1 Introduction

Public key cryptography (PKC) is an important milestone in the history of cryptography. It has experienced three important stages: the traditional public key cryptography, Identity-based public key cryptography (ID-PKC) and certificateless public key cryptography (CL-PKC). In an ID-PKC scheme, user’s public key is constructed with his own identity information while the private key is generated by a trusted authority named Private Key Generator (PKG). Compared with traditional public key cryptography, ID-PKC simplifies the work of Public Key Infrastructure (PKI). However, since the private keys are all generated by PKG, ID-PKC has serious key escrow problem. PKG can decrypt all the messages transmitted between different users and forge any user’s signature.

CL-PKC was first proposed by Al-Riyami and Paterson [1] in 2003. To avoid the key escrow problem, they divided user private key into two parts, one part is still generated by a trusted authority named Key Generation Center (KGC) and the other is set by user himself. Confidentiality and unforgeability are two important characteristics of cryptography, and the traditional implementation method is the “encrypt-then-signature” mechanism. Signcryption is a concept that encrypts and signs the plaintext simultaneously. This primitive can not only streamline the calculation process, but also save the communication overhead. Currently this concept in many network environments is widely used to design more efficient cryptographic schemes.

In 2008, the first certificateless signcryption scheme was proposed by Barbosa and Farshim [2] and proved to be secure under the random oracle model. After that, lots of certificateless signcryption schemes have been proposed [3, 4]. However, most of these schemes were proved secure under random oracle model which may engender serious security problems in real implementation. It has been shown that when random oracles are instantiated with concrete hash functions, the resulting scheme may not be secure [5, 6]. In recent years, the standard model has been widely concerned and used in the security analysis of many signcryption schemes. Under the standard model, schemes’ security only relies on some hard problems, where these problems still have not been solved in mathematics, thus these schemes are more secure in practical use. Yu et al. [7] proposed the first identity-based signcryption scheme without random oracle model in 2009, but this scheme has some flaws in encryption design and indistinguishability proof. Based on Yu’s scheme, Li et al. [8] made great improvements and proposed a more secure identity-based signcryption scheme with less computation. In 2010, Liu et al. [9] proposed the first efficient and provably secure certificateless signcryption scheme in the standard model. Unfortunately, Miao et al. [10] pointed out that scheme [9] cannot satisfy the confidentiality and unforgeability requirements. Meanwhile, Weng et al. [11] found that Liu’s scheme cannot resist attacks from malicious-but-passive KGC. Jin et al. [12] optimized and enhanced Liu’s scheme with a new idea, and they showed that their improvements were really secure in the standard model. But Xiong [13] showed that Jin’s scheme cannot resist chosen ciphertext attacks, and was vulnerable to malicious-but-passive KGC. Then he utilized Bellare and Shoup’s one-time signature and Li’s signcryption scheme [8] to propose another certificateless signcryption scheme in the standard model. It is proved that Xiong’s scheme meet the confidentiality and unforgeability requirements. In 2015, Cheng et al. [14] modified Liu’s scheme to resist two types of adversaries attacks with less computations. Recently, Zhou et al. [15] proposed a more efficient scheme than [13] and [14] schemes, but their scheme has too many pairing operations and the comparison contains the offline computation. The offline computation can be performed with the public system parameter and communication user’s public key before the message to be signcrypted and the session-specific temporary information are given. Moreover, we find these certificateless signcryption schemes above in the standard model cannot satisfy known session-specific temporary information security (KSSTIS). Most of certificateless signcryption schemes use some randomized private temporary information to produce an encryption key and an encrypted ciphertext in each run of the signcryption stage. KSSTIS means if the compromise of this private input should not compromise the secrecy of the generated encryption key and the encrypted ciphertext).

In this paper, we proposed a provably secure certificateless signcryption scheme in the standard model. Under the Decisional Bilinear Diffie–Hellman and Computational Diffie–Hellman hard problems, our scheme satisfies the main security feature of indistinguishability against adaptive chosen ciphertext attack and existential unforgeability against adaptive chosen message attack. Also our scheme achieves the KSSTIS attribute. Compared with other similar schemes through efficiency analysis, our scheme has less exponentiation computation and pairing operation. The result is that our scheme has stronger security and needs less calculation costs for network communication.

This paper is organized by following parts: We provide some preliminaries in Sect. 2. In Sect. 3, we describe the formal model of certificateless signcryption scheme (CLSC), which includes the generic model and security model of CLSC. Section 4 describes our schemes in details. After that, the correctness and security analysis have been given in Sect. 5. Compared with other schemes by making security and efficiency analysis, we showed the performance of our scheme in Sect. 6. Section 7 is a conclusion of this paper.

2 Preliminaries

In this section, we firstly review some prior knowledge of bilinear maps and complexity assumptions. Let G 1, G 2 be two cyclic multiplicative groups with prime order p and let g be the generator of G 1. For a bilinear map \(\hat{e}:\) G 1 \(\times\) G 1 \(\to\) G 2, it must meet the following characteristics:

  1. 1.

    Bilinear: for all M, N \(\in\) G 1 and a, b \(\in\) \(Z_{p}^{ * }\), \(\hat{e}\)(M a, N b) = \(\hat{e}\)(M, N)ab;

  2. 2.

    Computability: for all (M, N)\(\in\) G 1 \(\times\) G 1, there is an efficient algorithm that can compute \(\hat{e}\)(M, N);

  3. 3.

    Non-degenerate: \(\hat{e}\)(g, g)\(\ne\) \(1_{{G_{2} }}\).

The security of our scheme depends on the hardness of following problems:

Definition 1

Randomly select a, b \(\in\) \(Z_{p}^{ * }\), let g be a generator of G 1. For a group G 1, the Computational Diffie–Hellman (CDH) is to compute g ab \(\in\) G 1 given a triple (g, g a, g b).

Definition 2

Randomly select a, b, c, z \(\in\) \(Z_{p}^{ * }\), let g be a generator of G 1. Decisional Bilinear Diffie–Hellman (DBDH) problem is to determine whether h 1 and h 2 is equal given two quintuples h 1 = (g, g a, g b, g c, \(\hat{e}(g,g)^{abc}\)) and h 2 = (g, g a, g b, g c,\(\hat{e}\)(g, g)z).

3 Formal Models of certificateless Signcryption Scheme

3.1 Generic Model

For a certificateless signcryption scheme (CLSC), it generally consists of the following five algorithms:

Setup Given a security parameter λ as an input, then KGC outputs system parameter params and master secret key α. The α is kept secretly by KGC and params will be published to all users.

User-Key-Generate (UKG) Given system parameter params and user identity ID, this algorithm is executed by the user himself to get user secret key x ID and public key PK ID .

Partial-Private-Key-Extraction (PPKE) Given system parameter params, master key α and user identity, this algorithm is executed by KGC to get user partial private key d ID , which will be sent to corresponding user.

Signcrypt While input system parameter params, plaintext m, sender’s private key pair (x s , d s ), receiver’s identity ID r and public key PK r , this algorithm is executed by the sender and outputs ciphertext c = Signcrypt(params, m, x s , d s , ID r , PK r ).

Unsigncrypt On input of system parameter params, ciphertext c, the receiver’s private key pair \((x_{r} ,d_{r} )\), sender’s identity ID s and public key PK s , the receiver firstly verifies the validity of the ciphertext c, if it is valid, the receiver recovers the plaintext m = Unsigncrypt(params, c, x r , d r , ID s , PK s ) and outputs plaintext m, otherwise he outputs character “\(\bot\)”.

3.2 Security Model

For a secure CLSC scheme, it should have the indistinguishability against adaptive chosen ciphertext attack and unforgeability against adaptive chosen message attack. Definition 3 is for confidentiality of ciphertext and Definition 4 is for unforgeability of messages.

The certificateless signcryption system includes two types of attackers named A I and A II . For A I , we treat him as an ordinary attacker that does not have the master secret key of KGC. A I can replace any user’s public key with a new public key \(PK_{u}^{\prime }\), and he does not need to provide the corresponding secret value of \(PK_{u}^{\prime }\). For A II , we treat him as a malicious-but-passive KGC A II attacker. As an attacker, A II can generate KGC’s master secret key maliciously but cannot replace user’s public key.

Definition 3

(Confidentiality) For attacker A i(i=I,II), if he doesn’t have non-negligible advantage to win the Game1 and Game2 within polynomial time respectively, we will say that the CLSC has the indistinguishability against adaptive chosen ciphertext attack (IND-CLSC-CCA2).

Game 1

Setup Challenger C firstly runs the setup algorithm defined in generic model to generate system parameters, then sends attacker A I the parameter params while secretly keeps the master secret key α.

Phase 1 This is a probing phase. During the simulation, attacker A I can perform the following polynomial times queries.

  1. 1.

    Public-key-generate query A I asks for user public key with identity ID u . Then C runs the UKG algorithm UKG(params, ID u ) → (PK u , x u ) and returns the result PK u to A I .

  2. 2.

    Partial-private-key-extraction query A I asks for user partial private key with identity ID u . Then C runs the PPKE algorithm PPKE(params, α, ID u ) and returns the result d u to A I .

  3. 3.

    Corruption query A I asks for user secret key with identity ID u . Then C runs the UKG algorithm UKG(params, ID u ) → (PK u , x u ) and returns the result x u to A I .

  4. 4.

    Public-key-replace (PKR) query A I can replace any user’s public key with any data in the valid range.

  5. 5.

    Signcrypt query A I submits two separate identities ID i , ID j to act as the sender and receiver, and along with plaintext m for Signcrypt query. C runs the Signcrypt algorithm c = Signcrypt(params, m, x i , d i , ID j , PK j ) and returns ciphertext c to A I .

  6. 6.

    Unsigncrypt query A I submits two separate identities ID i , ID j to act as the sender and receiver, and along with ciphertext c for a Unsigncrypt query. If the ciphertext is valid, then C runs the Unsigncrypt algorithm m = Unsigncrypt(params, c, x j , d j , ID i , PK i ) and sends plaintext m to A I , otherwise outputs character “\(\bot\)”.

Challenge A I outputs two messages m 0 and m 1 with the same length, two identities \(ID_{i}^{*}\) and \(ID_{j}^{*}\) on which he wishes to be challenged. Either \(ID_{i}^{*}\) or \(ID_{j}^{*}\) cannot be the identity that has been used for PPKE query. C randomly selects d \(\in\) {0,1} to compute c * = Signcrypt(params, m d , \(x_{i}^{ * }\), \(d_{i}^{ * }\), \(ID_{j}^{ * }\), \(PK_{j}^{ * }\)) and returns c to A I .

Phase 2 A I performs polynomial times queries as in phase 1. But A I is forbidden to perform PPKE query on \(ID_{i}^{*}\) and \(ID_{j}^{*}\). Meanwhile, A I cannot perform Unsigncrypt query on ciphertext c * under \(ID_{i}^{*}\) and \(ID_{j}^{*}\).

Guess A I outputs \(d^{\prime }\) as a guess at the end. If \(d^{\prime }\) = d, A I wins the Game 1.

The advantage of A I is defined to be \(Adv_{IND - CCA2} (A_{I} ) = |2\Pr [d^{\prime} = d] - 1|\).

Game2

Setup Challenger C runs the Setup algorithm defined in generic model to generate system parameters and sends attacker A II the parameter params and master secret key α.

Phase 1 During this phase, A II performs bounded times of polynomial queries just like Game 1. Notes that A II doesn’t need to perform PPKE and Public-key-replace queries.

Challenge A II outputs two messages m 0 and m 1 with the same length, two challenge identities \(ID_{i}^{*}\) and \(ID_{j}^{*}\). The identity \(ID_{j}^{*}\) cannot have been performed by Corruption query. C randomly selects d \(\in\) {0,1} and computes c * = Signcrypt(params, m d ,\(x_{i}^{ * }\),\(d_{i}^{ * }\),\(ID_{j}^{ * }\),\(PK_{j}^{ * }\)), then returns ciphertext c * back to A II .

Phase 2 A II performs polynomial queries just like in phase 1. But A II is not allowed to perform Corruption query on \(ID_{j}^{*}\). Meanwhile, A I cannot perform Unsigncrypt query on ciphertext c * under \(ID_{i}^{*}\) and \(ID_{j}^{*}\).

Guess A II also outputs \(d^{\prime }\) as a guess at the end. If \(d^{\prime }\) = d, A II wins the Game 2.

The advantage of A II is defined to be \(Adv_{IND - CCA2} (A_{II} ) = |2\Pr [d^{\prime} = d] - 1|\).

Definition 4

(Unforgeability) For attacker A i(i=I,II), if he doesn’t have non-negligible advantage to win the Game 3 and Game 4 within polynomial time respectively, we will say that the CLSC has the unforgeability against adaptive chosen message attack (EUF-CLSC-CMA).

Game3

Setup C runs the Setup algorithm defined in generic model to generate system parameters and sends attacker A I the parameter params while secretly keeps the master secret key α.

Probing A I performs bounded times polynomial queries just like Game 1 in Definition 3.

Forge A I outputs a signcryption ciphertext c * related to \(ID_{i}^{*}\), \(ID_{j}^{*}\) and one message m *. A I cannot perform Signcrypt query on message m * under \(ID_{i}^{*}\) and \(ID_{j}^{*}\) during the Probing phase. Similarly, \(ID_{i}^{*}\) cannot be an identity that has been performed by PKR query. In the end, if c * is a valid signature for triple (m *,\(ID_{i}^{*}\),\(ID_{j}^{*}\)) and the result of Unsigncrypt algorithm is not character “\(\bot\)”, we say A I wins the game.

Game4

Setup C runs the Setup algorithm defined in generic model to generate system parameters and sends attacker A II the parameter params and the master secret key α.

Probing A II performs bounded times polynomial queries just like Game 2 in Definition 3.

Forge A II outputs a signcryption ciphertext c * related to \(ID_{i}^{*}\), \(ID_{j}^{*}\) and one message m *. Notes that A II cannot perform Signcrypt query on message m * under \(ID_{i}^{*}\) and \(ID_{j}^{*}\) during the Probing phase. Similarly, \(ID_{j}^{*}\) cannot be an identity that has been performed by Corruption query. In the end, if c * is a valid signature for triple (m *,\(ID_{i}^{*}\),\(ID_{j}^{*}\)) and the result of Unsigncrypt algorithm is not character “\(\bot\)”, we consider A II wins the game.

4 Proposed CLSC Scheme

In this section, we will describe the details of the CLSC scheme that is provably secure in the standard model. The scheme consists of the following five algorithms: Setup, UKG (user key generate), PPKE (partial private key extraction), Signcrypt, and Unsigncrypt algorithms. Here, we assume the identity of all users is a string of length B u .

Setup Randomly select a number v as a secure system parameter, the execution process of this algorithm is as follows:

  1. 1.

    Let G 1, G 2 be two cyclic multiplicative group of prime order p (p is a big prime).\(\hat{e}:\) G 1 × G 1 → G 2 is a bilinear mapping and let g be a generator of G 1.

  2. 2.

    Randomly select \(u^{\prime }\), \(m^{\prime }\) \(\in\) G 1 and two vectors \(\vec{u} = (u_{i} )_{{B_{u} }}\), \(\vec{m} = (m_{j} )_{{B_{m} }}\) with length of B u and B m respectively. Select an integer α \(\in Z_{p}^{*}\), and let \(H:\{ 0,1\}^{*} \to \{ 0,1\}^{{B_{m} }}\) be a collision-resistant hash function (Similarly in schemes [6, 13, 14]).

  3. 3.

    Let α be the master secret key and define P pub  = g α. Then make public the system parameter params = {G 1, G 2,\(\hat{e}\), p, g, P pub , \(u^{\prime }\), \(m^{\prime }\),\(\vec{u}\),\(\vec{m}\), H}.

UKG Given system parameter params and user identity u \(\in \{ 0,1\}^{{B_{u} }}\), then user himself selects a random number x u \(\in Z_{p}^{ * }\) and computes PK u  = \(g^{{x_{u} }}\). So, he gets a tuple (x u , PK u ), in which x u is his secret key and PK u is his public key. We assume that in a communication system, sender A’s secret key/public key pair is (x A , PK A ); receiver B’s secret key/public key pair is (x B , PK B ).

PPKE Given system parameter params and user identity \(u \in \{ 0,1\}^{{B_{u} }}\). Let U \(\subset\) {1,2,…,B u } be a set that for every i \(\in\) U we have u i  = 1(i.e. the i-th bit of identity u equals bit 1). This algorithm outputs user partial private key d u  = (\(u^{\prime}\prod\nolimits_{i \in U} {u_{i} }\))α. We define sender A’s partial private key is d A  = (\(u^{\prime}\prod\nolimits_{{i \in U_{A} }} {u_{i} }\))α, and receiver B’s partial private key is d B  = (\(u^{\prime}\prod\nolimits_{{i \in U_{B} }} {u_{i} }\))α.

Signcrypt User A selects a random number \(k \in Z_{p}^{*}\) and computes S = g k, then executes the following steps:

  1. 1.

    Encrypt message M:

    $$\begin{aligned} R &= M \cdot PK_{B}^{{x_{A} }} \cdot \hat{e}\left( {d_{A} \cdot PK_{B}^{k} ,u^{\prime}\prod\limits_{{i \in U_{B} }} {u_{i} } } \right) \hfill \\ &= M \cdot PK_{B}^{{x_{A} }} \cdot \hat{e}\left( {d_{A} ,u^{\prime}\prod\limits_{{i \in U_{B} }} {u_{i} } } \right) \cdot \hat{e}\left( {PK_{B} ,u^{\prime}\prod\limits_{{i \in U_{B} }} {u_{i} } } \right)^{k} \hfill \\ \end{aligned}$$
  2. 2.

    Compute signature. Firstly, A computes m = H(R, S, u A , u B , PK A , PK B ). Let \(\bar{M} \subset\) {1,2,…,B m } be a set that for every j \(\in \bar{M}\) we have m[j] = 1. Then \(A\) computes signature \(T = d_{A} \cdot (m^{\prime}\prod\nolimits_{{j \in \bar{M}}} {m_{j} } )^{{k + x_{A} }}\).

  3. 3.

    Send the signcryption information σ = (R, S, T) to user B.

Unsigncrypt User B adopts the verify-then-decrypt method.

  1. 1.

    Firstly, user B computes m = H(R, S, u A , u B , PK A , PK B ). Let \(\bar{M} \subset\) {1,2,…,B m } be a set that for every j \(\in \bar{M}\) and m[j] = 1.

  2. 2.

    Verification: B checks whether the following formula is valid:

    $$\hat{e}(T,g) = \hat{e}\left( {P_{pub} ,u^{\prime}\prod\limits_{{i \in U_{A} }} {u_{i} } } \right) \cdot \hat{e}\left( {S,m^{\prime}\prod\limits_{{j \in \bar{M}}} {m_{j} } } \right)\hat{e}\left( {PK_{A} ,m^{\prime}\prod\limits_{{j \in \bar{M}}} {m_{j} } } \right)$$

    If the formula established, B proceeds to decrypt the ciphertext. Otherwise, B returns character “\(\bot\)”.

  3. 3.

    Decrypt the ciphertext: \(M = R/\left( {PK_{A}^{{x_{B} }} \cdot \hat{e}\left( {d_{B} ,u^{\prime}\prod\nolimits_{{i \in U_{A} }} {u_{i} } } \right) \cdot \hat{e}\left( {S^{{x_{B} }} ,u^{\prime}\prod\nolimits_{{i \in U_{B} }} {u_{i} } } \right)} \right)\).

Note: In order to improve computation efficiency, user’s private key consists of two parts in our scheme, but there are three parts in Zhou’s scheme [15], where the private key is used to encrypt and decrypt the message. At the unsigncryption stage, there is one exponentiation computation and one pairing operation related to the private key in our scheme, but one exponentiation computation and two pairing operations are related to the private key in Zhou’s scheme. Moreover, our scheme selects one randomized private input, but Zhou’s scheme chooses two random numbers, where the random values are used to generate the signcryption. At the signcryption stage, there are three exponentiation computation and three signcryption values related to the random value in our scheme, but six exponentiation computation and six signcryption values are related to the random numbers in Zhou’s scheme.

5 Analysis of Proposed Scheme

5.1 Correctness

From signcryption phase to verification phase, and in decryption phase, all operations in our scheme are correct. The proof of correctness is as follows.

In the verification phase:

$$\begin{aligned} \hat{e}\left( {T,g} \right) & = \hat{e}\left( {d_{A} \cdot \left( {m^{\prime}\prod\limits_{{j \in \bar{M}}} {m_{j} } } \right)^{{k + x_{A} }} ,g} \right) \\ & = \hat{e}\left( {g,\left( {u^{\prime}\prod\limits_{{i \in U_{A} }} {u_{i} } } \right)^{\alpha } \cdot \left( {m^{\prime}\prod\limits_{{j \in \bar{M}}} {m_{j} } } \right)^{{k + x_{A} }} } \right) \\ & = \hat{e}\left( {P_{pub} ,u^{\prime}\prod\limits_{{i \in U_{A} }} {u_{i} } } \right) \cdot \hat{e}\left( {S,m^{\prime}\prod\limits_{{j \in \bar{M}}} {m_{j} } } \right) \cdot \hat{e}\left( {PK_{A} ,m^{\prime}\prod\limits_{{j \in \bar{M}}} {m_{j} } } \right) \\ \end{aligned}$$

In the decryption phase:

$$\begin{aligned}&S^{{x_{B} }} = (g^{k} )^{{x_{B} }} = (g^{{x_{B} }} )^{k} = PK_{B}^{k} ;\\&R/\left( {PK_{A}^{{x_{B} }} \cdot \hat{e}\left( {d_{B} ,u^{\prime}\prod\limits_{{i \in U_{A} }} {u_{i} } } \right) \cdot \hat{e}\left( {S^{{x_{B} }} ,u^{\prime}\prod\limits_{{i \in U_{B} }} {u_{i} } } \right)} \right) = M \cdot PK_{B}^{{x_{A} }} \cdot \hat{e}\left( {d_{A} ,u^{\prime}\prod\limits_{{i \in U_{B} }} {u_{i} } } \right) \cdot \hat{e}\left( {PK_{B}^{k} ,u^{\prime}\prod\limits_{{i \in U_{B} }} {u_{i} } } \right)/\left( {PK_{A}^{{x_{B} }} \cdot \hat{e}\left( {d_{B} ,u^{\prime}\prod\limits_{{i \in U_{A} }} {u_{i} } } \right) \cdot \hat{e}\left( {PK_{B}^{k} ,u^{\prime}\prod\limits_{{i \in U_{B} }} {u_{i} } } \right)} \right) = M \cdot \hat{e}\left( {d_{A} ,u^{\prime}\prod\limits_{{i \in U_{B} }} {u_{i} } } \right)/\hat{e}\left( {d_{B} ,u^{\prime}\prod\limits_{{i \in U_{A} }} {u_{i} } } \right) = M \end{aligned}$$

5.2 Security Proof

5.2.1 Confidentiality

Theorem 1

The proposed CLSC scheme is indistinguishable against the adversary A I in the standard model assuming the DBDH problem is hard.

Proof

C receives a DBDH instance (g, g a, g b, g c,\(\hat{e}(g,g)^{z}\)), in which a, b, c, z \(\in Z_{p}^{ * }\), and he is required to distinguish \(\hat{e}(g,g)^{abc}\) ? = \(\hat{e}(g,g)^{z}\). C treats A I as a partner and replies the queries of A I as follows.□

Setup

  1. 1.

    C selects four positive integers v u , v m , c u and c m , where 0 ≤ v u  ≤ B u , 0 ≤ v m  ≤ B m , c u (B u  + 1) < p and c m (B m  + 1) < p.

  2. 2.

    C selects two elements \(x^{\prime }\), \(y^{\prime }\) from c u , where the range of \(x^{\prime }\) is {x 1,…,\(x_{{B_{u} }}\)} and the range of \(y^{\prime }\) is {y 1,…,\(y_{{B_{u} }}\)}. Similarly, C selects two elements \(e^{\prime }\), \(f^{\prime }\) from c m , where the range of \(e^{\prime }\) is {e 1,…,\(e_{{B_{m} }}\)} and the range of \(f^{\prime }\) is {f 1,…,\(f_{{B_{m} }}\)}.

  3. 3.

    Let P pub  = g a,\(u^{\prime} = g^{{y^{\prime} + x^{\prime} - c_{u} v_{u} }}\), \(m^{\prime }\) = \(g^{{f^{\prime} + \varepsilon^{\prime} - c_{m} v_{m} }}\) and compute u i  = \(g^{{x_{i} + y_{i} }}\), m j  = \(g^{{\varepsilon_{j} + f_{j} }}\)(1 ≤ i ≤ B u , 1 ≤ j ≤ B m ). Let vectors \(\vec{u}\) = (u i ) and \(\vec{m}\) = (m j ).

  4. 4.

    C sends parameter params to A I , where params = {g, P pub ,\(\vec{u}\),\(\vec{m}\), \(u^{\prime }\), \(m^{\prime }\)}.

  5. 5.

    C maintains three lists L u , L p and L r to preserve relevant information. L u is used to simulate UKG oracle, L p is used to simulate PPKE oracle and L r is used to simulate PKR oracle. All the lists are empty at the beginning.

In order to make the analysis of the simulation easier, we define several functions:

$$\begin{aligned} & F_{u} = \sum\limits_{i \in U} {x_{i} } - c_{u} v_{u} + x^{\prime},\quad J_{u} = \sum\limits_{i \in U} {y_{i} } + y^{\prime} \\ & K_{m} = \sum\limits_{{j \in \bar{M}}} {e_{j} } - c_{m} v_{m} + e^{\prime},\quad L_{m} = \sum\limits_{{j \in \bar{M}}} {f_{j} } + f^{\prime} \\ \end{aligned}$$

Then we have:

$$u^{\prime}\prod\limits_{i \in U} {u_{i} } = g^{{F_{u} + F_{u} }} ,\quad m^{\prime}\prod\limits_{{j \in \bar{M}}} {m_{j} } = g^{{K_{m} + L_{m} }}$$

PKG Query

While input params and user identity ID u , C randomly selects \(x_{u} \in Z_{p}^{ * }\) to compute \(PK_{u} = g^{{x_{u} }}\), then preserves (ID u , x u , PK u ) in list L u and sends PK u to A I .

PPKE Query

On input of params and user identity ID u , C randomly selects i b , i c from {1,2,…,q p } where q p is the number of PPKE queries which can be performed. For the i-th query, C executes the following judgments:

  1. 1.

    If i = i b , then let ID u  = ID B , \(u^{\prime}\prod\nolimits_{{i \in U_{B} }} {u_{i} } = g^{b}\) and d u  = d B  = \(\bot\);

  2. 2.

    If i = i c , then let ID u  = ID C , \(u^{\prime}\prod\nolimits_{{i \in U_{C} }} {u_{i} } = g^{c}\) and d u  = d C  = \(\bot\);

  3. 3.

    For other PPKE queries, C computes user partial private key d u as follows:

    $$\begin{aligned} d_{u} & = \left( {P_{pub} \cdot g^{ - 1} } \right)^{{F_{u} + J_{u} }} \left( {u^{\prime}\prod\limits_{i \in U} {u_{i} } } \right) \\ & = \left( {g^{a} \cdot g^{ - 1} } \right)^{{F_{u} + J_{u} }} \cdot g^{{F_{u} + J_{u} }} \\ & = (g^{a} )^{{F_{u} + J_{u} }} \\ & = \left( {u^{\prime}\prod\limits_{i \in U} {u_{i} } } \right)^{a} \\ \end{aligned}$$

In the above three cases, C sends d u to A I and preserves (ID u , d u ) into list L p .

PKR Query

A I firstly performs PKG query with identity ID u and gets a tuple (ID u , x u , PK u ). We assume that A I can replace PK u with any valid \(PK_{u}^{\prime }\) and preserve (ID u ,\(\bot\), \(PK_{u}^{\prime }\)) into L r .

Corruption Query

While input params and user identity ID u , A I asks for the user secret key. C checks whether there is a matching item of (ID u , x u , PK u ) in L u firstly. If exists, then C sends x u to A I . Otherwise, C performs PKG query to get and send x u to A I .

Signcrypt Query

Adversary A I submits a Signcrypt query for plaintext M with user identity ID 1 and ID 2. Suppose that A I has performed PKG query with ID 1 and ID 2 before this query. In this query, we consider two situations.

  1. 1.

    If ID 1 \(\notin\) {ID B , ID C }, C performs PPKE query and Corruption query with ID 1 firstly, then executes Signcrypt algorithm and sends the signcryption information σ = (R, S, T) to A I .

  2. 2.

    If ID 1 \(\in\) {ID B , ID C }, C returns character “\(\bot\)” and stops the challenge.

Unsigncrypt Query

Adversary A I submits an Unsigncrypt query for ciphertext σ with user identity ID 1 and ID 2.We also consider two situations. Suppose that A I has performed PKG query with ID 2 before this query. Then we have:

  1. 1.

    If ID 2 \(\notin\) {ID B , ID C }, C firstly verifies the validity of σ. If fails, he returns character “\(\bot\)”. Otherwise, C performs PPKE query and Corruption query with ID 2 and executes Unsigncrypt algorithm, then returns message M to A I .

  2. 2.

    If ID 2 \(\in\) {ID B , ID C }, C returns character “\(\bot\)” and stops the challenge.

All the processes above are just the first round of queries. At the end of this phase, A I outputs two challenge identities \(ID_{1}^{*}\) and \(ID_{2}^{*}\), two different messages M 0 and M 1 with equal length. If \(ID_{1}^{*} ,ID_{2}^{*} \notin \left\{ {ID_{B} ,ID_{C} } \right\}\), C stops the challenge. Otherwise, C selects a random number \(k \in Z_{p}^{ * }\) and ω \(\in\) {0,1}, then computes S * = g k and the ciphertext. C computes \(R^{ * } = M_{\omega } \cdot (PK_{1}^{ * } )^{{x_{2} }} \hat{e}((PK_{2}^{ * } )^{k} ,u^{\prime}\prod\nolimits_{{i \in U_{2}^{ * } }} {u_{i} } ) \cdot u^{ * }\), in which \(u^{ * } = \hat{e}(d_{2}^{ * } ,u^{\prime}\prod\nolimits_{{i \in U_{1}^{ * } }} {u_{i} } )\) \(= \hat{e}((g^{c} )^{a} ,g^{b} ) = \hat{e}(g,g)^{abc}\) (\(u^{ * }\) is the candidate answer for the DBDH problem), then computes m * = H(R *, S *,\(u_{1}^{ * }\),\(u_{2}^{ * }\),\(PK_{1}^{ * }\),\(PK_{2}^{ * }\)) and \(T^{ * } =\) \(P_{pub} \cdot \left( {S^{*} \cdot PK_{1}^{*} } \right)^{{K_{m} + L_{m} }}\). Finally, C sends ciphertext σ * = (R *, S *, T *) to A I .

A I performs the second round queries the same as the first round. After the simulation, A I outputs \(\omega^{\prime }\) as a guess of ω. If \(\omega^{\prime }\) = ω, C outputs u * as a solution to the DBDH problem. Otherwise, the DBDH problem cannot be resolved.

Theorem 2

The proposed CLSC scheme is indistinguishable against the adversary A II in the standard model assuming the DBDH problem is hard.

Proof

C receives a DBDH instance (g, g a, g b, g c,\(\hat{e}(g,g)^{z}\)), in which a, b, c, z \(\in Z_{p}^{ * }\), and he is required to distinguish \(\hat{e}(g,g)^{abc}\) ? = \(\hat{e}(g,g)^{z}\). C treats A II as a partner and replies the queries of A II as follows.□

Setup Query

C does the same steps as the proof of Theorem 1 to get params = {g,\(\vec{u}\),\(\vec{m}\), \(u^{\prime }\), \(m^{\prime }\), P pub  = g α}. We also define \(u^{\prime}\prod\nolimits_{i \in U} {u_{i} } = g^{{F_{u} + J_{u} }}\), \(m^{\prime}\prod\nolimits_{{j \in \bar{M}}} {m_{j} } = g^{{K_{m} + L_{m} }}\). C maintains three lists L u , L p and L r .

PKG Query

While input params and identity ID u , C randomly selects i b from {1,2,…,q p }, where q p is the number of PKG query which can be performed. For the i-th query, C executes the following judgments:

  1. 1.

    If i = i b , let x u  = x B  = \(\bot\), ID u  = ID B , PK u  = PK B  = g b. Preserve (ID B ,\(\bot\), PK B ) into list L u .

  2. 2.

    For other PKG queries, C randomly selects number x u \(\in Z_{p}^{ * }\) to compute PK u  = \(g^{{x_{u} }}\). Preserve (ID u , x u , PK u ) into list L u .

C sends PK u to A II and updates L u .

Corruption Query

On input of params and identity ID u , if ID u  = ID B , C terminates the challenge. Otherwise, C checks whether there is a matching item of (ID u , x u , PK u ) in L u , If exists, C sends x u to A II . Otherwise, C performs PKG query to get and send x u .

Signcrypt Query

Adversary A II submits a Signcrypt query for plaintext M with user identity ID 1 and ID 2. Suppose that A II has performed PKG query with ID 1 and ID 2 before this query. We consider two situations.

  1. 1.

    If ID 1 ≠ ID B , A II performs Corruption query with ID 1 firstly, then executes Signcrypt algorithm and sends the signcryption information σ = (R, S, T) to A II .

  2. 2.

    If ID 1 = ID B , C randomly selects a number \(k \in Z_{p}^{ * }\) to compute S = g k, then computes R = \(M \cdot \hat{e}(d_{1} \cdot S^{{x_{2} }} ,u^{\prime}\prod\nolimits_{{i \in U_{2} }} {u_{i} } )\), m = H(R, S, u 1, u 2, PK 1, PK 2) and signature \(T = d_{1} \cdot (g^{k} )^{{K_{m} + L_{m} }} \cdot (PK_{1} )^{{K_{m} + L_{m} }}\). C returns signcryption information σ = (R, S, T) to A II .

Unsigncrypt Query

Adversary A II submits a Unsigncrypt query for ciphertext σ with user identity ID 1 and ID 2. We also consider two situations. Suppose that A II has performed PKG query with ID 1 and ID 2 before Unsigncrypt query. Then we have:

  1. 1.

    If ID 2 ≠ ID B , C verifies the validity of σ. If it is invalid, C returns character “\(\bot\)”. Otherwise, C performs PPKE query and Corruption query with ID 2 and executes Unsigncrypt algorithm, then returns message M to A II .

  2. 2.

    If ID 2 = ID B , C returns character “\(\bot\)” and stop the challenge.

All the above processes are the first round of queries. At the end of this phase, A II outputs two challenge identities \(ID_{1}^{*}\) and \(ID_{2}^{*}\), two different messages M 0 and M 1 with equal length. If \(ID_{2}^{*} \ne ID_{B}\), C stops the challenge. Otherwise, C randomly selects a number \(k \in Z_{p}^{ * }\) and ω \(\in\) {0,1}, then computes S * = g a and \(u^{\prime}\prod\nolimits_{{i \in U_{2}^{*} }} {u_{i} } = g^{c}\), then computes the ciphertext R * = \(M_{\omega } \cdot (PK_{2}^{ * } )^{{x_{1} }} \cdot \hat{e}(d_{2}^{ * } ,u^{\prime}\prod\nolimits_{{i \in U_{1}^{ * } }} {u_{i} } ) \cdot u^{ * }\) in which \(u^{ * } = \hat{e}((S^{ * } )^{{x_{2}^{ * } }} ,u^{\prime}\prod\nolimits_{{i \in U_{2}^{ * } }} {u_{i} } ) =\) \(\hat{e}(PK_{2}^{*} ,u^{\prime}\prod\nolimits_{{i \in U_{2}^{*} }} {u_{i} } )^{a}\) \(= \hat{e}(g^{b} ,g^{c} )^{a} = \hat{e}\left( {g,g} \right)^{abc}\) (\(u^{ * }\) is the candidate answer for the DBDH problem), computes m * = H(R *, S *,\(u_{1}^{ * }\),\(u_{2}^{ * }\),\(PK_{1}^{ * }\),\(PK_{2}^{ * }\)) and \(T^{ * } =\) \(d_{1}^{ * } \cdot (S^{ * } \cdot PK_{1}^{ * } )^{{K_{m} + L_{m} }}\). Finally, C sends ciphertext σ * = (R *, S *, T *) to adversary A II .

A II performs the second round queries just like the first round. After the simulation, A II outputs \(\omega^{\prime }\) as a guess of ω. If \(\omega^{\prime }\) = ω, C outputs u * as a solution to the DBDH problem. Otherwise, the DBDH problem is not resolved.

In terms of Theorems 1 and 2, we hold that there exist algorithms that can resolve the DBDH problem with non-negligible advantages if adversary A i(i=I,II) decrypts the signcryption by analyzing ciphertext. To date, no satisfactory algorithms have been found that resolve the DBDH problem in probabilistic polynomial time. So our scheme has the indistinguishability against adaptive chosen ciphertext attack.

5.2.2 Unforgeability

Theorem 3

The proposed CLSC scheme is unforgeable against the adversary A I in the standard model assuming that the CDH problem is hard.

Proof

Challenger C receives a CDH instance (g, g a, g b), where a, b \(\in Z_{p}^{ * }\), and he is required to compute g ab. C treats A I as a partner and replies the queries of A I as follows.□

Setup Query

A I does the same steps as the proof of Theorem 1 to get params = {g,\(\vec{u}\),\(\vec{m}\), \(u^{\prime }\), \(m^{\prime }\), P pub  = g α}. Similarly, we define \(u^{\prime}\prod\nolimits_{i \in U} {u_{i} } = g^{{F_{u} + J_{u} }}\) and \(m^{\prime}\prod\nolimits_{{j \in \bar{M}}} {m_{j} } = g^{{K_{m} + L_{m} }}\). C also maintains three lists L u , L p and L r . Let \(m^{\prime}\prod\nolimits_{{j \in \bar{M}}} {m_{j} = g^{{K_{m} + L_{m} }} } = g^{a}\).

PKG Query, Corruption Query and PKR Query

The same as the proof of Theorem 1.

PPKE Query

On input of params and user identity ID u , C executes the following calculation to get user partial private key d u :

$$\begin{aligned} d_{u} & = \left( {P_{pub} \cdot g^{ - 1} } \right)^{{F_{u} + J_{u} }} \left( {u^{\prime}\prod\limits_{i \in U} {u_{i} } } \right) \\ & = \left( {g^{a} \cdot g^{ - 1} } \right)^{{F_{u} + J_{u} }} \cdot g^{{F_{u} + J_{u} }} \\ & = (g^{a} )^{{F_{u} + J_{u} }} \\ & = \left( {u^{\prime}\prod\limits_{i \in U} {u_{i} } } \right)^{a} \\ \end{aligned}$$

C returns d u to A I and updates list L p .

Signcrypt Query

A I submits a Signcrypt query for plaintext M with user identity ID 1 and ID 2. Suppose that A I has performed PKG query before this query. We can get ID 1’s partial private key d 1 and secret key x 1 with his identity by PPKE query and Corruption query respectively. C randomly selects a number k to compute S * = g k, then runs the Signcrypt algorithm to get R and T, where \(T = d_{1} \cdot (m^{\prime}\prod\nolimits_{{j \in \bar{M}}} {m_{j} } )^{{k + x_{1} }}\). C finally sends σ = (R, S, T) to A I .

Unsigncrypt Query

Adversary A I submits a Unsigncrypt query for ciphertext σ with user identity ID 1 and ID 2. During this phase, C firstly verifies the validity of σ. If it is invalid, C returns character “\(\bot\)”. Otherwise, C performs PPKE query and Corruption query with ID 2, finally executes Unsigncrypt algorithm and returns message M to A I .

After the query phase, A I chooses message M *, \(ID_{1}^{ * }\) and \(ID_{2}^{ * }\) to generate a signcryption message σ * = (R *, S *, T *), where S * = g b. C executes the Unsigncrypt algorithm. If Unsigncrypt(σ *,\(x_{2}^{ * }\),\(d_{2}^{ * }\), \(ID_{1}^{ * }\),\(ID_{2}^{ * }\)) ≠ \(\bot\), C returns the decrypted message M * to A I . In the end, C computes and outputs the candidate answer \(g^{ab} = T^{*} /\left[ {d_{1}^{*} \cdot (m^{\prime}\prod\nolimits_{{j \in \bar{M}}} {m_{j}^{*} } )^{{x_{1}^{*} }} } \right] = T^{*} /(d_{1}^{*} \cdot g^{{ax_{1}^{*} }} )\) to the CDH problem.

Theorem 4

The proposed CLSC scheme is unforgeable against the adversary A II in the standard model assuming the CDH problem is hard.

Proof

Challenger C receives a CDH instance (g, g a, g b), where \(a,b \in Z_{p}^{ * }\), and he is required to compute g ab. C treats A II as a partner and replies the queries of A II as follows.□

Setup Query

The same as the proof of Theorem 3.

PKG Query

On input of params and identity ID u , C randomly selects i b from {1,2,…,q p }, where q p is the number of PKG query which can be performed. For the i-th query, C executes the following judgments:

  1. 1.

    If i = i b , let x u  = x B  = \(\bot\), ID u  = ID B , PK u  = PK B  = g b. Preserve (ID B ,\(\bot\), PK B ) into list L u .

  2. 2.

    For other PPKE queries, C randomly selects a number \(x_{u} \in Z_{p}^{ * }\) to compute PK u  = \(g^{{x_{u} }}\) and preserves (ID u , x u , PK u ) into list L u .

C sends PK u to A II and updates L u .

Corruption Query

The same as the proof of Theorem 2.

Signcrypt Query

A II submits a Signcrypt query for plaintext M with user identity ID 1 and ID 2. Suppose that A II has performed PKG query with ID 1 and ID 2 before this query. If ID 1 = ID B , C stops the challenge. Otherwise, C gets ID 1’s secret key x 1 with his identity by Corruption query, then C randomly selects a number \(k \in Z_{p}^{ * }\) to compute S = g k and executes the Signcrypt algorithm to get R and T, where T = d 1 · \((m^{\prime}\prod\nolimits_{{j \in \bar{M}}} {m_{j} } )^{{k + x_{1} }}\), finally C sends σ = (R, S, T) to A II .

Unsigncrypt Query

While input ID 1, ID 2 and σ, if ID 2 = ID B , C stops the challenge. Otherwise, C verifies the validity of σ. If it is invalid, C returns character “\(\bot\)”. Otherwise, C performs PPKE query and Corruption query with ID 2, and executes Unsigncrypt algorithm to return message M to A II .

After the query phase, A II chooses message M *, \(ID_{1}^{ * }\) and \(ID_{2}^{ * }\) to generate a signcryption message σ * = (R *, S *, T *). If \(ID_{2}^{ * } \ne ID_{B}\), C terminates the simulation. Otherwise, C executes the Unsigncrypt algorithm and returns the decrypted message M * to A II . Finally, C computes and outputs the candidate answer \(g^{ab} = T^{*} /\left[ {d_{1}^{*} \cdot (m^{\prime}\prod\nolimits_{{j \in \bar{M}}} {m_{j}^{*} } )^{k} } \right] = T^{*} /\left( {d_{1}^{*} \cdot g^{ak} } \right)\) to the CDH problem.

In terms of Theorems 3 and 4, we believe that there exist algorithms can resolve the CDH problem with non-negligible advantages if an adversary A i(i=I,II) generate a valid signcryption message σ * by analyzing ciphertext. To date, no satisfactory algorithms have been found that resolve the CDH problem in probabilistic polynomial time. So our scheme has the unforgeability against adaptive chosen message attack.

5.2.3 KSSTIS

For our scheme, assuming that at the \(j - th\) communication, the private temporary information \(k\) and signcryption σ = (R, S, T) is leaked. For adversary \(A_{I}\), he can not obtain the related information about private key \((d_{A} ,x_{A} )\) or \((d_{B} ,x_{B} )\). \(A_{I}\) cannot compute \(\hat{e}(d_{A} ,u^{\prime}\prod\nolimits_{{i \in U_{B} }} {u_{i} } )\) or \(\hat{e}(d_{B} ,u^{\prime}\prod\nolimits_{{i \in U_{A} }} {u_{i} } )\) under the assumption of CBDH problem and cannot compute \(PK_{B}^{{x_{A} }}\) or \(PK_{A}^{{x_{B} }}\) under the assumption of CDH problem. So, it is hard to obtain the message \(M = R/PK_{B}^{{x_{A} }} \hat{e}(d_{A} ,u^{\prime}\prod\nolimits_{{i \in U_{B} }} {u_{i} } ) \cdot \hat{e}(PK_{B}^{k} ,u^{\prime}\prod\nolimits_{{i \in U_{B} }} {u_{i} } )\) for \(A_{I}\). For adversary \(A_{II}\), in our scheme, he can obtain the partial private key \(d_{A}\) or \(d_{B}\), and then he can compute \(\hat{e}(d_{A} ,u^{\prime}\prod\nolimits_{{i \in U_{B} }} {u_{i} } )\) or \(\hat{e}(d_{B} ,u^{\prime}\prod\nolimits_{{i \in U_{A} }} {u_{i} } )\). But \(A_{II}\) cannot compute \(PK_{B}^{{x_{A} }}\) or \(PK_{A}^{{x_{B} }}\) without \(x_{A}\) or \(x_{B}\) under the assumption of CDH problem. So, it is also hard to compute M for \(A_{II}\). Hence, our scheme can achieve the KSSTIS attribute. But in Xiong’s scheme [13], when the adversary obtains the private temporary information \(k\) of the \(j - th\) communication, he can obtain \(\sigma_{1} = m \cdot upk_{R,1}^{{k_{{}} }}\) easily, and it is easy for the adversary to obtain the message \(m = {\raise0.7ex\hbox{${\sigma_{1} }$} \!\mathord{\left/ {\vphantom {{\sigma_{1} } {upk_{R,1}^{{k_{{}} }} }}}\right.\kern-0pt} \!\lower0.7ex\hbox{${upk_{R,1}^{{k_{{}} }} }$}}\) with the public key upk R,1. The same situation happens in Cheng’s scheme [14]. When the adversary obtains the private temporary information \(s\) of the \(j - th\) communication, he can obtain \(R_{1} = \phi (M||R) \cdot \hat{e}(pk_{R,2} ,pk_{R,3} )^{s}\), pk R,2 and pk R,3 easily, and the message \(M||R = \phi^{ - 1} (R_{1} /\hat{e}(pk_{R,2} ,pk_{R,3} )^{s} )\) can be easily obtained. For Zhou’s scheme [15], when the adversary obtains the ephemeral key \(r_{m} ,r_{m'}\) of \(j - th\) communication, he can obtain \(\sigma_{1} = \phi (M||T) \cdot \hat{e}(UPK_{r,1} ,UPK_{r,1} )^{{r_{m} }} \cdot \hat{e}(g_{1} ,g_{1} )^{{r_{m'} }}\), UPK r,1 and g 1 easily, and the message \(M||T = \phi^{ - 1} (\sigma_{1} /\hat{e}(UPK_{r,1} ,UPK_{r,1} )^{{r_{m} }} \cdot \hat{e}(g_{1} ,g_{1} )^{{r_{m'} }} )\) can be easily obtained.

5.2.4 Malicious-but-Passive KGC Attack

The malicious-but-passive KGC is malicious at the setup stage and may compute master public/secret key pair maliciously so that he can carry out the attack more easily [16]. The paper [16] pointed that certificateless schemes using the same key structure as [1] are not secure by giving this attack, where the key structure consists of the user private key usk ID  = \(Q_{{_{ID} }}^{sx}\)(Q ID  = H(ID), s is the system master secret key and x is the user secret key) and user public key upk ID  = g sx (g is a generator of G 1). The malicious-but-passive KGC selects a random number \(\alpha\) and computes g = \(Q_{{_{ID} }}^{\alpha }\), then he can obtain the user private key usk ID  = \((upk_{ID} )^{{\alpha^{ - 1} }}\). For our scheme, the key structure consists of the user private key usk U  = (x u , (\(u^{\prime}\prod\nolimits_{i \in U} {u_{i} }\))α)(\(\alpha\) is the system master secret key and x u is the user secret key) and user public key upk ID  = \(g^{{x_{u} }}\). The malicious-but-passive KGC selects a random number \(\varsigma\) and computes g = \((u^{\prime}\prod\nolimits_{i \in U} {u_{i} } )_{{_{{}} }}^{\varsigma }\), then he can obtain the value \((u^{\prime}\prod\nolimits_{i \in U} {u_{i} } )_{{_{{}} }}^{{x_{u} }}\), but he cannot computer the user secret key x u , so our scheme can resist the malicious-but-passive KGC attack.

6 Performance Analysis

In recent years, many signcryption schemes have been proposed in the standard model. In this part, we analyze the efficiency and performance by comparing our scheme with schemes [13,14,15]. The efficiency of signcryption scheme in the standard model relies on the amount of exponentiation computation and the number of pairing operations. So, we mainly focused on these two operations. In addition, public key length, private key length and ciphertext length also are considered in this part. Let Exp G1, Exp G2 denote the exponentiation computation in group G 1, G 2 respectively, where the computation cost of Exp G1 is the same as that of Exp G2. Let Pi denotes the pairing operation. |G 1| and |G 2| denote the length of a group element. The comparisons are shown in Table 1.

Table 1 Comparisons of different schemes in the standard model
Full size table

We can see from Table 1 that our scheme is more efficient in terms of public key length, private key length and ciphertext length. What’s the most important, we use less exponentiation computation and pairing operation. It should be noted that we put more calculations in offline phase, for instance, we can calculate \(\hat{e}(P_{pub} ,u^{\prime}\prod\nolimits_{i \in U} {u_{i} } )\) in advance and store it together with system parameters, which can reduce the calculation costs in communication phase. In addition to efficiency improvement, our scheme also enhances the security, since the scheme achieves confidentiality, unforgeability and KSSTIS attribute.

7 Conclusions

In this paper, we have proposed a provably secure certificateless signcryption in the standard model. With the help of DBDH and CDH hard problems, our scheme has the ability of indistinguishability against adaptive chosen ciphertext attack and existential unforgeability against adaptive chosen message attack. Moreover, our scheme satisfies known session-specific temporary information security, which most of signcryption schemes in the standard model cannot achieve this security attribute. Performance analysis shows that our scheme is more efficient than other schemes in terms of computation and security. Thus, our scheme is more suitable for resource-constrained wireless communication networks.