Privacy-Enhancing Group Signcryption Scheme

In the last decades, several signcryption schemes have been developed for different privacy-enhancing purposes. In this paper, we propose a new privacy-enhancing group signcryption scheme that provides: unforgeability, confidentiality, ciphertext and sender anonymity, traceability, unlinkability, exculpability, coalition-resistance, and unforgeable tracing verification. It is important to notice that the proposed scheme allows a signer to anonymously signcrypt a message on the group's behalf (i.e., sender's anonymity). The security analysis of the scheme is also provided. Our proposal is proven to be strongly existentially unforgeable under an adaptive chosen message attack, indistinguishable under an adaptive chosen ciphertext attack, and to provide ciphertext anonymity under an adaptive chosen ciphertext attack. Furthermore, the scheme is extended to work in a multi-receiver scenario, where an authorized group of receivers is able to unsigncrypt the ciphertext. The experimental results show that our scheme is efficient even on computationally restricted devices and can therefore be used in many IoT applications. The Signcrypt protocol on smart cards takes less than 1 s (including communication overhead). The time of the Unsigncrypt protocol on current ARM devices is negligible (less than 40 ms).


I. INTRODUCTION
A signcryption scheme [45] combines a digital signature and a public-key encryption scheme with a lower computational and communication overhead than the traditional sign-then-encrypt approach. Most of the traditional signcryption protocols are based on the Diffie-Hellman problem. These schemes guarantee data confidentiality and integrity, as well as signature unforgeability. In signcryption protocols, users' privacy is basically achieved through ciphertext anonymity, which means that the ciphertext reveals no information about who created it nor about whom it is intended for [45]. In other words, the problem is to hide the sender's and receiver's identities from an outsider. The use of bilinear pairing in a signcryption protocol allows achieving the ciphertext anonymity property at the expense of speed, e.g., see [14], [37], [39]. However, many applications require an even stronger anonymity. For instance, in the case of e-voting, the voter's (sender's) identity has to be hidden from the receiver as well, as in the case of video streaming applications where anonymous users (senders) broadcast live video to the Internet. In other words, we should be able to identify malicious users, e.g., users who broadcast a video with prohibited content, while keeping honest users' identities hidden. Group signatures can help us with that. In fact, group signatures allow providing data authenticity without disclosing users' identities. In particular, a user can anonymously sign a message on behalf of the group. Therefore, our scheme uses a group signature and bilinear maps in order to provide ciphertext anonymity plus sender anonymity.

The associate editor coordinating the review of this manuscript and approving it for publication was Pierluigi Gallo.

II. STATE OF THE ART
Most of the standard (i.e., one-to-one) signcryption protocols adopt a bilinear pairing strategy in order to reach a stronger anonymity property. In fact, the use of bilinear pairing in a signcryption protocol allows achieving the ciphertext anonymity property at the expense of speed. Libert and Quisquater [28], [45] propose a scheme based on pairing which is only partially anonymous. In fact, an outsider cannot identify who the sender was but knows who the receiver is, and the receiver needs the sender's public key to unsigncrypt the message. Therefore, the scheme does not achieve sender's anonymity. Later, Chaudhari and Das [14] introduce a pairing-based scheme where the sender's and the receivers' identities are protected against an outsider, i.e., the scheme guarantees ciphertext anonymity. This proposal can be suitable for a multi-receiver environment, where only authorized receivers can decrypt the ciphertext and verify the signature. However, this scheme does not provide sender's anonymity either. Finally, Braeken and Touhafi [10] propose a fast signcryption scheme based on the elliptic curve discrete logarithm problem. As in any non-pairing scheme, anonymity is only partially achieved, i.e., the sender's identity is known to the receiver.

VOLUME 9, 2021. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Most of the multi-receiver (i.e., one-to-many) signcryption schemes generate different encryptions of the same message, that is, one ciphertext for each authorized receiver. These ciphertexts are then concatenated into one, which is broadcast. Therefore, if some part of the ciphertext is corrupted during transmission, only some authorized receivers can decrypt the message correctly while the rest cannot. This leads to the unfair decryption problem [38]. Pang et al. [37] present a pairing-based scheme where each receiver needs the whole ciphertext for decryption. However, the identity of the sender is disclosed to an authorized receiver after decryption. Moreover, in order to hide the receivers' identities from an outsider, the Lagrange interpolation polynomial was also considered [24]. The unique ciphertext can be decrypted by any authorized receiver who owns a root of the interpolation polynomial. Later, this method was used in several anonymous multi-receiver signcryption schemes [27], [38], [44]. Unfortunately, Li and Pang [26] pointed out that any scheme based on the Lagrange interpolation polynomial methodology cannot achieve receiver anonymity and, accordingly, ciphertext anonymity. In fact, every authorized receiver can determine whether another user is one of the authorized receivers. To our knowledge, no current signcryption scheme combines ciphertext anonymity and fair decryption.
Ring signcryption schemes were presented more recently. Huang et al. [20] propose to combine a pairing-based signcryption scheme with a ring signature. In this case, a sender can anonymously signcrypt a message on behalf of the group. However, the receiver's identity is not hidden from an outsider. Saraswat et al. [39] also present an anonymous proxy signcryption scheme based on pairing and ring signature. This scheme works in a different scenario, where only ciphertext anonymity is required. Li et al. [25] also propose a scheme where the sender's and receiver's identities are hidden from an outsider. Their scheme is designed to be efficient on the sender side and suitable for wireless body area networks.
At last, only a few articles dealt with group signcryption schemes. Mu and Varadharajan [33] propose a distributed signcryption scheme based on ElGamal encryption and Schnorr's digital signature. The scheme is then extended to a group signcryption protocol. However, Kwak et al. [23] prove that Mu-Varadharajan does not provide the exculpability security property, i.e., the group manager can signcrypt on behalf of other group members. Furthermore, Kwak and Moon develop a new distributed signcryption scheme with sender anonymity and extend it to a group signcryption scheme [22]. However, Bao et al. [3] demonstrate that Kwak and Moon's scheme is insecure. In particular, the scheme does not provide the unforgeability, coalition-resistance, and traceability security properties. Then Kwak et al. overcome the aforementioned security flaws in [23]. They present a new encrypted group signature scheme based on the Ateniese-Camenisch-Joye-Tsudik (ACJT) group signature [2], the Bresson-Chevassut-Essiari-Pointcheval (BCEP) group key agreement protocol [11], and the ElGamal cryptosystem [16]. The scheme is defined by the authors as an ''encrypted group signature scheme'' and follows the traditional sign-then-encrypt mechanism. At first, the user generates the ACJT group signature on the message. Then the user encrypts it, together with the message, by using a symmetric cipher. The encryption key is encrypted by the ElGamal cryptosystem and delivered to the targeted group, where each member knows the decryption key. Moreover, the decryption key is distributed within the group by the BCEP protocol. The scheme provides data confidentiality and unforgeability similarly to a signcryption scheme. Unfortunately, this scheme does not provide lower computational and communication overhead due to its sequential sign-then-encrypt nature.
Furthermore, the scheme is not suitable for constrained devices in the Internet of Things (IoT) since it is based on the Integer Factorization (IF) problem, which is not portable to Elliptic Curve (EC) constructions. The ACJT scheme also has high computational requirements, as shown in [30]. The plain Kwak et al. [23] encrypted group signature scheme is then used by Cho and Toshiba [15] to build a verifiable group signcryption scheme with deduplicable properties for data stored at a cloud service provider. It is remarkable that our scheme can be an efficient alternative to be deployed in Cho-Toshiba's scheme. At last, Mohanty et al. [32] present a signcryption protocol based on the Diffie-Hellman problem. The scheme also tries to provide the user's anonymity. In particular, the identity of the sender is hidden from the receiver and from an outsider. In order to achieve this kind of anonymity, the scheme requires an active group manager who is involved in the signcryption phase. This manager's involvement can lead to privacy leakage and slow down the computation, and therefore, it is normally avoided. However, the scheme presents several security flaws, as discussed in Appendix E. Table 1 shows a comparison of existing signcryption schemes. Observe that in the table two anonymity types are considered: 1) ciphertext anonymity, i.e., the sender's identity is hidden from an outsider as well as the receiver's identity from an outsider, and 2) sender anonymity, i.e., the sender's identity is hidden not only from an outsider but also from the receiver. The level of privacy achieved by the schemes below depends on how many anonymity types they cover. Note that the property ''receiver's identity is hidden from the sender'' is not contemplated in the previous list because it is normally assumed that the sender knows the identity of the receiver of its message.
TABLE 1. Main features of related work on anonymous signcryption schemes: scheme, security assumption, anonymity property, multi-receiver scenario support and number of bilinear pairings used in the corresponding scheme. ''DH'' stands for ''Diffie-Hellman problem'', ''pair.'' for ''bilinear Diffie-Hellman problem'', ''interp-pair.'' for ''bilinear Diffie-Hellman problem combined with Lagrange interpolation polynomial method'', ''ring-pair.'' for ''bilinear Diffie-Hellman problem combined with ring signature'', ''EC'' for ''Elliptic curve discrete logarithm problem'', ''group-pair.'' for ''bilinear Diffie-Hellman problem combined with group signature'', ''group-DH'' for ''Diffie-Hellman problem combined with group signature'', ''S-to-R'' for ''sender's identity is hidden from the receiver'', similarly for ''S-to-O'' and ''R-to-O'' where ''O'' stands for ''outsider''. The number of pairings is given depending on who is computing it. For instance, ''3S+7R'' stands for ''3 pairings computed by the sender and 7 by the receiver''; ''n'' is the number of users in the ring. In Table 1, we consider only provably secure signcryption schemes. In particular, the Mu and Varadharajan scheme [33] does not provide exculpability, and the Kwak et al. [22] scheme does not provide traceability, coalition-resistance and unforgeability. Furthermore, we also prove that the Mohanty et al. [32] scheme presents security flaws, i.e., it does not provide unforgeability, confidentiality, exculpability nor traceability. See Appendix E for more details. The security of the state-of-the-art schemes is depicted in detail in Table 2.

A. CONTRIBUTION AND PAPER STRUCTURE
In [19], we proposed a novel group signature scheme based on the weak Boneh-Boyen signature [9] and efficient proofs of knowledge [13]. This scheme has fast signature generation and provides all the main privacy-enhancing signature features, i.e., anonymity, unlinkability, traceability, and coalition-resistance. The present article extends this work: the proposed signature is included in our signcryption scheme. Accordingly, the new signcryption scheme holds all the properties of the aforementioned group signature scheme. Our lightweight privacy-preserving group signcryption scheme can find use in particular in IoT environments, where many computationally and memory-constrained devices are employed.
Our novel signcryption scheme guarantees ciphertext and sender anonymity. This is achieved by combining the Elliptic Curve Integrated Encryption Scheme (ECIES) [18] with our group signature [19]. Furthermore, our signcryption scheme supports the multi-receiver scenario and guarantees fair decryption to all authorized receivers.
The main properties of the scheme are summarized below.
Privacy-enhancing main features:
• ciphertext anonymity, i.e., the sender's and receiver's identities are hidden from an outsider;
• sender anonymity, i.e., the sender's identity is hidden not only from an outsider but also from the receiver. In this way, instead of sender authentication, group authentication is provided to achieve message integrity and verification of the sender;
• traceability, i.e., the manager is able to trace which user signcrypted the message;
• unlinkability, i.e., nobody can tell whether two or more signcryptions come from the same sender or from different senders.
Other features:
• the Signcrypt algorithm is fast: it requires no bilinear pairing and only 6 exponentiations;
• the Unsigncrypt algorithm is efficient: it requires only 2 pairings;
• the group manager is able to identify the signer by opening the signcryption;
• the scheme is compatible with current revocation techniques such as [13];
• the scheme can be adapted to a multi-receiver scenario;
• the scheme is built by using primitives with formal security proofs;
• security analyses of the scheme are provided.
The rest of this article is organized as follows. Section III discusses some preliminaries. Section IV lists the signcryption properties and security models. Section V shows the basic structure of the proposed scheme and lists the integrated cryptographic primitives with their functionalities. Section VI presents the proposed scheme. Section VII shows how the scheme can be adapted to a multi-receiver scenario. Section VIII provides the security analysis of the scheme. Section IX discusses possible use cases for our proposal. Section X shows the comparison with closely related signcryption schemes. Section XI reports the experimental results. The final section contains the conclusions.

III. PRELIMINARIES
In this section, we first outline the notation used and the security assumptions needed to understand our scheme and our security proofs. Second, we briefly introduce bilinear pairing maps and the weak Boneh-Boyen (wBB) signature, which are used throughout all sections. Then we review the protocols on which our scheme is based, namely our lightweight group signature [19], a Non-Interactive Zero-Knowledge Proof of Knowledge (NIZKPK) [7], the Elliptic Curve Integrated Encryption Scheme (ECIES) [18], and the BCEP group key agreement protocol [11]. At last, we refresh the structure of a signcryption protocol.
From now on, the symbol '':'' means ''such that'', $|x|$ is the bit-length of $x$ and $||$ denotes the concatenation of two binary strings. We write $a \leftarrow_\$ A$ when $a$ is sampled uniformly at random from $A$. A secure hash function is denoted as $H : \{0,1\}^* \to \{0,1\}^\kappa$, where $\kappa$ is a security parameter. We describe the proof of knowledge protocols (PK) using the notation introduced by Camenisch and Stadler (CS) [12]. The protocol for proving the knowledge of the discrete logarithm of $c$ with respect to $g$ is denoted as $PK\{\alpha : c = g^\alpha\}$.

A. HARD PROBLEMS
In this section, we describe some security assumptions used in the proposed scheme. Let $G_1$, $G_2$, and $G_T$ be groups of prime order $q$, $g$ be a generator of $G_1$, and $g_2$ be a generator of $G_2$. In the first assumption, $G_1$ is taken equal to $G_2$ and, therefore, $g = g_2$.

1) DECISIONAL DIFFIE-HELLMAN (DDH) PROBLEM
Given $g, g^a, g^b, g^c$ for some $a, b, c \in \mathbb{Z}_q$, determine whether $c \equiv ab \pmod{q}$. See [41] for more details on the DDH assumption.
Definition 2 (p-SDH Assumption): Let $B$ be an algorithm with advantage $\varepsilon$ in solving the p-SDH problem. If for any $t$-time algorithm the advantage $Adv^{p\text{-}SDH}_B$ is negligible ($\le \varepsilon$), we say that the $(p, t, \varepsilon)$-SDH assumption holds.
See [9] for more details on the p-SDH assumption.

B. BILINEAR PAIRING
Let $G_1$, $G_2$, and $G_T$ be groups of prime order $q$. A bilinear map $e : G_1 \times G_2 \to G_T$ must satisfy:
• bilinearity: $e(g^x, g_2^y) = e(g, g_2)^{xy}$ for all $x, y \in \mathbb{Z}_q$;
• non-degeneracy: for all generators $g \in G_1$ and $g_2 \in G_2$, $e(g, g_2)$ generates $G_T$;
• computability: there exists an efficient algorithm $\mathcal{G}(1^k)$ to compute $e(g, g_2)$ for all $g \in G_1$ and $g_2 \in G_2$.
By definition, $(q, G_1, G_2, G_T, e, g, g_2)$ is a bilinear group if it satisfies all the above properties. In this article, we consider the case $G_1 \neq G_2$, that is, when $e$ is an asymmetric bilinear map and the DDH assumption holds. Moreover, having $G_1 \neq G_2$ permits obtaining the shortest possible signature (see [9] for more details).

C. WEAK BONEH-BOYEN SIGNATURE
The wBB signature scheme is a pairing-based short signature scheme. This signature was proven existentially unforgeable against a weak (non-adaptive) chosen message attack under the Strong Diffie-Hellman assumption [9]. The scheme can be used to efficiently sign messages and can also be integrated with zero-knowledge proofs [13]. In this way, the knowledge of signed messages can be proven anonymously and unlinkably. The wBB signature is briefly depicted below:
• $(pk_s, sk, par) \leftarrow KeyGen(1^\kappa)$: on the input of the system security parameter $\kappa$, the algorithm generates a bilinear group $par = (q, G_1, G_2, G_T, e, g, g_2)$, computes $pk_s = g_2^{sk}$ where $sk \leftarrow_\$ \mathbb{Z}_q$, and outputs $sk$ as the private key and $(pk_s, par)$ as the public key.
• $\sigma \leftarrow Sign(m, par, sk)$: on the input of the message $m \in \mathbb{Z}_q$, the system security parameters $par$ and the secret key $sk$, the algorithm outputs the signature of the message $\sigma = g^{1/(sk+m)}$.
• $(1/0) \leftarrow Verify(\sigma, m, pk_s, par)$: on the input of the system security parameters $par$, the public key $pk_s$, a signature $\sigma$ and a message $m$, the algorithm returns 1 if and only if $e(\sigma, pk_s) \cdot e(\sigma^m, g_2) = e(g, g_2)$ holds, i.e., the signature is valid, and 0 otherwise.

D. LIGHTWEIGHT GROUP SIGNATURE
In our previous article [19], we developed a fast group signature based on the wBB proposal. Our signature allows a signer to generate an anonymous signature $\sigma(sk_i, m)$ on a message $m$, where $sk_i$ is the signer's private key. The protocol works as follows:
• $(pk, sk_m, par) \leftarrow Setup(1^\kappa)$: on the input of the security parameter $\kappa$, the algorithm generates the bilinear group with parameters $par = (q, G_1, G_2, G_T, e, g \in G_1, g_2 \in G_2)$ satisfying $|q| = \kappa$. It also generates the manager's private key $sk_m \leftarrow_\$ \mathbb{Z}_q$ and computes the public key $pk = g_2^{sk_m}$. It outputs $(pk, par)$ as the public output and $sk_m$ as the manager's private output.
The signature $\sigma(sk_i, m)$ is composed of the following values:
– $\hat{g} = g^r$: the generator raised to a randomly chosen randomizer $r \leftarrow_\$ \mathbb{Z}_q$;
– $\hat{sk}_i = sk_i^{\,r}$: the signer's private key raised to the randomizer;
– $\bar{sk}_i = \hat{sk}_i^{\,-id_i}$: the randomized private key raised to the (negated) signer identifier;
– $\pi = PK\{\ldots\}(m)$: the proof of knowledge of $r$ and $id_i$ signing the message $m$.
• $0/1 \leftarrow Verify(\sigma(sk_i, m), m, pk, bl)$: on the input of the message $m$, its signature $\sigma(sk_i, m)$, a blacklist $bl$, and the public key $pk$, the algorithm checks the proof of knowledge signature $\pi$ and checks that the signature is valid with respect to the manager's public key using the equation $e(\bar{sk}_i \cdot \hat{g}, g_2) \stackrel{?}{=} e(\hat{sk}_i, pk)$. The collector also performs the revocation check $\bar{sk}_i \stackrel{?}{=} \hat{sk}_i^{\,-id_i}$ for all $id_i$ values stored on the blacklist $bl$. If the revocation check equation holds for any value on the blacklist, the signature is rejected. Otherwise, the signature is accepted if all other checks pass.
In the above algorithm, the manager knows the signer's private key $sk_i$. In our signcryption protocol, we overcome this issue and achieve the exculpability feature of the signature. Therefore, the manager is not able to signcrypt a message on behalf of any group signer. Note that traceability of malicious signers remains possible.
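The following Python model is an added illustration, not code from this paper or from [19]. It checks the wBB verification equation (Section III.C) and the group-signature verification and revocation equations above by representing every element of $G_1$, $G_2$ and $G_T$ by its discrete logarithm modulo the group order, so that the pairing becomes multiplication of exponents. This is an insecure stand-in for a real bilinear group (discrete logarithms are public by construction) and exists only to show why the equations hold; the proof of knowledge $\pi$ is not modelled, and the group-order constant and member identifiers are constructed sample values.

```python
import secrets

# Constructed sample value: the prime order of the NIST P-256 group, used only
# as a convenient large prime q for the exponent arithmetic below.
Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def inv(x):
    """Inverse modulo q, needed for exponents of the form 1/(sk + m)."""
    return pow(x % Q, -1, Q)


def pair(a, b):
    """Toy pairing: e(g^a, g2^b) = e(g, g2)^(a*b), returned as the exponent of
    e(g, g2).  A product in G_T is a sum of exponents; e(g, g2) itself is 1."""
    return (a * b) % Q


# --- weak Boneh-Boyen signature (Section III.C) ------------------------------
def wbb_keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, sk                        # pk_s = g2^sk, stored as exponent sk


def wbb_sign(sk, m):
    """sigma = g^{1/(sk+m)}, stored as its exponent."""
    return inv(sk + m)


def wbb_verify(pk_s, sigma, m):
    """Checks e(sigma, pk_s) * e(sigma^m, g2) == e(g, g2)."""
    lhs = (pair(sigma, pk_s) + pair(sigma * m % Q, 1)) % Q
    return lhs == 1


# --- lightweight group signature (Section III.D), without the proof pi -------
def group_setup():
    sk_m = secrets.randbelow(Q - 1) + 1
    return sk_m, sk_m                    # (manager key, pk = g2^{sk_m})


def group_join(sk_m, id_i):
    """Member key sk_i = g^{1/(sk_m + id_i)}: a wBB signature on id_i."""
    return wbb_sign(sk_m, id_i)


def group_sign(sk_i, id_i):
    """Randomised signature components (g_hat, sk_hat, sk_bar)."""
    r = secrets.randbelow(Q - 1) + 1
    g_hat = r                            # g^r
    sk_hat = (sk_i * r) % Q              # sk_i^r
    sk_bar = (-id_i * sk_hat) % Q        # sk_hat^{-id_i}
    return g_hat, sk_hat, sk_bar


def group_verify(pk, sig, blacklist):
    """e(sk_bar * g_hat, g2) == e(sk_hat, pk), followed by the revocation
    check sk_bar == sk_hat^{-id} for every blacklisted identifier."""
    g_hat, sk_hat, sk_bar = sig
    if pair((sk_bar + g_hat) % Q, 1) != pair(sk_hat, pk):
        return False
    for id_rev in blacklist:
        if sk_bar == (-id_rev * sk_hat) % Q:
            return False                 # the signer has been revoked
    return True


if __name__ == "__main__":
    sk_m, pk = group_setup()
    sk_i = group_join(sk_m, 42)          # constructed member identifier
    sig1, sig2 = group_sign(sk_i, 42), group_sign(sk_i, 42)
    print("valid:", group_verify(pk, sig1, []), group_verify(pk, sig2, []))
    print("revoked:", group_verify(pk, sig1, [42]))
    print("components differ (unlinkability):", sig1 != sig2)
```

Two signatures by the same member differ in every component because of the fresh randomizer $r$, while both satisfy the verification equation; adding the member's identifier to the blacklist makes the revocation check fire, which is exactly what the text's Verify algorithm rejects.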

E. NON-INTERACTIVE ZERO-KNOWLEDGE PROOF OF KNOWLEDGE (NIZKPK) OF AN AUTHENTICATOR
The following NIZKPK [7] allows two entities, namely the manager and the sender, to jointly compute a Boneh-Boyen signature $\sigma = g^{1/(K+m)}$ on a sender's private message $m$ under the manager's secret key $K$. Let $C_m$ be a commitment on the message $m$ created by the sender. Let Keygen, Enc, and Dec be an additively homomorphic semantically secure encryption scheme. Let $\oplus$ denote the homomorphic operation on ciphertexts and $e \otimes r$ denote ''adding'' a ciphertext $e$ to itself $r$ times, where $r$ is an integer. The NIZKPK scheme is briefly depicted below:
• On the input of the system security parameter $\kappa$, the manager generates $(pk_h, sk_h) \leftarrow KeyGen(1^\kappa)$ in such a way that the message space is of size at least $2^\kappa q^2$, where $|q| = \kappa$.
• The manager computes $e_1 = Enc(pk_h, K)$ and sends $e_1, pk_h$ to the sender.
• The manager and the sender engage in an interactive zero-knowledge proof that $e_1$ encrypts a message $m \in [0, q]$.
• The manager and the sender perform an interactive zero-knowledge proof in which the sender shows that $e_2$ has been correctly computed using the message in the commitment $C_m$, and that $r_1, r_2$ are in the appropriate ranges.
• The manager decrypts $x = Dec(sk_h, e_2)$ and sends $\sigma^* = g^{1/x}$ to the sender.
• The sender computes $\sigma = (\sigma^*)^{r_1}$ and verifies that it is a correct wBB signature on $m$.
Note that the manager obtains no information on $m$. Belenkiy et al. [7] prove that this construction is a secure two-party computation of the Boneh-Boyen signature. Moreover, they show how the NIZKPK can be efficiently implemented using the Paillier cryptosystem [36] for their delegatable anonymous credentials scheme. We refer to [7] for more details. Note that the NIZKPK can be easily adapted to work with our signcryption scheme.

F. ELLIPTIC CURVE INTEGRATED ENCRYPTION SCHEME (ECIES)
ECIES [18] is an efficient and provably secure encryption scheme based on the elliptic curve discrete logarithm problem. Let $G$ denote a group of prime order $q$ with generator $g$. Then the public system parameters are $par = (G, g, q)$. The scheme needs a symmetric encryption scheme $SYM = (E_k, D_k)$, a message authentication code $MAC_k$, and a key derivation function $KDF$. The ECIES scheme is briefly depicted below:
• $(pk, sk) \leftarrow KeyGen(par)$: on the input of the system parameters $par$, the protocol randomly chooses the secret key $v \leftarrow_\$ \mathbb{Z}_q$ and computes the public key $pk = g^v$.
• $e \leftarrow Enc(par, pk, m)$: on the input of the public key $pk$ and a message $m$, the protocol randomly chooses $x \leftarrow_\$ \mathbb{Z}_q$ and computes $u = g^x$ and $t = pk^x$. Then it computes the keys $(k_1, k_2) = KDF(t)$, which are used for encrypting the message, $c = E_{k_1}(m)$, and for generating the message authentication code $r = MAC_{k_2}(c)$ of the ciphertext $c$. The algorithm outputs $e = u||r||c$.
• $(\bot / m) \leftarrow Dec(par, sk, e)$: on the input of the secret key $sk$ and the ciphertext $e$, the protocol parses $e$ as $u||r||c$, and computes $t = u^{sk}$ and $(k_1, k_2) = KDF(t)$. If $r = MAC_{k_2}(c)$, then the algorithm returns $m = D_{k_1}(c)$, otherwise invalid $\bot$.
In addition to proving that the algorithm is secure, Smart [41] provides several specifications on the choice of $SYM$ and $KDF$. Our signcryption scheme builds on the ECIES scheme and takes into consideration Smart's recommendations.
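The following Python example is added here and is neither the paper's code nor a reference ECIES implementation. It mirrors the Enc/Dec structure above: $KDF(t)$ yields $(k_1, k_2)$, $c = E_{k_1}(m)$, $r = MAC_{k_2}(c)$, the output is $u||r||c$, and Dec checks the MAC before decrypting and returns $\bot$ (here `None`) otherwise. Assumed stand-ins, chosen so the code runs offline: the elliptic-curve group is replaced by a constructed multiplicative group $\mathbb{Z}_p^*$ with $p = 2^{127}-1$, $SYM$ is an XOR with an HMAC-SHA256 keystream, and $KDF$ is SHA-256 with domain-separation prefixes; none of these is Smart's recommended choice and they are for illustration only.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: Z_p^* with the Mersenne prime p = 2^127 - 1 and
# base G = 3.  A stand-in for the elliptic-curve group of ECIES; not for use.
P = 2 ** 127 - 1
G = 3
ORDER = P - 1                        # exponents are reduced modulo the order
ELEM_BYTES = 16                      # p < 2^128, so elements fit in 16 bytes
MAC_BYTES = 32                       # HMAC-SHA256 tag length


def keygen():
    """(sk, pk) with sk = v sampled from Z_q and pk = g^v."""
    v = secrets.randbelow(ORDER - 1) + 1
    return v, pow(G, v, P)


def kdf(t):
    """KDF(t) -> (k1, k2): SHA-256 of the shared element under two distinct
    domain-separation prefixes (constructed stand-in for Smart's KDF)."""
    tb = t.to_bytes(ELEM_BYTES, "big")
    return (hashlib.sha256(b"k1" + tb).digest(),
            hashlib.sha256(b"k2" + tb).digest())


def sym_xor(k, data):
    """SYM stand-in: XOR with an HMAC-SHA256 counter keystream (E_k == D_k)."""
    stream = b""
    ctr = 0
    while len(stream) < len(data):
        stream += hmac.new(k, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def enc(pk, m):
    """Enc(par, pk, m) -> e = u || r || c."""
    x = secrets.randbelow(ORDER - 1) + 1
    u = pow(G, x, P)                                   # u = g^x
    t = pow(pk, x, P)                                  # t = pk^x
    k1, k2 = kdf(t)
    c = sym_xor(k1, m)                                 # c = E_{k1}(m)
    r = hmac.new(k2, c, hashlib.sha256).digest()       # r = MAC_{k2}(c)
    return u.to_bytes(ELEM_BYTES, "big") + r + c


def dec(sk, e):
    """Dec(par, sk, e) -> m, or None (the text's invalid symbol) when e is
    malformed or the MAC fails; nothing is decrypted before the MAC check."""
    if len(e) < ELEM_BYTES + MAC_BYTES:
        return None
    u = int.from_bytes(e[:ELEM_BYTES], "big")
    r = e[ELEM_BYTES:ELEM_BYTES + MAC_BYTES]
    c = e[ELEM_BYTES + MAC_BYTES:]
    if not 1 < u < P:                                  # reject non-elements
        return None
    t = pow(u, sk, P)                                  # t = u^sk = g^{xv}
    k1, k2 = kdf(t)
    expected = hmac.new(k2, c, hashlib.sha256).digest()
    if not hmac.compare_digest(r, expected):           # constant-time compare
        return None
    return sym_xor(k1, c)                              # m = D_{k1}(c)


if __name__ == "__main__":
    sk, pk = keygen()
    e = enc(pk, b"constructed sample message")
    print(dec(sk, e))
    tampered = e[:-1] + bytes([e[-1] ^ 0x01])
    print(dec(sk, tampered))                           # None: MAC rejects it
```

The order of operations in `dec` is the point worth keeping when building on ECIES: the MAC over $c$ is verified with a constant-time comparison before any symmetric decryption takes place, so a modified $u$, $r$ or $c$, a truncated ciphertext, or a ciphertext meant for another key all yield $\bot$ rather than plaintext.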

G. BCEP GROUP KEY AGREEMENT PROTOCOL
The BCEP group key agreement protocol [11] is an efficient and provably secure group key agreement protocol. Its security is based on the Computational Diffie-Hellman (CDH) problem. Furthermore, the scheme requires the employment of a secure signature scheme. Let $G$ denote a group of prime order $q$ with generator $g$. The BCEP algorithm is run between a User ($U_i$) (in the user group $G_U$) and a Server $S$, which will be renamed in our protocol as a Receiver and the Receiver Group Manager, respectively. The BCEP scheme is briefly depicted below:
• … Then the user generates the signature $\sigma_i$ on the value $y_i$ and sends $(\sigma_i, y_i)$ to the server.
• The server generates a random $x_s \leftarrow_\$ \mathbb{Z}_q$ and computes $y_s = g^{x_s}$. The server verifies the signature $(\sigma_i, y_i)$ for each user $U_i$ and computes $\alpha_i = y_i^{x_s}$. Then the server initializes the counter $c = 0$, as a bit-string of length $\ell_1$, and computes the shared secret value $k = H_0(c||\alpha_1||\ldots||\alpha_n)$, where $H_0 : \{0,1\}^* \to \{0,1\}^{\ell_0}$ is a secure hash function with output length $\ell_0$ and $n$ is the number of users.
• Finally, the server computes a value $k_i$ for each user by means of a secure hash function with output length $\ell_0$, where $\ell_1$ is the maximal bit-length of the counter $c$ used to prevent replay attacks. The server signs the message $m_i = c||k_i||y_s$ and sends $(m_i, \sigma_s)$ to each user.
• Each user $U_i$ verifies the signature $(m_i, \sigma_s)$ and computes $\alpha_i = y_s^{x_i}$ in order to recover the shared secret key $k$ and the session key $sk$, where the derivation uses a secure hash function $H_2 : \{0,1\}^* \to \{0,1\}^{\ell_2}$ with output length $\ell_2$ that need not be equal to $\ell_0$.
This algorithm is integrated without modifications in our multi-receiver group signcryption protocol. See Section VII for more details.

H. SIGNCRYPTION SCHEME ARCHITECTURE
In this section, we briefly refresh the structure of a signcryption protocol. A traditional signcryption protocol consists of at least four basic algorithms: Setup, KeyGen, Signcrypt, and Unsigncrypt. In particular, for a fixed security parameter, these algorithms work as follows:
• $(pk_s, par) \leftarrow Setup(1^\kappa)$: on the input of the security parameter $\kappa$, the algorithm outputs the public system security parameters $par$ and the group public key $pk_s$.
• $(sk_s, pk_s, pk_r, sk_r) \leftarrow KeyGen(par)$: on the input of $par$, generates the sender's secret and public keys $(sk_s, pk_s)$, and the receiver's key pair $(pk_r, sk_r)$.
• $(c, \sigma) \leftarrow Signcrypt(par, sk_s, pk_r, m)$: on the input of $par$, $sk_s$, $pk_r$ and a message $m$, outputs a ciphertext $c$ and a signature $\sigma$.
• $(1/0, m) \leftarrow Unsigncrypt(par, c, \sigma, pk_s, sk_r)$: on the input of $par$, $c$, $\sigma$, $pk_s$ and $sk_r$, verifies the signature $\sigma$ and decrypts the ciphertext $c$. It returns 1 and $m$ iff the signature is valid, and 0 otherwise.

IV. SECURITY MODEL AND REQUIREMENTS
In this section, the signcryption security model and security requirements are presented. First, the basic and privacy-enhancing properties of a group signcryption scheme are listed and delineated. Then Strong Existential Unforgeability (sUF), Indistinguishability (IND), and Ciphertext Anonymity (ANON) are described in detail.

A. SECURITY REQUIREMENTS
In general, a group signcryption protocol should have the following security properties:
• Correctness: Valid signcryptions generated by group members are always accepted by the verification process, while invalid signcryptions always fail verification.
• Unforgeability: Only valid group members are able to signcrypt a message on behalf of the group.
• Confidentiality: No one can recover the signcrypted message, except for either the receiver or the members belonging to the receiving group.
• Sender's Anonymity: Identifying the sender of a valid unsigncrypted message is computationally hard for anyone except the group manager.
• Ciphertext Anonymity: The ciphertext reveals no information about who created it nor about whom it is intended to, i.e., the sender's identity is hidden not only to an outsider but also to the receiver.
• Unlinkability: No one can tell if two signcryptions were from the same signer or not.
• Traceability: The group manager can find the true signer, for any valid verified message.
• Exculpability: No one, even the group manager, can signcrypt on the behalf of other group members.
• Coalition-resistance: A colluding subset of group members cannot generate valid signcryptions in such a way that the group manager is unable to link to one of the colluding group members.
• Unforgeable tracing verification: The group manager cannot falsely accuse a signer of creating signcryptions he/she did not create.

B. SECURITY MODEL
We mainly focus on sUF, IND and ANON proofs since it is known that the notion of security for a signcryption protocol combines unforgeability of the signature and indistinguishability of the encryption scheme [28], [37], [39], [45]. Moreover, the notion of ciphertext anonymity [45] is also considered since it is an important privacy-enhancing property characterizing our proposal.

1) STRONG EXISTENTIAL UNFORGEABILITY (sUF)
We consider the notion of Strong Existential Unforgeability under adaptive Chosen Message Attack (sUF-CMA) [9], [45]. In an asymmetric setting, the sender and the receiver do not share the same secret key; therefore, the system needs to be protected not only from an outsider but also from an insider. In the case of sUF-CMA, the attacker is given the private key of the receiver [45]. This proves that a receiver cannot forge a signcryption ciphertext that should come from the sender. Therefore, sUF-CMA is defined by using the following game between a Challenger $C$ and an Adversary $A$:
Setup: $C$ runs the algorithms Setup and KeyGen to generate the public system security parameters $par$, the sender's key pair $(pk_s, sk_s)$ and the receiver's key pair $(pk_r, sk_r)$. $A$ is given $(par, pk_s, pk_r, sk_r)$.
Signcryption-Queries: $A$ requests signcryption of at most $q_s$ messages of its choice $m_1, \ldots, m_{q_s} \in \{0,1\}^*$. $C$ responds to each query with a ciphertext and a signature $(c_i, \sigma_i) \leftarrow Signcrypt(par, sk_s, pk_r, m_i)$ (note that $A$ does not need to have access to an unsigncryption oracle as it can compute the unsigncryption algorithm itself using $sk_r$).
Output: $A$ eventually outputs a pair $(c, \sigma)$ and wins the game if:

… was not the output of a signcryption query $Signcrypt(par, sk_s, pk_r, m_i)$ during the game. We define $Adv^{sUF}_A$ to be the probability that the adversary $A$ wins in the above game, taken over the coin tosses made by $A$ and $C$.

Definition 3: A forger $A$ is said to $(t, q_s, \varepsilon)$-break a signcryption scheme if $A$ runs in time at most $t$, $A$ makes at most $q_s$ signcryption queries and $q_s$ unsigncryption queries, and $Adv^{sUF}_A$ is at least $\varepsilon$. A signcryption scheme is $(t, q_s, \varepsilon)$-secure against strong existential forgery under adaptive chosen message attack if there exists no forger that $(t, q_s, \varepsilon)$-breaks it.
Definition 3 follows the Boneh-Boyen proposal (see Definition 1 in [9]) and is modified to work in a signcryption environment [45]. Note that the proposed group signcryption protocol is based on the wBB signature [9].

2) INDISTINGUISHABILITY (IND)
We consider the notion of INDistinguishability under adaptive Chosen Ciphertext Attack (IND-CCA2) [41], [45]. In an asymmetric setting, the sender and the receiver do not share the same secret keys and, therefore, the system needs to be protected not only from an outsider but also from an insider. In the case of IND-CCA2, the private key of the sender is given to the attacker [45]. In this way, it is proven that the signcryption scheme protects the confidentiality of the messages even if the sender's secret key is leaked to an attacker.
IND-CCA2 is defined by using the following game between a challenger $C$ and an adversary $A$:
Setup: $C$ runs the algorithms Setup and KeyGen to generate the public system security parameters $par$, the sender's key pair $(pk_s, sk_s)$ and the receiver's key pair $(pk_r, sk_r)$. $A$ is given $(par, pk_s, sk_s, pk_r)$.

Queries-1: $A$ requests the unsigncryption of at most $q_s$ ciphertexts $c_1, \ldots, c_{q_s}$ under $pk_s$ and $pk_r$. $C$ answers each query with $(1, m_i) \leftarrow \mathrm{Unsigncrypt}(par, pk_s, sk_r, c_i, \sigma_i)$ if the recovered signed plaintext is valid, and with $0$ otherwise. (Note that $A$ needs no signcryption oracle: holding $sk_s$, it can run the Signcrypt algorithm itself.)

Challenge: $A$ outputs two equal-length messages $m_0, m_1 \in \{0,1\}^*$ on which it wishes to be challenged. Hidden from $A$'s view, $C$ chooses $b \leftarrow \{0,1\}$ and computes the challenge ciphertext $(c^*, \sigma^*) \leftarrow \mathrm{Signcrypt}(par, sk_s, pk_r, m_b)$.

Queries-2: $A$ may make at most $q_s$ further signcryption and unsigncryption queries as in Queries-1, with the restriction that $A$ cannot query $c^*$.

Guess: $A$ outputs a bit $b'$; if $b' = b$, the guess is correct. We define $\mathrm{Adv}^{\mathrm{IND}}_A$ to be the probability that the adversary $A$ wins the above game.

Definition 4: An adversary $A$ is said to $(t, q_s, \mu, m, \varepsilon)$-break a signcryption scheme if $A$ runs in time at most $t$, makes at most $q_s = q_s' + q_s''$ queries ($q_s'$ signcryption queries and $q_s''$ unsigncryption queries), the total size of the unsigncryption (decryption) queries is at most $\mu$ bits, the size of the challenge messages $m_0$ and $m_1$ is at most $m$ bits, and $\mathrm{Adv}^{\mathrm{IND}}_A$ is at least $\varepsilon$. A signcryption scheme is $(t, q_s, \mu, m, \varepsilon)$-secure in the sense of indistinguishability under adaptive chosen ciphertext attack if no adversary $(t, q_s, \mu, m, \varepsilon)$-breaks it.
Definition 4 uses 1) the same notation as [9] for consistency, 2) Smart's indistinguishability definitions (see Section 3 in [41]), and 3) is slightly modified to work in a signcryption environment [45]. Note that the encryption layer of the proposed group signcryption protocol is based on the ECIES variant of Gayoso et al. [18], whose security was proven by Smart [41].

3) CIPHERTEXT ANONYMITY (ANON)
We consider the notion of ciphertext anonymity under adaptive chosen ciphertext attack (ANON-CCA) [45]. This property is satisfied if ciphertexts reveal no information about who created them nor about whom they are intended for; the system therefore needs to be protected from an outsider. ANON-CCA is defined by the following game between a challenger $C$ and an adversary $A$:
Setup: $C$ runs Setup and KeyGen to generate the public system parameters $par$, the sender's key pair $(pk_s, sk_s)$, and two distinct receiver key pairs $(pk_{r_0}, sk_{r_0})$ and $(pk_{r_1}, sk_{r_1})$. $A$ is given $par$, $pk_{r_0}$ and $pk_{r_1}$.

Queries-1: $A$ requests the signcryption of at most $q_s$ messages of its choice $m_1, \ldots, m_{q_s} \in \{0,1\}^*$ under the receiver key pairs $(pk_{r_0}, sk_{r_0})$ and $(pk_{r_1}, sk_{r_1})$. $C$ answers each query with a ciphertext and a signature $(c_{i,j}, \sigma_i) \leftarrow \mathrm{Signcrypt}(par, sk_s, pk_{r_j}, m_i)$, where $j \in \{0,1\}$. Then, proceeding adaptively, $A$ requests the unsigncryption of at most $q_s$ ciphertexts $c_1, \ldots, c_{q_s}$ under $pk_s$ and $pk_{r_j}$, $j \in \{0,1\}$. $C$ answers each query with $(1, m_i) \leftarrow \mathrm{Unsigncrypt}(par, pk_s, sk_{r_j}, c_{i,j}, \sigma_i)$ if the recovered signed plaintext is valid, and with $0$ otherwise.

Challenge: $A$ eventually outputs two sender private keys $sk_{s_0}$ and $sk_{s_1}$ and a message $m \in \{0,1\}^*$ on which it wishes to be challenged. Hidden from $A$'s view, $C$ chooses $b, d \leftarrow \{0,1\}$ and computes the challenge ciphertext $(c^*, \sigma^*) \leftarrow \mathrm{Signcrypt}(par, sk_{s_b}, pk_{r_d}, m)$.

Queries-2: $A$ may make at most $q_s$ further signcryption and unsigncryption queries as in Queries-1, with the restriction that $A$ cannot query $(c^*, pk_{s_j})$ for $j \in \{0,1\}$.

Guess: $A$ outputs its guess $(b', d')$; if $(b', d') = (b, d)$, the guess is correct. We define $\mathrm{Adv}^{\mathrm{ANON}}_A$ to be the probability that the adversary $A$ wins the above game.

Definition 5: An adversary $A$ is said to $(t, q_s, \mu, m, \varepsilon)$-break a signcryption scheme if $A$ runs in time at most $t$, makes at most $q_s = q_s' + q_s''$ queries ($q_s'$ signcryption queries and $q_s''$ unsigncryption queries), the total size of the unsigncryption (decryption) queries is at most $\mu$ bits, the size of the challenge message is at most $m$ bits, and $\mathrm{Adv}^{\mathrm{ANON}}_A$ is at least $\varepsilon$. A signcryption scheme is $(t, q_s, \mu, m, \varepsilon)$-secure in the sense of anonymity under adaptive chosen ciphertext attack if no adversary $(t, q_s, \mu, m, \varepsilon)$-breaks it.
Definition 5 uses the same notation as [9] for consistency and is slightly modified to work in a signcryption environment [45].

V. ARCHITECTURE
Three types of entities interact in our signcryption scheme: a Sender Group Manager, a Sender, and a Receiver. Moreover, a Receiver Group Manager is involved in the multi-receiver scenario.
• Sender Group Manager (SGM), shortly Manager: the Sender Group Manager generates system security parameters and cryptographic keys, enrolls new senders and traces malicious ones.
• Group Sender, shortly Sender: the Sender signcrypts the data and sends them to the receiver.
• Receiver Group Manager (RGM): the Receiver Group Manager generates group public and secret keys, enrolls new receivers, and distributes the decryption keys between them all. RGM is needed only in the multireceiver scenario.
• Receiver: the Receiver receives the signcrypted data, decrypts it and checks the validity of the signature on the plaintext.
Table 3 shows the main variables used throughout the scheme with their definitions. The signcryption scheme consists of the following five algorithms (sketched in Figure 1):
• $(par, (pk_s, sk_m), (pk_r, sk_r)) \leftarrow \mathrm{Setup}(1^\kappa)$: this algorithm works in two phases. First, on input the security parameter $\kappa$, the Manager generates and publishes the public system parameters $par = (q, G_1, G_2, G_T, e, g, g_2, H, \mathrm{SYM})$, chooses and publishes the public key $pk_s$ shared by all senders, and chooses the manager's private key $sk_m$, which is kept secret. Here $H$ is a predefined hash function and SYM is a predefined secure symmetric encryption scheme. Second, on input the public system parameters $par$, the Receiver generates a secret key $sk_r$ and publishes the receiver's public key $pk_r$.
• (δ i , rd) ← Join(par, sk i , sk m ): on the input of the public system parameters par, the manager's private key sk m and the sender's secret key sk i , this protocol outputs the sender group member credential δ i and the revocation database rd. The Join algorithm is run as an interactive protocol between the Manager and the Sender.
• (σ, c) ← Signcrypt(par, m, sk i , δ i , pk r ): on the input of the public system parameters par, the message m, the receiver's public key pk r , the sender's key sk i and the credential δ i , the Signcrypt algorithm outputs the signature σ on the message m, and the ciphertext c of m. This algorithm is run by the Sender.
• $(m, 0/1) \leftarrow \mathrm{Unsigncrypt}(par, sk_r, pk_s, c, \sigma)$: on input the public system parameters $par$, the receiver's private key $sk_r$, the public key $pk_s$, the ciphertext $c$ and the signature $\sigma$, the Unsigncrypt algorithm decrypts $c$ to obtain the message $m$ and verifies the signature $\sigma$; it returns $(m, 1)$ iff the signature is valid and $0$ otherwise. This algorithm is run by the Receiver.
• $(pk_i) \leftarrow \mathrm{Open}(rd, \sigma)$: on input the manager's revocation database $rd$ and a signature $\sigma$, the algorithm outputs the sender's public key $pk_i$, which is linked to the sender's identity. The Open algorithm is run by the Manager.

A. CRYPTOGRAPHIC PRIMITIVES INTEGRATION
We use several cryptographic primitives in the following parts of the scheme: • Group signature (GS): It allows a signer to generate anonymous signatures on messages. In particular, we use the lightweight group signature presented by Hajny et al. [19] which is based on the weak Boneh-Boyen (wBB) signature [9].
• Encryption scheme: Integration of ECIES scheme [18] allows us to establish a session key and encrypt the signer's data.
• Proofs of Knowledge (PK): using PK, the Sender proves possession of its secret key and thereby generates the group signature within the Signcrypt algorithm. PK is also used in the Join phase to prove possession of the secret keys of both the Manager and the Sender. We use the Schnorr protocol [42].
• Homomorphic encryption (HE): we use the Paillier encryption scheme [36] to securely compute the group sender credential as shown in [7]. HE is run in the Join phase between the Manager and the Sender and ensures that neither party reveals to the other the secret values that would allow forging a sender credential.
• Group key agreement (GKA): the BCEP group key agreement protocol [11] is used in the Join phase to generate and distribute the decryption key within the receiver group. This protocol is applied only in the multi-receiver scenario.

VI. PROPOSED SCHEME
In this section, our group-to-one signcryption scheme is presented in detail. This scheme allows any sender from a group to signcrypt a message on the group's behalf and send it to one receiver. Regarding the group signature, we slightly modify the original scheme proposed by Hajny et al. [19]: in our variant, we employ Paillier encryption [36] to provide the exculpability property as shown by Belenkiy et al. [7]. This property was not provided by the original scheme and guarantees that the group manager cannot sign on behalf of other group members. Moreover, the group signature scheme [19] uses the weak Boneh-Boyen (wBB) signature [9] and its efficient proof of knowledge [13] to sign messages. wBB signatures were proven existentially unforgeable against a weak (non-adaptive) chosen message attack under the $p$-SDH assumption [9]. For the encryption, we take inspiration from the ECIES scheme described by Gayoso et al. [18]. Our proposal needs a Key Derivation Function (KDF), defined as $\mathrm{KDF}: \mathbb{Z}_q \times \mathbb{Z}_q \to \{0,1\}^\lambda$, where $\lambda$ is the bit length of a SYM key. The concrete algorithms follow.

A. SETUP ALGORITHM
The Setup algorithm consists of two phases.
Setup_SGM: The Manager performs the following steps:
1) Choose a bilinear map $e: G_1 \times G_2 \to G_T$, where $G_1$, $G_2$ and $G_T$ are groups of the same prime order $q$, $g$ is a generator of $G_1$, and $g_2$ is a generator of $G_2$.
2) Define a secure hash function $H$ (its domain and range are parameterized by $|m|$, the length of the plaintext message).
3) Choose a symmetric encryption scheme $\mathrm{SYM} = (\mathrm{Enc}_{SYM}, \mathrm{Dec}_{SYM})$.
4) Choose $sk_m \leftarrow_\$ \mathbb{Z}_q$ as the manager's private key, and set $pk_s = g_2^{sk_m}$ as the sender group public key.
5) Generate an RSA modulus $n$ of size at least $2^{3\kappa} q^2$, where $\kappa$ is a security parameter. Let $h = n + 1$ and let $g$ be an element of order $\varphi(n)$ modulo $n^2$ (these Paillier parameters are distinct from the generator $g$ of $G_1$).
6) For simplicity of exposition, we assume the existence of a second RSA modulus $\tilde n$ whose factors are known neither to the Sender nor to the Manager. This modulus can be provided by a Trusted Third Party (TTP); alternatively, the Sender and the Manager can generate their own moduli and use them in the protocol as proposed in [4]. Let $\tilde h$ and $\tilde g$ be two elements of $\mathbb{Z}^*_{\tilde n}$ such that $\log_{\tilde g} \tilde h$ is unknown and $\tilde g \in \langle \tilde h \rangle$.
7) Publish the public system parameters $par = (pk_s, q, G_1, G_2, G_T, e, g, g_2, H, \mathrm{SYM}, n, h, g, \tilde n, \tilde g, \tilde h)$ and keep $(sk_m, \varphi(n))$ secret.
Setup_R: This algorithm is run by the Receiver. With the public system parameters $par$, the Receiver performs the following steps:
1) Randomly choose a private key $sk_r \leftarrow_\$ \mathbb{Z}_q$.
2) Compute and publish the public key $pk_r = g^{sk_r}$.

B. JOIN ALGORITHM
This algorithm is run by the Sender and the Manager. Figure 2 shows the Join algorithm in Camenisch-Stadler (CS) notation, where the secure two-party computation of the credential $\delta_i$ of Sender $i$ takes place. The protocol computes $\delta_i = g^{1/(sk_m + sk_i)}$ without the Manager revealing its private key $sk_m$ and without the Sender revealing its secret key $sk_i$. With the public system parameters $par$, the Manager's secret key $sk_m$ and the Sender's secret key $sk_i$ as input, the Manager and the Sender perform the following steps (see Appendix E.4 of [7] for more details):
1) The Manager computes $e_1 = h^{n/2 + sk_m} g^{r} \bmod n^2$ with $r \leftarrow_\$ \mathbb{Z}_{\varphi(n)}$ and the commitment $c = \tilde g^{sk_m} \tilde h^{r'} \bmod \tilde n$ with $r' \leftarrow_\$ \mathbb{Z}_{\varphi(n)}$, and sends $(e_1, c)$ to the Sender.
2) The Manager and the Sender run the following PK protocol with each other: $\mathrm{PK}\{(sk_m, r, r') : e_1 / h^{n/2} = h^{sk_m} g^{r} \bmod n^2 \;\wedge\; c = \tilde g^{sk_m} \tilde h^{r'} \bmod \tilde n\}$.
3) The Sender chooses $r_1 \leftarrow_\$ \mathbb{Z}_q$ and $r_2 \leftarrow_\$ \{0, \ldots, 2^\kappa q\}$, computes $e_2 = (e_1 / h^{n/2})^{r_1} \cdot h^{(n/2 + sk_i) r_1 + r_2 q} \cdot g^{\bar r} \bmod n^2$ and the commitment $c' = \tilde g^{sk_i} \tilde h^{\bar r} \bmod \tilde n$ with $\bar r \leftarrow_\$ [0, n 2^\kappa]$, its public key $pk_i = g_2^{sk_i}$, and sends $(e_2, pk_i, c')$ to the Manager.
4) The Manager and the Sender run the PK protocol $\mathrm{PK}\{(sk_i, r_1, r_2, sk_i', u, \bar r) : \cdots\}$ (the statement is given in Figure 2), where $sk_i' = sk_i r_1$ and $u = -\bar r r_1$.
5) The Manager decrypts $x = \mathrm{Dec}(e_2) - n/2$, computes $\sigma^* = g^{1/x}$ and sends it to the Sender.
6) The Sender computes $\delta_i = (\sigma^*)^{r_1}$ and verifies that it is a correct signature on $sk_i$, i.e., that $\delta_i = g^{1/(sk_m + sk_i)}$ holds.
C. SIGNCRYPT ALGORITHM
With the public system parameters $par$, the message $m$, the receiver's public key $pk_r$, the sender's secret key $sk_i$ and the credential $\delta_i$, Sender $i$ generates the ciphertext $c$ and the signature $\sigma$ of $m$ as follows:
1) Randomly choose the randomizers $r, \rho_r, \rho_{sk_i} \leftarrow_\$ \mathbb{Z}_q$, and compute $g' = g^{r}$ and $j = pk_r^{\,r}$.
2) Derive the symmetric key $k_{enc} = \mathrm{KDF}(j)$.
3) Encrypt the message with the symmetric scheme, $c = \mathrm{Enc}_{SYM}(m, k_{enc})$.
4) Compute the values $\hat\delta_i, \ldots$ that form the group signature $\sigma$ (the remaining steps of Signcrypt, together with the Unsigncrypt algorithm and its pairing verification equation, whose right-hand side is $e(\delta_i, pk_s)$, are given in full in Figure 3).

D. UNSIGNCRYPT ALGORITHM
The full notation of the Signcrypt and the Unsigncrypt algorithms is depicted in Figure 3.

E. OPEN ALGORITHM
The Manager checks whether $e(\hat\delta_i, pk_j) = e(\bar\delta_i, g_2)$ holds for any $pk_j$ in its database, where $j \in \{1, \ldots, n\}$ and $n$ is the number of sender group members. If there exists a $pk_j$ for which this equation holds, $pk_j$ is linked with the sender's real identity.

F. REVOKE ALGORITHM
Our scheme is compatible with standard revocation algorithms for randomized proofs, see [13] for more details.

VII. MULTI-RECEIVER SCENARIO
The proposed signcryption scheme can easily be adapted to a multi-receiver scenario, sketched in Figure 4. In this case, the Sender signcrypts the message and sends it to a group of receivers instead of a single receiver. We therefore need to create a group of authorized receivers and a way to securely distribute the group secret key (the unsigncryption key) to all group members. To do so, we adopt the solution of Kwak et al. [23], which uses the BCEP protocol [11] to distribute the unsigncryption key to the targeted group of receivers.
In particular, the Setup_SGM, Join, Signcrypt, Unsigncrypt and Open algorithms remain unchanged: they either belong to the sender group or receive the same input as in the group-to-one scenario. The recei­ver group, in contrast, requires the addition of the Setup_RGM and Join_R algorithms to Setup and Join, respectively. The main task of these new protocols is to distribute the group secret key among the members of the receiver group.
The concrete algorithms of our multi-receiver scheme can be found below.

A. SETUP ALGORITHM
The Setup algorithm consists of two phases.
Setup_SGM: This algorithm is run by the Manager and is identical to Setup_SGM in Section VI.
Setup_RGM: On input the public system parameters $par$, the RGM performs the following steps:
• choose $x \leftarrow_\$ \mathbb{Z}_q$ and compute $y = g^{x}$,
• compute $sk_G = H(IV, y)$, where $IV$ is an initial vector.
The value $x$ is the RGM's secret key, $sk_G$ is the group secret key, and $pk_G = g^{sk_G}$ is the group public key.

B. JOIN_S ALGORITHM
This algorithm is equal to Algorithm Join in Section VI.

C. JOIN_R ALGORITHM
A Receiver belonging to the authorized group computes $y_i = g^{x_i}$, where $x_i \leftarrow_\$ \mathbb{Z}_q$. It then sends $y_i$ and a signature $\sigma_i$ on $y_i$ to the RGM. Note that $\sigma_i$ is generated by a secure signature scheme such as RSA or the Elliptic Curve Digital Signature Algorithm (ECDSA). If the Receiver also belongs to the sender group, and the system permits it, the Receiver can instead signcrypt the value $y_i$ and send it to the RGM.

VOLUME 9, 2021
The RGM verifies the signature. If it is valid, the RGM computes the member key $\alpha_i = y_i^{\,x}$ and regenerates the group secret key $sk_G = H(IV, y, \alpha_1, \ldots, \alpha_n)$, where $n$ is the number of group members. The RGM then sends $(sk_{G_i}, IV, y, \sigma_{RGM})$ to every member $i$, where $sk_{G_i} = sk_G \oplus H(IV, \alpha_i)$ and $\sigma_{RGM}$ is a signature on the triple $(sk_{G_i}, IV, y)$. Each group member verifies $\sigma_{RGM}$, computes $\alpha_i = y^{x_i}$ (which equals $y_i^{\,x}$, since both are $g^{x x_i}$) and recovers the shared group secret key $sk_G = sk_{G_i} \oplus H(IV, \alpha_i)$. Because $sk_G$ is regenerated on every join, previously distributed $sk_{G_i}$ values become stale and the RGM must redistribute them. In this way, the RGM securely shares the group secret key $sk_G$ with all group members, while $pk_G = g^{sk_G}$ is made public.
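The Setup_RGM and Join_R key transport above, as an added example that is not part of the paper or its implementation. It assumes the multiplicative group modulo $2^{521}-1$ with generator $3$ as a stand-in for $G_1$ (a placeholder so the example runs without an EC library, not a production parameter choice), SHA-256 as $H$, and omits the signatures $\sigma_i$ and $\sigma_{RGM}$ that protect the transported values; class and function names are this example's own.

```python
"""Added example: RGM group-key distribution (Setup_RGM, Join_R).

Assumptions, not from the paper: G_1 is replaced by the multiplicative group
modulo the Mersenne prime 2^521 - 1 with g = 3 (placeholder, not a secure
parameter choice); H is SHA-256; sigma_i / sigma_RGM are omitted, so only the
key-transport arithmetic those signatures protect is shown.
"""
import hashlib
import secrets

P = 2**521 - 1          # modulus of the stand-in group (assumption)
G = 3                   # stand-in generator g (assumption)
IV = b"constructed-iv"  # initial vector IV (constructed sample value)


def enc(x: int) -> bytes:
    """Fixed-width encoding of a group element for hashing."""
    return x.to_bytes(66, "big")


def H(*parts: bytes) -> bytes:
    """H(IV, y, alpha_1, ...) of the paper, instantiated with SHA-256 (assumption).
    Each input is length-prefixed so that concatenation is unambiguous."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RGM:
    """Receiver Group Manager: secret x, public y = g^x, group key sk_G."""

    def __init__(self):
        self.x = secrets.randbelow(P - 2) + 1
        self.y = pow(G, self.x, P)
        self.alphas = []                       # member keys alpha_i = y_i^x
        self.sk_G = H(IV, enc(self.y))         # Setup_RGM: sk_G = H(IV, y)

    def join_r(self, y_i: int) -> int:
        """Join_R: admit y_i, regenerate sk_G = H(IV, y, alpha_1..alpha_n).
        Returns the member index; every member then needs a fresh sk_Gi."""
        self.alphas.append(pow(y_i, self.x, P))
        self.sk_G = H(IV, enc(self.y), *(enc(a) for a in self.alphas))
        return len(self.alphas) - 1

    def masked_key(self, idx: int) -> bytes:
        """sk_Gi = sk_G xor H(IV, alpha_i): only the holder of x_i can unmask it."""
        return xor(self.sk_G, H(IV, enc(self.alphas[idx])))


class Receiver:
    def __init__(self):
        self.x_i = secrets.randbelow(P - 2) + 1
        self.y_i = pow(G, self.x_i, P)         # sent to the RGM (with sigma_i)

    def recover(self, sk_Gi: bytes, y: int) -> bytes:
        """alpha_i = y^{x_i} = g^{x x_i} = y_i^x, then sk_G = sk_Gi xor H(IV, alpha_i)."""
        alpha_i = pow(y, self.x_i, P)
        return xor(sk_Gi, H(IV, enc(alpha_i)))


def run_group(n: int = 3):
    """Enrol n receivers, redistribute masked keys for the final sk_G, and show
    that a non-member holding its own x cannot unmask any sk_Gi.
    Returns (members' recovered keys, the RGM's sk_G, outsider's wrong key)."""
    rgm = RGM()
    members = [Receiver() for _ in range(n)]
    idx = [rgm.join_r(m.y_i) for m in members]
    recovered = [members[k].recover(rgm.masked_key(idx[k]), rgm.y) for k in range(n)]
    outsider = Receiver()                      # never admitted: no alpha on the RGM side
    wrong = outsider.recover(rgm.masked_key(idx[0]), rgm.y)
    return recovered, rgm.sk_G, wrong
```

The masked key only transports `sk_G`; the integrity of `(sk_Gi, IV, y)` in the scheme comes from `sigma_RGM`, which this example leaves out, so an unsigned transport like this one would let an active attacker substitute `y`.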

VIII. SECURITY ANALYSIS
In this section, we prove that the proposed scheme satisfies all group signcryption security features listed in Section IV-A. Firstly, we focus on proving that our scheme satisfies correctness, confidentiality (IND-CCA2), unforgeability (sUF-CMA) and ciphertext anonymity (ANON-CCA). These are the main features of any signcryption protocol as shown in [45]. Then we remark that our group signcryption scheme also guarantees sender anonymity, unlinkability, traceability, and coalition-resistance. Finally, we show that our scheme provides exculpability and unforgeable tracing verification properties.

A. CORRECTNESS
Theorem 1: The decryption process in Section VI-D is correct.
Proof: Since a symmetric scheme encrypts the message, we first show that the receiver reconstructs the sender's key. Indeed, $j' = g'^{\,sk_r} = (g^{r})^{sk_r} = (g^{sk_r})^{r} = pk_r^{\,r} = j$, hence $k'_{enc} = \mathrm{KDF}(j') = \mathrm{KDF}(j) = k_{enc}$ and therefore $\mathrm{Dec}_{SYM}(c, k'_{enc}) = \mathrm{Dec}_{SYM}(c, k_{enc}) = m$. Accordingly, the decryption process is correct.
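The encryption layer of Signcrypt (Section VI-C, steps 1 to 3) together with the decryption side whose correctness Theorem 1 proves, as an added example that is not part of the paper or its implementation. It assumes X25519 (RFC 7748) in place of the pairing group $G_1$ so that it runs without a pairing library, SHA-256 as the KDF and a SHAKE256 keystream as SYM; the group signature $\sigma$ is out of scope, and all function names are this example's own.

```python
"""Added example: encryption layer of Signcrypt/Unsigncrypt (steps 1-3, Theorem 1).

Assumptions, not from the paper: G_1 is replaced by X25519 (RFC 7748); KDF is
SHA-256 over the encoded shared point j; SYM is an XOR keystream from SHAKE256,
standing in for the 3DES/AES used on the cards. The signature sigma is omitted.
"""
import hashlib
import secrets

P25519 = 2**255 - 19
A24 = 121665
BASE_U = 9            # u-coordinate of the X25519 base point: the stand-in generator g


def _clamp(k: int) -> int:
    """decodeScalar25519: clear the 3 low bits and bit 255, set bit 254."""
    return (k & ~7 & ((1 << 255) - 1)) | (1 << 254)


def x25519(k: int, u: int) -> int:
    """Montgomery ladder of RFC 7748 section 5 (not constant-time: demo only)."""
    k = _clamp(k)
    u &= (1 << 255) - 1
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P25519, (x2 - z2) % P25519
        aa, bb = a * a % P25519, b * b % P25519
        e = (aa - bb) % P25519
        c, d = (x3 + z3) % P25519, (x3 - z3) % P25519
        da, cb = d * a % P25519, c * b % P25519
        x3 = (da + cb) * (da + cb) % P25519
        z3 = x1 * ((da - cb) * (da - cb)) % P25519
        x2 = aa * bb % P25519
        z2 = e * (aa + A24 * e) % P25519
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P25519 - 2, P25519) % P25519


def kdf(j: int) -> bytes:
    """KDF(j): derive the SYM key from the shared point j (SHA-256, assumption)."""
    return hashlib.sha256(b"group-signcrypt/kdf" + j.to_bytes(32, "little")).digest()


def sym(k_enc: bytes, data: bytes) -> bytes:
    """SYM stand-in: XOR with a SHAKE256 keystream, so Enc and Dec coincide.
    It carries no integrity of its own (in the scheme sigma covers that), and a
    fresh r per message keeps k_enc, hence the keystream, from ever repeating."""
    ks = hashlib.shake_256(k_enc).digest(len(data))
    return bytes(x ^ y for x, y in zip(data, ks))


def setup_r():
    """Setup_R: sk_r <- Z_q, pk_r = g^{sk_r}."""
    sk_r = secrets.randbits(256)
    return sk_r, x25519(sk_r, BASE_U)


def encrypt_part(pk_r: int, m: bytes):
    """Signcrypt steps 1-3: g' = g^r, j = pk_r^r, k_enc = KDF(j), c = Enc_SYM(m, k_enc).
    Returns (g', c); g' travels with the ciphertext so the receiver can rebuild j."""
    r = secrets.randbits(256)
    g_prime = x25519(r, BASE_U)
    j = x25519(r, pk_r)
    return g_prime, sym(kdf(j), m)


def decrypt_part(sk_r: int, g_prime: int, c: bytes) -> bytes:
    """Unsigncrypt, decryption side: j' = g'^{sk_r} = (g^r)^{sk_r} = pk_r^r = j,
    so KDF(j') = k_enc and Dec_SYM(c, k_enc) = m (Theorem 1)."""
    j_prime = x25519(sk_r, g_prime)
    return sym(kdf(j_prime), c)


def roundtrip(m: bytes) -> bool:
    """Fresh receiver keys, encrypt, decrypt; True iff the plaintext comes back."""
    sk_r, pk_r = setup_r()
    g_prime, c = encrypt_part(pk_r, m)
    return decrypt_part(sk_r, g_prime, c) == m
```

A receiver holding a different `sk_r` derives a different `j'` and hence a different key, so decryption yields garbage rather than an error; in the full scheme the signature check in Unsigncrypt is what turns that into a rejection.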
Theorem 2: The verification process in Section VI-D is correct.
Proof: See Appendix A for proof.

B. STRONG EXISTENTIAL UNFORGEABILITY (sUF)
Boneh and Boyen [9] prove that the wBB signature scheme is strongly existentially unforgeable under a weak (non-adaptive) chosen message attack under the $p$-SDH assumption (Lemma 9 in [9]). The sUF-CMA security of our scheme follows from the unforgeability of the wBB signature and uses the same proof technique. We consider an attacker who makes up to $q_s$ adaptive signcryption and unsigncryption queries, and reduce a forgery to the solution of a random $p$-SDH instance with $p = q_s$.
Theorem 3: Suppose the $(p, t', \varepsilon')$-SDH assumption holds in $(G_1, G_2)$. Then the signcryption scheme proposed in Section VI is $(t, q_s, \varepsilon)$-secure against existential forgery under an adaptive chosen message attack with $q_s \le p$ and $t \le t' - \Theta(pT)$, where $T$ is the maximum time for an exponentiation in $G_1$, $G_2$ and $\mathbb{Z}_q$.
Proof: See Appendix B for proof.

C. INDISTINGUISHABILITY (IND)
Smart [41] analyzes the security of a generic ECIES scheme, focusing on indistinguishability under adaptive chosen ciphertext attacks. The IND-CCA2 security of our scheme follows the same proof technique as the ECIES indistinguishability proof (see Section 4 in [41]). We consider an attacker who makes up to $q_s$ adaptive signcryption and unsigncryption queries.
Lemma 4: For any adversary $A$ running in time $t$ and making at most $q_s = q_s' + q_s''$ signcryption and unsigncryption queries, the advantage of winning the IND-CCA2 game is bounded in terms of $\mathrm{Adv}^{DDH}_B(t', q)$, $\mathrm{Adv}^{SDH}_B(t', p)$ and $\mathrm{Adv}^{SYM}_B(t', |\kappa|)$, where $\mathrm{Adv}^{DDH}_B(t', q)$ is the maximal probability of solving the DDH problem in time $t'$.
Theorem 5 states the resulting concrete IND-CCA2 bound for the scheme of Section VI, where $T$ is the maximum time for an exponentiation in $G_1$, $G_2$ and $\mathbb{Z}_q$.
Proof: We prove this theorem using Lemma 4, which bounds the advantage of winning the IND-CCA2 game. Since $\mathrm{Adv}^{DDH}_B = q_s^2 / p$, where $q_s$ is the number of queries that $A$ makes (as proven by Shoup [43], Theorem 4), the claimed bound follows by construction.
It is important to notice that our proof works for any SYM and KDF schemes that are separately proven secure; the security of our signcryption scheme relies on the security of the chosen SYM and KDF. Smart [41] suggests using SHA-1 as the KDF. Note that SHA-1 is now deprecated (a practical collision was published in 2017), so a current deployment should instantiate the KDF with SHA-256 or HKDF; this does not affect the proof, since the KDF is treated as an independently secure primitive.

D. CIPHERTEXT ANONYMITY (ANON)
The ciphertext anonymity property is satisfied if ciphertexts reveal no information about who created them nor about whom they are intended for [45]. In particular, it covers exactly that the sender's and receiver's identities are hidden from outsiders.
We consider an attacker who makes up to $q_s$ adaptive signcryption and unsigncryption queries.

Lemma 6: For any adversary $A$ running in time $t$ and making at most $q_s = q_s' + q_s''$ signcryption and unsigncryption queries, the advantage $\mathrm{Adv}^{\mathrm{ANON}}_A$ of winning the ANON-CCA game is bounded in terms of $\mathrm{Adv}^{DDH}_B(t', q)$, $\mathrm{Adv}^{SDH}_B(t', p)$ and $\mathrm{Adv}^{SYM}_B(t', |\kappa|)$, which are defined as in Lemma 4. Proof: See Appendix D for the proof.
Theorem 7: Suppose the $(q, t', \varepsilon')$-DDH and $(p, t'', \varepsilon'')$-SDH assumptions hold in $G_1$ and $(G_1, G_2)$, respectively. Then the signcryption scheme proposed in Section VI is $(t, q_s, \varepsilon)$-secure in the sense of anonymity under adaptive chosen ciphertext attacks with $q_s \le p$ and $t \le 4t' + 2t'' + 4q^2$, where $T$ is the maximum time for an exponentiation in $G_1$, $G_2$ and $\mathbb{Z}_q$.
Proof: We prove this theorem using Lemma 6, which bounds the advantage of winning the ANON-CCA game. Since $\mathrm{Adv}^{DDH}_B = q_s^2 / p$, where $q_s$ is the number of queries that $A$ makes (as proven by Shoup [43], Theorem 4), the claimed bound follows by construction.

E. SENDER'S ANONYMITY, UNLINKABILITY, TRACEABILITY, AND COALITION-RESISTANCE
It is important to notice that sender anonymity, unlinkability, traceability and coalition-resistance are privacy-enhancing features achieved through the group signature we previously proposed [19].
This group signature is integrated with zero-knowledge proofs, i.e., Sender $i$ proves knowledge of its secret key $sk_i$ and its credential $\delta_i$. Without knowledge of the secret key $sk_i$ and the randomizer $r$, these proofs are provably unlinkable. Traceability is guaranteed since the Manager knows the senders' public keys $pk_j = g_2^{-sk_j}$ for $j \in \{1, \ldots, n\}$, where $n$ is the number of senders; the Manager can therefore efficiently link a proof to its author by checking $e(\hat\delta_i, pk_j) \stackrel{?}{=} e(\bar\delta_i, g_2)$ for each $pk_j$. Regarding sender anonymity, any sender can sign a message on behalf of the group, so its identity is hidden inside the group. To break coalition-resistance, a subset of senders would need to generate a new valid group sender credential $\delta = g^{1/(sk_m + \mathit{new})}$ for a secret key $\mathit{new}$ without knowledge of the Manager's secret key $sk_m$, with $\mathit{new}$ different from $sk_i$ for every Sender $i$ in the colluding group. This is equivalent to solving the $p$-SDH problem. We refer to [13] for more details.

F. EXCULPABILITY AND UNFORGEABLE TRACING VERIFICATION
Exculpability is guaranteed by the NIZKPK scheme of [7]. The NIZKPK allows generating the secret group member credential $\delta_i = g^{1/(sk_m + sk_i)}$ for Sender $i$ without disclosing the sender's secret key $sk_i$ and its credential $\delta_i$. In particular, without knowledge of $sk_i$ and $\delta_i$, no one, not even the Manager, can generate signcrypted messages on behalf of Sender $i$. As for unforgeable tracing verification, the Open algorithm guarantees that the Manager cannot falsely accuse a signer of creating a signcryption it did not create: on input the signer's proof values $(\hat\delta_i, \bar\delta_i)$, the public system parameter $g_2$ and the sender's public key $pk_j \leftarrow rd$ from the Manager's revocation database, everyone can verify whether $e(\hat\delta_i, pk_j) = e(\bar\delta_i, g_2)$ holds.

IX. APPLICATION
In this section, we present two use cases: (A) deduplication of big data in cloud computing and (B) anonymous statistical survey of attributes. Our many-to-one group signcryption scheme (Section VI) is suitable for Use case (A), while the multi-receiver group signcryption scheme (Section VII) fits Use case (B).

A. DEDUPLICATION OF BIG DATA IN CLOUD COMPUTING
The cloud is fast becoming a standard strategy in the big data context. The 2021 State of the Cloud Survey [17] estimated that 92 percent of enterprises had either a multi-cloud or a hybrid strategy. Data deduplication controls the growth of data in the cloud by eliminating duplicate copies. Cho and Toshiba [15] propose a verifiable hash convergent group signcryption that integrates a group signcryption scheme into the data deduplication process. In their proposal, a group of users is able to eliminate redundant encrypted data owned by different users.
Our scheme can also be adapted to this scenario and allows any user to anonymously upload and download encrypted data. Whereas Cho and Toshiba considered a multi-receiver signcryption scheme, we consider a many-to-one group signcryption (Section VI) more suitable for this application. Our scheme requires a Hash Convergent Encryption (HCE). HCE makes data encrypted by different users yield the same ciphertext. Following Cho and Toshiba [15], we consider the Bellare-Keelveedhi-Ristenpart HCE algorithm [8]. In an HCE, the message is encrypted with a message-derived key $k$, the hash of the message $m$ and a public parameter $p$. The message is then encrypted as $\gamma = \mathrm{Enc}(p, k, m)$ and a tag is produced by a tag-generation algorithm, $t = T(\gamma)$. The tag is used to check whether a deduplicated file is fake or not. The message is recovered by the decryption process $m = \mathrm{Dec}(k, \gamma)$. As with any message-locked encryption, HCE protects only unpredictable files: an attacker who can guess $m$ can recompute $k$ and $\gamma$ and confirm the guess.
The participants of this system are the Group Manager, the User and the Server, which take the roles of the Manager, the Group Sender and the Receiver of our scheme, respectively. In this setting, the Server can verify a user's ownership of the ciphertext, i.e., it can partially unsigncrypt the ciphertext.
• Setup: the Group Manager of group $G_a$ runs the Setup_SGM algorithm and establishes the public parameters $par$, the group public key $pk_s$ and its secret key $sk_m$. Then the Server runs Setup_R and establishes its public key $pk_r$ and secret key $sk_r$. See Section VI for more details.
• Join: the User i with the Group Manager runs Join_S algorithm to join group G a .
• Upload protocol: given a file $f$, User $i$ runs the HCE scheme, which produces a ciphertext $\gamma$ and a tag $t = T(\gamma)$. On input the message $\gamma$, User $i$ runs the Signcrypt algorithm, which outputs a ciphertext $c$ and a signature $\sigma$. The user then uploads $(c, t, \sigma)$ to the Server, which runs the Unsigncrypt protocol to recover $\gamma$ and check the signature, and verifies the tag; if $\sigma$ and $t$ are valid, it keeps $\gamma$. If $\gamma$ is already stored in the cloud, the Server adds $\sigma$ to the existing file; otherwise it stores $(\gamma, t, \sigma)$.
• Download protocol: when User $i$ wants to download the ciphertext $\gamma$, it sends a download request to the Server consisting of the file name, $\sigma$ and $t$. The Server checks the validity and ownership of the file and, if the verification succeeds, returns $\gamma$ to User $i$, which decrypts it and recovers the file $f$. Due to the confidentiality, anonymity and unlinkability of the group signcryption scheme, the Server obtains no information beyond the stored ciphertext $\gamma$.
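The upload and download protocol above with HCE, as an added example that is not part of the paper or of [15]. It assumes $k = \mathrm{SHA\text{-}256}(p \| f)$, a SHAKE256 keystream for Enc/Dec and $T(\gamma) = \mathrm{SHA\text{-}256}(\gamma)$, and elides the Signcrypt/Unsigncrypt wrapper so the Server works directly on $\gamma$ (as it would after a successful Unsigncrypt); names, the ownership-proof strings and the sample files are this example's own.

```python
"""Added example: HCE-based deduplication upload/download (Section IX-A).

Assumptions, not from the paper: k = SHA-256(p || f), Enc/Dec = XOR with a
SHAKE256 keystream keyed by k, T(gamma) = SHA-256(gamma). The group
signcryption wrapper is elided; sigma is represented by an opaque string.
"""
import hashlib

PUB_PARAM = b"constructed-public-parameter-p"   # public parameter p (constructed)


def hce_key(f: bytes) -> bytes:
    """k = H(p, f): the key is derived from the file, so equal files give equal keys."""
    return hashlib.sha256(PUB_PARAM + f).digest()


def hce_enc(k: bytes, f: bytes) -> bytes:
    """gamma = Enc(p, k, f): deterministic, so equal files give equal ciphertexts."""
    ks = hashlib.shake_256(k).digest(len(f))
    return bytes(a ^ b for a, b in zip(f, ks))


hce_dec = hce_enc      # the XOR keystream is its own inverse


def tag(gamma: bytes) -> bytes:
    """t = T(gamma); lets the Server check a claimed duplicate without seeing f."""
    return hashlib.sha256(gamma).digest()


def user_upload(f: bytes, sigma: str):
    """User side of the upload: (gamma, t, sigma); the user keeps k = hce_key(f)."""
    gamma = hce_enc(hce_key(f), f)
    return gamma, tag(gamma), sigma


class Server:
    """Keeps one copy of gamma per tag plus the ownership proofs (sigmas).
    An upload whose tag does not match its ciphertext is a fake-duplicate claim
    and is rejected before anything is stored or linked."""

    def __init__(self):
        self.store = {}                     # t -> (gamma, [sigma, ...])

    def upload(self, gamma: bytes, t: bytes, sigma: str) -> str:
        if tag(gamma) != t:
            return "rejected: tag mismatch"
        entry = self.store.get(t)
        if entry is None:
            self.store[t] = (gamma, [sigma])
            return "stored"
        entry[1].append(sigma)              # duplicate: record the new owner only
        return "deduplicated"

    def download(self, t: bytes, sigma: str):
        entry = self.store.get(t)
        if entry is None or sigma not in entry[1]:
            return None                     # unknown file or no ownership record
        return entry[0]


def demo():
    """Two users upload the same constructed file; a third sends a forged pair;
    user 2 downloads and decrypts with the key it derived at upload time."""
    srv = Server()
    f = b"constructed file contents shared by two users"
    r1 = srv.upload(*user_upload(f, "sigma-user-1"))
    r2 = srv.upload(*user_upload(f, "sigma-user-2"))        # same gamma, same t
    gamma3, t3, _ = user_upload(b"another constructed file", "sigma-user-3")
    r3 = srv.upload(gamma3 + b"\x00", t3, "sigma-user-3")   # tag no longer matches
    t_f = tag(hce_enc(hce_key(f), f))
    got = srv.download(t_f, "sigma-user-2")
    recovered = hce_dec(hce_key(f), got) if got is not None else None
    denied = srv.download(t_f, "sigma-unknown")
    return r1, r2, r3, len(srv.store), recovered == f, denied is None
```

Because `hce_enc` is deterministic, the Server learns which users hold identical files even though it never sees `f`; that equality leak is inherent to deduplication over encrypted data, and the anonymity of the group signcryption only hides which user uploaded each `sigma`.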

B. ANONYMOUS STATISTICAL SURVEY OF ATTRIBUTES
A group signcryption protocol is a suitable candidate for performing an anonymous statistical survey of attributes [23]. In this kind of survey [34], [35], a service provider wants to collect users' personal attributes such as gender, age and job. In particular, the service provider is interested in running statistics on these sensitive data for marketing purposes, while users want to use the service anonymously, since disclosing their personal information may enable the service provider to recover their identity.
The participants in this system are an attribute authority, users, a service provider and trustees. It is assumed that the attribute authority is a TTP that can vouch for the validity of the users' encrypted attributes. The attribute authority, the users and the trustees play the roles of the SGM, the Senders and the Receivers of our group signcryption scheme, respectively. The survey then runs as follows:
• Setup: the attribute authority sets up the parameters of the group signcryption scheme through the Setup algorithm of Section VII.
• Registration: to join the system, a user runs the Join_S protocol with the attribute authority, joining the group that corresponds to its attribute value. The trustees run the Join_R algorithm.
• Offer: during the service, the user sends its signcrypted attribute (i.e., its encrypted group ID) to the service provider for decryption by a designated trustee, using the Signcrypt algorithm. The user selects one trustee and informs the service provider which trustee has been designated.
• Generate: the service provider hands the collected signcryptions to the trustees. The trustees decrypt the ciphertexts to reveal the group IDs and verify the signatures, using the Unsigncrypt algorithm. The revealed groups yield the statistics of the attributes. Due to the confidentiality, anonymity and unlinkability of the group signcryption scheme, the service provider obtains no information beyond the statistics, and the correctness of the statistics is guaranteed by the unforgeability of the scheme.

X. COMPARISON
In this section, we compare the efficiency of our scheme with the proposal of Kwak et al. [23]. As shown in Tables 1 and 2, the scheme of Kwak et al. is the only other provably secure scheme that achieves both sender and ciphertext anonymity. Table 4 lists the number of exponentiations and pairings. Our scheme is more efficient, since Kwak's scheme performs about 3× more exponentiations than ours. This is because Kwak's scheme is 1) based on the sign-then-encrypt approach and 2) runs its operations over an RSA group, which is significantly larger than the EC group. The RSA construction of Kwak's scheme is therefore less efficient and less practical on constrained devices in the IoT environment. These devices have limited memory and computational power, so multiplicative RSA groups are practically ineffective on them, whereas additive groups over elliptic curves are currently dominant. In fact, many of these constrained devices support at most 3072-bit RSA, which offers security comparable to 256-bit EC (about 128 bits), while others do not support RSA at all. In contrast to Kwak's scheme, our scheme requires two bilinear pairing operations in the Unsigncrypt protocol. However, given the higher computational power of the Receiver, the impact on efficiency is minimal; see Section XI for more details.

XI. EXPERIMENTAL RESULTS
This section provides the whole protocol implementation and a discussion of the implementation aspects. Current IoT networks consist of many resource-constrained devices with limited computational and storage capabilities. To cover the vast majority of possible use cases, we decided to employ such devices in our testing scenario. The main purpose is to demonstrate the efficiency and practical potential of our scheme. In particular, we consider the ARM platform (Raspberry Pi) and smart card platforms (Java Card and MultOS). Their specifications are described in Sections XI-A and XI-B, while the testing scenario and evaluation are presented in Section XI-C.

A. SMART CARD SELECTION
Smart cards (SCs) are closed platforms. This means that it is not usually possible to upgrade cryptographic libraries on the card. SC cryptographic support differs according to: 1) the SC platform (e.g., Java Card, MultOS and Basic Card), 2) the version of the operating system, and 3) the SC implementation itself.
For our tests, the newest cards on the market (one representative per card platform) were selected and their HW/SW properties and cryptographic support were compared. The technical specification of the tested SCs is shown in Table 5. Current SCs usually have only 8-bit or 16-bit (or, in rare cases, 32-bit) processors and small Random Access Memory (RAM) and Electrically Erasable Programmable Read-Only Memory (EEPROM). These limited resources make the development of novel cryptographic protocols very difficult. On the other hand, SCs are equipped with a cryptographic co-processor that accelerates specific operations and algorithms. Note that our proposal requires 1) a symmetric encryption algorithm to encrypt data, and 2) algebraic operations over a finite field and a secure hash algorithm to generate the signature. Even these modest requirements are not easily met by current SCs. The cryptographic support relevant to our signcryption scheme is shown in Table 6. It is important to note that no smart card platform currently supports bilinear pairing operations, which is why the pairing-based Unsigncrypt side is placed on the more powerful Receiver; MultOS and Basic Card are the only platforms that expose modular and elliptic curve operations.
EC support and speed are crucial for our implementation, and therefore we compared the speed of the individual SC platforms. Figure 5 depicts the cost of the EC scalar multiplication ecMul (which is the most computationally demanding operation of the Signcrypt protocol) for Brainpool curves of different elliptic curve sizes. The MultOS (ML4) card is 75% faster than the Basic Card (ZC7.6) and 35% faster than the fastest Java Card (J3D081). The Sm@rtCafe implementation shows slightly worse results than the JCOP SC implementation.
Furthermore, we also provide benchmarks of the employed cryptographic algorithms. The SHA-1 algorithm is used for creating the non-interactive proof of knowledge (signing part) and as a part of the key derivation function KDF for key establishment (encryption part). We use the Triple Data Encryption Standard (3DES) algorithm to provide data confidentiality. The reason for this choice is the missing support for the more secure Advanced Encryption Standard (AES) algorithm on MultOS cards. Figure 6 shows the speed of the SHA-1 and 3DES algorithms across platforms. The Java Card reports slightly better results than the MultOS cards. However, we can assume that our data will not exceed 200 B, and therefore the difference between SCs is minimal (except for the ML3 card, which reports much worse results in encryption), i.e., around 20 ms for SHA-1 and 40 ms for 3DES.

B. ARM PLATFORM AND SOFTWARE SELECTION
ARM processors are widely used in smartphone, tablet, smartwatch and other IoT mobile devices. Raspberry Pi is an ARM-based single-board computer that runs Linux and has various communication interfaces, e.g., General Purpose Input/Output (GPIO) pins, Ethernet, HDMI, USB ports and Bluetooth and WiFi adapters. These features allow a Raspberry Pi to be a part of many services in the IoT ecosystems. The technical specification of tested Raspberry Pi devices is shown in Table 7.
In public repositories, e.g., GitHub, there are several libraries with pairing-based cryptography support. The choice of the cryptographic library is crucial during application development on resource-constrained devices. Since we are interested in the best performance, and therefore the fastest pairing calculation, we focused on libraries implemented in the C/C++ programming languages. The selected libraries (Pairing Based Cryptography (PBC) [29], Multiprecision Integer and Rational Arithmetic Cryptographic Library (MIRACL) [31], University of Tsukuba Elliptic Curve and Pairing Library (TEPLA) [21], Efficient LIbrary for Cryptography (RELIC) [1] and MCL [40]) were installed on an embedded device, i.e., an ARM-based microcomputer (Raspberry Pi 3 Model B). The benchmarks were run using the 256-bit Barreto-Naehrig (BN) pairing-friendly curve and averaged over 10 runs. The results are presented in Figure 7. We chose the MCL library, since it supports the ARM architecture (32-bit as well as 64-bit versions) and has the best computational speed results among the compared libraries.
Furthermore, Table 8 compares the most time-consuming operations of our protocol as performed on the tested ARM devices.

C. TESTING SCENARIO AND SYSTEM PARAMETERS
In our testing scenario, receivers are represented by Raspberry Pi devices, and senders by SCs or Raspberry Pi devices. Normally, senders are represented by very resource-restricted devices (i.e., with processing and memory restrictions). For instance, a sender can be a user who owns a smartphone, a smart meter, an on-board unit built into a car (each of these devices can be represented by Raspberry Pis, which use the same ARM processors) or an access card (which is a SC). Accordingly, we chose a smart card platform that follows these constrained assumptions. Furthermore, the SC is a tamper-resistant device which allows secure storage and processing of sensitive data such as cryptographic keys. For SC application development, we use only the standard MultOS Application Programming Interface (API) and a free public development environment (Eclipse IDE for C/C++ Developers, SmartDeck 3.0.1, MUtil 2.8). The application is written in MultOS assembly code and the C language.
Conversely, receivers can be servers, PCs, or embedded devices that are less constrained and, therefore, can be represented by a more powerful device. The hardware and software specifications of the tested SCs and Raspberry Pis are given in Tables 5 and 7, respectively. The Raspberry Pis run the Raspbian 9.0.3 operating system and a C/C++ application. The application communicates with the sender's smart card through the Personal Computer/Smart Card (PC/SC) interface and executes the Unsigncrypt (and Signcrypt) protocols. We use the OpenSSL 1.1.1c library to perform cryptographic operations (i.e., hash and cipher), and the MCL [40] library to perform operations over elliptic curves (i.e., EC point addition, EC scalar point multiplication and bilinear pairing). The application for Raspberry Pi was developed in the NetBeans IDE 8.2 development environment. The code was remotely built and executed on the target devices, i.e., Raspberry Pi B+/ZeroW/3B+/4B.
The signcryption scheme implementation follows the restrictions of current smart cards (see Table 6) and the most recent security requirements defined by the National Institute of Standards and Technology (NIST), see [5] and [6] for more details. The security level of our implementation is 112 bits. This restriction is due to the use of the 3DES cipher, since the more secure AES-128 algorithm is not supported by our MultOS smart card. However, replacing 3DES with AES-128 directly increases the scheme's security to 128 bits, since our signcryption scheme already uses 256-bit elliptic curves with embedding degree 12 (i.e., a Barreto-Naehrig curve) and the SHA-1 hash algorithm. Table 9 shows the system parameter set in detail.
Our implementation considers only the single-receiver (i.e., many-to-one) scenario with messages of 64 bits (8 bytes), where the MultOS card acts as a Sender and the Raspberry Pi acts as both a Sender and a Receiver. A sketch of our implementation with the involved smart card is depicted in Figure 8. The MultOS ML4 smart card supports only the T=0 transport protocol. Since we need to transfer 299 bytes in total and the T=0 protocol allows us to transfer a data payload of at most 255 bytes, we need to    to process the Signcrypt algorithm compared to the Raspberry Pis. However, in our implementation the SC is fast enough (under 1 s including communication overhead) to be used in a real scenario.

XII. CONCLUSION
In this article, we presented a new privacy-enhancing group signcryption scheme that provides: unforgeability, confidentiality, ciphertext and sender anonymity, traceability, unlinkability, exculpability, coalition-resistance, and unforgeable tracing verification. The scheme is also compatible with current revocation techniques such as [13]. This is achieved by deploying our group signature scheme combined with an elliptic curve integrated encryption scheme. Our scheme is then extended to work in a multi-receiver scenario. In this case, a group of senders can send a signcrypted message to a group of receivers instead of only one receiver.
Moreover, the security analysis of the scheme is also provided. Our proposal is proven to be strongly existentially unforgeable under an adaptive chosen message attack, indistinguishable under an adaptive chosen ciphertext attack, and to provide ciphertext anonymity under an adaptive chosen ciphertext attack. The underlying signature also provides the sender's anonymity, traceability, unlinkability, and coalition-resistance privacy features. Moreover, the integration of NIZKPK in the key generation process (i.e., the Join algorithm) allows achieving the exculpability and unforgeable tracing verification properties.
The experimental results show that our scheme is efficient even on computationally restricted devices and can therefore be used in many IoT applications. The Signcrypt protocol on SCs takes less than 1 s (including communication overhead). The running time of the Unsigncrypt protocol on current ARM devices is negligible (less than 40 ms).

APPENDIX A THEOREM 2 PROOF - CORRECTNESS
Once the message is correctly decrypted, we need to show that $t'$ is equal to $t$. This can be proven as follows:

Therefore, $e = H(g', \delta'_i, \hat{\delta}_i, t, m) = H(g', \delta'_i, \hat{\delta}_i, t', m)$. In order to accept the signature, the receiver also needs that $e(\hat{\delta}_i g', g_2) \stackrel{?}{=} e(\delta'_i, pk_s)$ holds. For a valid signature, we have that
$$\begin{aligned}
e(\hat{\delta}_i g', g_2) &= e(\delta'_i, pk_s) \\
e(\delta_i^{-sk_i r} g^r, g_2) &= e(\delta_i^r, g_2^{sk_m}) \\
e(g^{-\frac{sk_i r}{sk_m + sk_i}} g^r, g_2) &= e(\delta_i^r, g_2^{sk_m}) \\
e(g^{\frac{sk_m r + sk_i r - sk_i r}{sk_m + sk_i}}, g_2) &= e(\delta_i^r, g_2^{sk_m}) \\
e(\delta_i^{sk_m r}, g_2) &= e(\delta_i^r, g_2^{sk_m}) \\
e(\delta_i, g_2)^{sk_m r} &= e(\delta_i, g_2)^{sk_m r}.
\end{aligned}$$
Therefore, the correctness of the message and the signature is proven.
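The pairing identity of this appendix carried out on the exponents with the scheme's own symbols, as an added example (not the paper's implementation): the groups and the pairing are modelled by discrete logs, and the prime order q and the sample keys are constructed values, all assumptions of this example.

```python
# Added example (not code from the paper): the pairing-based verification
# step of Appendix A exercised on exponents. ASSUMPTION: no pairing library
# is available, so g^a in G1 is represented by the integer a mod q, g2^b in
# G2 by b mod q, and e(g^a, g2^b) = e(g, g2)^(ab) by a*b mod q in GT. Only
# the exponent identities of the proof are checked; this gives no security.

Q = 2**127 - 1  # constructed prime group order (a Mersenne prime); assumption


def inv_mod(a: int) -> int:
    """Multiplicative inverse in Z_q (needs Python >= 3.8)."""
    return pow(a % Q, -1, Q)


def pairing(log_g1: int, log_g2: int) -> int:
    """e(g^a, g2^b) -> a*b mod q, i.e. the log of the GT element."""
    return (log_g1 * log_g2) % Q


def join(sk_m: int, sk_i: int) -> int:
    """Manager issues delta_i = g^(1/(sk_m + sk_i)) to member i (log form)."""
    return inv_mod(sk_m + sk_i)


def signcrypt_components(delta_i: int, sk_i: int, r: int):
    """Signer's randomised components used by the pairing check (log form):
    g' = g^r, delta'_i = delta_i^r, hat_delta_i = delta_i^(-sk_i * r)."""
    g_prime = r % Q
    delta_prime = (delta_i * r) % Q
    delta_hat = (-delta_i * sk_i * r) % Q
    return g_prime, delta_prime, delta_hat


def verify(g_prime: int, delta_prime: int, delta_hat: int, pk_s: int) -> bool:
    """Receiver's check e(hat_delta_i * g', g2) == e(delta'_i, pk_s).
    A product in G1 is a sum of logs; the generator g2 itself has log 1."""
    lhs = pairing((delta_hat + g_prime) % Q, 1)
    rhs = pairing(delta_prime, pk_s)
    return lhs == rhs


def derivation_chain(sk_m: int, sk_i: int, r: int):
    """Left-hand exponents of the Appendix A chain, top to bottom, followed
    by the right-hand side e(delta_i^r, g2^sk_m). All entries must coincide."""
    delta_i = join(sk_m, sk_i)
    step1 = (-delta_i * sk_i * r + r) % Q                      # delta_i^(-sk_i r) g^r
    step2 = ((sk_m * r + sk_i * r - sk_i * r) * delta_i) % Q   # merged exponent
    step3 = (delta_i * sk_m * r) % Q                           # delta_i^(sk_m r)
    rhs = pairing(delta_i * r % Q, sk_m)                       # e(delta_i^r, g2^sk_m)
    return [step1, step2, step3, rhs]


def run(sk_m: int, sk_i: int, r: int, sk_used: int) -> bool:
    """Join with sk_i, sign using sk_used, verify under pk_s = g2^sk_m.
    True exactly when the signer used the key its delta_i was issued for."""
    delta_i = join(sk_m, sk_i)
    pk_s = sk_m % Q
    return verify(*signcrypt_components(delta_i, sk_used, r), pk_s)


if __name__ == "__main__":
    # constructed toy keys and randomness
    print(run(123456789, 987654321, 55555, 987654321))   # True: honest signer
    print(run(123456789, 987654321, 55555, 987654322))   # False: key mismatch
    print(len(set(derivation_chain(123456789, 987654321, 55555))))  # 1
```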

APPENDIX B THEOREM 3 PROOF - STRONG EXISTENTIAL UNFORGEABILITY
We prove that if A can $(t, q_s, \epsilon)$-break the signcryption scheme, then there exists an algorithm B that, by interacting with A, solves the p-SDH problem in time $t'$ with advantage $\epsilon'$. Let $(g, d_1, d_2, \ldots, d_p, g_2, h)$ be a random instance of the p-SDH problem in $(G_1, G_2)$, where $d_i = g^{x^i} \in G_1$ for $i = 1, \ldots, p$ and $h = g_2^{x} \in G_2$ for some unknown $x \in \mathbb{Z}_q$. Let $g = d_0$ and $x = sk_m$ for convenience. The goal of B is to compute the pair $(c, g^{1/(x+c)}) \in \mathbb{Z}_q \times G_1$ for some value $c \in \mathbb{Z}_q \setminus \{x\}$ of its choice.
B interacts with A as follows:

A. QUERY
A outputs a list of $q_s \leq p$ messages $m_1, \ldots, m_{q_s} \in \mathbb{Z}_q$. We can suppose that $q_s = p$ for simplicity. If fewer queries are made, we can always reduce the value of $p$ to $p = q_s$.
Therefore, A obtains p signature proofs of knowledge on its input messages.
Let $f$ be the univariate polynomial defined as $f(X) = X + sk_i$. B chooses $\theta \in \mathbb{Z}_q$ and computes

Therefore, A receives the key $sk_i$, the parameters $par = (q, G_1, G_2, G_T, e, g_1, g_2, H, SYM)$ and the public key $pk_s = h$.
If $f(x) = 0$, then $x = -sk_i$ and B can easily recover the secret key $x$ and solve the p-SDH problem. If $f(x) \neq 0$, then $g_1$ and $g_2$ are independently and uniformly distributed random generators of the respective groups due to the action of $\phi$. In this case, B has to apply both the Signcrypt and Unsigncrypt algorithms and generate a valid signature $\sigma_j$ on each message $m_j$, for $j = 1, \ldots, p$. To do so, following the Signcrypt algorithm, B chooses $r, \rho_r, \rho_{sk_i}$ at random, encrypts $m_j$ and creates the signature $\sigma_j = (g', \hat{\delta}_i, \delta'_i, e, s_r, s_{sk_i})$, where all the computations are made using $g_1$ instead of $g$. In fact, if $g_1$ is used, then $\delta_i = g_1^{1/f(x)} = g^{\theta}$ and B can easily compute every other component of the signature. This is repeated for each message $m_j$, where $j = 1, \ldots, p$.
Observe that $\sigma_j$ is a valid signature on $m_j$ under $par$, since

The fact that $e = H(g', \delta'_i, \hat{\delta}_i, t', m_j)$ follows straightforwardly from the correctness of our scheme, see Theorem 2. These are exactly the verification steps performed by B when it applies the Unsigncrypt algorithm and, therefore, links each message $m_j$ to its signature $\sigma_j$. Since each message admits only a unique signature proof of knowledge, the output distribution is trivially correct.

C. OUTPUT
A returns, for a user's identity $sk^*$, a forgery $(c^*, \sigma^*)$ such that $\sigma^*$ is a valid signature and $c^* \notin \{c_1, \ldots, c_p\}$. The signature $\sigma^*$ is a vector $\sigma^* = (g', \hat{\delta}_i, \delta'_i, e, s_r, s_{sk_i})$ computed using the parameters $par$. We suppose that $sk^* \neq sk_i$, since A can choose $sk^*$ knowing $sk_i$. By construction and uniqueness of the proof, we know that the component $\delta_i$ is equal to $\delta^* := g_1^{1/(x + sk^*)}$, where $f(x) = x + sk_i$. If $x = -sk^*$, then B can easily recover the secret key $x$ and solve the p-SDH problem. Otherwise, note that the polynomial $f$ can be rewritten as $f(x) = x + sk^* + \gamma^*$, where $\gamma^* = sk_i - sk^* \in \mathbb{Z}_q$. Therefore, the ratio $f(x)/(x + sk^*)$ can be written as $f(x)/(x + sk^*) = 1 + \frac{\gamma^*}{x + sk^*}$ and the expression of $\delta^*$ becomes

Taking roots of order $\theta$ and $\gamma^*$ mod $q$, B can compute and obtain the pair $(sk^*, \omega)$ as the solution to the submitted instance of the p-SDH problem. The claimed bound is obvious from the construction of the reduction.
VOLUME 9, 2021

APPENDIX C LEMMA 4 PROOF - INDISTINGUISHABILITY
We wish to use A to attack the security of the DDH problem, the underlying SYM scheme and the proposed group signature (GS) scheme. During the proof, the bitlength of the messages is bounded by $\mu$.
Game 1: Following the definition of the IND-CCA2 game (Section IV-B2), the game below is used to break the encryption scheme. C and A proceed as follows:
Setup: C runs the algorithms Setup and KeyGen to generate the public system security parameters $par$, the senders' public key $pk_s$, the manager's private key $sk_m$, the private key $sk_s$ ($:= sk_i$) of sender $i$ and the receiver's key pair $(sk_r, pk_r)$. A is given $(par, pk_s, sk_s, pk_r)$.
Queries-1: A requests unsigncryption of at most $q_s$ ciphertexts $c_1, \ldots, c_{q_s}$ under $pk_s$ and $pk_r$. C responds to each query with 1 and a message $(m_i, 0/1) \leftarrow \mathrm{Unsigncrypt}(par, pk_s, sk_r, c_i, \pi_i)$ if the obtained plaintext is valid, and with 0 otherwise.
Challenge: A outputs two equal-length messages $m_0, m_1 \in \{0, 1\}^*$ on which it wishes to be challenged. Then, hidden from A's view, C chooses $b \leftarrow \{0, 1\}$ and computes the challenge signcryption $(c^*, \sigma^*) \leftarrow \mathrm{Signcrypt}(sk_s, pk_r, m_b)$.

Queries-2: A may request at most $q_s$ signcryption and unsigncryption queries as in the Queries-1 phase, but with the restriction that A cannot query for $c^*$.
Guess: A produces its guess $b'$ of $b$. A is successful if $b' = b$, i.e., the guess is correct.

Therefore, $Adv^{IND}_A(t, q_s) = 2\Pr[b' = b] - 1$ represents the probability that A wins the above game in time $t$ with at most $q_s$ signcryption and unsigncryption queries.
Since A is not allowed to query the unsigncryption protocol for the target ciphertext $c^*$, namely a Type $Q_\perp$ query, A cannot have access to $Dec_{SYM}$ for the key $k_{enc}$ corresponding to $c^*$. In case a Type $Q_\perp$ query is made, $Dec_{SYM}$ will output $\gamma \in \{0, 1\}$. Let Type $Q_v$ be any valid query different from Type $Q_\perp$.
Game 2: In this game, we prove that if A can $(t, q_s, \mu, m, \epsilon)$-break the signcryption scheme, then there exists an algorithm B that, by interacting with A, solves the DDH problem in time $t'$ with advantage $\epsilon'$. Let $g, g^a, g^b, g^c$ be a random instance of the DDH problem in $G_2$, where $a, b, c \in \mathbb{Z}_q$. The goal is to determine whether $c \equiv ab \bmod q$.
Therefore, Game 2 is the same as Game 1, but B has as input the following values: $(sk_r = b, pk_r = g^b)$, $r = a$, i.e., $g' = g^a$, and $j = g^c$ (see Figure 3 for more details on the protocol). In this way, $k_{enc}$ and $k'_{enc}$ are equal if and only if $c \equiv ab \bmod q$. In other words, A believes that $c$ is equal to $ab \bmod q$ if A is successful in the game, i.e., $b' = b$.
We have three different situations, depending on the chosen DDH problem instance and the query type.

1) When a valid DDH problem instance is given as input, A runs B as if one wanted to mount an attack against the proposed signcryption protocol. Therefore,

2) If a non-valid DDH problem instance is given as input and A makes a Type $Q_\perp$ query, A runs B as if one wanted to mount an attack against SYM. Therefore,

where the inequality appears since B makes 0 signcryption queries in order to break SYM.
3) If a non-valid DDH problem instance is given as input and A makes a Type $Q_v$ query, the game is the same as breaking GS and, therefore, breaking the p-SDH problem. The proof follows straightforwardly from the sUF-CMA security (Theorem 3) of the signcryption scheme. Indeed, the fact that $k_{enc} \neq k'_{enc}$ does not affect the computation of $\sigma^*$ and the Verify phase of the Unsigncrypt algorithm, since $m_0$ and $m_1$ are known. Therefore, we have

where the inequality appears since B only requires one round of signcryption and unsigncryption queries, i.e., $q'_s \leq q_s$ signcryption and unsigncryption queries, in order to break GS.
Finally, combining Equations 2, 3 and 4, we obtain

and the claimed bound directly follows from the last inequality.

APPENDIX D LEMMA 6 PROOF - CIPHERTEXT ANONYMITY
The proof of this lemma follows the same structure as that of Lemma 4. Since it would be redundant to rewrite the same proof twice, we only sketch it, emphasizing the main difference.
As in Lemma 4, we wish to use A to attack the security of the DDH problem, the underlying SYM scheme and the proposed GS scheme. During the proof, the bitlength of the messages is bounded by $\mu$.
Game 1: In this case, we consider the ANON-CCA game (Section IV-B3), where $Adv^{ANON}_A(t, q_s)$ is the probability that the adversary A wins the ANON-CCA game for our proposed signcryption scheme. As above, A can make two different kinds of queries: a Type $Q_\perp$ query, in which A queries for $(c^*, \sigma^*)$, and a Type $Q_v$ query, which is any valid query.
Game 2: As above, if A can $(t, q_s, \mu, m, \epsilon)$-break the signcryption scheme, then there exists an algorithm B that, by interacting with A, solves the DDH problem in time $t'$ with advantage $\epsilon'$. Let $g, g^a, g^b, g^c$ be a random instance of the DDH problem in $G_2$, where $a, b, c \in \mathbb{Z}_q$. The goal is to determine whether $c \equiv ab \bmod q$. As in Lemma 4, we have three different situations, where only the first one is slightly different from the previous proof:
1) When a valid DDH problem instance is given as input, A runs B as if one wanted to mount an attack against the proposed signcryption protocol; therefore,

$Adv^{DDH}_B(t', q) = \big( \; + Adv^{ANON}_A(t, q_s) \big) / 4$ (6)

Observe that the denominator is 4, since this equality is derived from Equation 5.
2) If a non-valid DDH problem instance is given as input and A makes a Type $Q_\perp$ query, we have Equation 3.
3) If a non-valid DDH problem instance is given as input and A makes a Type $Q_v$ query, the game is the same as breaking GS and, therefore, we have Equation 4.
Finally, combining Equations 3, 4 and 6, we obtain the claimed bound.

APPENDIX E SECURITY ISSUES OF THE MOHANTY SCHEME [32]
Mohanty et al. [32] propose a signcryption scheme for secure electronic cash. The authors claim that their scheme is secure in the sense that neither the group manager nor any other member of the group can produce a valid signcrypted text. In this section, we show that the scheme presents security flaws; in particular, we prove that it does not provide the confidentiality, unforgeability, exculpability, and traceability properties.
Four entities are involved in the protocol: a Group Manager (GM), a Key Generation Center (KGC), users, and a verifier. Let us briefly summarize the protocol (see [32] for more details):
• Setup: The KGC chooses two large primes $p$ and $q$, a generator $g$ of $\mathbb{Z}_p$ and computes $n = pq$. Then the KGC sends $n$ and $g$ to the GM.
• Key Generation_KGC: The KGC chooses its private key $M_{sk}$, its identity $ID_{KGC}$ and computes its public key $M_{pk} = g^{M_{sk}}$. Then the KGC sends $(M_{pk}, ID_{KGC})$ to the GM.
• Key Generation_GM: The GM chooses $V$ and $ID_G$ and computes the group public and private key $(G_{pbk}, G_{prk})$. Then the GM publishes $(n, g, M_{pk}, ID_{GM}, e, G_{pbk})$ and keeps $(d, V, G_{prk})$ private, where $ed \equiv 1 \bmod \phi(n)$.
• Key Generation_User: A user chooses its private parameter $W$ and computes its public identity $ID_U = ID_{GM}^{W}$. The GM receives $ID_U$, which is used to generate three values $\delta_1, \delta_2, \delta_3$ with $\delta_3 = (ID_{GM})^{\delta_1 \cdot d}$. These values are sent back to the user.
• Signcryption: The user signcrypts a message $M$ on behalf of the group. First the user chooses a private parameter $\beta \leftarrow\$ \mathbb{Z}^*_n$, then computes $\mu$, the key $K$ and the ciphertext $\sigma$ as follows:
$\mu = \beta + (\delta_3)^{e \cdot \delta_1^{-1}} \bmod n$
$K = H(\mu \cdot \beta) \bmod n$
$\sigma = (K \cdot M) + G_{pbk} \bmod n$
$ = G_{pbk}^{\delta_3} \cdot (ID_{GM})^{W} \bmod n$
$ _1 = g^{\delta_3} \bmod n$
$ _2 = \; + M \cdot {}_1 \bmod n$
Then the user sends the signcrypted text $(\mu, \sigma, \;, \;_1, \;_2)$ to the verifier. Note that $ID_{GM}$, $\mu$ and $G_{pbk}$ are public values and, therefore, the decryption process can be run by anyone.

E. UNFORGEABILITY
Unforgeability guarantees that only valid group members are able to signcrypt a message on behalf of the group. This requirement does not hold, since anyone can generate a valid signcryption: where $\;, \;, \; \leftarrow\$ \mathbb{Z}^*_n$. Note that $ID_{GM}$ and $G_{pbk}$ are publicly available values, and the random values can be chosen by any entity that plays the role of the signer. Therefore, $(\mu', \sigma', \;, \;_1, \;_2)$ is a valid signature, which is untraceable by the GM. Since unforgeability is broken, coalition-resistance is broken as well.

F. EXCULPABILITY
The exculpability property provides that no one, not even the group manager, can signcrypt on behalf of other group members. This requirement does not hold, since the manager knows all the secret values needed to generate signcrypted messages on behalf of the user. Namely, the manager knows the values $ID_{GM}$, $\delta_3$, $ID_U$. Therefore, it is easy to generate a signature equivalent to Equation 7:
$\mu = \beta + ID_{GM} \bmod n$
$K = H(\mu \cdot \beta) \bmod n$
$\sigma = (K \cdot M) + G_{pbk} \bmod n$
$ = G_{pbk}^{\delta_3} \cdot ID_U \bmod n$
$ _1 = g^{\delta_3} \bmod n$
$ _2 = \; + M \cdot {}_1 \bmod n$

G. TRACEABILITY
Traceability guarantees that the group manager can find the true signer of any validly verified message. This requirement does not hold, since any signer can compute the value of Equation 7 as $ = G_{pbk}^{\delta_3} \cdot ID_{GM} \bmod n$, where $\leftarrow\$ \mathbb{Z}^*_n$. This signature will be verified correctly; however, it will be untraceable by the GM (Equation 9):