Research Article  Open Access
P. Thorncharoensri, W. Susilo, Y. Chow, "Secure and Efficient Communication in VANETs Using LevelBased Access Control", Wireless Communications and Mobile Computing, vol. 2022, Article ID 8736531, 19 pages, 2022. https://doi.org/10.1155/2022/8736531
Secure and Efficient Communication in VANETs Using LevelBased Access Control
Abstract
In recent years, the development of vehicular adhoc networks (VANETs) has received much attention in intelligent transportation systems (ITS). Unlike traditional adhoc networks, VANETs are emerging with unique characteristics that share similar technology with autonomous vehicles (AVs) and automated driving systems (ASDs). Communication between vehicles and the surrounding infrastructure unit, such as a roadside unit (RSU), must be secured, concise, and authentic. Hence, an access control system for the adhoc environment is required. We introduced a levelbased controlled signcryption (LBS) scheme, which can be easily constructed and implemented into an access control system for VANETs environment. Our encrypted message has a short and constant size, which is better when compared with other attributebased signcryption or encryption. Confidentiality, privacy, and authenticity are also provided in our scheme to ensure secure and authentic communication. Therefore, our scheme has addressed communication cost, scalability, security, and privacy issues in VANETs. This primitive can be applied to simplify attributebased access control, as the only attribute required is an integer representing the security level. Our objective is to improve the quality and security of VANET communication. Moreover, an optional privacy mechanism in our scheme provides flexibility in controlling node privacy in VANETs.
1. Introduction
Vehicular adhoc networks (VANETs) are a key enabling technology in the development of autonomous vehicle technology and intelligent transportation systems (ITS). A VANET is a form of communication network that connects vehiclestovehicles and vehicles to roadside infrastructure. For example, Figure 1 shows communication between roadside units (RSUs) and vehicles. It also shows that vehicles can access information at the edge of an ITS server or the Internet. VANETs together with ITS and the Internet deliver a wide range of services, such as route guidance, traffic conditions (e.g., average vehicle density and speed), safety alerts, proximity advertisements, locationbased positioning information, and entertainment. In general, vehicles in VANETs need to connect wirelessly to ITS applications and the Internet via RSUs. Vehicles exchange information with edge ITS servers to access a variety of local environmental data. For example, a subject’s location positioning data are obtained through realtime point cloud data from LiDAR devices and cameras. This crucial information is particularly important for vehicles to be aware of any hidden outofsight vehicles/subjects that cannot be observed by the vehicle itself [1].
This is the fundamental information distribution system for autonomous vehicles (AVs). Despite the fact that VANETs and AV networks share similarities in communication and security issues, research in both areas have typically been conducted separately [2]. Secure broadcast communication plays a significant role in both systems. Whether using purely cellular, purely adhoc, or a hybrid architecture [3], VANETs need a confidential, efficient, concise, and precise communication protocol and access control.
To date, many security mechanisms have been proposed for VANETs. Insight on security issues related to VANETs can be found in surveys conducted by Malhi et al. [4] and Engoulou et al. [5]. The security challenges described in Malhi et al. [4] are the dependence on infrastructure, RSU range of communication, high mobility, difficulty in trust management, huge amount of data, scalability, and high cost. Our work aims to provide an efficient primitive for access control and secure communication, which will solve many of the security challenges related to the communication aspect of VANETs. For example, an efficient primitive should be able to work efficiently in architectures for high mobility, and it should provide a high degree of scalability for secure network access and have low communication overhead to reduce the amount of data in the network. An attributebased access control where an integer representing the security level is the only attribute in the system will help simplify the hierarchical structure of a VANET. We call this levelbased access control. The purpose of clustering protocols in VANETs aims to improve the performance of target tracking, traffic estimation, misbehaviour detection, privacy preservation, and certificate revocation, which makes significant contribution toward the dependence on infrastructure issue [6]. By providing an optional privacy mechanism in our primitive, it is easy to construct secure revocable local cluster communication.
Other than secure, fast, and efficient communication in VANETs, authentication, integrity, confidentiality, access control, and privacy are security requirements that are important in VANETs. Nevertheless, security requirements are application dependent. For example, message broadcasts from an RSU and message broadcasts from/to neighbouring vehicles may need to use two different primitives to satisfy VANET security requirements. To emphasise the importance of broadcast communication in VANETs, a survey on the qualityofservice (QoS) in relation to broadcast protocols is summarised [7]. It is an unavoidable fact that broadcast protocols play a significant role in VANETs for delivering emergency messages for the safety of vehicles or for reducing adhoc communication overhead. Due to the nature of VANETs that comprise of transient nodes and often unexpected changes in network topology, levelbased access control can significantly improve broadcast performance.
Let us illustrate this based on the following example. The Bell–LaPadula model can be used for simple but efficient access control in sharing resources and communication in a VANET (or adhoc network) environment. However, based on the aforementioned reason, we argue that multilevel security can help to make communication in VANETs simple but secure. For example, let us consider a VANET with a number of security levels, such as topsecurity level, highsecurity level, operator security level, and general user level. An ambulance, which is a node in the VANET, wants a roadside unit to arrange the best route to a hospital. The roadside unit, which has the operator security level, only needs to know that the ambulance is a highsecurity level node in order for it to help manage the route and traffic. Assuming that all vehicles on the road are autonomous vehicles, the roadside unit may request that other vehicles make way for the ambulance due to its highsecurity level.
1.1. Related Work
There are three areas of work that closely relate to our work. These are reviewed in this section.
First, there is attributebased and policybased cryptography. Sahai and Waters were the first to propose attributebased encryption in [8]. However, the implementation is not flexible and is only limited to particular systems. Later, Goyal et al. formalised and demonstrated a more general keypolicy design for attributebased encryption in [9]. An attributebased encryption (ABE) scheme is a cryptographic primitive that only allows users who satisfy the finegrained access structure to decrypt the ciphertext. A ciphertext is generated by encrypting a message along with a public string . By using a decryption key associated with a Boolean predicate function , the ciphertext can be decrypted only when is true. Their ABE scheme can be classified as a keypolicy attributebased encryption (KPABE). Basic KPABE uses threshold gates to express the access policy.
In later work on ABE schemes, logic gates (AND/OR) and threshold gates were used to construct the policy in ABE. A ciphertextpolicy attributebased encryption (CPABE) scheme was first proposed by Bethencourt et al. [10]. This primitive allows the policy to be constructed with a combination of numerical comparison and logic gates. Attributebased access control benefited from this primitive in practice. Hence, their work is used for comparison with our work in a later section. Following their work, much research on CPABE has been published within the last decade. Recently, a CPABE scheme for a complex constructed attribute with multiauthorities was proposed by Rouselakis and Waters [11]. Their scheme supports any string for the attribute in the policy, and it can combine multiple trusted authorities in a single policy. This is an efficient and practical scheme that can cover a wide range of users, on the condition that the attributes and the policy must not be complicated. Hence, this work was also included for comparison with our scheme. Another CPABE scheme, which is constructed without a bilinear function, was proposed by Yao and others [12]. Their scheme achieves significantly fast computation, which is suitable in the Internet of thing (IoT) and wireless sensor network (WSN). Therefore, our work is also compared with this primitive in the comparison section of this study. Moreover, Xue et al. proposed a comparable attributebased encryption scheme (CABE) in [13]. The CABE scheme provides a new way for attribute comparison which is an inspiration for our work. It allows the system to test whether an attribute is equal to, more than, or less than the given policy.
Similar to attributebased cryptography, Bagga and Molva [14] introduced the notion of policybased cryptography (policybased encryption and policybased signature schemes). The policy in CPABE proposed by Bethencourt et al. [10] is conceptually similar to policybased encryption. However, the access structure and complexity of the policy are more comprehensive, which can easily be used in an access control system. Due to the nature of applications in our work, we only applied the concept of a policy tree implementing integer comparison. With only an integer attribute in the policy (no AND/OR logic gates), our scheme achieves a constant size ciphertext.
Bellare and Fuchsbauer later formally defined the security definition of policybased signatures [15]. Like the attributebased signature, a signer in the policybased signature can sign on a message only if he/she meets the policy’s requirement (or attributes). From a signer’s point of view, both attributebased and policybased signatures ensure message integrity and authenticity properties. The authenticity and integrity of the message can be validated by only a verifier. Nevertheless, the signature cannot be generated or forged by other beside the signer who met the policy requirements. A variant policycontrolled signature scheme was proposed in [16], where authenticity was done in a reversed manner and limited to only the attributecredential holder (verifier). In contrast to attributebased and policybased signatures, policycontrolled signatures guarantee that only verifiers, who hold credentials that satisfy the policy or attributes, can verify the authenticity and integrity of the message and the nonreputability of the signer.
Closely related work on an attributebased signature (ABS) scheme was presented in 2008 by Maji et al. [17]. They also proposed an ABS scheme in the standard model in [18]. In this primitive, a signer reveals nothing about their identity in the signing process. It shows only their specific attributes. Many variant ABS schemes were put forward based on Maji et al.’s works. These are presented in [19–26]. Shahandashti and SafaviNaini [19] and Li et al. [27] independently published their work on the same topic of ABS with threshold predicate. Escala and others [22] also presented an ABS scheme with threshold predicate. Their scheme was equipped with a revocation method. They also formalised the adaptive unforgeability property for their ABS scheme. Additionally, a constant size ABS with threshold predicate was proposed by Herranz et al. [21]. Later, an ABS scheme with arbitrary circuits, which is supposed to be more efficient than the ABS schemes proposed by Maji et al. [18, 25], was presented by Sakai et al. [26]. This is true only when we increase the gate numbers. Their construction is based on the combination of a witness indistinguishable, an extractable noninteractive proof system and an existentially unforgeable signature scheme.
As mentioned above, many ABE and ABS schemes were proposed in the last decade. It seems that a simple solution for the aforementioned problems can easily be achieved by applying attributebased or policybased cryptography to encrypt a message and its signature. Only qualified users, who hold the proper credentials, can recover the message from an encrypted message. However, this is not entirely true since authentication of the signature can be transferred to a third party. Since the products after the decryption process are the signature and the message, they can be verified by any party. From the aforementioned scenario, signcryption’s ability to authenticate and decrypt should be limited to verifiers who hold credentials that satisfy the security level.
The second related topics is the hierarchical identitybased signature and encryption scheme (HIBS and HIBE). HIBE is a concept that combines an identitybased encryption (IBE) scheme and a hierarchical system. In the hierarchical system, a user’s identity at the security level is able to generate a secret key for the identity of its descendants. It also can decrypt a ciphertext meant for its descendants but not for other identities. Hence, it can provide a similar solution to the aforementioned problems about multilevel security. Our work has a slightly similar aspect; however, it differs in key generation and distribution. For example, every level in our scheme only has a single branch, but it can generate multiple private keys for the branch. Following the introduction of HIBE, there has been much subsequent work in this area [28, 29]. As a natural conversion from the HIBE scheme, the hierarchical identitybased signature (HIBS) scheme also inherits its properties. The ancestor’s identity can generate a secret key for the identity of its descendants, and it can generate the signature of behalf of its descendants as well. However, it cannot generate a signature on a message on behalf of other identities.
Boneh et al. was the first to propose a HIBE scheme with a constant size ciphertext in [30]. Our work on a constant size ciphertext was inspired by their work. Zhang et al. [28] proposed a compact size HIBE with a constant size private key. Their scheme’s distinct feature is having a constant size for both private key and ciphertext. Our scheme achieves this feature as well. A review of existing HIBS schemes can be found in [29]. Chen et al. provided a performance comparison between four HIBS schemes. Our work uses a similar approach for comparison with various schemes. In general, the benefit of using HIBE and HIBS in the network system that applied the identitybased public key system is to mitigate the bottleneck in the communication. Moreover, it is also to limit the key escrow. Nevertheless, similar to ABS schemes, HIBS only provides authenticity and message integrity for a signer, but not nonrepudiation and authorisation for a verifier.
The final related area of work is signcryption and attributebased signcryption. Zheng was the first to proposed the signcryption scheme in [31]. This primitive provides both authenticity and secrecy. The first attributebased signcryption (ABSC) scheme with threshold predicate was presented by Gagné et al. [32]. The primitive is a solution to the problems mentioned earlier, but is much less efficient when compared to our scheme in term of communication overhead and computation. Following the above work, several researchers proposed some works [33–35] to improve ABSC schemes in terms of applications and concrete construction in the standard model, efficient constructions, and formal security models, respectively. Pandit et al. [33] provided an ABSC scheme in a standard model. Their scheme proved to be secure in the INDCCA in the adaptivepredicate model. The ABSCbased linear codes secret sharing scheme was introduced by Song et al. in [34]. The access control system based on ABSC scheme was proposed by Zheng et al. in [35]. They showed that the key agreement scheme, an important tool for the access control system, can be constructed efficiently with ABSC. Rao [36] proposed an attributebased online/offline signcryption scheme, which reduced the computation signing time when needed. A certificateless threshold signcryption scheme proposed by Yu et al. in [37] allows toutofn senders to work together to generate the signcryption for applications such as petition, voting. Wang et al. [38] proposed an efficient signcryption with a designated equality test. It allows a trusted third party to check the validity of ciphertext with a given message. Later on, Le et al. put forward a signcryption scheme in the standard model in [39], which adopted the concept of the designated equality test by Wang et al. in [38]. Nevertheless, in Wang et al.’s scheme [38], a signature on a message can easily be extracted from a signcrypted ciphertext. Hence, a signcrypted ciphertext can be linked to the sender identity. Recently, Yu et al. [40] introduced a lightweight hybrid ABSC scheme for IoT systems. Their schemes allow a lowpower and lowcomputation device to pass the heavy computation in the signing and encrypting process to the edge node before returning the partial output. However, its communication cost (ciphertext size) is linear to the attributes; hence, it is only suitable for a simple access control system for the IoT system. The features comparison between signcryption, HIBE, ABE, ABSC, and our LBS schemes are given in Table 1.

Finally, the access control schemes for adhoc networks or the Internet of Things are reviewed. There are many access control systems that have been proposed recently [41–44]. Vijayakumar et al. [41] proposed an access control scheme that can be secure against attacks such as message reply attack, Sybil attack, masquerading attack, integrity attacks, and collusion attacks. Wazid et al. [42] proposed an access control scheme that is secured in the fog computing environment. Recently, Xia et al. [43] introduced an efficient authentication and key agreement scheme for a secure and anonymous access control system. It allows users to identify themselves without revealing their identity. This anonymous property is intriguing the optional anonymity in our scheme. Our scheme is designed to easily apply with the access control system, which allows users to securely and privately transmit their broadcast messages or private data to other users. It also reduces the process of encryption and signing in the existing access control schemes mentioned above. To further the benefits from privacypreserving in our scheme, we believe that our scheme can integrate with AIenabled blockchainbased access control proposed by Bera [44]. Hence, the anonymity in intrusion detection systems that detect and mitigate malicious attacks for the Internet of Everything (IOE) environment can be constructed. Moreover, our scheme can be designed for the access control system in an adhoc environment, such as VANETs, since a node can prove itself to another node that it holds a valid credential. Moreover, the proof cannot be replicated and transferred to other parties. Hence, it provides another privacy protection layer on top of it.
1.2. Our Contributions
To tackle the secrecy and privacy issue in communication over VANETs or AV networks, we propose a levelbased controlled signcryption (LBS) scheme for levelbased access control systems. This primitive provides access control with a hierarchical structure or a simple multilevel access control. Levelbased access control can be viewed as a simplified version of attributebased access control where the only attribute is an integer representing the security level. Our aim is to flexibly and efficiently allow nodes to communicate with other nodes securely and privately. Hence, we provide an optional privacy mechanism in the signcrypting (sign with encrypt) and unsigncrypting (verify with decrypt) processes. The security of this primitive is also formalised in this study. The notion of LBS schemes allows receivers, who hold a credential of a certain security level specified by the sender, to verify the authenticity of the ciphertext and to decrypt it. Moreover, with optional privacy, higher levels of confidentiality can be provided in the LBS scheme. LBS with optional privacy provides privacy between two or more parties when required. Nodes in VANETs can securely, confidentially, and flexibly send messages to an individual node, a group of node, or all nodes (message broadcasts are often use in VANETs to get the current routing in the network). Hence, the LBS scheme is suitable for mass encryption with authenticity and privacy.
We organized our study as follows. Some preliminaries and definitions are defined in the next section. In Section 3, the formal definition of levelbased controlled signcryption is presented. The security model is described as well in the same section. The construction detail of LBS scheme is described with its security proofs in Section 4. Finally, a comparison of our concrete scheme with ABS schemes and the conclusion of this study are presented in the last two sections.
2. Preliminaries
2.1. Notation
The rest of this study will use the following notations. We said that a function is negligible, if , and for all sufficiently large , . is a deterministic polynomial function. Let represent a series of numbers (or indexes), e g., if is integer, then . Let be a polynomial function. The security parameter is denoted by , and the polynomial time is denoted by . We say that if .
A process that randomly selects the element from a set is denoted by . Let be a collisionresistant hash function that maps a string to . Let be a collisionresistant hash function that maps a string to .
2.2. Bilinear Pairing
Let us define , , and cyclic multiplicative groups. The generators of and groups are and , respectively. is defined as a prime number and the order of all generators. is denoted as an efficient algorithm that maps . We call this function a bilinear mapping function.
The bilinear mapping function has the following properties:(1)Bilinearity: (2)Nondegeneracy: : (3)Computability:
is defined as an existing function mapping to in a onetime unit. It is also true in another way around.
2.3. Complexity Assumptions
Definition 1 (Computational Diffie–Hellman (CDH) problem). With a triple as input and as output, we said that an algorithm with an advantage probability breaks the CDH problem ifNote that the probability is taken over the random bits used by and the arbitrarily selected random integers .
Assumption 1. Computational Diffie–Hellman assumption.
The CDH assumption is intact if the probabilistic polynomial timebound (PPT) algorithm with time complexity and a probability advantage of at least breaking the CDH problem does not exist.
Definition 2 (Decisional bilinear Diffie–Hellman (DBDH) problem). With a random quadruple and a random integer as input, determine if or not. An algorithm solves the DBDH problem in within , if runs in time , andNote that the above probability is taken over the random bits used by , random integers , a random group .
Assumption 2. Decisional bilinear Diffie–Hellman assumption.
The DBDH assumption in holds only if no PPT algorithm solving the DBDH problem does not exist.
3. LevelBased Signcryption Schemes with Optional Privacy (LBS)
There are three main players in the levelbased signcryption (LBS) scheme. A sender generates a ciphertext that can only be verified and decrypted by a receiver who holds a credential that satisfies the levelbased security policy. This scenario can be used to ensure communication among authorised users. It can be used for message broadcasts in VANETs. It can also be used in secure group chats. However, if a sender wants to limit verification of the ciphertext to a particular receiver, the sender needs to place a personal receiver’s public key in the signcryption. We called this “optional privacy.” The “optional privacy” scenario is useful for sending private messages between the sender and the receiver. This solution can also be applied to a group of receivers where they share a group secret key, which is not affected by a member’s secret key. The last player is a trusted authority . In this levelbased security system, a credential is generated by , where it associated the credential with the given security level.
Notations on security level and levelbased policy are defined as follows: is a security level that specified in the levelbased security policy. is defined as a levelbased security policy that contains a security level as a security clearance of a verifier. Let us consider the following example. means is the minimum security level, and the policy is set such that is the minimum level that can decrypt the ciphertext. Note that other types of index or symbol, such as A, B, C, and D, also can be used to indicate the security level in . We assume that the security levels are in ascending order, which means that the higher the number, the higher the security clearance.
An LBS scheme is a sextuple (, , , , , ).
System parameter generation : with a security parameter as input, , a probabilistic function, generates the system parameter as follows:
key generator : With as input, , a probabilistic function, generates the private key and the public parameter of a trusted authority as follows:
Signer key generator : with and as input, , a probabilistic function, generates the private key and the public parameter of a signer as follows:
Verifier credential generator : with , , and an assertion indicating the security level of a verifier as input, , a probabilistic function, generates a verifier’s credential as follows:
Signcryption : with , , , , a message , and a levelbased security policy as input, , a probabilistic function, generates a sender’s ciphertext , that is,
Unsigncryption : with , , , , , and as input, , a deterministic function, returns with the decisional output , that is,
Signcryption with optional privacy : with , , , , , a message , and a levelbased security policy as input, , a probabilistic function, generates a sender’s ciphertext as follows:
Unsigncryption with optional privacy : with , , , , , , and as input, , a deterministic function, determines the validity of the input and returns the decisional output , that is,
3.1. Unforgeability
The unforgeability property in LBS provides an assurance that an attacker allowed to access the credential queries that cannot generate a valid levelbased signcryption , which seems to be signed by the sender on a new message . The attacker is allowed to access the signing oracle and the verifying oracle . The and is also known to the attacker; however, a signer’s secret key is restricted. Even the attacker can arbitrarily select a message , the entire credentials, and a levelbased security level policy as input, a valid signcryption on a new message cannot be generated. We called this a security against existential unforgeability under the adaptive chosen message and credentials exposure attack .
Let us define some notations before given a formal definition. Let be the adaptively chosen message and credentials exposure adversary. We assume that is an adversary who attacks the unforgeability of the LBS scheme. is defined as a simulator who run the attack simulation with . Note that is defined as the credentials of the entire security level, for example, if the system has 15 security levels, then . The and oracles that describe the ability of adversaries to break the unforgeability of an LBS scheme are illustrated as follows. : at most times, when a query for a signcryption on its choice of message and a signer corresponding to is issued, runs the algorithm to generate a signcryption on a message corresponding to , , and . Finally, responses to the query with . : at most times, when a query for credential corresponding to the arbitrarily chosen security level is issued, responses with the corresponding credentials .

The formalisation of unforgeability is now defined in the following statements. For a levelbased signcryption, an adversary is associated with the experiment given in Algorithm 1. has two functions, namely, stage and stage. Using an adaptive strategy, , in the stage, arbitrarily chooses a message and makes queries to the signing oracle and the credential oracle . The query processes are allowed repeatedly according to ’s strategies. At the end of this stage, outputs a message and a levelbased security policy along with some state information to be used in the state. In the second stage, takes as input and outputs a valid levelbased signcryption . wins the above experiment if(1) results a forged signcryption on a new message corresponding to and (2)(3) never makes a request for a levelbased signcryption with to the oracle
denotes the probability that successfully passes the winning condition in the above simulation.
Definition 3. Under a chosen message and credentials exposure attack model, an LBS scheme is secure existential unforgeability, if the PPT adversary success in the attack the nonnegligible (within ) probabilitydoes not exist. Let runs at most times and makes at most signing queries and credential queries.
3.2. Indistinguishability
The indistinguishable property is modelled on the indistinguishability of ciphertext in the selectivecredential exposed model. The attack models can be divided into two different models, which are the chosen plaintext attack and the (active) chosen ciphertext attack. The first attack model aims to prevent a group of corrupted credential holders (malicious receivers) from verifying and decrypting a levelbased ciphertext on a message with a levelbased security policy , where these malicious receivers do not have enough credentials to satisfy the security level indicated in . In the second attack model, an attacker has the added power to query for verification of any signature because excepted for the challenge signature, he/she does not have credentials that satisfy the levelbased security policy to verify it by himself/herself.
Before describing the formal definition of these models, some definitions are first defined. is defined as the adaptive chosen plaintext (or ciphertext) and chosen levelbased security policy distinguisher.
3.2.1. Chosen Plaintext Attack (INDCPA)
The signcryption oracle , credential generator oracle , and verification oracle are used to describe the abilities of breaking the chosen plaintext attack in the selectivecredential exposed model . The and oracles are described as follows: : at most times, when a query for the credential corresponding to the arbitrarily chosen security level is issued, responses with the corresponding credentials .(i): at most times, can arbitrarily choose a message and make a query for a ciphertext . responses with the result of the algorithm generating a ciphertext corresponding to a message , , , and .

Formalisation of indistinguishability under the adaptive chosen plaintext attack model of an LBS scheme is described as follows. The experiment that is associated with an adversary of a levelbased signcryption scheme is illustrated in Algorithm 2. has two functions that are stage and stage. Using an adaptive strategy, in the stage, arbitrarily chooses a message and makes queries to the signing oracle and the credential oracle . The query processes are allowed repeatedly according to ’s strategies. outputs two messages , a levelbased security policy and some state information used in the state at the end of the stage. Based on a previously set bit , the experiment runs with a message as an input and outputs a valid levelbased ciphertext . In the second stage (Phase 2), takes as input and outputs a guess bit (1 or 0). Note that still can make queries to the oracle before outputting a guess, and if the following conditions are not satisfied, the experiment will be aborted.(1) never issues a query for a levelbased ciphertext with and as input to the oracle(2)With a restriction that , can only make a request for credentials with a security level to the oracle
Let be the success probability of breaking the indistinguishability under the adaptive chosen plaintext attack in the selectivecredential exposed model of an LBS scheme.
Definition 4. An LBS scheme is secure indistinguishability under a chosen plaintext attack in the selectivecredential exposed model if the PPT distinguisher success in the attack with a nonnegligible (within ) probabilitydoes not exist. Note that runs at most times and makes at most signcryption queries and credential queries.
3.2.2. Chosen Ciphertext Attack (INDCCA)
Before formalising this attack, we first give some definitions and outline the oracles. Let be indistinguishability under a chosen plaintext attack in the selectivecredential exposed model. The signing oracle , credential generator oracle , and unsigncryption oracle are used to describe the abilities of breaking of an LBS scheme. The and oracles have been depicted in Section 3.2.1. The oracle, however, is described as follows.
: with a ciphertext and a levelbased security policy as input, can request up to queries for the decryption and verification of a ciphertext . returns a decisional result that is either regrading the authenticity of ciphertext or a message .

Formalisation of indistinguishability under the adaptive chosen ciphertext attack model of an LBS scheme is described as follows. The experiment in Algorithm 3 depicts an adversary of a levelbased signcryption scheme. There are two functions that are a stage and a stage, which can execute. In the first stage, , with some elastic and pliable strategies, chooses a message and issues a request to the credential queries , the signing queries , and the unsigncryption queries . The query processes are allowed repeatedly according to ’s strategies. outputs two messages , a levelbased security policy , and some state information used in the state at the end of the stage. The experiment runs with a message as an input and outputs a valid levelbased ciphertext . In the stage (Phase 2), takes as input and outputs a guess bit (1 or 0). Note that can still make queries to and oracles before outputting a guess. However, if the following conditions are not satisfied, the experiment will be aborted.(1) never issues a query for a levelbased ciphertext with and or as input to the oracle(2) never issues a query with as input to the oracle(3)With a restriction that , can only make a request for credentials with a security level to the oracle
Let be the success probability of breaking indistinguishability under the adaptive chosen ciphertext attack in the selectivecredential exposed model of an LBS scheme.
Definition 5. An LBS scheme is secure indistinguishability of ciphertext under a chosen ciphertext attack in the selectivecredential exposed model if a distinguisher success in the attack with a nonnegligible (within ) probabilitydoes not exist. Note that runs at most times and makes at most signcryption queries, credential queries, and unsigncryption queries.
4. The LevelBased Signcryption (LBS) Scheme
In this section, we present our concrete construction of the LBS scheme. The scheme is described as follows. : with as the input, randomly selects a prime . select three groups , , and of the prime order . constructs a bilinear mapping function that maps and to . The above mapping function is defined as . Choose a random generator , . Construct a hash function , such that . Finally, the system parameter is composed of . is returned as a response of the queries. : the total security level is denoted by . Given as input, computes a private key and a public key randomly for each security level as follows: choose random integers . Let denote a public key. Then, returns , as the trusted authority’s private key and as the trusted authority’s public key. Note that , , and are the symbols that represent the set of vectors , , and , respectively. : on input of a system parameter and a public key of the trusted authority, randomly generates a private key and a public key as follows: first, choose a random integer . Let . Let be the signer’s private key and be the signer’s public key. At the end, outputs . : denotes a list that contains the generated credentials. A security level of a verifier, for example, ‘D″ or “5” is denoted by . Given , , , and , randomly generates a credential with the following processes. arbitrary chooses . Then, generates a credential at a security level of by computed . stores in and returns as a credential of to the verifier.
: given , , , , and a message , an encryptor computes a ciphertext as follows:
The levelbased ciphertext is . publishes .
: a receiver possesses a credential , where . Given , , , , decrypt as follows:(1)Compute(2)Check whether or not the following equation holds.(3)If the equation in (1) holds, then decrypt the ciphertext as follows.
: in optional privacy, the security policy needs to be set to the lowest level to cover all possible users, since the ciphertext is intended for a single receiver or a group with a shared secret key. Given , , , , , , , and a message , an encryptor who possesses a credential for a security level assertion , where , computes a ciphertext as follows:
The levelbased ciphertext is . publishes .
: a receiver who possesses a credential for a security level assertion , where . Given , , , , decrypts as follows:(1)Compute(2)Check whether or not the following equation holds.(3)If the equation in (1) holds, then decrypt the ciphertext as follows.
Note that , , , , , and are precomputed and can be reused in the signcryption or signcryption process of other signcryption. Hence, only one pairing computation is needed in the unsigncryption algorithm. The optional privacy process has similar computation costs, where the computation of the bilinear paring component in , and can be precomputed once and saved or reused later.
4.1. Completeness
The signcryption and unsigncryption algorithms can be verified its completeness with the following equations.
4.2. Unforgeability
Theorem 1. Under the adaptive chosen message and credential exposure attack model, the levelbased signcryption scheme is existentially unforgeable if and only if the CDH assumption is intact under the random oracle model.
Proof. We start with the assumption that a forger algorithm that can win the existential unforgeability model described in Section 3.1 exists. Using this , we can construct an adversary algorithm to break the CDH problem.
We now begin with the construction of oracles. First, on input , , and as an instance of the CDH problem, runs , sets , and obtains . then runs to obtain ’s publicprivate keys and sets as the signer’s public key . The following algorithms are the construction of queries that are later used in the simulation.
oracle: given a string as input, if it is a request for a hash value of , checks whether or not is in the queried list. If it exists in the list, then return the corresponding value; otherwise, randomly chooses and then returns . Note that keeps in the list, and this list can only be accessed by .
queries: given as input, executes for the credential , where . outputs .
queries: given and a message as input, generated a levelbased signcryption with the following equations.Note that has access to the list via . uses this advantage to update to the list in . then responds with