Abstract

With the rapid development of the Internet of Things (IoT), a lot of sensitive information in our daily lives is now digitalized and open to remote access. Providing security and privacy for such data requires comprehensive cryptographic services and has raised wide concern. Hybrid signcryption schemes could achieve various kinds of cryptographic services (e.g., confidentiality, authenticity, and integrity) at much lower cost than a combination of separate traditional cryptographic schemes, each providing a single cryptographic service. Thus, hybrid signcryption schemes are very suitable for IoT environments where resources are generally very constrained (e.g., lightweight sensors and mobile phones). To ensure that the overall hybrid signcryption scheme provides adequate cryptographic service (e.g., confidentiality, integrity, and authentication), its KEM (key encryption mechanism) and DEM (data encryption mechanism) parts must satisfy some security requirements. Chosen-ciphertext attack (CCA) security has been widely accepted as the gold standard requirement for general encryption schemes. However, CCA security appears too strong in some conditions. Accordingly, Canetti et al. (CRYPTO 2003) proposed the notion of replayable CCA security (RCCA) for encryption schemes, which is a strictly weaker security notion than CCA security and naturally more efficient. This new security notion has proved to be sufficient for most existing applications of CCA security, e.g., encrypted password authentication. This is particularly promising for IoT environments, where security is demanding, yet resources are constrained. In this paper, we examine the RCCA security of the well-known SKEM+DEM style hybrid signcryption scheme by Dent at ISC 2005. Meanwhile, we also examine the RCCA security of the Tag-SKEM+DEM style hybrid signcryption scheme by Bjorstad and Dent at PKC 2006.
We rigorously prove that a hybrid signcryption scheme can achieve RCCA security if both its SKEM part and its DEM part satisfy some security assumptions.

1. Introduction

With the booming development of wireless technology, the Internet of Things (IoT) has proliferated in various applications such as personal health, government work, and battle surveillance. How to ensure security and privacy of the sensitive data in these security-critical applications is a challenging issue, because it would generally incur comprehensive cryptographic services. Hybrid signcryption schemes could achieve various kinds of cryptographic services (e.g., confidentiality, authenticity, and integrity) at much lower cost than a combination of separate traditional cryptographic schemes, each providing a single cryptographic service [1]. Thus, hybrid signcryption schemes are very suitable for IoT environments where resources are generally very constrained (e.g., lightweight sensors and mobile phones).

The first signcryption scheme was proposed by Zheng [2] at CRYPTO’97. The notion of confidentiality for a signcryption scheme is analogous to that of an original encryption scheme, while the nonrepudiation service is analogous to that of a digital signature scheme [3]. Since then, various kinds of signcryption schemes have been suggested. In 2002, Lee [4] proposed identity-based signcryption. At AsiaCCS’08, Barbosa et al. [5] proposed certificateless signcryption. At IMACC’13, Nakano et al. [6] presented two generic constructions of signcryption in the standard model. In 2017, Li et al. [7] proposed a signcryption scheme for cloud computing. At PQCrypto’18, Sato et al. [8] proposed lattice-based signcryption without random oracles. At the same time, Datta et al. [9] proposed functional signcryption.

In addition, a number of signcryption schemes have been proposed for the IoT environments (e.g., key establishment over ATM networks [10], defense against fragment duplication attack in 6LoWPAN networks [11], short signcryption scheme for IoT [12], and provably secure signcryption for IoT [13]). Belguith et al. [14] proposed privacy preserving attribute based signcryption for IoT.

However, in traditional signcryption schemes, keyed encapsulation encryption is generally not fully exploited, and the length of messages is always tied to the signcryption scheme. Further, the major weakness of asymmetric encryption schemes is that their computational efficiency is worse than that of symmetric ones [15]. Accordingly, the notion of hybrid signcryption was proposed. Hybrid signcryption uses a symmetric encryption scheme to improve the overall performance and flexibility of asymmetric signcryption. Hybrid signcryption can simultaneously combine the main advantages of public key encryption and a digital signature scheme at much lower cost than traditional schemes [1, 16]. As sensor nodes in IoT are resource-constrained (e.g., limited battery power) and deployed to run for years, hybrid cryptography is particularly suitable for data storage and transmission to achieve secure and efficient communication [17]. In 2004, Dent [15] proposed a formal composition model for hybrid signcryption, and this model covers Zheng’s scheme [2]. Later, Bjorstad et al. [18] proposed an improved signcryption scheme with tag-KEMs, Li et al. [19] proposed a certificateless hybrid signcryption scheme, and Zhou [20] proposed an improved certificateless hybrid signcryption scheme. Because they use a symmetric encryption scheme to overcome the weakness and restricted message space of traditional asymmetric encryption schemes, these hybrid signcryption schemes can make the length of the message independent of the security of the overall signcryption scheme.

Secure encryption is one of the most fundamental tasks in cryptographic schemes, while CCA security has been widely accepted as the gold standard requirement for encryption schemes [21, 22]. However, chosen-ciphertext attack security appears to be too strong in many conditions; there exist many encryption schemes that are not CCA secure but still have practical applications [23]. Here we take a CCA secure public key encryption scheme PKE as an example. We change it into a public key encryption scheme PKE′, which is identical to PKE except that its encryption algorithm appends a bit 0 to each ciphertext and its decryption algorithm discards this bit of a ciphertext. Then, one naturally obtains a different ciphertext that decrypts to the same message as the original one. However, this change has no real consequence in most situations, because the modified scheme PKE′ appears to be as secure as the scheme PKE in most situations. This example is also used in [23].

Accordingly, Canetti et al. [23] proposed the RCCA security notion at CRYPTO 2003. RCCA security is a strictly weaker security notion than CCA security, which has proved to be sufficient for most cryptographic primitives, e.g., encrypted password authentication [24]. There are some studies (e.g., [23, 25]) about the RCCA security of hybrid cryptography, and there are also several studies (e.g., [2, 3, 15]) about the CCA security of hybrid signcryption. As far as we know, there is no work examining the RCCA security of hybrid signcryption. To fill the gap, in this paper we consider the RCCA security of hybrid signcryption and show that hybrid signcryption can achieve RCCA security (rather than only CCA security) under certain conditions.

1.1. Main Contributions

In this paper, we examine the RCCA security of the hybrid signcryption scheme Tag-SKEM+DEM [18] and the hybrid signcryption scheme SKEM+DEM [3]. We will show the following: (1) The hybrid signcryption scheme (SKEM+DEM) can be RCCA-secure if the scheme Tag-SKEM is RCCA-secure and the scheme DEM is RCCA-secure. (2) The hybrid encryption scheme (Tag-SKEM+DEM) can be RCCA-secure if the signcryption scheme Tag-SKEM is RCCA-secure and the scheme DEM is RCCA-secure. Although our results might be expected and somewhat straightforward, we concretely confirm such expectations with a formal proof. When giving our proof, we mainly use the hybrid game-based reduction technique presented in [26–28].

1.2. Related Works and Discussions

It is obvious that if the hybrid signcryption scheme is going to provide an integrity and authentication service, then its KEM part and DEM part must satisfy some kind of security criterion. Dent et al. [15] examined the CCA security of hybrid signcryption schemes (SKEM+DEM and Tag-SKEM+DEM). Chen et al. [27] examined the RCCA security for hybrid encryption scheme KEM+DEM. Cui et al. [29] gave two kinds of RKA-secure signcryption schemes. In 2017, Dai et al. [30] considered the ECCA security for hybrid encryptions Tag-KEM+DEM and KEM+Tag-DEM. Abe et al. [26] provided a hybrid encryption scheme Tag-KEM+DEM, and they presented a useful way to get CCA secure hybrid encryptions. Cramer et al. [31] have shown that the hybrid encryption scheme Tag-KEM+DEM is CCA secure if its KEM part is CCA secure and its DEM part is one-time secure.

Since, for the scheme Tag-SKEM+DEM, the ciphertext of scheme DEM is a tag of the scheme Tag-SKEM, one may think that the security assumption of scheme SKEM could be weakened to chosen plaintext attack (CPA) security when considering the RCCA security of signcryption. As it is impossible to simulate the decryption oracle for an adversary who attacks the hybrid signcryption, we leave it as an open problem whether the security of schemes SKEM and DEM could be relaxed to a weaker notion (e.g., CPA). One may also think that, with the RCCA security of Tag-KEM and one-time security of DEM, one can get the RCCA security of hybrid signcryption scheme Tag-KEM+DEM. However, the adversary cannot generate useful challenge ciphers if the adversary does not change the tag used for the scheme Tag-DEM. In this paper, when proving our results, we make a perfect simulation for the adversary, who initiates an IND-RCCA experiment against hybrid signcryption. We summarise the hybrid cryptographic schemes and their security in Table 1.

Organization of the Paper. In Section 2, we review some basic notations and definitions. In Section 3 we review the definition of the general hybrid signcryption scheme, and , and then we prove its security. In Section 4, we review our main conclusions.

2. Preliminaries

In this section, we will review some useful notations and cryptographic primitives that will be used throughout this paper.

Notations. We denote by the security parameter and write to denote the algorithm that picks an randomly from the set . PPT denotes probabilistic polynomial time. We write to denote the algorithm that runs algorithm with inputs and then outputs . We define a function as negligible: if for any constant , there exists a , such that for all , .

2.1. RCCA Security Definition

is a public key encryption (PKE) scheme that consists of three polynomial-time algorithms:
(i) is a key generation algorithm that inputs the security parameter and outputs a pair of public/private keys .
(ii) is a PPT encryption algorithm that encrypts a message into a ciphertext .
(iii) is a deterministic decryption algorithm that decrypts a ciphertext and outputs either a message or a reject symbol .

Now, we define its RCCA security by describing the following attack experiment between a challenger and a PPT adversary :
(i) Setup: The adversary queries algorithm: .
(ii) Stage 1: The adversary queries a ciphertext to : , and adversary responds with .
(iii) Challenge stage: The adversary queries a pair of messages to , where , and then the challenger chooses a bit , computes the challenge cipher , and, finally, sends the challenge to .
(iv) Stage 2: The adversary makes continuous queries to ; here, we require that the cipher is not identical to the challenge cipher . The decryption algorithm runs . Finally, if , adversary responds with , or else adversary responds with or reject symbol .
(v) Guess stage: The adversary outputs .

We let = in the above experiment.

If for any PPT adversary , the function is negligible, we say that is RCCA-secure.

2.2. Signcryption Key Encryption Mechanism (SKEM) and Its RCCA Security Notions

A signcryption key encryption mechanism , , , is an asymmetric encryption scheme [3], which consists of the following four algorithms:
(i) is a PPT algorithm that inputs a security parameter and outputs the sender’s public/private key .
(ii) is a PPT algorithm that inputs a security parameter and outputs the receiver’s public/private key .
(iii) is a PPT encryption algorithm that inputs the sender’s private key and the receiver’s public key and outputs ; here, is a symmetric key and is the key encapsulation of .
(iv) is a deterministic, polynomial-time decryption algorithm that inputs the sender’s public key , a key encapsulation , and the receiver’s private key and outputs either a key or the error symbol .

We now define its RCCA security by describing the attack experiment; this experiment is played by an adversary and the challenger:
(i) Setup: The challenger queries a key generation oracle and . The key generation oracle runs and the key generation oracle runs . Finally, the key generation oracle and sends to adversary .
(ii) Stage 1: The adversary inputs and makes queries to encapsulation oracle and decapsulation oracle. For every decapsulation oracle algorithm query, the adversary submits a ciphertext to decryption algorithm : . Finally, responds to the adversary with or .
(iii) Challenge stage: The challenger computes , chooses , where is the key space, , and sends to adversary .
(iv) Stage 2: The adversary inputs and makes continuous queries to . Here, we require that adversary is not allowed to query to . However, we admit that adversary can query on for any and on for any . The decryption oracle algorithm responds with . Finally, if , is responded with , or else is responded with .
(v) Guess stage: In the end, outputs a bit .

In the attack experiment, we let = . If for any PPT adversary , the function is negligible, we say the signcryption scheme is -secure.

2.3. Data Encryption Mechanism and Its IND-RCCA Security

A signcryption data encryption mechanism is a symmetric encryption scheme, which consists of the following two algorithms: , .
(i) ; is a polynomial-time encryption algorithm; encrypts by using a key K and outputs the corresponding ciphertext .
(ii) ; is a polynomial-time decryption algorithm; it inputs ciphertext and decrypts the cipher by using the same key K.

We define its security by describing the attack experiment; this experiment is played by an adversary and the challenger:
(i) Setup 1: The challenger chooses a symmetric key .
(ii) Challenge stage: The adversary queries to , . The challenger chooses , computes the challenge cipher , and then sends the challenge cipher to adversary .
(iii) Setup 2: The adversary continues to submit cipher queries to : ; here, is not equal to the challenge cipher . If , responds to adversary with , or else responds to adversary with .
(iv) Guess stage: In the end, the adversary outputs .

We define in the above experiment.

If for any PPT adversary , the function is negligible, the scheme is secure.

3. The RCCA Security of Hybrid Signcryption Schemes

In this section, we will recall the definition of hybrid signcryption as adapted by Dent and An [15, 33]. Some definitions include the verification algorithm, whose aim is to provide nonrepudiation. However, in their view, nonrepudiation is unnecessary for most cryptography applications and hence will not be discussed further. Next, we examine the security of hybrid signcryption and consider the outsider security (the adversary is a third party, neither sender nor receiver) of hybrid signcryption, which is proposed by Dent in [3].

3.1. SKEM+DEM Hybrid Signcryption Scheme and Its Relaxing Chosen Cipher Attack Security

is a signcryption key encapsulation mechanism, is a data encapsulation mechanism, and hybrid signcryption scheme can be constructed from and as follows:
(i) It runs receiver’s key generation algorithm and runs sender’s key generation algorithm . Finally, it outputs and .
(ii) (pk, m): is a PPT algorithm that inputs the sender’s private key , a message m, and the receiver’s public key . It chooses and computes ; here is the signcryption scheme ’s key space. Then it computes , and the resulting signcryption is
(iii) (sk, c): the algorithm inputs the sender’s public key , a cipher c, and the receiver’s private key . It then parses cipher as and runs In the end, it outputs or “reject” symbol
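The composition above, run against the PKE′ remark from the introduction and the "test" reply of the RCCA decryption oracle, as an added Python example (not code from the paper or from Dent's scheme). The static-DH SKEM, the encrypt-then-MAC DEM, the group parameters, the messages and all function names are constructed toy assumptions; the example generalizes the PKE′ trick to the hybrid scheme by appending a byte that unsigncryption discards.

```python
import hashlib, hmac, secrets

P, G = 2**255 - 19, 2            # toy group (constructed; not a vetted DH group)
M0, M1 = b"open valve 0", b"open valve 1"   # constructed challenge messages
TEST = "test"                    # RCCA oracle reply to any replay of M0 / M1

def keygen():
    """Sender/receiver key generation: private exponent x, public G^x mod P."""
    sk = secrets.randbelow(P - 3) + 2
    return sk, pow(G, sk, P)

def _kdf(c1, static, eph):
    data = b"".join(v.to_bytes(32, "big") for v in (c1, static, eph))
    return hashlib.sha256(data).digest()

def skem_encap(sk_s, pk_r):
    """Encap(sk_S, pk_R) -> (K, C1); the static DH term ties K to the sender."""
    r = secrets.randbelow(P - 3) + 2
    c1 = pow(G, r, P)
    return _kdf(c1, pow(pk_r, sk_s, P), pow(pk_r, r, P)), c1

def skem_decap(pk_s, sk_r, c1):
    """Decap(pk_S, sk_R, C1) -> K, or None (reject) for a malformed C1."""
    if not 1 < c1 < P - 1:
        return None
    return _kdf(c1, pow(pk_s, sk_r, P), pow(c1, sk_r, P))

def _dem_keys(k):
    return (hmac.new(k, b"enc", hashlib.sha256).digest(),
            hmac.new(k, b"mac", hashlib.sha256).digest())

def _xor_stream(key, data):
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def dem_enc(k, m):
    """DEM.Enc under a one-time key K: stream encryption, then a MAC."""
    ke, km = _dem_keys(k)
    body = _xor_stream(ke, m)
    return body + hmac.new(km, body, hashlib.sha256).digest()

def dem_dec(k, c2):
    """DEM.Dec: returns the message, or None (reject) if the MAC fails."""
    if len(c2) < 32:
        return None
    ke, km = _dem_keys(k)
    body, tag = c2[:-32], c2[-32:]
    if not hmac.compare_digest(tag, hmac.new(km, body, hashlib.sha256).digest()):
        return None
    return _xor_stream(ke, body)

def signcrypt(sk_s, pk_r, m, pad=False):
    """Hybrid signcryption: c = (C1, C2). pad=True is the PKE'-style variant."""
    k, c1 = skem_encap(sk_s, pk_r)
    c2 = dem_enc(k, m)
    return (c1, c2 + b"\x00") if pad else (c1, c2)

def unsigncrypt(pk_s, sk_r, c, pad=False):
    """Parse c, decapsulate K, decrypt C2; None if either step rejects."""
    c1, c2 = c
    if pad:
        c2 = c2[:-1]             # discard the appended byte, whatever its value
    k = skem_decap(pk_s, sk_r, c1)
    return None if k is None else dem_dec(k, c2)

def decryption_oracle(mode, pk_s, sk_r, c, c_star, pad=False):
    """'cca': refuse only c == c*. 'rcca': answer TEST when c decrypts to M0/M1."""
    if mode == "cca" and c == c_star:
        raise ValueError("challenge ciphertext may not be queried")
    m = unsigncrypt(pk_s, sk_r, c, pad)
    if mode == "rcca" and m in (M0, M1):
        return TEST
    return m

def replay_attack(mode, b):
    """Outsider flips the discarded byte of c* and queries the oracle once."""
    sk_s, pk_s = keygen()
    sk_r, pk_r = keygen()
    c_star = signcrypt(sk_s, pk_r, (M0, M1)[b], pad=True)
    replay = (c_star[0], c_star[1][:-1] + b"\x01")   # != c*, same plaintext
    return decryption_oracle(mode, pk_s, sk_r, replay, c_star, pad=True)

if __name__ == "__main__":
    for mode in ("cca", "rcca"):
        print(mode, [replay_attack(mode, b) for b in (0, 1)])
```

Under the CCA oracle the reply is the challenge plaintext itself, so the padded variant is not CCA-secure; under the RCCA oracle both values of the challenge bit yield the same reply and the replay reveals nothing.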

3.2. The RCCA Security of Hybrid Signcryption Schemes

Theorem 1. The hybrid signcryption scheme can be constructed from a signcryption scheme and a scheme . If the signcryption scheme is secure and the signcryption scheme is secure, then hybrid signcryption scheme can achieve security. For every given adversary , there exist probabilistic adversary and adversary , such that the following conclusion holds:

Here, we assume the adversary at most makes the queries to the encryption-decryption oracle, the running times of and are equal to that of adversary , and is the signcryption scheme ’s key space.

Proof. Fix adversary and ; is a PPT adversary, which attacks the hybrid signcryption scheme ; we then prove the theorem through the following experiments.

: This is an experiment on the signcryption scheme , which is played by an adversary and the challenger. (We denote by the event of adversary succeeding in this experiment.)
(i) Setup: The adversary makes queries to key generation algorithm and makes queries to key generation algorithm . Finally, it sends to adversary .
(ii) Stage 1: The adversary inputs a public key pair and makes continuous queries to decryption oracle algorithm. For adversary ’s decryption algorithm query , the adversary sends a cipher to the challenger , and the challenger runs decryption algorithm In the end, the challenger responds to with .
(iii) Challenge stage: The adversary inputs and queries to an encryption oracle, and the challenger chooses and chooses . Then the challenger computes and computes the signcryption
(iv) Stage 2: The adversary inputs and makes continuous queries to the challenger. Here, the adversary is not admitted to query to the decryption oracle algorithm. But we admit that adversary can make a query to the decryption oracle algorithm on for any and on for any cipher . The challenger runs decryption oracle and . If , the challenger responds to with or else responds to with .
(v) Guess stage: In the end, the adversary outputs a guessing bit .

The following conclusion holds:

: We now modify experiment to obtain a new experiment . These two experiments are identical except that we use a uniformly random key to compute the challenge cipher in step 3 of ; the challenge cipher is computed by the encryption algorithm and . To maintain consistency, the challenger should use the symmetric key to answer the decryption oracle algorithm query . Hence, the distinction between experiment and experiment mainly lies in how the scheme runs. (We denote by the event of the adversary succeeding in this experiment.) We have the following conclusion.

Lemma 2. There is an adversary , and its running time is equal to the running time of adversary ; the following conclusion holds:

Proof. We prove the lemma by constructing an adversary who attacks the signcryption scheme SKEM. The adversary simulates the environment for ; their interactions can be described as follows:
(i) Setup: The adversary was given , and the adversary sent to .
(ii) Stage 1: The adversary inputs and makes some queries c to the decryption oracle: . Finally, is responded with or reject symbol .
(iii) Challenge stage: The adversary inputs and queries to an encryption oracle, . The adversary computes and computes , and finally the adversary sends the challenge cipher to the adversary .
(iv) Stage 2: The adversary inputs and makes queries to decryption oracle algorithm. Here, we require that cannot query to the decryption oracle algorithm. However, we admit that adversary can query the decryption oracle algorithm on for any and on for . The adversary runs Finally, if , responds with , or else is responded with .
(v) Guess stage: The adversary outputs a guessing bit and outputs in the end.
This has completed the construction of . By description, we can see that the adversary played a perfectly simulated decryption for adversary unless the cipher is decrypted to and test is returned by the correct answer from the decryption oracle for every query. However, the probability of this event is since in that case the key is uniformly random and independent of the view of the adversary for each such query.
(i) If , we can obtain that cipher is computed by a random key ; meanwhile, the view of the adversary is equal to that in .
(ii) If , we can obtain that is corresponding correct key embedded in the cipher ; meanwhile, the view of the adversary is equal to that in .
Thus, we can get the following conclusion: Lemma 2 is proved.

In the stage of experiment ’s encryption and decryption oracle algorithms, we use a uniformly random key , so the challenge cipher is not decrypted. From this point, we notice that the challenge cipher is generated by using a random symmetric key in experiment . Meanwhile, the other cipher is decrypted by using random key , which has no other role in experiment . Hence, in experiment , the adversary in substance plays an adaptive replayable chosen ciphertext attack (RCCA) against the signcryption scheme , so the following conclusion holds.

Lemma 3. There is a probabilistic adversary , and its running time is equal to the running time of the adversary , such that the following conclusion holds:

Proof. The symmetric key was chosen uniformly, randomly, and independently, so the challenge cipher does not reveal related information about which message was encrypted. Hence, to gain success in experiment 2, the adversary must learn some information from the challenge cipher . We prove Lemma 3 by constructing a probabilistic adversary , who attacks the signcryption scheme , and provides an environment for the adversary . Now, we describe their interactions:
(i) Setup: The adversary runs receiver key generation algorithm , runs sender key generation algorithm , and sends to .
(ii) Stage 1: The adversary inputs and makes queries ciphertext to a decryption oracle algorithm: , . If , the decryption oracle algorithm responds to adversary with or reject symbol .
(iii) Challenge Stage: The adversary inputs a public key pair and sends to the adversary . The adversary chooses , runs , and sends the challenge to . We notice that the symmetric key was chosen as the encryption key of scheme and embedded in cipher , which is uniformly random and independent of each other.
(iv) Stage 2: The adversary inputs and makes continuous queries to decryption oracle algorithm. Here, we require that adversary cannot query to the decryption oracle algorithm. However, we admit adversary can make a query to the decryption oracle algorithm on for any cipher and on for any . The adversary uses the secret key to run the decryption oracle algorithm and answer the decryption query of adversary with the following:
(a) If , hence . Then the adversary runs the decryption oracle . If , the adversary responds to with or else . If , the adversary responds to with , or else responds to with .
(v) Guess Stage: Finally, adversary outputs a bit and also outputs a bit .
This has completed the description of the adversary . By our construction, it is obvious that the adversary plays a perfectly simulated decryption for , and whenever gets success, so does . We have the following conclusion:

We can know that the advantage of in is which is negligible; we have proved Theorem 1.

3.3. The Hybrid Signcryption Scheme Tag-SKEM+DEM and Its RCCA Security

Definition 4 (signcryption scheme Tag-SKEM). A signcryption scheme consists of the following three algorithms:
(i) : is a PPT algorithm that inputs a security parameter and outputs a pair of public/private keys .
(ii) : is a PPT algorithm that inputs a security parameter and outputs a pair of public/private keys .
(iii) An encryption algorithm It runs . is a PPT algorithm that inputs the private key of sender and public key of receiver and outputs one-time key and intermediate state information . Choose and compute . is a PPT algorithm that encrypts the key (embedded in ) into cipher along with a tag and returns a cipher ; here, is called a tag.
(iv) A decryption algorithm . TKEM.Dec is a deterministic decryption verification algorithm for a signcryption cipher, which inputs the receiver’s private key , the cipher c, the sender’s public key , and a tag ; the decryption oracle returns a key or reject symbol .

Definition 5 (hybrid signcryption scheme Tag-SKEM+DEM). The signcryption scheme is an asymmetric encryption scheme and the signcryption scheme is a corresponding symmetric encryption scheme [18].

Then the hybrid signcryption scheme can be constructed as follows:
(i) Key generation algorithm : is a probabilistic receiver’s key generation algorithm that inputs a and outputs the receiver’s public/private key pair ; we write this as . is a probabilistic receiver key generation algorithm, which takes as input a security parameter and outputs a receiver’s public/private key pair ; we write this as .
(ii) An encryption algorithm is a probabilistic algorithm that inputs the receiver’s public key and outputs a symmetric key and the internal state information , . Here is the scheme DEM’s key space. Then choose and compute , . Finally, output the signcrypt cipher .
(iii) A decryption algorithm First, it parses the cipher to obtain . Next, it computes to obtain a symmetric key and computes Finally, it outputs the message or “reject” symbol .

3.4. The RCCA Security of Hybrid Signcryption Scheme Tag-SKEM+DEM

Theorem 6. The hybrid signcryption scheme is constructed from a scheme and a scheme . If the signcryption scheme is secure and the signcryption scheme is secure, then the hybrid signcryption scheme is also secure. For every adversary , there are probabilistic adversary and adversary , whose running times are essentially equal to that of adversary , such that for all , the following holds.

Here, we assume the adversary at most makes the queries to the encryption-decryption oracle algorithm and is the scheme ’s key space.

Proof. We prove the theorem by constructing an adversary who attacks the hybrid signcryption scheme with the following experiments. (We denote by the event of the adversary succeeding in the -th game.)

: This is the experiment on the signcryption scheme - , and this experiment is played between an adversary and the challenger as follows:
(i) Setup: The adversary queries a key generation oracle. The challenger runs receiver key generation algorithm , runs sender key generation algorithm , and responds to the adversary with .
(ii) Stage 1: The adversary inputs and makes continuous queries to decryption oracle algorithm. The adversary sends a cipher to the decryption oracle algorithm, and the decryption oracle algorithm runs , . If , the decryption oracle algorithm responds to with or else responds to with .
(iii) Challenge stage: The adversary inputs a public key pair and queries to an encryption oracle algorithm, and then the challenger runs , . Then the challenger computes , and sends the challenge cipher to the adversary .
(iv) Stage 2: The adversary inputs a public key pair and makes continuous queries to the challenger. Here, we require that adversary is not admitted to query to the decryption oracle. However, we admit that adversary can make a query to the decryption oracle on for any public key and on for any cipher . The challenger runs decryption oracle. Finally, if , responds with , or else responds with .
(v) Guess stage: In the end, the adversary outputs a guess bit .

Naturally, the following holds:

: We now modify to obtain a new ; this experiment is equal to the above experiment except that we just use a random key to encrypt the message in step 3 of ; hence, we get the following conclusion.

Lemma 7. There exists a probabilistic adversary , and its running time is equal to that of adversary , such that the following conclusion holds:

Here, we assume the adversary at most makes the queries to the encryption-decryption oracle algorithm.

Proof. We prove the lemma by constructing an adversary who attacks signcryption scheme Tag-SKEM. The adversary simulates an environment for adversary ; their interactions can be described as follows:
(i) Stage 1: The adversary was given , and at the same time, was sent to adversary .
(ii) Stage 2: The adversary inputs a public key pair and makes continuous queries c to a decryption oracle algorithm Dec. The decryption oracle algorithm runs . Finally, if , responds with or reject symbol .
(iii) Stage 3: The adversary inputs a public key pair and queries to the encryption oracle, . The adversary queries the encryption oracle of scheme Tag-SKEM to obtain . The adversary chooses and computes . Finally, the adversary sends challenge cipher to the adversary .
(iv) Stage 4: The adversary inputs and makes continuous calls to decryption oracle query. Here, we require that adversary is not admitted to query to the decryption oracle algorithm. However, we admit that adversary can make a query to the decryption oracle on for any and on for any . The adversary runs its own decryption oracle to answer the adversary ’s decryption query as follows:
(a) If is returned, then the adversary responds to with .
(b) If is returned and , then uses to decrypt the cipher .
(1) If or is returned, then the adversary responds to with .
(2) Otherwise, responds to with the result.
(c) If is returned and cipher , then the adversary responds to with .
(d) If is returned, then the adversary uses to decrypt the cipher .
(1) If or is returned, then the adversary responds to adversary with .
(2) Otherwise, responds to adversary with the result.
(v) Stage 5: In the end, the adversary outputs a guess bit , and outputs a bit .
This has completed the description of ; it is clear that the adversary plays a perfectly simulated decryption for unless the cipher is decrypted to and test is returned by the correct answer from the decryption oracle for every query. However, the probability of this event is since in that case the key is random and independent of the view of the adversary for each such query.
(i) If , we can know that random key is used for computing the cipher and the view of is identical to that in . Accordingly, .
(ii) If , we can know that the key is the correct key embedded in the cipher and the view of is equal to that in . Accordingly, .
Thus, Hence,

Lemma 2 is proved. Next, we show that the adversary playing essentially conducts an IND-RCCA attack on the signcryption scheme DEM; we claim the following.

Lemma 8. There is a probabilistic adversary , and its running time is equal to that of , and the following conclusion holds:

Proof. This can be shown by constructing an adversary who attacks the signcryption scheme . The adversary simulates the environment for adversary ; their interactions can be described as follows:
(i) Stage 1: The adversary queries receiver’s key generation algorithm , queries sender’s key generation algorithm , and sends a public key pair to .
(ii) Stage 2: The adversary inputs a public key pair and makes continuous queries to a decryption oracle algorithm: . In the end, adversary is responded with or reject symbol .
(iii) Stage 3: The adversary inputs a public key pair and sends to the adversary ; queries to the encryption oracle algorithm and then receives a challenge ciphertext . runs and then computes the following. In the end, the adversary submits the challenge cipher to adversary .
(iv) Stage 4: The adversary inputs a public key pair and makes continuous queries to decryption oracle algorithm. Here, we require that adversary is not admitted to query to the decryption oracle. However, we admit that the adversary is admitted to query the decryption oracle algorithm on for any and on for any cipher . The adversary uses to decrypt the cipher . The adversary runs the decryption oracle. The adversary answers ’s decryption query with the following:
(a) If , then responds to with .
(b) If and , then responds to with .
(c) If and , then responds to with .
(d) If , then uses to decrypt the cipher .
(1) If , then adversary sends to adversary .
(2) Otherwise, adversary sends to adversary .
Here, we notice that the key chosen by the signcryption scheme DEM’s encryption oracle and embedded in the cipher is randomly chosen and independent.
(v) Stage 5: In the end, the adversary outputs , and the adversary also outputs .
We have described the construction of the adversary . plays a perfect simulation for ; the view of is equal to that in and ; hence, we have Putting all the facts together, we have the following conclusion:

We have proved Theorem 6.

4. Conclusion

We have examined the security of two representative hybrid signcryption schemes, i.e., [3] and [18], in this paper. We proved that the hybrid signcryption scheme SKEM+DEM is -secure if the signcryption scheme is -secure and the signcryption scheme DEM is -secure. Meanwhile, we showed that the hybrid encryption scheme can be -secure if the signcryption scheme is -secure and the scheme is -secure.

Data Availability

Data sharing is not applicable to this article as no new data was created or analyzed in this study.

Conflicts of Interest

The authors declare that no conflicts of interest exist.

Acknowledgments

This paper is supported by the National Key Research and Development Plan of China under Grant No. 2016YFB0800600 and the National Natural Science Foundation of China (No. 61802006; No. 61602061; No. 61672059; No. 61472016).