Security and Communication Networks

Volume 2018, Article ID 7524102, 11 pages

https://doi.org/10.1155/2018/7524102

## An Efficient and Provably-Secure Certificateless Proxy-Signcryption Scheme for Electronic Prescription System

^{1} School of Cyber Science and Engineering, Wuhan University, Wuhan, China

^{2} Jiangsu Key Laboratory of Big Data Security & Intelligent Processing, Nanjing University of Posts and Telecommunications, Nanjing, China

^{3} Department of Information Systems and Cyber Security, University of Texas at San Antonio, San Antonio, USA

^{4} Computer School, Wuhan University, Wuhan, China

Correspondence should be addressed to Xiaohong Li; leexh@whu.edu.cn

Received 8 April 2018; Accepted 10 June 2018; Published 29 August 2018

Academic Editor: Debasis Giri

Copyright © 2018 Li Li et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Electronic prescription is increasingly popular in our society, particularly in technologically advanced countries. Due to strict legal requirements and privacy regulations, authorization and data confidentiality are two important features in an electronic prescription system. By combining signature and encryption functions, signcryption is an efficient cryptographic primitive that can be used to provide these two features. While signcryption is a fairly established research area, most signcryption schemes proposed recently have several limitations (e.g., high communication costs, limited bandwidth, and insecurity), and designing secure and practical signcryption schemes remains challenging. In this paper, we propose an improved certificateless proxy signcryption (CLPSC) scheme based on elliptic curve cryptography (ECC). We also demonstrate that the proposed CLPSC scheme is secure in the random oracle model and evaluate its performance against related schemes. The security and performance evaluations show that the proposed CLPSC scheme can potentially be implemented on resource-constrained, low-computing mobile devices in an electronic prescription system.

#### 1. Introduction

Recent advances in cryptographic techniques and consumer and communication technologies have resulted in the migration of services from the brick-and-mortar model to an online model, where transactions are being conducted from mobile devices (e.g., Android and iOS devices and potentially wearable and embedded devices). One such industry application is electronic prescriptions (e-prescriptions) [1, 2], where prescriptions are sent electronically from a medical practitioner/medical practice to the pharmacist/pharmacy. Payments can also be made online (e.g., using credit cards or bank transfers), and the medications can either be picked up from the pharmacy or delivered to the user’s home [3]. Benefits of an e-prescription system extend beyond mere convenience to the users. For example, pharmacists no longer have to ‘decipher’ the hand-written prescription, which saves time and costs (e.g., having to call the medical practitioner to confirm the actual prescription) and minimizes the chance of errors [4]. Such errors can be fatal. For example, in a study by Brits and Verma [5], it was found that illegible handwriting and other errors on prescriptions resulted in “lorazepam injection 4 mg” being misread as “40 mg (lethal dose) by 20% of [the] healthcare workers.”

There are situations where the patient may not be able to collect the medication in person, for example, due to physical injury or a medical condition (e.g., a severe gout attack that leaves the patient unable to walk and collect prescribed medication such as Colchicine). Thus, the patient has to give another individual (e.g., a family member or neighbor) a proxy delegation to collect the medication on his/her behalf. Pharmacists have legal obligations when handling, dispensing, and supplying medications, particularly drugs of dependence. Therefore, it is important to ensure the security and efficiency of generating such a delegation in the e-prescription system.

One such solution is proxy signcryption, as it allows the delegation of signing privileges on computing devices such as mobile devices. The security of such schemes, as well as of many other cryptographic schemes (e.g., key agreement and signature schemes), generally relies on the intractability of hard problems such as the Diffie-Hellman problem, the integer factorization problem, and the discrete logarithm problem [6–10]. In recent times, a large number of proxy-signcryption schemes based on bilinear pairings have been proposed [11–13]. However, such schemes often have high computational and communication costs; thus, they are not suited for deployment on mobile devices. Hence, there have been attempts to design pairing-free proxy-signcryption schemes, such as the certificateless proxy-signcryption (CLPSC) schemes of Liu et al. [14] and Qi et al. [15]. The design of such schemes is challenging. For example, Liu et al. [14] proposed a pairing-free CLPSC scheme based on elliptic curve cryptography (ECC), with reduced computational and communication costs. This scheme is, however, vulnerable to a public key replacement attack when deployed on resource-constrained devices.

More recently, in 2017, Bhatia and Verma [16] proposed an efficient ECC-based pairing-free CLPSC scheme. However, we reveal in this paper that Bhatia and Verma’s scheme also cannot resist the public key replacement attack. Specifically, we demonstrate that it is vulnerable to a public key replacement attack by a Type I adversary. Then, we propose an improved protocol to mitigate the security weakness. We also demonstrate the security of the improved protocol in the random oracle model and compare it with other related schemes in terms of computation costs and security properties.

In the next section, we present relevant background materials. In Section 3, we reveal the vulnerability in the scheme of Bhatia and Verma. Then, we present the proposed scheme in Section 4 and analyze its security in Section 5. A comparative analysis with existing schemes is presented in Section 6. Finally, we conclude this paper in Section 7.

#### 2. Preliminaries

##### 2.1. Syntax Definition of CLPSC Scheme

In general, the CLPSC scheme comprises three different entities: an original signcrypter (OS), a receiver (R), and a proxy signcrypter (PS). An OS (e.g., a patient) delegates to PS (e.g., a trusted individual such as a family member or neighbor) the authority to signcrypt a message [17, 18]. During proxy signcryption, OS sends his/her signing authority to PS with a delegation warrant, which consists of the identities of the delegator, a message space, and the validity time of the delegation. The warrant requires OS’s signature and PS’s public key. PS generates a signcrypted ciphertext with its signature and sends the signcrypted ciphertext to R. Upon receiving the signcrypted ciphertext, R (e.g., the pharmacist) unsigncrypts it and checks whether the proxy signature is valid. If it is valid, then PS is authorized to perform tasks such as collecting OS’s medication; otherwise, PS’s request is denied. The CLPSC scheme contains the following polynomial-time algorithms:

- (i) **Setup:** This algorithm is invoked by a Key Generation Center (KGC). It takes a security parameter as input and outputs the system parameters and the master key.
- (ii) **Extract-Partial-Private-Key:** KGC takes the system parameters, the master key, and a user’s identity as inputs and outputs the partial private key of the user.
- (iii) **Set-Secret:** This algorithm takes the security parameter k and the system parameters as inputs and outputs the user’s secret value.
- (iv) **Set-Private-Key:** It takes the system parameters, a user’s secret value, and the user’s partial private key as inputs and outputs the private key.
- (v) **Set-Public-Key:** It takes the system parameters and a user’s secret value as inputs and outputs the public key.
- (vi) **Gen-Delegation:** It takes the system parameters, a warrant, an ID, and the public/private key of the original signer as inputs and outputs a partial proxy key.
- (vii) **Verify-Delegation:** It takes the system parameters, a warrant, a partial proxy key, the original signer’s ID, and his/her public key as inputs and checks whether the partial proxy key comes from a legitimate user. If yes, it outputs 1; otherwise, it outputs 0.
- (viii) **Gen-Proxy-Key:** It takes the system parameters, the partial proxy key, and the proxy signer’s partial key as inputs and outputs a proxy key.
- (ix) **Proxy-Signcryption:** It takes the system parameters, a delegation warrant, a message, the ID and public key of the original signcrypter (OS), the ID and public key of the proxy signcrypter (PS), and a proxy key as inputs and outputs a proxy signcrypted ciphertext.
- (x) **Proxy-Unsigncryption:** It takes the system parameters, a message, a warrant, the original signcrypter (OS)’s identity and public key, and the proxy signcrypter (PS)’s identity and public key as inputs. If the signature is verified to be correct, it returns 1; otherwise, it returns 0.

##### 2.2. Formal Security Model for CLPSC Scheme

###### 2.2.1. Adversaries

In this section, we discuss two kinds of adversaries in the CLPSC schemes, as well as the types of oracle queries the adversaries have access to.

A Type I adversary is a dishonest user who has the ability to replace public keys but is not capable of obtaining the system master key. A Type II adversary is a malicious-but-passive KGC. This adversary can access the master key and generate the partial private keys of users, but it is not able to replace public keys. We now describe eight oracle queries that can be accessed by both adversaries:

- (i) **Create-User-Oracle:** This oracle takes a user’s identity ID as input. If the ID already exists, the public key of the corresponding ID is returned. Otherwise, it generates the private key and the public key, adds them to the list L, and returns the public key.
- (ii) **Reveal-Partial-Private-Key-Oracle:** This oracle looks up the input user’s ID in the list L. If the ID exists, it returns the corresponding partial private key. Otherwise, it returns null.
- (iii) **Reveal-Secret-Key-Oracle:** This oracle looks up the input user’s ID in the list L. If the ID exists, it returns the corresponding secret value. Otherwise, it returns null.
- (iv) **Replace-Public-Key-Oracle:** This oracle lets the adversary pick a random value to replace the user’s public key. Upon receiving the target ID, the oracle replaces the corresponding public key in the list L.
- (v) **Generate-Delegation-Oracle:** Upon receiving the system parameters, an original signer’s private key, and a warrant, this oracle generates a delegation, which can be sent to the proxy signcrypter at a later stage.
- (vi) **Proxy-Key-Oracle:** This oracle takes an original signer’s identity, a proxy signer’s identity, and a warrant as inputs, outputs the proxy key, and sends it to the proxy signer.
- (vii) **Proxy-Signcrypt-Oracle:** This oracle takes a message M, a warrant, an original signer’s identity, and a proxy signer’s identity as inputs and generates a proxy signature as output.
- (viii) **Proxy-Unsigncrypt-Oracle:** This oracle takes the system parameters, the delegation warrant, the signcrypted message, the public keys and IDs of the original user and the proxy signer, and the private key of the receiver as inputs and checks whether the delegation warrant is valid. If the verification succeeds, it unsigncrypts the signcrypted message and returns the plaintext m. Otherwise, it returns an error.

###### 2.2.2. Security Notions

- (i) **Confidentiality**
  1. **Definition 1**: A certificateless signcryption scheme has ciphertext indistinguishability under adaptive chosen ciphertext attacks (IND-CLSC-CCA2) only if no attacker has an unfair advantage in winning the following Games 1 and 2 in polynomially bounded time.
  2. **Game 1 (IND-CCA)**: This game captures the confidentiality requirement, based on the indistinguishability of encryptions under adaptively chosen ciphertext attacks against a Type I adversary.
  3. **Initialization**: Upon receiving an input k, the challenger runs the setup algorithm to obtain the system parameters and the master key, sends the system parameters to the adversary, and keeps the system master key secret.
  4. **Phase I**: The adversary can ask a polynomially bounded number of queries to the oracles via the challenger.
  5. **Challenge**: The adversary submits three distinct identities (those of the original signcrypter, the proxy signcrypter, and the receiver) and two messages of equal length. The challenger chooses one of the two messages at random, proxy signcrypts it, and returns the resulting signcrypted ciphertext to the adversary.
  6. **Phase II**: The adversary can ask similar queries to the oracles as in Phase I, except Reveal-Partial-Private-Key-Oracle and Reveal-Secret-Key-Oracle queries on the receiver’s identity and Proxy-Unsigncrypt-Oracle queries on the challenge ciphertext, unless the corresponding public key has been replaced.
  7. **Output**: Finally, the adversary outputs its guess of which message was signcrypted; if the guess is correct, the adversary succeeds in the game.
  8. **Game 2 (IND-CCA)**: This game captures the confidentiality requirement, based on the indistinguishability of encryptions under adaptively chosen ciphertext attacks against a Type II adversary.
  9. **Initialization**: Upon receiving an input k, the setup algorithm is executed to obtain the system parameters and the system master key, and both are sent to the adversary.
  10. **Phase I**: The adversary can ask a polynomially bounded number of queries to the oracles via the challenger.
  11. **Challenge**: The adversary submits three distinct identities (those of the original signcrypter, the proxy signcrypter, and the receiver) and two messages of equal length. The challenger chooses one of the two messages at random, proxy signcrypts it, and returns the resulting signcrypted ciphertext to the adversary.
  12. **Phase II**: The adversary can ask similar queries to the oracles as in Phase I, excluding Proxy-Unsigncrypt-Oracle queries on the challenge ciphertext, as before.
  13. **Output**: Finally, the adversary outputs its guess of which message was signcrypted; if the guess is correct, the adversary succeeds in the game.
- (ii) **Unforgeability**
  1. **Definition 2**: The CLPSC scheme is EUF-CMA secure only if no attacker has an unfair advantage in winning the following Games 3 and 4 in polynomially bounded time.
  2. **Game 3 (EUF-CMA)**: In this game, the adversary needs to forge a valid ciphertext without holding any delegation warrant.
  3. **Initialization**: Upon receiving an input k, the setup algorithm is executed to generate the system parameters and the system master key; the system parameters are sent to the adversary, but the master key is kept secret.
  4. **Queries**: The adversary can ask a polynomially bounded number of queries to the oracles via the challenger, including Create-User-Oracle, Reveal-Partial-Private-Key-Oracle, Reveal-Secret-Key-Oracle, Replace-Public-Key-Oracle, Generate-Delegation-Oracle, Reveal-Proxy-Key-Oracle, Proxy-Signcrypt-Oracle, and Proxy-Unsigncrypt-Oracle.
  5. **Forgery**: Finally, the adversary outputs a signcryption on a message M under the chosen identities. If it is a valid ciphertext that was not obtained from Proxy-Signcrypt-Oracle, the adversary succeeds in this game. However, the adversary is not permitted to query the Reveal-Partial-Private-Key oracle, the Replace-Public-Key oracle, or the Reveal-Secret-Key oracle on the original user during the game.
  6. **Game 4 (EUF-CMA)**: In this game, the challenger interacts with a Type II adversary as follows:
  7. **Initialization**: Upon receiving an input k, the setup algorithm is executed to obtain the system parameters and the system master key, which are then sent to the adversary.
  8. **Queries**: The adversary may adaptively make a polynomially bounded number of queries to oracles such as Create-User, Reveal-Secret-Key, Generate-Delegation, Reveal-Proxy-Key, Proxy-Signcrypt, and Proxy-Unsigncrypt through the challenger.
  9. **Forgery**: Finally, the adversary outputs a signcryption on a message M under the chosen identities. If it is a valid ciphertext that was not obtained from Proxy-Signcrypt-Oracle, the adversary succeeds in this game. It is mandatory that the adversary has not queried the Reveal-Secret-Key oracle on the original user during the game.

#### 3. Review and Analysis of Bhatia and Verma’s CLPSC Scheme

##### 3.1. Review of Bhatia and Verma’s CLPSC Scheme

In this section, we review the scheme of Bhatia and Verma, which consists of the following 10 polynomial time algorithms.

*Setup*. After the key generation center (KGC, which is responsible for the system keys and the partial private keys of users) has chosen a security parameter k, the algorithm performs the following steps:

1. Chooses an elliptic curve over a prime finite field.
2. Chooses a cyclic subgroup G of the elliptic curve group and sets P as a generator of order q.
3. Chooses a master secret key and generates the corresponding master public key.
4. Lets the message space be fixed and selects four different hash functions.
5. Finally, outputs the system parameters.

*Extract-Partial-Private-Key*. Taking the system parameters, the system private key s, and the user’s identity as inputs, KGC calculates the partial private key of user O, where the blinding value is randomly chosen. The resulting values are then sent to the user over a secure communication channel.

*Set-Secret*. Upon receiving the partial private key, the user verifies that it comes from a legitimate KGC by checking the verification equation against the master public key. After successful verification, the user picks a random value as its secret value and computes the corresponding public value.

*Set-Private-Key*. Given system parameters, partial private key , and secret value as inputs, this algorithm outputs a private key pair .

*Set-Public-Key*. Given system parameters as inputs, this algorithm outputs a public key pair .

*Gen-Delegation*. Given the original signcrypter’s private key pair, public key pair, and message warrant as inputs, this algorithm generates the delegation on the warrant. The user O randomly chooses a nonce, computes the corresponding curve point, and further computes the delegation value as follows, where the hash is taken over the warrant and the nonce point. The delegation is then sent to the proxy signcrypter (PS).

*Verify-Delegation*. The PS verifies whether the delegation is legitimate by computing the verification value and checking whether the verification equation holds. If not, the proxy signcrypter rejects the delegation request.

*Gen-Proxy-Key*. Upon successful verification, PS computes a proxy signing key from the delegation value and its own private key, where the hash is taken as in Gen-Delegation.

*Proxy-Signcryption*. Given the proxy key, a message M, and the public key of the receiver as inputs, it generates a signcrypted ciphertext on O’s behalf. Specifically, PS randomly chooses a nonce and further calculates the corresponding curve point. The detailed process of generating the proxy signcryption on message M is described as follows. After that, the signcrypted ciphertext is sent to R by PS.

*Proxy-Unsigncryption*. After receiving the complete signcrypted ciphertext, the receiver R unsigncrypts it and checks the verification equation. If the equation holds, then R accepts the message.

##### 3.2. Analysis of Bhatia and Verma’s CLPSC Scheme

We will now present a successful public key replacement attack by a Type I adversary against the scheme.

*Step 1.* The adversary chooses three random numbers and computes the corresponding values. Then, it generates a forged public key pair and substitutes it for the original public key of OS.

*Step 2.* Given a message warrant, which can be intercepted from the communication channel between OS and PS, OS computes the delegation value. Then, it sends the delegation to the proxy signcrypter (PS).

*Step 3.* After PS receives the delegation, it computes the verification values to verify the delegation. Then, it checks whether the verification equation holds. Note that, according to (10), (11), and (12), the left-hand side and the right-hand side of the equation coincide. By using the above values sent by the adversary to the proxy signcrypter, the verification is successful. In other words, the delegation in the scheme of Bhatia and Verma can be forged.

Given the linear relationship between the forged values in the verification equation, the adversary can use a fake public key to bypass the Verify-Delegation process. Specifically, the adversary forges a fake secret key and computes the fake public key, because there is no equation that verifies or binds the public key in the verification process. Therefore, in our improved CLPSC scheme, we construct a hash function that takes the public key as an input, so that it appears as the coefficient in the verification equation. If the adversary executes the public key replacement attack, then the adversary has to choose the replacement at random, and the coefficient changes too. This prevents the forgery of the delegation.
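As an added illustration of the two mechanisms described above, in Section 3.1 (KGC-issued partial private keys that the user verifies against the master public key) and in this paragraph (a delegation whose hash commits to the delegator's public key), here is a compact Python version. This is not code from Bhatia and Verma or from this paper, whose equations did not survive extraction here; the curve (secp256k1), the Schnorr-style key and delegation equations, the hash composition, and all function names are assumptions.

```python
import hashlib, secrets

P_MOD = 2**256 - 2**32 - 977   # secp256k1 field prime (assumed curve choice)
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    # Affine point addition; None represents the point at infinity.
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, A):
    # Double-and-add scalar multiplication (not constant-time; demo only).
    R = None
    while k:
        if k & 1: R = ec_add(R, A)
        A = ec_add(A, A); k >>= 1
    return R

def H(*parts):
    # Hash to Z_q over length-prefixed encodings of ints, points and strings,
    # so that adjacent fields cannot be shifted into each other.
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, tuple): p = p[0].to_bytes(32, 'big') + p[1].to_bytes(32, 'big')
        elif isinstance(p, int): p = p.to_bytes(32, 'big')
        else: p = p.encode()
        h.update(len(p).to_bytes(2, 'big') + p)
    return int.from_bytes(h.digest(), 'big') % Q

def kgc_setup():
    s = secrets.randbelow(Q - 1) + 1           # master secret key s
    return s, ec_mul(s, G)                      # (s, master public key P_pub)

def extract_partial_private_key(s, identity):
    r = secrets.randbelow(Q - 1) + 1
    R = ec_mul(r, G)
    d = (r + s * H(identity, R)) % Q            # ties ID and R to the master key
    return d, R

def verify_partial_key(P_pub, identity, d, R):
    # User-side check before accepting the KGC's output: d*G == R + H(ID, R)*P_pub.
    return ec_mul(d, G) == ec_add(R, ec_mul(H(identity, R), P_pub))

def set_keys(d, R):
    x = secrets.randbelow(Q - 1) + 1            # user-chosen secret value
    return (d, x), (R, ec_mul(x, G))            # private (d, x), public (R, X)

def gen_delegation(priv_o, pub_o, warrant):
    d, x = priv_o
    k = secrets.randbelow(Q - 1) + 1
    K = ec_mul(k, G)
    h = H(warrant, K, pub_o[0], pub_o[1])       # the public key is hashed in
    return K, (k + h * (d + x)) % Q

def verify_delegation(P_pub, ident_o, pub_o, warrant, K, sigma):
    R, X = pub_o
    h = H(warrant, K, R, X)                     # recomputed from the claimed key
    full = ec_add(ec_add(R, ec_mul(H(ident_o, R), P_pub)), X)   # equals (d + x)*G
    return ec_mul(sigma, G) == ec_add(K, ec_mul(h, full))
```

Because the hash coefficient is recomputed from whatever public key the verifier is handed, a delegation made under the genuine key does not verify under a substituted one.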

#### 4. Proposed CLPSC Scheme

Here, we present our proposed scheme, which consists of the following three basic components: a prescriber (e.g., a medical practitioner), a transaction hub, and a pharmacy that has implemented the electronic prescription system. The patient’s medical information (e.g., the patient’s medical record and medication history) is stored in the database. The prescriber can find this information by searching the database using the patient’s unique information, such as name, date of birth, and current address. Once the record is found, the doctor can update it or upload a new prescription recording new medical information to the server after reviewing it (see Figure 1). The transaction hub works like a database for recording the patient file and all prescriptions. After downloading the patient’s prescription and successfully executing the proxy-unsigncryption, the pharmacy dispenses the medication listed in the electronic prescription to the proxy signcrypter.