Anonymous Multi-Receiver Certiﬁcateless Hybrid Signcryption for

Broadcast Communication

Alia Umrani

∗ a

, Apurva K Vangujar

∗ b

and Paolo Palmieri

Department of Computing & IT, University College Cork, Cork, Ireland

Keywords:

mKEM-DEM, Hybrid Signcryption, Certiﬁcateless, Multireceiver, Pseudo-Identity, Conﬁdentiality,

Authentication, Anonymity.

Abstract:

Conﬁdentiality, authentication, and anonymity are fundamental security requirements in broadcast communi-

cation achievable by Digital Signature (DS), encryption, and Pseudo-Identity (PID) techniques. Signcryption,

particularly hybrid signcryption, offers both DS and encryption more efﬁciently than “sign-then-encrypt”, with

lower computational and communication costs. This paper proposes an Anonymous Multi-receiver Certiﬁ-

cateless Hybrid Signcryption (AMCLHS) scheme for secure broadcast communication. AMCLHS combines

public-key cryptography and symmetric key to achieve conﬁdentiality, authentication, and anonymity. We pro-

vide a simple and efﬁcient construction of a multi-recipient Key Encapsulation Mechanism (mKEM) to create

a symmetric session key. This key, with the sender’s private key, is used in Data Encapsulation Mechanism

(DEM) to signcrypt the message, ensuring conﬁdentiality and authentication. The scheme generates identical

ciphertext for multiple recipients while maintaining their anonymity by assigning a PID to each user. Secu-

rity notions are demonstrated for indistinguishability against chosen-ciphertext attack using the elliptic curve

computational difﬁe-hellman assumption in the random oracle model and existential unforgeability against

chosen message attack under elliptic curve difﬁe-hellman assumption. The AMCLHS scheme operates in a

multireceiver certiﬁcateless environment, preventing the key escrow problem. Comparative analysis shows

that our scheme is computationally efﬁcient, provides optimal communication cost, and simultaneously en-

sures conﬁdentiality, authentication, anonymity, non-repudiation, and forward security.

1 INTRODUCTION

Conﬁdentiality, authentication, and anonymity are the

basic security requirements in broadcast communica-

tion (Peng et al., 2020). The current solution to pro-

vide for these security requirements are encryption

and Digital Signature (DS). However, the traditional

”sign-then-encrypt” approach results in high compu-

tational costs. Signcryption, on the other hand, al-

lows both the encryption and DS operations to be per-

formed simultaneously, providing both the conﬁden-

tiality and authentication more efﬁciently. Signcryp-

tion was ﬁrst proposed by Zhang et al. as a novel

cryptographic primitive (Zheng, 1997). Malone-Lee

proposed the ﬁrst Identity (ID)-based signcryption

https://orcid.org/0000-0003-1885-3629

https://orcid.org/0000-0002-8194-4593

https://orcid.org/0000-0002-9819-4880

∗

Alia Umrani and Apurva Vangujar are supported by

PhD scholarships funded by the Science Foundation Ireland

Centre under Grant No. SFI 18/CRT/6222

scheme that provides forward security and public ver-

iﬁability (Malone-Lee, 2002). However, in ID-based

schemes, the public key generator generates the user’s

private key, leading to the issue of private key es-

crow. To solve the key escrow problem, Al-Riyami

et al. proposed a Certiﬁcateless Public Key Cryptog-

raphy (CLPKC) (Al-Riyami and Paterson, 2003). In

CLPKC, the Key Generation Center (KGC) only gen-

erates a partial private key (ppk) of the user. The

user then combines ppk and a secret value to gen-

erate the actual private and public key pair. There-

fore, the KGC does not have knowledge of the user’s

complete private key. Following that, Barbosa and

Farshim proposed the ﬁrst certiﬁcateless signcryption

scheme (Barbosa and Farshim, 2008). The signcryp-

tion methods mentioned above are designed for single

receiver, which are not suitable for broadcast commu-

nication. When sending the same message to multi-

ple recipients, the user encrypts a message for each

individual recipient, increasing computation time and

communication lag. To address this, Selvi et al. pro-

Umrani, A., Vangujar, A. and Palmieri, P.

Anonymous Multi-Receiver Certiﬁcateless Hybrid Signcryption for Broadcast Communication.

DOI: 10.5220/0012353400003648

Paper published under CC license (CC BY-NC-ND 4.0)

In Proceedings of the 10th International Conference on Information Systems Security and Privacy (ICISSP 2024), pages 733-744

ISBN: 978-989-758-683-5; ISSN: 2184-4356

733

posed the ﬁrst multireceiver certiﬁcateless signcryp-

tion scheme (Selvi et al., 2008). Generally, the con-

struction of signcryption can be achieved through two

methods: (i) Public key signcryption: With public

key signcryption, both message encryption and sign-

ing take place in a public key setting (Selvi et al.,

2008). (ii) Hybrid signcryption: Hybrid signcryption

provides the advantages of combining symmetric key

encryption with asymmetric key signature while en-

suring integrity, authentication, and non-repudiation

(Selvi et al., 2009). Hybrid signcryption is generally

efﬁcient in resource constrained environments than

pure asymmetric signcryption because, in asymmet-

ric signcryption alone, large messages are sent with

the large public key values. For more reading, we

refer to Dent’s work (Dent, 2005b; Dent, 2005a) on

Hybrid signcryption schemes.

In this paper, we propose a multi-receiver anony-

mous certiﬁcateless hybrid signcryption based on

multi-recipient Key Encapsulation Mechanism-Data

Encapsulation Mechanism (mKEM-DEM) for broad-

cast communication. For conﬁdentiality, we prove

Indistinguishability against Chosen-Ciphertext At-

tack (ind-cca2-I) for Type-I adversary, and (ind-

cca2-II) for Type-II adversary using Elliptic Curve

based Computational Difﬁe-Hellman (ECCDH) as-

sumption. For unforgeability, we prove Existen-

tial Unforgeability against Chosen Message Attack

(euf-cma-I) for Type-I adversary, and (euf-cma-II)

for Type-II adversary, respectively, based on Elliptic

Curve Discrete Logarithm (ECDL) assumption. Ad-

ditionally, to ensure anonymity, each user is assigned

a Pseudo-Identity (PID) and we further demonstrate

the security for non-repudiation and forward secu-

rity. Finally, we compare our scheme with exist-

ing multireceiver certiﬁcateless hybrid signcryption

schemes, demonstrating its efﬁciency in terms of

computation cost, communication cost, and security

requirements. In comparison to existing schemes, our

scheme demonstrates higher efﬁciency, with the sign-

cryption cost increasing linearly with the number of

designated receivers, while the unsigncryption cost

remains constant. Our scheme simultaneously satisfy

all the security requirements in terms of conﬁdential-

ity, unforgeability, anonymity, non - repudiation, and

forward security.

1.1 Our Contributions

The objective of this paper is to provide an anony-

mous certiﬁcateless hybrid signcryption scheme by

utilizing mKEM and DEM. Our main contributions

are as follows:

1. We propose an Anonymous Multireceiver Certiﬁ-

cateless Hybrid Signcryption (AMCLHS) scheme

based on mKEM-DEM. The AMCLHS scheme

uses a combination of PKC and symmetric key to

signcrypt a message in broadcast communication.

2. The AMCLHS scheme achieves anonymity for

each receiver by assigning a PID to each user

(sender and receiver) and enables the sender to

signcrypt an identical message for multiple re-

ceivers while keeping their real identities anony-

mous from each other.

3. The scheme operates in a multireceiver certiﬁ-

cateless environment, preventing the key escrow

problem. We achieve conﬁdentiality by demon-

strating security against ind-cca2-I and ind-cca2-

II and unforgeability by demonstrating euf-cma-

I and euf-cma-II, respectively. The security is

proven using ECCDH and ECDL assumptions un-

der the Random Oracle Model (ROM).

The remainder of the paper is as follows: The related

work is provided in Sec. 2. Sec. 3 describes the

mathematical assumptions and deﬁnitions. In Sec. 4,

we introduce the AMCLHS framework and security

model of the scheme in Sec. 5. Sec. 6 introduces the

proposed AMCLHS scheme and in Sec. 7, we pro-

vide the security analysis under the hard assumption.

Sec. 8 provide the performance analysis and compar-

ison of the proposed scheme. Lastly, in Sec. 9, we

conclude the work.

2 RELATED WORK

2.1 Certiﬁcateless Signcryption

Signcryption was ﬁrst introduced by Zheng et al.

in 1997 combining the signature and encryption to

provide authentication and conﬁdentiality more efﬁ-

ciently than sign-then-encrypt (Zheng, 1997). Several

ID-based signcryption schemes have been proposed,

however, the key issue is the presence of a key es-

crow problem. To address this, Barbosa and Farshim

proposed the ﬁrst certiﬁcateless signcryption scheme

that provides both conﬁdentiality and authentication

and is secure under the ROM (Barbosa and Farshim,

2008). Chen et al. and Cui et al. proposed a certiﬁ-

cateless signcryption scheme for the Internet of Med-

ical Things without pairings and the Internet of Vehi-

cles (IoVs), respectively. The schemes provides con-

ﬁdentiality and authentication and proves security un-

der ECDL and Computational Difﬁe-Hellman (CDH)

assumptions (Chen et al., 2023; Cui et al., 2022).

Similarly, a certiﬁcateless signcryption scheme with-

out ROM was proposed by ZHOU et al. that achieves

ICISSP 2024 - 10th International Conference on Information Systems Security and Privacy

734

conﬁdentiality and unforgeability however, does not

provide anonymity (ZHOU, 2018). Kasyoka et al.

proposed a certiﬁcateless signcryption for wireless

sensor networks (Kasyoka et al., 2021). Addition-

ally, Cui et al. presented a pairing-free certiﬁcate-

less signcryption scheme for the IoVs (Cui et al.,

2022). Li et al. proposed a signcryption scheme

for resource-constrained smart terminals in cyber-

physical power systems (Li et al., 2022). However, all

the aforementioned schemes are designed for single

receivers, which are not suitable for broadcast com-

munication. Yu et al. introduced the ﬁrst multire-

ceiver signcryption scheme based on ID-based PKC,

enabling message encryption for n designated re-

ceivers (Yu et al., 2007). The security of the scheme

is based on CDH assumption under the ROM. Later

on, several multireceiver certiﬁcateless signcryption

schemes were proposed. In 2022, Niu et al. proposed

a privacy-preserving mutual heterogeneous signcryp-

tion scheme based on 5G network slicing, where the

sender is in a public key infrastructure environment,

and the receiver is in a certiﬁcateless environment

(Niu et al., 2022a). The proposed scheme is secure

against ind-cca2 and euf-cma under the hardness as-

sumptions of CDH and Discrete Logarithm (DL). In

addition, numerous multireceiver certiﬁcateless sign-

cryption schemes have been introduced in edge com-

puting, Internet of Things (IoT), and IoT-enabled mar-

itime transportation systems (Peng et al., 2020; Qiu

et al., 2019; Yang et al., 2022; Yu et al., 2022).

The above schemes based on large and resource-

constrained environment are proven secure in pub-

lic key settings, however, they may become computa-

tionally expensive when dealing with large messages,

compared to hybrid settings. On the other hand, hy-

brid signcryption is generally more efﬁcient than pub-

lic key signcryption alone because it uses the com-

bination of symmetric key and PKC. A message is

encrypted using a symmetric key algorithm, which is

faster and more efﬁcient (Dent, 2005b; Dent, 2005a).

2.2 Certiﬁcateless Hybrid Signcryption

Dent et al. proposed the ﬁrst hybrid signcryption

scheme with insider and outsider security (Dent,

2005a; Dent, 2005b). Following that, Li et al.

proposed the ﬁrst certiﬁcateless hybrid signcryption

scheme (Li et al., 2009). Wu et al. proposed a cer-

tiﬁcateless hybrid signcryption scheme for IoT (Wu

et al., 2022). The scheme utilizes PKC to gener-

ate a symmetric key and is used to signcrypt the

message. While the scheme provides conﬁdential-

ity, authentication, forward security, and public ver-

iﬁcation under CDH and Decisional Bilinear Difﬁe-

Hellman (DBDH) assumptions, it incurs high com-

putational cost due to Bilinear Pairing (BP) opera-

tion. Yin et al. proposed a certiﬁcateless hybrid sign-

cryption scheme for wireless sensor network (WSN)

(Yin and Liang, 2015). Similarly, Gong et al. pre-

sented a lightweight and secure certiﬁcateless hybrid

signcryption scheme for the IoT (Gong et al., 2022).

It ensures data conﬁdentiality, integrity, and authen-

ticity. The scheme utilizes BP for initialization and

key construction and proves security under CDH and

DBDH assumptions. Hongzhen et al. presented cer-

tiﬁcateless signcryption scheme for Vehicular Ad hoc

Networks (VANETs) without BP (Hongzhen et al.,

2021). Moreover, Zhang et al. introduced a certiﬁ-

cateless hybrid signcryption scheme suitable for the

IoT (Zhang et al., 2022). The scheme is constructed to

achieve both conﬁdentiality and unforgeability under

DL, CDH, DBDH, and BDH assumptions. In 2017,

Niu et al. proposed a heterogeneous hybrid sign-

cryption for multi-message and multi-receiver (Niu

et al., 2017). The scheme proves security against

ind-cca and euf-cma attacks under the ROM based

on the hardness assumptions of DBDH and variants

of DBDH and Computational BDH. In 2022, Niu et

al. presented a broadcast signcryption scheme based

on certiﬁcateless cryptography for WSN (Niu et al.,

2022b). The scheme aims to ensure the conﬁdential-

ity and integrity of the data transmitted, while protect-

ing by the privacy of the receiver’s ID under ECDH

and ECDL assumptions. The scheme uses a trusted

third party to outsource the encryption operation and

assumes that the trusted third party is always avail-

able. However, it may not be realistic in some scenar-

ios, for instance, if the trusted third party is ofﬂine,

the scheme may not work properly. Moreover, the

scheme incurs higher computational costs compared

to the AMCLHS scheme.

3 PRELIMINARIES AND

ASSUMPTIONS

1. Elliptic Curve Based Computational

Difﬁe-Hellman (ECCDH) Assumption. The

security assumption of ECCDH is according to

(Cohen et al., 2005).

Deﬁnition 3.1. The ECCDH assumption holds

given (P,xP,yP) ∈ G, where x,y ∈ Z

∗

, it is

computationally infeasible for any Probabilis-

tic Polynomial-Time (PPT) algorithm to compute

xyP.

2. Elliptic Curve Discrete Logarithm (ECDL)

Assumption. The security assumption of ECDL

Anonymous Multi-Receiver Certiﬁcateless Hybrid Signcryption for Broadcast Communication

735

is adopted from (Cohen et al., 2005).

Deﬁnition 3.2. Given P and Q ∈ G, it is hard to

ﬁnd an x ∈ Z

∗

for any PPT algorithm with non-

negligible probability such that Q = xP.

3. The Multi-Recipient Key Encapsulation

Mechanism (mKEM) and Data Encapsulation

Mechanism (DEM). The notion of mKEM was

ﬁrst proposed by N.P Smart (Smart, 2004) and

has a KEM like construction which takes multiple

receiver’s public keys pk

where 1 ≤ i ≤ t and

t < n as input and generates a single symmetric

session key K and an encapsulation C of K.

Deﬁnition 3.3. The mKEM construction below is

according to the (Smart, 2004):

(a) mKEM. It consists of four algorithms deﬁned

as follows (Setup, KeyGen, mKEM.Encaps,

mKEM.Decaps):

• Setup. On input the security parameter 1

the algorithm outputs PP.

• KeyGen. Taking PP as input, the algorithm

outputs (pk,sk) for each user.

• mKEM.Encaps. On input PP and a set of re-

ceiver public keys pk

where 1 ≤ i ≤ t, this

algorithm outputs a symmetric session key K

and an encapsulation C

of K where K is used

in DEM.

• mKEM.Decaps. Taking PP, receiver’s private

key sk

, and an encapsulation C

as input, this

algorithm outputs K. The correctness holds if

K = mKEM.Decaps(PP,sk

(b) DEM: It consists of two algorithms

(Enc

,Dec

) (Niu et al., 2017) deﬁned as

follows:

• Enc

. On input (K,m), this algorithm outputs

a ciphertext C

• Dec

. Taking (K, C

) as input, this algorithm

outputs m

′

. The correctness of DEM holds if

′

= m.

4. KEM-DEM Hybrid Signcryption Scheme.

Deﬁnition 3.4. The construction of KEM-

DEM hybrid signcryption scheme is given

by (Dent, 2005a). It consists of four al-

gorithms (Setup,KeyGen,Gen − Enc, Dec − Ver)

deﬁned as follows:

(a) Setup. It takes as input a security parameter 1

and outputs PP.

(b) KeyGen. Taking PP as input, this algorithm

outputs a public and private key pair for sender

(pk

,sk

) and receiver (pk

,sk

lowing algorithms:

• Encaps. On input (PP,sk

,pk

,m), it outputs

a symmetric session key K and an encapsula-

tion C

• Enc

. It takes K as input and outputs C

. The

receiver outputs ciphertext CT = (C

(d) Dec − Ver. In this phase, the receiver runs fol-

lowing algorithms:

• Decaps. On input (sk

), it outputs K. If

K =⊥, the sender stops. Otherwise, the re-

ceiver runs next algorithmic step.

• Dec

. On input (C

,K), outputs m. If m =⊥,

the receiver stops. Else, it runs next step.

• Ver. Taking (pk

,m,C

) as input, it outputs

either valid or not. If valid, outputs m, else ⊥.

4 AMCLHS FRAMEWORK

4.1 Framework

The framework of the AMCLHS scheme

consists of four entities: KGC, a Registra-

tion Authority (RA), and n users such as

n = (PID

,{PID

,... ,PID

}). As-

sume, a sender with PID

sends an arbitrary length

message m to t designated receivers with PID

where

1 ≤ i ≤ t. The role of each entity is deﬁned below:

• KGC. The KGC is a trusted authority that is re-

sponsible for generating public parameters (PP),

master secret key (msk) of KGC, master public

key (mpk) of KGC, and partial private key (ppk)

for each user taking part in communication.

• RA. The RA is a semi-trusted authority that gen-

erates its private key sk

and public key pk

RA is also responsible for user registration, ID

veriﬁcation, and PID assigning.

• Sender. The sender with PID

encrypts a m us-

ing the set of designated receiver’s public key pk

signs with its private key sk

and sends the sign-

crypted ciphertext CT to t designated receivers.

• Receiver. The designated receiver with PID

and

, decrypt the CT, and verify the signature using

sender’s public key pk

4.2 Deﬁnition of AMCLHS

The AMCLHS scheme represents a hybrid approach,

leveraging both mKEM and DEM components. Be-

fore signcrypting the message, RA veriﬁes user’s real

identity ID

, registers, and assigns a PID to each cor-

responding user. For signcryption, this framework

ﬁrstly utilizes mKEM that takes a set of receiver’s

ICISSP 2024 - 10th International Conference on Information Systems Security and Privacy

736

public keys as input, and generates a symmetric ses-

sion key K and an encapsulation C

of that key. The

mKEM also takes a sender’s private key to generate

the signature S which is encapsulated in C

and veri-

ﬁes in the unsigncryption phase as given in Def. 4.1.

Following this, the DEM and session key K are jointly

used to symmetrically encrypt m, producing a cipher-

text C

. This ciphertext is then represented as a sign-

crypted ciphertext pair CT = (C

). For decryp-

tion, the process starts with the decapsulation of C

using mKEM and the receiver’s private key to retrieve

K. After this, the message m is decrypted from C

us-

ing K. Once the m is decrypted, the receiver veriﬁes

the signature S using Ver algorithm by taking sender’s

public key and C

as input. Hence, the AMCLHS

scheme introduces an effective and secure mechanism

for data signcryption and unsigncryption, employing

both symmetric and asymmetric key strategies in a

unique hybrid methodology.

Deﬁnition 4.1. In the AMCLHS scheme, the sender

with PID

sends an arbitrary length m to t designated

receivers denoted with PID

where 1 ≤ i ≤ t. The

AMCLHS scheme follows the Defs. 3.3 and 3.4. The

proposed scheme consists of eight polynomial time al-

gorithms as follows:

1. Setup. On input the security parameter 1

, the

KGC generates (PP, msk,mpk). Next, RA gen-

erates sk

and pk

2. Pseudo-Identity. Takes Real Identity (ID

) and

as input and outputs a PID.

3. Partial Private Key. For each PID, the KGC

takes (mpk,msk) as input, it outputs the partial

private key (ppk).

4. Secret Value. On input the PID, each user gener-

ates a secret value (sv).

5. Private Key. Taking (ppk,sv) as input, each user

generates the sk.

6. Public Key. On input the sv, each user outputs the

pk.

7. Signcryption. To signcrypt the m and generate the

CT, the sender runs this algorithm in two phases.

In Phase 1, the sender runs mKEM.Encaps and in

Phase 2, the sender runs Enc

according to the

Def. 3.3. The phases are deﬁned as follows:

• Phase 1 (mKEM.Encaps) Taking PP, sk

, a

plaintext m and a set pk

for 1 ≤ i ≤ t, this al-

gorithm outputs C

and K

• Phase 2 (Enc

) On input (K,m), this algo-

rithm outputs C

and sets signcrypted cipher-

text CT = (C

8. Unsigncryption. To unsigncrypt the CT and re-

trieve m, the receiver runs this algorithm in three

phases. Phase 1 consists of mKEM.Decaps, Phase

2 consists of Dec

, and Phase 3 consists of Ver al-

gorithm according to the Def. 3.3.

• Phase 1 (mKEM.Decaps). Taking (sk

) as

input, this algorithm outputs K.

• Phase 2 (Dec

). On input (K,C

), this algo-

rithm outputs m

′

. If m

′

̸= m, the receiver rejects

the m. If m

′

= m, the receiver veriﬁes the sig-

nature in Phase 3.

• Phase 3 (Ver). Taking (m

′

,pk

) as input,

this algorithm veriﬁes the signature S. If it is

valid, accept the m, or else return ⊥.

5 SECURITY MODEL

We deﬁne the security Game-I for ind-cca2-I and ind-

cca2-II in Sec. 5.1, to evaluate the security against

Type-I adversary (A

) and Type-II adversary (A

respectively. Moreover, in Sec. 5.2, we introduce

the security Game-II for euf-cma-I and euf-cma-II to

evaluate the security against A

and A

and are de-

ﬁned as follows:

1. A

. A

is an honest-but-curious user who cannot

access msk but can replace the pk of any ID with

the value of his/her own choice. A

is not allowed

to ask a ppk query q

ppk

for any of the target ID.

2. A

. A

, also known as malicious KGC, cannot

make public key replace query q

for the target

ID. A

is not allowed to make sv extract queries

. If the q

has been done for the target ID, then

the q

is not allowed for the same ID.

5.1 Game-I

The Game-I is interaction between the Challenger C

and A in three phases. In each phase, the A asks

a polynomially bounded number of hash and public

and private key queries. Finally, A provides a target

plaintext pair (m

) to C . C picks β ∈ {0,1}

∗

ran-

domly and responds with a challenge CT

∗

. A returns

′

∈ {0,1}

∗

and wins the Game-I if β = β

′

Deﬁnition 5.1. The ind-cca2 requires that there exists

no PPT Adversary A which could distinguish cipher-

texts. The advantage of A is deﬁned as the probability

that A wins the game.

1. Phase-1. The A asks polynomially bounded num-

ber of hash queries q

where l = {1,2,3}. The C

keeps a list L

of q

to record the responses.

Anonymous Multi-Receiver Certiﬁcateless Hybrid Signcryption for Broadcast Communication

737

• Setup. C generates (PP,msk,mpk, sk

,pk

)

and passes to A . Then A selects t target PID

where 1 ≤ i ≤ t.

2. Phase-2. The A proceeds to make a series of

queries, subject to the restrictions deﬁned in Sec.

5. The queries include public key retrieve query

, partial private key query q

ppk

, secret value ex-

tract query q

, public key replace query q

, sign-

cryption query q

, and unsigncryption query q

usc

An initially empty list L

is maintained by the C

to store public and secret information. The C re-

sponds to each query as follows:

• q

. Upon receiving such query for PID, the C

searches L

for pk. If it does not exist, C runs

the secret value algorithm to generate a sv for

PID, and performs the public key algorithm to

return the pk to A.

• q

ppk

. Given PID, the C checks if PID = PID

∗

If it does, the C aborts. Otherwise, it fetches

the ppk from L

. If it does not exist, C runs a

partial private key algorithm to return ppk and

updates L

• q

. Upon q

, the C checks L

for sv. If it

does not exist, C runs a secret value algorithm

and returns sv to A.

• q

. Given PID as input, the C replaces pk with

′

and updates L

• q

. On input (m, PID

,PID

), the C checks if

PID

= PID

∗

. If it is not, C performs normal

signcryption operation by taking values from

. Otherwise, it performs the signcryption al-

gorithm to generate CT.

• q

usc

. Upon receiving (CT, PID

,PID

) as in-

put, the C checks if PID

= PID

∗

. If it is not,

C performs normal unsigncryption operation.

Otherwise, C performs the unsigncryption al-

gorithm to answer m.

3. Challenge. The A outputs a target plaintext

). The C picks β ∈ {0,1}

∗

at random, sets

challenge CT

∗

, and sends CT

∗

to A.

4. Phase-3. The A can make further queries except

that the CT

∗

is not allowed to appear in the q

usc

5. Guess. Finally, A responds with its guess β

′

∈

{0,1}

∗

. If β = β

′

, A wins the Game-I. The advan-

tage of A

is deﬁned as:

Adv

IND−CCA2

=| Pr



β = β

′



− 1/2 | (1)

The advantage of A

is deﬁned as:

Adv

IND−CCA2

=| Pr



β = β

′



− 1/2 | (2)

5.2 Game-II

Game-II consists of two phases. In each phase, the A

asks a polynomially bounded number of hash, pk and

sk queries. In the end, A outputs the forged cipher-

text. A wins if unsigncryption does not return ⊥.

Deﬁnition 5.2. An AMCLHS scheme is euf-cma se-

cure if every PPT A has a negligible advantage in

winning the Game-II.

1. Phase-1. Phase-1 remains same as in Def. 5.1

except that A selects a target identity as PID

∗

2. Phase-2. The A asks a number of queries with the

restrictions deﬁned in Sec. 5. The queries include

, q

ppk

, q

, and q

usc

and are deﬁned

in Phase-2 in Def. 5.1. C maintains an initially

empty list L

to store the pk and sk information.

3. Forgery. A outputs the forged CT under a tar-

geted PID

∗

. A wins if unsigncryption does not

return ⊥.

6 THE PROPOSED AMCLHS

SCHEME

In this section, we focus on the construction of the

proposed AMCLHS scheme, built upon the mKEM-

DEM framework, according to the Def. 4.1. The

structure of the scheme is shown in Fig. 1.

1. Setup. The KGC initializes the system by tak-

ing the security parameter 1

as input. It chooses

a group G of large prime order q, derived from

an elliptic curve E over a ﬁnite ﬁeld F

. The

KGC selects a generator point P ∈ G and gener-

ates four hash functions. The ﬁrst hash function

is H

: {0, 1}

ℓ

−→ G, where ℓ is a positive inte-

ger. The second is H

: {0,1}

∗

× G −→ G. The

third hash function is H

: G −→ {0, 1}

, where k

denotes the plaintext box length. The fourth is

: {0,1}

∗

× G × G × G −→ Z

∗

. The KGC gen-

erates PP = {G, E, P,q,H

}, randomly

selects x

∈ Z

∗

as the master secret key msk, and

calculates the master public key mpk = x

P. It

then publish PP and mpk, while keeping msk se-

cret. Subsequently, the RA selects v ∈ Z

∗

at ran-

dom as its secret key sk

and calculates its pub-

lic key pk

= vP. The RA publicizes pk

and

keeps sk

as a secret.

2. Pseudo-Identity. This algorithm is run by each

user and RA as follows:

• User. Each user chooses a random ID

∈ {0,1}

ℓ

and computes R = αP where α ∈ Z

∗

. Tak-

ICISSP 2024 - 10th International Conference on Information Systems Security and Privacy

738

ing (ID

,α) as input, it computes PID = ID

⊕

(αpk

) and sends (PID

,R) to RA.

• RA. On input (PID,R), RA veriﬁes ID

PID ⊕ H

(Rv). If it holds, RA accepts the reg-

istration request, conﬁrms and assigns PID =

⊕ H

(αpk

) to each corresponding user

ID. Else, RA discards the PID and cancels the

registration request.

3. Partial Private Key. Taking (PID,mpk,msk) as

input, the KGC computes Q

PID

= H

(PID∥mpk)

as a public component. Taking Q

PID

, the KGC

computes ppk as d = x

PID

4. Secret Value. Each user with PID chooses a ran-

dom x ∈ Z

∗

randomly as a sv.

5. Private Key. On input (d,x), each user with PID

sets sk = (d,x).

6. Public Key. Taking x as input, each user with PID

computes pk = xP.

7. Signcryption. The sender with PID

and sk

runs

following phases to signcrypt a m and sends CT

to receivers with PID

and pk

1 ≤ i ≤ t:

• Phase 1 (mKEM-Encaps).

(a) Randomly chooses r ∈ Z

∗

and computes U =

rP.

(b) Taking pk

and Q

PID

as input, computes

= d

PID

and Z

= x

= (Z

) and K = H

(ψ

(d) Computes a hash f

= H

(m,ψ

,pk

) and

Signature S

= r

−1

( f

∥wd

) where w =

mod q which is the x-coordinate of U.

(e) Sets C

= ( f

) and outputs (C

,K).

• Phase 2 (Enc

(a) Computes C

= Enc

(m). Sets CT

) and sends to t designated receivers.

8. Unsigncryption. Each designated receiver with

PID

takes (sk

,pk

) as input for i

receiver and

runs the following phases to unsigncrypt the CT

and generate m:

• Phase 1 (mKEM-Decaps).

(a) Taking (x

) as input, computes Z

′

PID

and Z

′

= pk

(b) Computes ψ

′

= (Z

′

) and K = H

(ψ

′

). If

K =⊥, the receiver aborts else, decrypts m as

follows:

• Phase 2 (Dec

(a) Calculates m

′

= Dec

). If m

′

= m, veriﬁes

the S

else rejects.

• Phase 3 (Ver).

(a) Inputs (C

,pk

), outputs f

′

,ψ

′

,pk

(b) If f

′

= f

, veriﬁes S

by checking if U = rP

and w

′

= x

mod q. If w

′

= w, the receiver

will accept the signcrypted m else returns ⊥

and aborts.

PP, msk, mpk

, pk

PID

, . . .,PID

r1,

. . . ,d

, . . . , ID

r1,

ri,

rt,

CT = C

If K is valid,

decrypts m and verifies S

1 2

KGC

SENDER RECEIVERS

Figure 1: Our Proposed AMCLHS Scheme.

7 SECURITY ANALYSIS

The security analysis of the proposed AMCLHS

scheme is based on the security model deﬁned in Sec.

5. The message conﬁdentiality is based on Theorems

7.1 and 7.2 which demonstrates that the scheme

is secure against ind-cca2 A

and A

in Def. 5.1.

Similarly, unforgeability is based on Theorems 7.3

and 7.4 and follows that the scheme is secure against

euf-cma A

and A

in Def. 5.2.

Conﬁdentiality

Theorem 7.1. Suppose that the ind-cca2-I has a non-

negligible advantage ε in winning the game then,

there is C that can solve the ECCDH with the non-

negligible advantage ε

′

Proof. Given a random instance (P,xP,yP) ∈ G of the

ECCDH assumption, the C has to compute xyP as

Def. 3.1 by interacting with the A

as follows:

1. Phase-1. A polynomially bounded number of

queries q are made by an A

. The C keeps a list L

of q

to record the responses.

• Setup. The C runs this algorithm to generate

PP = {G,E,P,q,H

, H

}. The C sets

new value for the mpk = θP and sends PP and

mpk to the A

. The A

selects t target identities

denoted by PID

∗

where 1 ≤ i ≤ t.

• H

-Query. Upon H

query, C determines if the

tuple (Q

PID

,mpk,PID

) exists in L

or not. If

it already exists, C returns Q

PID

to A

. Else,

if PID

̸= PID

∗

, C sets Q

PID

= H

(PID

∥mpk).

Anonymous Multi-Receiver Certiﬁcateless Hybrid Signcryption for Broadcast Communication

739

If PID

= PID

∗

, C chooses γ ∈ Z

∗

, computes

PID

= γP, adds in L

and sends Q

PID

to A

• H

-Query. Upon H

and H

queries,

the C determines if the tuple (K,ψ

(m,ψ

, f

) exists in L

and L

. If it does, C

returns K and f

to A

. Else, the C chooses

K ∈ {0, 1}

and f

∈ Z

∗

randomly, updates both

tuples. The C sends ψ

and f

to A

2. Phase-2. The A

asks queries including q

, q

ppk

, q

, and q

usc

. The C maintains an initially

empty list L

to store the public and secret infor-

mation. The C responds to the queries as follows:

• q

. Upon pk

query for PID

, C checks if pk

exists in L

. If it exists, C returns pk

to A

Otherwise, C chooses x

∈ Z

∗

and computes

= x

P, adds the tuple (PID

,−,pk

) in L

and returns pk

to A

• q

ppk

. Upon q

ppk

, if PID

= PID

∗

, the C aborts.

Otherwise, if it exists in L

, C sends d

to A

if it does not, C randomly chooses Q

PID

= γP

from L

and return d

= mpkQ

PID

to A

. The C

then updates the tuple (PID

,pk

) in L

• q

. Upon receiving q

, C checks if it exists

in L

, if it does, C sends x

to A

. If not, C

performs the q

and return x

to A

• q

. Upon q

, C replaces the pk

with pk

′

for

PID

and updates the tuple (PID

,pk

′

,−).

• q

. Upon receiving the query with PID

, PID

and m, the C checks if PID

= PID

∗

. If not, the

C performs the normal signcryption operation

by taking values from L

. Otherwise, the C

performs the signcryption as follows:

– If pk

is replaced, A

provides another value.

– Chooses r ∈ Z

∗

and computes U = rP.

– Gets Q

PID

from L

and computes Z

PID

, Z

= x

, ψ

= (Z

), K =

(ψ

), and updates L

– Computes f

= H

(m,ψ

,pk

) and up-

dates L

– Computes S

, C

= ( f

), C

= Enc

(m)

and returns CT

= (C

) to A

• q

usc

. Upon q

usc

with PID

, PID

and a CT, the

C checks whether PID

= PID

∗

. If not, the C

performs the normal unsigncryption operation.

Otherwise, the C unsigncrypts m as follows:

– If pk

is replaced, A

provides another value.

– Searches the lists L

and L

for (K,ψ

′

)

and H

(m,ψ

′

, f

′

– If the record does not exist, C returns ”fail-

ure”. If it exists, the C computes K ̸=⊥ and

′

= Dec

– Checks if f

′

= f

, if it holds then checks if U =

rP and w

′

= x

mod q holds or not. If yes, the

C answers m else, returns ⊥.

3. Challenge. The A

chooses equal length plaintext

message pair (m

) and sends the target plain-

text to the C . The A

takes a sender PID

and a

target PID

. Moreover, the A

can not ask for the

sk of the target PID

. If PID

̸= PID

∗

, the C re-

turns ⊥. Otherwise, it chooses β ∈ {0,1}

∗

and

performs the following steps to generate a CT

∗

• Chooses r

∗

∈ Z

∗

and computes U

∗

= r

∗

• Computes Z

∗

= d

PID

, Z

∗

= x

, and

∗

= (Z

∗

). Computes K

∗

= H

(ψ

∗

• f

∗

= H

(m,ψ

∗

,pk

). Computes S

∗

∗−1

( f

∗

∥wd

) and C

∗

= ( f

∗

• C

∗

= Enc

∗

(m) and computes CT

∗

4. Phase-3. A

may issue further polynomially

bounded queries as in Phase-1, however, A

can-

not send the q

ppk

of the target PID

, or the unsign-

cryption query for CT

∗

5. Guess. The A

will respond with the guess bit

β ∈ {0,1}

∗

. A

wins the game if β

′

= β. The C

will win the game by evaluating

θZ

−d

−U)

= θγP

using mpk = θP, Q

PID

= γP which is the solution

to the ECCDH assumption.

Next, we evaluate the advantage of C winning the

Game-I (ind-cca2-I) by calculating the probability of

aborting the game during the following events:

1. In q

ppk

, the game aborts for PID

= PID

∗

. The

probability is Pr(E

ppk

) = 1/q

ppk

2. In q

usc

, the game aborts due to invalid m. The

probability is Pr(E

usc

) = q

usc

3. In the challenge phase, C aborts if the adversary

queries against the identity PID

̸= PID

∗

. The

probability is Pr(E

) = (1 − 1/qH

Moreover, the C fetches L

to retrieve Q

PID

and L

retrieve Z

and evaluates

θZ

−d

−U)

= θγP with proba-

bility (1/q

+ 1/q

). Therefore, the probability of

the C winning the game with advantage ε

′

is:

′

≥ ε





1 −

ppk





1 −

usc



(3)

Theorem 7.2. Suppose that the ind-cca2-II has a

non-negligible advantage ε in winning the game then,

there is a C that can solve the ECCDH assumption

with the non-negligible advantage ε

′

ICISSP 2024 - 10th International Conference on Information Systems Security and Privacy

740

Proof. Given a random instance (P,xP,yP) ∈ G of the

ECCDH assumption, the C has to compute xyP as

Def. 3.1 by interacting with A

as follows:

1. Phase-1. A polynomially bounded number of

queries q are made by an A

• Setup. The C generates PP and mpk as in The-

orem 7.1 and sends PP and mpk to the A

• H

-Query. The response of H

query to A

same as in Theorem 7.1.

• H

-Query. This query remains the same as

in Theorem 7.1 and the C sends ψ

and f

to A

2. Phase-2. A

asks a number of queries including

, q

. The C responds as follows:

• q

. Upon pk

for PID

, the C checks if pk

ex-

ists in the L

as (PID

,pk

). If it exists, C

returns pk

to C . Otherwise, C chooses x

∈ Z

∗

= x

P, adds the tuple (PID

,−,pk

) in L

and returns pk

to A

• q

. Upon q

, C checks if PID

= PID

∗

. If it

holds, the C aborts because, in this case, the

PID

is a target ID. Otherwise, it checks if x

already exists in the L

. If it exists, the C re-

turns x

to A

. Otherwise, C runs q

, computes

= x

P, adds the tuple (PID

,pk

) in L

and returns x

to A

• q

. The q

query from A

and the response

from C will be similar to the Theorem 7.1.

• q

usc

. The q

usc

query from A

and the response

from C will be same as in Theorem 7.1.

3. Challenge. The A

chooses target plaintext

and sends to the C . A

takes a PID

and a

target PID

. Moreover, the A

can not ask for the

sk of the receiver PID

. If PID

̸= PID

∗

, the C

returns ⊥. Otherwise, it chooses β ∈ {0,1}

∗

and

performs the following steps to generate a chal-

lenge CT

∗

• Chooses r

∗

∈ Z

∗

and computes U

∗

= r

∗

• Computes Z

= d

PID

, Z

= x

, and

∗

= (Z

∗

). Computes K

∗

= H

(ψ

∗

• Computes f

∗

= H

(m,ψ

∗

,pk

). Computes

∗

= r

∗−1

( f

∗

∥wd

) and C

∗

= ( f

∗

• C

∗

= Enc

∗

(m) and CT

∗

= (C

∗

4. Phase-3. The A

may issue further queries as in

Phase-1 however, A

cannot send the q

for the

target PID

∗

and the q

uns

for CT

∗

5. Guess. The A

will respond with the guess bit

β ∈ {0,1}

∗

. The adversary wins the game if

′

= β. The C will win the game by obtaining

θγP, which is the solution to the ECCDH assump-

tion. The C obtains it by evaluating

θZ

−d

−U)

= θγP

since mpk = θP, Q

PID

= γP.

Next, we will analyse the advantage of the C in win-

ning the game. The C advantage is based on the oc-

currence of the events in which the game aborts. The

C aborts under the following events:

• The q

where the game aborts for PID

= PID

∗

The probability is Pr(E

) = 1/q

• The q

usc

where the game aborts due to invalid m.

The probability is Pr(E

usc

) = q

usc

• In the challenge phase, A

queries

for PID

∗

̸= PID

∗

. The probability is

Pr(E

) = (1 − 1/qH

Moreover, the C fetches L

to retrieve Q

PID

and

to retrieve Z

and evaluates θγP with probability

(1/q

+ 1/q

). Therefore, the probability of the C

winning the game with advantage ε

′

is:

′

≥ ε





1 −





1 −

usc



(4)

Unforgeability

Theorem 7.3. Suppose that the euf-cma-I adversary

has a non-negligible advantage ε in winning the

game then, there is C that can solve the ECDL with

the non-negligible advantage ε

′

Proof. Given a generator point P ∈ G and a new gen-

erator Q = φP in the same group, the C has to ﬁnd φ

by interacting with A

1. Phase-1. A

makes same queries as in the Phase-1

of Theorem 7.1.

• Setup. The C runs setup algorithm to generate

PP = {G,E,P,q,H

, H

}. The C sets

mpk = θP and sends PP and mpk to the A

The A

selects a target identity as PID

∗

2. Phase-2. The queries and responses are the same

as in Phase-2 of Theorem 7.1 except the response

to q

ppk

is as follows:

• q

ppk

. Upon q

ppk

, if PID = PID

∗

, the C aborts.

Otherwise, if it exists in L

, the C sends d

, if it does not, the C randomly chooses φ ∈

∗

and computes d

= φQ

PID

. The C returns

= φQ

PID

to A

and updates L

3. Forgery. Taking the targets PID

∗

and PID

, A

outputs a forged CT

∗

= (C

∗

) on m

∗

where

∗

= ( f

∗

) and C

∗

= Enc

∗

(m) which is the

valid signcrypted ciphertext and is not the result

of signcryption oracle.

Anonymous Multi-Receiver Certiﬁcateless Hybrid Signcryption for Broadcast Communication

741

• Case-1 (PID ̸= PID

∗

): The C returns ⊥.

• Case-2 (PID = PID

∗

): The C extracts the L

for the record (PID

∗

,pk

∗

) and L

for the

record (m

∗

,ψ

∗

, f

∗

According to Forking Lemma, C replays the

with the same random tape but distinct at-

tributes from H

and H

. It implies that, h

∗

(mpk,PID

∗

) and h

′∗

= H

(mpk,PID

∗

), and

∗

̸= h

′∗

i.e. Q

∗

PID

̸= Q

′∗

PID

. Similarly, h

∗

,ψ

∗

, pk

∗

,pk

∗

), h

′∗

= H

∗

,ψ

∗

,pk

∗

, pk

∗

)

and h

∗

̸= h

′∗

i.e. f

∗

̸= f

′∗

. Finally, the A

out-

puts another forged CT

′∗

= (C

∗

) on the same

∗

where C

∗

= ( f

′∗

) and C

∗

= Enc

∗

(m). Fi-

nally, C will have two valid signatures:

∗

= r

∗−1

( f

∗

∥wd

∗

) (5)

′∗

= r

′∗−1

( f

′∗

∥wd

′∗

) (6)

where r

∗

= r

′∗

and d

∗

= d

′∗

. From the Equations

8 and 9 above, C can extract φ as follows:

φ = r

∗−1

( f

′∗

− f

∗

) + (S

∗

−

′∗

)(r

∗−1

(wx

∗

PID

− Q

′∗

PID

))

−1

Given that, the C solves the ECDL assumption

Q = φP with the advantage ε

′

≥ ε





1 −

ppk





1 −

usc



(7)

Theorem 7.4. Suppose that the euf-cma-II adversary

has a non-negligible advantage ε in winning the

game then, there is C that can solve the ECDL as-

sumption with the non-negligible advantage ε

′

Proof. Given a P ∈ G and a new generator Q = πP in

the same group where π ∈ Z

∗

. The C has to ﬁnd π by

interacting with the A

such that Q = πP.

1. Phase-1. The queries are similar to Theorem 7.2.

• Setup. The C generates (PP, mpk) as in Theo-

rem 7.3 and sends to the A

2. Phase-2. The queries and responses are same as

in Phase-2 of Theorem 7.2, except the response to

is as follows:

• q

. Upon q

, the C checks if PID = PID

∗

If it holds, C aborts because, in this case, the

PID is a target ID. Otherwise, it checks if x

exists in L

. If it exists, the C returns x

to A

Otherwise, computes pk

= πP where x

= π ∈

∗

and adds in L

and returns x

to A

3. Forgery. Taking the target PID

∗

and PID

, A

outputs a forged CT

∗

= (C

∗

) on m

∗

where

∗

= ( f

∗

) and C

∗

= Enc

∗

(m) which is the

valid signcrypted ciphertext and is not the result

of signcryption oracle.

• Case-1 (PID ̸= PID

∗

). The C returns ⊥.

• Case-2 (PID = PID

∗

). The C extracts the L

for the record (PID

∗

,pk

∗

) and L

for the

record (m

∗

,ψ

∗

, f

∗

According to the Forking Lemma, the C replays

the A

with the same random tape but distinct at-

tributes from H

and H

. It implies that, h

∗

(mpk,PID

∗

) i.e. , h

′∗

= H

(mpk,PID

∗

) and

∗

̸= h

′∗

i.e. Q

∗

PID

̸= Q

′∗

PID

. Similarly, h

∗

,ψ

∗

,pk

∗

,pk

∗

), h

′∗

= H

∗

, ψ

∗

,pk

∗

,pk

∗

and h

∗

̸= h

′∗

i.e. f

∗

̸= f

′∗

. In the end, the A

out-

puts another forged CT

′∗

= (C

∗

) on the same

∗

where C

∗

= ( f

′∗

) and C

∗

= Enc

∗

(m). Fi-

nally, C will have two valid signatures:

∗

= r

∗−1

( f

∗

∥wd

∗

) (8)

′∗

= r

′∗−1

( f

′∗

∥wd

∗

′∗

) (9)

where r

∗

= r

′∗

and x

∗

= x

′∗

. From the Eq. 8 and 9

above, the C can extract π as follows:

π = r

∗−1

( f

′∗

− f

∗

) + (S

∗

−

′∗

)(r

∗−1

(wmpk(Q

∗

PID

− Q

∗

PID

′

))

−1

Given that, the C solves the ECDL assumption

Q = πP with the advantage ε

′

≥ ε





1 −





1 −

usc



(10)

Anonymity. Each user utilizes the PID to communi-

cate instead of the ID

where the sender sends same

m to multiple receivers while ID

of the receiver re-

mains private from each other. The PID is assigned

by RA after verifying each user’s ID

using its private

key v. If ID

is not veriﬁed, then the corresponding

PID will be discarded. Additionally, since only RA

knows its private key, no else could falsely verify the

. In case of a dispute, RA can expose the ID

Non-Repudiation. In our scheme, message m

is signed by the sender with its sk

as S

−1

( f

∥wd

). The receiver veriﬁes m using pk

= S

−1

( f

P∥wpk

−1

PID

). Since the sender signs

m with its sk

that only the sender knows, it cannot

deny sending m, thus proving non-repudiation.

Forward Security. In the proposed AMCLHS

scheme, the symmetric session key K and its encap-

sulation C

is generated using the (sk, pk) using a

randomly generated secret value x ∈ Z

∗

and a ppk.

In this case, even if the sk is exploited, the A cannot

extract the past sessions since the x is randomly gen-

erated and updated for each session.

ICISSP 2024 - 10th International Conference on Information Systems Security and Privacy

742

8 PERFORMANCE ANALYSIS

We compare the computational cost, communica-

tion cost, and security requirements of the AM-

CLHS scheme with existing multireceiver signcryp-

tion schemes. M shows point multiplication opera-

tion, E shows exponentiation in Z

∗

, and n represents

the number of users. The computational overhead is

compared with (Niu et al., 2017; Niu et al., 2022b;

Peng et al., 2020) as shown in Table 1. The over-

head for signcryption is calculated for multiple recip-

ients as outlined in our scheme, whereas the overhead

for unsigncryption is determined on a per-receiver ba-

sis. Among the multireceiver signcryption schemes,

Niu et al. have the highest computational overhead,

utilizing a total of (2n + 4)BP + 1M + (2n + 2)E op-

erations (Niu et al., 2017). Peng at al. require to-

tal (2n + 5)M operations (Peng et al., 2020) and Niu

et al. require a total of (4n + 6)M operations (Niu

et al., 2022b). Contrasting with existing solutions, our

proposed scheme delivers high efﬁciency with only

(2n + 5)M total operations. It uniquely pairs a lin-

ear signcryption cost with a constant unsigncryption

cost per receiver, regardless of scale. This optimal

combination results in a predictable, scalable system

and setting a new performance standard. Given its

scalability and robustness, our scheme emerges as a

compelling choice for larger, more complex broadcast

communication scenarios, providing a signiﬁcant up-

grade over existing schemes.

Table 1: Comparison of Computational Overhead.

Schemes Signcryption Unsigncryption Total

Niu et al. (Niu et al., 2017) (2n)BP + 1M +(2n)E 4BP + 2E (2n + 4)BP + 1M + (2n + 2)E

Peng et al. (Peng et al., 2020) (2n + 1)M 4M (2n + 5)M

Niu et al. (Niu et al., 2022b) (2n + 4)M (2n + 2)M (4n + 6)M

Our scheme (2n + 2)M 3M (2n + 5)M

Table 2: Comparison of Communication Cost.

Schemes Ciphertext Length

Complexity of Communication

Signcryption Unsigncryption

Niu et al. (Niu et al., 2017) n|m| + |G| + 2n|G| O(n

) O(n)

Peng et al. (Peng et al., 2020) n|m| + (n + 2)|Z

∗

| O(n

) O(n)

Niu et al. (Niu et al., 2022b) n|(m + 2)| + 2|G| + 2|Z

∗

| O(n) O(n)

Our scheme n|m| + |Z

∗

| + |G| + |K| O (n) O(1)

The Table 2 shows the communication cost in

terms of the size of the ciphertext generated by each

scheme (Niu et al., 2017; Niu et al., 2022b; Peng

et al., 2020). The proposed AMCLHS scheme has the

optimal communication cost among the four schemes,

as it only requires n|m| + |Z

∗

|+ |G| +|K| bits to sign-

crypt a message. Moreover, our scheme has linear

communication cost in signcryption while the un-

Table 3: Comparison based on Security Requirements.

Schemes Conﬁdentiality Unforgeability Anonymity Non-repudiation Forward Security

Niu et al. (Niu et al., 2017) ✓ ✓ ✓ ✓ ✓

Niu et al. (Niu et al., 2022b) ✓ ✓ ✓ × ×

Peng et al. (Peng et al., 2020) ✓ ✓ ✓ × ×

Our scheme ✓ ✓ ✓ ✓ ✓

signcryption cost remains constant. In Table 3, we

present a comparative analysis of the security re-

quirements between our scheme and existing multire-

ceiver hybrid signcryption schemes (Niu et al., 2017;

Niu et al., 2022b; Peng et al., 2020). The com-

parison parameters are conﬁdentiality, unforgeabil-

ity, anonymity, non-repudiation, and forward security.

Our proposed scheme successfully achieves all secu-

rity requirements as shown in Table 3, offering supe-

rior efﬁciency with lower computational costs, setting

it apart from the others.

9 CONCLUSION

Our paper introduces a novel mKEM-DEM based

AMCLHS scheme for broadcast communication. The

proposed scheme generates a symmetric key using the

public and private key pair of the users. The mes-

sage is then signcrypted with the previously gener-

ated symmetric key and the private key of the sender.

We provide a detailed security analysis using EC-

CDH and ECDL assumptions and demonstrate that

the scheme is secure against ind-cca2 and euf-cma at-

tacks for Type-I and Type-II adversaries. Moreover,

in this scheme, each user is assigned a PID to en-

sure user anonymity. Lastly, we compare our scheme

with existing single receiver and multireceiver cer-

tiﬁcateless hybrid signcryption schemes in terms of

computation cost, communication cost, and security

requirements. We show that the proposed scheme

has less communication cost and is computationally

more efﬁcient, with the signcryption cost linear with

the number of designated receivers while the unsign-

cryption cost remains constant and simultaneously

achieves conﬁdentiality, unforgeability, anonymity,

non-repudiation, and forward security.

REFERENCES

Al-Riyami, S. S. and Paterson, K. G. (2003). Certiﬁcateless

public key cryptography. In Advances in Cryptology

- ASIACRYPT 2003, 9th International Conference on

the Theory and Application of Cryptology and Infor-

mation Security, Taipei, Taiwan, November 30 - De-

cember 4, 2003, Proceedings, volume 2894 of LNCS,

pages 452–473. Springer.

Barbosa, M. and Farshim, P. (2008). Certiﬁcateless sign-

cryption. In Proceedings of the 2008 ACM Sympo-

sium on Information, Computer and Communications

Security, ASIACCS 2008, Tokyo, Japan, March 18-20,

2008, pages 369–372. ACM.

Chen, X., He, D., Khan, M. K., Luo, M., and Peng, C.

(2023). A secure certiﬁcateless signcryption scheme

Anonymous Multi-Receiver Certiﬁcateless Hybrid Signcryption for Broadcast Communication

743

without pairing for internet of medical things. IEEE

Internet Things J., 10(10):9136–9147.

Cohen, H., Frey, G., Avanzi, R., Doche, C., Lange, T.,

Nguyen, K., and Vercauteren, F. (2005). Handbook

of elliptic and hyperelliptic curve cryptography. CRC

press.

Cui, B., Lu, W., and He, W. (2022). A new certiﬁcateless

signcryption scheme for securing internet of vehicles

in the 5g era. Security and Communication Networks.

Dent, A. W. (2005a). Hybrid signcryption schemes with in-

sider security. In Boyd, C. and Nieto, J. M. G., editors,

Information Security and Privacy, 10th Australasian

Conference, ACISP 2005, Brisbane, Australia, July 4-

6, 2005, Proceedings, volume 3574 of LNCS, pages

253–266. Springer.

Dent, A. W. (2005b). Hybrid signcryption schemes with

outsider security. In Zhou, J., L

opez, J., Deng, R. H.,

and Bao, F., editors, Information Security, 8th Inter-

national Conference, ISC 2005, Singapore, Septem-

ber 20-23, 2005, Proceedings, volume 3650 of LNCS,

pages 203–217. Springer.

Gong, B., Wu, Y., Wang, Q., Ren, Y., and Guo, C. (2022).

A secure and lightweight certiﬁcateless hybrid sign-

cryption scheme for internet of things. Future Gener.

Comput. Syst., 127:23–30.

Hongzhen, D., Qiaoyan, W., Shanshan, Z., and Mingchu,

G. (2021). A pairing-free certiﬁcateless signcryption

scheme for vehicular ad hoc networks. Chinese Jour-

nal of Electronics, 30(5):947–955.

Kasyoka, P. N., Kimwele, M. W., and Mbandu, A. S.

(2021). Efﬁcient certiﬁcateless signcryption scheme

for wireless sensor networks in ubiquitous healthcare

systems. Wirel. Pers. Commun., 118(4):3349–3366.

Li, F., Shirase, M., and Takagi, T. (2009). Certiﬁcateless

hybrid signcryption. In Bao, F., Li, H., and Wang,

G., editors, Information Security Practice and Expe-

rience, 5th International Conference, ISPEC, Xi’an,

China, April 13-15, 2009, Proceedings, volume 5451

of LNCS, pages 112–123. Springer.

Li, X., Jiang, C., Du, D., Wang, S., Fei, M., and Wu,

L. (2022). A novel efﬁcient signcryption scheme

for resource-constrained smart terminals in cyber-

physical power systems. CoRR, abs/2212.04198.

Malone-Lee, J. (2002). Identity-based signcryption. IACR

Cryptol. ePrint Arch., page 98.

Niu, S., Niu, L., Yang, X., Wang, C., and Jia, X. (2017).

Heterogeneous hybrid signcryption for multi-message

and multi-receiver. PloS one, 12(9):e0184407.

Niu, S., Shao, H., Hu, Y., Zhou, S., and Wang, C. (2022a).

Privacy-preserving mutual heterogeneous signcryp-

tion schemes based on 5g network slicing. IEEE In-

ternet Things J., 9(19):19086–19100.

Niu, S., Zhou, S., Fang, L., Hu, Y., and Wang, C. (2022b).

Broadcast signcryption scheme based on certiﬁcate-

less in wireless sensor network. Comput. Networks,

211:108995.

Peng, C., Chen, J., Obaidat, M. S., Vijayakumar, P., and He,

D. (2020). Efﬁcient and provably secure multireceiver

signcryption scheme for multicast communication in

edge computing. IEEE Internet Things J., 7(7):6056–

6068.

Qiu, J., Fan, K., Zhang, K., Pan, Q., Li, H., and Yang, Y.

(2019). An efﬁcient multi-message and multi-receiver

signcryption scheme for heterogeneous smart mobile

iot. IEEE Access, 7:180205–180217.

Selvi, S. S. D., Vivek, S. S., and Rangan, C. P. (2009). Cer-

tiﬁcateless KEM and hybrid signcryption schemes re-

visited. IACR Cryptol. ePrint Arch., page 462.

Selvi, S. S. D., Vivek, S. S., Shukla, D., and Rangan,

C. P. (2008). Efﬁcient and provably secure certiﬁcate-

less multi-receiver signcryption. In Provable Secu-

rity, Second International Conference, ProvSec 2008,

Shanghai, China, October 30 - November 1, 2008.

Proceedings, volume 5324 of LNCS, pages 52–67.

Springer.

Smart, N. P. (2004). Efﬁcient key encapsulation to multiple

parties. In Blundo, C. and Cimato, S., editors, Se-

curity in Communication Networks, 4th International

Conference, SCN 2004, Amalﬁ, Italy, September 8-10,

2004, Revised Selected Papers, volume 3352 of LNCS,

pages 208–219. Springer.

Wu, Y., Gong, B., Zhang, Y., et al. (2022). An improved ef-

ﬁcient certiﬁcateless hybrid signcryption scheme for

internet of things. Wireless Communications and Mo-

bile Computing, 2022.

Yang, Y., He, D., Vijayakumar, P., Gupta, B. B., and Xie,

Q. (2022). An efﬁcient identity-based aggregate sign-

cryption scheme with blockchain for iot-enabled mar-

itime transportation system. IEEE Trans. Green Com-

mun. Netw., 6(3):1520–1531.

Yin, A. and Liang, H. (2015). Certiﬁcateless hybrid

signcryption scheme for secure communication of

wireless sensor networks. Wirel. Pers. Commun.,

80(3):1049–1062.

Yu, X., Zhao, W., and Tang, D. (2022). Efﬁcient and prov-

ably secure multi-receiver signcryption scheme using

implicit certiﬁcate in edge computing. J. Syst. Archit.,

126:102457.

Yu, Y., Yang, B., Huang, X., and Zhang, M. (2007). Efﬁ-

cient identity-based signcryption scheme for multiple

receivers. In Autonomic and Trusted Computing, 4th

International Conference, ATC, Hong Kong, China,

July 11-13, 2007, Proceedings, volume 4610 of LNCS,

pages 13–21. Springer.

Zhang, W., Zhang, Y., Guo, C., An, Q., Guo, Y., Liu, X.,

Zhang, S., Huang, J., et al. (2022). Certiﬁcateless hy-

brid signcryption by a novel protocol applied to inter-

net of things. Computational Intelligence and Neuro-

science.

Zheng, Y. (1997). Digital signcryption or how to achieve

cost(signature) + cost(encryption). In Advances in

Cryptology - CRYPTO ’97, 17th Annual International

Cryptology Conference, Santa Barbara, California,

USA, August 17-21, 1997, Proceedings, volume 1294

of LNCS, pages 165–179. Springer.

Zhou, C. (2018). Certiﬁcateless signcryption scheme with-

out random oracles. Chinese Journal of Electronics,

27:1002–1008.

ICISSP 2024 - 10th International Conference on Information Systems Security and Privacy

744