Lipeng Wang, Zhi Guan, Zhong Chen, Mingsheng Hu
1 School of Information Science and Technology, Zhengzhou Normal University, Zhengzhou 450044, China
2 School of Computer Science, Peking University, Beijing 100871, China
Abstract: The emerging edge computing technology for the Internet of Things has been playing an important role in our daily life. A multi-receiver signcryption scheme is a promising way to protect the transmitted data when an edge device broadcasts its sensing data to many different end devices at a time. There are several things to consider when designing such a scheme. First, existing schemes need to maintain a secure channel to deliver the user's partial private key, which increases economic costs. Second, the system private key of those schemes is kept by a single key generation center (KGC), so a single point of failure at the KGC may compromise the whole system. For this, we propose a multi-receiver multi-message signcryption scheme without the secure channel. Firstly, the scheme allows the KGC to send secrets over the public channel, which reduces maintenance costs. Secondly, to eliminate the single point of failure, the scheme lets multiple KGCs manage the system private key jointly, and each KGC updates its share periodically to resist advanced persistent threat (APT) attacks. We demonstrate that the proposed scheme achieves the expected security properties. Performance analysis shows that it has a shorter ciphertext length and higher efficiency.
Keywords: internet of things; signcryption; edge computing; unforgeability; confidentiality
The Internet of Things (IoT) aims to create a world where everything is connected, in which terminal devices collect the surrounding data and transmit it to collectors over public or private channels. Combining computer and communication technology, the IoT creates a smart life for us and is considered the third landmark in the development of information technology after the Internet [1]. However, as the number of IoT devices increases, the total amount of data they generate grows accordingly and may consume more storage. Cloud computing is a promising approach to storing IoT data, with advantages such as low cost and high resource utilization [2]. Although cloud computing has been widely adopted in many fields, its application to IoT is still limited by the high latency between the cloud and IoT devices. To make cloud computing practical in IoT scenarios, there is a strong demand to reduce transmission delay and increase system efficiency.
Edge computing has emerged and become popular in recent years. Edge nodes, which serve as bridges between cloud servers and end devices, reduce response time and save bandwidth because they process IoT data close to where it is created [3]. In practical IoT scenarios, an edge node may need to broadcast a piece of information to many different devices at once; for example, a light sensor sends its readings to other streetlamps so that they can switch on or off. There is therefore a strong demand for an IoT node to make some information widely known. Figure 1 shows the typical network architecture in edge computing, which consists of end devices (sensors), edge devices and the cloud [4].
Figure 1. Multicast communication network architecture in edge computing.
Figure 2. System framework of the proposed scheme.
In edge computing, considering efficiency and cost-effectiveness, it is preferable for a device to send many different messages to their corresponding recipients over one multicast channel rather than over multiple unicast channels. However, when IoT data are transmitted over a public multicast network, they are exposed to a wide range of attacks, of which two major threats are eavesdropping and tampering. The transmitted data should therefore provide confidentiality and authentication simultaneously. Encryption and digital signatures can be used to meet these two requirements, but applying both separately is complex and computationally expensive, so performance must be handled carefully when combining them.
A multi-message multi-receiver signcryption (MMSC) scheme lets a user perform encryption and signing in one logical step, which is computation-friendly. In 2003, Al-Riyami and Paterson [5] proposed certificateless public key cryptography (CL-PKC), in which a participant generates his public and private keys with the help of a key generation center (KGC). In CL-PKC, a participant first generates his own secret value and then derives his private key from that secret and a partial private key generated by the KGC. Since the KGC never learns the full private key, the keys are not held in escrow and CL-PKC avoids the key escrow problem. A certificateless MMSC scheme built on CL-PKC lets a user send many different messages to their corresponding recipients at once and needs no certificate authority to store participants' keys. When adapted to IoT scenarios with limited computational capacity, certificateless MMSC has several advantages. First, it avoids the key escrow problem. Second, the scheme can prevent a malicious KGC from forging a user's public key. Moreover, it has lower power consumption and computational cost [6,7]. Certificateless MMSC has therefore become a promising data security technology for IoT.
In a certificateless MMSC scheme, the private key is generated jointly by the participant and the KGC. Participants need no certificates to guarantee the authenticity of public keys, but each obtains his partial private key from the KGC over a secure channel. That channel may be compromised by cyber attacks and leak user secrets, and maintaining it requires additional computational cost [8]. Therefore, it is necessary to design a new certificateless MMSC scheme that eliminates the secure channel.
An MMSC scheme relies on the KGC to generate public and private keys for participants. The KGC is critical because it holds the system private key. In IoT scenarios, however, limited computational power and inadequate security measures leave the KGC vulnerable to network attacks, and the situation becomes worse if attackers mount an advanced persistent threat (APT) against the KGC and obtain the system private key. To counter these threats, multiple key generation centers (KGCs) can manage the system private key collaboratively through a secret sharing protocol: the system private key is split into several shares, each stored at a different KGC, so that an attacker who compromises fewer than the threshold number of KGCs cannot recover it. Moreover, to resist APT attacks, each KGC can refresh its share periodically. These measures improve the security of the KGC.
Motivated by these concerns, we propose a multi-receiver multi-message signcryption scheme with multiple key generation centers (MMSC-MKGC) to answer the question: can we build a provably secure signcryption scheme that resists APT attacks with high efficiency and low maintenance cost?
Contributions. The contributions of this paper are as follows.
1. Based on elliptic curve cryptography, we propose a novel MMSC-MKGC scheme that guarantees data confidentiality and unforgeability, needs no secure channel and reduces maintenance costs.
2. To resist APT attacks, the system private key is divided into several shares, each stored at a different KGC. Anyone holding fewer than the threshold number of shares learns nothing about the system private key. To improve security further, each KGC updates its own share periodically.
3. We demonstrate that the proposed scheme achieves the expected security properties and is efficient in computational complexity. Finally, we implement the scheme and report performance evaluation results, which show that it is more efficient than comparable schemes.
The first signcryption scheme was proposed in 1997; it performs encryption and digital signature in a single logical step [9], which improves overall efficiency and lowers computational cost compared with traditional sign-then-encrypt constructions. Initially, signcryption was implemented on top of a public key infrastructure (PKI). However, PKI needs a certificate authority to manage public keys, which consumes significant storage and power, and as the number of participants grows, managing PKI effectively becomes more complex and cumbersome. To overcome these limitations, identity-based cryptography (IBC) was introduced by Shamir [10]; in IBC, a publicly known string representing a participant serves as his public key. The first identity-based signcryption scheme (IBSC) with anonymity, in which a malicious third party cannot deduce the participant's identity, was proposed in 2018 [11]. In 2017, Karati et al. proposed a more efficient IBSC for the industrial IoT (IIoT) [1]. IBSC depends on a private key generator (PKG) to generate and manage all private keys, which nevertheless introduces a single point of failure. CL-PKC was proposed afterwards to improve system security: a participant generates his private and public keys in cooperation with the KGC, and because those keys are not held in escrow, CL-PKC avoids the key escrow problem.
Most existing CL-PKC schemes are based on elliptic curves or bilinear pairings. Compared with elliptic curve operations, bilinear pairing operations are far more time-consuming and increase computational cost. We discuss both families below.
Several certificateless schemes based on bilinear pairings have been proposed for secure communication systems. To protect data integrity and confidentiality, Li et al. [12] proposed a signcryption scheme that can be adapted to the blockchain scenario. Wang et al. [13] introduced a pairing-based signcryption algorithm that uses blockchain to protect personally identifiable information from unauthorized disclosure. However, these schemes involve time-consuming pairing operations and cannot be adapted to resource-constrained scenarios.
To avoid the drawbacks of pairing-based certificateless schemes, more efficient solutions were proposed. Li et al. [14] proposed a certificateless signcryption scheme without pairings. Zhou et al. [15] presented an attack on that scheme and then proposed a new elliptic-curve-based signcryption scheme. Li et al. [16] designed a signcryption scheme that resists collusion attacks. For the case where adversaries glean user secrets through side-channel attacks, Qin et al. [17] proposed a certificateless signcryption scheme to protect confidential data. Cui et al. [18] proposed a publicly verifiable signcryption scheme that provides confidentiality, authentication, non-repudiation and unforgeability. Note that the above elliptic-curve-based signcryption schemes rely on the intractability of the discrete logarithm (DL) problem.
In IoT scenarios there is a growing demand for personalized services, which means that many different messages must be transmitted to their corresponding recipients at once. In 1999, the first MMSC scheme was proposed, allowing a sender to broadcast multiple messages over a multicast channel [19]. The first IBC-based MMSC scheme, which provides confidentiality and authenticity simultaneously, was proposed in 2006 [20]; however, it needs bilinear pairing operations to signcrypt a message for multiple recipients. An anonymous certificateless MMSC scheme based on elliptic curve cryptography (ECC) was proposed in [21]. Pang et al. [8] proposed an MMSC scheme based on certificateless public key cryptography, which needs neither user certificates nor key escrow. Zhou et al. [22] proposed an MMSC scheme whose ciphertext no longer contains the identity list, protecting user privacy.
For most existing certificateless MMSC schemes, a secure channel is essential for delivering a participant's partial private key, and maintaining it consumes additional computational power in IoT scenarios. For this, Pang et al. [8] proposed the first signcryption scheme without a secure channel, which makes the system lighter and safer. However, that scheme depends on a single KGC to hold the system private key, and the KGC is vulnerable to APT attacks. Thus the security of the KGC must be guaranteed when designing a multi-receiver multi-message signcryption scheme.
The elliptic curve E(F_p) over a finite field F_p is defined by y^2 = x^3 + ax + b (mod p), where a, b ∈ F_p and p is a large prime. The points on the curve (together with the point at infinity) form an additive group, denoted G, which has a generator P of order q.
Scalar multiplication on the curve is written kP = P + P + ... + P, meaning that the point P is added k times.
Elliptic curve cryptography relies on some hard mathematical problems. The following two are used in this paper.
Discrete Logarithm Problem (DLP): Given P, αP ∈ G, find the integer α, where p is a large prime.
The DLP is considered computationally hard: for any polynomial-time algorithm λ, the advantage Adv_DLP(λ) = Pr[λ(P, αP) = α] is negligible.
Computational Diffie-Hellman Problem (CDHP): Given αP, βP ∈ G, find the element αβP ∈ G, where α and β are unknown and p is a large prime.
The CDHP is considered computationally hard: for any polynomial-time algorithm λ, the advantage Adv_CDHP(λ) = Pr[λ(P, αP, βP) = αβP] is negligible.
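The group operations behind the DLP and CDHP above, as an added example that is not part of the paper: a minimal affine implementation of point addition and double-and-add scalar multiplication over secp256k1, the curve the paper's implementation uses (Section VII). The curve constants are the standard secp256k1 domain parameters; the helper names are ours. The checks show that the generator P has order q (qP is the point at infinity) and that αβP can be computed from either αP or βP by whoever knows the other scalar, which is exactly what the CDHP assumes an outsider holding only αP and βP cannot do.

```python
# Added example, not from the paper: affine EC arithmetic over F_p on secp256k1.
# Curve constants are the standard secp256k1 domain parameters; helper names are ours.

p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
a, b = 0, 7                                                             # y^2 = x^3 + ax + b
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of P (cofactor 1)
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity, the identity element of the group G


def on_curve(Q):
    """True if Q is INF or satisfies the curve equation modulo p."""
    if Q is INF:
        return True
    x, y = Q
    return (y * y - (x * x * x + a * x + b)) % p == 0


def neg(Q):
    """Additive inverse: -(x, y) = (x, -y)."""
    return INF if Q is INF else (Q[0], (-Q[1]) % p)


def add(Q1, Q2):
    """Group law in affine coordinates (chord-and-tangent rule)."""
    if Q1 is INF:
        return Q2
    if Q2 is INF:
        return Q1
    x1, y1 = Q1
    x2, y2 = Q2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                          # Q + (-Q) = O
    if Q1 == Q2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p           # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(k, Q):
    """Scalar multiplication kQ = Q + ... + Q (k times) by right-to-left double-and-add.
    k is not reduced modulo q here so that the order check below really computes qP."""
    R = INF
    while k:
        if k & 1:
            R = add(R, Q)
        Q = add(Q, Q)
        k >>= 1
    return R


def generator_has_order_q():
    """qP = O and (q-1)P = -P, i.e. P generates a cyclic group of prime order q."""
    return mul(q, P) is INF and mul(q - 1, P) == neg(P)


def cdh_consistent(alpha, beta):
    """The holder of alpha derives alpha*(beta P); the holder of beta derives beta*(alpha P).
    Both equal (alpha*beta)P. The CDHP asks an outsider who sees only alpha P and beta P
    to produce the same point without either scalar."""
    aP, bP = mul(alpha, P), mul(beta, P)
    shared_a = mul(alpha, bP)
    shared_b = mul(beta, aP)
    return shared_a == shared_b == mul(alpha * beta, P)


if __name__ == "__main__":
    print("P on curve:", on_curve(P))
    print("P has order q:", generator_has_order_q())
    print("CDH value agrees:", cdh_consistent(123456789, 987654321))
```

This is affine arithmetic with one field inversion per operation, adequate for illustrating the group structure but not for production use: a real implementation would use projective coordinates and constant-time ladders so that scalar multiplication does not leak the secret scalar through timing, the side channel mentioned later in the related work.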
Figure 2 shows the system framework of the proposed scheme. The scheme contains three different types of participants:
Figure 3. Execution time over the threshold t.
Figure 4. Execution time over the number of KGCs.
Figure 5. Execution time over the number of recipients for the SignCrypt step.
Figure 6. Execution time over the number of recipients for the DeSignCrypt step.
Figure 7. Execution time over the number of KGCs for the UpdateKey step.
Figure 8. Execution time over the threshold t for the UpdateKey step.
KGCs: The KGCs help generate private keys for participants and cooperate to manage the system private key. Over time an attacker may try to compromise every KGC to extract the secret information. Here we assume that the number of KGCs the attacker can compromise within one epoch is less than the threshold t. When a new epoch begins, the KGCs compromised in the previous epoch are "released" by the attacker, meaning that the attacker would have to compromise them again to learn their refreshed secrets [23].
Sender: The user who generates the ciphertext, taking his identity, his private key, the recipients' public keys and the system public parameters as inputs.
Receiver: The user who receives the ciphertext and decrypts it to obtain the plaintext.
In IoT scenarios the receiver or the sender may be a device with limited computational power, which is a key point in the scheme design. The sender should use a lightweight MMSC scheme to encrypt many different messages and transmit them to the corresponding recipients at once. For simplicity, the main notations used in the paper are listed in Table 1.
Table 1. Notations in the proposed scheme.
The proposed scheme consists of the following seven steps: Setup, SetSecret, ExtractPpk, SetPrik, SetPubk, SignCrypt and DeSignCrypt.
Setup(1^λ): This step generates the system private key and the public parameters. On input the security parameter λ, the KGC generates the system private key s, the public key K_i and the system public parameters Pparams. The KGC then publishes Pparams and K_i and keeps s secret.
SetSecret(ID_i, Pparams): This step lets a user produce his secret value and public parameter. On input the identity ID_i and the system public parameters Pparams, the user obtains his secret x_i and the public parameter X_i.
ExtractPpk(ID_i, X_i, s, Pparams): This step lets the KGC produce the partial private key used to generate the user's private key. With the user identity ID_i, the public parameter X_i, the system private key s and the system public parameters Pparams, the KGC obtains the partial private key u_i and the partial public key Y_i.
SetPrik(ID, u_i, Y, x_i, X_i, K_i, Pparams): This step lets the user obtain his private key. With ρ identities ID = {ID_1, ID_2, ..., ID_ρ}, u_i, Y = {Y_1, Y_2, ..., Y_t}, x_i, X_i, K_i, ID_i and Pparams, the user obtains his private key SK_i = ⟨x_i, y_i⟩.
SetPubk(Y, ID): This step produces a user's public key. With Y and the user identities ID as inputs, the user obtains his public key PK_i = ⟨X_i, Z_i⟩.
SignCrypt(M, SK_a, ID, PK_b, Pparams): This step produces the ciphertext. For sender a and receiver b, with ρ messages M = {m_1, m_2, ..., m_ρ}, the user identities ID, the private key SK_a, the identity ID_a, the public key PK_b and Pparams as inputs, the sender runs this step to obtain the ciphertext C_m.
DeSignCrypt(C_m, PK_a, ID, SK_b, Pparams): This step lets receiver b recover the plaintext. With the ciphertext C_m, the sender's public key PK_a, the user identities ID, the private key SK_b and Pparams as inputs, the receiver runs this step to obtain his plaintext m.
To ensure correctness, those operations should satisfy that if
for each i ∈ {1, 2, ..., ρ}.
In IoT scenarios the system should provide data confidentiality and unforgeability. Confidentiality means that only authorized recipients can recover the plaintext from a given ciphertext; an unauthorized recipient without the correct private key learns nothing useful. Unforgeability means that signcrypted data cannot be forged by illegitimate participants.
First, the proposed MMSC-MKGC scheme should provide message confidentiality, specifically indistinguishability against adaptive chosen ciphertext attack (IND-CCA2). Second, it should provide unforgeability, specifically existential unforgeability against adaptive chosen message attack (EUF-CMA).
Following the security model defined in [14], we consider two types of adversaries. The Type I adversary, denoted A_I, can replace user public keys but does not know the system private key s. The Type II adversary, denoted A_II, knows the system private key s but is not allowed to replace user public keys.
We extend the security notions of [14] to the new MMSC-MKGC scheme for both IND-CCA2 and EUF-CMA. For confidentiality and unforgeability, we define four games that describe adversary attacks on these two notions and give the corresponding security definitions.
4.3.1 Message Confidentiality
To capture IND-CCA2, we define two games that simulate attacks on message confidentiality. Each game describes a set of interactions between a challenger and an adversary. The proposed MMSC-MKGC scheme is IND-CCA2 secure if it satisfies Definition 1 and Definition 2.
Game 1. The game describes interactions between the adversary A_I and the challenger C. For simplicity, the adversary is denoted A_I-1. The detailed interactions are given in Lemma 1.
Definition 1. The proposed scheme achieves message confidentiality under Game 1 if, for every adversary A_I-1 running in polynomial time τ, the advantage of winning the game satisfies Adv_IND-CCA2(A_I-1) ≤ ω, where ω is a negligible probability.
Game 2. The game describes a set of interactions between the adversary A_II and the challenger C. For simplicity, the adversary is denoted A_II-1, and Lemma 2 gives the detailed interactions.
Definition 2. The proposed scheme achieves confidentiality under Game 2 if, for every adversary A_II-1 running in polynomial time τ, the advantage of winning the game satisfies Adv_IND-CCA2(A_II-1) ≤ ω, where ω is a negligible probability.
4.3.2 Message Unforgeability
To capture EUF-CMA, we define two games that simulate attacks on message unforgeability. Each game describes a set of interactions between a challenger and an adversary. The proposed MMSC-MKGC scheme is EUF-CMA secure if it satisfies Definition 3 and Definition 4.
Game 3. The game describes interactions between the adversary A_I and the challenger C. The adversary is denoted A_I-2, and the detailed interactions are given in Lemma 3.
Definition 3. The scheme achieves unforgeability under Game 3 if, for every adversary A_I-2 running in polynomial time τ, the advantage of winning the game satisfies Adv_EUF-CMA(A_I-2) ≤ ω, where ω is a negligible probability.
Game 4. The game describes interactions between the adversary A_II and the challenger C. For simplicity, the adversary is denoted A_II-2. Lemma 4 gives the detailed interactions.
Definition 4. The scheme achieves unforgeability under Game 4 if, for every adversary A_II-2 running in polynomial time τ, the advantage of winning the game satisfies Adv_EUF-CMA(A_II-2) ≤ ω, where ω is a negligible probability.
In this section we present the new multi-receiver multi-message signcryption scheme with multiple key generation centers (MMSC-MKGC). The sender encrypts multiple messages for many different recipients, and each receiver decrypts the ciphertext to obtain his own plaintext. A set of KGCs maintain the system private key through a secret sharing protocol. Moreover, participants can obtain their private keys over the public channel, which reduces maintenance costs [8].
Setup(1^λ): For a given security parameter λ, the system selects five secure one-way hash functions, as follows:
Next we describe the key updating strategy for the KGCs. As mentioned above, the system private key is split into several shares distributed among multiple KGCs. To resist APT attacks, each KGC should update its share periodically.
UpdateKey: Each KGC_i (1 ≤ i ≤ n) updates its share with the following steps.
The KGCs in our scheme are responsible for generating user public and private keys. If all the KGCs fail, existing participants cannot perform the UpdateKey step and new users cannot join the system. Even so, existing participants can still perform the SignCrypt and DeSignCrypt steps normally. Note that the probability of all KGCs failing at once is relatively low, so system security can still be guaranteed.
Based on the security model described in Section IV, we prove the confidentiality and unforgeability of the proposed scheme in this section. Because the system private key is
and does not change during the UpdateKey phase, the system public key P0 = sP does not change either.
Proof. The proof is provided in the appendix.
A compromised key server acts as an adversary and leaks its share of the system secret; several compromised KGCs can launch more severe attacks by colluding. To protect the KGCs in our scheme, each KGC_i (1 ≤ i ≤ n) updates its secret in every epoch. When a participant wants to obtain his private key, he has to collect at least t secret shares from the KGCs. Based on the assumption in Section 4.1, we show in this section that an adversary who collects t secret shares from different epochs cannot reconstruct the system private key s.
According to the Lagrange interpolation theorem, we can obtain
Then we can get
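The threshold key management described by the UpdateKey step and argued in this section, as an added example that is not the paper's own code: joint (t, n) secret sharing of s over Z_q among n KGCs, Lagrange reconstruction from t shares, and a proactive refresh in the style of Herzberg et al. in which every KGC adds a random polynomial with zero constant term, so that the shares change each epoch while s, and hence P0 = sP, does not. The code follows the standard Shamir convention that the sharing polynomials have degree t - 1, so that exactly t shares reconstruct (the page describes g_i(x) as having degree t while still requiring t shares); the function names and the choice of q (the secp256k1 group order) are assumptions. The last check reproduces the claim above: t shares drawn from different epochs do not interpolate to s.

```python
# Added example, not from the paper: (t, n) threshold sharing of the system private key s
# among n KGCs with a proactive share refresh (UpdateKey). Arithmetic is in Z_q with q the
# secp256k1 group order; names are ours. Standard Shamir convention: degree t - 1 polynomials.
import secrets

q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def rand_poly(const, deg):
    """g(x) = const + c_1 x + ... + c_deg x^deg with random c_k in Z_q."""
    return [const] + [secrets.randbelow(q) for _ in range(deg)]


def evaluate(coeffs, x):
    """Horner evaluation of a polynomial given as [c_0, c_1, ..., c_deg]."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % q
    return acc


def lagrange_at_zero(points):
    """Interpolate the polynomial through the (x_j, y_j) pairs and return its value at 0."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % q
                den = den * (xi - xj) % q
        total = (total + yi * num * pow(den, -1, q)) % q
    return total


def joint_setup(n, t):
    """Setup: KGC_i picks g_i of degree t-1 with a random constant term and sends g_i(j)
    to KGC_j. KGC_j's share is s_j = sum_i g_i(j); the system private key is
    s = sum_i g_i(0), which no single KGC ever sees. s is returned here only so the
    demo can check reconstruction against it."""
    polys = [rand_poly(secrets.randbelow(q), t - 1) for _ in range(n)]
    s = sum(g[0] for g in polys) % q
    shares = {j: sum(evaluate(g, j) for g in polys) % q for j in range(1, n + 1)}
    return s, shares


def update_key(shares, t):
    """UpdateKey: KGC_i picks h_i of degree t-1 with h_i(0) = 0 and sends h_i(j) to KGC_j,
    which adds everything it receives to its share. sum_i h_i vanishes at 0, so the shared
    secret (and P0 = sP) is unchanged while every share is re-randomised."""
    refresh = [rand_poly(0, t - 1) for _ in shares]
    return {j: (shares[j] + sum(evaluate(h, j) for h in refresh)) % q for j in shares}


def reconstruct(shares, ids):
    """What a participant (or an attacker) computes from the shares of the KGCs in ids."""
    return lagrange_at_zero([(j, shares[j]) for j in ids])


def demo(n=5, t=3):
    """Returns three booleans: do t shares of one epoch recover s, do t-1 shares recover s,
    do t shares collected across two epochs recover s."""
    s, epoch0 = joint_setup(n, t)
    epoch1 = update_key(epoch0, t)
    same_epoch = reconstruct(epoch1, [1, 2, 3]) == s
    too_few = reconstruct(epoch1, [1, 2]) == s
    # Attacker model of Section 4.1: KGC_1 compromised in epoch 0, then released;
    # KGC_2 and KGC_3 compromised in epoch 1. Three shares, but from two epochs.
    mixed = {1: epoch0[1], 2: epoch1[2], 3: epoch1[3]}
    cross_epoch = reconstruct(mixed, [1, 2, 3]) == s
    return same_epoch, too_few, cross_epoch


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Two practical caveats the arithmetic does not enforce: each KGC must securely erase its old share once the refresh completes, otherwise an attacker who compromises it later obtains shares from two epochs at once, and the h_i(j) values must be delivered with integrity (for example under verifiable secret sharing), since a KGC that sends inconsistent refresh values can silently corrupt the other KGCs' shares.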
Table 2 compares security attributes. To compare ciphertext lengths we define the following symbols. L_m is the plaintext length. |G_p| is the length of an element of the cyclic group G of order p. denotes the length of an integer in . |ID| is the length of an identity. n is the number of recipients.
Table 2 compares schemes proposed in the past three years that are based on elliptic curve cryptography. All of them provide confidentiality and unforgeability and can transmit multiple messages to their corresponding recipients at once. We do not consider pairing-based schemes, because bilinear pairings are expensive operations; as data volumes grow, those schemes are not communication-efficient and are not applicable to resource-constrained IoT environments.
Table 2. Comparison of functions.
Table 3. Scheme symbolic representation.
The multi-message multi-receiver signcryption schemes [2,4,24,22] need to maintain a secure channel to exchange secrets, and they cannot resist network attacks on the key servers. Neither our scheme nor the scheme of [8] needs a secure channel to send secret information, which reduces maintenance costs; in addition, our scheme copes with attacks on the KGC. The ciphertext length of our scheme is equal to or less than that of schemes [2,4,8,24,22], so our scheme is more storage-friendly.
To analyze computational complexity, Table 3 defines symbols for the execution times of different operations; all values in Table 3 are taken from [8]. Operations not listed take negligible time and are not discussed. Table 4 compares the computational complexity of the SignCrypt and DeSignCrypt steps.
For the SignCrypt step, schemes [8,2,24,4] need a separate symmetric encryption operation to encrypt each message, whereas our scheme performs encryption and signature in a single step, which is more efficient. Our scheme also has lower computational cost than schemes [8,2,22]. For the SignCrypt step, as the number of recipients increases, schemes [24,4] are more efficient, but our scheme provides more security attributes, as Table 2 shows. For the DeSignCrypt step, schemes [8,2,4] and our scheme have similar computational complexity. Note that scheme [24] is based on Shamir secret sharing and may become less efficient as the number of recipients increases.
Table 4. Comparison of computational complexity.
In this section we evaluate the performance of our proposed scheme on a personal computer with the following configuration: CPU: Intel(R) Core(TM) i5-7500 3.40 GHz; RAM: 8.00 GB; Storage: 128 GB SSD + 1 TB SATA; OS: Windows 7 64-bit; IDE: MyEclipse 1.5. The scheme is implemented in Java 1.7 with JPBC 2.0.0. We use the Koblitz curve parameters secp256k1, for which p and q are both 256 bits [2]; secp256k1 is chosen for efficient finite-field arithmetic, and its 256-bit elements keep storage and bandwidth requirements low.
Since the number of KGCs affects the Setup step and the user key generation phase, we focus on them here. The user key generation phase, denoted KeyGen for simplicity, comprises four steps: SetSecret, ExtractPpk, SetPrik and SetPubk. Figure 3 shows execution time against the threshold t, and Figure 4 against the number of KGCs. The numbers of senders and recipients are both set to one. Each test is repeated 100 times and the average is reported. Network delay is excluded so as to focus on execution time.
As Figures 3 and 4 show, the time consumed by the Setup and KeyGen phases grows as n and t increase. This is because the degree of the polynomial g_i(x) equals the threshold t, and a participant needs to collect t shares of w_i to extract his private key; in addition, each KGC needs to collect n - 1 shares g_i(j) to assemble its secret s_j. In the KeyGen phase a recipient needs to collect t shares from the KGCs to compute his private key, so this phase takes longer than the Setup phase.
We also compare our scheme with two other signcryption schemes [2,8]. Scheme [2], proposed by Cong et al., is an efficient and provably secure multi-receiver signcryption scheme; scheme [8], proposed by Pang et al., needs no secure channel to extract the user private key. We focus on execution time against the number of recipients, with n = 3 and t = 2. Each test is repeated 100 times and the average is reported. Figure 5 shows execution time against the number of recipients for the SignCrypt step, and Figure 6 for the DeSignCrypt step.
Figures 5 and 6 show that the execution time of all three schemes grows linearly with the number of recipients for both the SignCrypt and DeSignCrypt steps. For SignCrypt, a sender needs about 5 ms to encrypt a message for a single recipient in our scheme, about 15 ms in scheme [8] and about 20 ms in scheme [2]. For DeSignCrypt, each recipient needs about 5 ms to decrypt a message in our scheme, about 8 ms in scheme [8] and about 20 ms in scheme [2]. Schemes [2,8] consume more time than ours because they rely on a third-party symmetric encryption scheme to encrypt messages, whereas our scheme uses lightweight XOR operations.
Maintaining multiple KGCs consumes more computing and network resources, especially in the UpdateKey step. We evaluate the execution time of the UpdateKey phase against the number of KGCs n and the threshold t; the results are shown in Figures 7 and 8. Execution time increases linearly with both n and t, and t has a more pronounced effect than n. When choosing their values, one must strike a balance between cost, security and efficiency.
Based on elliptic curve cryptography, we have proposed a multi-receiver multi-message signcryption scheme in which the system private key is split into several shares distributed among multiple KGCs, each of which updates its share periodically to resist APT attacks. The confidentiality and unforgeability of the new scheme are analyzed in the random oracle model under the computational Diffie-Hellman and discrete logarithm assumptions. Performance analysis shows that the proposed scheme has a shorter ciphertext length and higher efficiency.
In future work we will design a scheme with anonymity to protect user identities, and extend our work to improve efficiency and reduce power consumption.
This work was supported by the National Key Research and Development Program of China (2020YFB1005404), the National Natural Science Foundation of China (62172010) and the Henan Province Higher Education Key Research Project (22A520048).