Leakage-Resilient Anonymous Multi-Recipient Signcryption Under a Continual Leakage Model

A multi-recipient signcryption (MRSC) scheme possesses the functionalities of both multi-recipient public-key encryption and digital signature to ensure both integrity and confidentiality of transmitted messages. Moreover, an anonymous MRSC (AMRSC) scheme retains the functionalities of an MRSC scheme while offering privacy preservation, namely, a recipient's identity or public key is hidden from other recipients. In the past, numerous MRSC and AMRSC schemes based on various public-key cryptographies (i.e., public key infrastructure (PKI)-based, identity (ID)-based and certificateless (CL)) were proposed. Recently, attackers have been able to mount side-channel attacks to acquire partial bits of private keys involved in cryptographic computations. However, to date, no MRSC or AMRSC scheme can resist side-channel attacks, so these schemes might suffer from such attacks and could be broken. To resist such attacks under a continual leakage model, we propose the first PKI-based leakage-resilient AMRSC (PKI-LR-AMRSC) scheme in this paper. In the proposed scheme, an attacker is permitted to continually acquire partial bits of private keys involved in computations of the PKI-LR-AMRSC scheme, and formal security proofs are given to show that the proposed scheme still retains the original security of AMRSC schemes. As compared with the relevant AMRSC schemes, our PKI-LR-AMRSC scheme not only resists side-channel attacks but also reduces the cost of executing the multi-signcryption and unsigncryption algorithms.
In particular, the computational complexities of our scheme are only $O(t)$ and $O(1)$ for executing the Multi-signcryption algorithm and the Unsigncryption algorithm, respectively, where $t$ is the number of recipients.


I. INTRODUCTION
As compared with unicast communication, multicast communication provides an efficient way to send massive contents to multiple recipients. Indeed, several multicast applications (e.g., digital content distribution, multimedia conference and pay-per-view TV) typically need a secure mechanism (e.g., multi-recipient encryption, termed an MRE scheme) to ensure that unauthorized recipients cannot decrypt these multicast contents [1], [2], [3], [4], [5], [6]. Moreover, based on his own signcryption scheme [7], Zheng [8] proposed a multi-recipient signcryption (MRSC) scheme that possesses the functionalities of multi-recipient encryption and digital signature to ensure both integrity and confidentiality of transmitted contents. Furthermore, to conceal a recipient's identity from other recipients, anonymous MRE (AMRE) schemes [9], [10] and an anonymous MRSC (AMRSC) scheme [11] were proposed to combine the privacy-preserving property into the original MRE or MRSC schemes.

The associate editor coordinating the review of this manuscript and approving it for publication was SK Hafizul Islam.

Indeed, in all traditional cryptographic schemes based on various public-key cryptographies, there is an important prerequisite that a user's private key cannot be disclosed to an attacker, even in part. However, recently, attackers have been able to mount side-channel attacks [12], [13], [14] to acquire partial bits of private keys involved in each cryptographic computation. If an attacker can acquire partial bits of a private key involved in each computation, the entire private key will eventually be guessed, so that these traditional cryptographic schemes will be broken. Therefore, the design of cryptographic schemes withstanding side-channel attacks is an essential security topic. Fortunately, leakage-resilient cryptography is a novel alternative answer, and numerous leakage-resilient cryptographic schemes have been proposed, which will be reviewed later.
In the past, there have been numerous MRSC and AMRSC schemes based on various public-key cryptographies, namely, public key infrastructure (PKI)-based, identity (ID)-based [15] or certificateless (CL) [16]. However, to date, no MRSC or AMRSC scheme can resist side-channel attacks. In this paper, we will propose the first PKI-based leakage-resilient AMRSC (PKI-LR-AMRSC) scheme under a continual leakage model.
As mentioned earlier, Zheng [8] proposed the first PKI-MRSC scheme based on the discrete logarithm problem, which possesses the functionalities of multi-recipient encryption and digital signature to ensure both integrity and confidentiality of transmitted messages. Based on Zheng's scheme, Yavuz et al. [17] presented a new PKI-MRSC scheme suited for satellite multicast with highly dynamic property. Afterwards, numerous improved PKI-MRSC schemes [18], [19], [20], [21] were proposed to offer various properties, namely, multi-message multi-recipient signcryption, ciphertext verifiability or public verifiability. Based on bilinear pairing groups, several PKI-MRSC schemes [22], [23] were proposed. For achieving better performance, several efficient PKI-MRSC schemes [24], [25], [26], [27] based on elliptic curve or hyperelliptic curve cryptography have been proposed. Moreover, Wang et al. [11] proposed a PKI-AMRSC scheme to combine the privacy-preserving property into the original PKI-MRSC scheme.
Based on the ID-based public-key setting, Duan and Cao [28] proposed the first ID-MRSC scheme. To enhance the security of Duan and Cao's scheme, Tan [29] presented an improvement. Afterwards, several ID-MRSC schemes [30], [31], [32] were proposed to discuss the security of previous schemes and present related modifications. Indeed, in these ID-MRSC schemes mentioned above, their security proofs are based on the random oracle model. On the other hand, Zhang and Xu [33] proposed a secure ID-MRSC scheme without random oracles. Also, Selvi et al. [34] proposed an efficient ID-MRSC scheme using a pre-shared system key. However, Selvi et al.'s scheme has a drawback that the system becomes insecure if the pre-shared system key is compromised. For achieving better performance, Khullar et al. [35] presented an efficient ID-MRSC scheme based on elliptic curve cryptography. Moreover, Lal and Kushwah [36] proposed the first ID-AMRSC scheme to provide privacy-preserving property. Afterwards, numerous improved ID-AMRSC schemes [37], [38], [39] were proposed to enhance security or offer ciphertext verifiability property.
Based on the certificateless (CL) public-key setting, Selvi et al. [40] proposed the first CL-MRSC scheme. However, Miao et al. [41] presented a forgery attack on Selvi et al.'s scheme. Moreover, Wang et al. [42] proposed a new CL-MRSC scheme that offers multi-message multi-recipient signcryption to multicast various contents to multiple recipients. For achieving better performance, Win et al. [43] proposed an efficient CL-MRSC scheme based on elliptic curve cryptography. Furthermore, Pang et al. [44] presented an efficient CL-AMRSC scheme to offer verifiability for the partial private key and the privacy-preserving property. Afterwards, numerous improved CL-AMRSC schemes [45], [46], [47] were proposed to offer the public channel transmission of the partial private key, provide multi-message multi-recipient signcryption, or suit edge computing environments.

B. LEAKAGE-RESILIENT ENCRYPTION SCHEMES
As mentioned earlier, leakage-resilient cryptography is an alternative answer to withstand side-channel attacks. Let's first introduce two leakage models of leakage-resilient cryptography, namely, bounded and continual (or unbounded). Indeed, in both models, the leaked bit length of a private key involved in each cryptographic computation is bounded and related to a security parameter. The bounded leakage model has an impractical restriction in the sense that the total bits of a private key disclosed to attackers are bounded to a fixed amount during the system lifecycle [48], [49]. In the continual leakage model, an attacker is permitted to continually acquire partial bits of private keys involved in each computation, so that this model has the leakage-unbounded property and is more acceptable [50], [51], [52], [53], [54], [55], [56], [57]. Numerous leakage-resilient encryption schemes under the continual leakage model based on PKI-based, ID-based or certificateless (CL) cryptographies are reviewed as follows.
Under the continual leakage model, Kiltz and Pietrzak [58] proposed the first PKI-based leakage-resilient encryption scheme. For reducing ciphertext size and computation cost, Galindo et al. [59] presented an improvement on Kiltz and Pietrzak's scheme. Moreover, Brakerski et al. [60] presented the first leakage-resilient ID-based encryption scheme. In Brakerski et al.'s scheme, an attacker is permitted to acquire partial bits of a user's private key only, but not the system secret key of the private key generator (PKG). Therefore, Yuen et al. [61] presented a modification on Brakerski et al.'s scheme to improve performance and security. In addition, Li et al. [62] presented a new leakage-resilient ID-based encryption scheme in the standard model to eliminate the usage of hash functions. Later, Li et al. [63] considered the broadcast property to propose an ID-based broadcast encryption with continuous leakage resilience. To overcome the shortcomings in the ID-based public key systems, a certificate-based encryption with leakage resilience was proposed by Guo et al. [64]. Furthermore, Xiong et al. [65] proposed the first leakage-resilient certificateless encryption scheme which is only secure in the bounded leakage model. Hence, under the continual leakage model, Wu et al. [66] presented a new leakage-resilient certificateless encryption scheme. Based on Wu et al.'s scheme, Tseng et al. [67] further proposed a new leakage-resilient revocable certificateless encryption to outsource the revocation functionality to an authority who can eliminate the revocation computation load of the key generation center (KGC) in the certificateless cryptography. In addition, several attribute-based encryption schemes were proposed, such as, key-policy attribute-based encryption against continual auxiliary input leakage [68] and hierarchical attribute-based encryption with continuous leakage-resilience [69].

C. CONTRIBUTIONS
As mentioned earlier, to date, there exists no leakage-resilient MRSC or AMRSC scheme based on PKI-based, ID-based or certificateless cryptographies. In this paper, the first PKI-based leakage-resilient AMRSC (PKI-LR-AMRSC) scheme under a continual leakage model is proposed. Based on the security notions of PKI-AMRSC schemes, we present new security notions of PKI-LR-AMRSC schemes by adding two leak queries (i.e., Multi-signcryption leak query and Unsigncryption leak query) used to simulate an attacker's leakage ability. In the new security model, an attacker is permitted to continually acquire partial bits of users' private keys involved in each computation. Therefore, we use the key update method in [50], [51], [53], and [56] to split each user's private key into two parts, which have to be updated before executing the Multi-signcryption or Unsigncryption algorithm in the proposed PKI-LR-AMRSC scheme. Due to the multiplicative blinding technique of the key update method, the leaked bits of the two parts involved in two computations are mutually independent, so that our scheme has the leakage-unbounded property. Also, under the generic bilinear group (GBG) model [70], the proposed scheme is proved to possess three security properties, namely, existential unforgeability, indistinguishability of encryptions and anonymous indistinguishability of encryptions. As compared with the previously proposed MRSC or AMRSC schemes, our scheme has three merits as presented below.
(1) It is the first PKI-based leakage-resilient AMRSC scheme.
(2) It has the leakage-unbounded property.
(3) A recipient requires only constant computations for decrypting ciphertext.
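
The two-part key with multiplicative blinding described above, sketched as an added example (not code from the paper). It assumes a toy Schnorr group in place of the bilinear group, uses exponentiation by a public value as a stand-in for the scheme's own computations on the key, and all function names are illustrative.

```python
"""Two-share private key with multiplicative-blinding refresh (toy parameters)."""
import secrets

# Constructed toy Schnorr group: P = 2*Q + 1, G generates the order-Q subgroup.
# Far too small for real use; chosen so the arithmetic is easy to follow.
P, Q, G = 2039, 1019, 4


def random_nontrivial_element():
    """Random subgroup element other than the identity."""
    return pow(G, 1 + secrets.randbelow(Q - 1), P)


def split_key(key):
    """Split key into (k1, k2) with k1 * k2 = key (mod P)."""
    k1 = random_nontrivial_element()
    k2 = key * pow(k1, -1, P) % P
    return k1, k2


def refresh(shares):
    """Blind both shares with a fresh factor a: (k1 * a, k2 * a^-1).

    The product is unchanged, but each new share is unrelated to the old one,
    so bits leaked from different rounds do not add up.
    """
    k1, k2 = shares
    a = random_nontrivial_element()
    return k1 * a % P, k2 * pow(a, -1, P) % P


def use_shares(shares, exponent):
    """Compute key^exponent share by share, never rebuilding the key.

    Assumption: this stands in for a bilinear map evaluated on each share,
    which is multiplicative in the key in the same way.
    """
    k1, k2 = shares
    return pow(k1, exponent, P) * pow(k2, exponent, P) % P


def run_rounds(key, rounds, exponent=7):
    """Refresh before every use, as the scheme requires; return the trace."""
    shares = split_key(key)
    trace = []
    for _ in range(rounds):
        shares = refresh(shares)
        trace.append((shares, use_shares(shares, exponent)))
    return trace


if __name__ == "__main__":
    key = pow(G, 123, P)  # constructed sample private key
    for (k1, k2), out in run_rounds(key, 4):
        print(f"shares=({k1:4d},{k2:4d})  product={k1 * k2 % P}  result={out}")
```

Every round prints different shares but the same product and the same result, which is the property the leakage-unbounded argument relies on.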

D. ORGANIZATION
The rest of this paper is organized as follows. In Section 2, preliminaries are introduced. In Section 3, the new framework and security notions of PKI-LR-AMRSC schemes are presented. Our PKI-LR-AMRSC scheme is proposed in Section 4. In Section 5, security theorems and their formal proofs of our scheme are shown. Comparisons are demonstrated in Section 6. Conclusions and future work are drawn in Section 7.

A. BILINEAR GROUPS
Let $\{p, G_0, G_1, \hat{e}, g_0, g_1\}$ be a parameter set of bilinear groups. $G_0 = \langle g_0 \rangle$ and $G_1 = \langle g_1 \rangle$ are two multiplicative groups of prime order $p$, where $g_0$ and $g_1$ are generators of $G_0$ and $G_1$, respectively. Moreover, $\hat{e}: G_0 \times G_0 \to G_1$ represents a bilinear map that has three properties as presented below.
Note that the reader may refer to [15] for details about the parameter set of bilinear groups.

B. GENERIC BILINEAR GROUP MODEL
In 2005, Boneh et al. [70] introduced a security proof method for cryptographic schemes, called the generic bilinear group (GBG) model. In this method, a challenger first sets a parameter set $\{p, G_0, G_1, \hat{e}, g_0, g_1\}$ of bilinear groups. At the end of this method, if an attacker discovers a collision of $G_0$/$G_1$, the discrete logarithm problem on $G_0$/$G_1$ would be resolved.
In the GBG model, two random injective mappings $\xi_0 : Z_p^* \to G_0$ and $\xi_1 : Z_p^* \to G_1$ are used, respectively, to encode each element of both $G_0$ and $G_1$ to a distinct bit string, where the sets $G_0$ and $G_1$ collect, respectively, the encoded bit strings of $G_0$ and $G_1$ with $|G_0| = |G_1| = p$ and $G_0 \cap G_1 = \phi$. Additionally, in the GBG model, to execute three group operations, namely, multiplication of $G_0$, multiplication of $G_1$ and bilinear map, the attacker must, respectively, issue three queries $O_0$, $O_1$ and $O_{\hat{e}}$ that have the following behaviors for $a, b \in Z_p^*$.

C. SECURITY ASSUMPTIONS
The security of the proposed PKI-LR-AMRSC scheme is based on two assumptions as presented below.
-Discrete logarithm assumption: Let $\{p, G_0, G_1, \hat{e}, g_0, g_1\}$ denote a parameter set of bilinear groups. Given $g_0^a \in G_0$ or $g_1^a \in G_1$ for unknown $a \in Z_p^*$, no algorithm with non-negligible probability can discover $a$ in polynomial time.
-Hash function assumption: Assume that $H : \{0, 1\}^* \to \{0, 1\}^l$ is a secure hash function, where $l$ is a positive integer. H must satisfy three properties below.

D. CONCEPT OF ENTROPY
To measure the security impact of leaked bits of private keys involved in cryptographic computations, we introduce the entropy to evaluate the uncertainty in guessing these private keys. Here, a private key is viewed as a finite random variable. Let $D$ and $\Pr[D = d]$ respectively denote a private key (finite random variable) and the probability of $D = d$. Two kinds of min-entropies are introduced as follows.
1. Min-entropy of D:
2. Average conditional min-entropy of D under a condition C:
The following two consequences (Lemmas 1 and 2) about the security impact of leaked bits of private keys were proved in the literature [50], [71].
Lemma 1: Let $f : D \to \{0, 1\}^{\tau}$ denote a leakage function for a finite random variable D, where $\tau$ is the maximal leaked bit length. Under the condition of this leakage function,
Lemma 2: Assume that $D_1, D_2, \ldots, D_n$ are finite random variables. Let a polynomial $PD \in Z_p[D_1, D_2, \ldots, D_n]$ have degree e. Let $P_j$ denote the probability distribution of
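
The two min-entropy notions and the effect of a $\tau$-bit leakage function, computed on constructed toy key distributions (an added example, not taken from the paper). It assumes the standard definitions $H_\infty(D) = -\log_2 \max_d \Pr[D = d]$ and $\tilde{H}_\infty(D \mid C) = -\log_2 E_{c}[\max_d \Pr[D = d \mid C = c]]$, and checks the standard bound $\tilde{H}_\infty(D \mid f(D)) \ge H_\infty(D) - \tau$; the function names are illustrative.

```python
"""Min-entropy of a key before and after leakage (constructed toy distributions)."""
import math
from collections import defaultdict


def min_entropy(dist):
    """H_inf(D) = -log2 max_d Pr[D = d]; dist maps value -> probability."""
    return -math.log2(max(dist.values()))


def avg_cond_min_entropy(dist, leak):
    """Average conditional min-entropy of D given the leakage leak(D).

    E_c[max_d Pr[D=d | C=c]] equals sum_c max_d Pr[D=d, C=c], so it is
    enough to keep the heaviest key inside each leakage class.
    """
    heaviest = defaultdict(float)
    for d, pr in dist.items():
        c = leak(d)
        heaviest[c] = max(heaviest[c], pr)
    return -math.log2(sum(heaviest.values()))


def uniform_key(bits):
    """Uniformly random key of the given bit length."""
    n = 1 << bits
    return {d: 1.0 / n for d in range(n)}


def skewed_key(bits):
    """Key 0 has probability 1/2; the rest share the other half evenly."""
    n = 1 << bits
    dist = {d: 0.5 / (n - 1) for d in range(1, n)}
    dist[0] = 0.5
    return dist


def low_bits(tau):
    """Leakage function f: D -> {0,1}^tau returning the tau low bits."""
    return lambda d: d & ((1 << tau) - 1)


def window(d, start, width):
    """Bits [start, start + width) of d."""
    return (d >> start) & ((1 << width) - 1)


def accumulated(d):
    """Three bounded leaks of one never-updated 8-bit key, taken together."""
    return (window(d, 0, 3), window(d, 3, 3), window(d, 6, 2))


if __name__ == "__main__":
    u, s = uniform_key(8), skewed_key(8)
    print("uniform, no leak      :", min_entropy(u))
    print("uniform, tau = 3      :", avg_cond_min_entropy(u, low_bits(3)))
    print("skewed,  no leak      :", min_entropy(s))
    print("skewed,  tau = 3      :", avg_cond_min_entropy(s, low_bits(3)))
    print("uniform, 3 leaks kept :", avg_cond_min_entropy(u, accumulated))
```

The last line shows why a bound per computation is not enough on its own: three small leaks of a key that is never updated leave no entropy at all.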

III. FRAMEWORK AND SECURITY NOTIONS

A. FRAMEWORK
Traditional public-key cryptography is based on the construction of the public key infrastructure (PKI). A PKI architecture consists of two trusted third parties, namely, certificate authority (CA) and registration authority (RA). A user $ID_u$ first generates a private/public key pair $(PRK_u, PUK_u)$ and sends the public key $PUK_u$ to the RA to request the certificate of $PUK_u$. The RA forwards $PUK_u$ to the CA after verifying the user's credential. The CA generates and sends the certificate of $PUK_u$ to the user. Indeed, the functionalities of both the RA and the CA can be combined into one role, i.e., CA.
Definition 2: The PKI-LR-AMRSC scheme is LR-EUF-ACMA-secure if no probabilistic polynomial-time (PPT) attacker A with a non-negligible advantage can win the following LR-EUF-ACMA security game with a challenger C.
-Setup. The challenger C takes as input a security parameter to perform the System setup algorithm to generate and publish a parameter set $\{p, G_0, G_1, \hat{e}, g_0, g_1\}$ of bilinear groups and two symmetric cipher functions $E_{ck}()$ and $D_{ck}()$, where ck is a cipher key.
-Query. The attacker A adaptively issues four queries to C as defined below.

IV. THE PROPOSED PKI-LR-AMRSC SCHEME
The proposed PKI-LR-AMRSC scheme consists of four algorithms as presented below.
NRS with current private key $(PRK_{r,j-1,1}, PRK_{r,j-1,2})$ takes as input $ID_s$ and $CT = (U_1, U_2, \ldots, U_t), C, R, \rho, \sigma$, and performs the following steps to obtain the message M and verify CT signed by the sender $ID_s$ using the public key $PUK_s$.

V. SECURITY ANALYSIS
According to the LR-EUF-ACMA, LR-IND-CCA and LR-ANON-CCA security games defined in Section 3.2, three theorems establish that the proposed PKI-LR-AMRSC scheme is LR-EUF-ACMA-secure, LR-IND-CCA-secure and LR-ANON-CCA-secure against attackers under the GBG model (i.e., discrete logarithm assumption) and the hash function assumption, respectively.
Theorem 1: Under the GBG model and hash function assumption, the proposed PKI-LR-AMRSC scheme is LR-UF-ACMA-secure.
Proof: In the LR-UF-ACMA security game played by an attacker A and a challenger C, there are three phases as given below.
-Setup. C performs the System setup algorithm to set Also, C constructs four lists $L_0$, $L_1$, $L_U$ and $L_M$ as follows.
• $L_0$ and $L_1$ are created to record elements of $G_0$ and $G_1$, respectively.
• $L_M$ is created to record the details of the Multi-signcryption algorithm with the form $(R, S, T, H_1(T), H_2(T), w, ck, C, \rho, \sigma)$ for each nominated recipient $ID_r \in NRS$.
-Query: A adaptively issues various queries to C at most λ times as defined below.
(2) Transform R to get R in $L_0$ and compute $S = R \cdot PUK_r$.
• Unsigncryption leak query: For this Unsigncryption query with input CT and a nominated recipient $ID_r$ with the current private key $(PRK_{r,j,1}, PRK_{r,j,2})$, A may request this leak query only once. Assume that A issues this query along with $f_{USC,j}$ and $h_{USC,j}$. C returns leaked partial bits $f_{USC,j} = f_{USC,j}(PRK_{r,j,1})$ and $h_{USC,j} = h_{USC,j}(PRK_{r,j,2})$.
-Forgery. A outputs a tuple $(ID_s, PUK_s, M^*, NRS, CT^* = (U_1, U_2, \ldots, U_t), C, R, \rho, \sigma)$ to C. It is said that A wins the security game if a recipient $ID_r \in NRS$ can obtain the message $M^*$ while verifying CT signed by $ID_s$ by using the public key $PUK_s$. Note that the Multi-signcryption query on $(ID_s, M^*, NRS)$ has never been issued.
In the following, let us first evaluate the advantage $Adv_{A-w}$ that A wins the LR-UF-ACMA security game without requesting any leak query. Based on the evaluation of $Adv_{A-w}$, we can evaluate the advantage $Adv_A$ that A wins the LR-UF-ACMA security game with requesting the Multi-signcryption leak query and Unsigncryption leak query.
To evaluate $Adv_{A-w}$, the numbers and the maximal degrees of elements in $L_0$ and $L_1$ are first counted as follows.
• There are 3 and 1 elements that are initially recorded in $L_0$ and $L_1$, respectively.
• Let $\lambda_o$ denote the total times of issuing $O_0$, $O_1$ and $O_{\hat{e}}$ queries. Then, at most $\lambda_o$ elements are recorded in $L_0$ or $L_1$.
• Let $\lambda_{ms}$ denote the times of issuing the Multi-signcryption query. Then, at most $3\lambda_{ms}$ elements are recorded in $L_0$ or $L_1$.
(2) In $L_0$, the maximal degree is 3 due to the following arguments.
• In the Setup phase, $g_0$, $X$ and $Y$ have degree 1.
• In the $O_0$ query, $G_{0,q,n,k}$ has the maximal degree of $G_{0,q,n,i}$ and $G_{0,q,n,j}$.
• In the Setup phase, $g_1$ has degree 1.
• In the $O_1$ query, $G_{1,q,n,k}$ has the maximal degree of $G_{1,q,n,i}$ and $G_{1,q,n,j}$.
• In the $O_{\hat{e}}$ query, $G_{1,q,n,k}$ has degree 6 since both $G_{0,q,n,i}$ and $G_{0,q,n,j}$ have degree 3 in $L_0$ and $G_{1,q,n,k} = G_{0,q,n,i} \cdot G_{0,q,n,j}$.
Evaluation of $Adv_{A-w}$: If one of the following two circumstances occurs, A wins the LR-UF-ACMA security game.
Circumstance 1: A discovers a collision in $L_0$ or $L_1$, with its probability denoted by $\Pr[C-1]$. Let's first measure the collision probability in $L_0$. Assume that the amount of all variates in $L_0$ is $a$. Then choose random values $r_i \in Z_p^*$ for $i = 1, 2, \ldots, a$. Assume that $G_{0,j}$ and $G_{0,k}$ are two distinct polynomials in $L_0$ and compute $G_{0,l}(r_1, r_2, \ldots, r_i) = G_{0,j} - G_{0,k}$. If $G_{0,l}(r_1, r_2, \ldots, r_i) = 0$, the collision in $L_0$ occurs. By Lemma 2, the probability is at most $3/p$ since $L_0$ has the maximal polynomial degree 3 and no partial bits ($\tau = 0$) are leaked to attackers. Additionally, there are $\binom{|L_0|}{2}$ different pairs of $(G_{0,j}, G_{0,k})$ so that the collision probability in $L_0$ is $(3/p)\binom{|L_0|}{2}$. By similar arguments, the collision probability in $L_1$ is $(6/p)\binom{|L_1|}{2}$. Since |L 0 | + |L 1 | 3λ, we have
R, ρ, σ ), with its probability denoted by $\Pr[C-2]$. C transforms $PUK_s$, $R$, $\rho$ and $\sigma$ to obtain their polynomials $PUK_s$, $R$, $\rho$ and $\sigma$. A valid tuple must satisfy the equality $g_0 \cdot \sigma = PUK_s + R \cdot (X + Y \cdot \rho)$, namely, $f = g_0 \cdot \sigma - (PUK_s + R \cdot (X + Y \cdot \rho)) = 0$. Since $f$ has degree at most 3, the probability is at most $3/p$ by Lemma 2, namely, $\Pr[C-2] = 3/p$. By the arguments above,
Theorem 3: Under the GBG model and hash function assumption, the proposed PKI-LR-AMRSC scheme is LR-ANON-CCA-secure.

By Lemma 2, Adv
Proof: In the LR-ANON-CCA security game played by an attacker A and a challenger C, there are four phases as given below.
-Setup. The phase is the same as the Setup phase in the proof of Theorem 1.
The advantage that A wins the game is defined as Adv A = |Pr[b = b ]−1/2|. Let $Adv_{A-w}$ denote the advantage that A wins the LR-ANON-CCA security game without requesting any leak query. Also, let $Adv_A$ denote the advantage that A wins the LR-ANON-CCA security game with requesting the Multi-signcryption leak query and Unsigncryption leak query. By similar arguments to those in the proof of Theorem 2, we can obtain $Adv_{A-W} = O(\lambda^2/p)$ and Adv A Adv A−W · 2 2τ O((λ 2 /p) · 2 2τ ).

VI. COMPARISONS
Table 1 lists the comparisons among the proposed PKI-LR-AMRSC scheme with PKI-MRSC, PKI-AMRSC, ID-AMRSC and CL-AMRSC schemes [11], [27], [39], [44] in terms of the public-key setting, the cost of the multi-signcryption algorithm, the cost of the unsigncryption algorithm, recipient anonymity, the ability of withstanding side-channel attacks, and the leakage-unbounded property. For recipients of the schemes in [11], [27], [39], and [44], a sender computes a key $k_r$ by using each recipient $ID_r$'s public key (for $r = 1, 2, \ldots, t$), and produces a Lagrange polynomial of degree
where $t$ is the number of recipients and $ck$ is a cipher key selected by the sender. Afterwards, each recipient $ID_r$ may use her/his private key to compute the corresponding key $k_r$ and the encryption key $ck = f(k_r)$. Hence, the required costs of the multi-encryption and unsigncryption algorithms, respectively, are quadratic and linear with $t$. In our scheme, the required cost of the multi-encryption algorithm is linear with $t$, whereas the required cost of the unsigncryption algorithm is constant. That is, the computational complexities of our scheme, respectively, require only $O(t)$ and $O(1)$ in executing the Multi-signcryption algorithm and the Unsigncryption algorithm. The point is that the proposed scheme is the first LR-AMRSC scheme withstanding side-channel attacks and possesses the leakage-unbounded property even though some bilinear pairing operations are required. Additionally, Table 2 lists the comparisons between our LR-AMRSC scheme with PKI-MRSC, PKI-AMRSC, ID-AMRSC and CL-AMRSC schemes [11], [27], [39], [44] in terms of public key size and ciphertext size. Indeed, all schemes have $O(t)$ complexity.
Next, let's discuss the computational cost saving for the Multi-signcryption algorithm. We first refer to the literature [72] to define $T_m$, $T_e$ and $T_h$ as the cost of performing an exponentiation operation, a multiplication operation and a hash operation, respectively. Following the simulation results [73], we have $T_m = 2.758$ ms, $T_e = 0.4746$ ms and $T_h = 0.0126$ ms. Hence, our scheme requires $5T_m + 5T_e + 2T_h + t(T_e + 3T_h) = 16.1882 + t \cdot 0.5124$ ms for $t$ recipients on the Multi-signcryption algorithm. According to similar analysis of computational cost saving [74], we compute the computational cost saving of performing the Multi-signcryption algorithm as $[(t \cdot 16.1882 + t \cdot 0.5124) - (16.1882 + t \cdot 0.5124)]/(t \cdot 16.1882 + t \cdot 0.5124)$ for $t = 1, 2, 4, 6, 8$ and $10$ in Table 3.

VII. CONCLUSION AND FUTURE WORK
Indeed, to date, there exists no multi-recipient signcryption (MRSC) or anonymous MRSC (AMRSC) scheme with the leakage-resilient property. In the paper, we have proposed the first PKI-based leakage-resilient AMRSC (PKI-LR-AMRSC) scheme under the continual leakage model. A new security model of PKI-LR-AMRSC schemes was defined, which consists of three security games, namely, LR-EUF-ACMA, LR-IND-CCA and LR-ANON-CCA. In these security games, both the Multi-signcryption leak query and the Unsigncryption leak query are used to simulate an attacker's leakage ability. In the proposed scheme, an attacker is permitted to continually acquire partial bits of users' private keys involved in cryptographic computations (i.e., Multi-signcryption and Unsigncryption algorithms) by the Multi-signcryption leak query and the Unsigncryption leak query. According to the LR-EUF-ACMA, LR-IND-CCA and LR-ANON-CCA security games, three theorems have been demonstrated to show that the proposed PKI-LR-AMRSC scheme is LR-EUF-ACMA-secure, LR-IND-CCA-secure and LR-ANON-CCA-secure against attackers, respectively. In the future, we expect that the research of leakage-resilient MRSC and AMRSC schemes based on ID-based or certificateless cryptography would become a significant topic.

YUH-MIN TSENG (Member, IEEE) is currently the Vice President and a Professor at the Department of Mathematics, National Changhua University of Education, Taiwan. He has published over 100 scientific journal articles on various research areas of cryptography, security, and computer networks. His research interests include cryptography, network security, computer networks, and leakage-resilient cryptography. He is a member of IEEE Computer Society, IEEE Communications Society, and the Chinese Cryptology and Information Security Association (CCISA). He serves as the editor for several international journals.
SEN-SHAN HUANG received the Ph.D. degree from the University of Illinois at Urbana-Champaign, in 1997, under the supervision of Prof. Bruce C. Berndt. He is currently a Professor at the Department of Mathematics, National Changhua University of Education, Taiwan. His research interests include number theory, cryptography, and leakage-resilient cryptography.
JIA-YI XIE received the B.S. and M.S. degrees in mathematics from the National Changhua University of Education, Taiwan, in 2020 and 2022, respectively. Her research interests include applied cryptography, information security, network security, and leakage-resilient cryptography.