Multi-message multi-receiver signcryption scheme based on blockchain

1.   Introduction

In the era of resource sharing and information exchange, it is common for a single user to send messages to multiple users. However, these messages are often different, and this type of communication is referred to as multi-message multi-receiver communication. Multi-message multi-receiver signcryption is a technique designed to achieve secure multicast communication, allowing a sender to simultaneously transmit identical messages to multiple recipients^[1]. In contrast to traditional one-to-one communication methods^[2], multi-receiver signcryption not only enhances computational efficiency, but also addresses the issue of receivers receiving inconsistent messages due to intentional deception or transmission errors. Widely regarded as a highly promising approach, multi-receiver encryption enables secure one-to-many communication and finds applications in various domains, including remote education, cloud data sharing and network conferences^[3]. In recent years, scholars have proposed solutions that combine machine learning algorithms for processing large amounts of data and parallel computing^[4,5]. By selecting appropriate machine learning algorithms and data analysis routines, computational efficiency can be significantly improved. However, in the research on multi-message multi-receiver communication data, how to enhance communication quality and adapt to the requirements of high-speed information transmission remains an important issue.

In multi-party communications, information security issues, such as confidentiality and integrity during transmission , need to be considered. Typically, cryptographic techniques are used to maintain these two properties. In the course of this research, the first two approaches to combining encryption and digital signature technology were signing before encryption and encrypting before signing. Subsequently, a complete cryptographic scheme was proposed by combining encryption with digital signature technology. Unfortunately, such schemes have relatively low efficiency in practice. Based on the aforementioned research, a new primitive called signcryption^[6] was proposed in 1997. It can complete signing and encryption in a single logical step, thereby improving the efficiency of message processing. Recently, the integration of signatures with various cryptographic systems such as Public Key Infrastructure (PKI)^[7], Identity-Based Cryptograph (IBC)^[8] and Certificateless Cryptograph (CLC)^[9] has seen significant advancements. References [10,11,12] are all signcryption schemes proposed based on CLC. Liu et al.^[13] proposed the first certificateless signcryption scheme based on RSA. They designed an efficient data access control scheme for Wireless body area networks using the proposed signcryption scheme. Zhang et al.^[14] proposed a certificateless signcryption scheme where they employed a pseudonym mechanism to address privacy protection issues in Vehicular Sensor Networks. They proposed a self-generation mechanism for vehicle pseudonyms and their corresponding keys, eliminating the need for additional tamper-resistant devices. Reference [15] proposed a signcryption scheme based on cloud storage. Notably, they introduced a security model for the non-transferability and sender identity privacy of the signcryption scheme, which is a first in the field. They also provided concrete simulation proofs to support their proposed model. However, a practical challenge arises when considering existing CLC, where the KGC utilizes system master key information to facilitate the generation of user-specific public and private key information. This raises concerns regarding the security of the KGC. Wang et al.^[16] have proposed the existence of an Advanced Persistent Threat (APT) attack on the KGC, wherein an attacker persistently targets the KGC with the goal of obtaining the system master key. Such an attack directly jeopardizes the security of the certificateless signcryption system. Additionally, apart from external attacks like APT on the KGC, there are inherent security issues associated with the KGC itself. According to the security model presented by Zhang et al. ^[17], the most formidable type of attacker is a malicious and active KGC. Although it may not replace the signer's public key information, this attacker can introduce trapdoor information during the system initialization phase, thereby adapting the system parameters in a computationally indistinguishable manner to undermine the system's security. To mitigate this potential security problem within the KGC, two approaches are commonly employed. First, enhancing the security of the algorithm itself is crucial to break existing linear relationships. Such attacks often exploit linear relationships present in the scheme's design, enabling a malicious KGC to manipulate certain controlled parameters and bypass the user's secret value, ultimately leading to the forgery of ciphertext information. Second, leveraging the tamper-evident nature of blockchain technology proves beneficial in preventing these security issues. By uploading the system parameters of the uncertificated signature system onto the blockchain^[18], the integrity of the data can be maintained since the blockchain is resistant to tampering and modifications once the data has been uploaded.

In order to avoid the occurrence of the strongest type of attacker attacks, this research proposes a certificateless multi-message multi-receiver signcryption scheme based on blockchain (CMMSB). CMMSB incorporates traditional cryptography and elliptic curve technology to establish a secure and trustworthy KGC, which generates system-related parameters through a smart contract and publicly stores all parameters except the system master key on the blockchain ^[19,20,21]. Additionally, the smart contract serves as the KGC and generates an encrypted partial private key for users upon their request, effectively addressing the security channel issue present in traditional schemes. Furthermore, the combination of on-chain and off-chain approaches enhances both the security and efficiency of the system. The proposed scheme is proven to be confidential and unforgeable based on the complexity of the Discrete Logarithm (DL) and Computational Diffie-Hellman (CDH) difficulty problems under the random oracle model. It also demonstrates resilience against Distributed Denial of Service (DDoS) attacks and MITM attacks, while possessing security attributes such as key escrow security and non-repudiation. Compared to existing approaches, the CMMSB scheme offers several notable advantages.

$1)$ In the proposed certificateless cryptographic scheme, the responsibilities of the traditional KGC are transferred to a smart contract on the blockchain. Key generation and management is decentralized across multiple nodes in the network. This eliminates the vulnerability of the second-class attacks present in traditional certificateless cryptographic schemes and makes the system more robust and secure.

$2)$By inputting a security parameter, the smart contract administers the generation of system-related parameters for the certificateless cryptographic system. To ensure system security, the smart contract securely stores these parameters on the blockchain while maintaining the tamper-evident nature of the technology.

$3)$Smart contracts are automatically executed and follow predefined logic and rules. Using smart contracts to replace traditional KGC, it means that there is no need for human intervention or reliance on third parties to perform key generation-related operations. This reduces the potential risks of errors and improper behavior.

$4)$ In order to address the issue of user identity leakage in blockchain-based solutions, we leverage traditional encryption techniques and elliptic curve technology to achieve user identity concealment. By employing this approach, blockchain nodes can generate the corresponding portion of a user's private key while ensuring the concealment of their identity. This solution effectively mitigates the risk of user identity exposure inherent in existing blockchain-based approaches. In this scheme, users encrypt their identity using a combination of their chosen private key and the master public key of the system. This process serves to safeguard their privacy, minimize the potential for hidden channel exposure and enhance communication concealment.

$5)$ During the phase of partial private key generation, the smart contract functions as the KGC and generates an encrypted partial private key. Importantly, even if a third-party attacker manages to acquire the partial private key, they are unable to exploit it for malicious purposes. Only the rightful owner, i.e., the corresponding user, possesses the capability to utilize the partial private key to derive the correct private key.

$6)$ Theoretical analysis confirms that the CMMSB scheme accomplishes secure communication with unforgeability and confidentiality, while imposing no additional communication overhead or computation time overhead. In comparison to similar schemes, the proposed scheme in this research achieves secure communication with unforgeability and confidentiality, demonstrates a shorter ciphertext length and offers notable advantages in terms of communication overhead and time overhead.

Section 2 of this paper introduces the current state of the art of certificateless signing and encryption. Section 3 introduces the basics of this paper, including the hard problem, system model and security model. Section 4 presents the multi-message multi-receiver signing scheme designed in this paper. Section 5 gives a proof of the security of the proposed scheme. Section 6 analyses the security features and performance of the scheme. Finally, the paper concludes with a summary of the entire study.

2.   Related work

Due to the high cost associated with managing certificates in traditional public key cryptography, the reliance on fully trusted certificate authorities poses significant challenges. As a result, contemporary multi-message multi-receiver signing schemes tend to favor alternatives such as IBC and CLC. These advanced cryptographic approaches provide more efficient and practical solutions by eliminating the need for traditional certificate authorities. In 2007, Baek et al.^[22] introduced the pioneering identity-based multi-receiver encryption (IBME) scheme, which requires only one pairing computation to encrypt a single message for multiple recipients. This scheme by Baek et al. departs from the traditional approach of repetitive encryption in multi-receiver encryption schemes, resulting in significantly enhanced encryption efficiency. Subsequently, scholars from both academia and industry have begun to devote themselves to the research of identity-based signcryption schemes. Scheme ^[23] proposed a multi-receiver signcryption scheme with decryption fairness to address the problems of receiver identity information leakage and signature unfairness in existing signature schemes. However, this scheme does not check the ciphertext legitimacy when unsigncrypt, and there is anonymity unfairness, ignoring the anonymity problem of the sender. The signcryption scheme proposed in literature ^[24] combines the identity information required by the receiver with the ciphertext information and achieves public verifiability based on the ciphertext information. Scheme ^[25] is a single communication mode, which is not efficient if multiple messages are sent. In 2014, Zhou et al.^[26] proposed a scheme that utilizes random re-encryption techniques. This scheme only requires one pairing computation to signcrypt multiple messages, resulting in high efficiency. Scheme ^[27] achieves a multi-message signcryption scheme based on bilinear pairing, which meets the security attributes of non-forgeability, confidentiality and non-repudiation; however, in order to meet the requirement of identity anonymity, the length of the ciphertext generated by this scheme is too long, resulting in inefficiency. Scheme ^[28] proposes an id-based multi-message and multi-recipient signcryption scheme with low computational and communication overheads to achieve authenticity and confidentiality. Scheme ^[29] makes use of existing signcryption techniques to generate a verifiable public ciphertext with a fixed length, and at the same time uses a broadcasting function to deliver the ciphertext to multiple recipients at the same time, with high transmission and computational efficiencies. However, it is important to note that these schemes primarily address the challenge of certificate management. One limitation of these schemes is that they heavily rely on the Private Key Generator (PKG) for private key generation. The trustworthiness of the PKG is crucial for ensuring the security of the system. In cases where the PKG is deemed fully trusted, the system can maintain its integrity. However, it is important to acknowledge that if the PKG lacks trustworthiness, it gains complete control over the user's private key, resulting in a key escrow problem. To address this issue, a CLC system has been proposed ^[9]. This system aims to resolve both the certificate management problem associated with the PKI system and the key escrow problem typically encountered in Identity-Based cryptosystems. In a CLC system, the user's private key comes from two parts, one is the secret value generated by the user's own choice, and the other is part of the private key generated by the KGC, and since the KGC does not have access to the user's complete private key, there is no key escrow problem. The advent of CLC has led to a significant surge in research on certificateless signatures within the field.

The field of multi-message multi-receiver signatures has also experienced a wave of research on certificateless signatures. Among the proposed schemes, certain ones ^[19,20,30] are built upon bilinear pairwise operations. It is worth noting that such operations impose a significant computational burden due to the extensive time required for their execution. To address this concern, researchers have begun investigating uncertificated multi-message multi-receiver signatures that eliminate the need for bilinear pairwise operations. Instead, they have focused on leveraging elliptic curves as the foundation for their research. Pang et al.^[31] proposed an anonymous certificateless signcryption scheme that does not rely on bilinear pairings. However, the communication efficiency of the scheme is not optimal. Then, Pang et al.^[32] introduced an efficient anonymous multi-message multi-receiver signcryption scheme based on Elliptic Curve Cryptography (ECC). They substantiated its security under a random prediction model. However, Peng et al.^[33] subsequently discovered a vulnerability in the certificateless multi-message multi-receiver signing scheme proposed by Pang et al.^[32]. This vulnerability allows an attacker to forge a user's legitimate private and public keys, posing a significant threat to the overall security of the scheme. Peng et al.^[33] proposed an efficient and provably secure multi-receiver encryption scheme for multicast communication in edge computing, aiming to achieve secure communication. Fu et al.^[34] proposed a practical anonymous multi-receiver certificateless signcryption scheme that can satisfy message confidentiality, source authentication and anonymity simultaneously and efficiently. Wang et al.^[35] designed a certificateless multi-receiver signature and encryption scheme based on elliptic curves, specifically tailored for multicast communication in smart grids. This scheme exhibits excellent timing performance and high computational efficiency. Zhou et al.^[36] presented a certificateless multi-receiver multi-message signing mechanism that does not rely on bilinear mapping. This innovative approach improves user anonymity and fulfills the sender's requirement for multi-message transmission. Notably, the scheme achieves high computational efficiency by eliminating the need for bilinear mapping and exponential operations in both the signing and declassification algorithms. Wang et al.^[16] introduced an elliptic curve-based multi-message multi-recipient signing scheme. This scheme employs multiple KGCs to oversee the system master key using a threshold secret sharing protocol. Additionally, the researchers periodically update the individual KGC sub-secret information to enhance its resilience against persistent attacks. Despite the numerous proposed schemes, the issue of key distribution remains unresolved. In many cases, a secure channel is established during the design phase to transmit a portion of the private key generated by the KGC to the intended user. However, finding a solution to establishing a secure or secret channel during the design phase has become a crucial problem that researchers need to address. The papers ^[37] and ^[38] discuss a method that addresses the key distribution problem by encrypting a portion of the key generated by the KGC using heterogeneous or traditional calculations. The encrypted key is then transmitted to the user through the public channel.

3.   Preliminaries

3.1.   Difficult problems

Discrete logarithm (DL) problem: Given a binary group $(P, aP)\in G_{p}^{2}$, known to $a\in Z_{p}^{*}$ be unknown, solve for $a$, where the large prime $p$ is the order of the cyclic group ${{G}_{p}}$ and $P$ is the generating element of ${{G}_{p}}$.

Computational Diffie-Hellman (CDH) problem: Given a ternary group $(P, aP, bP)\in G_{p}^{3}$, known to $a, b\in Z_{p}^{*}$ be unknown, solve for $abP$, where the large prime $p$ is the order of the cyclic group ${{G}_{p}}$ and the generating element of ${{G}_{p}}$.

3.2.   System model

The multi-receiver multi-message signcryption scheme based on CLC system consists of the following six algorithms :

1) Setup

Given security parameters $k$, KGC generates the master key $s$ and system parameters $params$. This algorithm can be defined as ${S\!etup} (k)\to (s, params)$.

2) PartKeyGen

Given the user identity ${\text{ID}}$ and some related information, KGC uses the known user information and the master key $s$ to generate a partial private key $psk$. This algorithm can be defined as ${\text{PartKeyGen}}$ $(params, {\text{ID}}, s)\to psk$.

3) KeyGen

Given system parameters $params$ and partial private key $psk$, users generate their own public key $pk$ and private key $sk$. This algorithm can be defined as ${\text{KeyGen}}\; (params, {\text{ID}}, psk)\to (pk, sk)$.

4) SignCrypt

The ciphertext sender ${\text{I}}{{{\text{D}}}_{S}}$ needs to send $n$ corresponding plaintext messages ${{m}_{i}}({{m}_{i}}\in M, 1\le i\le n)$ to $n$ ciphertext receivers ${\text{I}}{{{\text{D}}}_{{{R}_{i}}}}(1\le i\le n)$. Given the system parameters, the identity of the ciphertext sender ${\text{I}}{{{\text{D}}}_{S}}$, the receiver identity set ${\text{I}}{{{\text{D}}}_{R}}{\text{ = }}\!\!\{\!\!{\text{ I}}{{{\text{D}}}_{{{R}_{1}}}}{\text{, I}}{{{\text{D}}}_{{{R}_{2}}}}{\text{, }}\cdots {\text{, I}}{{{\text{D}}}_{{{R}_{n}}}}{\text{ }}\!\!\}\!\!{\text{ }}$ and the plaintext message set $M = \{{{m}_{1}}, {{m}_{2}}, \cdots, {{m}_{n}}\}$, the corresponding ciphertext set $C = \{{{c}_{{{R}_{1}}}}, {{c}_{{{R}_{2}}}}, \cdots, {{c}_{{{R}_{n}}}}\}$ is generated. This algorithm can be defined as ${\text{SignCrypt}}\; (params, {\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{R}}, M)\to C$.

5) UnSignCrypt

Given the system parameters $params$, the identity of the ciphertext sender ${\text{I}}{{{\text{D}}}_{S}}$, the private key information $s{{k}_{{{R}_{i}}}}$ of the ciphertext receiver and the ciphertext message ${{c}_{{{R}_{i}}}}({{c}_{{{R}_{i}}}}\in C, 1\le i\le n)$, the receiver calculates the corresponding plaintext message ${{{m}'}_{{{R}_{i}}}}(1\le i\le n)$. This algorithm can be defined as ${\text{UnSignCrypt}}\; (params, {\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, s{{k}_{{{R}_{i}}}}, {{c}_{{{R}_{i}}}})\to {{{m}'}_{{{R}_{i}}}}$.

6) VerifySign

According to the known system parameters $params$ and the public key information $p{{k}_{{{R}_{i}}}}$ of the ciphertext receiver, the receiver ${\text{I}}{{{\text{D}}}_{{{R}_{i}}}}$ verifies the result of the decryption, that is, the decrypted plaintext message ${{{m}'}_{{{R}_{i}}}}$. If the verification is successful, return True; otherwise, return False. This algorithm can be defined as ${\text{VerifySign}}\; (params, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, p{{k}_{{{R}_{i}}}}, {{{m}'}_{{{R}_{i}}}})\to ({\text{True}}|{\text{False}})$.

Correctness: The correctness of multi-receiver multi-message signcryption schemes based on certificateless cryptography mandates that the probability of these schemes failing to pass the verification equation, when generated in strict accordance with the given definition, can be considered negligible.

3.3.   Security model

The security model defined in references [12] and ^[13] involves two types of attackers, including Type Ⅰ attackers and Type $\Pi$ attackers.

1) The Type Ⅰ attackers are represented by ${{A}_{1}}$, which mainly refers to the malicious signcryptor (ciphertext sender in this paper). The strongest Type Ⅰ attacker possesses the capability to substitute the public key without providing the secret value. Consequently, they can obtain the plaintext message from the manipulated public key, even when the public and private keys have been replaced.

2) A category of attackers, referred to as "honest-but-curious" Type $\Pi$, possesses knowledge of the system master key but lacks the capability to obtain the secret value of the targeted user or manipulate the user's public key. In contrast, another type of attacker, known as "malicious-but-passive", possesses all the capabilities of the "honest-but-curious" Type $\Pi$ attackers. In addition, they have the capability to dynamically initialize system parameters by incorporating trapdoor information into the primary key and system parameters utilizing computational indistinguishable methods.

Set the ciphertext sender to be ${\text{I}}{{{\text{D}}}_{S}}$, the ciphertext receiver's number is $n$, respectively, ${\text{I}}{{{\text{D}}}_{R}} = \{{\text{I}}{{{\text{D}}}_{{{R}_{1}}}}, {\text{I}}{{{\text{D}}}_{{{R}_{2}}}}, \cdots, {\text{I}}{{{\text{D}}}_{{{R}_{n}}}}\}$, and the plaintext message set to be signed is $M = \{{{m}_{1}}, {{m}_{2}}, \cdots, {{m}_{n}}\}$. The precise definitions and corresponding game descriptions for the aforementioned two types of attackers, namely "confidentiality under adaptive chosen ciphertext attack" and "unforgeability under adaptive chosen message attack", are outlined as follows. In order not to lose generality, this part will be based on the receiver of the $i$-th ciphertext, ${\text{I}}{{{\text{D}}}_{{{R}_{i}}}}$, how does he handle the message ${{m}_{i}}$. The attackers that select the confidentiality of ciphertext attack are Type Ⅰ attacker ${{A}_{1-1}}$ and Type $\Pi$ attacker ${{A}_{2-1}}$ and the attackers that select the unforgeability of message attack are Type Ⅰ attacker ${{A}_{1-2}}$ and Type $\Pi$ attacker ${{A}_{2-2}}$.

Definition 1 Type Ⅰ attacker ${{A}_{1-1}}$ Confidentiality under chosen ciphertext attack.

If the Type Ⅰ attacker ${{A}_{1-1}}$ wins the following game with a negligible probability $Adv_{{{A}_{1-1}}}^{T}(k)$ in polynomial time by correlation calculation, the scheme satisfies confidentiality under ${{A}_{1-1}}$ adaptive chosen ciphertext attack.

Game 1 The interaction process between the attackers and the challengers in the game can be described as follows:

1) System initialization phase $k$, challenger $\cal T$ executes the system initialization Setup algorithm, outputs the system master key $s$ and system parameter $params$, and passes $params$ to attacker ${{A}_{1-1}}$. Furthermore, the master key $s$ is kept secretly.

2) Inquiry phase

i) Hash queries: Attacker ${{A}_{1-1}}$ can complete the query of any ${\text{Hash}}$.

ii) Key generation queries: Attacker ${{A}_{1-1}}$ selects the identity of a target user ${\text{ID}}$ and asks challenger $\cal T$ with ${\text{ID}}$ as input. Challenger $\cal T$ executes algorithm ${\text{KeyGen}}$ $(params, {\text{ID}}, psk)\to (pk, sk)$, then responds to ${{A}_{1-1}}$ queries with final result $(pk, sk)$. In the process of security proof, user key query includes both private key generation query and public key generation query, which are described separately. Then, we respond with $sk$ and $pk$.

iii) Public key replacement queries: Attacker ${{A}_{1-1}}$ can replace the public key $pk$ of target user ${\text{ID}}$ at any time.

iv) Signcryption queries: Attacker ${{A}_{1-1}}$ selects ciphertext sender ${\text{I}}{{{\text{D}}}_{S}}$.Then, as the sender's identity ${\text{I}}{{{\text{D}}}_{S}}$, plaintext message set $M$ and receiver identity set ${\text{I}}{{{\text{D}}}_{R}} = \{{\text{I}}{{{\text{D}}}_{{{R}_{1}}}}, {\text{I}}{{{\text{D}}}_{{{R}_{2}}}}, \cdots, {\text{I}}{{{\text{D}}}_{{{R}_{n}}}}\}$.Take the above parameters as input and ask the challenger. The challenger starts executing the algorithm, The final calculation result is ciphertext message $\cal T$ in response to ${\text{SignCrypt}}$ $(params, {\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{R}}, M)\to C$ query.

v) Unsigncryption queries: Attacker ${{A}_{1-1}}$ asks Challenger $\cal T$ with the input of sender's identity ${\text{I}}{{{\text{D}}}_{S}}$, receiver's identity ${\text{I}}{{{\text{D}}}_{{{R}_{i}}}}$ and ciphertext message $({{c}_{{{R}_{i}}}}\in C, 1\le i\le n)$. The challenger $\cal T$ first executes the algorithm ${\text{KeyGen}}$ $(params, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, ps{{k}_{{{R}_{i}}}})\to (p{{k}_{{{R}_{i}}}}, s{{k}_{{{R}_{i}}}})$ for the receiver ${\text{I}}{{{\text{D}}}_{{{R}_{i}}}}$. Through the above operations, the corresponding public key $p{{k}_{{{R}_{i}}}}$ and private key $s{{k}_{{{R}_{i}}}}$ are obtained. Then execute the algorithms ${\text{UnSignCrypt}}$ $(params, {\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, s{{k}_{{{R}_{i}}}}, {{c}_{{{R}_{i}}}})\to {{{m}'}_{{{R}_{i}}}}$ and ${\text{VerifySign}}$ $(params, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, p{{k}_{{{R}_{i}}}}, {{{m}'}_{{{R}_{i}}}})\to ({\text{True}}|{\text{False}})$. If the verification result is ${\text{True}}$, then ${{{m}'}_{{{R}_{i}}}}$ responds to query of ${{A}_{1-1}}$; otherwise, respond to ${{A}_{1-1}}$ queries with "$\bot$".

3) Challenge phase

Attacker ${{A}_{1-1}}$ selects ciphertext sender ${\text{I}}{{{\text{D}}}_{S}}$ and receiver ${\text{I}}{{{\text{D}}}_{R}}$, two equal-length messages ${{m}_{0}}$ and ${{m}_{1}}$ and pass these messages to the challenger $\cal T$.The challenger $\cal T$ selects a random number $i\in \{0, 1\}$ and executes the algorithm ${\text{SignCrypt}}\; (params, {\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{R}}, {{m}_{i}})\to {{c}_{i}}$ to return the calculation results ${{c}_{i}}$ to the attacker ${{A}_{1-1}}$.

4) Conjecture phase

The attacker ${{A}_{1-1}}$ can perform various operations in the query phase multiple times. However, in this process, it is not possible to initiate a private key generation query about the receiver ${\text{I}}{{{\text{D}}}_{{{R}_{i}}}}$. Moreover, it is not possible to initiate a decryption query on the ciphertext ${{c}_{i}}\in C$. If the attacker ${{A}_{1-1}}$ successfully guessed ${i}' = i$, that is, ${{A}_{1-1}}$ won the game. The probability is set to $Adv_{{{A}_{1-1}}}^{T}(k) = \left| \Pr [i = {i}']-\frac{1}{2} \right|$.

Definition 2 Type $\Pi$ attacker ${{A}_{2-1}}$ chooses the confidentiality under ciphertext attack

If the attacker ${{A}_{2-1}}$ passes the correlation calculation in a polynomial time range and wins the following games with a negligible probability of $Adv_{{{A}_{2-1}}}^{T}(k)$, the scheme satisfies confidentiality under the attacker ${{A}_{2-1}}$ adaptive chosen ciphertext attack.

Game 2 Both sides of the game are the attacker ${{A}_{2-1}}$ and the challenger $\cal T$, and the following is the interaction process between the two.

1) System initialization phase

Given a security parameter $k$, Challenger $\cal T$ executes the system initialization Setup algorithm, outputs the system master key $s$ and system parameter $params$ and passes $s$ and $params$ to attacker ${{A}_{2-1}}$.

2) Inquiry phase

Attacker ${{A}_{2-1}}$ selects the identity ${\text{ID}}$ of a target user and it can perform the same operation as the Definition 1 inquiry phase. However, since the type $\Pi$ attacker cannot perform public key replacement, the public key replacement query is excluded.

3) Challenge phase Attacker ${{A}_{2-1}}$ performs the same operation as the Definition 1 challenge phase.

4) Conjecture phase

Attacker ${{A}_{2-1}}$ performs the same operation as the Definition 1 challenge phase. If the attacker ${{A}_{2-1}}$ guesses ${i}' = i$, it means that ${{A}_{2-1}}$ wins the game. The probability is set to $Adv_{{{A}_{2-1}}}^{T}(k) = \left| \Pr [i = {i}']-\frac{1}{2} \right|$.

Definition 3 The unforgeability of Type Ⅰ attacker ${{A}_{1-2}}$ under selective message attack

If the attacker ${{A}_{1-2}}$ passes the correlation calculation in a polynomial time range and wins the following games with a negligible probability of $Adv_{{{A}_{1-2}}}^{T}(k)$, the scheme satisfies unforgeability under ${{A}_{1-2}}$ adaptive selection message attack.

Game 3 Both sides of the game are the attacker ${{A}_{1-2}}$ and the challenger $\cal T$, and the following is the interaction process between the two.

1) System initialization phase

Given a security parameter $k$, Challenger $\cal T$ executes the system initialization Setup algorithm, outputs the system master key $s$ and system parameter $params$ and passes $params$ to attacker ${{A}_{1-2}}$. At the same time, the secret custodian master key $s$.

2) Inquiry phase

Attacker ${{A}_{1-2}}$ selects the identity ${\text{ID}}$ of a target user and performs the same operation as the Definition 1 query phase.

3) Challenge phase

Attacker ${{A}_{1-2}}$ forges ciphertext message ${C}'$, and then performs various query operations in the query phase. In this process, the attacker cannot initiate a private key generation query about the receiver ${\text{I}}{{{\text{D}}}_{{{R}_{i}}}}$, nor can he initiate a signcryption query about the ciphertext and a reconciliation signcryption query. If the final result of the decryption is ${\text{True}}$ when the signature verification is performed. It shows that ${{A}_{1-2}}$ won the game. The probability is set to $Adv_{{{A}_{1-2}}}^{T}(k) = \left| \Pr [{\text{Forged signature can be verified}}]-\frac{1}{2} \right|$.

Definition 4 The unforgeability of Type $\Pi$ attacker ${{A}_{2-2}}$ under chosen ciphertext attack

If the attacker ${{A}_{2-2}}$ in the polynomial time range, through the relevant calculation with a probability of $Adv_{{{A}_{2-2}}}^{T}(k)$ can be ignored to win the following game, then the scheme satisfies unforgeability under ${{A}_{2-2}}$ adaptive selection message attack.

Game 4 Both sides of the game are the attacker ${{A}_{2-2}}$ and the challenger $\cal T$, and the following is the interaction process between the two.

1) System initialization phase

Given a security parameter $k$, Challenger $\cal T$ executes the system initialization Setup algorithm, outputs the system master key $s$ and system parameter $params$ and passes $s$ and $params$ to attacker ${{A}_{2-2}}$.

2) Inquiry phase

Attacker ${{A}_{2-2}}$ selects the identity ${\text{ID}}$ of a target user and performs the same operation as the Definition 2 query phase.

3) Challenge phase

Attacker ${{A}_{2-2}}$ forges ciphertext message ${C}'$ and then performs the same operation as the Definition 3 forgery phase. If the final result of the decryption is ${\text{True}}$ when the signature verification is performed. It shows that ${{A}_{2-2}}$ won the game. The probability is set to $Adv_{{{A}_{2-2}}}^{T}(k) = \left| \Pr [{\text{Forged signature can be verified}}]-\frac{1}{2} \right|$.

4.   Scheme of this article

4.1.   System model

As shown in Figure 1, the certificateless multi-message multi-receiver signcryption scheme based on blockchain includes the following entities.

1) System manager: Given a security parameter and initialize the smart contract.

2) Smart contract (SC-KGC) : According to the relevant information given by the user, it generates the corresponding partial key of the user.

3) Blockchain: Store the system parameters of the certificateless signcryption scheme to ensure the security of the certificateless system.

4) Ciphertext sender: The sender uploads the pseudonym identity and part of the public key information to SC-KGC to obtain the corresponding part of the private key. After having the necessary system parameters, signcryption generates the corresponding ciphertext information for the ciphertext receiver.

5) Ciphertext receivers: The receivers upload the pseudonym identity and part of the public key information to SC-KGC to obtain the corresponding part of the private key. For the received ciphertext information, decrypt the ciphertext information and verify whether the message is valid and legal.

To enhance the readability and comprehensibility of the proposed scheme in this paper, Table 1 provides an overview of the symbols used in the scheme. The contents are as follows.

4.2.   Scheme description

The proposed scheme encompasses five distinct stages: Initialization, partial private key generation, user key generation, signing and encryption and decryption and signature verification. Each stage serves a specific purpose in the overall functioning of the scheme. The following section provides a brief description of each stage.

1) Setup

i) Given a security parameter $k$, we define a additive cyclic group $G$ of order $p$, where $p$ is a prime number, and $P$ is its generator.

ii) Define 6 secure Hash functions.: ${{H}_{0}}:G\to {{\{0, 1\}}^{{{L}_{ID}}}}$, ${{H}_{1}}:{{\{0, 1\}}^{{{L}_{ID}}}}\times G\times G\to Z_{p}^{*}$, ${{H}_{2}}:{{\{0, 1\}}^{{{L}_{ID}}}}\times G\to Z_{p}^{*}$, ${{H}_{3}}:{{\{0, 1\}}^{{{L}_{ID}}}}\times G\to {{\{0, 1\}}^{{{L}_{m}}}}$, ${{H}_{4}}:{{\{0, 1\}}^{{{L}_{ID}}}}\times {{\{0, 1\}}^{{{L}_{ID}}}}\times {{\{0, 1\}}^{{{L}_{m}}}}\times G\times {{\{0, 1\}}^{{{L}_{ID}}}}\to Z_{p}^{*}$, ${{H}_{5}}:{{\{0, 1\}}^{{{L}_{ID}}}}\times {{\{0, 1\}}^{{{L}_{ID}}}}\times {{\{0, 1\}}^{{{L}_{m}}}}\times G\times Z_{p}^{*}\times {{\{0, 1\}}^{{{L}_{ID}}}}\to Z_{p}^{*}$, The length of the user identity ${\text{ID}}$ is represented by ${{L}_{ID}}$, the length of the plaintext message $m$ is represented by ${{L}_{m}}$ and the length of the elements in $Z_{p}^{*}$ represented by $|Z_{p}^{*}|$.

iii) Define the index function $F_{index}^{n}({\text{ID}})\to Z_{p}^{*}$. This function can take $n$ given user identification and return an index. This function can map the given $n$ user identities to the domain $\{1, 2, \cdots, n\}$ one by one.

iv) The system randomly generates the master key $s\in Z_{p}^{*}$, and then calculates the system public key ${{P}_{pub}} = sP$ for future public use.

v) The visibility of system parameters $params = \{G, p, P, {{P}_{pub}}, {{H}_{0}}, {{H}_{1}}, {{H}_{2}}, {{H}_{3}}, {{H}_{4}}, {{H}_{5}}, F_{index}^{n}()\}$ and function $PartKeyGen\; ()$ is set to publicly visible, enabling the users to complete the scheme under these initial parameters. The system master key is set to self-visible. Finally, the system master key is set to be visible only to itself.

The details of the smart contract are shown in Algorithm 1.

2) PartKeyGen

When the user ${{U}_{i}}$ invokes the function $PartKeyGen\; ()$, it will automatically generate a partial private key $xps{{k}_{i}}$ for the user ${{U}_{i}}$.

i) ${{U}_{i}}$ randomly selects ${{x}_{i}}\in Z_{p}^{*}$, then calculates ${{X}_{i}} = {{x}_{i}}P$ and ${\text{PI}}{{{\text{D}}}_{i}} = {\text{I}}{{{\text{D}}}_{i}}\oplus {{H}_{0}}({{x}_{i}}\cdot {{P}_{pub}})$.

ii) ${{U}_{i}}$ inputs $\{{\text{PI}}{{{\text{D}}}_{i}}, {{X}_{i}}\}$ and evokes the function $PartKeyGen\; ()$.

iii) The user ${U_i}$ sends $\{{\text{PI}}{{{\text{D}}}_{i}}, {{X}_{i}}\}$ to the KGC for calculating their partial private key. First, $SC-KGC$ checks if there is an inequality $CT{{R}^{i}}_{Add{{r}_{ID}}} < n$, where $CT{{R}^{i}}_{Add{{r}_{ID}}}$ is a counter maintained by $SC-KGC$, $Add{{r}_{ID}}$ is the address of the user on the Ethereum platform, $n$ is the reset threshold. If the access time is less than the threshold, $SC-KGC$ can calculate ${\text{I}}{{{\text{D}}}_{i}} = {\text{PI}}{{{\text{D}}}_{i}}\oplus {{H}_{0}}(s\cdot {{X}_{i}})$ to get the real identity of ${{U}_{i}}$, otherwise, $SC-KGC$ will reject the request immediately.

iv) $SC-KGC$ randomly selects ${{d}_{i}}\in Z_{p}^{*}$, then calculates ${{D}_{i}} = {{d}_{i}}P$ and $h_{1}^{i} = {{H}_{1}}({\text{I}}{{{\text{D}}}_{i}}, {{X}_{i}}+{{D}_{i}}, {{P}_{pub}})$.

v) $SC-KGC$ calculates $xps{{k}_{i}} = {{d}_{i}}+s\cdot h_{1}^{i}+{{H}_{2}}({\text{I}}{{{\text{D}}}_{i}}, s\cdot {{X}_{i}})\bmod p$, and returns the verification parameter ${{D}_{i}}$ and the partial private key $xps{{k}_{i}}$ back to ${{U}_{i}}$.

3) KeyGen

When the user ${{U}_{i}}$ receives the partial private key $xps{{k}_{i}}$ generated by the $SC-KGC$, the user generates their public-private key pair $(p{{k}_{i}}, s{{k}_{i}})$ for subsequent SignCrypt.

i) ${{U}_{i}}$ verifies whether the equality $xps{{k}_{i}}P = {{D}_{i}}+{{H}_{1}}({\text{I}}{{{\text{D}}}_{i}}, {{X}_{i}}+{{D}_{i}}, {{P}_{pub}})\cdot {{P}_{pub}}+{{H}_{2}}({\text{I}}{{{\text{D}}}_{i}}, {{x}_{i}}\cdot {{P}_{pub}})P$ holds. If the verification is successful, calculates ${{y}_{i}} = xps{{k}_{i}}-{{H}_{2}}({\text{I}}{{{\text{D}}}_{i}}, {{x}_{i}}\cdot {{P}_{pub}})$ and private key $s{{k}_{i}} = {{x}_{i}}+{{y}_{i}}$. Otherwise, ${{U}_{i}}$ rejects the response ${{D}_{i}}$ and $xps{{k}_{i}}$ from $SC-KGC$.

ii) ${{U}_{i}}$ computes and exposes the public key $p{{k}_{i}} = {{X}_{i}}+{{D}_{i}}$.

4) SignCrypt

It is assumed that the ciphertext sender is the user ${{U}_{S}}$, with an identity of ${\text{I}}{{{\text{D}}}_{S}}$. He needs to send the ciphertext messages ${\text{I}}{{{\text{D}}}_{S}}$ to n ciphertext receivers ${{U}_{{{R}_{i}}}}$, whose identity set is ${\text{I}}{{{\text{D}}}_{R}} = \{{\text{I}}{{{\text{D}}}_{{{R}_{1}}}}, {\text{I}}{{{\text{D}}}_{{{R}_{2}}}}, \cdots, {\text{I}}{{{\text{D}}}_{{{R}_{n}}}}\}$. The ciphertext received by each receiver is different. The ciphertext $\phi$ is related to the identity ${\text{I}}{{{\text{D}}}_{{{R}_{i}}}}$ of the ciphertext receiver and the plaintext message ${{m}_{i}}$ to be signed. It is worth noting that the set of plaintext messages is $m = \{{{m}_{1}}, {{m}_{2}}, \cdots, {{m}_{n}}\}$. The ciphertext sender ${{U}_{S}}$ randomly selects ${{\alpha }_{S}}\in Z_{p}^{*}$ and calculates ${{A}_{S}} = {{\alpha }_{S}}P$. Then, According to the following steps, signcryption generates ciphertext information corresponding to the receiver.

i) The position of the ciphertext in the domain is calculated based on the user's identity ${\rm{I}}{{\rm{D}}}$. Calculate the index location ${{J}_{{{R}_{i}}}} = F_{index}^{n}({\text{I}}{{{\text{D}}}_{{{R}_{i}}}})$, where $1\le {{J}_{{{R}_{i}}}}\le n$.

ii) Calculate equations $h_{1}^{{{R}_{i}}} = {{H}_{1}}({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, p{{k}_{{{R}_{i}}}}, {{P}_{pub}})$, ${{W}_{{{R}_{i}}}} = {{\alpha }_{S}}({{P}_{pub}}h_{1}^{{{R}_{i}}}+p{{k}_{{{R}_{i}}}})$ and ${{K}_{{{R}_{i}}}} = {{H}_{3}}({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{W}_{{{R}_{i}}}})$.

iii) Calculate the equation ${{\tau }_{{{R}_{i}}}} = {{H}_{4}}({\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{m}_{i}}, {{A}_{S}}, C{{T}_{1}})$ and ${{\mu }_{{{R}_{i}}}} =$ ${{H}_{5}}({\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{m}_{i}}, {{W}_{{{R}_{i}}}}, {{\tau }_{{{R}_{i}}}}, C{{T}_{1}})$, where $C{{T}_{1}}$ is current timestamp, accompanied by time verification.

iv) Calculate the equation ${{v}_{{{R}_{i}}}} = {{\tau }_{{{R}_{i}}}}\cdot s{{k}_{S}}+{{\mu }_{{{R}_{i}}}}\cdot {{\alpha }_{S}}$. The ${{v}_{{{R}_{i}}}}$ is stored at the ${{J}_{{{R}_{i}}}}$ position of the set ${{J}_{{{R}_{i}}}}$, where $V[{{J}_{{{R}_{i}}}}]\leftarrow {{v}_{{{R}_{i}}}}$.

v) Calculate the equation ${{c}_{{{R}_{i}}}} = ({{m}_{{{R}_{i}}}}\parallel {\text{I}}{{{\text{D}}}_{S}})\oplus {{K}_{{{R}_{i}}}}$. The ${{c}_{{{R}_{i}}}}$ is stored at the ${{J}_{{{R}_{i}}}}$ position of the set ${{J}_{{{R}_{i}}}}$, where $C[{{J}_{{{R}_{i}}}}]\leftarrow {{c}_{{{R}_{i}}}}$.

5) UnSignCrypt

After receiving the ciphertext message $\phi = \{{{A}_{S}}, C, V, C{{T}_{1}}\}$, the ciphertext receiver ${{U}_{{{R}_{i}}}}$ obtains the system parameters $params = \{G, p, P, {{P}_{pub}}, {{H}_{0}}, {{H}_{1}}, {{H}_{2}}, {{H}_{3}}, {{H}_{4}}, {{H}_{5}}, F_{index}^{n}()\}$ from the smart contract. Then, receiver ${{U}_{{{R}_{i}}}}$ calculates ${{J}_{{{R}_{i}}}} = F_{index}^{n}({\text{I}}{{{\text{D}}}_{{{R}_{i}}}})$ and utilizes this value to determine the storage location of the corresponding ciphertext, and extracts ${{c}_{{{J}_{{{R}_{i}}}}}}$ and ${{v}_{{{J}_{{{R}_{i}}}}}}$ from the sets $C$ and $V$ respectively, where $1\le {{J}_{{{R}_{i}}}}\le n$. Finally, decrypt the ciphertext message according to the following steps.

i) Check if there is an inequality $CT{{R}_{{\text{I}}{{{\text{D}}}_{{{R}_{i}}}}}} < n$, where $CT{{R}_{{\text{I}}{{{\text{D}}}_{{{R}_{i}}}}}}$ is a counter maintained by $CT{{R}_{{\text{I}}{{{\text{D}}}_{{{R}_{i}}}}}}$. If the above relationship equation exists, then ${{U}_{{{R}_{i}}}}$ continues to judge the freshness of the received ciphertext message $\phi = \{{\text{I}}{{{\text{D}}}_{S}}, {{A}_{S}}, C, V, C{{T}_{1}}\}$. If $\phi = \{{\text{I}}{{{\text{D}}}_{S}}, {{A}_{S}}, C, V, C{{T}_{1}}\}$, it indicates that $\phi = \{{\text{I}}{{{\text{D}}}_{S}}, {{A}_{S}}, C, V, C{{T}_{1}}\}$ does not expire and can decrypt the ciphertext message, where $C{{T}_{2}}$ is the current timestamp and $\Delta t$ is the predefined maximum transmission delay. Otherwise, ${{U}_{{{R}_{i}}}}$ discards the received ciphertext.

ii) Calculate ${{{W}'}_{{{R}_{i}}}} = s{{k}_{{{R}_{i}}}}\cdot {{A}_{S}}$ and ${{{K}'}_{{{R}_{i}}}} = {{H}_{3}}({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{{W}'}_{{{R}_{i}}}})$.

iii) Calculate ${{{m}'}_{{{R}_{i}}}}\parallel {\text{I}}{{{\text{D}}}_{S}} = {{c}_{{{J}_{{{R}_{i}}}}}}\oplus {{{K}'}_{{{R}_{i}}}}$.

iv) Calculate ${{{\tau }'}_{{{R}_{i}}}} = {{H}_{4}}({\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{{m}'}_{i}}, {{A}_{S}}, C{{T}_{1}})$ and ${{{\mu }'}_{{{R}_{i}}}} = {{H}_{5}}({\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{{m}'}_{i}}, {{{W}'}_{{{R}_{i}}}}, {{{\tau }'}_{{{R}_{i}}}}, C{{T}_{1}})$.

v) Verify whether the equation ${{v}_{{{J}_{{{R}_{i}}}}}}P = {{{\tau }'}_{{{R}_{i}}}}\cdot (p{{k}_{S}}+{{P}_{pub}}h_{1}^{S})+{{{\mu }'}_{{{R}_{i}}}}\cdot {{A}_{S}}$ exists. If not, it indicates that the message ${{{m}'}_{{{R}_{i}}}}$ is illegal and refuses to receive.

4.3.   Correctness analysis

Theorem 1. The message decrypted by the receiver is a correct and valid message.

Proof

1) Decryption correctness

Because there exists the following equation.

${{{W}'}_{{{R}_{i}}}} = s{{k}_{{{R}_{i}}}}\cdot {{A}_{S}} = ({{x}_{{{R}_{i}}}}+{{y}_{{{R}_{i}}}})\cdot {{\alpha }_{S}}P$ $= {{\alpha }_{S}}({{x}_{{{R}_{i}}}}+(xps{{k}_{{{R}_{i}}}}-{{H}_{2}}({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{x}_{{{R}_{i}}}}\cdot {{P}_{pub}})))P$ $= {{\alpha }_{S}}({{x}_{{{R}_{i}}}}+({{d}_{{{R}_{i}}}}+s\cdot h_{1}^{{{R}_{i}}}+{{H}_{2}}({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, s\cdot {{X}_{{{R}_{i}}}})-{{H}_{2}}({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{x}_{{{R}_{i}}}}\cdot {{P}_{pub}})))P$ $= {{\alpha }_{S}}({{x}_{{{R}_{i}}}}+({{d}_{{{R}_{i}}}}+s\cdot h_{1}^{{{R}_{i}}}))P$ $= {{\alpha }_{S}}({{X}_{{{R}_{i}}}}+{{D}_{{{R}_{i}}}}+{{P}_{pub}}\cdot h_{1}^{{{R}_{i}}})$ $= {{\alpha }_{S}}(p{{k}_{{{R}_{i}}}}+{{P}_{pub}}h_{1}^{{{R}_{i}}})$ $= {{W}_{{{R}_{i}}}}$

Note that in the above formula, $h_{1}^{{{R}_{i}}} = {{H}_{1}}({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, p{{k}_{{{R}_{i}}}}, {{P}_{pub}})$. Therefore ${{{W}'}_{{{R}_{i}}}} = {{W}_{{{R}_{i}}}}$ holds, then ${{{K}'}_{{{R}_{i}}}} = {{H}_{3}}({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{{W}'}_{{{R}_{i}}}}) = {{H}_{3}}({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{W}_{{{R}_{i}}}}) = {{K}_{{{R}_{i}}}}$ holds. Eventually, we can get ${{{K}'}_{{{R}_{i}}}} = {{H}_{3}}({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{{W}'}_{{{R}_{i}}}}) = {{H}_{3}}({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{W}_{{{R}_{i}}}}) = {{K}_{{{R}_{i}}}}$.

2) Signature verification correctness

Because of ${{{\tau }'}_{{{R}_{i}}}} = {{H}_{4}}({\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{{m}'}_{i}}, {{A}_{S}}, C{{T}_{1}}) = {{\tau }_{{{R}_{i}}}}$ and ${{{\mu }'}_{{{R}_{i}}}} = {{H}_{5}}({\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{{m}'}_{i}}, {{{W}'}_{{{R}_{i}}}}, {{{\tau }'}_{{{R}_{i}}}}, C{{T}_{1}}) = {{\mu }_{{{R}_{i}}}}$, the following equation holds.

${{{v}'}_{{{R}_{i}}}}P = ({{{\tau }'}_{{{R}_{i}}}}\cdot s{{k}_{S}}+{{{\mu }'}_{{{R}_{i}}}}\cdot {{\alpha }_{S}})P$

$= {{{\tau }'}_{{{R}_{i}}}}\cdot ({{x}_{S}}+{{y}_{S}})P+{{{\mu }'}_{{{R}_{i}}}}\cdot {{\alpha }_{S}}P$ $= {{{\tau }'}_{{{R}_{i}}}}\cdot ({{x}_{S}}+{{d}_{S}}+s\cdot h_{1}^{S})P+{{{\mu }'}_{{{R}_{i}}}}\cdot {{\alpha }_{S}}P$ $= {{{\tau }'}_{{{R}_{i}}}}\cdot ({{X}_{S}}+{{D}_{S}}+{{P}_{pub}}h_{1}^{S})+{{{\mu }'}_{{{R}_{i}}}}\cdot {{A}_{S}}$ $= {{{\tau }'}_{{{R}_{i}}}}\cdot (p{{k}_{S}}+{{P}_{pub}}h_{1}^{S})+{{{\mu }'}_{{{R}_{i}}}}\cdot {{A}_{S}}$

5.   Security proof

5.1.   Confidentiality

Theorem 2. The confidentiality of Type Ⅰ adversary ${{A}_{1-1}}$ under chosen ciphertext attack. Under the random oracle model, if there is an adversary ${{A}_{1-2}}$ who wins the game in Definition 1 with a non-negligible probability $\varepsilon$ in a polynomial time frame with at most ${{q}_{S}}$ signed secret queries and ${{q}_{{\text{SK}}}}$ private key generation queries. Then, there exist a challenger $\cal T$ can solve CDH problem with probability $Adv_{{{A}_{1-1}}}^{T}(k)\ge (1-\frac{{{q}_{SK}}}{{{2}^{k}}})\frac{\varepsilon }{{\text{e}}({{q}_{{\text{S}}}}+1)}$ in a polynomial time. Note that the probability $Adv_{{{A}_{1-1}}}^{T}(k)\ge (1-\frac{{{q}_{SK}}}{{{2}^{k}}})\frac{\varepsilon }{{\text{e}}({{q}_{{\text{S}}}}+1)}$ is non-negligible, where ${\text{e}}$ is the base of the natural logarithm, $k$ is security parameter.

Proof Assume that the algorithm $\cal R$ can solve the CDH problem, it works by solving with the input challenge instances $(P, aP, bP)$ to obtain $abP\in G$, where $a, b\in Z_{p}^{*}$ and $a, b$ are unknown. $\cal R$ selects ${{A}_{1-1}}$ as a sub-algorithm and acts as challenger $\cal T$ in the Definition 1 game. ${\text{I}}{{{\text{D}}}_{S}}$ and ${\text{I}}{{{\text{D}}}_{R}}$ in the process of signing and declassifying queries correspond to the identity of the ciphertext ender and the ciphertext receiver, respectively.

1) Init phase

$\cal T$ performs system initialization, sends $params = \{G, p, P, {{P}_{pub}}, {{H}_{0}}, {{H}_{1}}, {{H}_{2}}, {{H}_{3}}, {{H}_{4}}, {{H}_{5}}, F_{index}^{n}()\}$ to ${{A}_{1-1}}$, where ${{P}_{pub}} = aP$ ($a\in Z_{p}^{*}$ is master key and cannot be obtained by $\cal T$). $\cal T$ maintains lists ${{L}_{0}}, {{L}_{1}}, {{L}_{2}}, {{L}_{3}}, {{L}_{4}}, {{L}_{5}}, {{L}_{sk}}, {{L}_{pk}}$ that are initialized to empty, they are used to record the query results for ${{H}_{0}}, {{H}_{1}}, {{H}_{2}}, {{H}_{3}}, {{H}_{4}}, {{H}_{5}}$ private key generation and public key generation respectively.

2) Query phase

i) ${{H}_{4}}$ query: After the challenger $\cal T$ receives query ${{H}_{4}}({\text{I}}{{{\text{D}}}_{i}}, {\text{I}}{{{\text{D}}}_{j}}, {{m}_{j}}, {{A}_{i}}, C{{T}_{1}})$ from ${{A}_{1-1}}$, if $({\text{I}}{{{\text{D}}}_{i}}, {\text{I}}{{{\text{D}}}_{j}}, {{m}_{j}}, {{A}_{i}}, C{{T}_{1}}, {{\tau }_{j}})\in {{L}_{4}}$, then $\cal T$ sends ${{\tau }_{j}}$ to ${{A}_{1-1}}$. Otherwise, $\cal T$ randomly chooses ${{\tau }_{j}}\in Z_{p}^{*}$ and sends it to ${{A}_{1-1}}$.

ii) ${{H}_{5}}$ query: After the challenger $\cal T$ receives query ${{H}_{5}}({\text{I}}{{{\text{D}}}_{i}}, {\text{I}}{{{\text{D}}}_{j}}, {{m}_{j}}, {{W}_{j}}, {{\tau }_{j}}, C{{T}_{1}})$ from ${{A}_{1-1}}$, if $({\text{I}}{{{\text{D}}}_{i}}, {\text{I}}{{{\text{D}}}_{j}}, {{m}_{j}}, {{W}_{j}}, {{\tau }_{j}}, C{{T}_{1}}, {{\mu }_{j}})\in {{L}_{5}}$, then $\cal T$ sends ${{\mu }_{j}}$ to ${{A}_{1-1}}$ and adds $({\text{I}}{{{\text{D}}}_{i}}, {\text{I}}{{{\text{D}}}_{j}}, {{m}_{j}}, {{W}_{j}}, {{\tau }_{j}}, C{{T}_{1}}, {{\mu }_{j}})$ to ${{L}_{5}}$, where $({\text{I}}{{{\text{D}}}_{i}}, {\text{I}}{{{\text{D}}}_{j}}, {{m}_{j}}, {{W}_{j}}, {{\tau }_{j}}, C{{T}_{1}}, {{\mu }_{j}})\notin {{L}_{5}}$.

iii) ${{H}_{3}}$ query: After the challenger $\cal T$ receives query ${{H}_{3}}({\text{I}}{{{\text{D}}}_{j}}, {{W}_{j}})$ from ${{A}_{1-1}}$, if $({\text{I}}{{{\text{D}}}_{j}}, {{W}_{j}}, {{K}_{j}})\in {{L}_{3}}$, then $\cal T$ sends ${{K}_{j}}$ to ${{A}_{1-1}}$. Otherwise, $\cal T$ randomly chooses ${{K}_{j}}$ and sends it to ${{A}_{1-1}}$, then adds $({\text{I}}{{{\text{D}}}_{j}}, {{W}_{j}}, {{K}_{j}})$ to ${{L}_{3}}$, where $({\text{I}}{{{\text{D}}}_{j}}, {{W}_{j}}, {{K}_{j}})\notin {{L}_{3}}$.

iv) Public key generation query: After the challenger $\cal T$ receives public key generation query, if $({\text{I}}{{{\text{D}}}_{i}}, {{X}_{i}}+{{D}_{i}}, {{v}_{i}})\in {{L}_{pk}}$, then $\cal T$ sends $p{{k}_{i}} = {{X}_{i}}+{{D}_{i}}$ to ${{A}_{1-1}}$, where ${{v}_{i}}\in \{0, 1\}$. Otherwise, $\cal T$ randomly chooses ${{v}_{i}}\in \{0, 1\}$ and stipulates the existence of $\Pr [{{v}_{i}} = 1] = \delta = \frac{1}{{{q}_{{\text{S}}}}+1}$, then processed according to the value of ${{v}_{i}}$.

If ${{v}_{i}} = 0$, the challenger $\cal T$ randomly chooses ${{h}_{1}}, {{x}_{i}}, {{y}_{i}}\in Z_{p}^{*}$, calculates ${{X}_{i}} = {{x}_{i}}P$, $s{{k}_{i}} = {{x}_{i}}+{{y}_{i}}$, ${{D}_{i}} = {{y}_{i}}P-{{h}_{1}}{{P}_{pub}}$ and $p{{k}_{i}} = {{X}_{i}}+{{D}_{i}}$. $\cal T$ sends $p{{k}_{i}}$ to ${{A}_{1-1}}$ and adds $({\text{I}}{{{\text{D}}}_{i}}, p{{k}_{i}}, {{v}_{i}})$ to ${{L}_{pk}}$, adds $({\text{I}}{{{\text{D}}}_{i}}, s{{k}_{i}}, {{v}_{i}})$ to ${{L}_{sk}}$, adds $({\text{I}}{{{\text{D}}}_{i}}, p{{k}_{i}}, {{P}_{pub}}, {{h}_{1}})$ to ${{L}_{1}}$.

If ${{v}_{i}} = 1$, $\cal T$ knows two random numbers ${{\vartheta }_{1}}$ and ${{\vartheta }_{2}}$, calculates ${{X}_{i}} = {{\vartheta }_{1}}P$, ${{D}_{i}} = {{\vartheta }_{2}}P$ and $p{{k}_{i}} = {{X}_{i}}+{{D}_{i}}$. $\cal T$ sends $p{{k}_{i}}$ to ${{A}_{1-1}}$ and adds $({\text{I}}{{{\text{D}}}_{i}}, p{{k}_{i}}, {{v}_{i}})$ to ${{L}_{pk}}$. $\cal T$ randomly chooses ${{h}_{1}}\in Z_{p}^{*}$ and adds $({\text{I}}{{{\text{D}}}_{i}}, p{{k}_{i}}, {{P}_{pub}}, {{h}_{1}})$ to ${{L}_{1}}$, where ${{h}_{1}}\notin {{L}_{1}}$.

v) ${{H}_{0}}$ query: After the challenger $\cal T$ receives query ${{H}_{0}}({{x}_{i}}{{P}_{pub}}(s{{X}_{i}}))$ from ${{A}_{1-1}}$, if $({{x}_{i}}{{P}_{pub}}(s{{X}_{i}}), {{h}_{0}})\in {{L}_{0}}$, then sends ${{h}_{0}}$ to ${{A}_{1-1}}$. Otherwise, $\cal T$ randomly chooses ${{h}_{0}}\in Z_{p}^{*}$ and sends it to ${{A}_{1-1}}$, $\cal T$ adds $({{x}_{i}}{{P}_{pub}}(s{{X}_{i}}), {{h}_{0}})$ to ${{L}_{0}}$, where $({{x}_{i}}{{P}_{pub}}(s{{X}_{i}}), {{h}_{0}})\notin {{L}_{0}}$.

vi) ${{H}_{1}}$ query: After the challenger $\cal T$ receives query ${{H}_{1}}({\text{I}}{{{\text{D}}}_{i}}, p{{k}_{i}}({{X}_{i}}+{{D}_{i}}), {{P}_{pub}})$, if $({\text{I}}{{{\text{D}}}_{i}}, p{{k}_{i}}({{X}_{i}}+{{D}_{i}}), {{P}_{pub}}, {{h}_{1}})\in {{L}_{1}}$, then sends ${{h}_{1}}$ to ${{A}_{1-1}}$. Otherwise, $\cal T$ sends ${{h}_{1}}$ to ${{A}_{1-1}}$ after generates public key query of ${\text{I}}{{{\text{D}}}_{i}}$.

vii) ${{H}_{2}}$ query: After the challenger $\cal T$ receives query ${{H}_{2}}({\text{I}}{{{\text{D}}}_{i}}, s{{X}_{i}}({{x}_{i}}{{P}_{pub}}))$ from ${{A}_{1-1}}$, if $({\text{I}}{{{\text{D}}}_{i}}, s{{X}_{i}}({{x}_{i}}{{P}_{pub}}), {{h}_{2}})\in {{L}_{2}}$, then sends ${{h}_{2}}$ to ${{A}_{1-1}}$. Otherwise, $\cal T$ randomly chooses ${{h}_{2}}\in Z_{p}^{*}$ and sends it to ${{A}_{1-1}}$, $\cal T$ adds $({\text{I}}{{{\text{D}}}_{i}}, s{{X}_{i}}({{x}_{i}}{{P}_{pub}}), {{h}_{2}})$ to ${{L}_{2}}$, where $({\text{I}}{{{\text{D}}}_{i}}, s{{X}_{i}}({{x}_{i}}{{P}_{pub}}), {{h}_{2}})\notin {{L}_{2}}$.

viii) Private key generation query: After the challenger $\cal T$ receives private key generation query from ${{A}_{1-1}}$, if $({\text{I}}{{{\text{D}}}_{i}}, s{{k}_{i}})\in {{L}_{sk}}$, then sends $s{{k}_{i}}$ to ${{A}_{1-1}}$. Otherwise, $\cal T$ will get the information $({\text{I}}{{{\text{D}}}_{i}}, p{{k}_{i}}, {{v}_{i}})$ about the public key of ${\text{I}}{{{\text{D}}}_{i}}$ after generates public key generation query of ${\text{I}}{{{\text{D}}}_{i}}$. If ${{v}_{i}} = 0$, then $\cal T$ has generates private key $s{{k}_{i}}$ of ${\text{I}}{{{\text{D}}}_{i}}$. $\cal T$ searches $({\text{I}}{{{\text{D}}}_{i}}, s{{k}_{i}}, {{v}_{i}})$ from ${{L}_{sk}}$ and sends $s{{k}_{i}}$ to ${{A}_{1-1}}$. If ${{v}_{i}} = 1$, $\cal T$ ends the game.

ix) Public key replacement query: The adversary ${{A}_{1-1}}$ can generate the public key $p{{k}_{i}}^{\prime }$ of the ${\text{ID}}$ at any time and replace the original legal public key $p{{k}_{i}}$ with it.

x) Signcrypt query: After the challenger $\cal T$ receives signcrypt query ${\text{(I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{R}}{\text{ = }}\!\!\{\!\!{\text{ I}}{{{\text{D}}}_{{{R}_{1}}}}, {\text{I}}{{{\text{D}}}_{{{R}_{2}}}}, \cdots, {\text{I}}{{{\text{D}}}_{{{R}_{\rho }}}}{\text{ }}\!\!\}\!\!{\text{, }}\; M{\text{ = }}\!\!\{\!\!{\text{ }}{{m}_{1}}{\text{, }}{{m}_{2}}{\text{, }}\cdots {\text{, }}{{m}_{\rho }}{\text{ }}\!\!\}\!\!{\text{)}}$ from ${{A}_{1-1}}$, $\cal T$ searches $({\text{I}}{{{\text{D}}}_{S}}, p{{k}_{S}}, {{v}_{S}})$ from ${\text{I}}{{{\text{D}}}_{S}}$. If ${{v}_{S}} = 1$, $\cal T$ ends the game. If ${{v}_{S}} = 0$, $\cal T$ has generated private key $s{{k}_{S}}$ of ${\text{I}}{{{\text{D}}}_{S}}$. $\cal T$ executes public key query of ${\text{I}}{{{\text{D}}}_{{{R}_{i}}}}(1\le i\le n)$ to obtain $({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, p{{k}_{{{R}_{i}}}})$, then runs signcrypt algorithm to generate ciphertext $({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, C = \{{{c}_{{{R}_{1}}}}, {{c}_{{{R}_{2}}}}, \cdots, {{c}_{{{R}_{n}}}}\})$ and sends it to ${{A}_{1-1}}$.

xi) Unsigncrypt query: After the challenger $\cal T$ receives ${\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}$ from ${{A}_{1-1}}$ and ciphertext ${{c}_{{{J}_{{{R}_{i}}}}}}$ unsigncrypt query, executes public key query of ${\text{I}}{{{\text{D}}}_{S}}$ and proceed as follows.

If $({\text{I}}{{{\text{D}}}_{S}}, p{{k}_{S}}, {{v}_{S}})\in {{L}_{pk}}$ and ${{v}_{S}} = 0$, $\cal T$ executes private key query of ${\text{I}}{{{\text{D}}}_{{{R}_{i}}}}$ to obtain private key $s{{k}_{{{R}_{i}}}}$. $\cal T$ runs unsigncrypt algorithm to get ${{{m}'}_{{{R}_{i}}}}\parallel {\text{I}}{{{\text{D}}}_{S}} = {{c}_{{{J}_{{{R}_{i}}}}}}\oplus {{{K}'}_{{{R}_{i}}}}$, ${{{\tau }'}_{{{R}_{i}}}} = {{H}_{4}}({\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{{m}'}_{i}}, {{A}_{S}}, C{{T}_{1}})$ and ${{{\mu }'}_{{{R}_{i}}}} = {{H}_{5}}({\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{{m}'}_{i}}, {{{W}'}_{{{R}_{i}}}}, {{{\tau }'}_{{{R}_{i}}}}, C{{T}_{1}})$. If ${{v}_{S}} = 1$, $\cal T$ executes ${{H}_{3}}$, ${{H}_{4}}$ and ${{H}_{5}}$ queries to obtain $({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{W}_{{{R}_{i}}}}, {{K}_{{{R}_{i}}}})$, $({\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{{m}'}_{i}}, {{A}_{S}}, C{{T}_{1}}, {{{\tau }'}_{{{R}_{i}}}})$ and $({\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{{m}'}_{i}}, {{{W}'}_{{{R}_{i}}}}, {{{\tau }'}_{{{R}_{i}}}}, C{{T}_{1}}, {{{\mu }'}_{{{R}_{i}}}})$ from list ${{L}_{3}}$, ${{L}_{4}}$, ${{L}_{5}}$. Then $\cal T$ calculates ${{{m}'}_{{{R}_{i}}}}\parallel {\text{I}}{{{\text{D}}}_{S}} = {{c}_{{{J}_{{{R}_{i}}}}}}\oplus {{{K}'}_{{{R}_{i}}}}$. If there exists ${{{v}'}_{{{R}_{i}}}}P = {{{\tau }'}_{{{R}_{i}}}}\cdot (p{{k}_{S}}+{{P}_{pub}}h_{1}^{S})+{{{\mu }'}_{{{R}_{i}}}}\cdot {{A}_{S}}$, then sends ${{{m}'}_{{{R}_{i}}}}$ to ${{A}_{1-1}}$. Otherwise, the ciphertext is incorrect, $\cal T$ ends the game.

If $({\text{I}}{{{\text{D}}}_{S}}, p{{k}_{S}}, {{v}_{S}})\notin {{L}_{pk}}$, then the public key of ${\text{I}}{{{\text{D}}}_{S}}$ has been replaced before.

Use ${\text{I}}{{{\text{D}}}_{{{R}_{i}}}}$ and ${\text{I}}{{{\text{D}}}_{S}}$ as index values to obtain $({\text{I}}{{{\text{D}}}_{S}}, p{{{k}'}_{S}}, {{P}_{pub}}, {{h'}_{1}}^{S})\in {{L}_{1}}$, $({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{W}_{{{R}_{i}}}}, {{K}_{{{R}_{i}}}})\in {{L}_{3}}$, $({\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{{m}'}_{i}}, {{A}_{S}}, C{{T}_{1}}, {{{\tau }'}_{{{R}_{i}}}})\in {{L}_{4}}$ and $({\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{{m}'}_{i}}, {{{W}'}_{{{R}_{i}}}}, {{{\tau }'}_{{{R}_{i}}}}, C{{T}_{1}}, {{{\mu }'}_{{{R}_{i}}}})\in {{L}_{5}}$ from ${{L}_{1}}$, ${{L}_{2}}$, ${{L}_{3}}$ and ${{L}_{5}}$. Then $\cal T$ calculates ${{{m}'}_{{{R}_{i}}}}\parallel {\text{I}}{{{\text{D}}}_{S}} = {{c}_{{{J}_{{{R}_{i}}}}}}\oplus {{{K}'}_{{{R}_{i}}}}$. If there exists ${{{v}'}_{{{R}_{i}}}}P = {{{\tau }'}_{{{R}_{i}}}}\cdot (p{{k}_{S}}+{{P}_{pub}}h_{1}^{S})+{{{\mu }'}_{{{R}_{i}}}}\cdot {{A}_{S}}$, then $\cal T$ sends ${{{m}'}_{{{R}_{i}}}}$ to ${{A}_{1-1}}$. Otherwise, the ciphertext is incorrect, $\cal T$ ends the game.

3) Challenge phase

The attacker ${{A}_{1-1}}$ selects the identity ${\text{(I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}{\text{)}}$ of the ciphertext sender and the ciphertext receiver and two plaintexts $({{m}_{0}}, {{m}_{1}})$ of the same length. Then, he conveys information about the challenge to the challenger $\cal T$. When $\cal T$ receives the challenge information from ${{A}_{1-1}}$, he learns the identity information ${\text{(I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}{\text{)}}$ and plaintext information $({{m}_{0}}, {{m}_{1}})$. First, the public key generation query about ${\text{I}}{{{\text{D}}}_{S}}$ is executed to obtain the corresponding $({\text{I}}{{{\text{D}}}_{S}}, p{{k}_{S}}, {{v}_{S}})$ from ${{L}_{pk}}$. Then, according to the value ${{v}_{S}}$ of the query, different operations are performed. If the result shows ${{v}_{S}} = 0$, game over. Otherwise, $\cal T$ randomly selects $\tau \in \{0, 1\}$ and $b, v_{{{R}_{i}}}^{*}, \tau _{{{R}_{i}}}^{*}, \mu _{{{R}_{i}}}^{*}\in Z_{p}^{*}$. Then, $\cal T$ calculates ${{A}_{S}} = bP$ and $v_{{{R}_{i}}}^{*} = \tau _{{{R}_{i}}}^{*}\cdot s{{k}_{S}}+\mu _{{{R}_{i}}}^{*}\cdot {{\alpha }_{S}}$. $\cal T$ selects ${{{W}'}_{{{R}_{i}}}}\in G$ and finds ${{{K}'}_{{{R}_{i}}}}$ from ${{L}_{3}}$. At last, $\cal T$ calculates ${{c}_{{{R}_{i}}}} = ({{m}_{\tau }}\parallel {\text{I}}{{{\text{D}}}_{S}})\oplus {{{K}'}_{{{R}_{i}}}}$ and sends ciphertext information $\{{{c}_{{{R}_{i}}}}, p{{k}_{{{R}_{i}}}}\}$ to the attacker ${{A}_{1-1}}$.

4) The guessing phase

After receiving the message $\{{{c}_{{{R}_{i}}}}, p{{k}_{{{R}_{i}}}}\}$ from the challenger $\cal T$, the attacker ${{A}_{1-1}}$ guesses the value of ${\tau }'\in \{0, 1\}$. If ${\tau }' = \tau$, the solution $abP = \frac{1}{h_{1}^{S}}(\frac{v_{{{R}_{i}}}^{*}-\mu _{{{R}_{i}}}^{*}b}{\tau _{{{R}_{i}}}^{*}}-({{\vartheta }_{1}}+{{\vartheta }_{2}})){{A}_{S}}$ of the CDH problem can be output. Otherwise, $\cal T$ does not solve the CDH problem. Then, $\cal T$ simulates the attack in real scene. If the $\cal T$ never ends the game from beginning to end, and the attacker ${{A}_{1-1}}$ breaks the confidentiality of the scheme in this paper with an unnegligible advantage $\varepsilon$, the $\cal T$ outputs an effective solution to the CDH problem. Assuming that the attacker ${{A}_{1-1}}$ never makes a private key generation query about the identity ${\text{I}}{{{\text{D}}}_{S}}$ to be challenged, it is represented by event $E$. That is, $\Pr (E) = 1-\frac{{{q}_{{\text{SK}}}}}{{{2}^{k}}}$ exists. The signcryption phase of the algorithm is not ended by the event ${E}'$. That is, $\Pr ({E}') = {{(1-\delta)}^{{{q}_{{\text{S}}}}}}$ exists. The challenge phase algorithm is not ended with event ${E}''$. That is, $\Pr ({E}'') = \delta$ exists. Then, the whole simulation process ends normally, and the probability of non-stop is at least $\Pr (E\wedge {E}'\wedge {E}'') = (1-\frac{{{q}_{{\text{SK}}}}}{{{2}^{k}}}){{(1-\delta)}^{{{q}_{{\text{S}}}}}}\delta$. Because of $\delta = \frac{1}{{{q}_{{\text{S}}}}+1}$, when ${{q}_{{\text{S}}}}$ is large enough, there exists ${{(1-\delta)}^{{{q}_{{\text{S}}}}}}\to {{{\text{e}}}^{-1}}$. Where ${\text{e}}$ denotes the base of the natural logarithm, So there is $\Pr (E\wedge {E}'\wedge {E}'')\ge (1-\frac{{{q}_{SK}}}{{{2}^{k}}})\frac{\varepsilon }{{\text{e}}({{q}_{{\text{S}}}}+1)}$.

From what has been discussed above, $\cal T$ never terminates in the whole simulation process, and ${{A}_{1-1}}$ can break the confidentiality of the scheme in polynomial time with a non-negligible probability $\varepsilon$. Then $\cal T$ can solve the CDH problem with probability $Adv_{{{A}_{1-1}}}^{T}(k)\ge (1-\frac{{{q}_{SK}}}{{{2}^{k}}})\frac{\varepsilon }{{\text{e}}({{q}_{{\text{S}}}}+1)}$.

Theorem 3. Type $\Pi$ Attacker ${{A}_{2-1}}$ selects the confidentiality under ciphertext attack.

In the random oracle model, there is an attacker ${{A}_{2-1}}$ in the case of up to ${{q}_{S}}$ signcryption queries and ${{q}_{{\text{SK}}}}$ private key generation queries. He can win the game in Definition 2 in polynomial time under a non-negligible probability $\varepsilon$. If the above conditions hold, there is a challenger $\cal T$ that can successfully solve the CDH problem in polynomial time with the probability $Adv_{{{A}_{2-1}}}^{T}(k)\ge (1-\frac{{{q}_{SK}}}{{{2}^{k}}})\frac{\varepsilon }{{\text{e}}({{q}_{{\text{S}}}}+1)}$. Note that the probability $Adv_{{{A}_{2-1}}}^{T}(k)$ can not be ignored. The proof idea is the same as Theorem 2, which is no longer explained.

5.2.   Unforgeability

Theorem 4. Type Ⅰ attacker ${{A}_{1-2}}$ selects the unforgeability under message attack.

In the random oracle model, there is an attacker ${{A}_{1-2}}$. In the case of at most ${{q}_{S}}$ signature queries, the game in Definition 3 is won in polynomial time with a non-negligible probability $\varepsilon$. If the above situation exists, there is a challenger $\cal T$ that can successfully solve the DL problem in polynomial time with the probability of $Adv_{{{A}_{1-2}}}^{T}(k)\ge \frac{\varepsilon }{{\text{e}}({{q}_{{\text{S}}}}+1)}$. Note that the probability $Adv_{{{A}_{1-2}}}^{T}(k)$ can not be ignored. Where $e$ is the base of the natural logarithm, and $k$ is the safety parameter.

Assuming that the solver of the DL problem is an algorithm, its work is to use an input challenge instance.

Proof Assuming that the solver of the DL problem is algorithm $\cal R$, its work is to obtain the value of $a$ by solving the input challenge instance $(P, aP)$, where $a\in Z_{p}^{*}$ and unknown. $\cal R$ selects ${{A}_{1-2}}$ as a subroutine and act as a challenger $\cal T$ to the game in Definition 3.

1) Init phase

$\cal T$ performs system initialization, sends $params = \{G, p, P, {{P}_{pub}}, {{H}_{0}}, {{H}_{1}}, {{H}_{2}}, {{H}_{3}}, {{H}_{4}}, {{H}_{5}}, F_{index}^{n}()\}$ to ${{A}_{1-2}}$, where ${{P}_{pub}} = aP$ ($a\in Z_{p}^{*}$ is master key and cannot be obtained by $\cal T$). $\cal T$ maintains lists ${{L}_{0}}, {{L}_{1}}, {{L}_{2}}, {{L}_{3}}, {{L}_{4}}, {{L}_{5}}, {{L}_{sk}}, {{L}_{pk}}$ that are initialized to empty, they are used to record the query results for ${{H}_{0}}, {{H}_{1}}, {{H}_{2}}, {{H}_{3}}, {{H}_{4}}, {{H}_{5}}$ private key generation and public key generation respectively.

2) Query phase

${{H}_{0}}, {{H}_{1}}, {{H}_{2}}, {{H}_{3}}, {{H}_{4}}, {{H}_{5}}$ query, public key generation query, private key generation query and replacement public key query are the same as the query process in Theorem 2.

i) Signature inquiry: When the challenger $\cal T$ receives a signcryption query ${\text{(I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{R}}{\text{ = }}\!\!\{\!\!{\text{ I}}{{{\text{D}}}_{{{R}_{1}}}}, {\text{I}}{{{\text{D}}}_{{{R}_{2}}}}, \cdots, {\text{I}}{{{\text{D}}}_{{{R}_{\rho }}}}{\text{ }}\!\!\}\!\!{\text{, }}\; M{\text{ = }}\!\!\{\!\!{\text{ }}{{m}_{1}}{\text{, }}{{m}_{2}}{\text{, }}\cdots {\text{, }}{{m}_{\rho }}{\text{ }}\!\!\}\!\!{\text{)}}$ from ${{A}_{1-2}}$, the $({\text{I}}{{{\text{D}}}_{S}}, p{{k}_{S}}, {{v}_{S}})$ corresponding to ${\text{I}}{{{\text{D}}}_{S}}$ is viewed from ${{L}_{pk}}$. If there is ${{v}_{S}} = 1$, then challenger $\cal T$ ends the game. If there is ${{v}_{S}} = 0$, then $\cal T$ has generated the private key $s{{k}_{S}}$ of ${\text{I}}{{{\text{D}}}_{S}}$. First, $\cal T$ performs a public key query on ${\text{I}}{{{\text{D}}}_{{{R}_{i}}}}(i\in [1, n])$ to obtain $({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, p{{k}_{{{R}_{i}}}})$. In the second place, $\cal T$ performs a signcryption algorithm to generate ciphertext $({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, C = \{{{c}_{{{R}_{1}}}}, {{c}_{{{R}_{2}}}}, \cdots, {{c}_{Rn}}\})$ and sends it to ${{A}_{1-2}}$.

ii) Signature verification inquiry: When the challenger $\cal T$ receives the signature verification query of ${\text{I}}{{{\text{D}}}_{S}}$, ${\text{I}}{{{\text{D}}}_{{{R}_{i}}}}$, ciphertext ${{c}_{{{R}_{i}}}}$ and message ${{m}_{{{R}_{i}}}}$ from ${{A}_{1-2}}$, the public key generation query is performed on ${\text{I}}{{{\text{D}}}_{S}}$ to obtain $({\text{I}}{{{\text{D}}}_{S}}, p{{k}_{S}}, {{v}_{S}})$. Then, the following operations are performed according to the value of ${{v}_{S}}$.

If there is $({\text{I}}{{{\text{D}}}_{S}}, p{{k}_{S}}, {{v}_{S}})\in {{L}_{pk}}$ and ${{v}_{S}} = 0$, $\cal T$ performs the decryption algorithm and sends the final result to ${{A}_{1-2}}$.

If there is $({\text{I}}{{{\text{D}}}_{S}}, p{{k}_{S}}, {{v}_{S}})\in {{L}_{pk}}$ and ${{v}_{S}} = 1$, $\cal T$ performs a private key generation query on ${\text{I}}{{{\text{D}}}_{{{R}_{i}}}}$ to obtain the corresponding private key $s{{k}_{{{R}_{i}}}}$, and performs a public key generation query on ${\text{I}}{{{\text{D}}}_{S}}$ to obtain the corresponding public key $({\text{I}}{{{\text{D}}}_{S}}, p{{k}_{S}}, {{v}_{S}})$. Furthermore, ${{H}_{1}}$ query operation is performed to get $({\text{I}}{{{\text{D}}}_{S}}, p{{k}_{S}}, {{P}_{pub}}, h_{1}^{S})$ and $({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, p{{k}_{{{R}_{i}}}}, {{P}_{pub}}, h_{1}^{{{R}_{i}}})$ from the list ${{L}_{1}}$. Then $\cal T$ performs ${{H}_{3}}$, ${{H}_{4}}$ and ${{H}_{5}}$ queries to get $({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{W}_{{{R}_{i}}}}, {{K}_{{{R}_{i}}}})$, $({\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{{m}'}_{i}}, {{A}_{S}}, {\text{s}}, C{{T}_{1}}, {{{\tau }'}_{{{R}_{i}}}})$ and $({\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{{m}'}_{i}}, {{{W}'}_{{{R}_{i}}}}, {{{\tau }'}_{{{R}_{i}}}}, C{{T}_{1}}, {{{\mu }'}_{{{R}_{i}}}})$ from the list ${{L}_{3}}$, ${{L}_{4}}$, ${{L}_{5}}$ respectively. If ${{{v}'}_{{{R}_{i}}}}P = {{{\tau }'}_{{{R}_{i}}}}\cdot (p{{k}_{S}}+{{P}_{pub}}h_{1}^{S})+{{{\mu }'}_{{{R}_{i}}}}\cdot {{A}_{S}}$, $\cal T$ replies the plaintext ${{{m}'}_{{{R}_{i}}}}$ to ${{A}_{1-2}}$. Otherwise, $\cal T$ indicates that the ciphertext message is incorrect and ends the game.

If there is $({\text{I}}{{{\text{D}}}_{S}}, p{{k}_{S}}, {{v}_{S}})\notin {{L}_{pk}}$, it is shown that the public key of ${\text{I}}{{{\text{D}}}_{S}}$ has been replaced before. At the moment, ${\text{I}}{{{\text{D}}}_{{{R}_{i}}}}$ and ${\text{I}}{{{\text{D}}}_{S}}$ are used as index values. $\cal T$ obtains $({\text{I}}{{{\text{D}}}_{S}}, p{{{k}'}_{S}}, {{P}_{pub}}, h_{1}^{S})$, $({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, p{{k}_{{{R}_{i}}}}, {{P}_{pub}}, h_{1}^{{{R}_{i}}})$, $({\text{I}}{{{\text{D}}}_{S}}, p{{{k}'}_{S}}, {{v}_{S}})$ and private key $s{{k}_{{{R}_{i}}}}$ from ${{L}_{1}}$, ${{L}_{pk}}$ and ${{L}_{sk}}$. Then $\cal T$ performs ${{H}_{3}}$, ${{H}_{4}}$ and ${{H}_{5}}$ queries and gets $({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{W}_{{{R}_{i}}}}, {{K}_{{{R}_{i}}}})$, $({\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{{m}'}_{i}}, {{A}_{S}}, C{{T}_{1}}, {{{\tau }'}_{{{R}_{i}}}})$ and $({\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{{m}'}_{i}}, {{{W}'}_{{{R}_{i}}}}, {{{\tau }'}_{{{R}_{i}}}}, C{{T}_{1}}, {{{\mu }'}_{{{R}_{i}}}})$ from Lists ${{L}_{3}}$, ${{L}_{4}}$, ${{L}_{5}}$ respectively. If ${{{v}'}_{{{R}_{i}}}}P = {{{\tau }'}_{{{R}_{i}}}}\cdot (p{{k}_{S}}+{{P}_{pub}}h_{1}^{S})+{{{\mu }'}_{{{R}_{i}}}}\cdot {{A}_{S}}$ is verified, $\cal T$ will reply plaintext message ${{{m}'}_{{{R}_{i}}}}$ to ${{A}_{1-2}}$. Otherwise, it indicates that the ciphertext message is incorrect, and $\cal T$ ends th game.

3) Forgery phase

After performing a limited number of the above queries, the attacker ${{A}_{1-2}}$ forges the ciphertext sender ${\text{I}}{{{\text{D}}}_{S}}$, and outputs about the ciphertext receiver ${\text{I}}{{{\text{D}}}_{R}}{\text{ = }}\!\!\{\!\!{\text{ I}}{{{\text{D}}}_{{{R}_{1}}}}{\text{, I}}{{{\text{D}}}_{{{R}_{2}}}}{\text{, }}\cdots {\text{, I}}{{{\text{D}}}_{{{R}_{\rho }}}}{\text{ }}\!\!\}\!\!{\text{ }}$ and a forged signature of the plaintext message $M = \{{{m}_{1}}, {{m}_{2}}, \cdots, {{m}_{\rho }}\}$. ${{A}_{1-2}}$ randomly selectes ${{\alpha }_{S}}\in Z_{p}^{*}$, and get ${{A}_{S}} = {{\alpha }_{S}}P$, and then calculates the $h_{1}^{{{R}_{i}}} = {{H}_{1}}({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, p{{k}_{{{R}_{i}}}}, {{P}_{pub}})$, ${{W}_{{{R}_{i}}}} = {{\alpha }_{S}}(p{{k}_{{{R}_{i}}}}+{{P}_{pub}}h_{1}^{{{R}_{i}}})$, ${{K}_{{{R}_{i}}}} = {{H}_{3}}({\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{W}_{{{R}_{i}}}})$ and ${{c}_{{{R}_{i}}}} = ({{m}_{{{R}_{i}}}}\parallel {\text{I}}{{{\text{D}}}_{S}})\oplus {{K}_{{{R}_{i}}}}$.

If the forgery attack of attacker ${{A}_{1-2}}$ is successful, then the challenger $\cal T$ enters the ${\text{I}}{{{\text{D}}}_{S}}$ query the list ${{L}_{pk}}$ to get $({\text{I}}{{{\text{D}}}_{S}}, p{{k}_{S}}, {{v}_{S}})$. At the end of the above process, $\cal T$ calculates $h_{1}^{S} = {{H}_{1}}({\text{I}}{{{\text{D}}}_{S}}, p{{k}_{S}}, {{P}_{pub}})$. If there is ${{v}_{S}} = 1$, then $\cal T$ obtains the solution of DL problem $a = {{(h_{1}^{S}\tau _{{{R}_{i}}}^{*})}^{-1}}(\upsilon _{{{R}_{i}}}^{*}-\mu _{{{R}_{i}}}^{*}{{\alpha }_{S}}-\tau _{{{R}_{i}}}^{*}({{x}_{S}}+{{d}_{S}}))$. If there is ${{v}_{S}} = 0$, then $\cal T$ ends the game. It is shown that $\cal T$ fails to solve the DL problem.

It is assumed that the challenger $\cal T$ never ends the game in the signature query phase and is represented by the event $E$. It indicates the existence of $\Pr (E) = {{(1-\delta)}^{{{q}_{{\text{S}}}}}}$. That is to say, the probability of not ending the game throughout the inquiry phase is ${{(1-\delta)}^{{{q}_{{\text{S}}}}}}$ and the probability of not ending the game in the forgery phase is $\delta$. Therefore, the probability of never ending from beginning to end is at least ${{(1-\delta)}^{{{q}_{{\text{S}}}}}}\delta$ in the whole game process. Because of $\delta = \frac{1}{{{q}_{{\text{S}}}}+1}$, when ${{q}_{{\text{S}}}}$ is large enough, there exists ${{(1-\delta)}^{{{q}_{{\text{S}}}}}}\to {{{\text{e}}}^{-1}}$. Accordingly, the probability that the game will not end until the final step is completed is at least $\frac{1}{{\text{e}}({{q}_{{\text{S}}}}+1)}$.

In summary, if $\cal T$ never terminates in the whole simulation process. ${{A}_{1-2}}$ can break the unforgeability of the scheme in polynomial time with a non-negligible probability $\varepsilon$. It shows that $\cal T$ can solve the DL problem with probability $Adv_{{{A}_{1-2}}}^{T}(k)\ge \frac{\varepsilon }{{\text{e}}({{q}_{{\text{S}}}}+1)}$.

Theorem 5. Type $\Pi$ Attacker ${{A}_{2-2}}$ chooses unforgeability under message attack.

In the random oracle model, an attacker ${{A}_{2-2}}$ can obtain the victory of the game in Definition 4 in polynomial time with a non-negligible probability $\varepsilon$ in the case of at most ${{q}_{S}}$ signature queries. It is pointed out that there is a challenger $\cal T$ who can successfully solve the DL problem in polynomial time with the probability of $Adv_{{{A}_{2-2}}}^{T}(k)\ge \frac{\varepsilon }{{\text{e}}({{q}_{{\text{S}}}}+1)}$. Note that the probability $Adv_{{{A}_{2-2}}}^{T}(k)$ cannot be ignored, where $e$ is the base of the natural logarithm and $k$ is the security parameter.

The proof idea is the same as Theorem 4, which is no longer explained.

6.   Programme analysis

6.1.   Safety analysis

1) KGC leakage attack

In traditional certificateless signcryption schemes, the presence of a centralized KGC poses inherent vulnerabilities. If the KGC is illicitly compromised, it can have severe and far-reaching consequences. To overcome this limitation, the proposed solution introduces an alternative approach by leveraging smart contracts on the Ethereum blockchain to replace the original centralized and open KGC. This novel design mitigates the risks associated with unauthorized control over the KGC. By employing smart contracts on the Ethereum blockchain, the proposed solution offers enhanced security guarantees. An attacker attempting to manipulate the entire blockchain system would need to carry out a 51$%$ attack, which requires a significant amount of computational power. Statistical data reveals that the overall hash power on the Ethereum blockchain is approximately 314.96 TH/s, making it highly implausible for an attacker to acquire secret values or successfully compromise the blockchain system. Consequently, the proposed solution presented in this article effectively safeguards against attacks on the KGC, significantly improving the overall security of the certificateless signcryption scheme.

2) Internal privilege attack

It is assumed that the deployer of the smart contract acts as an attacker of the scheme and attempts to forge the legitimate signature of the user. However, due to the immutability of the blockchain, once the smart contract is deployed, it can only be destroyed. In addition, there is no way to modify the deployed contract code. Even if the deployer inside the smart contract knows the system master key of the scheme, it still cannot change the deployed smart contract. Therefore, this scheme can successfully defend against internal privilege attacks.

3) Replay attack

The replay attack is most likely to occur during the decryption phase. Assuming that the attacker continuously eavesdrops on the message communication between the ciphertext sender and the ciphertext receiver, all the signcryption ciphertexts generated or transmitted by the ciphertext sender may be intercepted by the attacker. If the current timestamp is not used, the attacker can replay the intercepted signcryption ciphertext to other unwanted ciphertext receivers for false identity decryption or other operations. Therefore, the improved scheme adds $C{{T}_{1}}$ to the ${{\tau }_{{{R}_{i}}}} = {{H}_{2}}({\text{I}}{{{\text{D}}}_{S}}, {\text{I}}{{{\text{D}}}_{{{R}_{i}}}}, {{c}_{{{R}_{i}}}}, {{A}_{S}}, {{X}_{{{R}_{i}}}}, C{{T}_{1}})$ of the partial ciphertext ${{V}_{{{R}_{i}}}}$. When the ciphertext receiver receives the ciphertext, it is necessary to check the timeliness of $C{{T}_{1}}$. Therefore, this scheme can resist potential replay attacks.

4) DDoS attack

In order to resist potential DDoS attacks, two counters $CT{{R}^{i}}_{Add{{r}_{ID}}}$ and $CT{{R}_{{\text{I}}{{{\text{D}}}_{{{R}_{i}}}}}}$ are added to the improved scheme. Moreover, each user using Ethereum has an address for trading. The counter $CT{{R}^{i}}_{Add{{r}_{ID}}}$ is used to check the frequency of the ciphertext sender. If the frequency of the user interface exceeds a predefined threshold, the current user interface will be blocked for some time. In the process of unsigncryption, $CT{{R}_{{\text{I}}{{{\text{D}}}_{{{R}_{i}}}}}}$ plays a similar role as $CT{{R}^{i}}_{Add{{r}_{ID}}}$. Therefore, this scheme can resist potential DDoS attacks.

5) MITM attack

Most of the existing schemes are designed under the assumption that the communication channel between the user interface and SC-KGC is secure, so the possible MITM attack is ignored. However, in the actual environment, such attacks often occur. In order to prevent attackers from intercepting and tampering with the messages transmitted in the channel, the improved scheme performs XOR processing on the user 's real identity ${\text{ID}}$. It makes ${\text{ID}}$ anonymized in the channel, unless the attacker can obtain the secret value ${{x}_{{\text{ID}}}}$ of the ID user or the system's master key $s$. In addition, some of the returned private key $xps{{k}_{i}}$ is protected by the correlation operation, where $xps{{k}_{i}} = {{d}_{i}}+s\cdot h_{1}^{i}+{{H}_{2}}({\text{I}}{{{\text{D}}}_{i}}, s\cdot {{X}_{i}})$. As a consequence, the proposed scheme can resist potential MITM attacks.

6) Key escrow security

In this paper, the KGC served by the smart contract SC-KGC is responsible for generating the user's partial key. The user inputs $({\text{PI}}{{{\text{D}}}_{i}}, {{X}_{i}})$ to call the partial key generation function, and SC-KGC generates the encrypted partial private key $xps{{k}_{i}}$ and its corresponding partial public key ${{D}_{i}}$. If SC-KGC wants to get the user's complete private key $s{{k}_{i}} = {{x}_{i}}+{{y}_{i}}$, the only way is to calculate ${{x}_{i}}$ from ${{X}_{i}}$. Howover, it is very difficult, similar to solving the DL problem. That is to say, SC-KGC cannot obtain the user 's complete private key through known information. Moreover, the partial private key $xps{{k}_{i}}$ generated by SC-KGC is only part of the user's partial private key ${{y}_{i}}$, and the user still needs to process after receiving $xps{{k}_{i}}$.

7) Non-repudiability

From Theorems 4 and 5, it can be seen that the scheme proposed in this paper is unforgeable for Type Ⅰ attacker ${{A}_{1-2}}$ selection message attack and Type $\Pi$ attacker ${{A}_{2-2}}$ selection message attack. It shows that third-party attackers cannot forge signcryption ciphertexts. After the ciphertext receiver receives the ciphertext information, the ciphertext is decrypted using the private key information and the sender's public information, and the decrypted message is verified. The ciphertext sender cannot deny the ciphertext he has signed, so the scheme in this paper has the characteristics of non-repudiation. The ciphertext sender cannot deny the ciphertext he has signed, so the scheme in this paper has the characteristics of non-repudiation.

8) Anonymity

In actual scenarios, third-party attackers usually use the captured ciphertext information to correlate with user identity information, and then launch Identity-Based traffic analysis attacks. In the scheme proposed in this paper, when the ciphertext sender generates a signcryption ciphertext, it will randomly generate a number ${{\alpha }_{S}}\in Z_{p}^{*}$ and calculate ${{A}_{S}} = {{\alpha }_{S}}P$. On this basis, the scheme will generate signcryption ciphertext. Because different values are randomly generated in each signcryption phase, each batch of ciphertext information is different. Furthermore, the signcryption phase not only processes the message, but also encrypts the identity and message of the ciphertext sender. The attacker cannot directly obtain the real identity of the ciphertext sender. Therefore, this scheme has anonymity.

6.2.   Performance analysis

This section will be explained from two parts. First, the security attribute analysis will be introduced. This part includes the theoretical basis of the signcryption scheme, the length of the generated ciphertext and the security. Second, the computational complexity of the scheme is analyzed. Next in importance, we give the computational complexity analysis of the scheme. The comparison of the time overhead obtained by simulation is shown. In order to facilitate comparison, this paper explains the required symbols, which are described in Table 2 below.

6.2.1.   Security analysis

Currently, cryptographic scheme research primarily focuses on discrete logarithm, elliptic curve, bilinear pairing operations and similar techniques. However, when considering equal security effectiveness, implementing discrete logarithm operations necessitates longer key lengths. As we primarily investigate the multi-message multi-receiver signcryption scheme for broadcasting purposes, which requires shorter ciphertext lengths, the scheme comparison in this section excludes schemes related to discrete logarithms. In addition, when comparing the length of ciphertext, the group order in the bilinear pair $e:{{G}_{1}}\times {{G}_{1}}\to {{G}_{2}}$ is set to $p$. That is, the total number of the elements in the set is $|{{G}_{p}}|$. The comparison results are shown in Table 3.

Figure 2 shows the change of ciphertext length when the number of receivers changes from 5 to 25. It can be found from the figure that the ciphertext length of the CMMSB scheme proposed in this paper is short and the overhead is small. Specifically, when setting the number of receivers and the number of senders masquerading identities, the ciphertext length of scheme ^[27] is 24,768 bits. The ciphertext length of the scheme ^[28] is 12,448 bit. The ciphertext length of scheme ^[29] is 8013 bits. The ciphertext length of the scheme ^[36] is 13,888 bit. The ciphertext length of the scheme ^[16] is 23,104 bits. The ciphertext length of CMMSB scheme is 13,216 bit. Compared with the schemes ^[28,29], the ciphertext length of the proposed CMMSB scheme is longer, but schemes ^[28,29] are unforgeable. Therefore, the CMMSB scheme proposed in this paper costs the least communication overhead under the premise of ensuring unforgeability and confidentiality.

6.2.2.   Computational complexity analysis

The computational complexity analysis mainly analyzes the time overhead of the signcryption scheme in both signcryption and decryption. Table 4 gives some values of related operations in the experimental environment: Intel G630, frequency 2.7 GHz, memory 4 GB (DDR3-1600 MHz), Windows 7 operating system. We used pbc 0.5.14 library and A-type elliptic curve parameters for computations and evaluated the average execution time of cryptographic operations. Due to the low computational overhead of modular addition, modular subtraction and hashing, it is not investigated here. We mostly count bilinear pairing operation, exponential operation, modular multiplication operation, modular inverse operation and time-consuming point addition and point multiplication operation on elliptic curve. The specific comparison results are shown in Table 5 and Figure 3.

Through Table 5 and Figure 3, it can be found that the CMMSB scheme proposed in this paper has the smallest computational complexity and the shortest time in the two stages of signcryption and decryption. Specifically, the computational complexity of the CMMSB scheme and the scheme ^[16] in the signcryption phase is the same and significantly smaller than the other two schemes. The computational complexity of the CMMSB scheme in the decryption phase is slightly less than that of the scheme ^[16]. It can be seen that the computational complexity of the scheme ^[36] and the CMMSB scheme at this stage is very small. However, due to the large difference in the signcryption stage, the computational complexity and time overhead of the CMMSB scheme are still small in the two stages of signcryption and decryption. On the whole, the CMMSB scheme proposed in this paper is slightly better than other schemes in terms of time overhead compared with the same type of scheme.

7.   Conclusions

We propose a certificateless multi-message multi-receiver signcryption scheme to establish secure communication among signcrypted messages. In this scheme, the blockchain-based smart contract algorithm functions as KGC within the CLC system. This approach effectively resolves the first type of forgery attack inherent in traditional KGC systems. To enhance communication concealment, the scheme incorporates encryption technology to obfuscate the user's identity. Furthermore, system-related parameters are disclosed on the blockchain during the specific design, mitigating the risk of potential attacks. By preventing unauthorized modification of system parameters, attackers are effectively thwarted. The performance evaluation of the proposed scheme encompasses various aspects, including the underlying mathematical basis, length of the signcryption ciphertext, unforgeability, confidentiality, as well as the computational costs of signcryption and decryption. The analysis demonstrates that our scheme exhibits significant advantages in terms of communication and time overhead. Furthermore, it guarantees both high security and concealment levels. In future work, we have two plans that address the importance of data security across various industries and the significant advancements in machine learning algorithms in recent years.

1). How to combine machine learning methods and algorithms to enhance data security. Moreover, how to use cryptography technology to ensure the security of communication and storage when protecting the privacy of user identity.

2). It is important to note that our proposed scheme has been proven secure under the random oracle model. Our next step is to extend the research and develop a multi-message multi-receiver scheme based on machine learning algorithms that can be proven secure in the standard model.

These plans will contribute to the advancement of data security by incorporating machine learning techniques and cryptographic protocols. Through academic research and experimentation, we aim to develop practical solutions that address the evolving challenges in ensuring data security and user privacy in various fields.

Use of AI tools declaration

This article does not use the Artificial Intelligence (AI) tools.

Acknowledgments

This work was supported in part by the National Natural Science Foundation of China (Nos. 62362059 and 62172337), the Industrial Support Plan Project of Gansu Provincial Education Department (No. 2023CYZC-09) and the Key Research and Development Program of Gansu Province (No. 23YFGA0081)

Conflict of interest

The authors declare there is no conflict of interest.