
Heterogeneous signcryption with proxy re-encryption and its application in EHR systems

Telecommunication Systems

Abstract

Electronic health record (EHR) systems provide the platform for digital documentation of patients' health information. In practice, EHR systems help deliver quality medical care and limit medical errors. However, EHR systems face known technical and security challenges such as interoperability, confidentiality, authentication, auditability, and access control. To address these challenges, we first propose a new heterogeneous signcryption with proxy re-encryption (HSC-PRE) scheme. Second, via an example design, we demonstrate how our scheme can be used to build a secure, interoperable, auditable and accessible EHR system with blockchain technology. The blockchain is used to assure interoperability and auditability, while HSC-PRE assures confidentiality, authentication and access control. Through a comprehensive security analysis in the random oracle model (ROM), we show that the HSC-PRE scheme is secure; it is also efficient in comparison with other recent related schemes.


References

  1. Hsiao, C. J., & Hing, E. (2014). Use and characteristics of electronic health record systems among office-based physician practices: United States, 2001–2013. NCHS Data Brief, no. 143. Hyattsville, MD: National Center for Health Statistics.

  2. Glynn, E. F., & Hoffman, M. A. (2019). Heterogeneity introduced by EHR system implementation in a de-identified data resource from 100 non-affiliated organizations. JAMIA Open, 2(4), 554–561. https://doi.org/10.1093/jamiaopen/ooz035

  3. Premarathne, U., Abuadbba, A., Alabdulatif, A., Khalil, I., Tari, Z., Zomaya, A., & Buyya, R. (2016). Hybrid cryptographic access control for cloud-based EHR systems. IEEE Cloud Computing, 3(4), 58–64. https://doi.org/10.1109/MCC.2016.76

  4. Spagnuelo, D. P. B., & Lenzini, G. (2015). Security on medical data sharing (a literature review). Open repository and bibliography: University of Luxembourg.

  5. ISE. (2018). Securing hospitals: A research study and blueprint. https://www.securityevaluators.com/hospitalhack/securinghospitals.pdf

  6. Yang, H., & Yang, B. (2018). A blockchain-based approach to the secure sharing of healthcare data. Journal of Norwegian University of Science and Technology, 3(4), 1–12.

  7. Azaria, A., Ekblaw, A., Vieira, T., & Lippman, A. (2016). MedRec: Using blockchain for medical data access and permission management. 2nd International Conference on Open and Big Data (OBD).

  8. Li, F., Liu, B., & Hong, J. (2017). An efficient signcryption for data access control in cloud computing. Computing, 99(1). https://doi.org/10.1007/s00607-017-0548-7

  9. Shabisha, P., Braeken, A., Touhafi, A., & Steenhaut, K. (2019). Elliptic curve Qu-Vanstone based signcryption schemes with proxy re-encryption for secure cloud data storage. In M. Zbakh, M. Essaaidi, P. Manneback, & C. Rong (Eds.), Cloud Computing and Big Data: Technologies, Applications and Security (pp. 1–18). Cham: Springer International Publishing.

  10. Ahene, E., Dai, J., Feng, H., & Li, F. (2019). A certificateless signcryption with proxy re-encryption for practical access control in cloud-based reliable smart grid. Telecommunication Systems, 70(4), 491–510.

  11. Li, F., Zhang, H., & Takagi, T. (2013). Efficient signcryption for heterogeneous systems. IEEE Systems Journal, 7(3), 420–429.

  12. Li, F., Han, Y., & Jin, C. (2016). Practical signcryption for secure communication of wireless sensor networks. Wireless Personal Communications, 89(4), 1391–1412.

  13. Omala, A. A., Mbandu, A. S., Mutiria, K. D., Jin, C., & Li, F. (2018). Provably secure heterogeneous access control scheme for wireless body area network. Journal of Medical Systems, 42(6), 108.

  14. Peterson, K., Deeduvanu, R., Kanjamala, P., & Boles, K. (2016). A blockchain based approach to health information exchange networks. Proc. NIST Workshop on Blockchain in Healthcare, 1(1), 1–10.

  15. Krawiec, R. J., Housman, D., White, M., Filipova, M., Quarre, F., Barr, D., et al. (2016). Blockchain: Opportunities for health care. Proc. NIST Workshop on Blockchain in Healthcare, 1(1), 1–16.

  16. Olleros, F. X., & Zhegu, M. (2016). Handbook of research on digital transformations. London: Edward Elgar Publishing.

  17. Liu, P. T. S. (2016). Medical record system using blockchain, big data and tokenization. Proc. 18th Int. Conf. Inf. Commun. Secur. (ICICS), 9977(1), 254–261.

  18. Dennis, R., Owenson, G., & Aziz, B. (2016). A temporal blockchain: A formal analysis. In: 2016 International Conference on Collaboration Technologies and Systems (CTS), 430–437.

  19. Zyskind, G., Nathan, O., & Pentland, A. (2015). Decentralizing privacy: Using blockchain to protect personal data. In: IEEE Security and Privacy Workshops, 180–184.

  20. Xia, Q., Sifah, E. B., Asamoah, K. O., Gao, J., Du, X., & Guizani, M. (2017). MeDShare: Trust-less medical data sharing among cloud service providers via blockchain. IEEE Access, 5(1), 14757–14767.

  21. Preneel, B. (2005). Universal one-way hash functions. In H. C. A. van Tilborg (Ed.), Encyclopedia of Cryptography and Security. Boston, MA: Springer. https://doi.org/10.1007/0-387-23483-7_447

  22. Shi, N. (2016). A new proof-of-work mechanism for bitcoin. Financial Innovation, 2(1), 31.

  23. Ivan, D. (2016). Moving toward a blockchain-based method for the secure storage of patient records. Retrieved April 16, 2021, from https://www.healthit.gov/sites/default/files/9-16-drew_ivan_20160804_blockchain_for_healthcare_final.pdf

  24. Linn, L. A., & Koo, M. B. (2016). Blockchain for health data and its potential use in health IT and health care related research. Retrieved April 16, 2021, from https://www.healthit.gov/sites/default/files/11-74-ablockchainforhealthcare.pdf

  25. Yue, X., Wang, H., Jin, D., Li, M., & Jiang, W. (2016). Healthcare data gateways: Found healthcare intelligence on blockchain with novel privacy risk control. Journal of Medical Systems, 40(10), 1–8.

  26. Blaze, M., Bleumer, G., & Strauss, M. (1998). Divertible protocols and atomic proxy cryptography. International Conference on the Theory and Applications of Cryptographic Techniques, Springer, 127–144.

  27. Ateniese, G., Fu, K., Green, M., & Hohenberger, S. (2006). Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Transactions on Information and System Security (TISSEC), 9(1), 1–30.

  28. Jiang, L., & Guo, D. (2017). Dynamic encrypted data sharing scheme based on conditional proxy broadcast re-encryption for cloud storage. IEEE Access, 5, 13336–13345.

  29. Chu, C. K., Weng, J., Chow, S. S., Zhou, J., & Deng, R. H. (2009). Conditional proxy broadcast re-encryption. Australasian Conference on Information Security and Privacy, Springer, 327–342.

  30. Sun, M., Ge, C., Fang, L., & Wang, J. (2018). A proxy broadcast re-encryption for cloud data sharing. Multimedia Tools and Applications, 77(9), 10455–10469.

  31. Manzoor, A., Liyanage, M., Braeken, A., Kanhere, S. S., & Ylianttila, M. (2018). Blockchain based proxy re-encryption scheme for secure IoT data sharing. In: Proceedings of the 2019 IEEE International Conference on Blockchain and Cryptocurrency.

  32. Panarello, A., Tapas, N., Merlino, G., Longo, F., & Puliafito, A. (2018). Blockchain and IoT integration: A systematic survey. Sensors, 18(8), 2575.

  33. Dagher, G. G., Jordan, M., Matea, M., & Babu, M. P. (2018). Ancile: Privacy-preserving framework for access control and interoperability of electronic health records using blockchain technology. Sustainable Cities and Society, 39, 283–297. https://doi.org/10.1016/j.scs.2018.02.014

  34. Barbosa, M., & Farshim, P. (2008). Certificateless signcryption. Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security, 369–372.

  35. Li, F., Han, Y., & Jin, C. (2016). Practical access control for sensor networks in the context of the internet of things. Computer Communications, 89(90), 154–164.

  36. Boyen, X. (2003). Multipurpose identity-based signcryption: A swiss army knife for identity-based cryptography. Proc. CRYPTO 2003, LNCS, 2729, 383–399.

  37. Pointcheval, D., & Stern, J. (2000). Security arguments for digital signatures and blind signatures. Journal of Cryptology, 13(3), 361–396.

  38. Lynn, B. (2007). PBC library. Retrieved April 5, 2021, from https://crypto.stanford.edu/pbc/

  39. Hamish, I., & Robert, P. (2010). Finding cryptographically strong elliptic curves: A technical report. Retrieved September 26, 2021, from http://www.acrypta.com/telechargements/ell_tech_report_public.pdf

  40. Shim, K. (2012). CPAS: An efficient conditional privacy-preserving authentication scheme for vehicular sensor networks. IEEE Transactions on Vehicular Technology, 61(4), 1874–1883.


Funding

Not applicable.

Author information


Contributions

Emmanuel Ahene conceived the article's idea; Emmanuel Ahene and Gadaafi Abdul-Salaam contributed to the design and simulation of the HSC-PRE scheme; Emmanuel Ahene, Joojo Walker and Rosemary Owusuaa Mensah Gyening were responsible for the theoretical analysis and the proof of the scheme in the random oracle model; Emmanuel Ahene and James Ben Hayfron-Acquah drafted and critically revised the article for intellectual content.

Corresponding author

Correspondence to Emmanuel Ahene.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Ethics approval

Not applicable.

Consent to participate

Not applicable.

Consent for publication

The authors give their consent for the publication of all identifiable details within this manuscript in the Telecommunication Systems journal.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendix


1.1 Proof of Theorem 1

C has access to a DDH oracle and intends to use \(\mathbb {A}\) as a subroutine to solve the GDH problem for a given instance (aP, bP, cP). C interacts with \(\mathbb {A}\) as follows:

  • Setup C sets \(\phi \) = aP, \(Q_B\) = bP and \(P_{pub}\) = sP. C does not know the values a, b \(\in \) \(\mathbb {Z}_q^*\): a plays the role of the ephemeral private key, while b plays the role of the private key linked to the receiver's challenge identity. To answer hash queries consistently, C maintains lists \(L_i\) (\(i = 1,2,3,4,5\)), together with an additional list \(L_6\) for the private and public keys it has returned. C designates \(ID_\ell \) as the challenge identity and hands params, \(\phi \), \(Q_\gamma \), \(P_{pub}\) to \(\mathbb {A}\). We follow the irreflexivity assumption [36] and additionally assume that \(\mathbb {A}\) submits a public key query and a key extraction query on a given identity \(ID_i\) before using that identity in any other query.

  • Phase 1 A counter i is initialized to 1, and C answers \(\mathbb {A}\)'s polynomially bounded queries adaptively:

    • Public key queries \(\mathbb {A}\) queries with \(ID_i\). C searches \(L_6\) for a quintuple (\(ID_i\), \(d_i\), \(R_i\), \(x_i\), \(PK_i\)) and returns (\(R_i\), \(PK_i\)) as the public key if such an entry exists. Otherwise C proceeds as follows:

      1. If \(ID_i\) = \(ID_\ell \), C picks \(\alpha _\ell \), \(x_\ell \) \(\in \) \(\mathbb {Z}_q^*\) at random and sets \(PK_\ell \) = \(x_\ell P\), \(R_\ell \) = bP - \(\alpha _\ell P_{pub}\), where \(\alpha _\ell \) is the value of the \(H_1\) query on (\(ID_\ell \), \(R_\ell \), \(PK_\ell \)). C adds (\(ID_\ell \), \(\perp \), \(R_\ell \), \(x_\ell \), \(PK_\ell \)) to \(L_6\) and (\(ID_\ell \), \(R_\ell \), \(PK_\ell \), \(\alpha _\ell \)) to \(L_1\). Note that bP is part of the GDH instance and that \(\perp \) denotes an unknown value: C does not know the partial private key of \(ID_\ell \).

      2. If \(ID_i\) \(\ne \) \(ID_\ell \), C picks \(\alpha _i\), \(x_i\), \(d_i\) \(\in \) \(\mathbb {Z}_q^*\) at random and sets \(PK_i\) = \(x_iP\), \(R_i\) = \(d_iP\) - \(\alpha _iP_{pub}\), where \(\alpha _i\) is the value of the \(H_1\) query on (\(ID_i\), \(R_i\), \(PK_i\)). C adds (\(ID_i\), \(d_i\), \(R_i\), \(x_i\), \(PK_i\)) to \(L_6\) and (\(ID_i\), \(R_i\), \(PK_i\), \(\alpha _i\)) to \(L_1\).

    • Key extraction queries \(\mathbb {A}\) queries with \(ID_i\). C replies:

      1. If \(ID_i\) = \(ID_\ell \), the private key of \(ID_\ell \) is unknown, so C fails and aborts. C nevertheless picks \(\alpha _\ell \) \(\in \) \(\mathbb {Z}_q^*\) at random and sets \(R_\ell \) = bP - \(\alpha _\ell P_{pub}\), where \(\alpha _\ell \) is the value of the \(H_1\) query on (\(ID_\ell \), \(R_\ell \), \(P_{pub}\)). C adds (\(ID_\ell \), \(\perp \), \(R_\ell \), \(\perp \), \(\perp \)) to \(L_6\) and (\(ID_\ell \), \(R_\ell \), \(P_{pub}\), \(\alpha _\ell \)) to \(L_1\).

      2. If \(ID_i\) \(\ne \) \(ID_\ell \), C picks \(\alpha _i\), \(d_i\) \(\in \) \(\mathbb {Z}_q^*\) at random and sets \(R_i\) = \(d_iP\) - \(\alpha _iP_{pub}\), where \(\alpha _i\) is the value of the \(H_1\) query on (\(ID_i\), \(R_i\), \(P_{pub}\)). C adds (\(ID_i\), \(d_i\), \(R_i\), \(\perp \), \(\perp \)) to \(L_6\) and (\(ID_i\), \(R_i\), \(P_{pub}\), \(\alpha _i\)) to \(L_1\), and sends \(d_i\) to \(\mathbb {A}\).

    • \(H_1\) queries \(\mathbb {A}\) queries with (\(ID_i\), \(R_i\), \(PK_i\)) or (\(ID_i\), \(R_i\), \(P_{pub}\)). C looks up \(L_1\) for (\(ID_i\), \(R_i\), \(PK_i\), \(\alpha _i\)) or (\(ID_i\), \(R_i\), \(P_{pub}\), \(\alpha _i\)) respectively and returns \(\alpha _i\) to \(\mathbb {A}\). If the hash value is not yet defined in \(L_1\), C runs a public key query for (\(ID_i\), \(R_i\), \(PK_i\)) or a key extraction query for (\(ID_i\), \(R_i\), \(P_{pub}\)), and returns the resulting \(\alpha _i\) to \(\mathbb {A}\).

    • \(H_2\) queries \(\mathbb {A}\) queries with (\(ID_i\), \(\phi _i\), \(K_i\), \(PK_i\), \(R_i\)). C looks up \(L_2\) for (\(ID_i\), \(\phi _i\), \(K_i\), \(PK_i\), \(R_i\), \(h_{2}\)) and returns \(h_{2}\) to \(\mathbb {A}\) if the entry exists. Otherwise C picks \(h_{2}\) \(\in \) \(\mathbb {Z}_p^*\) at random, returns it, and adds (\(ID_i\), \(\phi _i\), \(K_i\), \(PK_i\), \(R_i\), \(h_{2}\)) to \(L_2\).

    • \(H_3\) queries \(\mathbb {A}\) queries with (T, K, \(\phi \), \(Q_B\), \(ID_B\)). C replies:

      1. C queries the DDH oracle with (aP, bP, T) \(\in \) \(G^3\). If the oracle returns True, C outputs T and terminates.

      2. C searches \(L_3\) for an entry (\(*\), K, \(\phi \), \(Q_B\), \(ID_B\), Z) with DDH(aP, bP, T) = True (for \(ID_B\) = \(ID_\ell \)). If such an entry exists, C returns Z and replaces \(*\) with T.

      3. Otherwise C picks Z at random, returns it, and adds the input and the returned value to \(L_3\) (initially empty).

    • \(H_4\) queries \(\mathbb {A}\) queries with K. C looks up \(L_4\) for an entry (K, \(h_4\)) and returns \(h_{4}\) to \(\mathbb {A}\) if it exists. Otherwise C picks \(h_{4}\) \(\in \) \(\lbrace 0,1 \rbrace ^n\) at random, returns it, and adds (K, \(h_4\)) to \(L_4\).

    • \(H_5\) queries \(\mathbb {A}\) queries with (\(T_{2_i}\), \(\phi _i\), \(Y_{1_i}\), \(ID_i\)). C looks up \(L_5\) for an entry (\(T_{2_i}\), \(\phi _i\), \(Y_{1_i}\), \(ID_i\), \(\bar{Z}\)) and returns \(\bar{Z}\) to \(\mathbb {A}\) if it exists. Otherwise C picks \(\bar{Z}\) \(\in \) \(\mathbb {Z}_q^{*}\) at random, returns it, and adds (\(T_{2_i}\), \(\phi _i\), \(Y_{1_i}\), \(ID_i\), \(\bar{Z}\)) to \(L_5\).

    • Partial private key queries \(\mathbb {A}\) queries with \(ID_i\). C replies:

      1. If \(ID_i\) = \(ID_\ell \), C terminates.

      2. Otherwise \(ID_i\) \(\ne \) \(ID_\ell \), and C retrieves \(d_i\) from \(L_6\).

    • Public key replacement queries \(\mathbb {A}\) queries with \(ID_i\) and a valid replacement public key. C updates \(L_6\) with (\(ID_i\), \(\perp \), \(\perp \), \(R_i\), \(PK_i\)); C uses the new value in all subsequent computations.

    • Private key queries \(\mathbb {A}\) queries with \(ID_i\). C searches \(L_6\) and returns the private key (\(x_i\), \(d_i\)) if \(ID_i\) \(\ne \) \(ID_\ell \); otherwise, if \(ID_i\) = \(ID_\ell \), C aborts.

    • Proxy key generation queries \(\mathbb {A}\) queries with two identities (\(ID_i\), \(ID_j\)). To reply, C first runs a key extraction query on \(ID_i\) to obtain \(d_i\), then a public key query on \(ID_i\) to obtain \(PK_i\), picks \(h_2\), w \(\in \) \(\mathbb {Z}_q^*\), and sets \(\phi \) = wP - \(h_2\)(\(PK_i + Q_i\)) and T = \(d_i\phi \). C then calls the \(H_3\) query to obtain Z, calls the \(H_1\) query on (\(ID_j\), \(R_j\), \(P_{pub}\)) to obtain \(h_j\), sets \(Q_j\) = \(R_j\) + \(h_jP_{pub}\) and returns \(K_{ij}\) = (Z, \(Q_j\)) as the answer. Note that C fails whenever i = \(\ell \).

    • Signcryption queries Let \(ID_A\) be the sender identity, \(ID_B\) the receiver identity and m the message to be signcrypted. When \(\mathbb {A}\) queries with (m, \(ID_A\), \(ID_B\)), C replies:

      1. If \(ID_A\) \(\ne \) \(ID_\ell \), C can obtain the private key \(s_A\) and therefore answers \(\mathbb {A}\) with \(\sigma _{AB}\) computed by algorithm SC.

      2. If \(ID_A\) = \(ID_\ell \), C runs a public key query on \(ID_\ell \), picks w, \(h_2\) \(\in \) \(\mathbb {Z}_q^*\) and \(K \in G_1\) at random, and computes \(\phi \) = aP = wP - \(h_2\)(\(PK_A + Q_A\)). Next, C takes \(d_B\) from \(L_6\), or runs a key extraction query on \(ID_B\) if \(d_B\) is not yet defined in \(L_6\), computes T = \(d_B\phi \), defines \(H_3\)(T, K, \(\phi \), \(Q_B\), \(ID_B\)) as Z and computes \(C_1\) = Z + K. C then obtains \(h_4\) from the \(H_4\) query on K, computes \(C_2\) = \(m \oplus h_4\) and returns \(\sigma _{AB}\) = (\(\phi \), \(C_1\), \(C_2\), w) to \(\mathbb {A}\). The key extraction query on \(ID_B\) is permitted by the irreflexivity assumption [36]. C fails if either or both of the hash values (\(h_2\), Z) were already defined.

    • Re-encryption queries \(\mathbb {A}\) queries with (\(\sigma _{AB}\), \(ID_A\), \(ID_B\), \(ID_C\)). C replies:

      1. If \(ID_B\) \(\ne \) \(ID_\ell \), C answers \(\mathbb {A}\) with \(\sigma _{AC}\) computed by algorithm RE-Enc, since it can obtain the proxy key \(K_{BC}\) via a proxy key generation query on (\(ID_B\), \(ID_C\)).

      2. If \(ID_B\) = \(ID_\ell \), C runs a public key query on \(ID_A\), picks w, \(r_2\), \(h_2\) \(\in \) \(\mathbb {Z}_q^*\) at random and computes \(\phi \) = wP - \(h_2\)(\(PK_A + Q_A\)). Next, C runs a key extraction query on \(ID_C\) to obtain \(d_C\), which the irreflexivity assumption [36] permits. C then sets \(Y_1\) = \(r_2P\) and \(T_2\) = \(d_CY_1\), takes Z from the \(H_3\) query on (T, K, \(\phi \), \(Q_B\), \(ID_B\)) and \(\bar{Z}\) from the \(H_5\) query on (\(T_2\), \(\phi \), \(Y_1\), \(ID_A\)), sets \(Y_2\) = \(-Z\) - \(\bar{Z}\), and computes V = \(Q_C\) + \(Y_1\) and \(C_1^{'}\) = \(C_1 + Y_2\). Finally, C returns \(\sigma _{AC}\) = (\(\phi \), \(C_1^{'}\), \(C_2\), V, w) to \(\mathbb {A}\).

  • Unsigncryption queries \(\mathbb {A}\) queries with a ciphertext (\(\sigma _{AB}\) = (\(\phi \), \(C_1\), \(C_2\), w), \(ID_A\), \(ID_B\)). C runs a public key query on \(ID_A\) and a key extraction query on \(ID_B\), then proceeds as follows:

    1. If \(ID_B\) \(\ne \) \(ID_\ell \), C can obtain the private key \(d_{B}\) via the key extraction query on \(ID_B\), so it answers \(\mathbb {A}\) with m computed by algorithm USC.

    2. If \(ID_B\) = \(ID_\ell \), \(d_B\) is unknown. Following algorithm USC, C searches \(L_3\) for an entry (T, K, \(\phi \), \(Q_B\), \(ID_B\), Z) whose T makes the DDH oracle return True on (aP, bP, T). If such an entry exists, C retrieves T and Z, computes K = \(C_1\) - Z, obtains \(h_2\) from the \(H_2\) query on (\(ID_A\), \(\phi \), K, \(PK_A\), \(R_A\)) and checks whether wP = \(\phi \) + \(h_2(PK_A + Q_A)\) holds. If it does, C obtains \(h_4\) from the \(H_4(K)\) query, derives m = \(h_4\) \(\oplus \) \(C_2\) and returns it to \(\mathbb {A}\); otherwise it outputs \(\perp \), signifying an invalid ciphertext.

    3. If no such entry exists, C picks Z \(\in \) \(\mathbb {Z}_q^*\) at random and inserts (\(*\), K, \(\phi \), \(Q_B\), \(ID_B\), Z) into \(L_3\) for the still unknown T \(\in \) \(G_1\). It computes K = \(C_1\) - Z and adds (\(ID_A\), \(\phi \), K, \(PK_A\), \(R_A\)) with a random \(h_2\) \(\in \) \(\mathbb {Z}_q^*\) to \(L_2\). C then checks whether wP = \(\phi \) + \(h_2(PK_A + Q_A)\) holds. If it does, C obtains \(h_4\) from the \(H_4(K)\) query and returns m = \(h_4\) \(\oplus \) \(C_2\) to \(\mathbb {A}\); otherwise it outputs \(\perp \), signifying an invalid ciphertext. Here \(*\) is linked to the receiver identity \(ID_B\). C fails if either or both of the hash values defined in steps 2 and 3 were already defined.

  • Decryption queries \(\mathbb {A}\) queries with a ciphertext (\(\sigma _{AC}\) = (\(\phi \), \(C_1^{'}\), \(C_2\), V, w), \(ID_A\), \(ID_B\), \(ID_C\)). C runs a public key query on \(ID_A\) and proceeds as follows:

    1. If \(ID_C\) \(\ne \) \(ID_\ell \), C can obtain the private key \(d_{C}\) via a key extraction query on \(ID_C\), so it answers \(\mathbb {A}\) with m computed by algorithm DEC.

    2. If \(ID_C\) = \(ID_\ell \), \(d_C\) is unknown. Following algorithm DEC, C computes \(Y_1\) = V - \(Q_C\) and scans \(L_5\) for entries (\(T_{2_\tau }\), \(Y_{1_\tau }\), \(\phi \), \(ID_A\), \(\bar{Z}_\tau \)) indexed by \(\tau \) \(\in \) \(\lbrace 1,...,q_{H_5}\rbrace \). If \(Y_1 \ne \) \(Y_{1_\tau }\), C moves to the next element of \(L_5\). Otherwise C computes K = \(C_1^{'}\) + \(\bar{Z}_\tau \), sets \(h_2\) = \(H_2\)(\(ID_A\), \(\phi \), K, \(PK_A\), \(R_A\)) and checks whether wP = \(\phi \) + \(h_2(PK_A + Q_A)\) holds. If it does, C obtains \(h_4\) from the \(H_4(K)\) query and returns m = \(h_4\) \(\oplus \) \(C_2\) to \(\mathbb {A}\); otherwise C moves to the next element of \(L_5\). If the search through \(L_5\) yields no message, C returns \(\perp \).

  • Challenge \(\mathbb {A}\) picks two identities \(ID_A^{*}\) and \(ID_B^{*}\), together with two messages \(m_0\) and \(m_1\) (\(|m_0|\) = \(|m_1|\)) on which it wishes to be challenged. If \(ID_B^{*}\) \(\ne \) \(ID_\ell \), C aborts. Otherwise, C picks \(w^*\), \(h_2^*\) \(\in \) \(\mathbb {Z}_q^*\), \(Z^*\), \(K^*\) \(\in G_1\) and \(\beta \) \(\in \) \(\lbrace 0,1 \rbrace \), sets \(\phi ^{*}\) = aP = \(w^*P\) - \(h_2^*\)(\(PK_A^* + Q_A^*\)) and \(C_1^*\) = \(Z^*\) + \(K^*\), defines \(H_4(K^*)\) as \(h_4^*\) and computes \(C_2^*\) = \(m_\beta ^{*}\) \(\oplus \) \(h_4^*\). C returns \(\sigma _{AB}^*\) = (\(\phi ^*\), \(C_1^*\), \(C_2^*\), \(w^*\)) to \(\mathbb {A}\).

  • Phase 2 \(\mathbb {A}\) adaptively issues a polynomially bounded sequence of queries as in Phase 1, subject only to the constraints of the IND-CCA2 game. C responds as in Phase 1.

  • Guess \(\mathbb {A}\) outputs a guess \(\beta ^{'}\), which C ignores. \(\mathbb {A}\) can only guess correctly if \(L_3\) contains an entry (\(T^*\), \(K^*\), \(\phi ^*\), \(Q_B^*\), \(ID_B^*\)) with \(T^*\) = abP. Such a T in \(L_3\) is therefore an answer to the GDH instance, and we assert that it occurs with probability \(1/q_{H_1}\).

Analysis We evaluate the probability of C's success via the following independent events:

  • \(E_1\) - \(\mathbb {A}\) does not choose to be challenged on \(ID_\ell \).

  • \(E_2\) - \(\mathbb {A}\) queries with \(ID_\ell \) for the private key.

  • \(E_3\) - \(\mathbb {A}\) queries with \(ID_\ell \) for the partial private key.

  • \(E_4\) - \(\mathbb {A}\) queries with (\(ID_\ell \), \(ID_j\)) for a proxy key.

  • \(E_5\) - During a signcryption query, C aborts because of a collision on \(H_2\) or \(H_3\).

  • \(E_6\) - During an unsigncryption query, C aborts because it may reject a valid ciphertext at some stage of the simulation.

We have Pr[\(\lnot E_1\)] = \(1/q_{H_1}\), Pr[\(\lnot E_5\)] = \(1 - q_{s}(q_{H_2}+q_{H_3})/2^\lambda \) and Pr[\(\lnot E_6\)] = \(1-q_{u}/2^\lambda \). Note that \(\lnot E_1\) implies \(\lnot E_2\), \(\lnot E_3\) and \(\lnot E_4\). The probability that C does not abort the game is

$$\begin{aligned} \Pr [\lnot E_1 \wedge \lnot E_5 \wedge \lnot E_6] = \bigg (\frac{1}{q_{H_1}}\bigg )\bigg (1 - \frac{q_{s}(q_{H_2}+q_{H_3})}{2^\lambda }\bigg )\bigg (1-\frac{q_{u}}{2^\lambda }\bigg ) \end{aligned}$$

The probability that a value T picked at random from \(L_3\) is the solution of the GDH problem is \(1/q_{H_1}\). Thus

$$\begin{aligned} \Pr [C] = \bigg (\frac{\epsilon }{q_{H_1}^2}\bigg )\bigg (1 - \frac{q_{s}(q_{H_2}+q_{H_3})}{2^\lambda }\bigg )\bigg (1-\frac{q_{u}}{2^\lambda }\bigg ) \end{aligned}$$

in time \(t^{\prime }\) \(\leqslant \) t + O(\(q_{pk}\) + \(q_s\) + \(q_e\) + \(q_u\) + \(q_d\)).

Proof of Lemma 1

C interacts with \(F_{I}\) as follows:

  • Setup C runs algorithm Setup and gives params, \(Q_A\) = bP and \(P_{pub}\) to \(F_{I}\). Here \(b \in \mathbb {Z}_q^*\) plays the role of the sender's partial private key. C intends to use \(F_{I}\) to solve the ECDL problem for the instance \(Q_A\) = bP.

  • Attack All hash queries are answered as in Theorem 1, except \(H_3\):

    1. \(H_3\) queries \(F_{I}\) queries with (\(T_{i}\), \(K_i\), \(\phi _i\), \(Q_{i}\), \(ID_i\)). C looks up \(L_3\) for (\(T_{i}\), \(K_i\), \(\phi _i\), \(Q_{i}\), \(ID_i\), Z) and returns Z to \(F_{I}\) if the entry exists. Otherwise C picks Z \(\in \) \(\mathbb {Z}_q^{*}\) at random, returns it, and adds (\(T_{i}\), \(K_i\), \(\phi _i\), \(Q_{i}\), \(ID_i\), Z) to \(L_3\).

  • Forgery \(F_{I}\) outputs (\(ID_A^*\), \(ID_B^*\), \(\sigma _{AB}^*\)) with \(\sigma _{AB}^*\) = (\(\phi ^*\), \(C_1^*\), \(C_2^*\), \(w^*\)), where \(F_{I}\) has not queried the private key of \(ID_A^*\). If \(ID_A^*\) \(\ne \) \(ID_\ell \), C aborts. Otherwise, \(F_{I}\) queries \(H_3\) with (\(T^*=d_B\phi ^*\), \(K_i^*\), \(\phi _i^*\), \(Q_B^*\), \(ID_B^*\)) to obtain \(Z^*\), computes \(K^*\) = \(C_1^* - Z^*\) and queries \(H_2\) with (\(ID_A^*\), \(\phi ^*\), \(K^*\), \(PK_A^*\), \(R_A^*\)) to obtain \(h_2^*\). \(F_{I}\) fails if either or both of the hash values (Z, \(h_2\)) were already defined. The validity of the ciphertext \(\sigma _{AB}^*\) therefore determines whether \(F_{I}\) wins the game: \(F_{I}\) wins when equation 1 holds.

    $$\begin{aligned} w^*P = \phi ^* + h_2^*(PK_A^* + Q_A^*) \end{aligned}$$
    (1)

    Following the forking lemma [37], replaying \(F_{I}\) with a different \(H_2\) answer \(h_2\) on the same \(\phi ^*\) yields a second forgery, which gives equation 2.

    $$\begin{aligned} wP = \phi ^* + h_2(PK_A^* + Q_A^*) \end{aligned}$$
    (2)

    Subtracting equation 2 from equation 1 gives

    $$\begin{aligned} \frac{(w^* - w)P}{h_2^*-h_2}= (x_A + b)P \end{aligned}$$
    (3)

    From equation 3 we obtain b as

    $$\begin{aligned} b = \frac{(w^* - w)}{h_2^*-h_2} - x_A \end{aligned}$$
    (4)

    In summary, b is a solution to the ECDL problem, i.e., C can use \(F_{I}\) as a subroutine to derive b from \(Q_A\) = bP. Note that C obtains \(x_A\) from the public key query on \(ID_A\).
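As an added worked example (not part of the paper and not the authors' code), the following Python script makes two mechanics of these proofs concrete: the list-backed random oracle that the simulator C keeps for \(H_2\) (the \(L_2\) list of Phase 1 in the proof of Theorem 1), and the forking-lemma extraction of equations 1 to 4 above, in which two forgeries sharing the same \(\phi ^*\) but answered with different \(H_2\) values \(h_2^*\) and \(h_2\) yield b = \((w^* - w)/(h_2^* - h_2) - x_A\). It assumes a toy stand-in for the curve group \(G_1\): the order-q subgroup of \(\mathbb {Z}_p^*\) with p = 2q + 1 and q = 1019, so that the paper's additive notation aP becomes modular exponentiation. The identity string, the use of \(Q_A\) in the \(R_A\) slot of the \(H_2\) input, the session element K, and all parameter sizes are assumptions made for illustration only.

```python
import secrets

# Toy group standing in for the paper's curve group G_1 (assumption, not from
# the paper): the order-q subgroup of Z_p^* with p = 2q + 1. The additive
# notation kP becomes pow(G, k, P). These parameters are far too small for any
# real use; they only make the algebra of the reduction visible.
Q = 1019            # prime group order q
P = 2 * Q + 1       # p = 2039, also prime
G = 4               # a quadratic residue mod p, hence of order q (plays P)


def smul(k, X=G):
    """Scalar multiplication k*X, written X**k mod p in this group."""
    return pow(X, k % Q, P)


def padd(X, Y):
    """Point addition X + Y, written X*Y mod p in this group."""
    return (X * Y) % P


def rand_zq():
    """Uniform element of Z_q^*."""
    return 1 + secrets.randbelow(Q - 1)


class H2Oracle:
    """Random oracle H_2 as the simulator keeps it: each answer is drawn at
    random on first use and stored in the list L_2 so repeated queries stay
    consistent; program() re-answers one query when the reduction forks."""

    def __init__(self):
        self.L2 = {}

    def query(self, ID, phi, K, PK, R):
        key = (ID, phi, K, PK, R)
        if key not in self.L2:
            self.L2[key] = rand_zq()
        return self.L2[key]

    def program(self, ID, phi, K, PK, R, h2):
        self.L2[(ID, phi, K, PK, R)] = h2


def keygen():
    """Sender keys: secret value x_A, partial private key d_A, and the public
    PK_A = x_A P, Q_A = d_A P. In Lemma 1, d_A is the ECDL unknown b."""
    x, d = rand_zq(), rand_zq()
    return x, d, smul(x), smul(d)


def sign(oracle, ID, x, d, PK, QA, K, r):
    """Signature part of SC: phi = rP, h2 = H_2(ID, phi, K, PK_A, R_A) and
    w = r + h2 (x_A + d_A), i.e. phi = wP - h2 (PK_A + Q_A) solved for w.
    Q_A stands in for R_A in the oracle input (assumption)."""
    phi = smul(r)
    h2 = oracle.query(ID, phi, K, PK, QA)
    w = (r + h2 * (x + d)) % Q
    return phi, w, h2


def verify(oracle, ID, PK, QA, K, phi, w):
    """Equation (1): w P == phi + h2 (PK_A + Q_A)."""
    h2 = oracle.query(ID, phi, K, PK, QA)
    return smul(w) == padd(phi, smul(h2, padd(PK, QA)))


def extract_b(w_star, h2_star, w, h2, x):
    """Equations (3) and (4): two valid signatures on the same phi with
    different H_2 answers give (w* - w)/(h2* - h2) = x_A + b, hence b."""
    if (h2_star - h2) % Q == 0:
        raise ValueError("fork did not change h2; nothing to extract")
    inv = pow((h2_star - h2) % Q, -1, Q)
    return ((w_star - w) * inv - x) % Q


def forking_demo(ID="ID_A"):
    """Run the forger (here an honest signer) twice on the same random tape r,
    rewinding H_2 at the fork point, and recover d_A from the two outputs."""
    x, d, PK, QA = keygen()
    oracle = H2Oracle()
    K = smul(rand_zq())            # session element K, constructed at random
    r = rand_zq()                  # fixed across both runs, as in the rewind
    phi, w1, h2_1 = sign(oracle, ID, x, d, PK, QA, K, r)
    assert verify(oracle, ID, PK, QA, K, phi, w1)
    h2_2 = rand_zq()
    while h2_2 == h2_1:            # the fork must answer H_2 differently
        h2_2 = rand_zq()
    oracle.program(ID, phi, K, PK, QA, h2_2)
    phi2, w2, _ = sign(oracle, ID, x, d, PK, QA, K, r)
    assert phi2 == phi and verify(oracle, ID, PK, QA, K, phi2, w2)
    b = extract_b(w2, h2_2, w1, h2_1, x)
    return b == d and smul(b) == QA   # the ECDL instance Q_A = bP is solved


if __name__ == "__main__":
    print("recovered b equals d_A:", forking_demo())
```

The same algebra is the practical caveat behind this signature form: the reduction recovers b only because both runs share the randomness r behind \(\phi \). An implementation that ever reuses r for two different \(H_2\) challenges hands a verifier the same two equations, so r must be fresh (or derived deterministically from the private key and the message) on every signcryption.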

Analysis We evaluate the probability of C's success via the following independent events:

  • \(E_1\) - \(F_{I}\) does not choose to be challenged on \(ID_\ell \).

  • \(E_2\) - \(F_{I}\) queries with \(ID_\ell \) for the private key.

  • \(E_3\) - \(F_{I}\) queries with \(ID_\ell \) for public key replacement and for the partial private key.

  • \(E_4\) - During an unsigncryption query, C aborts because it may reject a valid ciphertext at some stage of the simulation.

We have Pr[\(\lnot E_1\)] = \(1/q_{H_1}\) and Pr[\(\lnot E_4\)] = \(1 - q_{u}(q_{H_2}+q_{H_3})/2^\lambda \). Note that \(\lnot E_1\) implies \(\lnot E_2\) and \(\lnot E_3\). The probability that C does not abort the game is

$$\begin{aligned} \Pr [\lnot E_1 \wedge \lnot E_4] = \bigg (\frac{1}{q_{H_1}}\bigg )\bigg (1 - \frac{q_{u}(q_{H_2}+q_{H_3})}{2^\lambda }\bigg ) \end{aligned}$$

Hence,

$$\begin{aligned} \Pr [C] = \bigg (\frac{\epsilon }{q_{H_1}^2}\bigg )\bigg (1 - \frac{q_{u}(q_{H_2}+q_{H_3})}{2^\lambda }\bigg ) \end{aligned}$$

in time \(t^{\prime }\) \(\leqslant \) t + O(\(q_{pk}\) + \(q_s\) + \(q_e\) + \(q_u\) + \(q_d\)).

Proof of Lemma 2

We explain how C uses \(F_{II}\) as a subroutine to solve an instance (P, \(\mu P\)) of the ECDL problem. The proof follows Lemma 1, except for the answers to \(H_1\), \(H_3\) and public key queries. Since \(F_{II}\) holds the master secret key, it can derive partial private keys, and hence the private keys of receivers. C gives \(F_{II}\) params, PK = \(\mu P\), \(\eta \) and \(P_{pub}\) = \(\eta P\). Here \(\mu \) plays the role of the sender's secret value, which is unknown to C, and \(\eta \) is the master secret key. \(PK^*\), derived from the secret value, is the challenge public key.

  • Attack The query-response behaviour of the following oracles is:

    • Public key queries \(F_{II}\) queries with \(ID_i\) for a public key. C searches \(L_6\) for an entry (\(ID_i\), \(d_i\), \(R_i\), \(x_i\), \(PK_i\)) and, if found, outputs (\(R_i\), \(PK_i\)). Otherwise C replies:

      1. If \(ID_i\) = \(ID_\ell \), C picks \(\alpha _\ell \), \(r_t\) \(\in \) \(\mathbb {Z}_q^*\) at random, where \(\alpha _\ell \) is the hash value defined for \(H_1\)(\(ID_\ell \), \(R_\ell \), \(P_{pub}\)), and sets \(d_\ell \) = \(r_t\) + \(\alpha _\ell \eta \) (mod q), \(R_\ell \) = \(r_t P\) and public key \(PK_\ell \) = (\(\mu P\), \(R_\ell \)). Here C uses \(\mu P\) as the ECDL instance. C inserts (\(ID_\ell \), \(d_\ell \), \(R_\ell \), \(\perp \), \(PK_\ell \)) into \(L_6\) and (\(ID_\ell \), \(R_\ell \), \(PK_\ell \), \(\alpha _\ell \)) into \(L_1\), and returns (\(R_\ell \), \(PK_\ell \)) to \(F_{II}\).

      2. If \(ID_i\) \(\ne \) \(ID_\ell \), C picks \(\alpha _i\), \(x_i\), \(r_i\) \(\in \) \(\mathbb {Z}_q^*\) at random and sets \(PK_i\) = \(x_iP\), \(R_i\) = \(r_iP\) and \(d_i\) = \(r_i\) + \(\alpha _i \eta \) (mod q), where \(\alpha _i\) is the hash value defined for \(H_1\)(\(ID_i\), \(R_i\), \(P_{pub}\)). C inserts (\(ID_i\), \(d_i\), \(R_i\), \(x_i\), \(PK_i\)) into \(L_6\) and (\(ID_i\), \(R_i\), \(PK_i\), \(\alpha _i\)) into \(L_1\), and returns (\(R_i\), \(PK_i\)) to \(F_{II}\).

    • \(H_3\) queries \(F_{II}\) queries with (\(T_{i}\), \(K_i\), \(\phi _i\), \(Q_{i}\), \(ID_i\)). C looks up \(L_3\) for (\(T_{i}\), \(K_i\), \(\phi _i\), \(Q_{i}\), \(ID_i\), Z) and returns Z to \(F_{II}\) if the entry exists. Otherwise C picks Z \(\in \) \(\mathbb {Z}_q^{*}\) at random, returns it, and adds (\(T_{i}\), \(K_i\), \(\phi _i\), \(Q_{i}\), \(ID_i\), Z) to \(L_3\).

    • Private key queries \(F_{II}\) queries with \(ID_i\). C searches \(L_6\) and outputs the private key (\(x_i\), \(d_i\)) if \(ID_i\) \(\ne \) \(ID_\ell \); otherwise, if \(ID_i\) = \(ID_\ell \), C aborts.

  • Forgery \(F_{II}\) outputs (\(ID_A^{*}\), \(ID_B^{*}\), \(\sigma _{AB}^{*}\)) with \(\sigma _{AB}^{*}\) = (\(\phi ^{*}\), \(C_1^{*}\), \(C_2^{*}\), \(w^{*}\)), which was not obtained from a signcryption query, and \(F_{II}\) has not queried the sender's private key for \(ID_A^{*}\). If \(ID_A^{*}\) \(\ne \) \(ID_\ell \), C aborts. Otherwise, \(F_{II}\) queries \(H_3\) with (\(T^{*}=d_B\phi ^{*}\), \(K_i^*\), \(\phi _i^*\), \(Q_B^{*}\), \(ID_B^{*}\)) to obtain \(Z^{*}\), computes \(K^{*}\) = \(C_1^{*} - Z^{*}\) and queries \(H_2\) with (\(ID_A^{*}\), \(\phi ^{*}\), \(K^{*}\), \(PK_A^{*}\), \(R_A^{*}\)) to obtain \(h_2^{*}\). \(F_{II}\) fails if either or both of the hash values (Z, \(h_2\)) were already defined. The validity of the ciphertext \(\sigma _{AB}^{*}\) therefore determines whether \(F_{II}\) wins the game: \(F_{II}\) wins when equation 1 holds.

Analysis We evaluate the probability of the following independent events:

  • \(E_1\) - \(F_{II}\) does not choose to be challenged on \(ID_\ell \).

  • \(E_2\) - \(F_{II}\) queries with \(ID_\ell \) for the private key.

  • \(E_3\) - During an unsigncryption query, C aborts because it may reject a valid ciphertext at some stage of the simulation.

For brevity, we omit the analysis of C's success probability, since it is analogous to the Analysis in Lemma 1.


Cite this article

Ahene, E., Walker, J., Gyening, Rm.O.M. et al. Heterogeneous signcryption with proxy re-encryption and its application in EHR systems. Telecommun Syst 80, 59–75 (2022). https://doi.org/10.1007/s11235-022-00886-2
