on the rcca security of hybrid signcryption for internet...

Research ArticleOn the RCCA Security of Hybrid Signcryption forInternet of Things

Honglong Dai1 Ding Wang 12 Jinyong Chang 1 and Maozhi Xu1

1Peking University Beijing 100871 China2State Key Laboratory of Cryptology PO Box 5159 Beijing 100878 China

Correspondence should be addressed to Ding Wang wangdinggpkueducn

Received 31 August 2018 Accepted 28 October 2018 Published 12 November 2018

Guest Editor Weizhi Meng

Copyright copy 2018 Honglong Dai et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

With the rapid development of the Internet ofThings (IoT) a lot of sensitive information in our daily lives are now digitalized andopen to remote access The provision of security and privacy of such data would incur comprehensive cryptographic services andhas raised wide concern Hybrid signcryption schemes could achieve various kinds of cryptographic services (eg confidentialityauthenticity and integrity) with much lower cost than the combination of separate traditional cryptographic schemes with eachproviding a single cryptographic serviceThus hybrid signcryption schemes are very suitable for IoT environmentswhere resourcesare generally very constrained (eg lightweight sensors andmobile phones) To ensure that the overall hybrid signcryption schemeprovides adequate cryptographic service (eg confidentiality integrity and authentication) its parts of KEM (key encryptionmechanism) and DEM (data encryption mechanism) must satisfy some security requirements Chosen-ciphertext attack (CCA)security has been widely accepted as the golden standard requirement for general encryption schemes However CCA securityappears too strong in some conditions Accordingly Canetti et al (CRYPTO 2003) proposed the notion of replayable CCA security(RCCA) for encryption schemes which is a strictly weaker security notion thanCCA security and naturallymore efficientThis newsecurity notion has proved to be sufficient for most existing applications of CCA security eg encrypted password authenticationThis is particularly promising for IoT environments where security is demanding yet resources are constrained In this paper weexamine the RCCA security of the well-known SKEM+DEM style hybrid signcryption scheme by Dent at ISC 2005 Meanwhilewe also examine the RCCA security of the Tag-SKEM+DEM style hybrid signcryption scheme by Bjorstad and Dent at PKC 2006We rigorously prove that a hybrid signcryption scheme can achieve RCCA security if both its SKEM part and its DEM part satisfysome security assumptions

1 Introduction

With the booming development of wireless technologyInternet of Things (IoT) has seen its proliferation in variousapplications such as personal health government work andbattle surveillance How to ensure security and privacy ofthe sensitive data in these security-critical applications is achallenging issue because it would generally incur compre-hensive cryptographic services Hybrid signcryption schemescould achieve various kinds of cryptographic services (egconfidentiality authenticity and integrity) with much lowercost than the combination of separate traditional crypto-graphic schemes with each providing a single cryptographicservice [1] Thus hybrid signcryption schemes are very

suitable for IoT environments where resources are gener-ally very constrained (eg lightweight sensors and mobilephones)

The first signcryption scheme was proposed by Zheng [2]at CRYPTOrsquo97 The notion of confidentiality for a signcryp-tion scheme is analogous to an original encryption schemewhile the nonrepudiation service is analogous to a digitalsignature one [3] Since then various kinds of signcryptionschemes have been suggested At 2002 Lee [4] proposedidentity-based signcryption AtAsiaCCSrsquo08 Barbosa et al [5]proposed certificateless signcryption At IMACCrsquo13 Nakanoet al [6] presented two generic constructions of signcryptionin the standard model At 2017 Li et al [7] proposed asigncryption for cloud computing At PQCryptorsquo18 Sato et

HindawiWireless Communications and Mobile ComputingVolume 2018 Article ID 8646973 11 pageshttpsdoiorg10115520188646973

2 Wireless Communications and Mobile Computing

al [8] proposed lattice-based signcryption without randomoracles At the same time Datta et al [9] proposed thefunctional signcryption

In addition a number of signcryption schemes have beenproposed for the IoT environments (eg key establishmentover ATM networks [10] defense against fragment duplica-tion attack in 6LoWPAN networks [11] short signcryptionscheme for IoT [12] and provably secure signcryption forIoT [13]) Belguith et al [14] proposed privacy preservingattribute based signcryption for IoT

However in the traditional signcryption schemes thekeyed encapsulation encryption is generally notmade full useof and the length of messages is always related to the sign-cryption scheme Further the major weakness of asymmetricencryption schemes is that the computational efficiency isworse than these symmetric ones [15] Accordingly thenotion of hybrid signcryption is proposed Hybrid signcryp-tion uses a symmetric encryption scheme to improve theoverall performance and flexibility of asymmetric signcryp-tion Hybrid signcryption can simultaneously combine themain advantages of a public key encryption and a digitalsignature scheme with much lower cost when comparedwith traditional schemes [1 16] As sensor nodes in IoTare resource-constrained (eg limited battery power) anddeployed to run for years hybrid cryptography is particularlysuitable for data storage and transmission to achieve secureand efficient communication [17] At 2004 Dent [15] pro-posed a formal composition model for hybrid signcryptionand this model covers Zhengrsquos scheme [2] Later Bjorstadet al [18] proposed an improve signcryption scheme withtag-KEMs Li et al [19] proposed a certificateless hybridsigncryption scheme and Zhou [20] proposed an improvedcertificateless hybrid signcryption scheme Due to the usageof a symmetric encryption scheme to overcome the weak-ness and restricted message space of traditional asymmetricencryption schemes these hybrid signcryption schemes canmake the length of message independent of the security of theoverall signcryption scheme

Secure encryption is one of themost fundamental tasks incryptographic schemes while CCA security has been widelyaccepted as the golden standard requirement for encryptionschemes [21 22] However chosen-ciphertext attack securityappears to be too strong in many conditions there existmany encryption schemes that are not CCA secure but stillhave practical applications [23] Here we take a CCA securepublic key encryption scheme PKE as example We change itinto a public key encryption scheme PKErsquo which is equal topublic key encryption scheme PKE except that this encryptionoracle algorithm appends a bit 0 to each ciphertext and thedecryption oracle algorithm of PKErsquo discards this bit 0 of aciphertext Then one naturally obtains a different ciphertextdecrypted to the same message as the original one Howeverthis change takes no real consequence in most situationbecause the modified scheme PKE1015840 appears to be as secure asthe scheme PKE in most situations This example is also usedin [23]

Accordingly Canetti et al [23] proposed the RCCAsecurity notion at CRYPTO 2003 RCCA security is a strictlyweaker security notion than CCA security which has proved

to be abundant for most cryptographic primitives egencrypted password authentication [24] There are somestudies (eg [23 25]) about the RCCA security of hybridcryptography and there are also several studies (eg [2 3 15])about the CCA security of hybrid signcryption As far as weknow there is nowork about examining theRCCA security ofhybrid signcryption To fill the gap in this paper we considerthe RCCA security of hybrid signcryption and show thathybrid signcryption can achieve RCCA security (rather thanonly CCA security) based on certain conditions

11 Main Contributions In this paper we examine theRCCA security of the hybrid signcryption scheme Tag-SKEM+DEM [18] and the hybrid signcryption schemeSKEM+DEM [3] We will show the following (1) The hybridsigncryption scheme (SKEM+DEM) can be RCCA-secureif the scheme Tag-SKEM is RCCA-secure and the schemeDEM is RCCA-secure (2) The hybrid encryption scheme(Tag-SKEM+DEM) can be RCCA-secure if the signcryptionscheme Tag-SKEM is RCCA-secure and the scheme DEMis RCCA-secure Although our results might be expectedand somewhat straightforward we concretely confirm suchexpectations with a formal proof When giving our proofwe mainly use the hybrid game-based reduction techniquepresented in [26ndash28]

12 Related Works and Discussions It is obvious that if thehybrid signcryption scheme is going to provide an integrityand authentication service then its KEM part and DEMpart must satisfy some kind of security criterion Dent etal [15] examined the CCA security of hybrid signcryptionschemes (SKEM+DEM and Tag-SKEM+DEM) Chen et al[27] examined the RCCA security for hybrid encryptionscheme KEM+DEM Cui et al [29] gave two kinds ofRKA-secure signcryption schemes In 2017 Dai et al [30]considered the ECCA security for hybrid encryptions Tag-KEM+DEM and KEM+Tag-DEM Abe et al [26] provideda hybrid encryption scheme Tag-KEM+DEM and they pre-sented a useful way to get CCA secure hybrid encryptionsCramer et al [31] have shown that the hybrid encryptionscheme Tag-KEM+DEM is CCA secure if its KEM part isCCA secure and its DEM part is one-time secure

As for the scheme Tag-SKEM+DEM the ciphertext ofscheme DEM is a tag of the scheme Tag-SKEM one maythink that the security assumption of scheme SKEM couldbe weakened to chosen plaintext attack (CPA) security whenconsidering the RCCA security of signcryption As it isimpossible to make a simulation for the decryption oraclequery for an adversary when the adversary attacks the hybridsigncryption we leave it as an open problem that the securityof scheme SKEM and DEM could be relaxed to a weakersecurity (eg CPA) One may also think that with the RCCAsecurity of Tag-KEM and one-time security of DEM onecan get the RCCA security of hybrid signcryption schemeTag-KEM+DEM However the adversary cannot generateuseful challenge ciphers if the adversary does not changethe tag used for the scheme Tag-DEM In this paper whenproving our results we make a perfect simulation for theadversary who initiates a IND-RCCA experiment to hybrid

Wireless Communications and Mobile Computing 3

Table 1 The hybrid cryptology and their security notionlowast

Hybrid cryptology Security notion ReferenceKEM+DEM RCCA+RCCA997904rArrRCCA [27]KEM+DEM CCA+CCA997904rArrCCA [31]SKEM+DEM RCCA+RCCA997904rArrRCCA Section 32SKEM+DEM CCA+CCA997904rArrCCA [15]Tag-KEM+DEM CCA+one time security 997904rArrCCA [32]Tag-KEM+DEM RCCA+RCCA997904rArrRCCA [27]Tag-SKEM+DEM CCA+CCA997904rArrCCA [15]Tag-SKEM+DEM RCCA+RCCA997904rArrRCCA Section 34lowastKEM key encapsulation mechanism DEM data encapsulation mechanism

signcryption We summarise the hybrid cryptology and theirsecurity in Table 1

Organizations of the Paper In Section 2 we review somebasic notations and definitions In Section 3 we review thedefinition of general hybrid signcryption scheme SKEM+DEMand TagndashSKEM+ DEM and then we prove its RCCA security InSection 4 we review our main conclusions

2 Preliminaries

In this section we will review some useful notations andcryptographic primitives that will be used throughout thispaper

Notations We denote by 1120582 the security parameter and write119898 119877larr997888 119872 to denote the algorithm that picks an 119898 randomlyfrom the set 119872 PPT denotes probabilistic polynomial timewe write 119911 larr997888 119860(119909 119910 sdot sdot sdot ) to denote the algorithm that runsalgorithm A with inputs (119909 119910 sdot sdot sdot ) and then outputs 119911 Wedefine a function negl(120582) as negligible if for any constant 119888 gt0 there exits a 1198960 isin Z such that for all 120582 gt 1198960 negl(120582) lt 120582minus119888

21 RCCA Security Definition PKE = (Gen EncDec) is apublic key encryption (PKE) scheme that consists of threepolynomial-time algorithms

(i) Gen is key generation algorithm that inputs the secu-rity parameter 120582 and outputs a pair of publicprivatekeys (119901119896 119904119896)

(ii) Enc is PPT encryption algorithm that encrypts amessage 119898 into a ciphertext 119888

(iii) Dec is a deterministic decryption algorithm thatdecrypts a ciphertext 119888 and outputs either message 119898or a reject symbol perp

Now we define its RCCA security by describing the attackexperiment between a challenger and an PPT adversary A =(A1A2) with the following experiment

(i) Setup The adversary A queries Gen algorithm(119901119896 119904119896) larr997888 Gen(120582)

(ii) Stage 1 The adversary A1 queries a ciphertext 119888 toDec 119898 larr997888 Dec(119904119896 119888) and adversary A1 respondswith 119898

(iii) Challenge stage The adversary A1 queries a pairmessage (1198980 1198981) to Enc where |1198980| = |1198981| and thenthe challenger chooses a bit 119887 119877larr997888 0 1 computes thechallenge cipher Enc(119901119896119898119887) = 119888lowast and finally sendsthe challenge 119888lowast toA1

(iv) Stage 2The adversary A2 makes continuous queries119888 to Dec here we require that the cipher 119888 is notidentical to the challenge cipher 119888lowast The decryptionalgorithm runs 119898 larr997888 Dec(119904119896 119888) Finally if 119898 isin1198980 1198981 adversary A2 responds with 119905119890119909119905 or elseadversary A2 responds with 119898 or reject symbol perp

(v) Guess stageThe adversary A outputs 1198871015840 isin 0 1We let AdvINDminusRCCAPKEA (120582) = |Pr[119887 = 1198871015840] minus 12| in the above

experimentIf for any PPT adversary A the function AdvINDminusRCCAPKEA (120582)

is negligible we believe that PKE = (GenEnc Dec) is RCCA-secure

22 Signcryption Key Encryption Mechanism (SKEM) andIts RCCA Security Notions A signcryption key encryp-tion mechanism SKEM = (KEMGen119878 KEMGen119877 KEMEncKEMDec) is a asymmetric encryption scheme [3] whichconsists of the four algorithms with the following

(i) SKEMGen119878 is a PPT algorithm that inputs a securityparameter 1120582 and outputs the senderrsquos publicprivatekey (119904119896119878 119901119896119904)

(ii) SKEMGen119877 is a PPT algorithm that inputs a securityparameter 1120582 and outputs the receiverrsquos publicprivatekey (119904119896119877 119901119896119877)

(iii) SKEMEnc is a PPT encryption algorithm that inputsthe sendrsquos private key 119904119896119878 and the receiverrsquos public key119901119896119877 and outputs (K C) here K is a symmetric key andC is the key encapsulation of K

(iv) SKEMDec is a deterministic polynomial-timedecryption algorithm that inputs the senderrsquos publickey 119901119896119878 a key encapsulation c and the receiverrsquosprivate key 119904119896119877 and outputs either a key K or the errorsymbol perp

We now define its RCCA security by describing the attackexperiment this experiment is played by an adversary A =(A1A2) and the challenger


(i) SetupThe challenger queries a key generation oracleSKEMGen119878(120582) and SKEMGen119877(120582) The key generationoracle SKEMGen119878 runs (119901119896119878 119904119896119878) larr997888 SKEMGen119878(120582)and the key generation oracle SKEMGen119878 runs(119901119896119877 119904119896119877) larr997888 SKEMGen119877(120582) Finally the keygeneration oracle SKEMGen119878 and SKEMGen119877 sends(119901119896119877 119901119896119878) to adversary A

(ii) Stage 1 The adversary A1 inputs (119901119896119877 119901119896119878) andmakes queries to encapsulation oracle and decapsula-tion oracle For every decapsulation oracle algorithmquery the adversary A1 submits a ciphertext 120595 todecryption algorithm Dec K larr997888 Dec(119901119896119878 119904119896119877 120595)Finally responds the adversary A with K or perp

(iii) Challenge stage The challenger computes 120595lowast larr997888SKEMEnc(119904119896119878 119901119896119877 K1) chooses K0

119877larr997888 KK 120590 119877larr9978880 1 where KK is the key space |K0| = |K1| and sends(K120590 120595lowast) to adversary A1

(iv) Stage 2 The adversary A2 inputs (119901119896119877 119901119896119878) andmakes continuous queries 120595 to SKEMDec Here werequire that adversary A2 is not allowed to query(119901119896119878 119888lowast) to SKEMDec However we admit that adver-sary 1198602 can query SKEMDec on (1199011198961198781015840 119862) for any1199011198961198781015840 = 119901119896119878119894 and on (119901119896119878119894 119862) for any 119862 = 119862lowast Thedecryption oracle algorithm responds with K larr997888Dec(119904119896119877 119901119896119878 120595) Finally if K isin K0 K1 A2 isresponded with 119905119890119909119905 or elseA2 is responded with K

(v) Guess stage In the endA outputs a bit 1205901015840 isin 0 1In the attack experiment we let AdvINDminusRCCASKEMA (120582) = |Pr[120590 =1205901015840] minus 12| If for any PPT adversary A the functionAdvINDminusRCCASKEMA (120582) is negligible we say the signcryption schemeSKEM = (SKEMGen119877 SKEMGen119877 SKEMEnc SKEMDec) isRCCA-secure

23 Data Encryption Mechanism and Its IND-RCCA SecurityA signcryption data encryption mechanism DEM is a symmet-ric encryption scheme which consists of the following twoalgorithms DEMENC DEMDec

(i) DEMEnc 119888 larr997888 DEMEnc(K 119898) DEMEnc is a poly-nomial-time encryption algorithm DEMEnc encrypts119898 by using a key K and outputs the correspondingciphertext 119888

(ii) DEMDnc 119898 larr997888 DEMDec(K 119888) DEMDec is a polyno-mial-time decryption algorithm it inputs ciphertext120594 and decrypts the cipher 119888 by using the same key K

We define its INDndashRCCA security by describing the attackexperiment this experiment is played by an adversary A =(A1A2) and the challenger

(i) Setup 1Thechallenger chooses a key symmetric119870 119877larr997888119870119863

(ii) Challenge stage The adversary A queries (1198980 1198981)to DEMEnc |1198980| = |1198981| The challenger chooses119887 119877larr997888 0 1 computes the challenge cipher 119888lowast larr997888Enc(K 119898119887) and then sends the challenge cipher 119888lowast toadversary A

(iii) Setup 2The adversaryA2 continues to make queriescipher 119888 to Dec119898 larr997888 Dec(119888K) here 119888 is not equal tothe challenge cipher 119888lowast If119898 isin 1198980 1198981Dec respondsto adversary A with 119905119890119909119905 or else Dec responds toadversary A with 119898

(iv) Guess stage In the end the adversaryA outputs 1198871015840 isin0 1

WedefineAdvINDminusRCCADEMA (120582) = |Pr[119887 = 1198871015840]minus12| in the aboveexperiment

If for any PPT adversary A the function AdvINDminusRCCADEMA2(120582)

is negligible the scheme DEM is INDndashRCCA secure

3 The RCCA Security ofHybrid Signcryption Schemes

In this section we will recall the definition of hybrid sign-cryption which is adapted by Dent and An [15 33] Somedefinitions include the verification algorithm whose aim isto provide nonrepudiation However in their view nonre-pudiation is unnecessary for most cryptography applicationsand hence will not be discussed further Next we examinethe RCCA security for hybrid signcryption and consider theoutsider security (the adversary is third party neither sendernor receiver) of hybrid signcryption which is proposed byDent in [3]

31 SKEM+DEM Hybrid Signcryption Scheme and Its Relax-ing Chosen Cipher Attack Security SKEM = (SKEMGen119878SKEMGen119877 SKEMEnc SKEMDec) is signcryption key encap-sulation mechanism DEM = (DEMEncDEMDec) is dataencapsulation mechanism and hybrid signcryption schemeSKEM+DEM = (signcryptGen signcryptEnc signcryptDec) can be constructed from SKEM and DEM as follows

(i) signcryptGen(1120582) It runs receiverrsquos key genera-tion algorithm (119901119896119877 119904119896119877) larr997888 SKEMGen119877(1120582) andruns senderrsquos key generation algorithm (119901119896119878 119904119896119878) larr997888SKEMGen119878(1120582) Finally it outputs (119901119896119878 119904119896119878) and(119901119896119877 119904119896119877)

(ii) signcryptEnc(pk m) signcryptEnc is a PPTalgorithm that inputs the senderrsquos private key 119904119896119878a message m and the receiverrsquos public key 119901119896119877It chooses K larr997888 K119863 and computes 120594 larr997888SKEMEnc(119904119896119878 119901119896119877 K) here K119863 is the signcryptionscheme DEMrsquos key space Then it computes 120595 larr997888DEMEnc119870(119898) and the resulting signcryption is 119888 fl(120594 120595)

(iii) signcryptDec(sk c) the signcryptDecalgorithm inputs the senderrsquos public key 119901119896119878a cipher c and the receiverrsquos private key 119904119896119877It then parses cipher 119888 as 120595 120594 and runsK larr997888 TKEMDec(120595 119901119896119878 119904119896119877) 119898 larr997888 DEMDec119870(120594) Inthe end it outputs119898 or ldquorejectrdquo symbol perp


32 The RCCA Security of Hybrid Signcryption Schemes

Theorem 1 The hybrid signcryption scheme (SKEM + DEM)can be constructed from a signcryption scheme SKEM and ascheme DEM If the signcryption scheme SKEM is INDndashRCCAsecure and the signcryption scheme DEM is INDndashRCCA securethen hybrid signcryption scheme (SKEM + DEM) can achieveINDndashRCCA security For every given PPT adversary A thereexist probabilistic adversary A1 and adversary A2 such thatthe following conclusion holds

AdvRCCASKEM+DEMA (120582) le 2AdvRCCASKEMA1(120582) + AdvRCCADEMA2

(120582)

+ 11990211990410038161003816100381610038161198701198631003816100381610038161003816 (1)

Here we assume the adversary A1 at most makes the119902119904 queries to the encryption-decryption oracle the runningtimes ofA1 andA2 are equal to that of adversary A and119870119863is the signcryption scheme DEMrsquos key space

Proof Fix adversary A and 120582 A is a PPT INDndashRCCAadversary which attacks the hybrid signcryption schemeSKEM + DEM then we proved the theorem by the followingexperiments

Experiment0 This is an INDndashRCCA experiment on the sign-cryption scheme SKEM+DEM which is played by an adversaryA = (A1A2) and the challenger (We denote by 1198790 the eventof adversary A succeeding in this experiment)

(i) Setup The adversary A makes queries to key gen-eration algorithm (119901119896119877 119904119896119877) larr997888 SKEMGen119877(1120582)and makes queries to key generation algorithm(119901119896119878 119904119896119878) larr997888 SKEMGen119878(1120582) Finally it sends(119901119896119877 119901119896119878) to adversary A

(ii) Stage 1 The adversary A inputs a public key pair(119901119896119877 119901119896119878) and makes continuous queries to decryp-tion oracle algorithm For adversary A1015840s decryptionalgorithm query 119888 = (120595 120594) the adversary A1sends a cipher 119888 = (120595 120594) to the challenger C andthe challenger C runs decryption algorithm K larr997888SKEMDec(120595 119901119896119904 119904119896119877)119898 larr997888 DEMDec119870(120594) In theend the challenger responds toA1 with 119898

(iii) Challenge stageThe adversary A1 inputs (119901119896119877 119901119896119878)and queries (1198980 1198981) to an encryption oracleand the challenger chooses K1 larr997888 K119863 andchooses 119887 isin 0 1 Then the challenger computes120594 larr997888 SKEMEnc(119904119896119878 119901119896119877K1) and computes120595 larr997888 DEMEncK(119898119887) the signcryption 119888 fl (120594 120595)

(iv) Stage 2 The adversary A2 inputs (119901119896119877119894 119901119896119878119894) andmakes continuous queries 119888 = (120595 120594) to the challengerHere the adversary A2 is not admitted to query(119901119896119878 119888lowast) to the decryption oracle algorithm Butwe admit that adversary 1198602 can make a query tothe decryption oracle algorithm on (1199011198961198781015840 119862) for any1199011198961198781015840 = 119901119896119878119894 and on (119901119896119878119894 119862) for any cipher 119862 =119862lowast The challenger runs decryption oracle K larr997888SKEMDec(119901119896119878119894 119904119896119877119894 120595 120594) and 119898 larr997888 DEMDec119870119894 (120594)

If 119898 isin 1198980 1198981 the challenger responds to A2 with119905119890119909119905 or else responds toA2 with 119898(v) Guess stage In the end the adversary A outputs a

guessing bit 1198871015840 isin 0 1The following conclusion holds

AdvRCCASKEM+DEMA (120582) = 1003816100381610038161003816100381610038161003816Pr [119887 = 1198871015840] minus 121003816100381610038161003816100381610038161003816 =

1003816100381610038161003816100381610038161003816Pr [1198790] minus121003816100381610038161003816100381610038161003816 (2)

Experiment1 We now modify experiment 1198660 to obtain anew experiment 1198661 These two experiments are identicalexcept that we use a uniformly random key K0

119877larr997888 K119863 tocompute the challenge cipher 119862lowast = (120594lowast 120595lowast) in step 3 ofGame0 the challenge cipher 119862lowast = (120594lowast 120595lowast) is computed bythe encryption algorithm SKEMEnc(119904119896119878 119901119896119877K0) and 120595 larr997888DEMEnc119870(119898) Tomaintain consistency the challenger shoulduse the symmetric key K0 to answer the decryption oraclealgorithm query (119901119896119878 120594 ) Hence the distinction betweenexperiment 1198660 and experiment 1198661 mainly lies in how thescheme SKEM runs (Denote by 1198791 the sign of the adversaryA succeeding in this experiment) We have the followingconclusion

Lemma 2 There is an adversary A1 and its running timeis equal to the running time of adversary A the followingconclusion holds

1003816100381610038161003816Pr [1198791] minus Pr [1198790]1003816100381610038161003816 le 2AdvRCCASKEMA1(120582) + 1199021199041003816100381610038161003816K1198631003816100381610038161003816

(3)

Proof We prove the lemma by constructing an adversary A1who attacks the signcryption scheme SKEMThe adversaryA1simulates the environment for A their interactions can bedescribed as follows

(i) Setup The adversary A1 was given (119901119896119878 119901119896119877 K120590)and the adversary A1 sent (119901119896119878 119901119896119877) toA

(ii) Stage 1 The adversary A inputs (119901119896119878 119901119896119877) andmakes some queries c to the decryption oracle119898 larr997888Dec(119904119896119877 119901119896119878 119888) Finally A is reponded with 119898 orreject symbol perp

(iii) Challenge stageThe adversary A inputs (119901119896119878 119901119896119877)and queries (1198980 1198981) to an encryption oracle|1198980| = |1198981| The adversary A1 computes120594lowast larr997888 SKEMEnc(119904119896119878 119901119896119877 K1) and computes120595lowast larr997888 DEMEncK(119898119887) and finally the adversaryA1 sends the challenge cipher 119888lowast = (120595lowast 120594lowast) to theadversary A

(iv) Stage 2 The adversary A inputs (119901119896119878119894 119901119896119877119894) andmakes queries 119888 = (120595119894 120594119894) to decryption oraclealgorithm Here we require that A2 cannot query(119901119896119878 119888lowast) to the decryption oracle algorithm How-ever we admit that adversary 1198602 can query thedecryption oracle algorithm on (1199011198961198781015840 119862) for any1199011198961198781015840 = 119901119896119878119894 and on (119901119896119878119894 119862) for 119862 = 119862lowast Theadversary A1 runs

K119894 larr997888 SKEMDec (119901119896119878119894 119904119896119877119894 120594119894 120595119894) 119898 larr997888 DEMDec119870119894 (120595119894)

(4)


Finally if 119898 isin 1198980 1198981 A2 responds with 119905119890119909119905 orelseA2 is responded with 119898

(v) Guess stageThe adversary A outputs a guessing bit1198871015840 isin 0 1 andA1 outputs 1205901015840 = 1198871015840 in the end

This has completed the construction of A1 By descrip-tion we can see that the adversary A1 played a perfectlysimulated decryption for adversary A unless the cipher120595lowast is decrypted to K1 and test is returned by the correctanswer from the decryption oracle SKEMDec for every queryHowever the probability of this event is 1|K119863| since in thatcase the key K1 is uniformly random and independent of theopinion of the adversary A1 for each such query

(i) If 120590 = 0 we can obtain that cipher 120594 is computedby a random key K0 meanwhile the opinion of theadversary A is equal to that in Experiment0

(ii) If 120590 = 1 we can obtain that K1 is correspondingcorrect key embedded in the cipher 120595 meanwhilethe opinion of the adversary A is equal to that inExperiment1

Thus

AdvRCCASKEMA1(120582) = 1003816100381610038161003816100381610038161003816Pr [119887 = 1198871015840] minus 1

21003816100381610038161003816100381610038161003816 =

1003816100381610038161003816100381610038161003816Pr [1198790] minus121003816100381610038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [1205901015840 = 1 | 120590 = 1] minus Pr [1205901015840 = 1 | 120590 = 0]10038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [119887 = 1198871015840 | 120590 = 1] minus Pr [119887 = 1198871015840 | 120590 = 0]10038161003816100381610038161003816

ge 12100381610038161003816100381610038161003816100381610038161003816Pr [1198790] minus Pr [1198791] minus 1199021199041003816100381610038161003816K1198631003816100381610038161003816

100381610038161003816100381610038161003816100381610038161003816

(5)

We can get the following conclusion


(6)

Lemma 2 is proved

In the stage of experiment1198661 rsquos encryption and decryptionoracle algorithms we use a uniformly random key K0 so thechallenger cipher 120595lowast is not be decrypted From this pointwe notice that the challenge cipher 120594lowast is generated by usinga random symmetric key K0 in experiment 1198661 Meanwhilethe other cipher 120594 = 120594lowast is decrypted by using random keyK0 which has no other role in experiment 1198661 Hence inexperiment 1198661 the adversary A plays an adaptive replayablechosen ciphertext attack against (RCCA) the signcryptionscheme DEM in substance so the following conclusion holds

Lemma 3 There is a probabilistic adversary A2 and itsrunning time is equal to the running time of the adversary Asuch that the following conclusion holds

1003816100381610038161003816100381610038161003816Pr [1198791] minus121003816100381610038161003816100381610038161003816 le AdvRCCADEMA2

(120582) (7)

Proof The symmetric key K0 was chosen uniformly ran-domly and independently so the challenge cipher 120594 doesnot reveal related information about which message wasencrypted Hence to gain success in experiment 2 theadversary must learn some information from the challengercipher 120594 We prove Lemma 3 by constructing a probabilisticadversaryA2 who attacks the signcryption scheme DEM andA2 provides an environment for the adversary A Now wedescribe their interactions

(i) Setup The adversary A2 runs receiver key gen-eration algorithm (119901119896119877 119904119896119877) larr997888 SKEMGen119877(1120582)runs sender key generation algorithm (119901119896119878 119904119896119878) larr997888SKEMGen119878(1120582) and sends (119901119896119877 119901119896119878) toA

(ii) Stage 1TheadversaryA inputs (119901119896119877 119901119896119878) andmakesqueries ciphertext 119888 to a decryption oracle algorithmK larr997888 SKEMDec(119901119896119878 119904119896119877 120594) 119898 larr997888 DEMDec(K 120594)If119898 =perp the decryption oracle algorithm responds toadversary A with 119898 or reject symbol perp

(iii) Challenge StageTheadversaryA inputs a public keypair (119901119896119877 119901119896119878) and sends (1198980 1198981) to the adversaryA2 the adversary A2 chooses K1

119877larr997888 K119863 runs 120595lowast larr997888SKEMEnc(119901119896119878 119904119896R K1) and sends the challenge 119888lowast =(120595lowast 120594lowast) to A We notice that the symmetric key K1was chosen as the encryption key of scheme DEM andembedded in cipher 120595lowast which is uniformly randomand independent of each other

(iv) Stage 2 The adversary inputs (119901119896119877 119901119896119878) and makescontinuous queries 119888 = (120595 120594) to decryption oraclealgorithm Here we require that adversaryA2 cannotquery (119901119896119878 119888lowast) to the decryption oracle algorithmHowever we admit adversary 1198602 can make a queryto the decryption oracle algorithm on (1199011198961198781015840 119862) forany cipher 1199011198961198781015840 = 119901119896119878119894 and on (119901119896119878119894 119862) for any119862 = 119862lowast The adversary A2 uses the secret key 119904119896119877 torun the decryption oracle algorithm and answer thedecryption query 119888 = (120595 120594) of adversary A with thefollowing

(a) If 120595119894 = 120595lowast hence 120594119894 = 120594lowast Then Theadversary A2 runs the decryption oracle K larr997888SKEMDec(119901119896119878 119904119896119877 120594) If K =perp the adversaryA2 responds to A with perp or else 119898 larr997888DEMDec(K 120594) If 119898 isin 1198980 1198981 the adversaryA2 responds toAwith 119905119890119909119905 or elseA2 respondstoA with 119898

(v) Guess Stage Finally adversary A outputs a bit 1198871015840 isin0 1 andA2 also outputs a bit 1198871015840

This has completed the description of the adversary A2By our construction it is obvious that the adversary A2plays a perfectly simulated decryption for A and wheneverA gets success so does A2 We have the following conclu-sion


(120582) (8)


We can know that the advantage ofA in experiment0 is

AdvRCCASKEM+DEMA (120582) = 1003816100381610038161003816100381610038161003816Pr [1198790] minus121003816100381610038161003816100381610038161003816

le 2AdvRCCASKEMA1(120582) + AdvRCCADEMA2

(120582) (9)

which is negligible we have provedTheorem 1

33 TheHybrid Signcryption SchemeTag-SKEM+DEMand ItsRCCA Security

Definition 4 (signcryption scheme Tag-SKEM) A sign-cryption scheme TagndashKEM = (Gen119877 Gen119878 TagndashKEMEncTagndashKEMDec) consists of the following three algorithms

(i) TagndashKEMGen119878(1120582)TagndashKEMGen119878(1120582) is a PPT algo-rithm that inputs a security parameter 1120582 and outputsa pair of publicprivate keys (119904119896119878 119901119896119878)

(ii) TagndashKEMGen119877(1120582)TKEMGen119878(1120582) is a PPT algorithmthat inputs a security parameter 1120582 and outputs a pairof publicprivate keys (119904119896119877 119901119896119877)

(iii) An encryption algorithm TagndashKEMEnc It runs(120596K) larr997888 TagndashKEMKey(119901119896119877 119904119896119878) TagndashKEMKey(sdot)is a PPT algorithm that inputs the private key ofsender 119904119896119878 and public key of receiver 119901119896119877 and outputsone-time key K and Intermediate state information120596 Choose 119903 119877larr997888 0 1120582 and compute 120595 larr997888TKEMEnc(120596 119903 119901119896119877 119904119896119878 120591) TagndashKEMEnc is a PPTalgorithm that encrypts the key K (embedded in 120596)into cipher 120595 along with a tag 120591 isin 119879 and returns acipher 120595 here 120591 is called a tag

(iv) An decryption algorithm TagndashKEMDec K larr997888TagndashKEMDec(119901119896119878 119904119896119877 120595 120591) TKEMDec is a deter-ministic decryption verification algorithm for a sign-cryption cipher which inputs the receiverrsquos privatekey 119904119896119877 the cipher c the senderrsquos public key 119901119896119878 anda tag 120591 the decryption oracle TagndashKEMDec returns akey K or reject symbol perp

Definition 5 (hybrid signcryption scheme Tag-SKEM+DEM)The signcryption scheme

TagndashSKEM = (Gen119877 Gen119878 TKEMEnc TKEMDec) (10)

is a asymmetric encryption scheme and the signcryptionscheme DEM = (DEMEnc DEMDec) is a correspondingsymmetric encryption scheme [18]

Then the hybrid signcryption scheme

TagndashSKEM + DEM

= (Gensigncryptunsigncrypt) (11)

can be constructed as follows

(i) Key generation algorithm Gen(1120582) Gen119877(1120582) is aprobabilistic receiverrsquos key generation algorithm that

inputs a 1120582 and outputs the receiverrsquos publicprivatekey pair (119901119896119877 119904119896119877) we write this as (119901119896119877 119904119896119877) larr997888Gen119877(1120582) Gen119878(1120582) is a probabilistic receiver key gen-eration algorithm which takes a as input a securityparameter 1120582 and as output a receiverrsquos publicprivatekey pair (119901119896119878 119904119896119878) we write this as (119901119896119878 119904119896119878) larr997888Gen119878(1120582)

(ii) An encryption algorithm signcrypt TagndashSKEMKey(sdot) is a probabilistic algorithm that inputs thereceiverrsquos public key 119901119896119878 and outputs a symmetrickey K isin K119863 and the internal state information120596 (120596K) larr997888 TagndashSKEMKey(119901119896119878) Here K119863 isthe scheme DEMrsquos key space Then choose 119903 119877larr9978880 1120582 and compute 120594 larr997888 DEMEnc119870(119898) 120595 larr997888TagndashSKEMEnc(119901119896119878 119904119896119877 120596 119903 120594) Finally output thesigncrypt cipher 119888 = (120595 120594)

(iii) A decryption algorithm unsigncrypt First itparses the cipher 119888 to obtain 120595 120594 Next it computesK larr997888 TagndashSKEMDec(119904119896119877 119901119896119877 120595 120594) to obtain asymmetric key K and computes 119898 larr997888 DEMDec119870(120594)Finally it outputs themessage119898 or ldquorejectrdquo symbolperp

34 The RCCA Security of Hybrid Signcryption Scheme Tag-SKEM+DEM

Theorem 6 The hybrid signcryption scheme (TagndashSKEM +DEM) is constructed from a scheme TagndashSKEM and a schemeDEM If the signcryption scheme TagndashSKEM is INDndashRCCA secureand the signcryption scheme DEM is INDndashRCCA secure thenthe hybrid signcryption scheme (TagndashSKEM + DEM) is alsoINDndashRCCA secure For every PPT adversary A there areprobabilistic adversary A1 and adversary A2 whose runningtimes are essentially equal to that of adversaryA such that forall 120582 ge 0 the following holds

AdvRCCATagminusSKEM+DEMA (120582) le 2AdvRCCATagminusKEMA1(120582)

+ AdvRCCADEMA2(120582) + 1199021199041003816100381610038161003816K1198631003816100381610038161003816

(12)

Here we assume the adversary at most makes the 119902119904queries to the encryption-decryption oracle algorithm andK119863 is the scheme DEMrsquos key space

Proof We prove the theorem by constructing a PPT adversaryA who attacks the hybrid signcryption scheme TagndashSKEM +DEM with the following experiments (We denote by 119879119894 theevent of the adversary A succeeding in the 119894-th game)Experiment0 This is the INDndashRCCA experiment on thesigncryption scheme Tag- SKEM+DEM and this experiment isplayed between an adversaryA and the challenger as follows

(i) Setup The adversary queries a key generationoracle The challenger runs receiver key generationalgorithm (119901119896119877 119904119896119877) larr997888 TagndashSKEMGen119877(1120582) runssender key generation algorithm (119901119896119878 119904119896119878) larr997888TagndashSKEMGen119878(1120582) and responds to the adversaryAwith (119901119896119877 119901119896119878)


(ii) Stage 1 The adversary A inputs (119901119896119877 119901119896119878) andmakes continuous queries to decryption oracle algo-rithmTheadversaryA sends a cipher 119888 to the decryp-tion oracle algorithm and the decryption oraclealgorithm runs K larr997888 TagndashSKEMDec(119901119896119878 119904119896119877 120594 120595)119898 larr997888 DEMDec(K 120594) If 119898 =perp the decryption oraclealgorithm responds to A1 with perp or else responds toA1 with 119898

(iii) Challenge stage The adversary A1 inputs a pub-lic key pair (119901119896119877 119901119896119878) and queries (1198980 1198981) to anencryption oracle algorithm and then the challengerruns (120596K) larr997888 TagndashSKEMKey(119901119896119877119904119896119878) K isin K119863Then the challenger computes DEMEnc119870(1198980) = 120594lowastTagndashSKEMEnc(119901119896119877 119904119896119878 120596 120594lowast) = 120595lowast and sends thechallenge cipher 119888lowast = (120595lowast 120594lowast) to the adversary A1

(iv) Stage 2 The adversary A2 inputs a public key pair(119901119896119877119894 119901119896119878119894) and makes continuous queries 119888 = (120595 120594)to the challenger Here we require that adversary A2is not admitted to query (119901119896119878 119888lowast) to the decryptionoracle However we admit that adversary 1198602 canmake a query to the decryption oracle on (1199011198961198781015840 119862)for any public key 1199011198961198781015840 = 119901119896119878119894 and on (119901119896119878119894 119862) forany cipher 119862 = 119862lowast The challenger runs decryptionoracle

K larr997888 TagndashSKEMDec (119904119896119877119894 119901119896119878119894 120595 120594) 119898 larr997888 DEMDec119870 (120594)

(13)

Finally if 119898 isin 1198980 1198981 A2 responds with 119905119890119909119905 orelseA2 responds with 119898

(v) Guess stage In the end the adversary A outputs aguess bit 1198871015840 isin 0 1

Naturally the following holds

AdvRCCATagminusSKEM+DEMA (120582) = 1003816100381610038161003816100381610038161003816Pr [1198790] minus121003816100381610038161003816100381610038161003816

= 1003816100381610038161003816100381610038161003816Pr [119887 = 1198871015840] minus 121003816100381610038161003816100381610038161003816

(14)

Experiment1 We now modify Experiment0 to obtain anew Experiment1 this experiment is equal to the aboveexperiment except that we just use a random key K0

119877larr997888 K119863to encrypt the message 1198980 in step 3 of experiment0 hencewe get the following conclusion

Lemma 7 There exists a probabilistic adversary A1 and itsrunning time is equal to that of adversary A such that thefollowing conclusion holds

1003816100381610038161003816Pr [1198791] minus Pr [1198790]1003816100381610038161003816 le AdvRCCATagminusSKEMA1(120582) + 1199021199041003816100381610038161003816K1198631003816100381610038161003816

(15)

Here we assume the adversary at most makes the 119902119904queries to the encryption-decryption oracle algorithm

Proof We prove the lemma by constructing an adversary A1who attacks signcryption scheme Tag-SKEM The adversaryA1 simulates an environment for adversary A their interac-tions can be described as follows

(i) Stage 1 The adversary A2 was given (119901119896119877 119901119896119878 K120590)and at the same time (119901119896119877 119901119896119878)was sent to adversaryA

(ii) Stage 2 The adversary A inputs a public key pair(119901119896119877 119901119896119878) and makes continuous queries c to adecryption oracle algorithm Dec The decryptionoracle algorithm runs119898 larr997888 Dec(119901119896119878 119904119896119877 119888) Finallyif119898 =perpA responds with 119898 or reject symbol perp

(iii) Stage 3 The adversary A inputs a pair public key(119901119896119877 119901119896119878) and queries (1198980 1198981) to the encryptionoracle |1198980| = |1198981| The adversary A1 requires theencryptions oracle of scheme Tag-SKEM to obtain(K120590 120595lowast) The adversary A1 chooses 119887 isin 0 1and computes DEMEncS(119870120590 119898119887) = 120594lowast Finally theadversary A1 sends challenge cipher 119888lowast = (120595lowast 120594lowast) tothe adversary A

(iv) Stage 4 The adversary A inputs (119901119896119877119894 119901119896119878119894) andmakes continuous calls 119888 = (120595119894 120594119894) to decryptionoracle queryHere we require that adversaryA2 is notadmitted to query (119901119896119878 119888lowast) to the decryption oraclealgorithm However we admit that adversary 1198602 canmake a query to the decryption oracle on (1199011198961198781015840 119862)for any 1199011198961198781015840 = 119901119896119878119894 and on (119901119896119878119894 119862) for any 119862 =119862lowast The adversary A1 runs its own decryption oracleTagndashSKEMDec(119901119896119878 119904119896119877 ) to answer the adversaryArsquos decryption query as follows

(a) Ifperp is returned then the adversaryA1 respondstoA with perp

(b) If perp is returned and 120594119894 = 120594lowast thenA1 uses119870120590 todecrypt the cipher 120594(1) If1198980 or 1198980 is returned then the adversary

A1 responds toA with 119905119890119909119905(2) Otherwise A1 responds to A with the

result

(c) If 119905119890119904119905 is returned and cipher 120594119894 = 120594lowast then theadversary A1 responds toA with 119905119890119909119905

(d) If K1 is returned then the adversary uses K1 todecrypt the cipher 120594(1) If1198980 or 1198980 is returned then the adversary

A1 responds to adversary A with 119905119890119909119905(2) Otherwise A1 responds to adversary A

with the result

(v) Stage 5 In the end the adversary A outputs a guessbit 1198871015840 isin 0 1 andA1 outputs a bit 1205901015840 = 1198871015840

This has completed the description of A1 it is clearthat the adversary A1 plays a perfectly simulated decryptionfor A unless the cipher 120595lowast is decrypted to K1 and test isreturned by the correct answer from the decryption oracleTagndashSKEMDec for every query However the probability ofthis event is 1|K119863| since in that case the key K1 is randomand independent of the opinion of the adversary A1 for eachsuch query


(i) If 120590 = 0 we can know that random key K0 is used forcomputing the cipher 120594 and the view ofA is identicalto that in Experiment0 Accordingly Pr[1198871015840 = 119887 | 120590 =0] = Pr[1198792]

(ii) If 120590 = 1 we can know that the key K1 is the correctkey embedded in the cipher 120595 and the view of A isequal to that in Experiment1 Accordingly |Pr[1198871015840 =119887 | 120590 = 1] minus Pr[1198791]| le 119902119863|K119863|

Thus

AdvRCCATagminusSKEMA1(120582) = 1003816100381610038161003816100381610038161003816Pr [1198790] minus

121003816100381610038161003816100381610038161003816

= 1003816100381610038161003816100381610038161003816Pr [119887 = 1198871015840] minus 121003816100381610038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [1205901015840 = 1 | 120590 = 1] minus Pr [1205901015840 = 1 | 120590 = 0]10038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [119887 = 1198871015840 | 120590 = 1] minus Pr [119887 = 1198871015840 | 120590 = 0]10038161003816100381610038161003816


100381610038161003816100381610038161003816100381610038161003816

(16)

Hence

1003816100381610038161003816Pr [1198791] minus Pr [1198790]1003816100381610038161003816 le 2AdvRCCATagminusSKEMA1(120582) + 1199021199041003816100381610038161003816K1198631003816100381610038161003816

(17)

Lemma 2 is proved Next we show that the adversaryA playing Experiment1 essentially conducts an IND-RCCAattack on the signcryption scheme DEM we claim the follow-ing

Lemma 8 There is a probabilistic adversary A2 and itsrunning time is equal to that ofA and the following conclusionholds


(120582) (18)

Proof This can be shown by constructing an adversary A2who attacks the signcryption scheme DEM The adversary A2simulates the environment for adversaryA their interactionscan be described as follows

(i) Stage 1 The adversary A2 queries receiverrsquos keygeneration algorithm (119901119896119877 119904119896119877) larr997888 TagndashSKEMGen119877(1120582) queries senderrsquos key generation algorithm(119901119896119878 119904119896119878) larr997888 TagndashSKEMGen119878(1120582) and sends apublic key pair (119901119896119877 119901119896119878) toA

(ii) Stage 2 The adversary A inputs a public key pair(119901119896119877 119901119896119878) and makes continuous queries 119888 to adecryption oracle algorithm 119898 larr997888 Dec(119904119896119877 119901119896119878 119888)In the end adversaryA is responded with119898 or rejectsymbol perp

(iii) Stage 3 The adversary A inputs a pair publickey (119901119896119877 119901119896119878) and sends (1198980 1198981) to the adversaryA2 A2 queries (1198980 1198981) to the encryption oracle

algorithm and then receives a challenge ciphertext 120594lowastA2 runs (1205961198701) larr997888 TagndashSKEMKey(119901119896119877 119904119896119878) andthen computes the following

TagndashSKEMEnc119901119896 (120596 120594lowast) = 120595lowast (19)

In the end the adversary A2 submits the challengercipher 119888lowast = (120595lowast 120594lowast) to adversary A

(iv) Stage 4 The adversary A inputs a public key pair(119901119896119877119894 119901119896119878119894) andmakes continuous queries 119888 = (120595119894 120594119894)to decryption oracle algorithm Here we require thatadversary A2 is not admitted to query (119901119896119878 119888lowast) tothe decryption oracle However we admit that theadversary 1198602 is admitted to query the decryptionoracle algorithm on (1199011198961198781015840 119862) for any 1199011198961198781015840 = 119901119896119878119894 andon (119901119896119878119894 119862) for any cipher 119862 = 119862lowast The adversary A2uses (119901119896119878119894 119904119896119877119894) to decrypt the cipher 119888 = (120595119894 120594119894) Theadversary A2 runs the decryption oracle

K119894 larr997888 TagndashSKEMDec (119901119896119878 119904119896119877 120595119894 120594119894) 119898 larr997888 DEMDec119870119894 (120594119894)

(20)

The adversary A2 answers Arsquos decryption query 119888 =(120595119894 120594119894) with the following

(a) If K119894 =perp thenA2 responds toA with perp(b) If K119894 = K1 and 120594 = 120594lowast then A2 responds to A

with 10158401199051198901199091199051015840 (c) If K119894 = K1 and 120594 = 120594lowast then A2 responds to A

with 119898(d) If K119894 = K1 thenA2 uses K119894 to decrypt the cipher120594

(1) If 119898 isin 1198980 1198981 then adversary A2 sends10158401199051198901199091199051015840 to adversary A

(2) Otherwise adversaryA2 sends119898 to adver-sary A

Here we notice that the key K0 chosen by thesigncryption scheme DEMrsquos encryption oracle andembedded in the cipher 120594lowast is randomly chosen andindependent

(v) Stage 5 In the end the adversary A outputs 1198871015840 isin0 1 and the adversary A also outputs 1205901015840 = 1198871015840

We have described the construction of the adversary A2A2 plays a perfect simulation Experiment forA the view ofA is equal to that in Experiment0 and Experiment1 hencewe have


(120582) (21)

Putting all the facts together we have the following conclu-sion

1003816100381610038161003816100381610038161003816(Pr [1198790] minus12) minus (Pr [1198791] minus 1

2)1003816100381610038161003816100381610038161003816

le AdvRCCATagminusSKEM+DEMA (120582) + 1199021199041003816100381610038161003816K1198631003816100381610038161003816


AdvRCCATagminusSKEM+DEMA (120582)

le 2AdvRCCATagminusSKEMA1(120582) + 1199021199041003816100381610038161003816K1198631003816100381610038161003816

+ AdvCCATagminusDEMA2(120582)

(22)

We have provedTheorem 6

4 Conclusion

We have examined the RCCA security of two representativehybrid signcryption schemes ie SKEM + DEM [3] andTagndashSKEM+DEM [18] in this paperWe proved that the hybridsigncryption scheme SKEM+DEM is RCCA-secure if the sign-cryption scheme SKEM is RCCA-secure and the signcryptionscheme DEM is RCCA-secure Meanwhile we showed that thehybrid encryption scheme TagndashSKEM + DEM can be RCCA-secure if the signcryption scheme TagndashSKEM is RCCA-secureand the scheme DEM is RCCA-secure

Data Availability

Data sharing is not applicable to this article as no new datawas created or analyzed in this study

Conflicts of Interest

The authors declare that no conflicts of interest exist

Acknowledgments

This paper is supported by the National Key Researchand Development Plan of China under Grant No2016YFB0800600 and the National Natural ScienceFoundation of China (No 61802006 No 61602061 No61672059 No 61472016)

References

[1] A W Dent and Y Zheng Practical Signcryption a volume inInformation Security and Cryptography Springer 2010

[2] Y Zheng ldquoDigital signcryption or how to achieve cost(signatureprop encryption) ltlt cost(signature) + cost(encryption)rdquo in Pro-ceedings of the CRYPTO 1997 pp 165ndash179 1997

[3] A W Dent ldquoHybrid signcryption schemes with outsider secu-rity (extended abstract)rdquo in Proceedings of the ISC vol 3650 pp203ndash217

[4] J Lee ldquoIdentity-Based Signcryption IACR Cryptology ePrintArchive 2002098rdquo availabel online httpseprintiacrorg2002098pdf

[5] M Barbosa and P Farshim ldquoCertificateless signcryptionrdquo inProceedings of the ACM Symposium on Information Computerand Communications Security (ASIACCS rsquo08) pp 369ndash372ACM March 2008

[6] R Nakano and J Shikata ldquoConstructions of Signcryption inthe Multi-user Setting from Identity-Based Encryptionrdquo inProceedings of the IMACC 2013 Cryptography and Coding pp324ndash343 2013

[7] F Li B Liu and J Hong ldquoAn efficient signcryption for dataaccess control in cloud computingrdquo Computing vol 99 no 5pp 465ndash479 2017

[8] S Sato and J Shikata ldquoLattice-Based Signcryption WithoutRandomOraclesrdquo in Proceedings of the PQCrypto 2018 pp 331ndash351 2018

[9] PDatta RDutta and SMukhopadhyay ldquoFunctional Signcryp-tionrdquo Journal of Information Security and Applications vol 42pp 118ndash134 2018

[10] Y Zheng and H Imai ldquoCompact and unforgeable key estab-lishment over an ATM networkrdquo in Proceedings of the 199817th Annual IEEE Conference on Computer CommunicationsINFOCOM Part 1 (of 3) pp 411ndash418 April 1998

[11] M Nikravan A Movaghar and M Hosseinzadeh ldquoCorrectionto A lightweight signcryption scheme for defense againstfragment duplication attack in the 6LoWPAN networksrdquo Peer-to-Peer Networking and Applications pp 1ndash18 2018

[12] X Zhou Z Jin Y Fu H Zhou and L Qin ldquoShort signcryptionscheme for the Internet ofThingsrdquo Informatica An InternationalJournal of Computing and Informatics vol 35 no 4 pp 521ndash5302011

[13] K T Nguyen N Oualha and M Laurent ldquoLightweightcertificateless and provably-secure signcryptosystem for theinternet of thingsrdquo in Proceedings of the 14th IEEE InternationalConference on Trust Security and Privacy in Computing andCommunications TrustCom 2015 pp 467ndash474 Finland August2015

[14] S Belguith N Kaaniche M Mohamed and G Russello ldquoC-ABSC Cooperative Attribute Based SignCryption Scheme forInternet ofThings Applicationsrdquo in Proceedings of the 2018 IEEEInternational Conference on Services Computing (SCC) pp 245ndash248 San Francisco CA USA July 2018

[15] A Dent Hybrid cryptography 2004 Available from httpeprintiacrorg2004210

[16] Y Cui and G Hanaoka Applications of Signcryption SpringerGermany 2010

[17] S Prakash and A Rajput ldquoHybrid cryptography for securedata communication in wireless sensor networksrdquo Advances inIntelligent Systems and Computing vol 696 pp 589ndash599 2018

[18] T Bjorstad and A Dent ldquoBuilding better signcryption schemeswith tag-KEMsrdquo in Proceedings of the PKC 2006 pp 491ndash5072006

[19] F Li M Shirase and T Takagi ldquoCertificateless Hybrid Sign-cryptionrdquo in Proceedings of the ISPEC 2009 pp 112ndash123 2009

[20] C Zhou ldquoImproved certificateless hybrid signcryption schemerdquoApplication Research of Computers vol 30 no 1 pp 273-2722013

[21] R Cramer and V Shoup ldquoA practical public key cryptosystemprovably secure against adaptive chosen ciphertext attackrdquo inProceedings of the CRYPTO 1998 pp 13ndash25 1998

[22] R Canetti S Halevi and J Katz ldquoChosen-ciphertext securityfrom identity-based encryptionrdquo in Proceedings of the Eurocrypt2008 pp 207ndash222 2008

[23] R Canetti H Krawczyk and J B Nielsen ldquoRelaxing chosen-ciphertext securityrdquo in Proceedings of the CRYPTO pp 565ndash5822003

[24] R Canetti H Krawczyk and J Nielsen Relaxing ChosenCiphertext Security 2003 available online at httpeprintiacrorg

[25] M Yoshida and T Fujiwara ldquoOn the Security of Tag-KEM forSigncryptionrdquo Electronic Notes inTheoretical Computer Sciencevol 171 pp 83ndash91 2007


[26] M Abe R Gennaro and K Kurosawa ldquoTag-KEMDEM a newframework for hybrid encryptionrdquo Journal of Cryptology TheJournal of the International Association for Cryptologic Researchvol 21 no 1 pp 97ndash130 2008

[27] Y Chen and Q Dong ldquoRCCA Security for KEM+DEM StyleHybrid Encryptionsrdquo in Proceedings of the Inscrypt pp 102ndash1212012

[28] V Shoup ldquoOn formal models for secure key exchange IACRCryptology ePrint ArchiveReport 1999012rdquo Available onlinehttpeprintiacrorg1999012pdf

[29] HCui YMu andMHAu ldquoSigncryption secure against linearrelated-key attacksrdquo The Computer Journal vol 57 no 10 pp1472ndash1483 2014

[30] H Dai J Chang Z Hou and M Xu ldquoThe ECCA security ofhybrid encryptionsrdquo in Proceedings of the ISPEC pp 847ndash8592017

[31] R Cramer and V Shoup ldquoDesign and analysis of practicalpublic-key encryption schemes secure against adaptive chosenciphertext attackrdquo SIAM Journal on Computing vol 33 no 1 pp167ndash226 2003

[32] M Abe R Gennaro K Kurosawa and V Shoup ldquoTag-KEMDEM A new frame-work for hybrid encryption and anew analysis of Kurosawa-Desmedt KEMrdquo in Proceedings of theEUROCRYPT pp 128ndash146 2005

[33] J H An Authenticated encryption in the public-key settingSecurity notions and analyses 2001 Available from httpeprintiacrorg2001079

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of



Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom


al [8] proposed lattice-based signcryption without randomoracles At the same time Datta et al [9] proposed thefunctional signcryption

In addition a number of signcryption schemes have beenproposed for the IoT environments (eg key establishmentover ATM networks [10] defense against fragment duplica-tion attack in 6LoWPAN networks [11] short signcryptionscheme for IoT [12] and provably secure signcryption forIoT [13]) Belguith et al [14] proposed privacy preservingattribute based signcryption for IoT

However in the traditional signcryption schemes thekeyed encapsulation encryption is generally notmade full useof and the length of messages is always related to the sign-cryption scheme Further the major weakness of asymmetricencryption schemes is that the computational efficiency isworse than these symmetric ones [15] Accordingly thenotion of hybrid signcryption is proposed Hybrid signcryp-tion uses a symmetric encryption scheme to improve theoverall performance and flexibility of asymmetric signcryp-tion Hybrid signcryption can simultaneously combine themain advantages of a public key encryption and a digitalsignature scheme with much lower cost when comparedwith traditional schemes [1 16] As sensor nodes in IoTare resource-constrained (eg limited battery power) anddeployed to run for years hybrid cryptography is particularlysuitable for data storage and transmission to achieve secureand efficient communication [17] At 2004 Dent [15] pro-posed a formal composition model for hybrid signcryptionand this model covers Zhengrsquos scheme [2] Later Bjorstadet al [18] proposed an improve signcryption scheme withtag-KEMs Li et al [19] proposed a certificateless hybridsigncryption scheme and Zhou [20] proposed an improvedcertificateless hybrid signcryption scheme Due to the usageof a symmetric encryption scheme to overcome the weak-ness and restricted message space of traditional asymmetricencryption schemes these hybrid signcryption schemes canmake the length of message independent of the security of theoverall signcryption scheme

Secure encryption is one of themost fundamental tasks incryptographic schemes while CCA security has been widelyaccepted as the golden standard requirement for encryptionschemes [21 22] However chosen-ciphertext attack securityappears to be too strong in many conditions there existmany encryption schemes that are not CCA secure but stillhave practical applications [23] Here we take a CCA securepublic key encryption scheme PKE as example We change itinto a public key encryption scheme PKErsquo which is equal topublic key encryption scheme PKE except that this encryptionoracle algorithm appends a bit 0 to each ciphertext and thedecryption oracle algorithm of PKErsquo discards this bit 0 of aciphertext Then one naturally obtains a different ciphertextdecrypted to the same message as the original one Howeverthis change takes no real consequence in most situationbecause the modified scheme PKE1015840 appears to be as secure asthe scheme PKE in most situations This example is also usedin [23]

Accordingly Canetti et al [23] proposed the RCCAsecurity notion at CRYPTO 2003 RCCA security is a strictlyweaker security notion than CCA security which has proved

to be abundant for most cryptographic primitives egencrypted password authentication [24] There are somestudies (eg [23 25]) about the RCCA security of hybridcryptography and there are also several studies (eg [2 3 15])about the CCA security of hybrid signcryption As far as weknow there is nowork about examining theRCCA security ofhybrid signcryption To fill the gap in this paper we considerthe RCCA security of hybrid signcryption and show thathybrid signcryption can achieve RCCA security (rather thanonly CCA security) based on certain conditions

11 Main Contributions In this paper we examine theRCCA security of the hybrid signcryption scheme Tag-SKEM+DEM [18] and the hybrid signcryption schemeSKEM+DEM [3] We will show the following (1) The hybridsigncryption scheme (SKEM+DEM) can be RCCA-secureif the scheme Tag-SKEM is RCCA-secure and the schemeDEM is RCCA-secure (2) The hybrid encryption scheme(Tag-SKEM+DEM) can be RCCA-secure if the signcryptionscheme Tag-SKEM is RCCA-secure and the scheme DEMis RCCA-secure Although our results might be expectedand somewhat straightforward we concretely confirm suchexpectations with a formal proof When giving our proofwe mainly use the hybrid game-based reduction techniquepresented in [26ndash28]

12 Related Works and Discussions It is obvious that if thehybrid signcryption scheme is going to provide an integrityand authentication service then its KEM part and DEMpart must satisfy some kind of security criterion Dent etal [15] examined the CCA security of hybrid signcryptionschemes (SKEM+DEM and Tag-SKEM+DEM) Chen et al[27] examined the RCCA security for hybrid encryptionscheme KEM+DEM Cui et al [29] gave two kinds ofRKA-secure signcryption schemes In 2017 Dai et al [30]considered the ECCA security for hybrid encryptions Tag-KEM+DEM and KEM+Tag-DEM Abe et al [26] provideda hybrid encryption scheme Tag-KEM+DEM and they pre-sented a useful way to get CCA secure hybrid encryptionsCramer et al [31] have shown that the hybrid encryptionscheme Tag-KEM+DEM is CCA secure if its KEM part isCCA secure and its DEM part is one-time secure

As for the scheme Tag-SKEM+DEM the ciphertext ofscheme DEM is a tag of the scheme Tag-SKEM one maythink that the security assumption of scheme SKEM couldbe weakened to chosen plaintext attack (CPA) security whenconsidering the RCCA security of signcryption As it isimpossible to make a simulation for the decryption oraclequery for an adversary when the adversary attacks the hybridsigncryption we leave it as an open problem that the securityof scheme SKEM and DEM could be relaxed to a weakersecurity (eg CPA) One may also think that with the RCCAsecurity of Tag-KEM and one-time security of DEM onecan get the RCCA security of hybrid signcryption schemeTag-KEM+DEM However the adversary cannot generateuseful challenge ciphers if the adversary does not changethe tag used for the scheme Tag-DEM In this paper whenproving our results we make a perfect simulation for theadversary who initiates a IND-RCCA experiment to hybrid






2 Preliminaries

















































(120582)

+ 11990211990410038161003816100381610038161198701198631003816100381610038161003816 (1)











1003816100381610038161003816100381610038161003816Pr [1198790] minus121003816100381610038161003816100381610038161003816 (2)





(3)







(4)







Thus


21003816100381610038161003816100381610038161003816 =

1003816100381610038161003816100381610038161003816Pr [1198790] minus121003816100381610038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [1205901015840 = 1 | 120590 = 1] minus Pr [1205901015840 = 1 | 120590 = 0]10038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [119887 = 1198871015840 | 120590 = 1] minus Pr [119887 = 1198871015840 | 120590 = 0]10038161003816100381610038161003816


100381610038161003816100381610038161003816100381610038161003816

(5)



(6)

Lemma 2 is proved




(120582) (7)











(120582) (8)





(120582) (9)












TagndashSKEM + DEM










+ AdvRCCADEMA2(120582) + 1199021199041003816100381610038161003816K1198631003816100381610038161003816

(12)









(13)





= 1003816100381610038161003816100381610038161003816Pr [119887 = 1198871015840] minus 121003816100381610038161003816100381610038161003816

(14)





(15)










result




with the result






Thus


121003816100381610038161003816100381610038161003816

= 1003816100381610038161003816100381610038161003816Pr [119887 = 1198871015840] minus 121003816100381610038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [1205901015840 = 1 | 120590 = 1] minus Pr [1205901015840 = 1 | 120590 = 0]10038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [119887 = 1198871015840 | 120590 = 1] minus Pr [119887 = 1198871015840 | 120590 = 0]10038161003816100381610038161003816


100381610038161003816100381610038161003816100381610038161003816

(16)

Hence


(17)




(120582) (18)










(20)











(120582) (21)



2)1003816100381610038161003816100381610038161003816






(22)


4 Conclusion


Data Availability




Acknowledgments


References





































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia







2 Preliminaries

















































(120582)

+ 11990211990410038161003816100381610038161198701198631003816100381610038161003816 (1)











1003816100381610038161003816100381610038161003816Pr [1198790] minus121003816100381610038161003816100381610038161003816 (2)





(3)







(4)







Thus


21003816100381610038161003816100381610038161003816 =

1003816100381610038161003816100381610038161003816Pr [1198790] minus121003816100381610038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [1205901015840 = 1 | 120590 = 1] minus Pr [1205901015840 = 1 | 120590 = 0]10038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [119887 = 1198871015840 | 120590 = 1] minus Pr [119887 = 1198871015840 | 120590 = 0]10038161003816100381610038161003816


100381610038161003816100381610038161003816100381610038161003816

(5)



(6)

Lemma 2 is proved




(120582) (7)











(120582) (8)





(120582) (9)












TagndashSKEM + DEM










+ AdvRCCADEMA2(120582) + 1199021199041003816100381610038161003816K1198631003816100381610038161003816

(12)









(13)





= 1003816100381610038161003816100381610038161003816Pr [119887 = 1198871015840] minus 121003816100381610038161003816100381610038161003816

(14)





(15)










result




with the result






Thus


121003816100381610038161003816100381610038161003816

= 1003816100381610038161003816100381610038161003816Pr [119887 = 1198871015840] minus 121003816100381610038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [1205901015840 = 1 | 120590 = 1] minus Pr [1205901015840 = 1 | 120590 = 0]10038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [119887 = 1198871015840 | 120590 = 1] minus Pr [119887 = 1198871015840 | 120590 = 0]10038161003816100381610038161003816


100381610038161003816100381610038161003816100381610038161003816

(16)

Hence


(17)




(120582) (18)










(20)











(120582) (21)



2)1003816100381610038161003816100381610038161003816






(22)


4 Conclusion


Data Availability




Acknowledgments


References





































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia






























(120582)

+ 11990211990410038161003816100381610038161198701198631003816100381610038161003816 (1)











1003816100381610038161003816100381610038161003816Pr [1198790] minus121003816100381610038161003816100381610038161003816 (2)





(3)







(4)







Thus


21003816100381610038161003816100381610038161003816 =

1003816100381610038161003816100381610038161003816Pr [1198790] minus121003816100381610038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [1205901015840 = 1 | 120590 = 1] minus Pr [1205901015840 = 1 | 120590 = 0]10038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [119887 = 1198871015840 | 120590 = 1] minus Pr [119887 = 1198871015840 | 120590 = 0]10038161003816100381610038161003816


100381610038161003816100381610038161003816100381610038161003816

(5)



(6)

Lemma 2 is proved




(120582) (7)











(120582) (8)





(120582) (9)












TagndashSKEM + DEM










+ AdvRCCADEMA2(120582) + 1199021199041003816100381610038161003816K1198631003816100381610038161003816

(12)









(13)





= 1003816100381610038161003816100381610038161003816Pr [119887 = 1198871015840] minus 121003816100381610038161003816100381610038161003816

(14)





(15)










result




with the result






Thus


121003816100381610038161003816100381610038161003816

= 1003816100381610038161003816100381610038161003816Pr [119887 = 1198871015840] minus 121003816100381610038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [1205901015840 = 1 | 120590 = 1] minus Pr [1205901015840 = 1 | 120590 = 0]10038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [119887 = 1198871015840 | 120590 = 1] minus Pr [119887 = 1198871015840 | 120590 = 0]10038161003816100381610038161003816


100381610038161003816100381610038161003816100381610038161003816

(16)

Hence


(17)




(120582) (18)










(20)











(120582) (21)



2)1003816100381610038161003816100381610038161003816






(22)


4 Conclusion


Data Availability




Acknowledgments


References





































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia








Thus


21003816100381610038161003816100381610038161003816 =

1003816100381610038161003816100381610038161003816Pr [1198790] minus121003816100381610038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [1205901015840 = 1 | 120590 = 1] minus Pr [1205901015840 = 1 | 120590 = 0]10038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [119887 = 1198871015840 | 120590 = 1] minus Pr [119887 = 1198871015840 | 120590 = 0]10038161003816100381610038161003816


100381610038161003816100381610038161003816100381610038161003816

(5)



(6)

Lemma 2 is proved




(120582) (7)











(120582) (8)





(120582) (9)












TagndashSKEM + DEM










+ AdvRCCADEMA2(120582) + 1199021199041003816100381610038161003816K1198631003816100381610038161003816

(12)









(13)





= 1003816100381610038161003816100381610038161003816Pr [119887 = 1198871015840] minus 121003816100381610038161003816100381610038161003816

(14)





(15)










result




with the result






Thus


121003816100381610038161003816100381610038161003816

= 1003816100381610038161003816100381610038161003816Pr [119887 = 1198871015840] minus 121003816100381610038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [1205901015840 = 1 | 120590 = 1] minus Pr [1205901015840 = 1 | 120590 = 0]10038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [119887 = 1198871015840 | 120590 = 1] minus Pr [119887 = 1198871015840 | 120590 = 0]10038161003816100381610038161003816


100381610038161003816100381610038161003816100381610038161003816

(16)

Hence


(17)




(120582) (18)










(20)











(120582) (21)



2)1003816100381610038161003816100381610038161003816






(22)


4 Conclusion


Data Availability




Acknowledgments


References





































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia






(120582) (9)












TagndashSKEM + DEM










+ AdvRCCADEMA2(120582) + 1199021199041003816100381610038161003816K1198631003816100381610038161003816

(12)









(13)





= 1003816100381610038161003816100381610038161003816Pr [119887 = 1198871015840] minus 121003816100381610038161003816100381610038161003816

(14)





(15)










result




with the result






Thus


121003816100381610038161003816100381610038161003816

= 1003816100381610038161003816100381610038161003816Pr [119887 = 1198871015840] minus 121003816100381610038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [1205901015840 = 1 | 120590 = 1] minus Pr [1205901015840 = 1 | 120590 = 0]10038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [119887 = 1198871015840 | 120590 = 1] minus Pr [119887 = 1198871015840 | 120590 = 0]10038161003816100381610038161003816


100381610038161003816100381610038161003816100381610038161003816

(16)

Hence


(17)




(120582) (18)










(20)











(120582) (21)



2)1003816100381610038161003816100381610038161003816






(22)


4 Conclusion


Data Availability




Acknowledgments


References





































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia







(13)





= 1003816100381610038161003816100381610038161003816Pr [119887 = 1198871015840] minus 121003816100381610038161003816100381610038161003816

(14)





(15)










result




with the result






Thus


121003816100381610038161003816100381610038161003816

= 1003816100381610038161003816100381610038161003816Pr [119887 = 1198871015840] minus 121003816100381610038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [1205901015840 = 1 | 120590 = 1] minus Pr [1205901015840 = 1 | 120590 = 0]10038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [119887 = 1198871015840 | 120590 = 1] minus Pr [119887 = 1198871015840 | 120590 = 0]10038161003816100381610038161003816


100381610038161003816100381610038161003816100381610038161003816

(16)

Hence


(17)




(120582) (18)










(20)











(120582) (21)



2)1003816100381610038161003816100381610038161003816






(22)


4 Conclusion


Data Availability




Acknowledgments


References





































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





Thus


121003816100381610038161003816100381610038161003816

= 1003816100381610038161003816100381610038161003816Pr [119887 = 1198871015840] minus 121003816100381610038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [1205901015840 = 1 | 120590 = 1] minus Pr [1205901015840 = 1 | 120590 = 0]10038161003816100381610038161003816

= 1210038161003816100381610038161003816Pr [119887 = 1198871015840 | 120590 = 1] minus Pr [119887 = 1198871015840 | 120590 = 0]10038161003816100381610038161003816


100381610038161003816100381610038161003816100381610038161003816

(16)

Hence


(17)




(120582) (18)










(20)











(120582) (21)



2)1003816100381610038161003816100381610038161003816






(22)


4 Conclusion


Data Availability




Acknowledgments


References





































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia






(22)


4 Conclusion


Data Availability




Acknowledgments


References





































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia













RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


on the rcca security of hybrid signcryption for internet...

Documents