An Attribute-Based End-to-End Policy-Controlled Signcryption Scheme for Secure Group Chat Communication

Abstract

Secure instant communication is an important topic of information security. A group chat is a highly convenient mode of instant communication. Increasingly, companies are adopting group chats as a daily office communication tool. However, a large volume of messages in group chat communication can lead to message overload, causing group members to miss important information. Additionally, the communication operator’s server may engage in the unreliable behavior of stealing information from the group chat. To address these issues, this paper proposes an attribute-based end-to-end policy-controlled signcryption scheme, aimed at establishing a secure and user-friendly group chat communication mode. By using the linear secret sharing scheme (LSSS) with strong expressive power to construct the access structure in the signcryption technology, the sender can precisely control the recipients of the group chat information to avoid message overload. To minimize computational cost, a signcryption step with constant computational overhead is designed. Additionally, a message-sending mechanism combining “signcryption + encryption” is employed to prevent the operator server from maliciously stealing group chat information. Rigorous analysis shows that PCE-EtoE can resist adaptive chosen-ciphertext attacks under the standard model. Simulation results demonstrate that our theoretical derivation is correct, and that the PCE-EtoE scheme outperforms existing schemes in terms of computational cost, making it suitable for group chat communication.

1. Introduction

Information security [1,2] has become increasingly vital as digital communication platforms proliferate. Instant messaging apps, such as WeChat, QQ, WhatsApp [3], and Telegram [4], each have more than one billion active users. They have gradually replaced the traditional SMS service, providing users with various conveniences in their daily life and work, including personal messaging and group chat communication. These apps not only meet people’s basic communication needs, but also extend to social and business functionalities [5]. Most companies conduct their businesses through group chats. With hundreds of millions of messages exchanged every day, users are increasingly concerned about the security and ease of use in group chat communication. However, there are the following problems in group chat communication: (1) whether the source of the message is true, and whether the message is confidential [6]; (2) a large number of group messages may cause information overload, leading users to miss critical information in the group; and (3) the communication operator of the group chat communication may extract information, resulting in information leakage within the group [7]. For companies, this may lead to the leakage of commercial secrets and cause significant losses [8].

At present, there are two main types of secure instant communication [9]: end-to-server encrypted communication and End-to-End encrypted communication. Figure 1a shows the end-to-server encrypted communication pattern: the sender encrypts the message using the shared key and then sends it to the server. After the server receives the ciphertext message, it decrypts it using the shared key and obtains the plaintext after determining the source of the message. Then, it encrypts the message using the shared key of the server and the receiver and transmits the ciphertext of the message to the receiver. Figure 1b shows the end-to-end encrypted communication mode. The sender performs double-layer encryption, and the server decrypts the source to obtain the first-level ciphertext, which is then encrypted, and then this ciphertext message is transmitted to the receiver. The biggest problem with end-to-server encrypted communication is that it relies too much on the operator’s server for security. Communication operators can obtain the plaintext of the message, but dishonest communication operators may extract keywords in the communication and resell the data for profit, which poses commercial threats to companies that rely on group chat communication to build workflows. The mode of end-to-end encrypted communication uses a double-layer encryption method, so that the server cannot access the plaintext of the message and can only forward the message. However, only encrypting the message cannot guarantee its authenticity. Signcryption, as a technology that can encrypt and sign messages in the same logical step, can ensure the authenticity and confidentiality of data simultaneously. We consider signcryption as the first layer of encryption in end-to-end encrypted communication, which differs from the mere application of two layers of encryption, and provides the receiver with the ability to verify the authenticity of the message [10,11].

Group chat communication [12], from the sender’s perspective, follows a one-to-many communication mode. Attribute-based signcryption technology can not only realize one-to-many encrypted transmission and provide access control, but also allow users to verify that the attributes meet the policy to determine the authenticity of the data. Currently, in most group chats, all group members generally receive a large amount of information, but only some of this information is directly related to their specific roles, responsibilities, or current tasks. The ubiquity and non-differentiation of this information flow may make it difficult for users to filter out the information that is truly important to them, thus distracting users, reducing work efficiency, and increasing the risk of missing critical information. The access control function can mitigate this message overload problem. However, attribute-based signcryption technology verifies and decrypts the ciphertext using a decryption key, and the key distribution is carried out by a third party. If the third party is unreliable, decryption will fail. Susilo [13] proposed a policy-controlled signcryption scheme, which is still an specially attribute-based signcryption scheme, but the ciphertext is verified by credentials, making it more flexible than using a key. Users can verify the credentials to ensure their correctness. However, directly applying the policy-controlled signcryption proposed by Susilo [13] to group chat communication results in the problem of high computational cost. Attribute-based cryptographic schemes often require high computational cost, especially as the computational cost for the sender increases linearly with the number of attributes in the policy. When the strategy is too complex, it will impose a significant computational burden on the sender in group chat communication. The previous discussion focused on text message protection in group chat communication. Image message protection is also important in group chat communication. Many researchers [14,15,16,17,18] used many hash methods to protect image information, and this scheme also protects image information in group chat communication. By converting the picture to a binary file and applying policy-controlled signcryption technology, the security protection of image information in group chat communication was completed, ensuring that only recipients in the group who met the sender’s requirements could receive the image information.

In order to solve the above problems, in this paper, we propose an attribute-based end-to-end policy-controlled signcryption scheme for group chat communication, which has constant signcryption computation consumption. The scheme constructs a strong expressive access policy to ensure that only recipients conforming to the access policy can receive information in the group, alleviating the problem of message overload in group chat communication. The scheme employs the ECDH key agreement protocol and double-layer ciphertext protection, ensuring that the operator server cannot access the plaintext of the group chat information, thereby preventing information leakage to the operator.

Our contributions can be listed as follows:

• Lightweight: We propose a lightweight signcryption scheme for communication. The computational cost for the sender in the group chat is constant, and the sender only requires three power operations and one linear mapping operation during the signcryption process. Although the computational cost for the receiver still increases with the number of attributes, it is lower than that of existing schemes. In the experiment, end devices with varying computing resources were used for testing, and the computing times for both the signcryption and un-signcryption operations were within a reasonable range.
• Strong expressive capability: The signcryption scheme for communication (PCE-EtoE) that we propose demonstrates strong expressive capability. Compared with the monotone Boolean function access structure in PCEA [13], the PCE-EtoE scheme uses LSSS to design an access structure with strong expressive power, capable of describing complex access policies including “and”, “or” and other predicates.
• Mitigate message overload: Our proposed PCE-EtoE scheme effectively prevents users from receiving unnecessary information that is irrelevant to their needs. In PCE-EtoE, the sender in group communication can construct a complex and fine-grained access policy, ensuring that only receivers conforming to the policy can receive the group chat information.This scheme not only ensures controllable message flow but also enhances the efficiency of the messages received, thereby avoiding message overload and preventing users from missing key information.
• Security: In the defined security model, PCE-EtoE ensures message confidentiality through indiscernibility under chosen plaintext attacks (IND-CPA). Additionally, the scheme employs double encryption technology (encryption + signcryption), which prevents the communication operator from decrypting the second-level ciphertext, thereby ensuring that the communication operator cannot steal the content of the group chat communications.

In the next two sections, we will provide a brief review of the related work and preliminaries. The security model of the PCE-EtoE scheme is presented in Section 3. Section 4 describes the proposed PCE-EtoE scheme. The security and functional analysis of PCE-EtoE is provided in Section 5. Section 6 offers a comparative analysis of the theoretical performance and practical performance of PCE-EtoE. The conclusion is presented in the final section.

2. Related Work

The proposed PCS-EtoE mainly involves attribute-based signcryption and end-to-end encrypted communication. Therefore, in this section, we review related work in these areas.

Hong  et al. [19] proposed a key policy KP-ABCS scheme that can perform outsourced decryption and introduced key updates to prevent key leakage. However, due to the lack of public verification and high implementation costs, the scheme is not practical. Rao and Dutta [20] proposed the first KP-ABSC scheme with constant-size ciphertext, which achieves constant ciphertext size and reduces storage costs to some extent, but its computational overhead is too large. Yu and Cao [21] proposed attribute-based signcryption with a hybrid access policy, which combines key policy (KP) and ciphertext policy (CP). However, the threshold value is used in expressions, and the expression ability is poor. Xu et al. [22] proposed CP-ABSC supporting multi-authority, which can protect users’ attribute privacy. Although outsourced decryption is used in the scheme, the overall overhead of the scheme is too large, and users may still incur excessive computational overhead due to the large number of attributes during signcryption. Zhao et al. [23] proposed an efficient multi-authority attribute-based signcryption scheme, which realizes multi-authority access control and protects the privacy of the signcryption. Even if the ciphertext is not associated with the signing key, the information of the data owner cannot be obtained from the ciphertext. However, the computational cost is still linear with the number of attributes. Wang  et al. [24] proposed an attribute-based signcryption scheme with a ciphertext policy and declaration predicate mechanism (CP2-ABSC), but it still incurs too much computational overhead and has poor practicability. Susilo et al.’s [13] PCEA is a special ABSC that can use credentials for un-signcryption, solving user decryption failures caused by unreliable operations of a TA or KCGS (Key and Credential Generation Server) in some cases. However, the computational overhead is too large and there are too many mapping operations, making it unsuitable for direct application in group chat communication scenarios. The schemes proposed in [21,22,24] over-rely on outsourced computing services provided by operators, which cannot prevent dishonest behavior in outsourced decryption. In the scenario of end-to-end group chat communication using attribute-based signcryption to protect ciphertext, over-reliance on outsourced computing provided by operators threatens the confidentiality of information sent by users. It also increases the computational cost for the communication operator. In the above-mentioned schemes, the computational cost of signcryption increases linearly with the number of attributes or authorities to varying degrees. Since real-time messages need to be exchanged frequently in group chat communication, the above schemes are not suitable.

In end-to-end encrypted communication, Cohn-Gordon et al. [25] designed an asynchronous key exchange protocol to ensure that all members can maintain end-to-end encrypted communication without overlapping online time. Gupta et al. [26] proposed an end-to-end encryption layer based on ciphertext-policy attribute-based encryption (CP-ABE) for data confidentiality and integrity in Message Queuing Telemetry Transport (MQTT). However, additional signature operations are required to enable the receiver to determine the origin of the data. Dhinesh et al. [27] analyzed and discussed end-to-end encryption (E2EE) implementations of various messaging applications. All these messaging applications use the encrypt-then-sign approach, which is significantly less computationally efficient than signcryption.

Table 1. Comparison of features for the existing ABSC scheme and the proposed PCE-EtoE.

Scheme	Access Structure	Functionality
		CM	LC	CC	NR	RO
[24]	Access Tree	×	×	×	✓	×
[19]	MBF	×	×	×	×	×
[20]	LSSS	✓	×	×	×	×
[21]	MBF and Threshold	×	×	×	✓	×
[22]	MBF	×	×	×	×	×
[23]	LSSS	✓	×	×	✓	×
[13]	MBF	×	×	×	✓	×
PCE-EtoE	LSSS	✓	✓	✓	✓	✓

Note: CM: complex message flow control; LC: lightweight computational cost; CC: constant computational cost of signcryption; NR: no reliance on outsourced computation; RO: resist operator stealing information; MBF: monotone Boolean function.

summarizes the features of representative ABSC schemes and the proposed PCE-EtoE in terms of access structure and functionality. Compared with existing schemes, our PCE-EtoE supports more key features. In particular, PCE-EtoE supports the control of complex message flow, does not rely on outsourced computation, and is resistant to operator data theft. Without the help of outsourced computation, the cost of signcryption is constant, which is highly practical in group chat communication. In contrast, the computational cost of signcryption in other schemes increases linearly with the number of attributes. Later, we will show that in the secure model, the PCE-EtoE satisfies IND-CPA under the Decisional Bilinear Diffie–Hellman (DBDH) problem.

3. Preliminaries

3.1. Symmetric Bilinear Mapping

Let $\varphi$ be the group generation algorithm. When given the security parameter $\lambda$, it outputs the parameters $(G_1,p,G_T,\widehat{e},g)$, where p represents a large prime number, $G_1$ and $G_T$ are two cyclic groups of order p, g is the generator of $G_1$, and $\widehat{e}:G_1\times G_1\to G_T$ denotes a bilinear map if and only if the following three conditions are met:

• Bilinearity: $\forall (u,v\in G_1$,$a,b\in Z_p)$: $\widehat{e}(u^a,v^b)=\widehat{e}{(u,v)}^{ab}$;
• Non-degeneracy: $\exists u,v\in G_1$: $\widehat{e}(u,v)\ne 1$;
• Computability: $\exists \widehat{e}:\forall u,v\in G_1$;$\widehat{e}(u,v)\in G_T$.

3.2. Decisional Bilinear Diffie–Hellman Assumption

In this section, we introduce the DBDH (Decisional Bilinear Diffie–Hellman) assumption, which is the decisional version of the BDH problem and is extensively utilized in designing cryptographic protocols. The details are as follows:

• Given cyclic groups $G_1$ and $G_2$ of order p as prime numbers.
• Randomly select the generator $g\in G_1$ and the random numbers $c_1,c_2,c_3\in Z_p$.
• $g,g^{c_1},g^{c_2},g^{c_3},\widehat{e}{(g,g)}^{c_1{c}_2{c}_3}$ and $T\in G_2$ to send A.

The core of the DBDH problem is to determine whether T is equal to $e{(g,g)}^{c_1{c}_2{c}_3}$, if so, A outputs 1; otherwise, output 0.

The DBDH assumption states that if no polynomial time algorithm can solve the DBDH problem with a non-negligible advantage, then the DBDH assumption holds in the $G_1$ and $G_2$ groups.

4. Security Model

The security model of the proposed scheme is defined based on a game between the challenger and the attacker, described as follows:

(1)

Initialization: The challenger runs the Setup, KCGSKeyGen, and UserKeyGen algorithms, generating $P{K}_{KCGS}$, $S{K}_{KCGS}$, $P{K}_{U_{id}}$, $S{K}_{U_{id}}$ and system parameters $param$, and provides $P{K}_{KCGS}$ and $S{K}_{KCGS}$ to the attacker. The attacker chooses a set of access policies $POL$ to send to the challenger.

(2)

Phase 1: The attacker can request to query the credential of any ciphertext not utilized in the un-signcryption challenge.

(3)

Challenge: The attacker submits two randomly chosen messages, $m_1$ and $m_2$, of equal length to the challenger. The challenger randomly selects $\delta \in \{0,1\}$ and performs the signcryption operation on the message $m_{\delta }$ according to the access policy $POL$ submitted by the attacker.

(4)

Phase 2: The same as phase 1,the attacker can request to query the credential of any ciphertext not utilized in the un-signcryption challenge.

(5)

Guess: The attacker outputs the guess $\widehat{\delta }$. Thus, the advantage of the attacker in this game is defined as $Pr[\delta =\widehat{\delta }]-{\displaystyle \frac{1}{2}}$.

Definition 1. 

If the attacker cannot win the game with a non-negligible advantage in polynomial time, then the PCE-EtoE scheme is indistinguishable under chosen plaintext attacks (IND-CPA).

5. The Proposed PCE-EtoE Scheme

In this section, we provide a detailed description of the proposed PCE-EtoE scheme. To fully understand the proposed PCE-EtoE scheme, we present its framework in Figure 2, which involves four participating entities as follows:

• Sender: Complete the transmission of messages in the group chat. Control the specific flow of information in the group chat to ensure that the flow of dissemination of group chat messages is effectively managed.
• Receiver: Only receive relevant and valid information in the group chat.
• Key and Credential Generation Server (KCGS): KCGS is responsible for generating public parameters and creating credentials and keys for users (sender and receiver). KCGS is a semi-honest server, which may tamper with part of the content in the credential.
• Communication Operator’s Server (COS): It is responsible for generating the elliptic curve parameters, completing the key agreement for the secondary encryption key between the users and COS, and forwarding the ciphertext information.

5.1. Overview

In this section, we provide a comprehensive review of the PCE-EtoE scheme.

Table 2. Definitions of symbols used in the scheme.

Symbol	Description	Symbol	Description
$P{K}_{KCGS}$	Public key of KCGS	POL	Access policy
$S{K}_{KCGS}$	Private key of KCGS	$E{S}_{se},E{S}_{re},E{S}_{RE}$	Secondary ciphertext
S	User’s attributes	Enc	AES encryption
$Cr{e}_U$	User’s credential	Dec	AES decryption
$P{K}_{U_{id}}$	Public key of user	$\sigma$	First-class ciphertext
$S{K}_{U_{id}}$	Private key of user	$T{S}_{max}$	Maximum time difference
$K_{S_i,C}$	The shared key of the $sende{r}_i$ and the COS	$T{S}_{now}$	Current timestamp
$K_{R_i,C}$	The shared key of the $receive{r}_i$ and the COS	M	Group chat messages
$T{S}_m$	The timestamp of the text message	TS	Timestamp of the image message

presents the symbols used in the scheme and their meanings. As shown in Figure 3, our proposed scheme consists of six stages: Setup, Key and Credential Generation, key agreement, Message Sending, Message Forwarding, and Message Receiving.The first two and Message Sending are randomized.

(1)

Setup: Public Parameter Generation (Setup): The setup is aimed at initializing the system. Setup is a probabilistic polynomial time (PPT) algorithm where the security parameter l is input, and the public parameter $param$ is the output.

(2)

Key and Credential Generation:

(a) KCGS Key Generation (KCGSKeyGen): KCGSKeyGen is aimed at constructing the KCGS’s public and private keys. KCGSKeyGen is a PPT algorithm that outputs public key of KCGS $P{K}_{KCGS}$ and private key of KCGS $S{K}_{KCGS}$ after inputting public parameters.

(b) User Credential Generator (CreGen): CreGen is aimed at completing the construction of a user’s credential. CreGen is a PPT algorithm that outputs user’s credential $Cr{e}_U$ after inputting public parameters, user’s attributes S, and public key of KCGS $P{K}_{KCGS}$.

(c) User Key Generation (UserKeyGen): UserKeyGen is aimed at constructing the user’s public and private keys. UserKeyGen is a PPT algorithm that outputs public key of user $P{K}_{U_{id}}$ and private key of user $S{K}_{U_{id}}$ after inputting public parameters and public key of KCGS $P{K}_{KCGS}$.

(3)

Key Agreement: Key agreement is aimed at completing the secure negotiation of a shared key between the sender and receiver. Input the user’s public key for secondary encryption, $P{K}_{KCGS}$, and finally, output the shared key of the user and the COS ($K_{S_{i}C}$ or $K_{R_{i}C}$).

(4)

Message Sending (MesSen): Message Sending is aimed at completing the secure transmission of messages. Input access policy $POL$, group chat message M, public key of KCGS $P{K}_{KCGS}$, private key of user $S{K}_{U_{id}}$, shared key, and finally, output secondary ciphertexts $E{S}_{se}$.

(5)

Message Forwarding (MesForw): Message Forwarding is aimed at accomplishing the secure forwarding of messages. Input secondary ciphertexts $E{S}_{se}$, the set of shared key ${\left\{K_{R_{i}C}\right\}}_{i<qc}$ ($qc$ is the number of people in the group chat), and finally, output timestamp $T{S}_m/TS$ and secondary forwarding ciphertext $\left\{E{S}_{RE}\right\}$.

(6)

Message Receiving (MesRec): Message Receiving is aimed at completing the secure receiving of messages. Input the secondary forwarding ciphertext for the specified receiver $E{S}_{r{e}_i}$, the receiver’s certificate $Cr{e}_U$, the public key of the sender $P{K}_{U_{id}}$, and output group chat message M or ⊥.

The proposed PCE-EtoE is formally defined as

$$\underset{PCE-EtoE}{\mathsf{\Pi }}=\left[\begin{array}{c}\mathrm{param}\leftarrow \mathrm{Setup}\left(1^t\right)\hfill \\ \left(P{K}_{KCGS},{\mathrm{SK}}_{\mathrm{KCGS}}\right)\leftarrow \mathrm{KCGSKeyGen}\left(param\right)\hfill \\ Cr{e}_U\leftarrow CreGen(param,S,P{K}_{KCGS})\hfill \\ \left(S{K}_{U_{id}},P{K}_{U_{id}}\right)\leftarrow \mathrm{UserKeyGen}(param,P{K}_{KCGS})\hfill \\ (0/1)\leftarrow \mathrm{CreVer}\left(Cr{e}_U\right)\hfill \\ K_{R_i/S_{i}C}\leftarrow \mathrm{key}\mathrm{Agreement}(y_{R_i/S_{i}C},y_C)\hfill \\ E{S}_{se}\leftarrow \mathrm{MesSen}(\mathrm{POL},M,P{K}_{KCGS},P{K}_{U_{id}},S{K}_{U_{id}},K_{S_{i}C})\hfill \\ \left(T{S}_m/TS,\left\{E{S}_{RE}\right\}\right)\leftarrow \mathrm{MesForw}(E{S}_{se},{\left\{K_{R;C}\right\}}_{i<q})\hfill \\ (M/\perp )\leftarrow \mathrm{MesRec}(E{S}_{r{e}_i},{\mathrm{Cre}}_{\mathrm{U}},{\mathrm{PK}}_{\mathrm{CS}})\hfill \end{array}\right]$$

5.2. Setup

5.2.1. Public Parameter Generation

Input the security parameter l; KCGS randomly selects the prime $p=poly\left(1^l\right)$. Setup selects a random generator $g\in G_1$, then randomly selects $a\in Z_N$ and computes $g^a$. A bilinear mapping function ($\widehat{e}:G_1\times G_1\to G_T$) is then created.

5.2.2. Selection of Hash Functions

Define four hash functions, the first is the attribute hash function $H_1:S\to G_1$. The second is the collision-resistant hash function $H_2:{\{0,1\}}^{*}\to Z_N$. The third is also the collision-resistant hash function $H_3:m\to {\{0,1\}}^{ml},ml=M.length$. The last is the file hash function: $H_4:m\to G_1$.

The Setup algorithm outputs the system public parameters, denoted as $param=(l,g,\widehat{e},H_1,H_2,H_3,g_a,g_b)$.

The above procedure is shown in Algorithm 1.

Algorithm 1 Setup

Input: l Output:  $param$ 1: select $p=poly\left(1^l\right)$, $g\in G_1$, $a\in Z_N$ 2: compute $g^a$ 3: choose $\widehat{e}:G_1\times G_1\to G_T$ 4: choose hash functions $H_1:S\to G_1$, $H_2:{\{0,1\}}^{*}\to Z_N$, $H_3:m\to {\{0,1\}}^{ml}$, $H_4:m\to G_1$ 5: return $param=(l,g,\widehat{e},H_1,H_2,H_3,g_a,g_b)$

5.3. Key and Credential Generation

5.3.1. KCGSKeyGen

Input the system parameter $param$, KCGS randomly selects $\alpha ,\beta \in Z_n/0$, uses $S{K}_{KCGS}=(\alpha ,\beta )$ as the private key of KCGS, computes $U=g^{\alpha }$ and $W=g^{\beta }$, and uses $P{K}_{KCGS}=(U,W)$ as the public key of KCGS. KCGSKeyGen outputs $S{K}_{KCGS}$ and $P{K}_{KCGS}$.

5.3.2. CreGen

The set of attributes $S=\{S_1,S_2,\cdots ,S_i\}$, the system parameter $param$, and the public key of KCGS $P{K}_{KCGS}$ are input. KCGS randomly selects $t\in Z_N/0$ and computes $CK=g^{\alpha }{g}^{at}$, $CL=g^t$. KCGS computes $A_i=H_1\left(S_i\right),S{K}_i=A_i^t,S_i\in S$, where $S_i$ denotes the i-th attribute in S. KCGS takes the $Cr{e}_U=\{CK,CL,S{K}_i\}$ as a credential for the user. CreGen outputs $Cr{e}_U$.

5.3.3. CreVer

The users send their identity $ID$ to KCGS. KCGS matches the corresponding attribute set according to the identity $ID$ and runs CreGen to obtain $Cr{e}_U$. The user checks the validity of $\left\{S{K}_i\right\}$, $CK$, and $CL$ in $Cr{e}_U$ as follows:

$$\widehat{e}(S{K}_i,g)=\widehat{e}(A_i,CL)$$

(1)

$$\widehat{e}(CK,g)=\widehat{e}(U,g)\widehat{e}(g^a,CL)$$

(2)

If (1) and (2) hold, then the validity of $Cr{e}_U$ holds.

5.3.4. UserKeyGen

Input the system parameter $param$ and $P{K}_{KCGS}$; KCGS then randomly selects $\mu ,\gamma \in Z_n/0$, uses $S{K}_{U_{id}}=(\mu ,\gamma )$ as the private key of the user, computes $Y_1=g^{\mu \gamma }$ and $Y_2=W^{\mu \gamma }$, and uses $P{K}_{U_{id}}=(Y_1,Y_2)$ as the public key of the user. UserKeyGen outputs $S{K}_{U_{id}}$ and $P{K}_{U_{id}}$.

The above procedure is shown in Algorithm 2.

Algorithm 2 Key and Credential Generation

Input: $param$,S Output: $S{K}_{KCGS}$, $P{K}_{KCGS}$, $Cr{e}_U$/⊥, $S{K}_{U_{id}}$, $P{K}_{U_{id}}$   1: KCGS select $\alpha ,\beta \in Z_n/0$   2: Let $S{K}_{KCGS}=(\alpha ,\beta )$   3: Compute $U=g^{\alpha }$, $W=g^{\beta }$   4: Let $P{K}_{KCGS}=(U,W)$ // KCGSKeyGen’s procedure   5: KCGS select $t\in Z_N/0$   6: Compute $CK=g^{\alpha }{g}^{at}$, $CL=g^t$   7: for i $\in S$ do   8:    $A_i=H_1\left(S_i\right),S{K}_i=A_i^t$   9: end for 10: Let $Cr{e}_U=\{CK,CL,\left\{S{K}_i\right\}\}$ // CreGen’s procedure 11: KCGS select $\mu ,\gamma \in Z_n/0$ 12: Let $S{K}_{U_{id}}=(\mu ,\gamma )$ 13: Compute $Y_1=g^{\mu \gamma }$, $Y_2=W^{\mu \gamma }$ 14: Let $P{K}_{U_{id}}=(Y_1,Y_2)$ // UserKeyGen’s procedure 15: if $\widehat{e}(S{K}_i,g)=\widehat{e}(A_i,CL)$&& $\widehat{e}(CK,g)=\widehat{e}(U,g)\widehat{e}(g^a,CL)$ then 16:    return $S{K}_{KCGS}$, $P{K}_{KCGS}$, $Cr{e}_U$/,$S{K}_{U_{id}}$, $P{K}_{U_{id}}$ 17: else 18:    return $S{K}_{KCGS}$, $P{K}_{KCGS}$, ⊥, $S{K}_{U_{id}}$, $P{K}_{U_{id}}$ 19: end if// CreVer’s procedure

5.4. Key Agreement

The key agreement in our scheme involves interaction between the user and server ends of the Communication Operator Server (COS). The agreement process is established using the Elliptic Curve Diffie–Hellman (ECDH) algorithm. Given the parameters $z,n\in F_q$, where $4z^3+27\ne 0$, the group $E\left(F_q\right)$ is defined as follows:

$$E\left(F_q\right)=\{Q=(x,y)|y^2=x^3+zx+nmodq,x,y\in F_q\}\bigcup \{\infty \}$$

where ∞ is the point at infinity.

The framework for key agreement in group chat communication is shown in Figure 4. The process of key agreement between group chat user $Sende{r}_a$ and the Communication Operator Server (COS) is detailed below:

(1)

$Sende{r}_a$ computes the public key $y_{S_a}=g^{x_{S_a}}modq$ according to the published elliptic curve $E\left(F_q\right)$ and sends $y_{S_a}$ to the Communication Operator Server (COS).

(2)

After receiving $y_{S_a}$, the COS computes $y_C=g^{x_C}modq$ and $K_{S_{a}C}=y_{S_a}^{x_C}modq$, and then sends $y_C$ to $Sende{r}_a$. Here, $K_{S_{a}C}$ is the shared key between $Sende{r}_a$ and COS.

(3)

After $Sende{r}_a$ obtains $y_C$, it computes the shared key $K_{S_{a}C}=y_C^{x_{S_a}}modq$.

The shared key obtained after key agreement is used as the second-level encryption key in secure group chat communication. After establishing the shared keys between the COS and all users in the group chat, all the shared keys and their corresponding user identities are stored in the shared key table.

5.5. Message Sending (MesSen)

The sender sets the access policy $POL$ to control the flow of messages, e.g.,:

$$(Sales\text{\_}department\mathbf{and}First-level\text{\_}manager)\mathbf{or}\left(Purchasing\text{\_}department\mathbf{and}Ordinary\text{\_}staff\right).$$

5.5.1. LSSS Generation

The Boolean access policy $POL$ is transformed into a linear secret sharing scheme ($LSSS$) shared matrix [28], and matrix M serves as the shared generator matrix of $POL$ with n rows and l columns. The function p maps each row of matrix M onto the attribute names in the $POL$. Finally, (M,p) is used to represent the access policy.

5.5.2. Attribute Code Generation

The sender randomly selects a column vector $v=(s,y_1,\cdots ,y_l)$, where $s\in Z_p,y_1,\cdots ,y_l\in Z_p$. s is the secret value to be shared, and $y_1,\cdots ,y_l$ are randomly selected group elements in the integer group. The sender computes $C_s=g^s$ and ${\lambda }_i=v\times M_i$, where $M_i$ represents the i-th row in matrix M, and ${\lambda }_i$ represents the partial secret value corresponding to the i-th attribute value in the access policy. Mark $P_i$ as the attribute value in $POL$, for example, $P_1$=‘A department’. $\left\{P_i\right\}$ is the set of attributes in $POL$. Generate Attribute Code ($ATC$) based on $P_i$ and compute $B_i=H_1\left(P_i\right)$ for each $P_i$. Randomly select $d_1,d_2,\cdots ,d_i\in Z_p$ and then count $A{C}_i=g^{a{\lambda }_i}{B}_i^{d_i}$ and $S{T}_i=g_i^d$ to obtain $ATC=\{\left\{A{C}_i\right\},\left\{S{T}_i\right\},C_s\}$; store $ATC$ as a special label in the user’s device to avoid repetitive computation.

5.5.3. Signcryption

Upon inputting message M, its type is determined. If the message is an image file (e.g., jpg, png), the image data are converted into a binary file $M_{bin}$ and given the label T. Randomly select $\overline{r},j\in Z_p$, compute partial signatures ${\sigma }_1=g^{\overline{r}}$ and ${\sigma }_2=Y_1^{\overline{r}}$, and then calculate

$$\begin{array}{cc}\hfill △& ={\sigma }_1\left|\right|{\sigma }_2\left|\right|P{K}_{KCGS}\left|\right|P{K}_{U_{id}}\left|\right|j\hfill \end{array}$$

(3)

$$\begin{array}{cc}\hfill w& =\widehat{e}(C_s,U)\hfill \end{array}$$

(4)

$$\begin{array}{cc}\hfill \xi & =j⨁H_2\left(w\right||H_2(△))\hfill \end{array}$$

(5)

If the message type is text type, it will use (3), (4), and (5) to compute

$$\begin{array}{cc}\hfill C{T}_M& =M⨁H_3\left(w\right||H_2(△))\hfill \end{array}$$

(6)

$$\begin{array}{cc}\hfill \theta & =△\left|\right|\xi \left|\right|\left\{A{C}_i\right\}\left|\right|\left\{S{T}_i\right\}\left|\right|M\hfill \end{array}$$

(7)

$$\begin{array}{cc}\hfill {\sigma }_3& =H_4{\left(\theta \right)}^{\mu \gamma }\hfill \end{array}$$

(8)

Then, we derive $\sigma$={$C{T}_M$,${\sigma }_1$,${\sigma }_2$,${\sigma }_3$,$H_2(△)$,$ATC$,$T{S}_m$,$P{K}_{U_{id}}$} from (6), (7), and (8) ($P{K}_{U_{id}}$ is the public key of the sender).

If the message type is a picture type, it will use (3), (4), and (5) to compute

$$\begin{array}{cc}\hfill C{T}_{M_{bin}}& =M_{bin}⨁H_3\left(w\right||H_2(△))\hfill \end{array}$$

(9)

$$\begin{array}{cc}\hfill \theta & =△\left|\right|\xi \left|\right|\left\{A{C}_i\right\}\left|\right|\left\{S{T}_i\right\}\left|\right|M\hfill \end{array}$$

(10)

$$\begin{array}{cc}\hfill {\sigma }_3& =H_4{\left(\theta \right)}^{\mu \gamma }\hfill \end{array}$$

(11)

Then, we derive $\sigma$={$C{T}_{M_{bin}}$,${\sigma }_1$,${\sigma }_2$,${\sigma }_3$,$H_2(△)$,$ATC$,$T{S}_m$,$P{K}_{U_{id}}$,T} from (9), (10), and (11).

5.5.4. Secondary Encryption

To ensure that the COS can verify the origin of the message, $\sigma$ is encrypted using the shared key $K_{S_{i}C}$ of the sender and the COS, denoted as follows:

$$E{S}_{se}=Enc(\sigma ,K_{S_{i}C})$$

(12)

Then, the secondary ciphertext $E{S}_{se}$ is sent to the COS. The above procedure is shown in Algorithm 3.

Algorithm 3 Message Sending

Input:  $\mathrm{POL},M,P{K}_{KCGS},P{K}_{U_{id}},S{K}_{U_{id}},K_{S_{i}C}$ Output: $E{S}_{se}$   1: LSSS(POL)->(M,p) // LSSS Generation’s procedure   2: Select $s\in Z_p,y_1,\cdots ,y_l\in Z_p$, Let $v=(s,y_1,\cdots ,y_l)$, Compute $C_s=g^s$   3: for i $\in [0,M.RowNumber]$ do   4:    ${\lambda }_i=v\times M_i$   5: end for   6: Select $d_1,d_2,\cdots ,d_i\in Z_p$   7: for i $\in [0,P.Number]$ do   8:    Compute $B_i=H_1\left(P_i\right)$, $A{C}_i=g^{a{\lambda }_i}{B}_i^{d_i}$, $S{T}_i=g_i^d$   9: end for 10: Let $ATC=\{\left\{A{C}_i\right\},\left\{S{T}_i\right\},C_s\}$ // Attribute Code Generation’s procedure 11: Select $\overline{r},j\in Z_p$ 12: Compute ${\sigma }_1=g^{\overline{r}}$, ${\sigma }_2=Y_1^{\overline{r}}$, △$={\sigma }_1\left|\right|{\sigma }_2\left|\right|P{K}_{KCGS}\left|\right|P{K}_{U_{id}}\left|\right|j$, $w=\widehat{e}(C_s,U)$ 13: Compute $\xi$$=j⨁H_2\left(w\right||H_2(△))$ 14: Compute $C{T}_M/C{T}_{M_{bin}}=M/M_{bin}⨁H_3\left(w\right||H_2(△))$, $\theta =△\left|\right|\xi \left|\right|\left\{A{C}_i\right\}\left|\right|\left\{S{T}_i\right\}\left|\right|M$, ${\sigma }_3=H_4{\left(\theta \right)}^{\mu \gamma }$ // Signcrpyt ’s procedure 15: Compute $E{S}_{se}$=Enc($C{T}_{M_{bin}}$,${\sigma }_1$,${\sigma }_2$,${\sigma }_3$,$H_2(△)$,$ATC$,$T{S}_m$,$P{K}_{U_{id}}$,T,$K_{S_{i}C}$) 16: return $E{S}_{se}$

5.6. Message Forwarding (MesForw)

The COS first checks whether $|TS-T{S}_{now}|<T{S}_{max}$. If false, a packet loss delay message is displayed to the user and prompts information resend. If true, proceed with the following steps.

After receiving $E{S}_{se}$, the COS decrypts it as follows:

$$\sigma =Dec(E{S}_{se},K_{S_{i}C})$$

(13)

Then, the COS executes Algorithm 4 using the set of shared keys of the receiver and the COS ${\left\{K_{R_{i}C}\right\}}_{i<qc}$ as input.

Algorithm 4 COS Forwarding

Input: $\left\{K_{R_{i}C}\right\}$,$I{D}_{U_i}$ Output: $T{S}_m$,$E{S}_{RE}$ 1: for i $\in [1,\mathrm{qc}]$ do 2:    $E{S}_{r{e}_i}=Enc(\sigma ,K_{R_{i}C})$ 3:    $E{S}_{RE}.append(E{S}_{r{e}_i},I{D}_{U_i})$ 4: end for 5: return  $E{S}_{RE}$,$T{S}_m$

Then, the COS retrieves the $E{S}_{RE}$ and forwards the contained $E{S}_{r{e}_i}$ to the user, who is identified $I{D}_{U_i}$.

5.7. Message Receiving (MesRece)

5.7.1. Secondary Decryption

The receiver verifies if $|T{S}_m-T{S}_{now}<T{S}_{max}|$ is true; if not, they resend the receive request to the COS. If it is true, the user performs the following actions.

After receiving $E{S}_{se}$, the receiver in the group chat uses the shared key $K_{R_{i}C}$ between the receiver and the COS to decrypt it as follows:

$$\sigma =Dec(E{S}_{r{e}_i},K_{R_{i}C})$$

(14)

After successful decryption, the preliminary source of the message is confirmed to be the COS.

5.7.2. Un-Signcrypt

The receiver inputs $Cr{e}_U$ and computes

$$\widehat{e}({\sigma }_1,g)=\widehat{e}({\sigma }_2,Y_1)$$

(15)

which may hold or not. If (15) is not true, the receiver rejects the message. Otherwise, proceed with the following calculation. There exists constants ${\{{\omega }_i\in Z_N\}}_{i\in I}$ satisfying ${\Sigma }_{i\in I}{\omega }_i{\lambda }_i=s$ in time polynomial in the size of the share-generating matrix M. Therefore, if $\left\{{\lambda }_i\right\}$ are valid shares of any secret (s) according to (M, p), then calculate

$$\begin{array}{cc}\hfill \phi & ={\displaystyle \frac{\widehat{e}(C_s,CK){\mathsf{\Pi }}_{i\in I}\widehat{e}{(S{K}_i,S{T}_i)}^{{\omega }_i}}{{\mathsf{\Pi }}_{i\in I}\widehat{e}{(CL,A{C}_i)}^{{\omega }_i}}}\hfill \end{array}$$

(16)

$$\begin{array}{cc}\hfill \widehat{j}& =\xi ⨁H_2\left(w\right||H_2(△))\hfill \end{array}$$

(17)

$$\begin{array}{cc}\hfill M& =C{T}_M⨁H_3\left(w\right||H_2(△))\hfill \end{array}$$

(18)

$$\begin{array}{cc}\hfill \widehat{\theta }& ={\sigma }_1\left|\right|{\sigma }_2\left|\right|P{K}_{U_{id}}\left|\right|\widehat{j}\left|\right|\xi \left|\right|\left\{A{C}_i\right\}\left|\right|M\left|\right|\left\{S{T}_i\right\}\hfill \end{array}$$

(19)

Finally, it uses (16), (17), (18), and (19) to verify whether $\widehat{e}(H_4\left(\widehat{\theta }\right),Y_1)=\widehat{e}({\sigma }_3,g)$ is true. If it is true, the ciphertext $\sigma$ is valid, and the message M is received; otherwise, the receiver rejects the message and returns the symbol ⊥.

The above procedure is shown in Algorithm 5.

Algorithm 5 Message Receiving

Input: $E{S}_{r{e}_i}$, ${\mathrm{Cre}}_{\mathrm{U}}$, ${\mathrm{PK}}_{\mathrm{CS}}$ Output: $M/\perp$ 1: if  $|T{S}_{m-T{S}_{now}}<T{S}_{max}|$   then 2:    Compute $\sigma$ = Dec($E{S}_{r{e}_i},K_{R_{i}C}$) // Secondary decryption’s procedure 3:    if $\widehat{e}({\sigma }_1,g)=\widehat{e}({\sigma }_2,Y_1)$ then 4:    Compute $\phi ={\displaystyle \frac{\widehat{e}(C_s,CK){\mathsf{\Pi }}_{i\in I}\widehat{e}{(S{K}_i,S{T}_i)}^{{\omega }_i}}{{\mathsf{\Pi }}_{i\in I}\widehat{e}{(CL,A{C}_i)}^{{\omega }_i}}}$ 5:    Compute $\widehat{j}=\xi ⨁H_2\left(w\right||H_2(△))$ 6:    Compute $M=C{T}_M⨁H_3\left(w\right||H_2(△))$ 7:    Compute $\widehat{\theta }={\sigma }_1\left|\right|{\sigma }_2\left|\right|P{K}_{U_{id}}\left|\right|\widehat{j}\left|\right|\xi \left|\right|\left\{A{C}_i\right\}\left|\right|M\left|\right|\left\{S{T}_i\right\}$ // Un-signcrypt’s procedure 8:    return M 9: else 10:    return ⊥ 11: end if

6. Security and Functional Analysis

6.1. Correctness

In this section, we analyze the correctness of the proposed scheme. We need to check that the user can use ${\Sigma }_{i\in I}{\omega }_i{\lambda }_i$ of the LSSS matrix to recover s, provided that the user’s credentials meet the requirements of the access policy. The detailed derivation process is as follows:

$$\begin{array}{cc}\hfill \phi & ={\displaystyle \frac{\widehat{e}(C_s,CK){\mathsf{\Pi }}_{i\in I}\widehat{e}{(S{K}_i,S{T}_i)}^{{\omega }_i}}{{\mathsf{\Pi }}_{i\in I}\widehat{e}{(CL,A{C}_i)}^{{\omega }_i}}}\hfill \\ \hfill & ={\displaystyle \frac{\widehat{e}(g^s,g^{\alpha }{g}^{at}){\mathsf{\Pi }}_{i\in I}\widehat{e}{(A_i^t,g^{d_i})}^{{\omega }_i}}{{\mathsf{\Pi }}_{i\in I}\widehat{e}{(g^t,g^{a{\lambda }_i}{B}_i^{d_i})}^{{\omega }_i}}}\hfill \\ \hfill & ={\displaystyle \frac{\widehat{e}(g^s,g^{\alpha }{g}^{at}){\mathsf{\Pi }}_{i\in I}\widehat{e}{(A_i^t,g^{d_i})}^{{\omega }_i}}{{\mathsf{\Pi }}_{i\in I}\widehat{e}{(g^t,g^{a{\lambda }_i})}^{{\omega }_i}\widehat{e}{(g^t,B_i^{d_i})}^{{\omega }_i}}}\hfill \\ \hfill & \stackrel{\mathrm{if}{B}_i=A_i}{=}{\displaystyle \frac{\widehat{e}(g^s,g^{\alpha }{g}^{at})}{{\mathsf{\Pi }}_{i\in I}\widehat{e}{(g^t,g^{a{\lambda }_i})}^{{\omega }_i}}}\hfill \\ \hfill & ={\displaystyle \frac{\widehat{e}(g^s,g^{\alpha }t)\widehat{e}{(g,g)}^{\alpha s}}{\widehat{e}{(g^t,g^a)}^s}}\hfill \\ \hfill & =\widehat{e}{(g,g)}^{\alpha s}\hfill \end{array}$$

6.2. Confidentiality

Theorem 1. 

If the assumptions of the DBDH hard problem hold, there is no attacker who can break the PCE-EtoE scheme with a non-negligible advantage in polynomial time.

Proof of Theorem 1. 

The challenger $\mathcal{B}$ chooses four random numbers $\widehat{a},\widehat{b},\widehat{c},\widehat{\theta }\in Z_N$, and then chooses the random number $\delta \in \{0,1\}$. If $\delta =0$, the challenger $\mathcal{B}$ sets $Z=\widehat{e}{(\widehat{g},\widehat{g})}^{\widehat{a}\widehat{b}\widehat{c}}$. If $\delta =1$, then let $Z=\widehat{e}{(\widehat{g},\widehat{g})}^{\widehat{\theta }}$. Finally, the challenger $\mathcal{B}$ sends the tuple $({\widehat{g}}^{\widehat{a}},{\widehat{g}}^{\widehat{b}},{\widehat{g}}^{\widehat{c}},Z)$ to simulator $\mathcal{C}$, and then simulator $\mathcal{C}$ interacts with attacker $\mathcal{A}$ instead of challenger $\mathcal{B}$. The detailed steps are as follows:

(1)

Initialization: Simulator $\mathcal{C}$ first sets $g=\widehat{g}$, randomly selects $x_1\in Z_N$, sets $U={\widehat{g}}^{\widehat{a}}$ and $W={\widehat{g}}^{\widehat{b}+x_1}$ in $P{K}_{KCGS}$, and sets $\widehat{h}=\widehat{a}\widehat{b}$ and $Y_1={\widehat{g}}^{\widehat{h}}$ and $Y_2={\widehat{g}}^{\widehat{h}+x_1}$ in $P{K}_{U_{id}}$. Finally, the two public keys and system parameters are provided to attacker $\mathcal{A}$, and the list H is initialized.

(2)

Phase 1: Attacker $\mathcal{A}$ can query simulator $\mathcal{C}$ for the private key, and the simulator queries the list $H1$, returns the result if it exists, selects the random number F if it does not exist, and updates the list $H1$. An attacker can submit a user set S to simulator $\mathcal{C}$ to query for any credential that is not used to challenge the ciphertext of un-signcryption. For the credential query submitted by $\mathcal{A}$, the simulator selects $t\in [1,n-1]$. For each attribute $i\in S$, the simulator queries the list $H2$ if it contains the attribute; if it does not, it randomly selects $k_i,q\in [1,n-1]$ and adds the element $(i,k_i,{\widehat{g}}^{\widehat{b}{k}_i})$ to the list and updates it. Choose random numbers $x_2,x_3,x_4\in Z_N$; let $CL={\widehat{g}}^{{\displaystyle \frac{\widehat{a}th+x_4}{q}}},CK={\widehat{g}}^{\widehat{a}t{\displaystyle \frac{x_3}{x_2}}+\widehat{c}t{\displaystyle \frac{x_3}{x_2}}+\widehat{b}{\displaystyle \frac{x_4}{x_2}}}$; randomly choose $c_1\in Z_N$; let $c_2=c-c_1$; and calculate $S{K}_i={\widehat{g}}^{{\displaystyle \frac{-c_2\widehat{a}\widehat{b}th}{k_i}}}$. Finally, simulator $\mathcal{C}$ sends the un-signcryption’s credential to $\mathcal{A}$.

(3)

Challenge: Attacker $\mathcal{A}$ submits two randomly chosen messages $m_0$ and $m_1$ of the same length to simulator $\mathcal{C}$, where $m_0$ and $m_1$ have the same POL. The simulator $\mathcal{C}$ first randomly selects $\delta \in \{0,1\}$, and then sets $w={\displaystyle \frac{\widehat{e}{(g^{\widehat{a}},g^{c_1})}^{t{x}_3}\widehat{e}{({\widehat{g}}^{c_1},{\widehat{g}}^{\widehat{c}})}^{t{x}_3}}{Z^{th}}}$, randomly selects a column vector $v=(s,y_1,\cdots ,y_l)$, where $s\in Z_N,y_1,\cdots ,y_l\in Z_N$. Calculate ${\lambda }_i=v\times M_i$, where ${\Sigma }_{i\in I}{\omega }_i{\lambda }_i=s$ exists. Compute $A{C}_i=g^{{\displaystyle \frac{{\lambda }_i{c}_1\widehat{b}{k}_i}{s}}},S{T}_i=g^{{\displaystyle \frac{k_i}{{\omega }_i}}}$. Let $C_s={\widehat{g}}^{x_2{c}_1}$ and then perform signcryption, choose $\widehat{r},\widehat{j}\in Z_N$ at random, compute ${\sigma }_1={\widehat{g}}^{\widehat{r}},{\sigma }_2=Y_1^{\widehat{r}}$, and then compute as follows:

$$\begin{array}{cc}\hfill △& ={\sigma }_1\left|\right|{\sigma }_2\left|\right|P{K}_{KCGS}\left|\right|P{K}_{U_{id}}\left|\right|\widehat{j}\hfill \\ \hfill w& =\widehat{e}(C_s,U)\hfill \\ \hfill \xi & =\widehat{j}⨁H_2\left(w\right||H_2(△))\hfill \\ \hfill C{T}_M& =m_{\delta }⨁H_3\left(w\right||H_2(△))\hfill \\ \hfill \theta & =△\left|\right|\xi \left|\right|\left\{A{C}_i\right\}\left|\right|\left\{S{T}_i\right\}\left|\right|m_{\delta }\hfill \\ \hfill {\sigma }_3& =H_4{\left(\theta \right)}^{\widehat{h}}\hfill \end{array}$$

Finally, the simulator sends the ciphertext $\sigma =\{C{T}_M,{\sigma }_1,{\sigma }_2,{\sigma }_3,H_2(△),\left\{A{C}_i\right\},\left\{S{T}_i\right\},TS\}$ to attacker $\mathcal{A}$.

(4)

Phase 2: Similar to phase 1, attacker $\mathcal{A}$ can submit a user attribute set S to the simulator to query any credential not used for the un-signcryption challenge ciphertext.

(5)

Guess: Attacker $\mathcal{A}$ outputs a guess $\widehat{\sigma }$ of $\sigma$. If $\widehat{\sigma }=\sigma$, and then simulator $\mathcal{C}$ outputs 0, indicating that the guess is $Z=\widehat{e}{(\widehat{g},\widehat{g})}^{\widehat{a}\widehat{b}\widehat{c}}$. Otherwise, simulator $\mathcal{C}$ outputs 1, indicating that the guess is $Z=\widehat{e}{(\widehat{g},\widehat{g})}^{\widehat{\theta }}$. If $Z=\widehat{e}{(\widehat{g},\widehat{g})}^{\widehat{a}\widehat{b}\widehat{c}}$, then input $\sigma$ and $Cr{e}_U$, and compute

$$\begin{array}{cc}\hfill {\phi }_1& ={\displaystyle \frac{{\mathsf{\Pi }}_{i\in I}\widehat{e}{(S{K}_i,S{T}_i)}^{{\omega }_i}}{{\mathsf{\Pi }}_{i\in I}\widehat{e}{(CL,A{C}_i)}^{{\omega }_i}}}\hfill \\ \hfill & ={\displaystyle \frac{\widehat{e}{(\widehat{g},\widehat{g})}^{-c_{2}t\widehat{a}\widehat{h}\widehat{b}}}{\widehat{e}{(\widehat{g},\widehat{g})}^{c_1\widehat{b}{x}_4+c_1\widehat{a}t\widehat{h}\widehat{b}}}}\hfill \\ \hfill & =\widehat{e}{(\widehat{g},\widehat{g})}^{-(c_1\widehat{b}{x}_4+c_1\widehat{a}t\widehat{h}\widehat{b})}\hfill \end{array}$$

and because

$${\phi }_2=\widehat{e}(C_s,CK)=\widehat{e}{(\widehat{g},\widehat{g})}^{(\widehat{a}+\widehat{c})t{x}_3+c_1\widehat{b}{x}_4}$$

we can obtain the following:

$$\phi ={\phi }_1\times {\phi }_2={\displaystyle \frac{\widehat{e}{(\widehat{g},\widehat{g})}^{(\widehat{a}+\widehat{c})t{x}_3}}{\widehat{e}{(\widehat{g},\widehat{g})}^{\widehat{a}\widehat{b}\widehat{c}t\widehat{h}}}}={\displaystyle \frac{\widehat{e}{({\widehat{g}}^{\widehat{a}},g^{c_1})}^{t{x}_3}\widehat{e}{({\widehat{g}}^{c_1},{\widehat{g}}^c)}^{t{x}_3}}{Z^{t\widehat{h}}}}.$$

The above demonstrates the validity of the signcryption ciphertext $\sigma$. Since attacker $\mathcal{A}$’s advantage is denoted as $\epsilon$, the probability that attacker $\mathcal{A}$ can correctly guess $\sigma$ in this case is

$$Pr[\mathcal{C}({\widehat{g}}^{\widehat{a}},{\widehat{g}}^{\widehat{b}},{\widehat{g}}^{\widehat{c}},Z=\widehat{e}{(\widehat{g},\widehat{g})}^{\widehat{a}\widehat{b}\widehat{c}})=0]={\displaystyle \frac{1}{2}}+\epsilon$$

If $Z=\widehat{e}{(\widehat{g},\widehat{g})}^{\widehat{\theta }}$, since $\widehat{\theta }$ is randomly chosen in $Z_N$, the probability that attacker $\mathcal{A}$ guessed correctly in this case is

$$Pr[\mathcal{C}({\widehat{g}}^{\widehat{a}},{\widehat{g}}^{\widehat{b}},{\widehat{g}}^{\widehat{c}},Z=\widehat{e}{(\widehat{g},\widehat{g})}^{\widehat{\theta }})=0]={\displaystyle \frac{1}{2}}$$

In summary, the advantages of Simulator $\mathcal{C}$ are as follows:

$${\displaystyle \frac{1}{2}}(Pr[\mathcal{C}({\widehat{g}}^{\widehat{a}},{\widehat{g}}^{\widehat{b}},{\widehat{g}}^{\widehat{c}},Z=\widehat{e}{(\widehat{g},\widehat{g})}^{\widehat{\theta }})=0]+Pr[\mathcal{C}({\widehat{g}}^{\widehat{a}},{\widehat{g}}^{\widehat{b}},{\widehat{g}}^{\widehat{c}},Z=\widehat{e}{(\widehat{g},\widehat{g})}^{\widehat{a}\widehat{b}\widehat{c}})=0])-{\displaystyle \frac{1}{2}}={\displaystyle \frac{\epsilon }{2}}$$

The above can be proven as follows: under the DBDH assumption, the proposed scheme satisfies IND-CPA security.

□

6.3. Resist Communication Operator Theft

Theorem 2. 

If the COS cannot obtain the message of plaintext in the group chat communication, it is claimed that PCE-EtoE has the capability to resist communication operator theft.

Proof of Theorem 2. 

Sender A in the group chat first signcrypts the message and encrypts it with AES to obtain the ciphertext $E{S}_{se}$. Then, A sends $E{S}_{se}$ to the $COS$, which decrypts $E{S}_{se}$ with $K_{S_{A}C}$ to obtain $\sigma$. According to Theorem 1, the COS cannot construct a valid credential $Cr{e}_U$ to un-signcrypt $\sigma$; thus, the plaintext M of the message cannot be obtained. Therefore, it can be demonstrated that PCE-EtoE has the capability to resist communication operator theft. □

6.4. Mitigate Message Overload

Theorem 3. 

If the receiver in a group chat can only receive messages related to itself, PCE-EtoE is said to have the capability to mitigate message overload.

Proof of Theorem 3. 

Suppose sender A in a group chat formulates $POL$ = $(S_A$ and $(S_B$ or $S_C\left)\right)$, and the attribute stored in KCGS for receiver B is $(S_A,S_D)$. A performs the steps of sending the message, the COS performs the steps of forwarding the message, and B receives the ciphertext $E{S}_{r{e}_B}$. The receiver first performs AES decryption with the shared key to obtain the ciphertext $\sigma$ and uses the credentials $Cr{e}_U$ generated by $(S_A,S_D)$ to un-signcrypt $\sigma$, but B cannot calculate the correct $\widehat{e}{(g,g)}^{\alpha s}$ (i.e., it cannot correctly un-signcrypt). The receiver then rejects the message, avoiding the reception of irrelevant messages. This demonstrates that PCE-EtoE has the capability to mitigate message overload. □

7. Performance Evaluation

7.1. Theoretical Performance

We evaluate the performance of the PCE-EtoE scheme in comparison to various existing schemes. The symbols used in this section are defined in

Table 3. Definitions of symbols used in performance evaluation.

Symbols	Description
$E,E_T$	Exponentiation operations in groups $G_T/G$
$l_s,l_e$	Numbers of signature/encryption attributes involved
P	Bilinear mapping operation

.

In attribute-based cryptography, bilinear mapping operations and exponentiation are the most computationally intensive. The cost of other operations, such as hashing, XOR, and constant operations, is negligible.

Table 4. Comparison of theoretical computation cost for signcryption and un-signcryption.

Scheme	User Signcryption	User Un-Signcryption
[24]	$(2l_s+2l_e+3)E+2E_T+P$	$(l_{s}log{l}_s+l_{e}log{l}_e+1)E_T+(2l_s+2l_e+1)P$
[19]	$(2l_s+2l_e+1)E$	$(l_s+2)E+l_{s}P$
[20]	$(2l_s+9)E+E_T$	$(2l_e+2)E+6P$
[21]	$(2l_s+7)E+E_T$	$2l_{e}E+E_T+8P$
PCEA [13]	$(10+l_s)E+l_{s}P$	$(12+2l_s)P+E_T$
[22]	$(l_s+5)E+E_T$	$(l_s+2)E+(l_s+3)P+E_T$
[23]	$(2l_s+10)E+E_T$	$(2l_e+2)E+6P$
PCE-EtoE	$3E+P$	$(4+2l_s)P$

compares the computational cost of signcryption and un-signcryption operations in the proposed PCE-EtoE scheme to various existing schemes, and

Table 5. Comparison of theoretical computation cost for CreGen and CreVer.

Scheme	User Signcryption	User Un-Signcryption
PCEA [13]	$4l_{s}E$	$(1+4l_s)P$
PCE-EtoE	$(2+l_s)E$	$(3+2l_s)P$

compares the computational cost of credential generation and verification in the proposed PCE-EtoE scheme to existing schemes.

It can be inferred from Table 4 that in schemes [19,20,21,22,23,24], when performing the signcryption operation, the computation required is linear with the number of attributes, while in our proposed scheme, the computation requires only a constant $3E+P$, which does not increase with the number of attributes. Although the un-signcryption operation of PCE-EtoE does not achieve a constant computational cost, it is the lowest among the schemes, being slightly lower than that of [22,23] and significantly lower than that of other schemes. Since only PCEA uses certificates for un-signcryption, the computational costs of credential generation and verification are compared solely with the PCEA scheme in Table 5. It can be observed from Table 5 that the computational cost of certificate generation in PCE-EtoE is lower than that of PCEA by $(3l_s-2)E$, and the computational cost of certificate verification in PCE-EtoE is also lower than that of PCEA by $(3l_s-2)E$.

7.2. Actual Performance

As shown in Figure 5, we used a variety of terminal devices in terms of hardware to ensure the wide applicability and performance of the scheme. Specifically, we used the following equipment:

Dell Computer: Equipped with a 12th-generation Intel i7-1700 processor, with a main frequency of 2.10 GHz and 16 GB of memory.

Raspberry Pi 4 Model B: Powered by a 1.5 GHz quad-core Cortex-A72 CPU with 4 GB of RAM.

By testing on these two significantly different devices, we were able to fully evaluate the performance of the solution in different hardware environments, thus ensuring its reliability and stability in diverse application scenarios. In terms of software, the programming language used was Java 1.8, the IDE environment was IDEA 2020, and the cryptography open-source libraries used were JPBC 2.0.0, Crypto, and Security. The test curves used were Type A and secp256r1.

We performed signcryption and un-signcryption tests on text messages of different sizes using DELL computers and Raspberry Pi devices.

For the DELL computers, we chose 10 KB, 1 MB, 10 MB, 100 MB, and 200 MB text messages for our experiments. Figure 6a shows the signcryption computation time for different file sizes on DELL computers. The computation time was relatively low for smaller files (10 KB and 1 MB) and significantly increased for larger files (100 MB and 200 MB). However, as the number of attributes in the access policy increased, the computation time for the signcryption operation remained essentially unchanged. When the text message size was 200 MB, the signcryption time remained approximately 3.5 s regardless of the number of attributes. Figure 6b shows the un-signcryption time for different text message sizes on DELL computers. The un-signcryption time for 100 MB and 200 MB messages was much higher than for 10 KB and 1 MB files. When the text message size was 200 MB and the number of attributes in the access policy was 100, the decryption time was about 1.8 s.

On the Raspberry Pi device, due to limited computing resources, we selected 10 KB, 1 MB, 50 MB, and 70 MB text messages for experiments. Figure 7a shows the signcryption computation times for different text message sizes on the Raspberry Pi. The computation times were relatively low for 10 KB and 1 MB messages but significantly increased for 50 MB and 70 MB messages. However, as the number of attributes in the access policy increased, the computation time for the signcryption operation remained essentially unchanged. When the size of a text message was 70 MB, the signcryption time was approximately 17.5 s regardless of the number of attributes. Figure 7b shows the un-signcryption time for different text message sizes on a Raspberry Pi. The time for the un-signcryption of 50 MB and 70 MB messages was much higher than for 10 KB and 1 MB files. When the text message size was 70 MB and the number of attributes in the access policy was 100, the decryption time was about 16 s. The computing resources of the Raspberry Pi are insufficient for handling large files. Message size significantly affects the computation time of signcryption and un-signcryption, particularly as file size increases. The tests indicate that increasing the number of attributes in the access policy has a minimal effect on the signcryption and un-signcryption times, particularly for large files. This phenomenon may be attributed to the fact that the impact of increasing the number of attributes on computation time is overshadowed by the overall data processing time.

We performed signcryption and un-signcryption tests of differently sized picture messages on DELL computers and Raspberry Pi devices, respectively. Images with pixel sizes of 2500 × 25,000, 10,000 × 10,000, and 25,000 × 25,000 were selected for testing. Figure 8a and Figure 9a show the calculation time for the signcryption of picture-type messages by PCE-EtoE, and the actual calculation cost is consistent with the theoretical analysis: $3E+P$. The change in signcryption time is only related to the size of the image and not to the number of attributes. The signcryption time for a 2500 × 25,000 picture is 0.08 s on a DELL computer and 1.4 s on a Raspberry Pi. Figure 8b and Figure 9b show the calculation time for the un-signcryption of picture-type messages by PCE-EtoE, and the actual calculation cost is consistent with the theoretical analysis: $(4+2l_s)P.$ For the same image size, the number of attributes and the un-signcryption time are linearly related. On a DELL computer, when the image pixel size is 2500 × 25,000 and the number of attributes is 100, the un-signcryption time is 0.65 s, and on a Raspberry Pi, it is 11 s.

In order to compare the actual performance of PCE-EtoE and related schemes, OMDAC-ABSC [22], NMAS-ABSC [23], and PCEA [13] were selected as comparison schemes. Since a single message in group chat communication is generally smaller than 5 KB, we tested the relevant algorithms for 5 KB messages on a Dell computer for all schemes. In Figure 10, the OURS label represents PCE-EtoE. As shown in Figure 10a,b, the signcryption’s time cost of PCE-EtoE is much lower than that of other schemes, and the signcryption’s time cost of a single message is less than 0.1 s, which is suitable for group chat communication scenarios. The un-signcryption’s cost time of PCE-EtoE is slightly lower than that of other schemes. When the access policy attribute set by the sender is 50, the message un-signcryption’s time cost of the receiver is less than 0.4 s, which is also suitable for group chat communication scenarios. As shown in Figure 10c,d, the time cost of CerVer and CerGen in the PCE-EtoE scheme is lower than that of PCEA.

To investigate the execution efficiency of each stage and step in the PCE-EtoE scheme, Figure 11 shows the percentage of each step in the total execution time. Statistics were collected for the percentage of the execution time of Setup, Key and Credential Generation, key agreement, Message Sending, Message Forwarding, and Message Receiving. The parameters in the experiment were as follows: $POL$ = (Department A $\mathbf{and}$ manager) $\mathbf{or}$ (Department B $\mathbf{and}$ supervisor). The size of the message sent by the sender was 5 KB, and the size of the group was 100 people.

As seen in Figure 11, the initialization step takes the largest percentage of the total execution time, about 27.4%. However, this step only needs to be executed once upon system startup. The message decryption time accounts for a relatively small percentage of 8.9%, while the Message Sending step takes about 22.35%. Attribute Code Generation in Message Sending consumes a significant amount of time. If a sender transmits multiple messages to the same receiver in a group chat, the Attribute Code Generation is executed only once.

Using the same parameters as in Figure 11, Figure 12 explores the time required for Message Sending and Message Forwarding by the operator when multiple messages are sent to the same receiver in a group chat, excluding network delay and user input time.

As shown in Figure 12a, the time required for sending messages increases linearly with the number of messages. When 500 messages are sent, the time taken is only 16.892 s. As indicated in Figure 12b, when the number of messages forwarded by the carrier server exceeds 350, the time increases rapidly, though it remains at the millisecond level. This does not place a significant computational burden on the communication opertor’s server.

As shown in

Table 6. The time complexity of the algorithm.

Algorithms	Setup	KCGSKeyGen	CreGen
Time complexity	$O\left(1\right)$	$O\left(1\right)$	$O\left(n\right)$
Algorithms	CreVer	UserKeyGen	Key Agreement
Time complexity	$O\left(n\right)$	$O\left(1\right)$	$O\left(1\right)$
Algorithms	MesSen	MesForw	MesRece
Time complexity	$O\left(1\right)$	$O\left(n\right)$	$O\left(n\right)$

, to explore the theoretical time complexity of the PCE-ETOE scheme, the theoretical time complexity of each algorithm is analyzed. The time complexity of the algorithms Setup, KCGSKeyGen, UserKeyGen, and MesSen is $O\left(1\right)$. The time complexity of CreGen, CreVer, key agreement, MesForw, and MesRece is $O\left(n\right)$, which is within acceptable limits.

We evaluate the transmission rate (TR) for both Message Sending and Receiving within our scheme in a real-time environment. The TR is calculated using the following formula:

$$MessageSending’sTR={\displaystyle \frac{Message’sSize}{Timeofsigncryption+Networkdelay}}$$

$$MessageReceiving’sTR={\displaystyle \frac{Message’sSize}{Timeofun-signcryption+Networkdelay}}$$

In the real-time environment, we transmit individual messages of no more than 50 KB and perform the experiment with 50 messages per test interval. As shown in Figure 13a, as the number of messages increases, the transmission rate (TR) for Message Sending remains between 1421.8 Kb/s and 1489.27 Kb/s. Similarly, Figure 13b shows that as the number of messages increases, the transmission rate (TR) for message reception remains between 947.07 Kb/s and 994.91 Kb/s. Both the transmission rate for Message Sending and the transmission rate for Message Receiving fall within a reasonable range.

8. Conclusions

To address the issues of the Communication Operator Server’s unreliable behavior and message overload during group chat communication, we propose an attribute-based end-to-end policy-controlled signcryption scheme (PCE-EtoE), which features lightweight computational overhead, making it suitable for frequent group chat communications. Using LSSS to construct access structures ensures that only relevant recipients receive the information, thereby filtering out irrelevant information and mitigating message overload. When sending messages, the dual encryption mode of “signcryption + encryption” is used to prevent the communication operator’s server from stealing group chat content. We provide theoretical proofs for the scheme’s confidentiality, correctness, and resistance to communication operator theft. We evaluated the performance of the PCE-EtoE scheme against previous schemes through theoretical comparisons and actual simulations. Testing on different end devices confirmed that the PCE-EtoE scheme is more lightweight in terms of computational cost. However, the PCE-EtoE scheme does not support the fast retrieval of group chat messages. In the future, we aim to develop an efficient index structure within the PCE-EtoE scheme to facilitate the fast retrieval of historical group chat messages.