Security and Communication Networks

Volume 2018, Article ID 3578942, 11 pages

https://doi.org/10.1155/2018/3578942

## An Efficient Certificateless Generalized Signcryption Scheme

^{1}School of Information Science and Engineering, University of Jinan, Jinan 250022, China

^{2}School of Information Technology, Deakin University, Melbourne, VIC 3125, Australia

^{3}Shandong Provincial Key Laboratory of Network Based Intelligent Computing, University of Jinan, Jinan 250022, China

Correspondence should be addressed to Bo Zhang; zhangbosdu@gmail.com

Received 3 November 2017; Revised 2 March 2018; Accepted 5 April 2018; Published 15 May 2018

Academic Editor: Jiankun Hu

Copyright © 2018 Bo Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Generalized signcryption can adaptively work as an encryption scheme, a signature scheme, or a signcryption scheme with only one algorithm. The paper proposes an efficient certificateless generic signcryption scheme without utilizing bilinear pairing operations. It is proved to satisfy confidentiality and unforgeability against chosen ciphertext and message attacks in an adaptive manner, respectively, in the random oracle model. Due to the lower computational cost and communication overhead, the proposed scheme is suitable for low power and processor devices.

#### 1. Introduction

In the traditional Public Key Infrastructure (PKI), a certificate authority (CA), which is a third party, issues certificates to bind the identity of a user and the corresponding public key. The certificate provides an unforgeable and trusted link by the CA’s digital signature. However, the problem of certificate management, including the storage, revocation, and distribution of certificates, is complex in this kind of PKI. Identity-based Public Key Cryptosystems (ID-PKC) were introduced by Shamir [1] in 1984 to simplify the certificate management problem. A user’s public key can be easily derived from arbitrary strings corresponding to his identity information, such as passport number, telephone number, name, and email address. A trusted third party named private key generator (PKG) computes private keys from a master secret and users’ identity information and distributes these private keys to users participating in the scheme. This eliminates the need for certificates as used in a traditional PKI. ID-based systems may be a good alternative for certificate-based systems from the viewpoint of efficiency and convenience. But an inherent problem of ID-based cryptosystems is the key escrow; that is, the PKG knows the user’s private key, resulting in no user privacy and authenticity. To eliminate these problems simultaneously, Al-Riyami and Paterson introduced the concept of certificateless public key cryptography (CL-PKC) in 2003 [2]. In a CL-PKC, a public/secret key pair is produced by the user himself independently without requiring the public key to be certified. Also, a partial private key is generated by a semi-trusted third party, called the key generation center (KGC), from the unique identifier information of the user. An entity that knows only one of them should not be able to impersonate the user or carry out any of the cryptographic operations as the user. In other words, CL-PKC can act as an intermediate between traditional PKI and ID-PKC.

The confidentiality and authenticity of messages are the basic requirement for secure communication. In 1997, Zheng proposed a cryptographic primitive signcryption [3], which simultaneously fulfils the integrated function of public encryption and digital signature with a computing and communication cost significantly smaller than that required by the signature-then-encryption method. According to the three public key authentication methods, signcryption can be divided into three types: PKI-based signcryption schemes [4–10], ID-based signcryption schemes (IBSC) [11–16], and certificateless signcryption schemes (CLSC) [17–20].

Sometimes, confidentiality and authenticity are needed separately, and sometimes, both of them are needed simultaneously. We can use encryption, signature, or signcryption to achieve the security properties, respectively. But maintaining three different primitives or components at the same time is quite a burden to a system, especially to the low power and processor devices in low-bandwidth environments. Generalized signcryption (GSC) was proposed [21–23] to solve this problem. A GSC scheme can adaptively work as an encryption scheme, a signature scheme, or a signcryption scheme with only one algorithm. In other words, without any additional modification and computation, it provides double functions when confidentiality and authenticity are required simultaneously and the separate encryption or signature function when one of them is required. So, the GSC scheme can be viewed as a primitive with three work modes. In 2010, the first certificateless generalized signcryption (CLGSC) scheme was introduced by Ji et al. [24]. In their work, the formal definition, security model, and a concrete scheme were proposed. But Kushwah and Lai [25] noted that the scheme [24] is not existentially unforgeable against a Type *I* adversary, and they proposed a new secure and efficient CLGSC scheme. Zhou et al. [26] proposed a more efficient CLGSC scheme based on the certificateless signcryption proposed in [17]. However, all the existing CLGSC schemes are realized with bilinear pairing operations. Compared with other operations, the bilinear pairing operation is much more complicated. Therefore, a concrete scheme without bilinear pairing is more suitable for applications. Very recently, Zhou et al. [27] introduced the key-insulated mechanism into GSC and proposed a concrete scheme without bilinear pairings in the certificateless cryptosystem setting.

In this paper, we give a formal definition and the security concept of CLGSC and propose an efficient concrete scheme without utilizing bilinear pairing operations based on a certificateless signcryption-tag key encapsulation mechanism [28]. The concrete scheme is proved to satisfy confidentiality and unforgeability against chosen ciphertext and message attacks in an adaptive manner, respectively, in the random oracle model. Due to less computational cost and communication overhead, the proposed scheme is suitable for low power and processor devices.

The rest of the paper is organized as follows. The security problems, complexity assumptions, and the formal model of CLGSC scheme are introduced in Section 2. We describe a new CLGSC scheme in Section 3 and give the security proof and performance analysis of the new scheme in Sections 4 and 5, respectively. Finally, the conclusions are given in Section 6.

#### 2. Preliminaries

##### 2.1. Security Problems and Complexity Assumptions

Several related mathematical hard problems and security assumptions are presented here.

(i) The Elliptic Curve Discrete Log Problem (ECDLP) [29]: for group which is generated by , given , to find such that .

*Definition 1 (ECDLP assumption).* For group which is generated by , given , the successful advantage of any probabilistic polynomial time (PPT) adversary is presented as . If there exists no PPT adversary with nonnegligible advantage in solving the ECDLP problem, we say that the ECDLP assumption holds.

(ii) One-sided Gap Diffie-Hellman problem (ECDLP) [30]: for group which is generated by , is a fixed point, given , to find with the help of a one-sided decision Diffie-Hellman (ODDH) oracle. The ODDH oracle gets the tuple as the input and outputs 1 if and 0 otherwise.

*Definition 2 (ECDLP assumption).* For group which is generated by , is a fixed point, given . The successful advantage of any PPT adversary is presented as . If there exists no PPT adversary with nonnegligible advantage by making ODDH oracle queries in solving the ECDLP problem, we say that the -ECDLP assumption holds.

##### 2.2. Certificateless Generic Signcryption Scheme (CLGSC)

###### 2.2.1. Framework

Certificateless generic signcryption scheme (CLGSC) consists of the following probabilistic polynomial time algorithms.

*(1) Setup*. Taking a security parameter as input, the KGC runs the Setup algorithm to generate common parameters *params* and a master key *msk*. *params* are publicly available, whereas *msk* is kept secret by the KGC. Formally, we can write

*(2) Set-User-Key*. Taking the common parameters *params* and his own identity information as input, each user runs the Set-User-Key algorithm to generate a secret value and the corresponding public key value for himself. It returns the user’s secret value and a corresponding public value *PV*. Formally, we can write

*(3) Extract-Partial-Private-Key*. Given the common parameters *params*, an identity *ID*, and the corresponding public value *PV*, the KGC runs the Extract-Partial-Private-Key algorithm to generate the partial private key associated with *ID*. It distributes to the user via a secure channel. Formally, we can write

*(4) Set-Private-Key*. Given the common parameters *params*, the partial private key , and the secret value , the user with identity *ID* runs this algorithm to generate the full private key *SK* for himself. Formally, we can write

*(5) Set-Public-Key*. Given the common parameters *params*, the partial private key , the secret value , and the public value *PV*, the user with identity *ID* runs this algorithm to generate the full public key *PK* as the output. Formally, we can write

*(6) CLGSC-Signcrypt*. Given the common parameters *params*, the message , the receiver’s identity , and the full public value , the user with identity and the full private key runs this algorithm to generate the ciphertext as the output. Note that and could be null string. Formally, we can write

*(7) CLGSC-Unsigncrypt*. Given the ciphertext , the sender’s identity , and the public key , the receiver with identity and the full private key runs this algorithm to unsigncrypt (or decrypt) the ciphertext. It returns or true for the valid signcryption ciphertext or signature; return means invalid. Note that and could be null string. Formally, we can write

###### 2.2.2. Security Model

A CLGSC must satisfy confidentiality in encryption mode or signcryption mode and unforgeability in signcryption mode or signature mode. In a CLGSC scheme, we must consider two types of adversaries: a common user of the system and an honest-but-curious KGC. A common user cannot be in possession of the master secret key generated by the KGC. But he can replace the public key of the users with valid public keys of his choice in an adaptive manner. This type of adversary is modeled by the Type *I* adversary. An honest-but-curious KGC knows the KGC’s master secret key. But he is not able to replace the public keys of the users. This type of adversary is modeled by the Type *II* adversary.

An adversary can access seven kinds of oracles as follows.

*Set-User-Key Queries*. requests the secret value for a user with . uses the Set-User-Key algorithm to compute and sends to . If ’s public key has already been replaced, then a Type *I* adversary cannot submit ’s identity and request the secret value of .

*Extract-Partial-Private-Key Queries*. requests the partial private key for a user with ; uses the Set-User-Key algorithm to compute and then sends a partial private key generated by the Extract-Partial-Private-Key algorithm to .

*Set-Private-Key Queries*. requests the private key for a user with ; sends the full private key generated by the Set-User-Key algorithm and Extract-Partial-Private-Key algorithm to . Note that if ’s public key has already been replaced, then a Type *I* adversary cannot submit the identity and request the full private key of .

*Set-Public-Key Queries*. requests the public key for a user with ; returns the public key to generated by the Set-User-Key algorithm and Extract-Partial-Private-Key algorithm.

*Public-Key-Replacement Queries*. computes a new public key for and replaces . Note that a Type *II* adversary cannot access Public-Key-Replacement queries.

*CLGSC-Signcrypt Queries*. submits to , in which is a message and and are the sender’s and the receiver’s identities, respectively. returns the ciphertext to . Note that if the public key of the sender has been replaced, then may not return the ciphertext . In this case, must provide the secret value to .

*CLGSC-Unsigncrypt Queries*. submits to , in which is a signature or signcryption ciphertext and and are the sender’s and the receiver’s identities, respectively. returns the output of CLGSC-unsigncrypt to . Note that if the public key of the receiver is replaced, then may not return the corresponding value. In this case, must provide the secret value to .

*Confidentiality*

*Definition 3 (IND-CLGSC-CCA2 confidentiality).* A certificateless generic signcryption scheme in signcryption mode or encryption mode is semantically secure against adaptive chosen ciphertext attacks if, for every PPT adversary, the advantage is negligible in the following games. The games are played between a challenger and the adversaries and , respectively.

*GAME 1 (IND-CLGSC-CCA2-I)*

*Initial*. generates the system parameters* params* and the master secret key* msk* by running the Setup algorithm. It keeps* msk* secret and sends* params* to .

*Phase I*. performs a polynomially bounded number of the above queries.

*Challenge*. outputs a tuple , in which and are distinct messages of equal length and and are the sender’s and the receiver’s identities, respectively. Here, it is to be noted that ’s full private key has not been extracted by in Phase *I*. It is also to be noted that ’s partial private key has not been extracted and his public key has not been replaced simultaneously. picks randomly, runs the algorithm of CLGSC-signcrypt with , and sends the output to .

*Phase II*. asks queries adaptively again. However, the full private key for may not be extracted by and the partial private key for may not be extracted if the public key of has been replaced in Phase *I*. Only after the public key or has been replaced, CLGSC-unsigncrypt query on with sender and receiver is allowed.

*Guess Stage*. outputs his guess and if he wins the game.

The advantage of is .

*GAME 2 (IND-CLGSC-CCA2-II)*

*Initial*. generates* params* and* msk* by running the Setup algorithm. It sends* params* and* msk* to .

*Phase I*. performs a polynomially bounded number of queries just as in IND-CLGSC-CCA2-*I* game. Extract-Partial-Private-Key queries are not included here, because knows , and he can generate users’ partial private keys by himself.

*Challenge*. At the end of Phase *I*, outputs a tuple , in which and are distinct messages of equal length and and are the sender’s and the receiver’s identities, respectively. Here, it is to be noted that must have made no Set-Private-Key queries on in Phase *I*. picks randomly, runs the algorithm of CLGSC-signcrypt with , and sends the output to .

*Phase II*. asks queries adaptively again. However, the full private key for may not be extracted and only after the public key or has been replaced, CLGSC-unsigncrypt query on with sender and receiver is allowed.

*Guess Stage*. outputs his guess and if he wins the game.

The advantage of is .

Note that, in the above games, only the signcryption mode and encryption mode of the CLGSC scheme must be considered. The receiver’s identity cannot be vacant. If the sender’s identity is not vacant, the algorithm runs in signcryption mode; otherwise it runs in encryption mode.

*Unforgeability*

*Definition 4 (EUF-CLGSC-CMA unforgeability).* A certificateless generic signcryption scheme in signature mode or signcryption mode is existentially unforgeable against adaptive chosen message attacks if, for every PPT adversary, the advantage is negligible in the following games. The games are played between a challenger and the adversaries and , respectively.

*GAME 3 (EUF-CLGSC-CMA-I)*

*Initial*. generates* params* and* msk* by running the Setup algorithm. It keeps* msk* secret and sends* params* to .

*Training Phase*. Like in Phase *I* of the IND-CLGSC-CCA2-*I* game, may perform a series of adaptive queries.

*Forgery*. outputs a tuple . It must not be an output of the CLGSC-signcrypt query. The full private key of must not be extracted by during the Training Phase. Moreover, must have not replaced ’s public key and extracted ’s partial private key simultaneously. If the output of CLGSC-unsigncrypt is not , wins the game.

*GAME 4 (EUF-CLGSC-CMA-II)*

*Initial*. generates* params* and* msk* by running the Setup algorithm. It sends* params* and* msk* to .

*Training Phase*. Like in Phase *I* of the IND-CLGSC-CCA2-*II* game, may perform a series of adaptive queries.

*Forgery*. outputs a tuple . It must not be an output of the CLGSC-signcrypt query. During the Training Phase, must have made no Set-Private-Key queries and Set-User-Key queries on . If the output of CLGSC-unsigncrypt is not , wins the game.

Note that, in the above games, only the signcryption mode and signature mode of the CLGSC scheme must be considered. The sender’s identity cannot be vacant. If the receiver’s identity is not vacant, the algorithm runs in signcryption mode; otherwise it runs in signature mode.

#### 3. The Concrete Scheme

Motivated by the pairing-free CLSC-TKEM protocol, in this section, we present a novel certificateless generalized signcryption scheme. It consists of seven algorithms.

*(1) Setup*. Given a security parameter , the KGC executes the following operations:

(i) It chooses a -bit prime and the tuple , where is generated by .

(ii) It chooses uniformly as the master key and computes .

(iii) Let , , be cryptographic hash functions, where , , , where is the plaintext block length.

(iv) Define an index function as follows: if ; otherwise, .

(v) The public parameters and functions are presented as .

*(2) Set-User-Key*. A user with the identity randomly chooses as its secret value and computes the corresponding public value as .

*(3) Extract-Partial-Private-Key*. sends to the KGC. In turn, the KGC generates and returns the partial private key of as follows:

(i) It chooses and computes .

(ii) It computes .

is the partial private key of . can accept as a valid partial private key by determining if holds.
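The equations for this step did not survive on this page, so the following is an added example and not the paper's own code: it assumes the Schnorr-style issuance used by pairing-free certificateless schemes (the KGC returns a commitment `R` and a scalar `d = r + s*H0(ID, R, PV) mod n`, and the user accepts if `d*G == R + H0(ID, R, PV)*P_pub`). The curve (secp256k1), SHA-256 as the hash, the hash input encoding, and the identities are all assumptions.

```python
import hashlib
import secrets

# secp256k1 domain parameters (assumed curve; the scheme only needs an
# elliptic-curve group of prime order n with generator G).
P_FIELD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None                      # p2 is the inverse of p1
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD)
    lam %= P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant time)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def h0(identity, R, PV):
    """Assumed hash-to-scalar over (ID, R, PV), length-prefixed to avoid ambiguity."""
    data = identity.encode()
    msg = len(data).to_bytes(2, "big") + data
    for pt in (R, PV):
        msg += pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def setup():
    """KGC: master key s and public key P_pub = s*G."""
    s = secrets.randbelow(N - 1) + 1
    return s, ec_mul(s, G)


def set_user_key():
    """User: secret value x and public value PV = x*G (never sent to the KGC as x)."""
    x = secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)


def extract_partial_private_key(s, identity, PV):
    """KGC: partial private key (R, d), bound to the identity and public value."""
    r = secrets.randbelow(N - 1) + 1
    R = ec_mul(r, G)
    d = (r + s * h0(identity, R, PV)) % N
    return R, d


def verify_partial_private_key(P_pub, identity, PV, R, d):
    """User: accept (R, d) only if d*G == R + H0(ID, R, PV)*P_pub."""
    return ec_mul(d, G) == ec_add(R, ec_mul(h0(identity, R, PV), P_pub))


def demo():
    s, P_pub = setup()
    _, PV = set_user_key()
    _, PV_other = set_user_key()         # a replaced public value
    alice = "alice@example.test"         # constructed identities
    R, d = extract_partial_private_key(s, alice, PV)
    return {
        "honest": verify_partial_private_key(P_pub, alice, PV, R, d),
        "tampered_d": verify_partial_private_key(P_pub, alice, PV, R, (d + 1) % N),
        "other_identity": verify_partial_private_key(P_pub, "bob@example.test", PV, R, d),
        "replaced_pv": verify_partial_private_key(P_pub, alice, PV_other, R, d),
    }


if __name__ == "__main__":
    print(demo())
```

Under this assumed construction the KGC never sees the user's secret value, and a partial key checked against a different identity or a replaced public value fails verification.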

*(4) Set-Private-Key*. The user takes the pair as its full private key .

*(5) Set-Public-Key*. The user takes the pair as its full public key .

*(6) CLGSC-Signcrypt*. With the message and the receiver’s identity , the sender performs as follows:

(i) It chooses randomly and computes .

(ii) It computes , .

(iii) It computes , where .

(iv) It computes .

(v) It sets and returns as the ciphertext.

*(7) CLGSC-Unsigncrypt*. Given the ciphertext , the receiver decrypts and verifies the ciphertext as follows:

(i) It computes , .

(ii) It computes , where .

(iii) It checks if . If the equation does not hold, then return indicating the message is not valid. Otherwise, return true when indicating it is a valid signature of user or indicating it is a valid encryption/signcryption ciphertext of the message sent to user .

*Correctness of the Scheme*. The correctness of the proposed concrete scheme is proved as follows.

*(i) Correctness of the Encryption*

*(ii) Correctness of the Signature*

#### 4. Security Analysis of the Proposed Scheme

In this section, the security of the proposed concrete CLGSC scheme is proved as follows.

##### 4.1. Confidentiality

Theorem 5. *The CLGSC scheme is semantically secure against adaptive chosen ciphertext attacks in encryption mode or signcryption mode in the random oracle model.*

Theorem 5 is proved based on Lemmas 6 and 7.

Lemma 6. *If an adversary has a nonnegligible advantage against the IND-CLGSC-CCA2- security of our scheme and performing queries to oracles , Extract-Partial-Private-Key queries, and Set-Private-Key queries, then there is an algorithm that solves the ECDLP problem with probability .*

*Proof.* Given an instance of the ECDLP problem, for group generated by and a fixed second point having as input , has to compute for the point such that with the help of an ODDH oracle. Suppose the IND-CLGSC-CCA2- security of the CLGSC can be violated by a Type adversary . can utilize to compute as the solution to this instance by the following interactive game.

chooses uniformly as the master key and computes . It sends* params* to and maintains lists to keep the consistency between the responses to the hash queries and a list of issued keys which are initially empty. selects randomly, where , and takes as the target identity. chooses and sets , , and . inserts into the list and into the list .

answers ’s queries to random oracles as follows.

(i) * queries*: when submits a query with for some , checks in , and if exists, returns . Otherwise, chooses and returns to . Then inserts into the list .

(ii) * queries*: when submits a query with for some , sets the tuple as the input of ODDH oracle. If the output of ODDH oracle is 1, then returns as the solution and stops; else searches in , if exists, it replaces the symbol with and returns . Otherwise, chooses and returns to . Then inserts into the list .

(iii) * queries*: when submits a query with for some , checks in , and if exists in , returns . Otherwise, chooses and returns to . Then inserts into .

can answer ’s other queries as follows.

*Phase I*

*(i) Set-User-Key Queries*. requests a secret value of the user with . If the public key of has not been replaced, then responds with by retrieving from the list .

*(ii) Extract-Partial-Private-Key Queries*. requests the partial private key of a user with . If , aborts the execution. Otherwise, checks in , and if exists, returns . Otherwise, computes the partial private key of by using the actual Extract-Partial-Private-Key algorithm, and inserts into the list and returns .

*(iii) Set-Private-Key Queries*. requests a user’s full private key with . aborts the execution when . Otherwise, checks in , and if exists, returns the corresponding private key . Otherwise, picks , then sets , , and computes · and it satisfies the equation . returns to and inserts into the list and into .

*(iv) Set-Public-Key Queries*. requests a user’s public key with . checks in , and if exists, returns the corresponding public key . Otherwise, picks , then sets , , and computes the public key as and it satisfies the equation . returns to and inserts into the list and into .

*(v) Public-Key-Replacement Queries*. requests to replace a user’s public key with chosen values . updates corresponding tuple with .

*(vi) CLGSC-Signcrypt Queries*. sends the tuple to . For each query , if , executes the Set-Private-Key algorithm to compute corresponding to . Then, gets the ciphertext by running the actual CLGSC-signcrypt algorithm. sends to . If (and hence, ), can obtain the full private key corresponding to . computes , , sets , , and adds the tuples and to the list in which . computes and . outputs as the ciphertext.

The tuple can pass the verification as the valid ciphertext because the equality holds as follows:

*(vii) CLGSC-Unsigncrypt Queries*. submits to . If , obtains the receiver’s private key and returns the output of CLGSC-unsigncrypt algorithm to . Note that if the receiver’s public value is replaced, may not obtain the receiver’s secret value. In this case, receiver’s secret value is requested to be provided by . Otherwise, searches in for and . If the entries exist and the equality holds, is retrieved. If can find a tuple in making the ODDH oracle return 1 when queries are on , then the message is .

*Challenge*. submits in which and are distinct messages of equal length and and are the sender’s and the receiver’s identities, respectively. Here, it is to be noted that must have made no Set-Private-Key queries on in Phase *I*. It is also to be noted that ’s partial private key has not been extracted and his public key has not been replaced simultaneously. aborts the game if . Otherwise, generates the challenge ciphertext as follows.

(1) It sets and chooses .

(2) It selects randomly a bit and a random hash value and sets .

(3) It selects , satisfies the equation , and sends to .

*Phase II*. asks queries adaptively again. In addition, the full private key for may not be extracted by and the partial private key for may not be extracted if the public key of has been replaced in Phase *I*. Only after the public key or has been replaced, CLGSC-unsigncrypt query on with sender and receiver is allowed.

*Guess*. Since is able to break the IND-CLGSC-CCA2-*I* security of the CLGSC, a query with should have been asked. Note that . Therefore, one of the ’s in is the ECDLP problem’s solution. chooses one randomly and outputs it as the solution.

In the above challenge query, the senders and can be for the encryption mode; otherwise, it works as signcryption. Thus, the proof is suitable for the two modes.

*Analysis*. Let , , and be the events when aborts this game.

(i) is an event in which the target identity ’s partial private key is queried by . The probability of is .

(ii) is an event in which the target identity ’s private key is queried by . The probability of is .

(iii) is an event in which the target identity has not been chosen as the receiver by during the challenge phase. The probability of is .

Thus, the probability that does not abort this game is .

The probability that chooses the solution of the ECDLP problem from is . So, the successful advantage of is .

Lemma 7. *If has nonnegligible advantage against the IND-CLGSC-CCA2- II security of our scheme and performing Extract-Secret-Value queries, Set-Private-Key queries, and queries to oracles , then there is an algorithm that solves the ECDLP problem with probability .*

*Proof.* Given an instance of the ECDLP problem, for group generated by and a fixed second point having as input , has to compute for the point such that with the help of an ODDH oracle. Suppose the IND-CLGSC-CCA2-*II* security of the CLGSC can be violated by a Type *II* adversary . can utilize to compute as the solution to this instance by the following interactive game.

chooses uniformly as the master key and computes . sends* params* and to and maintains lists to avoid the inconsistency between the responses to the hash queries and a list of issued keys which is initially empty. selects randomly, where , and fixes as the target identity. chooses , sets , and computes , and the public key as . inserts into the list and into the list .

answers ’s queries to random oracles as follows:

(i) * queries*: when submits a query with for some , checks if there exists a tuple in . If such a tuple exists, answers with . Otherwise, chooses and returns as the answer. Then inserts into the list .

(ii) * queries*: when submits a query with , where , sets the tuple as the input of ODDH oracle. If the output of ODDH oracle is 1, then outputs as the solution; else searches with entries . If such a tuple exists, it replaces the symbol with and returns . Otherwise, chooses , inserts into , and returns to .

(iii) * queries*: when submits a query with , where , checks whether exists in . If it exists, returns . Otherwise, chooses , inserts into , and returns .

can answer ’s other queries as follows.

*Phase I*

*(i) Set-User-Key Queries*. requests a user’s secret value with . If , aborts. If , checks for a tuple in . If it exists, returns . Otherwise, chooses , then sets , and computes , , and the public key as . inserts into the list and into the list and returns .

*(ii) Set-Private-Key Queries*. produces to and requests a user’s private key with . If , aborts. Otherwise, checks for a tuple in . If it exists, returns . Otherwise, chooses , then sets , and computes , , and . inserts into the list and into the list and returns .

*(iii) Set-Public-Key Queries*. requests a user’s public key with . checks for a tuple . If it exists, returns the corresponding public key . Otherwise, chooses , then sets , and computes , , and the public key as . inserts into the list and into the list and returns .

*(iv) CLGSC-Signcrypt Queries*. sends the tuple to . For each query , if , executes the Set-Private-Key algorithm to compute corresponding to . Then, gets the ciphertext by running the actual CLGSC-signcrypt algorithm. sends to . If (and hence, ), can obtain the full private key corresponding to . computes , , sets , , and adds the tuples and to the list in which . computes and . outputs as the ciphertext.

The tuple can pass the verification as the valid ciphertext because the equality holds as follows:

*(v) CLGSC-Unsigncrypt Queries*. submits to . If , obtains the receiver’s private key, runs the CLGSC-unsigncrypt algorithm, and returns the output of CLGSC-unsigncrypt to . Otherwise, searches in for and . If the entries exist and the equality holds, is retrieved. If can find a tuple in making the ODDH oracle return 1 when queries are on , then the message is .

*Challenge*. submits in which and are distinct messages of equal length and and are the sender’s and the receiver’s identities, respectively. Here, it is to be noted that must have made no Set-Private-Key queries on in Phase *I*. aborts the game if . Otherwise, generates the challenge ciphertext as follows.

(1) It sets , where is given in the instance of the ECDLP problem and computes .

(2) It selects randomly a bit and as a random hash value and sets .

(3) It selects , satisfies the equation , and sends to .

*Phase II*. asks queries adaptively again. In addition, it cannot query CLGSC-unsigncrypt on .

*Guess*. Since is able to break the IND-CLGSC-CCA2-*II* security of the CLGSC, a query with should have been asked. Note that . Therefore, one of the values of in is the ECDLP problem’s solution. chooses one randomly and outputs it as the solution.

In the above challenge query, the senders and can be for the encryption mode; otherwise, it works as signcryption. Thus, the proof is suitable for the two modes.

*Analysis*. In order to assess the probability of success of the challenger, let , , and be the events in which aborts the IND-CLGSC-CCA2-*II* game.

(i) is an event in which asks to query the secret value of the target identity . The probability of is .

(ii) is an event in which asks to query the private key of the target identity . The probability of is .

(iii) is an event in which the target identity has not been chosen as the receiver by during the challenge. The probability of is .

Thus, the probability that does not abort the IND-CLGSC-CCA2-II game is .

So, the successful advantage of is