Secure Encapsulation Schemes Using Key Recovery System in IoMT Environments

Abstract

Recently, as Internet of Things systems have been introduced to facilitate diagnosis and treatment in healthcare and medical environments, there are many issues concerning threats to these systems’ security. For instance, if a key used for encryption is lost or corrupted, then ciphertexts produced with this key cannot be decrypted any more. Hence, this paper presents two schemes for key recovery systems that can recover the lost or the corrupted keys of an Internet of Medical Things. In our proposal, when the key used for the ciphertext is needed, this key is obtained from a Key Recovery Field present in the cyphertext. Thus, the recovered key will allow decrypting the ciphertext. However, there are threats to this proposal, including the case of the Key Recovery Field being forged or altered by a malicious user and the possibility of collusion among participating entities (Medical Institution, Key Recovery Auditor, and Key Recovery Center) which can interpret the Key Recovery Field and abuse their authority to gain access to the data. To prevent these threats, two schemes are proposed. The first one enhances the security of a multi-agent key recovery system by providing the Key Recovery Field with efficient integrity and non-repudiation functions, and the second one provides a proxy re-encryption function resistant to collusion attacks against the key recovery system.

1. Introduction

In the era of the Fourth Industrial Revolution, as various countries and companies around the world have heavily invested in Information Technology (IT), the emergence of Internet of Things (IoT) environments has increasingly enabled a convenient and broad diversity of services to be distributed to consumers via various types of smart devices. There are various systems such as the Internet of Medical Things (IoMT), Intelligent Transportation Systems (ITS), smart home appliances, and connected cars that have been implemented on those smart devices and deploy a vast number of services to consumers [1,2]. Therefore, many current types of research have applied those IoT technologies to various environments.

Although the development of IoT has increased device convenience, it has also been accompanied by increasing threats to national, corporate, and personal information security [3]. According to the security threats, such as personal information leakage cases, encryption has rapidly become important to secure personal information [4]. Therefore, the importance of security issues in IoT environments has also increased. Furthermore, there is discussion regarding security issues related to key management, in which problems may arise where ciphertexts cannot be decrypted if the keys are lost or corrupted.

In general, key recovery is a system that provides the ability to reveal the key to an authorized user under specific conditions specified in advance [5]. This paper presents schemes to recover lost or corrupted keys using an encapsulation-based key recovery system. When a user needs a key that was used to create a ciphertext, a newly defined field known as Key Recovery Field (KRF) can be used to recover the key. If key is lost or corrupted, the recovered key can be used to decrypt the ciphertext. Because security is necessary for key management and recovery in various environments using IoT, there is much research on key recovery systems for use with IoT. Guo et al. [6] proposed a secure group key distribution scheme for untrusted wireless networks. Guo et al. used the Self-healing Group Key Distribution (SGKD) protocol to ensure group communication security and improve communication efficiency. Instead of requiring the group manager to resend the missing key to update the message, Guo et al. proposed a scheme for group members to recover the lost session key from the current broadcast message.

Lee et al. [7] proposed an efficient and secure key distribution and key recovery mechanism suitable for the characteristics of the IoT environment. The proposed system added the key recovery function required to prevent the reverse function of the encryption and key recovery, providing security to both due to the communication device could not unilaterally recover the key. In addition, it is efficient because there is little information sent during key recovery, which is suitable for IoT environments.

Sung [8] proposed a scheme to support secure sensor data for cloud computing to activate services at the IoT application level. Sung proposed key management that enables continuous key authentication for the privacy of sensing information in such a cloud computing environment and enables secure recovery if the key is lost or corrupted.

Losing a key in an IoMT environment will prevent access to information such as previous medical treatment data and information on medications being taken, and impede accurate medical examination and treatment. Therefore, key management is important in IoMT environments [9]. There are four agents in a key recovery system in IoMT. The key Generation Center (KGC) can generate some parameters of a network participant’s public key pair. The Medical Institutions (Med) have all the medical treatment data, The key Recovery Center (KRC) can recover the complete key. The key Recovery Agent or Key Recovery Auditor (KRA) can share the KRC’s key recovery operations or monitor other agencies. If the patient loses the key used for the ciphertext, the key can be recovered with the help of remains the KRF, Med, KRC, and KRA.

However, the problem remains that the KRF may be forged or altered by a malicious user. To solve this problem, we propose our first scheme, which efficiently provides integrity and non-repudiation functions for the KRF and enhances the security of a multi-agents key recovery system.

The main contributions of our proposed scheme-I as follows:

• It provided a key recovery system based on secure encapsulation against various types of attacks and provides the ability to securely recover a lost or corrupted key.
• It uses signcryption to ensure KRF integrity and non-repudiation. In addition, it provides both digital signing and encryption at the same time to increase computational efficiency.
• It uses values that only authorized KRAs hold to prevent unauthorized KRAs and group-based authentication attacks. If some KRAs do not perform the key recovery properly, key recovery may be performed by other authenticated KRAs to prevent a single point of failure.

Furthermore, the Med, KRA, and KRC may collude and behave maliciously. To solve this problem, we propose scheme 2, which provides a proxy re-encryption function and enhances the security of a key recovery system against various types of attacks such as collusion attacks and the key escrow problem.

The main contributions of our proposed scheme-II as follows:

• It prevents the Med, KRC, and KRA from behaving maliciously to recover keys without authorization and prevents unauthorized entities from obtaining keys.
• It uses a partial private key generation scheme to prevent the KGC from generating private keys for all participants.

The remaining parts of the paper are organized as follows. Section 2 describes related work, and Section 3 describes system model for the proposed schemes. Section 4 describes scenarios and detailed protocols for the proposed scheme-I, and Section 5 describes scenarios and detailed protocols for the proposed scheme-II. Section 6 analyzes whether the proposed schemes satisfy the security requirements. Finally, Section 7 discusses our conclusions.

2. Related Work

This section reviews and discusses existing works related to key recovery systems and encryption schemes.

2.1. Encapsulation Key Recovery Systems

A key recovery system is an important part of an encryption system. If a private key or session key used for a ciphertext is lost or corrupted, or a Law Enforcement Agency (LEA) wishes to intercept suspicious ciphertexts lawfully, it must be possible to recover the key. There have been several proposals related to such key recovery systems. Kanyamee et al. [10] proposed a highly available distributed session key recovery system. It provides high availability and attack detection for secure session key management and group authentication while using Multi-Key Recovery Agents (M-KRA) to solve the single point of failure problem encountered in the traditional KRA approach. However, many problems remain, such as the risks of forgery, counterfeiting, and collusion attacks for user-generated KRFs, which can cause problems for the key recovery service.

Lim et al. [11] proposed an encapsulation-based M-KRA key recovery system. They attempted to solve the problem that the M-KRA must communicate directly with one or more KRAs in existing M-KRA scheme, and the user must directly perform a complex key recovery process. Their scheme provides secure session key management and recovery using a new type of M-KRA to solve this problem. However, problems may arise in the key recovery service the forgery or modification of KRFs and non-repudiation problems related to user-generated KRFs.

Kyusuk et al. [12] proposed an identity-based key escrow scheme to prevent malicious key use by LEAs. If an LEA maliciously obtains the key, it can read the encrypted data to the desired user. In other words, an LEA can intercept and obtain the users’ keys to read all encrypted data. To solve this problem, the scheme prevents LEAs from obtaining a key by themselves after generating a user’s key pair with the KGC generated master key and the user’s ID. However, since it is a single KRA, it is vulnerable to problems such as a single point of failure weakness and group authentication attacks, causing problems with the key recovery service.

Huadpaknam [13] proposed the Security Key Recovery System with Channel Quality Awareness (SKRS-CQA) for smart grid applications. If a Smart Meter Unit (SMU) loses the keys used for correcting to the smart grid, it needs to be recovered. To solve this problem, key recovery proposed, providing improved reliability, system availability, and data confidentiality. In addition, system reliability was improved by using amplification and forwarding relay protocols and a cooperative communication network with optimal power allocation.

2.2. Multi-Agent Key Recovery

A single agent key recovery system is associated with service overload and security problems. Therefore, we use a multi-agent (at least two agents) key recovery system. The multi-agents receive a ciphertext that contains a key from the user or the KRC. Later, KRAs send pieces of the key to the KRC to allow the KRC to recover the complete key. However, various attacks and security breaches are possible, and efforts have been made to deal with these issues [14]. In our key recovery system using signcryption, we security by increasing availability and enhance security.

2.3. Signcryption

Encryption and digital signatures are two encryption tools that can ensure confidentiality, integrity, and non-repudiation. Until 1997, cryptographic systems used separate components to provide these security functions. In public key schemes, the traditional scheme is to digitally sign the message and then perform encryption (signature-then-encryption). However, there are two problems: the operation efficiency is low and the cost is high. To solve this signcryption was proposed In 1997 Zheng [15] proposed the first signcryption scheme. Signcryption simultaneously performs digital signature and encryption. Signcryption compared to the traditional signature-then-encryption scheme, can effectively improve computational efficiency, by reducing computational cost and communication overhead. In addition, many other signcryption schemes have been proposed throughout the years, each of them having its problems and limitations while offering different levels of security and computational cost [16,17].

2.4. Secret Sharing

Secret sharing schemes are ideal for sensitive information. These pieces of information should kept highly confidential, as their exposure could be disastrous. However, it is also critical that they should not be lost. Traditional encryption schemes are not suitable for achieving a high level of confidentiality and stability at the same time. When storing encryption keys, the user has to choose between keeping a single copy of the key in one location or multiple copies of the key in multiple locations for maximum security. The secret sharing scheme proposed by Shamir and Blakley [18,19] in 1979 is a scheme of dividing the secret value into several pieces so that the secret value can be recovered only when more than a certain number of pieces are collected. Such a scheme is called Shamir’s (k, n) threshold scheme. This scheme divides the secret value into n pieces and entities may recover the secret value only when more than k pieces are collected. In another type of secret sharing scheme, there is one dealer and n players. The dealer gives a share of the secret to the players, but only when specific conditions are fulfilled will the players reconstruct the secret from their shares. The dealer accomplishes this by giving each player a share so that any group of t (for threshold) or more players can together reconstruct the secret but no group of fewer than t players can. In addition, many other secret sharing schemes have been proposed throughout the years with as in the care of signcryption, each of them having its problems and limitations while offering different levels of security and computational costs [20,21].

2.5. Proxy Re-Encryption

A Proxy Re-Encryption (PRE) scheme is a scheme that converts the ciphertext so that a proxy server can decrypt the ciphertext encrypted with user A’s public key using user B’s private key. In 1998, Blaze et al. [22] proposed the first two-way proxy re-encryption scheme. This scheme was designed using the ElGamal encryption scheme [23]. In 2007, Green et al. [24] proposed an ID-based proxy re-encryption scheme using ID-based encryption for the first time to solve the certificate management problem of the existing Public Key Infrastructure (PKI) based proxy re-encryption. ID-based encryption is a scheme of using the user’s identity as a public key [25]. In this scheme, the user’s identity itself is owned, so unlike in PKI-based environments there is no need to issue and manage certificates. In addition, since the KGC generates a private key corresponding to the identities and issues them to the users, it has the advantage of performing verification of the user through KGC in case of a dispute. However, the KGC issues all users’ private keys, which causes a key escrow problem in which KGC knows the private keys. Therefore, to solve this problem, a Certificateless Public Key Cryptography (CL-PKC) system was developed. The CL-PKC scheme was proposed by Al-Riyami et al. [26], and it solves the key escrow problem by issuing partial private keys to the users by combining the user’s identity and a random number. Building on these feature, in 2010, Sur et al. [27] proposed Certificateless Proxy Re-Encryption (CL-PRE) using CL-PKC. CL-PRE is currently a representative form of secure PRE because it can perform the purpose of proxy re-encryption without suffering the PKI certificate management problem or IBE key escrow problem [28,29,30].

3. System Model

This section describes the system models, system objects, and security requirements of the proposed schemes.

3.1. Common Proposed Key Recovery System Model

In this section, we present the two key recovery system models proposed in this study. Before describing each proposed model, we present the common elements of the proposed models.

3.1.1. Common Design Goals of Proposed Schemes

The two key recovery system models presented in this research were designed in different forms. However, the basic goal of both models is encapsulated key recovery. The first model proposed in this study is a key recovery system using signcryption. This process involves recovering the session key used for communication by using the encapsulated key recovery field. The second model proposed in this study is a key recovery system using proxy re-encryption. The basic goal is the same as the first model described above. However, the design and additional goals of the two models differ from each other, The similarities and differences between the two models can be seen in Figure 1, which will be described in detail below.

3.1.2. Common Objects of Proposed Schemes

The composition of the two system models proposed in this study can be seen in Figure 1. In Figure 1, the difference between M-KRA and KRA methods is shown for the types of participants in the two models. The remaining differences are detailed in each model’s respective section.

• Key Generation Center ($KGC$): Every participant $Part$ must perform the $KCG$ and key generation and communication steps to generate keys. All $Part$ can generate a private key through the private key generation step with $KGC$, and a public key corresponding to the private key can be generated. The $KGC$ publishes the public parameter $params$ for performing encrypted communication with $Part$.
• Devices ($Dev$): $Dev$ are medical devices and monitoring devices. Devices perform communication in the system managed by the $Med$. In this model, $Dev$s must perform communication in the format designated by $Med$, and the basic format follows the form of $(C\Vert KRF)$, in which the ciphertext and $KRF$ are concatenated. Devices participating in the communication need $Med$’s public parameters in order to make the session key used for message encryption into $KRF$. Furthermore, the generated $KRF$ should be designed to only be controlled by $KRC$ and $KRA$.
• Medical Institution ($Med$): $Med$ is a medical institution that manages device authorization control and data on medical devices. When a device requests $KRF$ key recovery, the $Med$ verifies that it is the lawful owner of the $KRF$. In this paper, the step of confirming whether the $KRF$ is a lawful owner is omitted. In addition, the $Med$ sends the $KRF$ to $KRC$ to help recover the key.

3.2. Proposed Scheme-I(Key Recovery System Using Signcryption)

This section describes additional elements of the key recovery system model using signcryption, excluding the common elements of the two models proposed in Section 3.1.

3.2.1. Design Goals of Proposed Scheme-I

The model of the key recovery system using signcryption is a key recovery system that is used when a device key is lost or corrupted as shown in Figure 2. The device requests key recovery from Med and sends KRF. The Med receiving the KRF verifies that it is a lawful device of KRF. If it is a lawful device, it requests KRC to recover the key and sends KRF. After receiving KRF, KRA decrypts the KRF and sends the obtained KRF pieces to the M-KRA. Then, after receiving the pieces of KRF, M-KRA decrypts them and sends the session key pieces to KRC. It collects the session key pieces, generates a complete session key, and sends it to the device.

3.2.2. Objects of Proposed Scheme-I

The system objects of the key recovery system using signcryption is shown in Figure 2. In addition, M-KRA additionally exists, and its roles are as follows:

• Participants: $Part$ represents all participants ($Dev,Med,KRC,M$-$KRA$) who use the encrypted communication provided by $KGC$. $Part$ can perform encrypted communication only by using $params$ provided by $KGC$.
• Key Recovery Center ($KRC$): $KRC$ is an organization in charge of key recovery and plays a central role in key recovery. The key recovery process is performed according to $Med$’s request for key recovery, and $KRF$ is converted into a form that can be recovered using $KRC$’s private key. In this model, to reduce the burden of $KRC$’s key recovery operation, the help of M-$KRA$ is needed.
• Multi-Key Recovery Agents (M-$KRA$): M-$KRA$ is the agent that helps some operations of key recovery by reducing the burden on $KRC$. The $KRA$ included in the M-$KRA$ determines whether the $KRF$ is suitable for recovery to prevent abuse of the $KRF$’s authority. When receiving a key recovery request from $KRC$, M-$KRA$ perform the $KRF$ recovery process using their private key. Furthermore, M-$KRA$ send the obtained session key pieces to $KRC$.

3.2.3. Security Requirements of Proposed Scheme-I

The security requirements of the key recovery system using signcryption are as follows:

• KRF integrity: No participant in key recovery can maliciously transform $KRF$ information from the device and $KRF$ information required for key recovery cannot be changed.
• Data confidentiality: It should be possible for only authorized devices to decrypt encrypted data.
• Non-repudiation: The device should not be able to reject the fact that it generated the $KRF$. In addition, the fact that device-generated $KRF$ should be clear after transmission, exchange, communication, and processing.
• Attack on group authentication detection: If a malicious third-party $KRA$ pretends to be a lawful member of the key recovery group, $KRA$ should be detected through group verification.
• Single point of failure protection: In M-$KRA$, some $KRA$s should be able to recover session keys even if another $KRA$ fails to operate properly.

3.3. Proposed Scheme-II (Key Recovery System Using Proxy Re-Encryption)

This section describes additional elements of the key recovery system model using proxy re-encryption, excluding the common elements of the two models proposed in Section 3.1.

3.3.1. Design Goals of Proposed Scheme-II

The model of the key recovery system using proxy re-encryption is a key recovery system that is used when a device key is lost or corrupted as shown in Figure 3. The device requests key recovery from Med and sends KRF. The Med receiving the KRF verifies that it is a lawful device of KRF. If it is a lawful device, it generates a re-encryption key. Then, it requests key recovery from KRC and sends the obtained KRF and the re-encryption key. After receiving the KRF and re-encryption key, the KRA partially calculates KRF and sends the partially calculated KRF to KRA. After receiving the partial calculated KRF, KRA performs some calculations and sends partial calculated KRF to KRC. After receiving KRF, KRC sends it to the Med. The Med decrypts it, generates a session key, and sends it to the device.

3.3.2. Objects of Proposed Scheme-II

The system objects of the key recovery system using proxy re-encryption is shown in Figure 3.

• Participants ($Part$): $Part$ represents all participants ($Dev,Med,KRC,KRA$) who use the encrypted communication provided by $KGC$. $Part$ can perform encrypted communication only by using $params$ provided by $KGC$.
• Key Recovery Center ($KRC$): $KRC$ is an organization in charge of key recovery and plays a central role in key recovery. The key recovery process is performed according to $Med$’s request for key recovery, and $KRF$ is converted into a form that can be recovered using $KRC$’s public key. However, in this model, key recovery can only be completed with the help of $KRA$ to prevent abuse of privileges by $KRC$.
• Key Recovery Auditor ($KRA$): $KRA$ is a monitoring agency that judges whether a key can be recovered by auditing the validity of key recovery. The $KRA$ determines whether $KRF$ is suitable for recovery to prevent abuse of authority through collusion between the $Med$ and the $KRC$. If the key recovery request is deemed to be lawful, $KRA$ will perform the $KRF$ recovery process with its private key and sends it over to the $KRC$.

3.3.3. Security Requirements of Proposed Scheme-II

The security requirements of the key recovery system using proxy re-encryption are as follows:

• KRF integrity: No participant in key recovery can maliciously transform $KRF$ information from the device and $KRF$ information required for key recovery cannot be changed.
• Data confidentiality: It should be possible for only authorized devices to decrypt encrypted data.
• Med applied for support: The session key used for communication must be encrypted and stored in $KRF$. In the event of an emergency when it is necessary to view the device’s data, the encrypted session key must be able to recover the encrypted message according to the procedure determined by $Med$ as needed.
• Collusion attack resistance: Fewer than three participants among the $Med$, $KRC$, and $KRA$ should not be allowed to obtain keys even if they are maliciously colluding.
• Key escrow problem: $KGC$ can generate private keys for all participants, but the complete private key must not be known.

4. Proposed Scheme-I (Key Recovery System Using Signcryption)

In this section, we propose a key recovery scheme using signcryption. This scheme is a scheme for recovering the lost or corrupted device’s key. This is mainly composed of a setup phase, a key pair generation phase, a session key exchange and encryption phase, a KRF generation phase, and a session key recovery phase as shown in Figure 4.

4.1. System Parameters

The system parameters used in the proposed scheme-I are as follows.

• p: Prime number
• q: Prime factor of p-1
• $\mathbb{G}$: Cyclic group on prime p
• g: Random generator, $g\in \mathbb{G}$
• H: Hash function, ${\{0,1\}}^{*}\times \mathbb{G}\to {\mathbb{Z}}_p^{*}$
• $s{k}_M$: Master private key, $s{k}_M\in {\mathbb{Z}}_p^{*}$
• $p{k}_M$: Master public key, $p{k}_M=g^{s{k}_M}$
• $De{v}_A$: Monitoring devices
• $De{v}_B$: Medical devices
• $Par{t}_i$: Network Participant i, ($De{v}_A,De{v}_B,Med,KRC,KRA\in Par{t}_i$)
• $w_i,t_i,z_i,v_i$: Random numbers, $w_i,t_i,z_i,v_i\in {\mathbb{Z}}_p^{*}$
• $s{k}_i$:$Par{t}_i$’s private key, $s{k}_i=(d_i,z_i,v_i)$
• $p{k}_i$:$Par{t}_i$’s public key, $p{k}_i=(X_i,Z_i,V_i)$
• $a,b$: Secret value of $De{v}_A$ and $De{v}_B$, $a,b\in {\mathbb{Z}}_p^{*}$
• $PS{K}_A,PS{K}_B$: Partial session key of $De{v}_A$ and $De{v}_B$
• $SK$: Session key between $De{v}_A$ and $De{v}_B$
• x: Random number, $x\in {\mathbb{Z}}_p^{*}$ with $x\ne p-1$
• $R_{KR{A}_i}$: Random number of $KR{A}_i$, $R_{KR{A}_i}\in {\mathbb{Z}}_p^{*}$
• $SGN$: Group authentication values assigned to agents (Shared Group Number)
• $c,r,s$: Signcryption values
• $c_i,r_i,s_i$:ith signcryption pieces
• $T{T}_i$: Value containing the value to be recovered when some KRAs fail the key recovery operation
• $T{c}_i,T{r}_i,T{s}_i$:ith $T{T}_i$ pieces
• $\mathcal{M}$: Message space, $\mathcal{M}\in {\{0,1\}}^n$
• M: Plaintext message between $De{v}_A$ and $De{v}_B$ ($M\in \mathcal{M}$)
• C: Ciphertext message (Encrypted M)
• $KRF$: Key recovery field, $E_{p{k}_{KRC}}(KR{F}_1\left|\right|KR{F}_2\left|\right|\cdots \left|\right|KR{F}_n\left|\right|H\left(SGN\right))$
• $KR{F}_i$:ith key recovery field piece, $E_{p{k}_{KR{A}_i}}(c_i\left|\right|r_i\left|\right|s_i\left|\right|SGN\left|\right|T{T}_i)$

4.2. Setup Phase

In this phase, the KGC takes the security parameters as an input the security parameter $1^{\lambda }$ and generates public parameters.

• Step 1: The KGC selects $\lambda$-bit large prime p, where q is a large prime factor of $p-1$ and group $\mathbb{G}$ of prime order p. In addition, a random generator $g\in \mathbb{G}$ is selected.
• Step 2: A master private key $s{k}_M\in {\mathbb{Z}}_p^{*}$ is randomly selected and a master public key $p{k}_M\in g^{s{k}_M}$ is computed.
• Step 3: KGC selects Hash function H.
• Step 4: Then, public parameters $params=(G,n,p,q,g,S,H)$ are published.

4.3. Key Pair Generation Phase

In this phase, $Par{t}_i$ receives a partial private key from KGC and uses it to generate full private key $s{k}_i$ and public key $p{k}_i$.

• Step 1: KGC generates parameters $w_i,t_i\in {\mathbb{Z}}_p^{*}$ for participant $Par{t}_i$ through the following operation and sends them to $Par{t}_i$ through a secure channel.

  $$\begin{array}{c}{X}_i=g^{x_i}\end{array}$$

  (1)

  $$\begin{array}{c}{d}_i=x_i+sH(I{D}_i,w_i)modq\end{array}$$

  (2)
• Step 2: Participant $Par{t}_i$ who receives $X_i,d_i$ from KGC, selects Random numbers $z_i,v_i\in {\mathbb{Z}}_p^{*}$ and sets $Par{t}_i$’s private key $s{k}_i$.
• Step 3: Participant $Par{t}_i$ generates $Z_i,V_i$ and sets public key $p{k}_i$.

  $$\begin{array}{c}{Z}_i=g^{z_i}\end{array}$$

  (3)

  $$\begin{array}{c}{V}_i=g^{v_i}\end{array}$$

  (4)

4.4. Session Key Exchange and Encryption Phase

In this phase, the key recovery system uses signcryption to ensure integrity and non-repudiation and performs encryption of the session key simultaneously as shown in Figure 5.

• Step 1:$De{v}_A$ selects $a\in {\mathbb{Z}}_p^{*}$ and calculate partial session key $PS{K}_A=g^a$. $De{v}_B$ also selects $b\in {\mathbb{Z}}_p^{*}$ and calculates partial session key $PS{K}_B=g^b$. After that, $De{v}_A$ and $De{v}_B$ exchange $PS{K}_A$ and $PS{K}_B$ with each other.
• Step 2:$De{v}_A$ and $De{v}_B$ calculate the session key $SK={\left(PS{K}_B\right)}^a={\left(PS{K}_A\right)}^b$ using the exchanged values $PS{K}_A$ and $PS{K}_B$.
• Step 3:$De{v}_A$ generates random number $x\in {\mathbb{Z}}_p^{*}$ and $k=p{k}_{KRC}^{x}modp$, which is then divided in half into $k_1$ and $k_2$.

  $$k=(k_1\Vert k_2)$$

  (5)
• Step 4:$De{v}_A$ generates $c,r$ and s using $k_1,k_2,s{k}_A,p{k}_A$ and $SK$.

  $$c=E_{k_1}\left(SK\right)$$

  (6)

  $$r=H_{k_2}(g^{x}modp,SK)$$

  (7)

  $$s=x/(r+s{k}_A)modq$$

  (8)
• Step 5:$De{v}_A$ divides $c,r$ and s to $c_i,r_i$ and $s_i$.

  $$c=c_1\oplus c_2\oplus \dots \oplus c_n$$

  (9)

  $$r=r_1\oplus r_2\oplus \dots \oplus r_n$$

  (10)

  $$s=s_1\oplus s_2\oplus \dots \oplus s_n$$

  (11)

  where n is the number of KRA and $c_i=\{c_1,\cdots ,c_n\},r_i=\{r_1,\cdots ,r_n\},s_i=\{s_1,\cdots ,s_n\}$.

4.5. KRF Generation Phase

In this phase, when the key is lost or corrupted, the necessary KRF is generated to recover the key as shown in Figure 6.

• Step 1:$De{v}_A$ requests $SGN$ to M-KRA.
• Step 2: Each of the KRAs requested for $SGN$ from $De{v}_A$ randomly selects $R_{KR{A}_i}\in {\mathbb{Z}}_p^{*}$. After that, each KRA generates an $SGN$ by sharing $R_{KR{A}_i}$ generated through a secure channel with each other.

  $$SGN=R_{KR{A}_1}\oplus R_{KR{A}_2}\oplus ,\dots ,\oplus R_{KR{A}_n}$$

  (12)
• Step 3: M-KRA send $SGN$ to $De{v}_A$.
• Step 4:$De{v}_A$ generates $T{c}_i,T{r}_i,T{s}_i$ using $c_i,r_i,s_i$ and $SGN$. Then, $T{T}_i$ is generated using $T{c}_i,T{r}_i$, and $T{s}_i$.

  $$T{c}_i=c_i\oplus SGN$$

  (13)

  $$T{r}_i=r_i\oplus SGN$$

  (14)

  $$T{s}_i=s_i\oplus SGN$$

  (15)

  $$T{T}_i=(T{c}_i\Vert T{r}_i\Vert T{s}_i)$$

  (16)
• Step 5:$De{v}_A$ generates $KRF$ using $KR{F}_i$.

  $$\begin{array}{c}KR{F}_i=E_{p{k}_{KR{A}_i}}(c_i\Vert r_i\Vert s_i\Vert SGN\Vert T{T}_i)\end{array}$$

  (17)

  $$\begin{array}{c}KRF=E_{p{k}_{KRC}}(KR{F}_1\Vert KR{F}_2\Vert \dots \Vert KR{F}_n\Vert H\left(SGN\right))\end{array}$$

  (18)
• Step 6: Then, the generated $KRF$ is attached to the ciphertext C.

  $$\begin{array}{c}(C\Vert KRF)\end{array}$$

  (19)

4.6. KRA Fault Recovery Phase

In this phase, if some KRAs fail to operate properly, the selected KRA or KRAs will instead perform key recovery as shown in Figure 7.

• Step 1:$De{v}_A$ refers to the total number of KRAs n and the number of KRAs required for key recovery as $mr$.
• Step 2:$De{v}_A$ calculates the number of KRAs t required to distribute $T{T}_i$.

  $$t=n-mr$$

  (20)
• Step 3:$De{v}_A$ selects a KRA or KRAs to replace the failed $KR{A}_i$ as follows:

  $$\begin{array}{c}j=i-mr\end{array}$$

  (21)

  $$\begin{array}{c}KR{A}_i\to \left\{\begin{array}{c}KR{A}_{i+1},KR{A}_{i+2},\dots ,KR{A}_{i+t}(i\leqq mr)\\ KR{A}_{i+1},\dots ,KR{A}_n,KR{A}_1,\dots ,KR{A}_j(i>mrandi\ne n)\\ KR{A}_1,KR{A}_2,\dots ,KR{A}_t(i=n)\end{array}\right\}\end{array}$$

  (22)
• Step 4:$De{v}_A$ distributes $T{T}_i$ to selected KRA or KRAs.
• Step 5: If $KR{A}_i$ fail to operate properly, the selected KRA or KRAs obtain $c_i,r_i$ and $s_i$ of failed KRA using the distributed $T{T}_i$ and $SGN$.

  $$\begin{array}{cc}\hfill T{T}_i\oplus SGN& =(T{c}_i\Vert T{r}_i\Vert T{s}_i)\oplus SGN\hfill \\ \hfill & =(T{c}_i\oplus SGN\Vert T{r}_i\oplus SGN\Vert T{s}_i\oplus SGN)\hfill \\ \hfill & =(c_i,r_i,s_i)\hfill \end{array}$$

  (23)

4.7. Session Key Recovery Phase

This phase describes how to recover a key if the $De{v}_B$ requests key recovery as shown in Figure 8.

• Step 1: When $De{v}_B$ requests $KRF$ decryption from Med to recover $SK$, and sends $KRF$.
• Step 2: Then Med requests $KRF$ decryption from KRC to recover $SK$, and sends $KRF$.
• Step 3: KRC upon receiving a request for $KRF$ decryption, obtains $KR{F}_i$ pieces after $KRF$ decrypt with $s{k}_{KRC}$.

  $$\begin{array}{c}{D}_{s{k}_{KRC}}(E_{p{k}_{KRC}}(KR{F}_1\Vert \dots \Vert KR{F}_n\Vert H\left(SGN\right)\left)\right)\end{array}$$

  (24)
• Step 4: The obtained $KR{F}_i$ pieces are sent to each M-KRA to request decryption.
• Step 5: The requested M-KRA obtain $c_i,r_i,s_i,SGN,T{T}_i$ values with $s{k}_{KR{A}_i}$.

  $$\begin{array}{c}{D}_{s{k}_{KR{A}_i}}(E_{p{k}_{KR{A}_i}}(c_i\Vert r_i\Vert s_i\Vert SGN\Vert T{T}_i\left)\right)\end{array}$$

  (25)
• Step 6: Among the obtained values, $c_i,r_i,s_i,SGN$ values are encrypted with $p{k}_{KRC}$ and sends to the KRC.

  $$\begin{array}{c}{E}_{p{k}_{KRC}}(c_i\Vert r_i\Vert s_i\Vert SGN)\end{array}$$

  (26)
• Step 7: KRC compares $SGN$ obtained by decrypting the received ciphertext with $s{k}_{KRC}$ and $H\left(SGN\right)$. If they match, $c_i,r_i,s_i$ pieces are collected and $c,r,s$ are recovered.
• Step 8: KRC recovers the k value using the received ciphertext, public parameters, and recovered $c,r,s$.

  $$\begin{array}{c}k=H\left({(p{k}_A·g^r)}^{s·s{k}_{KRC}}modp\right)\end{array}$$

  (27)
• Step 9: Then, KRC divides k by $k_1,k_2$.
• Step 10: KRC recovers the $SK$ using the obtained $k_1$ and c.

  $$\begin{array}{c}{D}_{k_1}\left(C\right)=D_{k_1}\left(E_{k_1}\left(SK\right)\right)=SK\end{array}$$

  (28)
• Step 11: KRC compares the calculated $H_{k_2}\left(SK\right)$ and r values using the obtained $k2$.
• Step 12: If it matches, KRC sends the recovered $SK$ to Med.
• Step 13: Then, Med sends $SK$ to $De{v}_B$ and the message is decrypted using the received $SK$.

  $$\begin{array}{c}{D}_{SK}\left(C\right)=D_{SK}\left(E_{k_1}\left(M\right)\right)=M\end{array}$$

  (29)

5. Proposed Scheme-II (Key Recovery System Using Proxy Re-Encryption)

In this section, we propose a proposed scheme-II. This scheme is a scheme recovering the lost and corrupted device’s key. This system was designed based on the scheme of Yang et al. [31]. It consists of a setup phase, a key pair generation phase, a Med enforcement phase, and a session key recovery phase, as shown in Figure 9.

5.1. System Parameters

The system parameters used in the proposed scheme-II are as follows:

• q: Prime number
• $H_1$: Hash functions, ${\{0,1\}}^{*}\times \mathbb{G}\to {\mathbb{Z}}_q^{*}$
• $H_2$: Hash functions, $\mathbb{G}\to {\{0,1\}}^{l_1+l_2}$ for some bit-length $l_1,L_2\in \mathbb{N}$
• $H_3-H_5$: Hash functions, ${\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}$
• $H_6$: Hash functions, $\mathbb{G}\to {\mathbb{Z}}_q^{*}$
• $Par{t}_i$: System participant i, ($De{v}_A,De{v}_B,Med,KRC,KRA\in Par{t}_i$)
• s: Master secret key of KGC, $s\in {\mathbb{Z}}_q^{*}$
• $s{k}_i$:$Par{t}_i$’s private key, $s{k}_i=(d_i,y_i,z_i)$
• $p{k}_i$:$Par{t}_i$’s public key, $p{k}_i=(X_i,Y_i,Z_i)$
• $KRF$: Key recovery field, $KRF=(KR{F}_1,KR{F}_2,KR{F}_3,KR{F}_4)$

5.2. Setup Phase

In this phase, the KGC takes the security parameter $1^{\lambda }$ as an input and generates public parameters.

• Step 1:$KGC$ selects $\lambda$-bit large prime q and group $\mathbb{G}$ of prime order q. In addition, a random generator $g\in \mathbb{G}$ is selected.
• Step 2:$KGC$ randomly selects master secret key $s\in {\mathbb{Z}}_q^{*}$, and compute $S=g^s$.
• Step 3:$KGC$ selects Hash function $H_1,H_2,H_3,H_4,H_5,H_6$.
• Step 4: The message space $\mathcal{M}$ and public parameters $params=(\mathbb{G},l_1,l_2,q,g,S,H_1,$$H_2,$$H_3,$$H_4,H_5,H_6)$ are published.

5.3. Key Pair Generation Phase

In this phase, $Par{t}_i$ receives a partial private key from $KGC$ and uses it to generate full private key $s{k}_i$ and public key $p{k}_i$.

• Step 1:$KGC$ generates parameters $x_i\in {\mathbb{Z}}_q^{*}$ for participant $Par{t}_i$ through the following operation and sends them to $Par{t}_i$ through a secure channel.

  $$X_i=g^{x_i}$$

  (30)

  $$d_i=x_i+s{H}_1(I{D}_i,X_i)\mathrm{mod}q$$

  (31)
• Step 2:$Par{t}_i$ who receives $X_i,d_i$ from KGC, selects Random numbers $y_i,z_i\in {\mathbb{Z}}_q^{*}$ and sets $Par{t}_i$’s private key $s{k}_i$.

  $$s{k}_i=(d_i,y_i,z_i)$$

  (32)
• Step 3:$Par{t}_i$ generates $Y_i,Z_i$ and sets public key $p{k}_i$.

  $$Y_i=g^{y_i}$$

  (33)

  $$Z_i=g^{z_i}$$

  (34)

  $$p{k}_i=(X_i,Y_i,Z_i)$$

  (35)
  After that, $Par{t}_i$ publishes public key $p{k}_i$.

5.4. Session Key Exchange and KRF Generation Phase

In this phase, a session key is exchanged between $De{v}_A$ and $De{v}_B$, and a $KRF$ is generated. Furthermore, in the $KRF$ generation phase, after generating $KRF$, the ciphertext C is communicated with $KRF$ as shown in Figure 10.

• Step 1:$De{v}_A$ selects $a\in {\mathbb{Z}}_q^{*}$ and calcultate partial session key $PS{K}_A$.

  $$PS{K}_A=g^a$$

  (36)
  $De{v}_B$ also selects $b\in {\mathbb{Z}}_q^{*}$ and calculates partial session key $PS{K}_B$.

  $$PS{K}_B=g^b$$

  (37)
  After that, $De{v}_A$ and $De{v}_B$ exchange $PS{K}_A$ and $PS{K}_B$ with each other.
• Step 2:$De{v}_A$ and $De{v}_B$ calculate the session key $SK={\left(PS{K}_B\right)}^a={\left(PS{K}_A\right)}^b$ using the exchanged values $PS{K}_A$ and $PS{K}_B$.
• Step 3:$De{v}_A$ generates the ciphertext message $C=E_{SK}\left(M\right)$ using the generated session key $SK$.
• Step 4: After that, $De{v}_A$ selects a random value $t,c\in {\mathbb{Z}}_q^{*}$ and $\sigma \in {\{0,1\}}^{l_2}$, and generates $KRF$ using $SK,p{k}_{Med},p{k}_{KRC}$ and $p{k}_{KRA}$ as follows:

  $${\pi }_i=X_i·S^{H_1(I{D}_i,X_i)}$$

  (38)

  $$V_i={\pi }_i^{H_6\left(Y_i\right)}·Y_i$$

  (39)

  $$\tau =H_5(SK,\sigma ,I{D}_{Med},p{k}_{Med})$$

  (40)

  $$\alpha =Y_{Med}^c$$

  (41)

  $$\beta =Z_{Med}^c$$

  (42)

  $$KR{F}_1=g^t$$

  (43)

  $$KR{F}_2=Y_{KRC}^{\tau }=g^{\tau ·y_{KRC}}$$

  (44)

  $$KR{F}_3=(SK\Vert \sigma )\oplus H_2\left(g^c\right)$$

  (45)

  $$KR{F}_4={(\alpha ·\beta )}^{H_4\left(V_{KRA}^{\tau }\right)·H_4\left(V_{Med}^{\tau }\right)}$$

  (46)

  $$KRF=(KR{F}_1,KR{F}_2,KR{F}_3,KR{F}_4)$$

  (47)
  After that, $De{v}_A$ and $De{v}_B$ communicate with each other using $(C\Vert KRF)$.

5.5. Med Enforcement Phase

In this phase, $Med$ will start recovering the encrypted session key between $De{v}_A$ and $De{v}_B$ at the request of $De{v}_A$ as shown in Figure 11.

• Step 1:$De{v}_A$ sends $KRF$ to $Med$ to recover the session key $SK$.
• Step 2:$Med$ generates the re-encryption key $R{K}_{Med\to KRC}$.

  $${\gamma }_{KRC}=X_{KRC}·S^{H_1(I{D}_{KRC},X_{KRC})}$$

  (48)

  $$K_{Med-KRC}=H_3({\gamma }_{KRC}^{z_{Med}},Z_{KRC}^{z_{Med}},I{D}_{Med},p{k}_{Med},I{D}_{KRC},p{k}_{KRC})$$

  (49)

  $$R{K}_{Med\to KRC}=(d_{Med}{H}_6\left(Y_{Med}\right)+y_{Med})·K_{Med-KRC}$$

  (50)
• Step 3:$Med$ requests key recovery by sending the $(KR{F}_1,KR{F}_2^{{}^{\prime }},KR{F}_4,KR{F}_6,R{K}_{Med\to KRC})$ to the $KRC$.

5.6. Session Key Recovery Phase

In this phase, $KRC$ receives a key recovery request from $Med$. $KRF$ calculates $KR{F}_2^{\prime }$ using its private key, and then requests key recovery from $KRA$ as shown in Figure 12.

• Step 1: After receiving $(KR{F}_1,KR{F}_2,KR{F}_4,R{K}_{Med\to KRC})$, $KRC$ calculates $KR{F}_2$ as $KR{F}_2^{{}^{\prime }}$ using its $s{k}_{KRC}$ as follows:

  $$\begin{array}{cc}\hfill KR{F}_2^{{}^{\prime }}& =KR{F}_2^{1/y_{KRC}}\hfill \\ \hfill & =Y_{KRC}^{\tau /y_{KRC}}\hfill \\ \hfill & =g^{\tau ·y_{KRC}/y_{KRC}}\hfill \\ \hfill & =g^{\tau }\hfill \end{array}$$

  (51)
  After that, $KRC$ sends the generated $(KR{F}_1,KR{F}_2^{{}^{\prime }},KR{F}_4,R{K}_{Med\to KRC})$ to the $KRA$.
• Step 2: After receiving $(KR{F}_1,KR{F}_2^{{}^{\prime }},KR{F}_4,R{K}_{Med\to KRC})$, $KRA$ re-encrypts $KR{F}_2^{{}^{\prime }}$ as $KR{F}_2^{{}^{\prime \prime }}$ using its $R{K}_{Med\to KRC}$ as follows:

  $$\begin{array}{cc}\hfill KR{F}_4^{{}^{\prime }}& =KR{F}_4^{1⁄H_4\left(KR{F}_2^{{}^{\prime }{d}_{KRA}·H_4\left(Y_{KRA}\right)+y_{KRA}}\right)}\hfill \\ \hfill & ={(\alpha ·\beta )}^{H_4\left(V_{KRA}^{\tau }\right)·H_4\left(V_{Med}^{\tau }\right)⁄H_4\left(c_2^{{}^{\prime }{d}_{KRA}{H}_4\left(Y_{KRA}\right)+y_{KRA}}\right)}\hfill \\ \hfill & ={(\alpha ·\beta )}^{H_4\left(V_{Med}^{\tau }\right)}\hfill \end{array}$$

  (52)

  $$KR{F}_2^{{}^{\prime \prime }}={KR{F}_2^{{}^{\prime }}}^{R{K}_{Med\to KRC}}$$

  (53)
  After that, $KRA$ sends $(KR{F}_2^{{}^{\prime \prime }},KR{F}_4^{{}^{\prime }})$ to the KRC.
• Step 3:$KRC$ re-decrypts $KR{F}_4^{{}^{\prime }}$ to obtain $KR{F}_4^{{}^{\prime \prime }}$ using $s{k}_{KRC}$ as follows:

  $$K_{Med-KRC}=H_3(Z_{Med}^{d_{KRC}},Z_{Med}^{z_{KRC}},I{D}_{Med},p{k}_{Med},I{D}_{KRC},p{k}_{KRC})$$

  (54)

  $$\begin{array}{cc}\hfill KR{F}_4^{{}^{\prime \prime }}& ={KR{F}_4^{{}^{\prime }}}^{1⁄H_4\left({KR{F}_2^{{}^{\prime \prime }}}^{1⁄K_{Med-KRC}}\right)}\hfill \\ \hfill & ={(\alpha ·\beta )}^{H_4\left(V_{Med}^{\tau }\right)⁄H_4\left({KR{F}_2^{{}^{\prime \prime }}}^{1⁄K_{Med-KRC}}\right)}\hfill \\ \hfill & =(\alpha ·\beta )\hfill \end{array}$$

  (55)
  After that, $KRC$ sends $KR{F}_4^{{}^{\prime \prime }}$ to $Med$.
• Step 4:$Med$ decrypts $KR{F}_4{}^{\prime \prime }$ to obtain $SK$ as follows:

  $$\begin{array}{cc}\hfill g^c& ={KR{F}_4^{{}^{\prime \prime }}}^{1⁄(y_{Med}+z_{Med})}\hfill \\ \hfill & ={(\alpha ·\beta )}^{1⁄(y_{Med}+z_{Med})}\hfill \\ \hfill & ={(Y_{Med}·Z_{Med})}^{1⁄(y_{Med}+z_{Med})}\hfill \\ \hfill & =g^{c·(y_{Med}+z_{Med})/(y_{Med}+z_{Med})}\hfill \end{array}$$

  (56)

  $$(SK\Vert \sigma )=KR{F}_3\oplus H_2\left(g^c\right)$$

  (57)
  After that, $Med$ sends $SK$ to $De{v}_A$.
• Step 5:$De{v}_A$ decrypts the message M using the obtained $SK$.

  $$M=De{c}_{SK}\left(C\right)$$

  (58)

6. Analysis of the Proposed Schemes

This section explores whether the abovementioned security requirements are satisfied by the two proposed schemes, as shown in

Table 1. Comparison of proposed schemes.

	[6]	[7]	[8]	[10]	[11]	[12]	[13]	Proposed Scheme-I	Proposed Scheme-II
KRF integrity	-	-	-	×	×	×	×	∨	∨
Non-repudiation	-	-	-	×	×	×	×	∨	×
Attack on group authentication detection	-	∨	-	∨	×	×	∨	∨	-
Single point of failure protection	×	×	×	∨	∨	×	×	∨	×
Data confidentiality	∨	∨	∨	∨	∨	∨	∨	∨	∨
Med applied for support	-	-	-	-	-	-	-	∨	∨
Collusion attacks resistance	∨	×	×	×	×	×	×	×	∨
Key escrow problem	×	×	×	∨	×	×	×	∨	∨
∨: Provided/×: Not provided/-:Not considered

.

6.1. Proposed Scheme-I (Key Recovery System Using Signcryption)

• KRF integrity: The device, $Med$, $KRA$, and $KRC$ participating in key recovery should not be able to transform a device key that generates a $KRF$ maliciously. To solve this problem, this includes the session key hash in parameter r of the $KRF$. Therefore, $KRF$ data cannot be forged. Only the device can access the $KRF$ session key generated by the device.

  $$\begin{array}{cc}\hfill r& =?r^{\prime }\hfill \\ \hfill H_{k_2}(g^{x}modp,SK)& =?H_{k_2}(g^{x}modp,S{K}^{\prime })\hfill \end{array}$$

  (59)
• Data confidentiality: In the proposed scheme-I, communication between devices is performed through a session key. Therefore, if the session key for the corresponding communication is unknown, the malicious user will not be able to obtain the message. In addition, as the $KRF$ generated in the communication process contains the public keys of $KRC$ and $M-KRA$, third-party besides $KRC$ and $KRA$ cannot know the contents of the corresponding $KRF$.
• Non-repudiation: If the device generates and uses the wrong $KRF$, $KRC$ cannot recover the key. To solve this problem, the device should not be able to reject the fact that it generated $KRF$. Therefore, this includes the private key $s{k}_A$ of the device in parameter s of the $KRF$. The device cannot deny that it generated the $KRF$.

  $$\begin{array}{cc}\hfill k& ={(p{k}_A·g^r)}^{s·s{k}_{KRC}}\hfill \\ \hfill & ={(g^{s{k}_A}·g^r)}^{s·s{k}_{KRC}}\hfill \\ \hfill & ={(g^{s{k}_A}·g^r)}^{x/(r+s{k}_A)·s{k}_{KRC}}\hfill \\ \hfill & =g^{s{k}_{KRC}x}=p{k}_{KRC}^x\hfill \end{array}$$

  (60)
• Attack on group authentication detection: Malicious key recovery by third-party $KRA$s should not be possible. Therefore, a lawful $KRA$ group member applies an XOR operation on the values from $R_{KR{A}_1}$ to $R_{KR{A}_n}$ to generate a shared group value of $SGN$ between groups. The device receives it from a lawful group member and hashes the $SGN$ to include $H\left(SGN\right)$ in the $KRF$. When $KRC$ recovers the complete key, it hashes and compares the $SGN$ sent by the $M-KRA$ with the $SGN$ contained in the $KRF$ to ensure it was received from a lawful $KRA$.

  $$\begin{array}{cc}\hfill H\left(SGN\right)& =?H\left(SG{N}^{\prime }\right)\hfill \end{array}$$

  (61)
• Single point of failure protection: As both the $KRC$ and all $KRA$s participate in session key recovery, it should be possible to recover the key even if some $KRA$s fail. Therefore, a special value $TT$ is generated. If some $KRA$s fail to recover the session key pieces, other $KRA$s recover the session key pieces instead of the failed $KRA$ and send them to the $KRC$. $TT$ includes all $c_i,r_i,s_i$ pieces and the $SGN$ produced by the XOR operation. The other $KRA$ (not the corresponding $KRA$) decrypts $T{T}_i$ and sends it to the $KRC$, allowing the $KRC$ to recover the complete session key.

  $$\begin{array}{cc}\hfill T{T}_i& =(T{c}_i\Vert T{r}_i\Vert T{s}_i)\hfill \end{array}$$

  (62)

  $$\begin{array}{cc}\hfill T{T}_i\oplus SGN& =((c_i\oplus SGN)\Vert (r_i\oplus SGN)\Vert (s_i\oplus SGN))\hfill \\ \hfill & =((c_i\oplus SGN)\oplus SGN\Vert (r_i\oplus SGN)\oplus SGN\Vert (s_i\oplus SGN)\oplus SGN)\hfill \\ \hfill & =(c_i\Vert r_i\Vert s_i)\hfill \end{array}$$

  (63)
• Med applied for support: $Med$ should be able to view the encrypted data by acquiring the encrypted session key in the event of an emergency where it is necessary to view the device’s data. Therefore, $Med$ sends $KRF$ to $KRC$, and $KRC$ decrypts $KRF$ to obtain $KRF$ pieces. The acquired $KRF$ pieces are sent to $M-KRA$ and requested for recovery. Then, $M-KRA$ obtains session key pieces by decrypting the acquired $KRF$ pieces. The obtained session key pieces are sent to $KRC$, and $KRC$ recovers the complete session key. After that, it sends the complete session key to the $Med$, allowing message decryption.
• Key escrow problem: The proposed scheme-I is based on a CL-PKC scheme. Therefore, as $KGC$ can generate only a part of the private key during the private key generation process, the key escrow problem caused by $KGC$ in ID-based encryption has been solved.

6.2. Proposed Scheme-II (Key Recovery System Using Proxy Re-Encryption)

• KRF integrity: In this proposed scheme-II, $KRF$ is encrypted with the public keys of $Med$ and $KRA$. Therefore, during the key recovery process, $Med$, $KRC$ and $KRA$ cannot be forged or modified $KRF$ by alone.

  $$KRF=(KR{F}_1,KR{F}_2,KR{F}_3,KR{F}_4)$$

  (64)

  $${\pi }_{Med}=X_{Med}·S^{H_1(I{D}_{Med},X_{Med})}$$

  (65)

  $$V_{Med}={\pi }_{Med}^{H_6\left(Y_{Med}\right)}·Y_{Med}$$

  (66)

  $$KR{F}_4={(\alpha ·\beta )}^{H_4\left(V_{KRA}^{\tau }\right)·H_4\left(V_{Med}^{\tau }\right)}$$

  (67)
• Data confidentiality: As the $KRF$ generated in the communication process contains the public key of the Med and the secret values of $KRC$ and $KRA$, third-party besides the $Med$, $KRC$, and $KRA$ cannot know the contents of the corresponding $KRF$. In addition, even if all three of the $Med$, $KRC$, and $KRA$ do not participate, each $Med$, $KRC$, and $KRA$ cannot know the contents of the $KRF$.
• Med applied for support: $Med$ can perform recovery of $SK$ as needed. $KRF$ is created using the public key of $Med$. $Med$ can perform the key recovery process when it is determined that the key recovery is necessary for $Dev$ that it manages. For this, $Med$ can create $R{K}_{Med\to KRC}$ and request and execute the key recovery process through $KRC$ and $KRA$.
• Collusion attack resistance: Fewer than three participants among the $Med$, $KRC$, and $KRA$ must be prevented from maliciously acting together, thus preventing recovery of the key, and unauthorized entities must be prevented from obtaining the key. Therefore, the $Med$ requires the cooperation of the $KRC$ and $KRA$ to decrypt $KRF$. Thus, even if the $Med$ has colluded with a single participant among the $KRC$ and $KRA$, the completed key recovery cannot be achieved without the assistance of the third participant as follows:

  $$KRF=(KR{F}_1,KR{F}_2,KR{F}_3,KR{F}_4)$$

  (68)

  $$KR{F}_3=(SK\Vert \sigma )\oplus H_2\left(g^c\right)$$

  (69)
  In order to obtain $SK$ from the above $KRF=(KR{F}_1,KR{F}_2,KR{F}_3,KR{F}_4)$, $KR{F}_3$ must be decrypted. In order to decrypt $KR{F}_3$, $Med,KRC$ and $KRA$ need to know c or $g^c$. However, c and $g^c$ know only $Dev$. Therefore, it is necessary to obtain $g^c$ by decrypting $KR{F}_4$.

  $$KR{F}_4={(\alpha ·\beta )}^{H_4\left(V_{KRA}^{\tau }\right)·H_4\left(V_{Med}^{\tau }\right)}$$

  (70)
  Here, $KR{F}_4$ contains $\alpha ·\beta =Y_{Med}^c·Z_{Med}^c$, so the attackers are $H_4\left(V_{KRA}^{\tau }\right)$ and $H_4\left(V_{Med}^{\tau }\right)$ should be computed.

  $${\pi }_i=X_i·S^{H_1(I{D}_i,X_i)}$$

  (71)

  $$V_i={\pi }_i^{H_6\left(Y_i\right)}·Y_i$$

  (72)
  Since $V_i$ can be created using a public key, anyone can create it. However, since $\tau$ only knows $Dev$, attackers must use $KR{F}_2$ to calculate $H_4\left(V_{KRA}^{\tau }\right)$ and $H_4\left(V_{Med}^{\tau }\right)$.

  $$KR{F}_2=Y_{KRC}^{\tau }=g^{\tau ·y_{KRC}}$$

  (73)
  Here, a $KRC$’s private key $y_{KRC}$ is required to obtain $g^{\tau }$ from $KR{F}_2$. Therefore, KRC is required in the key recovery process.

  $$KR{F}_2^{\prime }=g^{\tau }=KR{F}_2^{1/y_{KRC}}=g^{\tau ·y_{KRC}/y_{KRC}}$$

  (74)
  Next, since the attacker does not know $\tau$, he has to perform the following operation to calculate $H_4\left(V_{KRA}^{\tau }\right)$. In the end, the $KRA$’s private keys $d_{K}RA$ and $y_{K}RA$ are required, so $KRA$ is also required.

  $$\begin{array}{cc}\hfill KR{F}_4^{{}^{\prime }}& =KR{F}_4^{1⁄H_4\left(KR{F}_2^{{}^{\prime }{d}_{KRA}·H_4\left(Y_{KRA}\right)+y_{KRA}}\right)}\hfill \\ \hfill & ={(\alpha ·\beta )}^{H_4\left(V_{KRA}^{\tau }\right)·H_4\left(V_{Med}^{\tau }\right)⁄H_4\left(c_2^{{}^{\prime }{d}_{KRA}{H}_4\left(Y_{KRA}\right)+y_{KRA}}\right)}\hfill \\ \hfill & ={(\alpha ·\beta )}^{H_4\left(V_{Med}^{\tau }\right)}\hfill \end{array}$$

  (75)
  Furthermore, an attacker who acquires $(\alpha ·\beta )$ must compute $g^c$ to obtain $(SK\Vert \sigma )$ from $KR{F}_3=(SK\Vert \sigma )\oplus H_2\left(g^c\right)$.

  $$\begin{array}{cc}\hfill g^c& ={(\alpha ·\beta )}^{1⁄(y_{Med}+z_{Med})}\hfill \\ \hfill & ={(Y_{Med}·Z_{Med})}^{1⁄(y_{Med}+z_{Med})}\hfill \\ \hfill & ={(g^{c·y_{Med}}·g^{c·z_{Med}})}^{1⁄(y_{Med}+z_{Med})}\hfill \\ \hfill & =g^{c·(y_{Med}+z_{Med})/(y_{Med}+z_{Med})}\hfill \end{array}$$

  (76)
  In order to acquire $g^c$ using $KR{F}_4^{{}^{\prime }}$, $Med$’s private keys $y_{Med}$ and $z_{Med}$ are required, so $Med$ is also required. As a result, in order to obtain $SK$ by decrypting $KRF$, all of $Med,KRC$, and $KRA$ must participate.
• Key escrow problem: The proposed scheme-II is based on a CL-PKC scheme. Therefore, as $KGC$ can generate only a part of the private key during the private key generation process, the key escrow problem caused by $KGC$ in ID-based encryption has been solved.

7. Conclusions

This paper proposed key recovery systems based on key encapsulation secured from various attacks in IoMT environments in schemes II and II.

In the key recovery system, the session key used in the ciphertext is recovered via the KRF and used. However, the KRF can be forged and KRF owners can deny the fact that they generated the KRF. Furthermore, unauthorized KRAs can access the M-KRA and interfere with key recovery. To solve this problem, the key recovery system using signcryption includes the session key hash in the KRF. Therefore, the KRF data cannot be forged. In addition, this system includes the private key of a device in special value of the KRF. A device cannot deny that it generated the KRF. Furthermore, the system ensures the security requirements mentioned in Section 3, including KRF integrity and non-repudiation, are fulfilled.

Additionally, there is a problem that the key can be recovered by collusion attacks and key or message leakage among the Med, KRC, and KRA. To solve this problem, the Med must have the help of the KRC and KRA to recover the key by a proxy re-encryption function. In addition, the KRC or KRA would also need mutual help to recover a complete session key. That is, by limiting the information and processing capabilities of the three participants, the key recovery system can be expected to be secure against various attacks. Furthermore, because the KGC generates the private keys of all participants, there is the problem that the KGC’s authority is strong. To solve this, a partial private key generation scheme is used. The KGC generates a partial private key and sends it to the participants. Participants who receive partial private keys use them to generate complete private keys and solve the KGC key escrow problem.

Future research is to check whether unexpected problems occur when the proposed schemes are implemented in actual systems. Furthermore, additional research is needed that can examine the amount of computations, time, and cost incurred when recovering keys. In addition, further research is needed to determine whether the proposed schemes are secure against other types of security threats.