Our contribution.

Motivated by these concerns, we employ MPKC to construct an efficient quantum attack-resistent certificateless multi-receiver signcryption scheme, which combines the certificateless cryptosystem and MPKC. The new scheme not only has the advantage of the certificateless cryptosystem, which avoids the problem of key management, but also resists quantum attack only with light-weight computation like the multivariate quadratic polynomial operations. In our scheme, multivariate quadratic polynomial operations, which have lower computation complexity than bilinear pairing operations, are employed in signcrypting a message for a certain number of receivers. Therefore, our scheme is more efficient than the existing CLMSC schemes, and it is suitable for mobile terminals with low computing power. Security analysis shows that our scheme is a secure MPKC-based multi-receiver signcryption scheme, and it also has the important security properties such as message confidentiality, unforgeability, non-repudiation, perfect forward secrecy, perfect backward secrecy and public verifiability.

Definition 1.

(MQ). Given a tuple P =  (p₁, p₂, …, p_g) of g multivariate quadratic polynomials with n unknowns defined over G, and the image y = (p₁(z), p₂(z), …, p_g(z)) of an element z randomly chosen from Gⁿ(Gⁿ denotes the nth extension of G), the problem to find an element x of Gⁿ such that y = (p₁(x), p₂(x), …, p_g(x)) is called the MQ problem [16].

Solving a set of randomly chosen quadratic equations with several variables over a finite field is considered as an NP hard problem [17].

Definition 2.

(IP). Given P and Q be two public sets of n quadratic equations with n variables over G, if P and Q are isomorphism, then ( denotes composition of mappings), where T and V are two invertible affine transformations on . Finding (T, V) for P, Q such that is called the IP problem [18].

Definition 3.

Confidentiality under the attack of Type 1. A certificateless multi-receiver signcryption scheme is Type-1-CCA2 secure if no probabilistic polynomial-time attacker A has a non-negligible advantage in winning the IND-CLMSC-CCA2-1 game [11].

For A, there are the following constraints. A can not have access to the master key w. No Extract Secret Key query is allowed on any of the challenge identities. No De-signcrypt query is allowed on the challenge ciphertext.

Definition 4.

Confidentiality under the attack of Type 2. A certificateless multi-receiver signcryption scheme is Type-2-CCA2 secure if no probabilistic polynomial-time attacker A has a non-negligible advantage in winning the IND-CLMSC-CCA2-2 game [11].

For A, there are the following constraints. No Extract Secret Key query is allowed on any of the challenge identities. No Replace Public Key query is allowed on any of the challenge identities. No De-signcrypt query is allowed on the challenge ciphertext.

Definition 5.

Unforgeability under the attack of Type 1. A certificateless multi-receiver signcryption scheme is Type-1-sEUF-CMA-1 secure if no probabilistic polynomial-time attacker A has a non-negligible advantage in winning the EUF-CLMSC-CMA-1 game [11].

For A, there are the following constraints. A can not have access to the master key w. No Extract Secret Key query is allowed on any of the challenge identities.

Definition 6.

Confidentiality under the attack of Type 2. A certificateless multi-receiver signcryption scheme is Type-2-sEUF-CMA-2 secure if no probabilistic polynomial-time attacker A has a non-negligible advantage in winning the EUF-CLMSC-CMA-2 game [11].

For A, there are the following constraints. No Extract Secret Key query is allowed on any of the challenge identities. No Replace Public Key query is allowed on any of the challenge identities.

Setup.

Given a security parameter s as input, KGC returns a big positive integer q and a small positive integer p. Let G be a finite field of order q and characteristic two, and define two non-collision hash functions H₁: and H₂: , where Gⁿ is the nth extension of G and G^n+p is the (n+p)th extension of G. The positive integer n is the number of variables in the equation (1) and l_m is the bit length of the message m. Then KGC selects a positive integer g to denote the number of equations. At last, KGC publishes the public parameters params denoted by.

Key Extract.

Each user runs this algorithm to compute his/her full public and secret keys. The user U randomly chooses T_u and V_u, where T_u is an invertible affine transformation on and V_u is an invertible affine transformation on . Then, compute the public key F_u of user U, that is, , which should be sent to KGC. The secret key of user U is ().

Signcrypt.

Suppose that Alice, whose identity is ID_A, wants to signcrypt a message m to t different receivers denoted by L =  {ID₁, ID₂, …, ID_t}. Alice performs the following steps:

1. Alice chooses randomly, and computes , and .
2. For all IDi, i = 1, 2, …, t, compute and.
3. Return ciphertext .

De-signcrypt.

Each receiver ID_i, i = 1, 2, …, t, uses his/her secret key to decrypt σ.

1. IDi extracts his/her corresponding ciphertext information (S, Y, Z, Wi) according to his/her position in L.
2. IDi computes and checks whether the equation holds. If it holds, IDi continues to decrypt σ as follows; otherwise, IDi outputs ⊥.
3. IDi computesand .
4. Check whether the equations and hold. If both of them hold, output ; otherwise, output ⊥.

Theorem 1.

The De-signcrypt algorithm is correct.

Proof.

Upon receiving a ciphertext σ, each receiver ID_i, i = 1, 2, …, t, extracts his/her own corresponding ciphertext information (S, Y, Z, W_i) from σ. According to the Signcrypt algorithm, we have , so the receiver ID_i can compute . It is worth noting that only the sender, Alice, can generate the correct Y such that because only she knows her secret key. The receiver, ID_i, can decrypt the ciphertext by computing and . ID_i can judge whether m′ is correct by checking whether and hold. Note that only ID_i can obtain correctly because only he/she knows his/her secret key . Therefore, the De-signcrypt algorithm of our scheme is correct.

2.1 Security of MPKC.

In the last twenty years, many MPKC schemes were proposed, and they are mainly based on four basic MPKC schemes including the Matsumoto Imai (MI) cryptosystem, the Hidden Field Equation (HFE) cryptosystem, the Oil Vinegar (OV) cryptosystem and the Stepwise Triangular System [20]. Although most of them have been broken, some variants of the basic MPKC schemes, such as Rainbow and PMI+ [20], have survived known attacks like the linearization equation attack, the rank attack and the differential attack. In 2011, Hashimoto et al. [21] proposed two types of fault attacks which further weaken the security of the MPKC schemes. They detailed the fault attack on the MPKC schemes such as UOV, Rainbow, TTS and HFE, and most of the MPKC schemes were proven insecure. However, the PMI+ cryptosystem is one of the few approved cryptosystems which survived the linearization equation attack, the rank attack, the differential attack and even the fault attacks. PMI+ uses the Plus (+) method of external perturbation to prevent attacks without significantly decreasing the efficiency of the system [20]. So in our work, we used PMI+ which is based on the IP problem to construct our scheme.

Cryptosystems based on the IP problem belong to a major category of MPKC. Faugère et al. [22] gave an upper bound on the theoretical complexity of the “IP-like” problem, and presented a new algorithm to solve the IP problem when S and T are linear mappings. Bouillaguet et al. [23] proposed an improved algorithm combining the linear algebra techniques, together with Gröbner bases and statistical tools. To date, the best algorithm for the IP problem is exponential. For the IP problem used in our scheme, the attacking complexity of the best algorithm will be Ο(n^3.5⋅q^n/2) [24], where n is the number of variables and q is the cardinality of the finite field. So the IP problem will be computationally hard if we can choose the parameter properly.

With the knowledge of the most efficient attacks on the IP problem, in order to strengthen the security of our scheme, we suggest that the parameters of our scheme should satisfy the following conditions: the transformations T and V should be affine; the polynomials in P and Q should be homogeneous. In our method, for example, if we choose n = 16 and q = 2⁹, the attacking complexity should be greater than Ο(n^3.5⋅q^n/2) = 16^3.5•(2⁹)^16/2 = 2⁸⁶. Usually, it is considered to be a computationally secure MPKC scheme if the attacking complexity is greater than 2⁸⁰ [24]. Therefore, our scheme is a secure MPKC-based scheme.

Although we used PMI+ for the construction of the proposed multi-receiver signcryption scheme, there are still some other multivariate cryptosystems suitable for the construction of our scheme, such as the internally perturbed HFE cryptosystem (IPHFE) [25]. Different from PMI+, IPHFE is build by using the idea of internal perturbation. Vivien et al. [26], [27] and Ding et al. [28], [29] analyzed the security of IPHFE, and their work showed that IPHFE with appropriate parameters can withstand all known attacks. So IPHFE can be substituted for PMI+ in our construction. Due to space limitations, we do not introduce the detailed realization of the construction based on IPHFE.

2.2 Message Confidentiality. Theorem 2.

Confidentiality under the attack of Type 1. In the random oracle model, if an IND-CLMSC-CCA2-1 adversary A has a non-negligible advantage ε against the security of our scheme when performing queries to random oracles H_i (i = 1, 2), q_ske Extract Secret Key queries, q_pke Extract Public Key queries, q_pkr Replace Public Key queries, q_sc Signcrypt queries and q_dsc Designcrypt queries, then there exists an algorithm C that can solve the MQ problem with advantage defined as:(2)where t is the number of receivers in the challenge set and G₂ denotes the bit length of the element over Gⁿ.

Proof.

We show how to build an algorithm C that solves the MQ problem with the help of an adversary A. Let C receive a random instance {f(x), Y₀ =  f(X₀)} of the MQ problem, and the goal of C is to compute X₀. To solve this problem, C acts as A’s challenger in the IND-CLMSC-CCA2-1 game.

Setup.

C sets as the system public key, chooses an invertible affine transformation T₀ on , and chooses an invertible affine transformation V₀ on randomly. So the system partial secret key is , and the partial public key is . C sends the system parameters , the system public key and the system partial secret key to A. Then A outputs a set of target identities, denoted by . To handle A’s queries, C maintains a list L_i for each H_i (i = 1, 2) query.

Phase1.

C simulates A’s queries as follows:

H₁ queries.

A can perform an H₁ query on the input of (m, ID_i, X, L) and then C checks the list L₁. If an entry corresponding to (m, ID_i, X, L) is present in L₁, then C retrieves the hash value h_i from L₁ and returns h_i. Otherwise, it returns a random number and stores the entry (h_i, m, ID_i, X, L, ∇, Δ) in L₁, where the symbols ∇ and Δ denote the signature information and the encryption information of the message m, respectively.

H₂ queries.

A can perform an H₂ query on the input of (ID_s, S, X) for ID_i and then C checks the list L₂. If an entry corresponding to ID_i is present in L₂, then C retrieves Z_i from L₂ and returns Z_i. Otherwise, it returns a random number Z_i and stores the entry (Z_i, ID_s, S, X, ID_i, Λ, □, ◊, b_i = 0) in L₂, where the symbols Λ, □ and ◊ denote the public key F_i, the secret parameters T_i and V_i, respectively. The bit b_i is a flag bit used to denote whether the public keys have been replaced or not.

Extract Secret Key queries.

A can perform an Extract Secret Key query on the input of ID_i. C first checks whether holds. If holds, then C aborts the query. Otherwise, C retrieves the entry (Z_i, ID_s, S, X, ID_i, F_i, T_i, V_i, b_i = 0) from L₂. If b_i = 0, then C returns the secret key ; otherwise, the public key of the identity ID_i has been replaced and in this case, C asks A for the new secret parameters (T_i, V_i), computes the new secret key and returns it to A.

Extract Public Key queries.

A can perform an Extract Public Key query on the input of ID_i and then C checks L₂. If an entry corresponding to ID_i is present in L₂, then C retrieves F_i from L₂ and returns F_i. Otherwise, C chooses , returns the public key and updates the entry corresponding to ID_i in L₂ with T_i, V_i and F_i.

Replace Public Key queries.

When A performs a Replace Public Key query on the input of , C searches the corresponding entry in L₂. If the entry is found, then C replaces the public key in the entry corresponding to ID_i in L₂ with and sets the flag bit b_i to 1. Otherwise, C generates the public key using the Extract Public Key query and then replaces the public key of ID_i with .

Signcrypt queries.

A can perform a Signcrypt query on the input of (m, ID_s, L = {ID_R1, ID_R2, …, ID_Rt}). If ID_s =  ID_Ri, , or if and at least one , then C aborts the query. Otherwise, C knows the secret key of the sender and performs the computations as the signcryption algorithm to return the ciphertext. If , C does not know the secret key of the sender and in this case, it generates the ciphertext as follows:

First, C retrieves the entry (⋅, ID_s, F_s, T_s, V_s, b_s) from L₂ and chooses and . C computes , extracts Y = h_s by calling the oracle H₁ with the input and computes the signature S. Then, C retrieves the corresponding entry in L₂ and then computes W_i = F_i(S||X) and Z = Z_s⊕m. C updates the corresponding entry in L₁. Note that if b_i = 1, then the public key of the receiver has been replaced and in this case, the challenger asks A for (T_i, V_i) and uses it in place of the old value stored in the entry. Finally, add in L₂ (C fails if H₂ is already defined on any of such entries, but this happens only with probability ). At last, C sends to A.

Designcrypt queries.

When A submits a ciphertext , a receiver’s identity ID_R and a sender’s identity ID_s, C extracts (S, Y, Z, W_i, L) from σ. If , then C knows the secret key of ID_R and hence designcrypts σ using the De-signcrypt Algorithm. Otherwise, C searches all entries (Y, ⋅, ID_s, ⋅, L, ⋅, Z) in L₁, and if no such entries exist, the symbol ⊥ is returned to indicate that the ciphertext is invalid. Meanwhile, C searches the entry (Z_i, ID_s, S, X, ID_s, F_s, T_s, V_s, b_s) in L₂, and if it is not found, C rejects the ciphertext σ. If the ciphertext σ passes the above verification, C computes ,, and . If andhold, and passes the verification, then C returns m; otherwise, C rejects σ. Note that a valid ciphertext is rejected with probability at most

Challenge.

A outputs two messages m₀ and m₁ together with an arbitrary sender’s identity on which A wishes to be challenged. C selects a bit and sends m_b to the t target identities denoted by . C chooses and , sets and then computes ,and . Then, C responds with the ciphertext

Phase2.

A performs new queries as in Phase 1. However, A is not allowed to ask Designcrypt queries on σ^* for

Guess.

At the end of the game, A returns his/her guess result. C ignores the answer to A’s guess. According to the above discussion, we know that as long as the simulation of the attacker’s environment is perfect, the probability that A asks the value of W_i = F_i(X^*||S^*), i = 1, 2, …, t, by the H₁ oracle is the same as the probability in a real attack. C fetches a random entry (h_i, m, ID_i, X, L, S, W_i) from L₁. With probability (as L₁ contains no more than t⋅q_sc+ elements by our construction), the chosen entry contains the right element . C returns X₀ as a solution to the MQ problem.

Now, we analyze the probability of C’s success. Let E be the event that A outputs the correct bit b^* = b.

Simulation fails if any of the following events occurs:

E₁: Extract Secret Key query is executed for some chosen challenge identity.

E₂: Both the sender and at least one of receivers belong to the challenge set in some Signcrypt query.

E₃: The H₂ oracle collides in Signcrypt queries.

E₄: C rejects a valid ciphertext in some Designcrypt query.

According to the above discussion, we know that Pr[E] = ε, where E implies that E₁ and E₂ never occur, that is, . Also, we have since A conducts a total of q_sc Signcrypt queries and there are at most t⋅q_sc+ entries in L₂. represents the probability of rejection of valid ciphertexts.

The event E₅ implies that C chooses the correct entry from L₁ in the Guess Phase. And we know that So, the advantage of C is defined as:(3)

Therefore, we obtain(4)

Theorem 3.

Confidentiality under the attack of Type 2. In the random oracle model, if an IND-CLMSC-CCA2-2 adversary A has a non-negligible advantage ε against the security of our scheme when performing queries to random oracles H_i (i = 1, 2), q_ske Extract Secret Key queries, q_pke Extract Public Key queries, q_sc Signcrypt queries and q_dsc Designcrypt queries, then there exists an algorithm C that can solve the MQ problem with an advantage defined as:(5)where t is the number of receivers in the challenge set and G₂ denotes the bit length of the element over Gⁿ.

The attacker has access to the master key, but cannot perform public key replacement under the attack of Type 2. The proof is similar to that of Theorem 2.

2.3 Unforgeability. Theorem 4.

Unforgeability under the attack of Type 1. In the random oracle model, if an SUF-CLMSC-CMA-1 adversary A has a non-negligible advantage ε against the security of our scheme when performing queries to random oracles H_i (i = 1, 2), q_ske Extract Secret Key queries, q_pke Extract Public Key queries, q_pkr Replace Public Key queries, q_sc Signcrypt queries and q_ver Verify queries, then there exists an algorithm C that can solve the IP problem with an advantage defined as:(6)where t is the number of receivers in the challenge set and G₂ denotes the bit length of the element over Gⁿ.

Proof.

We show how to build an algorithm C that solves the IP problem with the help of an adversary A. Let C receive a random instance of the IP problem, and the goal of C is to compute (T_s, V_s). To solve this problem, C acts as A’s challenger in the SUF-CLMSC-CMA-1 game.

Setup.

C sets as the system public key, and chooses an invertible affine transformation T₀ on and an invertible affine transformation V₀ on randomly. So the system partial secret key is , and the partial public key is . C sends the system parameters , the system public key and the system partial secret key to A. Then A outputs a set of target identities, denoted by . To handle A’s queries, C maintains a list L_i for each H_i (i = 1, 2) query.

Attack.

C simulates A’s queries as follows:

H₁ queries.

A can perform an H₁ query on the input of (m, ID_i, X, L) and then C checks the list L₁. If an entry corresponding to (m, ID_i, X, L) is present in L₁, then C retrieves h_i from L₁ and returns h_i. Otherwise, it returns a random number and stores the entry (h_i, m, ID_i, X, L, ∇, Δ) in L₁, where the symbols ∇ and Δ denote the signature information and the encryption information for message m, respectively.

H₂ queries.

A can perform an H₂ query on the input of (ID_s, S, X) for ID_i and then C checks the L₂. If an entry corresponding to ID_i is present in L₂, then C retrieves Z_i from L₂ and returns Z_i. Otherwise, it returns a random number Z_i and stores the entry (Z_i, ID_s, S, X, ID_i, Λ, □, ◊, b_i = 0) in L₂, where the symbols Λ, □ and ◊ denote the public key F_i, the secret parameters T_i and V_i, respectively. The bit b_i is a flag bit used to denote whether the public keys have been replaced or not.

Extract Secret Key queries.

A can perform an Extract Secret Key query on the input of ID_i, and C first checks whether holds. If holds, then C aborts the query. Otherwise, C retrieves the entry (Z_i, ID_s, S, X, ID_i, F_i, T_i, V_i, b_i = 0) from L₂. If b_i = 0, then C returns the secret key . Otherwise, the public key of the identity ID_i has been replaced and in this case, C asks A for the new secret parameters (T_i, V_i), computes the new secret key and returns it to A.

Extract Public Key queries.

A can perform an Extract Public Key query on the input of ID_i and then C checks L₂. If an entry corresponding to ID_i is present in L₂, then C retrieves F_i from L₂ and returns F_i. Otherwise C chooses T_i∈_R G^n+p and V_i∈_R Gⁿ, returns the public key and updates the entry corresponding to ID_i in L₂ with T_i, V_i and F_i.

Replace Public Key queries.

When A performs a Replace Public Key query on the input of , C searches the corresponding entry in L₂. If the entry is found, then C replaces the public keys in the entry corresponding to ID_i in L₂ with and sets the flag bit b_i to 1. Otherwise, C generates the public key using Extract Public Key query and then replaces the public key of ID_i with .

Signcrypt queries.

A can performs a Signcrypt query on the input of (m, ID_s, L = {ID_R1, ID_R2, …, ID_Rt}). If ID_s = ID_Ri,, or if and at least one , then C aborts the query. If , then C knows the secret key of the sender and performs the computations as the Signcrypt algorithm to return the ciphertext . If , C does not know the secret key of the sender and hence it generates the ciphertext as follows:

First, C retrieves the entry (⋅, ID_s, F_s, T_s, V_s, b_s) from L₂ and chooses and . C computes , extracts Y = h_s by calling the oracle H₁ with the input (m, ID_s, X, L) and computes the signature S. Then, C retrieves the corresponding entry in L₂ and then computes W_i = F_i(S||X) and Z = Z_s⊕m. C updates the corresponding entry in L₁. Note that if b_i = 1, then the public key of the receiver has been replaced and in this case, the challenger asks A for (T_i, V_i) and uses it in place of the old value stored in the entry. Finally, add in L₂ (C fails if H₂ is already defined on any of such entries, but this happens only with probability ). At last, C sends to A.

Verify queries.

When A submits a ciphertext , a receiver’s identity ID_R and a sender’s identity ID_s, C extracts (S, Y, Z, W_i, L) from σ. If , then C knows the secret key of ID_R and hence designcrypts σ using the De-signcrypt Algorithm. Otherwise, C searches all entries (Y, ⋅, ID_s, ⋅, L, ⋅, Z) in L₁, and if no such entries exist, the symbol ⊥ is returned to indicate that the ciphertext is invalid. Meanwhile, C searches the entry (Z_i, ID_s, S, X, ID_s, F_s, T_s, V_s, b_s) in L₂, and if it is not found, C rejects the ciphertext σ. If the ciphertext σ passes the above verification, C computes , and . If and hold, and passes the verification test, then C accepts σ; otherwise, C rejects σ. Note that a valid ciphertext is rejected with probability at most

Forge.

After a polynomial-bounded number of queries, the adversary A outputs forged ciphertext (a receiver list L = {ID_R1, ID_R2, …, ID_Rt}, and at least one ) and the sender’s identity

According to the above discussion, we know that as long as the simulation of the attacker’s environment is perfect, the probability that A asks the value of (T_s, V_s) by the H₂ oracle is the same as the probability in a real attack. C fetches a random entry (Z_i, ID_s, S, X, ID_i, F_i, T_i, V_i, b_i) from L₂. With probability (as L₂ contains no more than t⋅q_sc+elements by our construction, and C chooses ID_s with probability 1/t), the chosen entry contains the right element (T_s, V_s). C returns (T_s, V_s) as the solution to the IP problem.

Now, we analyze the probability of C’s success. Let E be the event that the forged ciphertext passes verifications.

Simulation fails if any of the following events occurs:

E₁: Extract Secret Key query is executed for some chosen challenge identity.

E₂: Both sender and at least one of receivers belong to the challenge set in some Signcrypt query.

E₃: The H₂ oracle collides in Signcrypt queries.

E₄: C rejects a valid ciphertext in Verify queries.

According to the above discussion, we know that Pr[E] = ε, where E implies that E₁ and E₂ never occur, that is, . Also, we have , since A conducts a total of q_sc Signcrypt queries and there are at most t⋅q_sc+ entries in L₂. represents the probability of rejection of valid ciphertexts.

The event E₅ implies that C chooses the correct entry from L₂ in the last Verify Phase. And we know that . So, the advantage of C is defined as:(7)

Therefore, we obtain(8)

Theorem 5.

Unforgeability under the attack of Type 2. In the random oracle model, if an SUF-CLMSC-CMA-2 adversary A has a non-negligible advantage ε against the security of our scheme when performing queries to random oracles H_i (i = 1, 2), q_ske Extract Secret Key queries, q_pke Extract Public Key queries, q_sc Signcrypt queries and q_ver Verify queries, then there exists an algorithm C that can solve the IP problem with an advantage defined as:(9)where t is the number of receivers in the challenge set and G₂ denotes the bit length of the element over Gⁿ.

The attacker has access to the master key, but cannot perform public key replacement under the attack of Type 2. The proof is similar to that of Theorem 4.

2.4 Backward Secrecy.

Each time Alice sends a message m to receivers, she chooses randomly as the session key. Even though she sends the same message m, the corresponding ciphertext σ will be different in different sessions. So the new receiver who joins the group later does not have the previous value which is computed for the message m, and thus he/she can not obtain the previous message m. Therefore, our scheme is backward secure.

2.5 Forward Secrecy.

Forward secrecy means that the members who have quitted the group are not able to know the later session keys. In our scheme, the session key r is randomly chosen in each session. When some member of the group quits the group, the sender will compute the partial key for the rest members again, which guarantees that the members who have quitted the group cannot obtain the plaintext message from the later ciphertext. So our scheme is forward secure.

2.6 Non-repudiation.

According to Theorem 4 and Theorem 5, our scheme is unforgeable. Suppose that Alice signcrypts a message m. If others want to repudiate her signature S, they have to solve the MQ problem to get the secret key of Alice, and it is computationally infeasible because the MQ problem is an NP-hard problem. Therefore, only Alice knows her secret key and others can not repudiate her behavior of signcrypting the message m. So our scheme is non-repudiation.

2.7 Public Verifiability.

The proposed scheme provides public verifiability of ciphertext source, which is an important requirement in broadcast communications. Any third party can be convinced of the sender of the ciphertext σ by recovering in the second step of the de-signcryption phase and checking whether the equation holds. This is in fact due to the unforgeability of the signature. This verification procedure does not involve the knowledge of messages or the receiver’s secret key but only the ciphertext σ. Hence, our scheme supports public verifiability.