Heterogeneous Fault-Tolerant Aggregate Signcryption with Equality Test for Vehicular Sensor Networks

1  Introduction

In the past few years, the application of Internet of Things (IoT) devices has grown at a great lick, including Industrial Internet of Things (IIoT), intelligent supply chain, electronic medical, smart home and other aspects [1]. Among them, internet of vehicles is one of the most important applications, and the VSN is also one of the key research directions in the academic world. Through wireless communication technology, vehicle equipments effectively use all the dynamic data and information of vehicles in the information network platform. And diverse functional services will be provided by vehicle equipments in the operation control of vehicles.

In the environment of the VSN, massive private data generated by vehicles are transmitted in open channels, such as driving operations inside vehicles, information transmission between vehicles and between vehicles and the Internet. In this case, data confidentiality and transmission efficiency are crucial. At the same time, most IoT rely on cloud computing [2] for massive data processing and services, and strict authentication is required for data use. In this case, data confidentiality and user access are necessary. Therefore, maintaining high transmission efficiency and confidentiality of data is a very important challenge.

In 1976, Diffie [3] researched public key cryptography, and then proposed the concept of digital signature. Digital signature technology combines the identity information of the signer with the signed message, indicating that the signer has signed the message. The verifier can verify that the information is really signed by the signer. Moreover, forging a signature by imitating the signer is difficult. Later, certificate-based signature [4], identity-based signature [5–7] and certificateless signature (CLS) schemes [8–10] emerged successively. However, traditional digital signature has higher computational overhead and lower efficient, so it is not suitable for massive data.

Boneh et al. [11] conducted several research studies to raise verification efficiency and reduce storage capacity. Finally, an aggregate signature scheme was proposed in 2003. This scheme uses the properties of bilinear pairs to generate a short signature, which is more flexible, but it requires different messages to be signed and different participants, which has too many restrictions, higher resource cost and lower availability. Cheon et al. [12] proposed an aggregate signature based identity (IBAS) in 2004. Two certificateless aggregate signature schemes (CLAS) were proposed by Gong et al. [13]. After that, schemes for improvement were put forward in abundance. For example, PFCBAS and CL-DVAAS were proposed respectively by Verma et al. [14] and Deng et al. [15]. These two schemes do not need pair operation, which further improves the verification efficiency. In 2021, Han et al. [16] further improved the existing scheme and proposed an efficient pairing-free CLAS (eCLAS), which reduced the length of signature and the computation cost of verification process. Aggregate signature algorithm is convenient, and it greatly improves the efficiency of verification and effectively reduce the storage capacity. However, aggregate signatures still have two problems: first, the confidentiality of aggregate signatures is low; second, the invalidity of aggregate signatures will lead to the negation of all signatures.

To address the first problem of aggregate signature, Selvi et al. [17] first gave an aggregate signcryption scheme in 2009. Aggregate signcryption aggregates multiple signcrypted ciphertext into a single aggregate signcryption, and the recipient only needs to verify the aggregate signcryption. This means increases the confidentiality of aggregate signature and effectively controls the computation and communication costs [18–21]. In 2011, Lu et al. [22] presented certificateless aggregate signcryption (CLAS), which is based on bilinear mapping and verifiably meets confidentiality and unforgeability. Later, Ren et al. [23] gave a provably secure aggregate signcryption scheme based on identity, which greatly reduced communication overhead, but did not achieve complete aggregation. In 2020, Kim et al. [24] presented a certificateless aggregate signcryption. According to the security requirements and computer resource constraints of IoT, this scheme reduces the computation overhead, communication overhead and storage space, and solves the key aging problem. However, the majority of the existing aggregate signcryption schemes do not support fault tolerance function, and invalid signature will cause that all the aggregated signcrypted ciphertext fail to pass verification.

To address the second issue of aggregate signature, Hartung et al. [25] first presented the concept of fault-tolerant aggregate signatures in 2016, emphasizing fault-tolerant and not mentioning aggregate signature too much, but the scheme was not flexible enough to be applied in practice. In 2019, Wang et al. [26] proposed an improved fault-tolerant aggregate signature scheme with improved flexibility, but there are still defects, that is, all signatures may still be negated due to a certain or very few invalid signatures. Xiong et al. [27] proposed SECLS, a secure certificateless signature scheme. The scheme supports invalid signature recognition and batch verification. Zhao et al. [28] gave CLFTAS, certificateless fault-tolerant aggregate signature. These two schemes further made up for the defects of fault-tolerant aggregate signature, but when all signatures are valid, the two schemes have higher computation overhead and lower verification efficiency. Xiong et al. [29] proposed an efficient batch verification scheme, while focusing on invalid signature identification. In addition, most aggregate signature schemes do not consider unbounded scheme and do not support the case that the dynamic growth of the total number of signatures.

To ensure the availability of data and searchability, Boneh et al. [30] combined the function of a keyword search with public key encryption, and then presented PKE-KS. This scheme not only ensures data confidentiality, but also ensures data searchability. However, there is a problem: data can be searched if the keyword and data are encrypted using the same public key. Xiong et al. [31], Huang et al. [32] and Chen et al. [33] respectively gave solutions can solve the privacy problems caused by cloud servers (CSs), to achieve access control. Xiong et al. [34] and Mei et al. [35] respectively proposed solutions to the privacy problems of Internet of vehicles and blockchain. In 2010, Yang et al. [36] combined the function of equality test with public key encryption, and then presented PKE-ET. This scheme is not affected by the public key in the encryption process and can carry out equality test discretionarily between ciphertexts. Since then, many scholars have conducted in-depth studies in this field [37–39]. In 2020, Xiong et al. [40] improved this method and applied it to the IIoT environment, which realized data access control in a heterogeneous environment and further improved data security and confidentiality. After that, Xiong et al. [41] ameliorated the scheme further. Xiong et al. [42] revocable scheme and Wu et al. [43] key agreement scheme focus on key security.

For the sake of resolving the above problems, and considering heterogeneity in actual IoT environment, different entities may have different cryptographic environments, so it is necessary to design a fault-tolerant aggregate signcryption scheme that supports a heterogeneous environment.

As shown in Fig. 1, a vehicle in the PKI system (because the vehicle interior is the on-board unit with computing power and communication ability, so the vehicle can be called on-board unit (OBU)) signcrypts message by using the administrator’s ID and its own private key to form an individual signcryption, then sends it to the roadside unit (RSU). RSU implements fault-tolerant aggregate of multiple signcryptions and sends aggregate signcryption to CS. At the same time, CS receives trapdoor generated by the administrator in the IBC system. When a user wants to use some data in the IBC system, he encrypts the keywords with his own ID and the corresponding trapdoor, and then sends the encrypted messages to CS. CS determines user’s access rights by executing an equality test on the encrypted messages. If the user has right to access these data, CS will return the corresponding data to him.

Figure 1: System model

The detailed contributions of our paper are given below:

(1)   The paper constructs a heterogeneous fault-tolerant aggregate signcryption scheme with an equality test (HFTAS-ET). Aggregate signcryption function improves communication data confidentiality and reduces communication overhead. Fault-tolerant function not only tolerates invalid signatures and reduces the verification cost, but also realizes one verification pass when all signcryptions are valid. At the same time, it realizes an unbounded scheme when the number of signcryptions increases dynamically. The scheme supports heterogeneous environment to ensure its flexibility of the scheme, and provides the function of an equality test to control access rights of data in a heterogeneous environment ensuring the confidentiality and availability of data.

(2)   The security of the scheme is verified by strict theoretical analysis. Through detailed functional and performance comparisons, we have concluded that our scheme has better performance and higher efficiency than existing schemes.

(3)   This scheme is applicable to the VSN.

2  Preliminaries

2.1 Bilinear Pairing

Suppose G and GT are two cyclic groups and their prime orders both are p. P is a generator of G. Define a map e:G×G→GT satisfies the following three conditions:

(1)   Bilinearity: ∀m,n∈G and ∀x,y∈Zp∗, there exists e(xm,yn)=e(m,n)xy.

(2)   Nondegeneracy: ∃m,n∈G, such that e(m,n)≠1.

(3)   Computability: ∀m,n∈G, there is a viable calculation to compute e(m,n).

2.2 Mathematical Assumption

G and GT are two cyclic groups and their prime orders are both p. P is a generator of G. There is a bilinear map e:G×G→GT. For a random number x∈Zp∗, given (P,xP) to calculate e(P,P)1/x is called Bilinear Diffie-Hellman Inversion Problem (BDHIP).

BDHIA holds if there do not exist probabilistic polynomial-time adversary 𝒜 computing BDHIP with probability at least ε. This is called Bilinear Diffie-Hellman Inversion Assumption (BDHIA).

G is a cyclic group and its prime orders is p. P is a generator of G. For a random number x∈Zp∗, given (P,xP) to calculate (1/x)P is called Computational Diffie-Hellman Inversion Problem (CDHIP).

CDHIP holds if there do not exist probabilistic polynomial-time adversary 𝒜 computing CDHIP with probability at least ε. This is called Computational Diffie-Hellman Inversion Assumption (CDHIA).

2.3 Cover-Free Families

In our scheme, d-cover-free families (d-CFFs) is the basis of fault tolerance.

D-cover-Free Family: There exists two sets, one is 𝒳={x1,…,xm}, where ∣𝒳∣=m, and the other is 𝒟={D1,…,Dn}, where Di⊆𝒳, 1≤i≤n and ∣𝒟∣=n. These two sets form a set system ℱ=(𝒳,𝒟). A d-cover-free family (d-CFF(m, n)) can be represented a set system as follows: ∀Di0∈𝒟 and other Di1,…,Did∈𝒟, there exists Eq. (1).

Di0⊈∪k=1dDik(1)

If the characteristic vectors of subsets in 𝒟 are regared as columns of ℳ, then ℱ can be represented as a binary incidence matrix ℳ with m rows and n columns. Precisely, if xi∈𝒟, ℳi,k=1, and otherwise ℳi,k=0. ℳ is d-CFF when the corresponding set system is d-CFF.

Nested Family: (ℳ(λ))λ is regarded as a string of incidence matrices of d-CFFs (ℱλ)λ=((𝒳λ,𝒟λ))λ, and ℳ(λ)’s number of rows and columns is r(λ) and c(λ), respectively.

If 𝒳λ⊆𝒳λ+1, r(λ)≤r(λ+1), c(λ)≤c(λ+1), then ℳ(λ+1)=(ℳ(λ)𝒴𝒵𝒲), where 𝒴, 𝒵 and 𝒲 are all 0–1 matrices adapted to the size of ℳ, and 𝒵 consists of some rows of ℳ(λ), several rows of all ones and several rows of all zeros, then (ℳ(λ))λ can be regared as a nested family of d-CFFs incidence matrices.

3  System Model

3.1 Formal Definition

Our scheme contains eight algorithms:

(1)   Setup: It is executed by the private key generator (PKG) according to a number k called security parameter, which generates a collection of system public parameters and master secret key MSK.

(2)   PKI-Gen: It is executed by PKG according to input a randomly number chosen by a sender si in PKI system and further produces the corresponding secret key SKsi and public key PKsi.

(3)   IBC-Gen: It is executed by PKG according to input the ID of a receiver in IBC system and further produces the corresponding secret key SKr.

(4)   Trapdoor: Given secret key SKr as input, the receiver generates the corresponding trapdoor tpd.

(5)   Signcrypt: It is excuted by OBUs. The sender generates a signcryption σi using the sender’s secret key SKsi, a message Mi and the receiver’s identity ID for computation.

(6)   Aggregate: After receiving n senders, n corresponding signcryptions {σi}i=1n, the RSU aggregates all individual signcryptions into a single aggregate signcryption φ by the fault-tolerant aggregate algorithm on the basic of d-CFF.

(7)   Unaggregate: Given the fault-tolerant aggregate signcryption φ, the secret key of a receiver SKr, and the public key of n senders {SKsi}i=1n, PKG verifies the signcryption and outputs messages.

(8)   Test: After receiving signcryption σA and trapdoor tpdA of receiver A, signcryption σB and trapdoor tpdB of the receiver B, CS executed an equality test and produces the corresponding result.

In this scheme, the identity of the administrator is exclusively denoted by IDadmin. The scheme is performed as a signcryption scheme and the Signcrypt algorithm produces a signcryption of the message M, when ID=IDadmin. Otherwise, the scheme is performed as a general IBE scheme, the Signcrypt algorithm does not run digital signature and only produces encrypted ciphertext of M.

3.2 Security Model

Setup: After obtaining a security parameter k, challenger 𝒞 produces the system parameters by executing the Setup algorithm. Then, 𝒞 performs the PKI−Gen algorithm and gets public key and secret key pairs of n senders, {(PKsi#,SKsi#)}i=1n. Afterward, 𝒞 delivers them to adversary 𝒜1.

Phase I: 𝒜1 performs the following queries.

(1)   Key Generation Queries: After receiving the ID of the required query from 𝒜1, 𝒞 executes the IBC−Gen algorithm to get the result SKr, and finally sends it to 𝒜1.

(2)   Aggregate Queries: After receiving the {σi}i=1n of the required query from 𝒜1, 𝒞 executes the Aggregate algorithm to get the result φ, and finally sends it to 𝒜1.

(3)   Unaggregate Queries: After receiving the signcryption φ and receiver’s ID of the required query from 𝒜1, 𝒞 executes the Unsigncrypt algorithm to get the result, and finally sends it to 𝒜1.

Challenge: 𝒜1 sends a receiver’s identity ID# and some message M1,0#,M1,1#,{Mi}i=2n∈{0,1}∗ to 𝒞. In Phase I, 𝒜1 is not allowed to query the secret key of ID#. After that, 𝒞 chooses a number b∈{0,1}∗ at random, and sends φ# to 𝒜1 by executing Signcrypt and Aggregate algorithm.

Phase II: 𝒜1 is permitted for additional queries in Phase I. And the restriction is that the secret key of ID# and the plaintext of φ# can not be queried during this process.

Guess: 𝒜1 exports its own guess of b′.

Definition 1: If all IND-CCA2 adversaries 𝒜1 with the advantage that Adv(𝒜1)=|2Pr[b′=b]−1| can be ignored, then our HFTAS-ET scheme is deemed to be IND-CCA2 secure.

Setup: After obtaining a security parameter k, challenger 𝒞 produces the system parameters by executing the Setup algorithm. Then, 𝒞 performs the PKI−Gen algorithm and gets public key and secret key pairs of n senders, {(PKsi#,SKsi#)}i=1n. Afterward, 𝒞 delivers them to adversary 𝒜2.

Phase I: 𝒜2 performs the following queries.

(1)   Key Generation Queries: After receiving the ID of the required query from 𝒜2, 𝒞 executes the IBC−Gen algorithm to get the result SKr, and finally sends it to 𝒜2.

(2)   Trapdoor Queries: After receiving the required query from 𝒜2, 𝒞 executes the Trapdoor algorithm to get the result tpd, and finally sends it to 𝒜2.

(3)   Aggregate Queries: After receiving the {σi}i=1n of the required query from 𝒜2, 𝒞 executes the Aggregate algorithm to get the result φ, and finally sends it to 𝒜2.

(4)   Unaggregate Queries: After receiving the signcryption φ and receiver’s ID of the required query from 𝒜2, 𝒞 executes the Unsigncrypt algorithm to get the result, and finally sends it to 𝒜2.

Challenge: 𝒜2 sends a receiver’s identity ID# and some message M1#,{Mi}i=2n∈{0,1}∗ to 𝒞. In Phase I, 𝒜2 is not allowed to query the secret key of ID#. After that, 𝒞 chooses a number b∈{0,1}∗ at random, and sends φ# to 𝒜2 by executing Signcrypt and Aggregate algorithm.

Phase II: 𝒜2 is permitted for additional queries in Phase I. And the restriction is that the secret key of ID# and the plaintext of φ# cannot be queried during this process.

Guess: 𝒜2 exports its own guess of M1′.

Definition 2: If all OW-CCA2 adversaries 𝒜2 with the advantage that Adv(𝒜2)=|Pr[M1′=M1#]| can be ignored, then our HFTAS-ET scheme is deemed to be OW-CCA2 secure.

Setup: After obtaining a security parameter k, challenger 𝒞 produces the system parameters by executing the Setup algorithm. Then, 𝒞 performes the PKI−Gen algorithm and gets public key of a sender, PKs#. Afterward, 𝒞 delivers it to adversary 𝒜3.

Queries: 𝒜3 performs the following queries:

(1)   Key Generation Queries: After receiving the ID of the required query from 𝒜3, 𝒞 executes the IBC−Gen algorithm to get the result SKr, and finally sends it to 𝒜3.

(2)   Signcryption Queries: After receiving a plaintext M and a receiver’s ID of the required query from 𝒜3, 𝒞 executes the Signcryption algorithm to get the result σ, and finally sends it to 𝒜3.

Forgery: 𝒜3 exports a receiver’s ID# and a ciphertext of σ# that isn’t generated by the oracle of Signcryption. 𝒜3 wins if σ# is valid.

Definition 3: If all EUF-CMA adversaries 𝒜3 with the advantage that Adv(𝒜3)=|Pr[𝒜3wins]| can be ignored, then our HFTAS-ET scheme is deemed to be EUF-CMA secure.

4  Construction

4.1 The Construction

(1) Setup: Given a random number k as security parameter, PKG produces cyclic groups G and GT, which can be utilized to construct a bilinear map e:G×G→GT. P is a generator of G. Calculate E=e(P,P). Choose system master secret key MSK=(m1,m2), where m1,m2∈Zp∗. Calculate P1=m1P, P2=m2P. Pick these hash functions: H1:{0,1}∗→Zp∗, H2:GT×{0,1}∗→Zp∗, H3:GT→{0,1}∗, H4:GT→Zp∗, H5:{0,1}∗×Zp∗×GT3→{0,1}∗. The system parameters: <G,GT,e,P,P1,P2,E,H1,H2,H3,H4,H5>. Set the special function F(ID), the answer is 1 if ID=IDadmin, otherwise, the answer is 0.

(2) PKI-Gen: PKG input a number asi∈Zp∗ randomly chosen by the sender si in PKI system and produces the corresponding secret key SKsi=(1/asi)P and public key PKsi=asiP.

(3) IBC-Gen: PKG input ID of a receiver in IBC system and produces the corresponding secret key SKr=(SKr1,SKr2), where SKr1=(1/[H1(ID)+m1])P and SKr2=(1/[H1(ID)+m2])P.

(4) Trapdoor: Input the secret key SKr of a receiver, and output the corresponding trapdoor tpd=SKr2.

(5) Signcrypt: Given the SKsi of the sender, the plaintext Mi and the ID of a receiver, the sender calculate the corresponding signcryption according to the following steps:

   (a) Randomly pick (u1i,u2i)∈Zp∗.

   (b) Set k1i=Eu1i, k2i=Eu2i.

   (c) Calculate ti=H2(Mi,k1i⋅k2i).

Output the ciphertext σi=(α1i, α2i, α3i, α4i, α5i), where α1i=(Mi||u2i)⊕H3(k1i), α2i=(u2i⋅H1(Mi))⊕H4(k2i), α3i=u1i(H1(ID)P+P1), α4i=u2i(H1(ID)P+P2), and α5i=F(ID)(u1i+ti)SKsi.

(6) Aggregate: When receiving n signcryptions N={σi=(α1i,α2i,α3i,α4i,α5i)}i=1n from n senders {si}i=1n within its coverage, the RSU aggregates all individual signcryptions into a single aggregate signcryption by the following fault tolerant aggregation algorithm:

   (a) The α5i part of each ciphertext is extracted and denoted as Q, i.e., Q={α51,…,α5n}. Then construct the corresponding binary incidence matrix ℳ with r rows and n columns, while meeting d-CFF.

   (b) In the matrix ℳ, every column represents a signcryption, and every row represents a sub-validation. If ℳi,j=1, the i-th sub-validation (i.e., ε[i]) contains the j-th signcryption information α5j. Assuming that ε[j] is composed by {α5i}i=1ω of {σi}i=1ω, i.e., ε[j]=∑i=1ωα5i for (1≤j≤r).

   (c) Create a new position ε[0] that satisfies the full aggregation of α5i part in all signcryptions until that signcryption, i.e., ε [ 0 ]=∑i=1nα5i.

   (d) The core of aggregate signcryption ε=(ε[0],ε[1],…,ε[r]).

The fault-tolerant aggregate signcryption: φ=(α11,…,α1n,α21,…,α2n,α31,…,α3n,α41,…,α4n, ε[0], ε[1],…,ε[r])

Unbounded-fault-tolerant aggregate (N1, N2)

Let N1,N2 are two sets of α5i in two exclusive mergeable signcryptions. Assume that the dimension of Nk is nk, where k=1,2 and n1≤n2. Let Q1={α51,…,α5n1}, Q2={α51,…,α5n2}, and corresponding core of aggregate signcryption be ε1=(ε1[0],ε1[1],…,ε1[r]), ε2=(ε2[0],ε2[1],…,ε2[r]).

Let λk satisfies c(ℳ(λk−1)) <nk≤c(ℳ(λk)), and rk=r(ℳ(λk)) where k={1,2} and λ1≤λ2. ℳ is a submatrix of ℳ(λ2) and made up of the first n2 columns. Note that ℳ=(ℳ(λ1)𝒴𝒵𝒲), for matrices 𝒴,𝒵,𝒲 meeting the “nesting” attribute.

If one or both of the two sets Nk contain only one individual signcryption, εk is an individual α5k, then εk is expanded into a vector in the manner of Eq. (2), where j is the index of individual signcryption of Qk.

εk[i]={α5ki=0||(ℳ[i,j]=1&&1≤i≤rk)⊥other(2)

Aggregate the corresponding positions of ε1 and ε2 based on ℳ, if they are both vectors. Considering special row type of Z, there are three kinds of row index i: Type0(a row of zeros); Type1(a row of ones); Type2(a repeated row r of ℳ(λ1)). Expand ε1 to make it have the equal dimension as ε2, which is ε1[i] is itself if 1≤i≤n1 and ε1[i]=⊥ if n1+1≤i≤n2. After that, execute as the following.

(i)   for i=0, aggregate α5i part in all signcryptions to ensure that one verification pass in the case that all signcryptions are valid, as shown in Eq. (3).

ε[0]=ε1[0]+ε2[0](3)

(ii)   for i=1,…,r1, aggregate the corresponding signcryptions, as shown in Eq. (4).

ε[i]=ε1[i]+ε2[i](4)

(iii)   for i=r1+1,…,r2, as shown in Eq. (5).

ε[i]={ε2[i]Type0ε1[0]+ε2[i]Type1ε1[r]+ε2[i]Type2(5)

Aggregate with {α1i,N1,α2i,N1,α3i,N1,α4i,N1}i=1n1 of N1 and {α1i,N2,α2i,N2,α3i,N2,α4i,N2}i=1n2 of N2 to constitute the unbounded-fault-tolerant aggregate signcryption: φ=(α11,N1,…,α1n1,N1,α11,N2, …,α1n1,N2, α21,N1,…,α2n1,N1,α21,N2,…,α2n1,N2, α31,N1,…,α3n1,N1,α31,N2,…,α3n1,N2, α41,N1,…, α4n1,N1,α41,N2, …, α4n1,N2, ε[0],ε[1],…,ε[r2])

Output φ.

(7) Unaggregate: After receiving the fault-tolerant aggregate signcryption φ, the secretkey of a receiver SKr, and the public key of n senders {SKsi}i=1n, ε[j] is one of the values ε, where 0≤j≤r, and ε[j]=∑i=1ωα51i. The algorithm executes as follows:

for 1≤i≤ω,

   (a) k1i=e(α3i,SKr1), k2i=e(α4i,SKr2).

   (b) Mi||u2i=α1i⊕H3(k1i).

   (c) ti=H2(Mi,k1i⋅k2i).

      (i) When F(ID)=1, verify if α2i⊕(u2i⋅H2(Mi))=H4(k2i) and only if e(Σi=1ωα3i,SKr1)=e( ε [ 0 ],∑i=1ωPKsi)E−∑i=1tωi. If hold, all the signcryptions are valid. Meanwhile, create a new set called “The Valid Set” and add all the signcryptions to it. Then output {Mi}i=1n. Otherwise, at least one signcryption is invalid.

      (ii) When F(ID)=0, verify that α2i⊕(u2i⋅H2(Mi))=H4(k2i). If it holds, output Mi; if not, output ⊥.

(8) Sign: After receiving a sender’s signcryption σA=(α1A,α2A,α3A,α4A,α5A) and a receiver’s signcryption σB=(α1B,α2B,α3B,α4B,α5B). The signer calculates the following:

   (a) MA′=H5(α1A||α2A||α3A||α4A||α5A), MB′=H5(α1B||α2B||α3B||α4B||α5B).

   (b) Randomly pick (u1A′,u1B′)∈Zp∗.

   (c) Set k1A′=Eu1A′, k1B′=Eu1B′.

   (d) Calculate tA=H2(MA′,k1A′) and tB=H2(MB′,k1B′).

   (e) Generate σA’s signature σA′=F(ID)(u1A′+tA)SKsi, σB’s signature σB′=F(ID)(u1B′+tB)SKsi.

(9) Test: After receiving a sender’s ciphertext σA=(α1A,α2A,α3A,α4A,α5A), the signature σA′ and the corresponding tpdA, a receiver’s ciphertext σB=(α1B,α2B,α3B,α4B,α5B), the signature σB′ and the corresponding tpdB. The algorithm is executed as follows:

   (a) Verify if k1A′=e(σA′,PKsi)E−tA,k1B′=e(σB′,PKsi)E−tB. If hold, execute the algorithm according to the procedure below.

   (b) k2A=e(α4A,tpdA), k2B=e(α4B,tpdB).

   (c) ZA=α2A⊕H4(k2A), ZB=α2B⊕H4(k2B).

   (d) Check k2AZB=k2BZA. If it holds, it means that MA=MB.

4.2 The Identification of Invalid Signcryptions

Given the fault-tolerant aggregate signcryption φ=(α11,…,α1n,α21,…,α2n,α31,…,α3n,α41, …, α4n,ε[0],ε[1],…,ε[r]), the secretkey of a receiver SKr, and the public key of n senders {SKsi}i=1n, the verification result e(Σi=1ωα3i,SKr1)≠e(ε[0],∑i=1ωPKsi)E−∑i=1ωti.

(1)   Verify if e(Σi=1ωα3i,SKr1)=e(ε[j],∑i=1ωPKsi)E−∑i=1ωti, for each 1≤j≤r.

(2)   Let inve denote the number of the equation does not hold, 1≤inve≤r.

(3)   Let invs denote the number of invalid signcryption, 1≤invs≤n.

(4)   For each ω signcryptions in ε[x], 1≤x≤inve, verify if α2y⊕(u2y⋅H2(My))=H4(k2y), for 1≤y≤ω.

(5)   If not hold, this signcryption are not valid. Meanwhile, create a new sete called “The Invalid Set” and add the invalid signcryption to it. Then output Miinvs. Otherwise, the signcryption is considered valid and appended to “The Valid Set”.

5  Security Analysis

Theorem 1: Suppose that BDHIA holds. Our scheme HFTAS-ET is secure against IND-CCA2.

Proof. Suppose there is a challenger 𝒞 that can solve BDHIP problem and whose advantage is at least ε. The goal of 𝒞 is to compute e(P,P)(1/a), where a∈Zp∗ by knowing an instance (P,aP) of BDHIP. Suppose 𝒜1 can successfully break the HFTAS-ET scheme. A game was placed between challenger 𝒞 and adversary 𝒜1. The details of the operation are as given below:

Setup: 𝒞 chooses θ∈{1,…,ρH1}, Lθ∈Zp∗ and λ1,…,λθ−1,λθ+1,…,λρ∈Zp∗ at random, where ρH1 indicates the query times of ℋ1. Compute Li=Lθ−λi, where i=1,…,θ−1,θ+1,…,ρ. 𝒞 calculate the generator P∈G1 and two parameters F=aP, G=a′P by using its input, where a,a′∈Zp∗, and thus it knows ρ−1 pairs (λi,Ui=(1/(a+λi))P), (λi,Vi=(1/(a′+λi))P) for i∈{1,…,ρ}∖θ. Choose P1=−F−LθP=(−a−Lθ)P and P2=−G−LθP=(−a′−Lθ)P, where s1 and s2 are respectively set to s1=−a−Lθ∈Zp∗ and s2=−a′−Lθ∈Zp∗. (Li,−Ui)=(Li,(1/(Li+s1))P), (Li,−Vi)=(Li,[1/(Li +......s2)]P), where i∈{1,…,ρ}∖θ.

𝒞 sends system parameters, P1=−F−LθP=(−a−Lθ)P, P2=−G−LθP=(−a′−Lθ)P, as well as g=e(P,P) to 𝒜1. Afterward, 𝒞 returns {(PKsi#,SKsi#)}i=1n which is n senders’ public/secret-key pair generated by PKI-Gen algorithm.

Phase I: 𝒞 simulates the original empty ℋ1, ℋ2, ℋ3 and ℋ4 oracles by preserving LH1, LH2, LH3, and LH4 lists. Assume that each query of ℋ1 is different, and the identity ID# is delivered to ℋ1 at some point. When any other query uses ID, 𝒜1 will query ℋ1(ID) in advance. 𝒞 responds to 𝒜1 according to the following procedure:

(1)   ℋ1-Queries: π indexes these queries, and it is originally set to 1. After receiving a query with IDπ, 𝒞 gives Lπ and π to 𝒜1. Meanwhile, (IDπ,Lπ) is appended to LH1.

(2)   ℋ2-Queries: After receiving a query with (Mi,ki), 𝒞 judges whether (Mi,ki) exists in LH2. If so, 𝒞 delivers h2i to 𝒜1. Otherwise, 𝒞 selects h2i at random in Zp∗ and sends it to 𝒜1. In addition, 𝒞 get h3i=ℋ(k1i) and h4i=ℋ(k2i) by simulating the random oracle, where k1i⋅k2i=ki. Finally, 𝒞 calculates δi=k1i⋅e(P,P)h2i and adds (Mi,ki,k1i,k2i,δi,h2i) into LH2.

(3)   ℋ3-Queries: After receiving a query with k1i, 𝒞 judges whether k1i exists in LH3. If so, 𝒞 delivers h3i to 𝒜1. Otherwise, 𝒞 selects h3i at random in Zp∗ and sends it to 𝒜1. Meanwhile, (k1i,h3i) is appended to LH3.

(4)   ℋ4-Queries: After receiving a query with k2i, 𝒞 judges whether k2i exists in LH4. If so, 𝒞 delivers h4i to 𝒜1. Otherwise, 𝒞 selects h4i at random in Zp∗ and sends it to 𝒜1. Meanwhile, (k2i,h4i) is appended to LH4.

(5)   Key Generation Queries: After receiving a query with IDπ, 𝒞 searches the LH1 list. If π=θ, 𝒞 aborts. Otherwise, 𝒞 knows ℋ1(IDπ)=Lπ and delivers SKr1=[1/(Lπ+s1)]P, SKr2=[1/(Lπ+s2)]P to 𝒜1.

(6)   Aggregate Queries: After receiving a query with {σi=(α1i,α2i,α3i,α4i,α5i)}i=1n, 𝒞 simulates random oracle to obtain ε[0]=∑i=1nα5i and ε[j]=∑i=1ωα5i for 1≤j≤r on the basis of Aggregate step, and return φ=(α11,…,α1n,α21,…,α2n,α31,…,α3n,α41,…,α4n,ε[0],ε[1],…,ε[r]).

(7)   Unaggregate Queries: When receiving the query with φ=(α11,…,α1n,α21,…,α2n,α31,…,α3n,α41,…,α4n,ε[0],ε[1],…,ε[r]) and IDi of a receiver, 𝒞 judges whether i equals θ. If not, 𝒞 returns {Mi}i=1n based on Unaggregate. Otherwise, Eq. (6) holds.

log∑i=1nSKsi∗(ε[ 0 ]−∑i=1nh2i⋅SKsi#)=log(LiP+P1)∑i=1nα3i(6)

where h2,i=ℋ2(Mi,k1i⋅k2i).

Then, 𝒞 calculates δ=e(ε[0],LiP+P1) and searches LH2. If not found, φ is rejected. Otherwise, 𝒞 checks Eq. (7).

e(∑i=1nα3i,∑i=1nSKsi#)e(LiP+P1,ε[0])=e(LiP+P1,∑i=1nh2i⋅SKsi#)(7)

If it holds, return {Mi}i=1n; else, for 1≤j≤r, 𝒞 verifies Eq. (8)

e(∑i=1ωα3i,∑i=1ωSKsi#)e(LiP+P1,ε[j])=e(LiP+P1,∑i=1ωh2i⋅SKsi#)(8)

And return the valid set to 𝒜1.

Challenge: After receiving the receiver’s ID#, M1,0#,M1,1#,{Mi}i=2n∈{0,1}∗, the 𝒞 performs algorithm in the following step:

(1)   If IDi≠ID#, 𝒞 will abort.

(2)   Otherwise, 𝒞 respectively selects b and μ in {0,1}∗ and Zp∗ at random. φ#=(α11,…,α1n,α21,…,α2n,α31,…,α3n,α41,…,α4n, ε[0],ε[1],…,ε[r]) is the ciphertext to be challenged. α1i,α2i∈{0,1}∗, α3i=−μP, α4i∈G1, where 1≤i≤n. And ε[j]∈G1, where 1≤j≤r. And give σ# to 𝒜1. Let κ=μ/a and s1=−a−Lθ, so that for 1≤i≤n, we have Eq. (9).

α3i=−μP=−κaP=(Lθ+s1)κP=κLθP+κP1(9)

Phase II: 𝒜1 is permitted for additional queries in Phase I. And the restriction is that the secret key of ID# and the plaintext of φ# can not be queried during this process.

Guess: 𝒜1 exports its own guess b′∈{0,1}∗. 𝒞 randomly chooses a set (Mi,ki,k1i,k2i,δi,h2i) or (k1i,h3i) from LH2 list or LH3 list and gets f(y)=∑i=1ρ−1ciyi which is a polynomial in P=f(a)P^. Then outputs k1i=e(P,P)κ=e(P^,P^)f(a)2μ/a. If δ#=e(P^,P^)1/a, the BDHIP can be derived via Eq. (10).

e(P,P)1/a=δ#c02e(∑t=0ρ−2ct+1(atP^),c0P^)e(P,∑t=0ρ−2ct+1(atP^))(10)