects and computes . inserts the tuple into list .(2). randomly selects and computes . inserts the tuple into list . If there is a collision in list , rechooses and repeats the process. inserts the tuple into list .. supplies a tuple . first checks list to determine whether it contains the item . If it does, returns . Otherwise, randomly selects and repeats the process until is not in list . stores the tuple in list and returns to .

. supplies a tuple . first checks list to determine whether it contains the item . If it does, returns . Otherwise, randomly selects and repeats the process until is not in list . stores the tuple in list and returns to .

. supplies a tuple . first checks list to determine whether it contains the item . If it does, returns . Otherwise, randomly selects and repeats the process until is not in list . stores the tuple in list and returns to .

. supplies a tuple . first checks list to determine whether it contains the item . If it does, returns . Otherwise, randomly selects and repeats the process until is not in list . stores the tuple in list and returns to . * Query. * supplies a tuple . first checks list to determine whether it contains the item . If it does, returns . Otherwise, randomly selects and repeats the process until is not in list . stores the tuple in list and returns to . * Query. * supplies a tuple . first checks list to determine whether it contains the item . If it does, returns . Otherwise, randomly selects and repeats the process until is not in list . stores the tuple in list and returns to . * Query. * supplies a tuple . first checks list to determine whether it contains the item . If it does, returns . Otherwise, randomly selects and repeats the process until is not in list . stores the tuple in list and returns to . *Partial-Private-Key Query. * provides a created identity . (1). retrieves from list and returns it to .(2). aborts.*Secret-Value Query. * provides a created identity . retrieves from list and returns it to .*Public-Key Query*. provides a created identity . retrieves the public key and public parameters from list and returns them to . *Public-Key-Replacement Query. * provides a created identity and a new public/secret-value pair . replaces the old public/secret-value pair with the new one and updates list . *User-Period-Private-Key Query. * provides a created identity and a time period . first checks list to determine whether it contains the item . If it does, returns . Otherwise, we consider two cases.(1). randomly chooses and computes . retrieves from list . Then makes an query with the tuple and obtains a response . makes an query with the tuple and obtains a response . makes an query with the tuple and obtains a response . retrieves from list and computes the period private key in time period as . inserts the tuple into list and returns .(2). aborts.*GSC Query. * provides two created identities (one of them may be null), a message , and a time period . If is null, it is equal to an encryption oracle, which only requires the public parameters. Otherwise, we consider two cases. (1). runs the GSC algorithm as normal because can obtain the private key of in time period .(2). first checks list to determine whether it contains the item . If it does, retrieves ; otherwise, randomly chooses , computes , and inserts the tuple into list . randomly chooses and computes , , , and . Then, he/she computes , , and . The values needed for the above computations can be obtained by querying associated oracles. inserts the tuple