1 Introduction

Cloud systems have brought a paradigm shift in data outsourcing and computation, and the cloud ecosystem now serves as a means of data outsourcing in this era of ubiquitous and distributed computing. However, trust as a security property has remained elusive over the years because of the peddling of data outsourced to the cloud. The user’s data needs to be encrypted before being uploaded to the cloud [1]. Even when the user’s data is encrypted before upload, there is no guarantee of the security and privacy of data outsourced to the cloud, whether encrypted or unencrypted. Several studies in this direction have been conducted with provable security.

Fig. 1 Encrypted data download scenario

With regard to public key encryption (PKE) [2], key-insulation [3] has played a major role in the effective deployment of PKE constructions in insecure environments by curtailing a disastrous phenomenon: private keys for encryption/decryption can be exposed in an insecure environment, and alleviating this menace requires the adoption of key-insulation in public key cryptosystems. It is not practical to download the entire data stored in the cloud before a search on the data is conducted. Thus, the user should be able to search on the data while the data is stored in the cloud. The user makes a request to the cloud system and the cloud system responds to the request by searching through the stored data. In this way, the entire data is not downloaded from the cloud system before a search is conducted (see Fig. 1). The use of the helper in a key-insulated cryptosystem enables the user to update his decryption key with a time-stamp. Thus, the helper serves as a physically secured device (see Fig. 2) used to update the secret keys during user key updates. The helper serves as an attachment during user key update, and it is designed such that the presence of the helper is required for a successful key update. Figure 2 depicts a typical scenario of our scheme using multiple helpers to update decryption keys.

Public key encryption with keyword search (PKE-KS) [2] ensures that users can search on ciphertext stored in the cloud without the need to download the entire ciphertext before a search is conducted. Since this work by Boneh et al. [2], several key-insulated cryptosystem schemes on keyword search have been constructed using PKE [4,5,6], without the random oracle model [7], and via identity-based encryption (IBE) [8, 9]. The combination of identity (ID)-based key-insulated signcryption with equality test is yet to be unveiled. It is important to safeguard the privacy of users’ data outsourced to the cloud system and to attain the security property of digital signature with PKE. The adoption of key-insulated signcryption with equality test in this paradigm gives our scheme a novel approach to effectively secure users’ data that has been outsourced to the cloud. Therefore, the construction of ID-based parallel key insulated signcryption with equality test (ID-PKSET) in cloud computing is presented. Our scheme achieves multiple security enhancements in PKE with a signcrypted key-insulated cryptosystem. Our construction considers the use of multiple helpers instead of a single or double helper, as shown in Fig. 2.

1.1 Paper organization

The remaining part of our work is organized as follows: Sect. 2 outlines our contribution, Sect. 3 details the related work, and Sect. 4 outlines the preliminaries of our construction and formulates the ID-PKSET definitions. Section 5 outlines the security model, Sect. 6 details the construction of our scheme, Sect. 7 gives a comparative analysis, and Sect. 8 concludes our work and outlines future improvement.

2 Our contribution

A recent work by Zhu et al. [10] attacked the scheme of Chen et al. [11] and refuted its claimed EUF-CMA security; accordingly, that scheme could not attain EUF-CMA security. In this regard, a scheme that fulfils the primitive of identity-based key-insulated cryptosystem with equality test and supports the EUF-CMA property is yet to be unveiled.

In this paper, our contribution is threefold: (1) We construct an ID-based key-insulated signcryption scheme with equality test. (2) Our scheme achieves the security property of EUF-CMA with an added ID-based security assumption. (3) Our method delegates the equality test to the cloud server and supports key-insulation while resisting replay attacks and message forgery.

3 Related work

Fig. 2 System model of our scheme

The untrusted nature of the cloud has called for the need to protect the integrity of data outsourced to cloud systems. There is a risk of private key exposure when cryptographic algorithms are deployed in harsh environments, and this risk is equally disastrous for the effective utilization of cryptographic algorithms. Several schemes have deployed key-insulated constructions to reduce the exposure of decryption keys. Notably, Dodis et al. [4] were the first to introduce the concept of key-insulation in public key cryptosystems. Their proposed scheme had a total time period which was not known in advance. A combined effort of the schemes in [4, 12, 13] has still not received the needed research attention. Several other schemes adopted the time-based approach to construct key-insulated cryptosystems. Other directions of this primitive have been proposed, such as proxy re-encryption [14], which allowed a proxy to re-encrypt the ciphertext before transmission. A combination of key-insulated cryptosystem with certificateless encryption by He et al. [15] enabled the introduction of the certificateless key-insulated cryptosystem. Moreover, a combination of an identity-based scheme with support for key insulation by Hanaoka et al. [8] gave rise to identity-based key-insulated encryption using a single helper. An identity-based key-insulated cryptosystem without the random oracle model has also been proposed by Libert et al. [7]. These and many other related schemes have given rise to the need for further research into identity-based key-insulated cryptosystems.

3.1 Equality test

The concept of PKEKS unveiled by Boneh et al. [2] made it possible to encrypt a keyword with data. However, their scheme only supported encryption under the same public key. The use of the same public key was a drawback to the successful implementation of the construction, hence Yang et al. [16] constructed public key encryption with equality test (PKE-ET), which supported encryption under the same and under different public keys. With regard to the construction in [2], Yang et al.’s [16] work served as an improved version of Boneh et al.’s [2] work. Several schemes have been unveiled afterwards [17, 18]. Most of the schemes constructed were based on public key infrastructure (PKI). Therefore, there was the need to forego the inhibiting properties of using certificates generated by a certificate authority (CA) in public key cryptosystems. Hence, Ma et al. [19] proposed an ID-based cryptographic primitive with equality test to curtail the problems associated with the CA. Although Ma et al. [19] had an excellent performance in terms of security improvement and the use of an ID-based primitive to support keyword search, their scheme does not achieve the benefits of digital signature and key-insulation simultaneously. Therefore, the need to construct a scheme to fill this gap has become necessary.

3.2 Key-insulated signcryption cryptosystem

A signcryption cryptographic primitive proposed by Li et al. [12] attained the benefits of both digitally signing a ciphertext and PKE. Their scheme served as an improvement on previous schemes that were not based on signature-then-encrypt with high computational cost. Thus, the use of signature-then-encrypt incurs high computational cost, whereas the deployment of signcryption ensures a lower computational cost. In view of this, several schemes on signcryption have been constructed [20, 22], as well as combinations of digital signature and signcryption [21, 23] cryptosystems, with variants in proxy-signcryption [24,25,26], anonymous signcryption [11, 27] and ring signcryption [10, 28].

Key-insulated signcryption schemes have also been constructed [10, 11]. The scheme in [11] launched an attack on Chen et al.’s [26] construction to dispel the security feature of EUF-CMA. Up till now, no scheme has been constructed to fulfil the cryptographic primitive of key-insulated signcryption with equality test.

4 Outline of ID-PKSET

In ID-based parallel key-insulated signcryption with equality test (ID-PKSET), the scheme consists of the following algorithms: Setup, SET-Extract, KeyGeneration, KeyUpdate-BaseKey, TempKeyUpdate, SET-Trapdoor, Signcrypt, Unsigncrypt and Test, where \(M_{\sigma }\) and \(CT_{\sigma }\) are the plaintext space and ciphertext space, respectively:

  1. \(\mathbf{Setup}\): Given the security parameter \(\iota\), time period TP and number of helper keys \(\upsilon\), the algorithm returns PP, helper keys \((U_{n_{0}},...,U_{n_{\upsilon -1}})\) as well as the temporal master key MTK.

  2. SET-Extract: On input MTK, an arbitrary \(ID\in \{0,1\}^{*}\) and the system parameter PP, it returns a secret key \(sdk_{ID_{0}}\) to the user associated with identity ID. The PKG executes this function and forwards the key to the corresponding user with the identity ID through a secured channel.

  3. KeyGeneration: On input the received secret key \(sdk_{ID}\), the public parameter PP and the time period TP with identity ID, it outputs the base key \(BSK_{0}\).

  4. KeyUpdate-HelperKey\((BK_{0},bk_{j},t)\): On input the base key \(BSK_{0}\) at a span \(bsk_{j}\) and index \(t_{s}\), the scheme outputs the updated key \(UTK_{t_{s}}\).

  5. TempKeyUpdate: On input \(sdk_{ID_{t_{s}-1}}\) and the index \(t_{s}\) of the next updated key \(UTK_{t}\), it outputs the secret key \(mdk_{ID_{t_{s}}}\) for the next span \(t_{s}\) corresponding to a user.

  6. SET-Trapdoor: It takes as input MTK, an arbitrary \(ID\in \{0,1\}^{*}\) and the index time span \(t_{s}\), and returns a SET-trapdoor \(stdr\) to the corresponding identity ID.

  7. Signcrypt: It takes as input PP, the index \(t_{s}\) and identity \(ID \in \{0,1\}^{*}\) with plaintext \(M_{1} \in M_{\sigma }\), and returns the ciphertext \(CT_{t_{s}}\) as \(CT_{t_{s}}=(t_{s},CT_{1})\), where \(CT_{t_{s}} \in CT_{\sigma }\).

  8. Unsigncrypt: It takes the current private secret key \(sdk_{ID_{t_{s}}}\) and ciphertext \(CT_{t_{s}}\) as input and returns the plaintext \(M_{1} \in M_{\sigma }\), or outputs \(\perp\) if the ciphertext is invalid.

  9. Test: It takes ciphertexts \(CT_{t_{s_{A}}}\) and \(CT_{t_{s_{B}}}\) output by two users, A and B. It outputs 1 if the messages corresponding to \(CT_{t_{s_{A}}}\) and \(CT_{t_{s_{B}}}\) are equal. It outputs 0 otherwise.

5 Security model of ID-PKSET

Definition (IND-ID-CCA and EUF-CMA). ID-PKSET fulfils two security properties: indistinguishability under chosen ciphertext attack (IND-CCA2) and EUF-CMA [29,30,31]. ID-PKSET adds ID-based indistinguishability as a feature to IND-CCA2, which is termed IND-ID-CCA2 in [29]. The IND-ID-CCA2 game between the adversary A and the challenger is outlined below. Let \(\Delta\)=(Setup, SET-Extract, KeyGeneration, TempKeyUpdate, SET-Trapdoor, Signcrypt, Unsigncrypt, Test) be the scheme and A a polynomial time algorithm.

  1. Setup: The challenger runs Setup with the parameter \(\iota\) and total time period TP with helper keys \((U_{n_{0}},...,U_{n_{\upsilon -1}})\) and obtains PP. It forwards the parameter PP to the adversary and keeps MTK.

  2. Phase 1: The adversary issues queries \((N_{1},N_{2},....,N_{m})\). The queries are as follows:

    • Query \((ID_{i})\): The challenger executes H(.) to output \(sdk_{ID_{i}}\) corresponding to the public key \((ID_{i})\). It forwards \(sdk_{ID_{i}}\) to A.

    • SET-Trapdoor: The challenger executes private unsigncryption on TempKeyUpdate. The algorithm runs SET-Trapdoor to derive a trapdoor \(stdr_{i}\) using MTK. Finally, it forwards \(stdr_{i}\) to A.

    • Unsigncrypt queries: The challenger executes the unsigncrypt algorithm to decrypt the ciphertext \(CT_{t_{a_{i}}}\), running the extract algorithm to derive \(sdk_{ID_{i}}\) relating to \((ID_{i})\). Finally, the plaintext \(M_{i}\) is forwarded to A.

  3. Challenge: When phase 1 is over, A submits two equal-length messages \((m_{0},m_{1})\) and \(ID^{*}\) to the challenger. However, neither of \((m_{0},m_{1})\) was a signcrypt query and \(ID^{*}\) was not an extract query in phase 1. The challenger randomly picks \(b\in \{0,1\}\) and computes \(CT_{\sigma }^{*}\leftarrow \mathbf{signcrypt} (M_{b}, ID^{*},t_{s}^{*})\). The algorithm generates a challenge SET-trapdoor \(stdr^{*}=(ID^{*},t_{s}^{*})\) by running the SET-trapdoor algorithm \(stdr^{*}\leftarrow stdr(dk,M_{b},t_{s}^{*})\) and returns \(stdr^{*}\) to A.

  4. Phase 2: The adversary issues queries \((N_{1},N_{2},....,N_{m})\). Each query is of one of the following forms:

    • Query: The challenger replies as in phase 1, because \(ID_{i}\ne ID^{*}\).

    • SET-Trapdoor query, where \(t_{s}\ne t_{s}^{*}\): The challenger responds as in phase 1.

    • Unsigncryption query, where \((ID_{i}, CT_{t_{s}})\ne (ID^{*}, CT^{*}_{t_{s}})\).

  5. Output: The adversary A forwards a guess \(b^{'}\) on b. A wins the game if \(b^{'}=b\).

The adversary's advantage is denoted as:

\(Adv_{ID-PKSET}(\iota )=Pr[b^{'}=b]- \frac{1}{2}\) is negligible.

ID-PKSET attains the IND-ID-CCA2 property if no polynomial time adversary achieves a non-negligible advantage in the IND-ID-CCA2 game. ID-PKSET attains EUF-CMA security as depicted below:

  1. Setup: The challenger runs Setup with the security parameter \(\iota\) and total time period TP with helper keys \((U_{n_{0}},...,U_{n_{\upsilon -1}})\) and obtains PP. It forwards the system parameter PP to the adversary.

  2. Adversarial Attack: The adversary makes a polynomially bounded number of queries, as in definition A.

  3. Forgery: The adversary outputs a new tuple \((CT_{\sigma }^{*},ID^{*},t_{s}^{*})\) that was not produced by the signcryption oracle. The adversary wins the game if Unsigncrypt\((CT_{\sigma }^{*},ID^{*},t_{s}^{*})\) does not produce the symbol \(\perp\).

It is seen that ID-PKSET achieves EUF-CMA: it is expected that there is no polynomial time adversary with a non-negligible advantage.

6 Construction

Our construction includes the following:

  1. \(\mathbf{Setup}\): Given an input parameter \(\iota\), total time period TP and number of helper keys \(\upsilon\), the public parameter PP is returned. The system sets the initial master key as MTK and the associated multiple helper keys \((U_{n_{0}},...,U_{n_{\upsilon -1}})\).

    \(\bullet\) Two multiplicative groups G and \(G_T\) of the same order d with length \(\lambda\) bits are generated, together with a bilinear map \(e: G\times G \rightarrow G_{T}\). An arbitrary generator \(P \in G\) is selected by the system.

    \(\bullet\) The algorithm deploys a keyed permutation \(F:\{0,1\}^{k}\times \{0,1\}^{n}\rightarrow Z^{*}_{p}\) for integers \(K=k(\iota )\) and \(L=n(\iota )\). A random value \(t_{1}\) is chosen from \(\{0,1\}^{L}\). A message authentication code scheme MAC is used, \(MAC=GSV\), that is: Generate, Sign, and Verify. The algorithm obtains \(t_{2}\) by executing \(G(\iota )\). The token key is set as \(MSTK = (t_{1},t_{2})\).

    \(\bullet\) The system adopts hash functions \(H_{1}:\{0,1\}^{ml}\rightarrow Z^{*}_{p}, H_{2}:\{0,1\}^{*}\rightarrow G, H_{3}:A \times G\times G_{T}\rightarrow \{0,1\}^{ml+l}\), where l is the length of the random numbers and ml is the message length. The system randomly picks \((s_{1}, s_{2})\in Z^{2}_{p}\) and sets \(P_{1}=P^{s_{1}}\), \(P_{2}=P^{s_{2}}\). The public parameter PP=\((A, ml, {G}, {G}_{T}, e ,P, P_{1}, P_{2}, Un_{\upsilon }, MAC, H_{1}, H_{2}, H_{3})\) is published and MTK=\((s_{1}, s_{2})\) is kept. A is known as the Message Authentication Code (MAC) tag.

  2. SET-extract: Given a string \(ID \in \{0,1\}^{*}\), the parameter PP and MTK, the system computes \(J_{ID}=H_{2}(ID)\in {G}\) and sets the temporal master decryption key \(msdk_{ID_{t_{s}}}=(J_{ID_{t_{s}}}^{s_{1}}, J_{ID_{t_{s}}}^{s_{2}})\), where \((s_{1}, s_{2})\) are known as the secret key at the initial time index \(t_{s}\).

  3. KeyGeneration: On input \(msdk_{ID_{t_{s}}}\) and a randomly chosen \(Un_{\upsilon _{i}}\in \{0,1\}^{ml}\), set: \(Un_{\upsilon _{0}}\) =\(P^{Un_{u_{i}}}\),    \(P_{3}\)=\(P^{s_{1}} \cdot ( \prod \limits _{\upsilon _{i} \in Un_{\upsilon -1}}^0 P^{H_{1}(\upsilon _{i})})^{r_{1}}\) \(P_{4}=(\prod \limits _{\upsilon _{i} \in Un_{\upsilon }}^0 g^{r_{i}})\), where \(r_{2}=F(Un_{\upsilon _{i}}, Un_{\upsilon -1})\).

    We note that F is regarded as a pseudorandom permutation.

    Therefore, we denote the base helper key as \(Un_{\upsilon _{0}}\)=\((P_{3}, P_{4})\) corresponding to the helper \(\{ Un_{\upsilon _{0}}, Un_{\upsilon -1} \}\).

  4. Key update-helper: On input the helper key \(Un_{\upsilon _{i}}\) and a period index \(t_{s}\), KeyUpdate-Helper computes the next \(t_{s}\)-th key as:

    \(KUH_{t_{s}}\)=\((Un_{\upsilon _{t_{s}}}, Un^{'}_{\upsilon _{t_{s}}})\) with \(BKU_{\upsilon -1}\)=\((P_{3_{t_{s}}}, P_{4_{t_{s}}})\).

    \(P_{4_{\upsilon -1}}\)=\(P_{4_{\upsilon -1}}(Un_{\upsilon _{t_{s}}}), P_{3_{\upsilon -1}} (Un^{'}_{\upsilon _{t_{s}}} )\). Therefore,

    \(BKU_{\upsilon -1}\)=\((J_{ID_{t_{s_{4}}}}, J_{ID_{t_{s_{3}}}})\).

    The current index period decryption key is noted as:

    \(sdk_{ID_{\upsilon _{t_{s}}}}\)=\((J^{s_{1}}_{ID_{t_{s}}}, J^{s_{2}}_{ID_{t_{s}}} )\).

  5. SET-Trapdoor: Given a string \(ID \in \{0,1\}^{*}\) and MTK with index time \(t_{s}\), the algorithm computes \(J_{ID}=H_{2}(ID) \in G\) and sets the trapdoor \(stdr_{ID} = J_{ID_{t}}^{s_{1}}\). It is however noted that \(stdr_{ID}\) serves as the second element of msdk. \(msdk_{ID_{t_{s}}}\), \(stdr_{ID}\) and MSTK are distributed over a secure channel to authorized users.

  6. Signcrypt: A signer with a corresponding ID can signcrypt a message M with a public ID by choosing two random numbers \((r_{a},r_{b}) \in Z_{p}^{*}\) and computing:

    \(CT_{\sigma _{1}}\)=\(P^{r_{a}}\),       \(CT_{\sigma _{2}}\)=\(D^{r_{a}} \cdot H_{2}(e(P_{4}, J_{ID_{t_{s}}} )^{r_{a}} )\)

    \(CT_{\sigma _{3}}\)=\(P^{r_{b}}\),       \(CT_{\sigma _{4}}\)=\((M||r_{a})\oplus H_{3} (CT_{\sigma _{1}}||CT_{\sigma _{2}}||X||e(P_{3}, J_{ID_{t_{s}}} )^{r_{b}} )\).

    Where D=\(( (\prod \limits _{\upsilon _{i} \in Un_{\upsilon _{t_{s-1}}}}^0 P^{H_{1}(\upsilon _{i})} ) \cdot M )\)

    Therefore: \(CT_{\sigma }\)= \((CT_{\sigma _{1}}, CT_{\sigma _{2}}, CT_{\sigma _{3}}, CT_{\sigma _{4}} )\).

    Here, \(X\leftarrow S(t_{2}, CT_{\sigma _{3}})\) is the output of the Sign algorithm of the MAC. The corresponding tag X is used to affirm the signcrypted \(CT_{\sigma _{3}}\).

  7. Unsigncrypt: On input the signcrypted ciphertext \(CT_{\sigma }\), the updated helper decryption key \(sdk_{ID_{\upsilon _{t_{s}}}}\) and a token \(MSTK=(t_{1},t_{2})\), the system computes:

    \(CT_{\sigma _{4}} \oplus H_{3} (CT_{\sigma _{1}}||CT_{\sigma _{2}} || X||e (CT_{\sigma _{3}}, sdk^{s_{1}}_{ID} ) ) = M^{'}||r^{'}\),

    \(H_{3}(e(CT_{\sigma _{3}}, sdk^{s_{1}}_{ID_{t_{s}}} ) )\)=\(M^{'}||r^{'}\).

    On input \(X\leftarrow S(t_{2},CT_{\sigma _{3}} )\), where \(X=MAC_{t_{2}}(CT_{\sigma _{3}} )\),

    it verifies \(X^{'}\)=\(MAC_{t_{2}}(CT_{\sigma _{3}} )\). If \(X^{'}=X\), it then checks whether:

    \(CT_{\sigma _{1}}=P^{r^{'}_{a}}\) and \(CT_{\sigma _{2}}=D^{r_{a}} \cdot H_{2}(e(CT_{\sigma _{1}}, J^{s_{2}}_{ID} ) )\). If so, the algorithm outputs M.

  8. Equality-test: Given a signcrypted ciphertext \(CT_{\sigma _{A}}\) with trapdoor \(stdr_{A}\) and another signcrypted ciphertext \(CT_{\sigma _{B}}\) with a trapdoor \(stdr_{B}\), the algorithm checks whether \(M_{A}=M_{B}\). This is done by computing:

    \(ET_{A}\)=\(\frac{CT_{\sigma _{2_{A}}}}{ H_{2}(e(CT_{\sigma _{1_{A}}}, stdr_{ID_{A}}))}\),       \(ET_{B}\)=\(\frac{CT_{\sigma _{2_{B}}}}{ H_{2}(e(CT_{\sigma _{1_{B}}}, stdr_{ID_{B}} ) ) }\).

    Thus, \(ET_{A}\)=\(D_{A}^{r_{a_{A}}} \cdot H_{2}( e(P_{A}^{r_{a}}, J^{s_{2}}_{ID_{t_{s_{A}}}} ) )\),       \(ET_{B}\)=\(D_{B}^{r_{a_{B}}} \cdot H_{2}( e(P_{B}^{r_{a}}, J^{s_{2}}_{ID_{t_{s_{B}}}} ) )\).

    Therefore, \(ET_{A}=D_{A}^{r_{a_{A}}}\) and    \(ET_{B}=D_{B}^{r_{a_{B}}}\)

    The algorithm outputs 1 if the following equation holds and \(\perp\) otherwise:

    \(e(CT_{\sigma _{A}}, ET_{B}) = e(CT_{\sigma _{B}}, ET_{A})\).

Consistency: \(e(CT_{\sigma _{A}}, ET_{B}) = e(CT_{\sigma _{B}}, ET_{A})\)

\(e(CT_{\sigma _{A}}, ET_{B})= e(J_{ID}^{r_{a_{A}}}, D_{B}^{r_{a_{B}}} )=e(J_{ID},D_{B} )^{r_{a_{A}} r_{b_{B}}}\)

\(e(CT_{\sigma _{B}}, ET_{A})= e(J_{ID}^{r_{a_{B}}}, D_{A}^{r_{a_{A}}} )=e(J_{ID},D_{A} )^{r_{a_{B}} r_{b_{A}}}\)

If \(D_{A}=D_{B}\), then the function outputs \(M_{A}=M_{B}\). Thus,

\(e(CT_{\sigma _{A}}, ET_{B})\)= \(e(CT_{\sigma _{A}}, ET_{A} )\). Then:

\(Test(CT_{\sigma _{A}}, stdr_{ID_{A}}, CT_{\sigma _{B}}, stdr_{B} )\) outputs 1.

We assume that \(Pr[ Test(CT_{\sigma _{A}}, stdr_{ID_{A}}, CT_{\sigma _{B}}, stdr_{B})=1 ]\) is negligible.
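The unmask-then-cross-pair check of the Equality-test step can be exercised in a toy model. This is an added example, not the authors' implementation: group elements are stored as exponents modulo a prime, so all discrete logs are exposed and the model is insecure by construction. It assumes the mask is keyed with the pair \(P_{2}=P^{s_{2}}\), \(stdr=J_{ID}^{s_{2}}\) so that it cancels, models D as a hash of the message (the helper-key product is omitted), and uses constructed identities and messages.

```python
import hashlib
import secrets

# Toy bilinear group (INSECURE, algebra check only): an element P^x of G is
# stored as the exponent x mod Q, so multiplying elements adds exponents,
# raising to a power multiplies them, and e(P^a, P^b) = g_T^(a*b).
Q = (1 << 127) - 1  # prime group order (Mersenne prime 2^127 - 1)

def pairing(a: int, b: int) -> int:
    return (a * b) % Q

def hash_to_group(tag: bytes, data) -> int:
    """Stand-in for H_2: map bytes or a group element to a non-identity element."""
    raw = data if isinstance(data, bytes) else data.to_bytes(16, "big")
    digest = hashlib.sha256(tag + b"|" + raw).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def rand_scalar() -> int:
    return secrets.randbelow(Q - 1) + 1

def setup():
    # Assumption: the mask key pair is (s_2, P_2 = P^{s_2}). With P stored as
    # exponent 1 the public value equals the secret, which is why this model
    # is only good for checking equations.
    s2 = rand_scalar()
    return s2, s2

def trapdoor(s2: int, identity: bytes) -> int:
    j_id = hash_to_group(b"H2-id", identity)
    return (j_id * s2) % Q                      # stdr = J_ID^{s_2}

def encrypt_test_part(p2: int, identity: bytes, message: bytes):
    """Only the two ciphertext components that the Test algorithm reads."""
    r = rand_scalar()
    j_id = hash_to_group(b"H2-id", identity)
    d = hash_to_group(b"D", message)            # assumption: D modelled as a hash of M
    mask = hash_to_group(b"H2-mask", pairing(p2, j_id) * r % Q)  # H_2(e(P_2, J_ID)^r)
    ct1 = r                                     # CT_1 = P^r
    ct2 = (d * r + mask) % Q                    # CT_2 = D^r * mask
    return ct1, ct2

def unmask(ct, stdr: int) -> int:
    ct1, ct2 = ct
    # ET = CT_2 / H_2(e(CT_1, stdr)); division in G is subtraction of exponents
    return (ct2 - hash_to_group(b"H2-mask", pairing(ct1, stdr))) % Q

def equality_test(ct_a, stdr_a: int, ct_b, stdr_b: int) -> bool:
    et_a, et_b = unmask(ct_a, stdr_a), unmask(ct_b, stdr_b)
    # e(CT_1A, ET_B) == e(CT_1B, ET_A)  <=>  D_A == D_B, since r_A, r_B != 0
    return pairing(ct_a[0], et_b) == pairing(ct_b[0], et_a)

def demo():
    # Constructed sample identities and messages.
    s2, p2 = setup()
    td_a, td_b = trapdoor(s2, b"alice"), trapdoor(s2, b"bob")
    ct_a = encrypt_test_part(p2, b"alice", b"invoice-2024")
    ct_b = encrypt_test_part(p2, b"bob", b"invoice-2024")
    ct_c = encrypt_test_part(p2, b"bob", b"payroll")
    return {
        "same message, different identities": equality_test(ct_a, td_a, ct_b, td_b),
        "different messages": equality_test(ct_a, td_a, ct_c, td_b),
        "wrong trapdoor for A": equality_test(ct_a, td_b, ct_b, td_b),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The third case shows the failure mode a tester should expect: with a trapdoor for the wrong identity the mask does not cancel, so equal messages are reported as unequal.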

6.1 Security property of IND-CCA2

Our ID-PKSET is \((\epsilon _{SET}, t_{s}, q_{ks}, q_{ns}, q_{us} )-IND-CCA2\) secure if the \((\epsilon _{mdbdh}, t_{s})-mDBHDH\) assumption holds and \(H_{1}\) and \(H_{2}\) are \((\epsilon _{H_{1}})\) and \((\epsilon _{H_{2}})\) collision resistant hash functions, respectively, such that:

\(\epsilon _{SET} \le \epsilon _{mdbdh} + \epsilon _{H_{1}} + \epsilon _{H_{2}} + \frac{q_{ks}+q_{us}+3 }{p} + \frac{q_{ns}}{p^{2}}\)

Here, \(t_{s}\) denotes the index period, \(q_{ks}\) the number of extract key queries, \(q_{ns}\) the number of signcryption queries and \(q_{us}\) the number of unsigncryption queries.

6.2 EUF-CMA unforgeability

Proof theorem: We outline the unforgeability against adaptive CMA, derived from the security of Chow’s ID-based cryptosystem under the CDH assumption. Thus, if the attacker can forge a valid signcrypted ciphertext of a message, then he must equally be able to forge a valid signature of Chow’s signature scheme. Thus, suppose the adversary can forge the ciphertext \(CT_{\sigma }=(CT_{\sigma _{1}}, CT_{\sigma _{2}}, CT_{\sigma _{3}}, CT_{\sigma _{4}})\) of a message M for a user with an identity ID; then \(CT_{\sigma _{4}}=(M||k)\oplus H_{2}(CT_{\sigma _{1}})||CT_{\sigma _{2}}||X||e(P_{3}, J_{ID_{t_{s}}})^{r_{b}}\) can be seen as the signature on the message M||k, where \(k=H_{2}(e(CT_{\sigma _{1}}, J_{ID}^{s_{2}})^{r_{b}})\). It is a known fact that the hardness of the CDH problem makes the primitive unforgeable.

Again, our scheme PKI-ID-SET is \((\epsilon _{SET}, t_{s}, q_{ks}, q_{ns}, q_{us} )-EUF-CMA\) secure assuming that Paterson and Schuldt’s signature is \((\epsilon _{SET}, t^{'}_{s}, q_{ks}, q_{ns} )\) existentially unforgeable, where \(t^{'}_{s}=t_{s}+q_{ks}C_{ek}+ q_{ns}C_{sn}+q_{us}C_{un}\). Here \(q_{ks}\) represents the number of key extract queries, \(q_{ns}\) the number of signcryption queries, \(q_{us}\) the number of unsigncryption queries, \(C_{ek}\) the key extract cost of ID-PKSET, \(C_{sn}\) the cost of signcryption of ID-PKSET and \(C_{un}\) the cost of unsigncryption of ID-PKSET. Details of a security analysis proof similar to our work can be found in the appendix of the work by Li et al. [31].

7 Comparison

We compare the security strength of our proposed scheme with related signcryption schemes, together with computational cost, in Table 1. The existing key-insulated signcryption schemes [10, 11] and other ID-based signcryption schemes [31,32,33] are compared in terms of their security strength. The security parameters for our comparison include IND-ID-CCA2 with key exposure (IND-ID-SC-KI-CCA2), EUF-CMA with key exposure (EUF-CMA-KI-SC-CMA), support for key insulation, cloud delegation and token generation. Our method has the favourable security features of IND-ID-KI-CCA2 and EUF-ID-SC-KI-CMA similar to [10, 33], but ID-PKSET has the added and extended security features of key-insulation, delegated equality test and token key generation, which are absent in [10, 11]. Therefore, it is clear that the additional computational overheads leave our scheme practical and feasible when deployed in a cloud computing environment. This is agreeable because the cost of group exponentiation and group multiplication is the same as in our scheme, even though our scheme has additional computational overheads. Therefore, the computational results and communication overhead outlined for our scheme make it feasible, with added security and improvement on [10, 33].

Table 1 Security strength comparison of variant signcryption schemes
Table 2 Computational running times

Using [34], the pairing-based cryptographic repository was deployed to quantify the time consumption of our scheme. The VC++ 6.0 program codes were executed on a Windows operating system with an i5-4460 CPU at 3.20 GHz and a RAM size of 4Gb. The average execution times were extracted (see Table 2). Following [35] and other pairing-based schemes at the security level of 1024-bit RSA, the supersingular curve \(z^{2}=x^{3}+x\) with embedding degree 2 is used, where \(q=2^{159}+2^{17}+1\) is a 160-bit Solinas prime and \(p=12qr-1\) is a 512-bit prime. For the ECC-based approach, the Koblitz elliptic curve \(y=x^{3}+ax^{2}+b\) defined on \(F_{2^{163}}\) is adopted to provide the same security level in ECC. Times are measured in milliseconds (ms) and sizes in bytes. The respective execution times in Table 3 were calculated using a Matlab program. Computational results are outlined in Tables 3 and 4.

Table 3 The performance computational cost and Communication overheads

The computational cost of our method is derived from the running times in Table 2, and the computational cost and communication overheads are compared in Table 4 with schemes in key-insulated signcryption cryptosystems. We compared the work of Yu et al. [10], the schemes [30, 31, 33] and the scheme [10] with ours.

Table 4 Computational cost comparison result (ms)

It is clear that our scheme attains a remarkable security property in signcryption comparable to existing schemes. The security properties of IND-ID-SC-CCA2, EUF-ID-SC-KI-CMA and key insulation are achieved in our scheme. In addition, ID-PKSET offers security functionality beyond existing schemes, such as secured delegation to cloud systems, equality test and token key generation. We achieve a computational equality test result of 95.246ms. Therefore, ID-PKSET achieves IND-ID-SC-CCA2, EUF-ID-KI-SC-CMA, key-insulation with multiple helpers, cloud delegation, equality test and token generation simultaneously, and is thus an ideal scheme deployable in an insecure environment.

8 Conclusion and future work

Our paper proposed ID-based parallel key-insulated signcryption in cloud computing. Our construction achieves efficient and lesser computational cost. Even though other schemes on key-insulated cryptosystems with equality test exist [3, 36], ID-PKSET achieves the remarkable property of a signcryption cryptosystem using the random oracle model. A future direction of this work will involve the construction of a certificateless methodology to prevent the key-escrow problem in PKE. The private key generator could be a bad actor and needs to be resisted.