Table of Contents Author Guidelines Submit a Manuscript
Security and Communication Networks
Volume 2018, Article ID 7524102, 11 pages
https://doi.org/10.1155/2018/7524102
Research Article

An Efficient and Provably-Secure Certificateless Proxy-Signcryption Scheme for Electronic Prescription System

1School of Cyber Science and Engineering, Wuhan University, Wuhan, China
2Jiangsu Key Laboratory of Big Data Security & Intelligent Processing, Nanjing University of Posts and Telecommunications, Nanjing, China
3Department of Information Systems and Cyber Security, University of Texas at San Antonio, San Antonio, USA
4Computer School, Wuhan University, Wuhan, China

Correspondence should be addressed to Xiaohong Li; nc.ude.uhw@hxeel

Received 8 April 2018; Accepted 10 June 2018; Published 29 August 2018

Academic Editor: Debasis Giri

Copyright © 2018 Li Li et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

Electronic prescription is increasingly popular in our society, particularly in technologically advanced countries. Due to strict legal requirements and privacy regulations, authorization and data confidentiality are two important features in electronic prescription system. By combining signature and encryption functions, signcryption is an efficient cryptographic primitive that can be used to provide these two features. While signcryption is a fairly established research area, most signcryption schemes proposed recently have several limitations (e.g., high communication costs, limited bandwidth, and insecurity), and designing secure and practical signcryption schemes remains challenging. In this paper, we propose an improved certificateless proxy signcryption (CLPSC) scheme, based on elliptic curve cryptography (ECC). We also demonstrate that the proposed CLPSC scheme is secure in the random oracle model and evaluate its performance with related schemes. The security and performance evaluations show that the proposed CLPSC scheme can potentially be implemented on resource-constrained low-computing mobile devices in an electronic prescription system.

1. Introduction

Recent advances in cryptographic techniques and consumer and communication technologies have resulted in the migration of services from the brick-and-mortar model to an online model, where transactions are being conducted from mobile devices (e.g., Android and iOS devices and potentially wearable and embedded devices). One such industry application is electronic prescriptions (e-prescriptions) [1, 2], where prescriptions are being sent electronically from a medical practitioner/medical practice to the pharmacist/pharmacy. Payments can also be made online (e.g., using credit cards or bank transfers), and the medications can either be picked up from the pharmacy or delivered to the user’s home [3]. Benefits of an e-prescription system extend beyond mere convenience to the users. For example, pharmacists no longer have to ‘decipher’ the hand-written prescription, which saves time and costs (e.g., having to call the medical practitioner to confirm the actual prescription) and minimizing the chance for errors [4]. Such errors can be fatal. For example, in a study by Brits and Verma [5], it was found that illegible handwriting and other prescription errors on prescriptions resulted in “lorazepam injection 4 mg” being misread as “40 mg (lethal dose) by 20% of [the] healthcare workers.”

There are situations where the patient may not be able to collect the medication in person, for example, due to physical injury or medical condition (e.g., severe gout attack resulting in the patient unable to walk and collect prescribed medication such as Colchicine). Thus, the patient has to give another individual (e.g., family member or neighbor) the proxy delegation to collect the medication on his/her behalf. Pharmacists have legal obligations when handling, dispensing, and supplying medications, particularly drugs of dependence. Therefore, it is important to ensure the security and efficiency of generating such a delegation in the e-prescription system.

One such solution is proxy signcryption, as it allows the delegation of signing privileges in computing devices such as mobile devices. The security of such schemes, as well as many other cryptographic schemes (e.g., key agreement and signature schemes), generally relies on the intractability of hard problems such as Diffie-Hellman problem, integer factorization problem, and discrete logarithm problem [610]. In recent times, there have been a large number of proxy-signcryption schemes proposed that are based on bilinear pairings [1113]. However, such schemes often have high computational and communication costs; thus, they are not suited for deployment on mobile devices. Hence, there have been attempts to design pairing-free proxy-signcryption schemes, such as the certificateless proxy-signcryption (CLPSC) schemes of Liu et al. [14] and Qi et al. [15]. The design of such schemes is challenging. For example, Liu et al. [14] proposed a pairing-free CLPSC scheme based on elliptic curve cryptography (ECC), with reduced computational and communication costs. This scheme is, however, vulnerable to public key replacement attack when deployed on resource-constrained devices.

More recently in 2017, Bhatia and Verma [16] proposed an efficient ECC-based pairing-free CLPSC scheme. However, we reveal in this paper that Bhatia and Vermas’s scheme also cannot resist the public key replacement attack. Specifically, we demonstrate that it is vulnerable to a public key replacement attack by a Type 1 adversary. Then, we propose an improved protocol to mitigate the security weakness. We also demonstrate the security of the improved protocol in the random oracle model and compare with other related schemes in terms of computation costs and security properties.

In the next section, we present relevant background materials. In Section 3, we reveal the vulnerability in the scheme of Bhatia and Verma. Then, we present the proposed scheme in Section 4 and analyze its security in Section 5. A comparative analysis with existing schemes is presented in Section 6. Finally, we conclude this paper in Section 7.

2. Preliminaries

2.1. Syntax Definition of CLPSC Scheme

In general, the CLPSC scheme comprises three different entities: an original signcrypter (OS), a receiver (R), and a proxy signcrypter (PS). An OS (e.g., a patient) delegates to PS (e.g., a trusted individual such as a family member or neighbor) the authority to signcrypt a message [17, 18]. During proxy signcryption, OS sends his/her signing authority to PS with a delegation warrant, which consists of the identities of the delegator, a message space, and the validity time of the delegation. The warrant requires OS’s signature and PS’s public key. PS will generate a signcrypted ciphertext with its signature and send a signcrypted ciphertext to R. Upon receiving the signcrypted ciphertext, R (e.g., the pharmacist) unsigncrypts it and checks whether the proxy signature is valid. If it is valid, then PS is authorized to perform tasks such as collect OS’ medication; otherwise, PS’ request is denied. The CLPSC scheme contains the following polynomial algorithms:(i)Setup: This algorithm invoked by a Key Generation Center (KGC). It takes security parameter as an input and runs setup algorithm to obtain system parameter and the master key .(ii)Extract-Partial-Private-Key: KGC takes system parameters , master key , and a user as inputs and outputs the partial private key of the user.(iii)Set-Secret: This algorithm takes security parameter k and system parameters as inputs and outputs the secret value .(iv)Set-Private Key: It inputs system parameters , a user’s secret value , and a user’s partial private key and outputs the public key .(v)Set-Public Key: It inputs system parameters and a user’s secret value and outputs the public key .(vi)Gen-Delegation: It inputs system parameter , a warrant , an ID, and public/private key of the original signer and then outputs a partial proxy key.(vii)Verify-Delegation: It inputs system parameter , a warrant , a partial proxy key, an original signer’s ID, and his/her public key, using the protocol to check whether the partial proxy key is from a legitimate user. If yes, then it outputs 1; otherwise, it outputs 0.(viii)Gen-Proxy-Key: It inputs the system parameter , the partial proxy key, and the proxy signer’s partial key and outputs a proxy key.(ix)Proxy-Signcryption: It inputs the system parameter , a delegation warrant , a message , an ID and public key of an original signcrypter (OS), an ID and public key of a proxy signcrypter (PS), and a proxy key and outputs a proxy signcrypted ciphertext .(x)Proxy-Unsigncryption: It inputs the system parameter , a message , a warrant , an original signcrypter (OS)’s identity and public key, and a proxy signcrypter (PS)’s identity and public key. If the signature is verified to be correct, then it returns 1; otherwise, it returns 0.

2.2. Formal Security Model for CLPSC Scheme
2.2.1. Adversaries

In this section, we discuss two kinds of adversaries in the CLPSC schemes, as well as the types of oracle queries the adversaries have access to.

Type I adversary is a dishonest user who has the ability to replace public key, but is not capable of obtaining the system master key. Type II adversary is a malicious-but-passive KGC. This adversary can access the master key and generates the partial private key of users, but it is not able to replace the public key. Now, we describe eight oracle queries that can be accessed by both adversaries:(i)Create-User-Oracle: This oracle inputs a users’ identity ID. If the ID exists, then of the corresponding ID is returned. Otherwise, it generates the private key and the public key , adds to the list L, and returns .(ii)Reveal-Partial-Private-Key-Oracle: This oracle looks for list L of an input users’ ID. If the ID exists and then returns the corresponding . Otherwise, it return null.(iii)Reveal-Secret-Key-Oracle: This oracle looks for list L of an input users’ ID. If the ID exists, then returns the corresponding . Otherwise, returns null.(iv)Replace-Public-Key-Oracle: This oracle can pick a random value instead of the users’ public key. Upon receiving the target ID, the oracle replaces a corresponding public key in the list L.(v)Generate-Delegation-Oracle: Upon receiving the system parameter , an original signers private key , and a warrant , this oracle can generate a delegation and send to the proxy signcrypter at a later stage.(vi)Proxy-Key-Oracle: This oracle takes an original signers identity , a proxy signers identity , and a warrant as inputs and outputs the proxy key and sends it to the proxy signer.(vii)Proxy-Signcrypt-Oracle: This oracle takes a message M, a warrant , an original signers identity , and a proxy signers’ identity as inputs and generates a proxy signature as an output.(viii)Proxy-Unsigncrypt-Oracle: This oracle takes the system parameter , the delegation warrant , the signcrypted message , the public keys and ID of the original user and the proxy signer, and the private key of the receiver as inputs and checks if the delegation warrant is valid. If the verification is true, then it unsigncrypts signcrypted message and returns a plaintext m. Otherwise it returns error.

2.2.2. Security Notions

(i)Confidentiality(1)Definition1: A certificateless signcryption scheme has ciphertext indistinguishability (IND-CLSC-CCA2) for adaptive selective ciphertext attacks, only if no attacker has no unfair advantage in winning the following games 1 and 2 in polynomial bounded time.(2)Game 1 IND-CCA: This game captures the confidentiality requirement, based on the indistinguishability of encryptions under adaptively chosen ciphertext attacks against .(3)Initialization: Upon receiving an input k, the setup algorithm is executed to get system parameters and the master key , then sends system parameters to , and keeps the system master key secretly.(4)Phase I: can ask for a polynomial bounded number of challenger queries from oracles.(5)Challenge: submits three distinct identities: of original signcrypter, of proxy signcrypter, and of receiver and two equal length messages and . The challenger chooses a random number , proxy signcrypts , to produce a corresponding signcrypted ciphertext to .(6)Phase II: can ask for similar queries from oracles as in Phase I, except for Reveal-Partial-Private-Key-Oracle and Reveal-Secret-Key-Oracle with receiver’s identity, Proxy-Unsigncrypt-Oracle with , unless their public key has been changed.(7)Output: At last, outputs as the response of signcrypts . if , succeeds in the game.(8)Game 2 IND-CCA: The game captures confidentiality requirements, based on the indistinguishability of encryptions under adaptively chosen ciphertext attacks against the adversary .(9)Initialization: Upon receiving an input , the setup algorithm is executed to obtain the system parameter and the system master key and then sends them to .(10)Phase I: can ask for a polynomial bounded number of challenger queries from oracles.(11)Challenge: submits three distinct identities: of original signcrypter, of proxy signcrypter, and of receiver and two equal length messages and . The challenger chooses a random number , proxy signcrypts , to produce a corresponding signcrypted ciphertext to the adversary .(12)Phase II: can ask for similar queries from oracles as in Phase I, not including Proxy-Unsigncrypt-Oracle as before.(13)Output: At last, outputs as the response of signcrypts . if , succeeds in the game.(ii)Unforgeability(1)Definition 2: The CLPSC scheme is EUF-CMA secure only if no attacker has an unfair advantage in winning the following games 3 and 4 in the polynomial bounded time.(2)Game 3 EUF-CMA: In this game, the adversary needs to successfully fabricate a valid ciphertext without any delegation warrant.(3)Initialization: Upon receiving an input k, the setup algorithm is executed to generate the system parameter , the system master key , and then sends system parameters to but keeps the system master key secretly.(4)Queries: can ask for a polynomial bounded number of challenger queries from oracles, including Create-User-Oracle, Reveal-Partial-Private-Key-Oracle, Reveal-Secret-Key-Oracle, Replace-Public-Key-Oracle, Generate-Delegation-Oracle, Reveal-Proxy-Key-Oracle, Proxy-Signcrypt-Oracle, and Proxy-Unsigncrypt-Oracle.(5)Forgery: At last, outputs a signcryption on message M under , . If is a valid ciphertext in Proxy-Signcrypt-Oracle and then succeeds in this game. However, is not permitted to query the Reveal-Partial-Private-Key oracle, the Replace-Public-Key oracle, or the Reveal-Secret-Key oracle of the original user in the game.(6)Game 4 EUF-CMA: In the game, the challenger interacts with as follows:(7)Initialization: Upon receiving an input , the setup algorithm is executed to get system parameters and a system master key which are sent to later.(8)Queries: may make adaptively a polynomial bounded number of queries to oracles like Create-User, Reveal-Secret-Key, Generate-Delegation, Reveal-Proxy-Key, Proxy-Signcrypt, and Proxy-Unsigncrypt through the challenger.(9)Forgery: At last, outputs a signcryption on message M under , . If is a valid ciphertext in Proxy-Signcrypt-Oracle, then succeeds in this game. It is mandatory that has not queried Reveal-Secret-Key oracle during the game.

3. Review and Analysis of Bhatia and Verma’s CLPSC Scheme

3.1. Review of Bhatia and Verma’s CLPSC Scheme

In this section, we review the scheme of Bhatia and Verma, which consists of the following 10 polynomial time algorithms.

Setup. After the key generation center (KGC, who has the responsibility for system keys and the partial private keys of users) has chosen a security parameter k, the algorithm performs the following steps:(1)Chooses an elliptic curve over prime finite field (2)Chooses a cyclic subgroup G of the elliptic curve group, sets P as a generator of order q(3)Chooses a master secret key and generates as a master public key(4)Lets the message space be and selects four different hash functions :(5)At last, outputs the system parameters .

Extract-Partial-Private-Key. Taking the system parameters , system private key s, and as inputs, KGC can calculate the partial private key of user O, where is randomly chosen. Then, are sent to the user in a secure communication channel.

Set-Secret. Upon receiving , the user verifies whether the parameters come from a legitimate KGC by computing . After successful verification, picks a random as its secret value and computes .

Set-Private-Key. Given system parameters, partial private key , and secret value as inputs, this algorithm outputs a private key pair .

Set-Public-Key. Given system parameters as inputs, this algorithm outputs a public key pair .

Gen-Delegation. Having the inputs, the original signcrypters private key pair , public key pair , and message warrant , this algorithm generates the delegation on . Then, the user O randomly chooses , computes , and further computes as follows:where . The delegation is sent to the proxy signcrypter (PS) later.

Verify-Delegation. The PS verifies whether the delegation is legitimate by computingand checks whetherIf not, the proxy signcrypter rejects the delegation request.

Gen-Proxy-Key. Upon successful verification, PS computes a proxy signing keywhere .

Proxy-Signcryption. Given proxy key , message M, and public key of the receiver as inputs, it generates a signcrypted ciphertext on O’s behalf. Specifically, PS randomly chooses and further calculates . The detail processes of generating proxy signcryption on message M are described as follows:After that, the signcrypted ciphertext , is sent to R by PS.

Proxy-Unsigncryption. After receiving a complete signcrypted ciphertext , , the receiver R unsigncrypts andIf the above equation holds, then R accepts the message.

3.2. Analysis of Bhatia and Verma’s CLPSC Scheme

We will now present a successful public key replacement attack by a Type 1 adversary against the scheme.

Step 1. chooses three random numbers and computesThen, it generates a forged public key pair and substitutes the original public key of OS.

Step 2. Given a message warrant , which can be intercepted from the communication channel between OS and PS, OS computes , where . Then, it sends the delegation to the proxy signcrypter (PS).

Step 3. After PS receives , it computes and to verify the delegation. Then, it checks whether . Note thatAccording (10), (11), and (12), we computeBy using the above from to the proxy signcrypter, the verification is successful. In other words, the delegation in the scheme of Bhatia and Verma can be forged.

Given the linear relationship between and in the equation, the adversary can use a fake public key to bypass the process of verify-delegation. Specifically, the adversary forges the fake secret key and computes the fake public key, because there is no equation to verify or bind the public key in the verification process. Therefore, in our improved CLPSC scheme, we construct a hash function that contains as the coefficient of . If the adversary executes the public key replacement attack, then the adversary will need to randomly choose and the coefficient will be changed too. This prevents the forgery of .

4. Proposed CLPSC Scheme

Here, we present our proposed scheme that consists of the following three basic components: prescriber (e.g., a medical practitioner), transaction hub, and pharmacy that has implemented the electronic prescription system. Patient’s medical information (e.g., patient’s medical record, medication history) is stored in the database. The prescriber can find this information by searching on the database using the patient’s unique information, such as names, dates of birth, and current addresses. Once the record is found, the doctor can update or upload a new prescription recording new medical information to the server after reviewing it (see Figure 1). The transaction hub works like a database for recording the patient file or all prescriptions. After downloading the patients prescription and successfully executing the proxy-unsigncryption, the pharmacy will dispense the medication listed in the electronic prescription to the proxy signcrypter.

Figure 1: Improved CLPSC scheme for electronic prescription system.

Now, we describe how to send the proxy delegation from the original signcrypter OS to the proxy signcrypter PS securely.(i) Setup: KGC picks a security parameter as an input of this algorithm. After running this algorithm, system parameters will be published, where is an elliptic curve chosen by KGC over prime finite field Fp, G is a cyclic subgroup of the elliptic curve group, P is a generator of G, q is the order of G, and can be easily computed. In addition, there are four cryptographic collision resistant hash functions as follows:The message space is .(ii) Extract-Partial-Private-Key: This algorithm takes system parameters , system private key s, and user O’s identity as inputs and computes to obtain the extract-partial-private-key of entity O, where is randomly chosen. is computed, and the results are sent to entity O via a secure communicate channel (this algorithm is run by the KGC.)(iii) Set-Secret: This algorithm takes system parameters , user O’s identity as inputs and runs to verify whether . If the verification passes, then entity O picks a random as its secret value and computes its partial public key ; otherwise, the process fails (his algorithm is run by users).(iv) Set-Private-Key: This algorithm takes system parameters , partial private key , and secret value as inputs and generates a private key pair as the output (this algorithm is run by users.)(v) Set-Public-Key: Given system parameters , and as inputs, this algorithm generates a public key pair as the output. When this algorithm completes executing, user publishes the public key (this algorithm is run by users.)(vi) Gen-Delegation: Given the original signcrypters private key pair , public key pair , and message warrant as input, this algorithm generates the delegation on as the output. Then, the entity O randomly chooses , computes and computes as follows: , where . The delegation is finally sent to PS.(vii) Verify-Delegation: PS verifies whether the delegation is valid by computing  and checks whetherIf the following does not hold, then it implies that the delegation is invalid.(viii) Gen-Proxy-Key: Upon successful verification, PS generates a proxy signing key , where (ix) Proxy-Signcryption: Given the proxy key , an original message , and the receiver’s public key as inputs, a signcrypted message is generated for R. The following describe the details: PS randomly chooses , computes , and the proxy signcryption of message M is generated as follows: . After that the signcrypted ciphertext is sent to the receiver R by PS.(x) Proxy-Unsigncryption: Upon receiving the signcrypted ciphertext , , calculates , and only if the following holds, will R accept the message:

4.1. Correctness Analysis

The CLPSC scheme contains two parts of authentication, namely, verification of delegation (i.e., proxy signcrypter PS checks whether ) and proxy-unsigncryption (i.e., message receiver checks whether ).(i) Decryption process(ii) Verification processOne part isAnother part is

5. Security Analysis

As defined in Section 2.2, there are two types of adversaries: and . We consider four games where and can get honest answer when they interact with the challenger.

5.1. Confidentiality

We define the fact that the certificateless signcryption scheme is IND-CLSC-CCA2-secure to adaptive chosen ciphertext attacks, only if no attacker with a nonnegligible advantage can win the games in polynomial time.

Game 1. In this game, we assume that is a dishonest user.

Lemma 1. Assume that can break the proposed CLPSC scheme with . Let , , , , , , , , and denote the number of -queries, Create-User-queries, Reveal-Partial-Private-Key-queries, Reveal-Secret-Key-queries, Replace-Public-Key-queries, Generate-Delegation-queries, Reveal-Proxy-Key-queries, Proxy-Signcrypt-queries, and Proxy-Usigncrypt-queries, respectively. There is an algorithm that can solve the ECCDH problem with advantage in probabilistic polynomial time:where is the time for an ECC-based scalar point multiplication operation.

Proof. Suppose that an algorithm accepts an ECCDH instance with unknown and ; the problem is to compute . In order to solve this problem, the algorithm uses as a subroutine and acts as a challenger to interact with it in IND-CCA2-I. When the game starts, the challenger creates and maintains lists, which stores the responses to the queries by the adversary . The lists are initially set to be empty. When makes a query, will respond as follows:(i)-Query: maintains a hash list as explained below. When asks for the -Query-Oracle and if the query ID is found in , then the algorithm returns the record to . Otherwise, chooses a random number and adds it to .(ii)-Query: maintains a hash list as explained below. When asks for the -Query-Oracle and if the tuple is found in , then the algorithm returns to . Otherwise, chooses a random number and adds to .(iii)-Query: maintains a hash list as explained below. When asks for the -Query-Oracle and if the tuple is found in , then the algorithm returns to . Otherwise, chooses a random number and adds it to .(iv)-Query: maintains a hash list as explained below. When asks for the -Query-Oracle and if the tuple is found in , then the algorithm returns to . Otherwise, chooses a random number and adds it to .(v)Create-User query: maintains a list . If the query ID is found on the , then it returns . Otherwise, the oracle is simulated as follows:(1) choosing three numbers randomly(2)computing (3)adding the tuple to list and to , respectively.(vi)Extract-Partial-Private-Key-Query: When queries and if , then the simulation is stopped. Otherwise, probes the list for the query ID. If it exists on , then it returns the corresponding . Otherwise, performs the Create-User query, gets , and sends its partial private key to .(vii)Reveal-Secret-Key-Query: If , then the simulation is stopped. Otherwise, probes the list for the query ID. If it exists on , then it returns the corresponding . Otherwise, performs the Create-User query and sends its partial private key to .(viii)Replace-Public-Key-Query: can replace the public key with a random value .(ix)Generate-Delegation-Query: When asks the Generate-Delegation query on , starts to run the Gen-Delegation algorithm and sends the results to .(x)Reveal-Proxy-Key-Query: maintains a list of issued proxy keys . If the query exists on the , then it returns a proxy key . Otherwise, works as follows:(1)performing Generate-Delegation-Query to obtain .(2)querying the list with for the corresponding secret key .(3)computing and adds the tuple to list . Finally, it sends to .(xi)Proxy-Signcrypt-Query: When makes a query for signcrypting a message M with the message warrant and three input identities and if the query entry (, , ) exists on list , then the corresponding proxy key and K on the tuple can be used by to create a signcrypted message . Otherwise, performs the aforementioned Reveal-Proxy-Key query to obtain the proxy key . To generate a signcrypted message on behalf of an original signer, checks whether and are correct. If not, the proxy-signcryption algorithm is run until the secret key of user is obtained. Then, the tuple is added to as the result. Otherwise, performs the following:(1)choosing random numbers and computing .(2)probing for (V) and returning as a result.(3)computing and adding a tuple to list , where (xii)Proxy-Unsigncrypt-Query: Taking the signcrypted message , S) as inputs, checks if is a challenging identity. If it is true, probes for an tuple and obtains the corresponding plaintext message M. Otherwise, performs as follows:(1)taking the secret key of the receiver as an input and calculating .(2)probing for (V) and returning to calculate .(3)probing the list for (, ) and (, ), for and and for , to get , and respectively. If is valid, returns M. Otherwise, it throws an error message.

Challenge. submits three distinct identities: of original signcrypter, of proxy signcrypter, and of receiver and two equal length messages and . A random number is chosen by . What is more, signcrypts to produce a corresponding signcrypted ciphertext to . further probes for to obtain , calculates , and adds to the list. Finally, a signcrypted message for is returned by to . can continue to ask queries with the exception of the Proxy-Unsigncrypt query on , Reveal-Partial-Private-Key-query, and Reveal-Secret-Key-query in the game.

Output. At last, outputs as the guess of value b. If , then outputs as the solution of the ECCDH question; otherwise, the challenge fails.

Game 2. Let be a malicious-but-passive KGC.

Lemma 2. Assume that has the ability of breaking the proposed CLPSC scheme with an advantage of . Let , , , , , , , and denote the number of -queries, Create-User-queries, Reveal-Partial-Private-Key-queries, Reveal-Secret-Key-queries, Generate-Delegation-queries, Reveal-Proxy-Key-queries, Proxy-Signcrypt-queries, and Proxy-Usigncrypt-queries, respectively. In probabilistic polynomial time, there is an algorithm which can solve ECCDH problem with advantage :where is the time for an ECC-based scalar point multiplication operation.

Proof. The proof for this game is similar to that of Game 1, and hence we will not repeat the proof.

5.2. Unforgeability

We defined that the certificateless signcryption scheme is EUF-CMA-secure to adaptive chosen ciphertext attacks, only if no attacker with a nonnegligible advantage can win the following games in polynomial time.

Game 3. Assume that is a dishonest user.

Lemma 3. Assume that can break the proposed CLPSC scheme with . Let , , , ,, , , and denote the number of -queries, Create-User-queries, Reveal-Partial-Private-Key-queries, Reveal-Secret-Key-queries, Generate-Delegation-queries, Reveal-Proxy-Key-queries, and Proxy-Signcrypt-queries, respectively. There is an algorithm in probabilistic polynomial time that can solve ECCDH problem with advantage :where is the time for an ECC-based scalar point multiplication operation.

Proof. Suppose that an algorithm accepts an ECCDH instance with unknown and ; the problem is to compute . In order to solve this problem, the algorithm uses as a subroutine and acts as a challenger to interact with it. gives honest answer to the queries of . When the game starts, the relevant system parameters are created and sent to by . We set . Then, can make queries for information. The challenger creates and maintains lists, which store the returns of the responses to the adversary’s queries. The lists are initially set to be empty.

Forgery. At last, a signcrypted ciphertext on message M and warrant is produced as the output, where is the original signer and is the receiver. Unlike normal cases, it does not go through the ProxySigncrypt oracle. is a forge ID as a proxy signer for . takes this signcrypted ciphertext as an input of the Proxy-Unsigncrypt oracle and makes queries to except for Reveal-Partial-Private-Key-Oracle and Replace-Public-Key-Oracle or Reveal-Secret-Key-Oracle in probabilistic polynomial time. If Proxy-Unsigncrypt-Oracle is not an error, then succeeds in this game. Otherwise, fails. The solution of the problem is .

Game 4. Let be a malicious-but-passive KGC.

Lemma 4. Assume that can break the proposed CLPSC scheme with . Let , , , , , and denote the number of -queries, Create-User-queries, Reveal-Partial-Private-Key-queries, Reveal-Secret-Key-queries, Generate-Delegation-queries, Reveal-Proxy-Key-queries, and Proxy-Signcrypt-queries, respectively. In probabilistic polynomial time, there is an algorithm that can solve ECCDH problem with advantage :where is the time for an ECC-based scalar point multiplication operation.

Proof. The proof for this game is similar to that of Game 3, and hence we will not repeat the proof.

6. Performance Evaluation

In this section, we compare the efficiency and security of our improved scheme with other proxy-signcryption schemes [15, 16] in the literature. We use the standard cryptographic library MIRACL [19] to measure the runtime, whose comparative summary is given in Table 1, where denotes an ECC-based point multiplication operation time and denotes general hash operation time.

Table 1: Performance comparison.

Our evaluation environment is a personal computer (PC; Dell with an I5-4460S 2.90GHz processor, 4G bytes memory and the Window 8 operating system) with the MIRACL library [20]. The curve is over 163 bits random prime, where . A Koblitz curve ect163k1 over is selected from the list of elliptic curves indicated by NIST [21]. In this setup, we have .21, .007 approximately. Then, we compute the total runtime with their operation times. From Table 1, we observe that the runtime of [16] and our scheme are less than other schemes. Because our scheme is an improved scheme from [16], the runtime is very close to that of the original scheme. However, from Table 2, it is clear that our scheme is the most secure of these schemes. It is also trivial to note that the original scheme in [16] cannot resist forgery attack, unlike our scheme (at a slight cost of about 0.112 ms).

Table 2: Security comparison.

7. Conclusion

While signcryption is a fairly established research area, designing secure signcryption schemes remains challenging. For example, in this paper we revisited a recently proposed certificateless proxy-signcryption (CLPSC) scheme of Bhatia and Verma and revealed that the scheme is susceptible to the public key replacement attack by a Type 1 adversary. Then, we presented an improved scheme to mitigate such an attack from both Type 1 and Type 2 adversaries. We also evaluated its security and performance to demonstrate its utility in an electronic prescription system.

Future research includes implementing a prototype of the improved protocol for evaluation in a real-world environment.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of the paper.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (Grant nos. 61501333, 61572370, 61572379, and U1536204), the National High-Tech Research and Development Program of China (863 Program) (Grant no. 2015AA016004), and the open funding of the Jiangsu Key Laboratory of Big Data Security & Intelligent Processing (Grant no. BDSIP1807).

References

  1. M. Mäkinen, P. Rautava, J. Forsström, and M. Äärimaa, “Electronic prescriptions are slowly spreading in the European Union,” Telemedicine and e-Health, vol. 17, no. 3, pp. 217–222, 2011. View at Publisher · View at Google Scholar · View at Scopus
  2. M. Samadbeik, M. Ahmadi, F. Sadoughi, and A. Garavand, “A copmarative review of electronic prescription systems: Lessons learned from developed countries,” Journal of Research in Pharmacy Practice, vol. 6, no. 1, p. 3, 2017. View at Publisher · View at Google Scholar
  3. K. L. Lapane, R. K. Rosen, and C. Dubé, “Perceptions of e-prescribing efficiencies and inefficiencies in ambulatory care,” International Journal of Medical Informatics, vol. 80, no. 1, pp. 39–46, 2011. View at Publisher · View at Google Scholar · View at Scopus
  4. M. A. Fischer, M. R. Stedman, J. Lii et al., “Primary medication non-adherence: analysis of 195,930 electronic prescriptions,” Journal of General Internal Medicine, vol. 25, no. 4, pp. 284–290, 2010. View at Publisher · View at Google Scholar · View at Scopus
  5. H. Brits, A. Botha, L. Niksch, R. Terblanché, K. Venter, and G. Joubert, “Illegible handwriting and other prescription errors on prescriptions at national district hospital, bloemfontein,” South African Family Practice, vol. 59, no. 1, pp. 52–55, 2017. View at Publisher · View at Google Scholar · View at Scopus
  6. H.-Y. Lin, T.-S. Wu, S.-K. Huang, and Y.-S. Yeh, “Efficient proxy signcryption scheme with provable CCA and CMA security,” Computers & Mathematics with Applications, vol. 60, no. 7, pp. 1850–1858, 2010. View at Publisher · View at Google Scholar · View at Scopus
  7. Y. Zheng, “Digital signcryption or how to achieve cost(signature encryption,” in Proceedings of the cost(signature) + cost(encryption) , in Advances in Cryptology - CRYPTO 97, 17th Annual International Cryptology Conference, pp. 165–179, Santa Barbara, California, USA, 1997.
  8. R. Steinfeld and Y. Zheng, “A Signcryption Scheme Based on Integer Factorization,” in Proceedings of the Third International Workshop, ISW 2000, Wollongong, NSW, Australia, Information Security, pp. 308–322, December, 2000.
  9. J. H. An, Y. Dodis, and T. Rabin, “On the security of joint signature and encryption,” in Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, vol. 2332 of Advances in Cryptology - EUROCRYPT 2002, pp. 83–107, Amsterdam, The Netherlands, April, 2002.
  10. D. He, S. Zeadally, and L. Wu, “Certificateless public auditing scheme for cloud-assisted wireless body area networks,” IEEE Systems Journal, vol. 12, no. 1, pp. 64–73, 2018. View at Publisher · View at Google Scholar · View at Scopus
  11. C. Wang, Y. Han, and F. Li, “A secure mobile agent protocol for m-commerce using self-certified proxy signcryption,” in Proceedings of the 2009 2nd International Symposium on Information Science and Engineering, ISISE 2009, pp. 376–380, China, December 2009. View at Scopus
  12. H. M. Elkamchouchi and Y. Abouelseoud, “A new proxy identity-based signcryption scheme for partial delegation of signing rights,” Cryptology ePrint Archive, vol. 2008, p. 41, 2008. View at Google Scholar
  13. N.-W. Lo and J.-L. Tsai, “A provably secure proxy signcryption scheme using bilinear pairings,” Journal of Applied Mathematics, vol. 2014, 2014. View at Google Scholar · View at Scopus
  14. Z. Liu, Y. Hu, X. Zhang, and H. Ma, “Certificateless signcryption scheme in the standard model,” Information Sciences, vol. 180, no. 3, pp. 452–464, 2010. View at Publisher · View at Google Scholar · View at MathSciNet
  15. Q. Yanfeng, T. Chunming, L. Yu, X. Maozhi, and G. Baoan, “Certificateless proxy identity-based signcryption scheme without bilinear pairings,” China Communications, vol. 10, no. 11, pp. 37–41, 2013. View at Publisher · View at Google Scholar · View at Scopus
  16. T. Bhatia and A. K. Verma, “Cryptanalysis and improvement of certificateless proxy signcryption scheme for e-prescription system in mobile cloud computing,” Annals of Telecommunications-Annales des Télécommunications, vol. 72, no. 9-10, pp. 563–576, 2017. View at Publisher · View at Google Scholar · View at Scopus
  17. Z. Ullah, I. Ullah, H. Khan, H. Khattak, and S. Ullah, “Secure protocol for mobile agents using proxy signcryption scheme based on hyper elliptic curve,” International Journal of Computer Science and Information Security<, vol. 14, no. 2, p. 1009, 2016. View at Google Scholar
  18. V. Saraswat, R. A. Sahu, and A. K. Awasthi, “A secure anonymous proxy signcryption scheme,” Journal of Mathematical Cryptology, vol. 11, no. 2, pp. 63–84, 2017. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus
  19. Shamus software ltd., miracl library. http://www.shamus.ie/index.php?page=home, 2016.
  20. D. He, S. Zeadally, N. Kumar, and W. Wu, “Efficient and Anonymous Mobile User Authentication Protocol Using Self-Certified Public Key Cryptography for Multi-Server Architectures,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 9, pp. 2052–2064, 2016. View at Publisher · View at Google Scholar · View at Scopus
  21. M. Qu, Sec 2: Recommended elliptic curve domain parameters, 1999.