An ECC-Based Blind Signcryption Scheme for Multiple Digital Documents

The popularity of the Internet has comprehensively altered the traditional way of communication and interaction patterns, such as e-contract negotiations, e-payment services, or digital credential processes. In the field of e-form systems, a number of studies investigate the ability of the blind signature to fulfill the basic properties of blindness and untraceability. However, most literatures exploring the blind signaturemechanisms only address research and technology pertaining to single blind signature issues. Further, most of the topics only deal with signing rather than encryption.Thus, we propose a new blind signature scheme formultiple digital documents based on elliptic curve cryptography (ECC). Our scheme incorporates the design of signcryption paradigm into the blind signature scheme to strengthen high levels of security.This innovative method also enhances computational efficiency during processing multiple electronic documents since the ECC provides a shorter key length and higher processing speed than other public-key cryptosystems on equivalent secrecy. The analysis results show that the present scheme achieves better performance at low communication overheads as well as with higher level of security. By helping the design of the intrinsic properties, the proposed cryptosystem can be applied to many areas to protect sensitive data in ubiquitous computing environments.


Introduction
Information and communications technology has strongly influenced the way of people's daily lives, particularly the channel we use.The Internet appears to be benefitting the development of data transmission or exchange in areas of delivering valuable information such as e-contract negotiations, e-voting or e-payment systems, and information market applications.As people's activities on the unfettered network and communication increase, digital information distribution applications become more available.This also means that by manipulating certain data in the query it could possibly lead to unauthorized access and usage of private information to the open Internet connection and potentially cause data leakage and access issues.For example, if an agreement's contents cannot be appropriately maintained secrecy in an electronic contract, some crucial information and sensitive business rules can easily be intercepted by unauthorized people, and the incidents involving the compromise of such data may result in a loss of individuals or business partners and revenue.To ensure that digital communication containing sensitive information remains relatively accessible and secure to the masses, the need of proper security measures should be applied for such data access.A number of techniques can be adopted when implementing privacy and unlinkability mechanisms within such an electronic document application, each with its own contributions to the protection of proprietary information, such as public-key cryptography [1], digital signatures [2,3], and blind signatures [4][5][6][7][8][9].
Blind signature which was first described by Chaum [10,11] has been extensively employed for protecting digital information privacy, and the mechanism makes sensitive data contents anonymous, resistant to forgery, and indisputable.Any blind signature scheme must satisfy two core properties, that is, blindness and untraceability [10,12,13].Blindness property in an interactive signature protocol allows that the signed messages are transmitted between a user and a signer, and 2 Security and Communication Networks the message contents are unknown from the signer.Untraceability or unlinkability property ensures that the signer cannot link back any message-signature pair later even if the signature is revealed to the public.Chaum's blind signature scheme is based on the integer factorization problem (IFP) and the security relies on the hardness of RSA assumption.This scheme can be considered secure if the underlying hash function is chosen appropriately.In order to enhance the security and efficiency of blind signatures, there have been several constructions of various schemes since the appearance of the blind signature [12][13][14][15][16][17][18][19][20].Some works suggest that technical security requirements are based on the discrete logarithm problem (DLP) other than the IFP.There are also combination strategies [7,9] which simultaneously involve both solving the DLP and tackling the IFP for attaining a high security level.As we probably know by now, the DLP hardness assumption is that, if a hash function is collisionresistant, then it is hard.In this setting, the associated security parameters must be chosen carefully so that the DLP remains hard in certain groups.It is interesting to note that either the DLP or the IFP over a prime field appears to be of roughly the same degree of difficulty [21,22].As the computing power increases and the algorithmic skills are constantly improved, there is also the chance that the DLP and IFP for the underlying combinatorial hard problem could be solved deterministically in subexponential time.
More recently, Vanstone [23] has proved that elliptic curve cryptosystems based on the elliptic curve discrete logarithm problem (ECDLP) provide greater efficiency than those cryptographic algorithms for the IFP and DLP.This fact makes solving the ECDLP in subexponential time impracticable.Due to the strength of smaller key size operations for the ECDLP, it is expected that a secure and efficient solution can be achieved under the algorithmic technique assumption.Subsequently, several variations of ECC-based blind signatures [4,8,[24][25][26][27] are consequently proposed, and they have shown their schemes to be remarkably useful in practical applications between the security and the performance.It is worth pointing out that a newly unveiled blind signcryption concept (by combining blind signature and signcryption algorithm) is obtained from Shamsherullah et al. [28] and Sadat et al. [29]; their research is focused on customized designs on electronic payment systems and a proxy approach, respectively, offering strong security requirements to facilitate the progress of communicating and accessing information in complex networks.
From the above literature review, these existing cryptographic protocols are mainly interesting to construct stronger models for blind digital signatures to satisfy basic security guarantees, and their algorithms focus on disguising a message then followed by a digital signature and maintaining a verification along with a blinding factor to the resulting message.Although the strategy can guarantee the blindness and untraceability properties for the message, specific authorized subjects (e.g., project participants) are not assigned to verify this signature correctly since anyone can use signer's public key to verify the signature without identity authentication during the verification phase.In the meantime, different participants interact with each other in establishing communication sessions and the session data can leave an identifier stolen more vulnerable to identity theft or protocol attacks (e.g., the man-in-the-middle attack).Moreover, most of the current studies deal with blind signatures in a single message at a time or a batch of multiple signatures on multiple documents [2,30] instead of managing large number of digital documents by making a single signature just once [31].In the case of handling voluminous amount of documents, gradually performing blind signature processes on multiple electronic documents takes more time than going through the same steps in a single digital document.Another concern is that in batch processing the messages are signed to completion in consequence and the rest of these messages will not be affected by the tampering attempt if some of message contents have been compromised.This situation will raise security risks about information disclosure.
Unlike the approaches of one signature at a time or a batch mode, our proposal handles multiple digital documents by creating one-time signature that links all chunked messages to form the avalanche effect in cryptography to protect data from unauthorized access or alteration.In this paper, we also study methods to extend the functionality of member signatures while distinguishing the involvement of designated representatives from unauthorized persons, where the proposed scheme can enable a verifiable action for particular authorized people and authenticates the information correctly at a later time to verify the identities of given users to prevent identity breaches from the verification stage.This is particularly useful in an off-line scenario, where the signatures are able to be self-certified without needing an Internet connection once participants have been registered in the system as existing legitimate entities.In addition, we introduce the concept of ECC-based signcryption technique instead of using a more general class blind signature scheme, which along with its form can greatly minimize the computational load and communication overheads for tackling multiple electronic messages.The signcryption scheme which was first introduced by Zheng [32] is a new cryptographic paradigm that fulfills the integration of encryption and digital signature synchronously at a low-overhead functionality providing program.Research has proven its benefit in improving efficiency in several applications such as threeparty communication environments [33], key management for wireless sensor networks [34], and multiple receivers for firewalls [35].Yu and He [36] suggest a new efficient DLPbased blind signcryption protocol to enhance security goals such as anonymity, untraceability, and unlinkability.Ullah et al. [37] also present an ECC-based blind signcryption scheme that is capable of supplying the properties of confidentiality, integrity, unforgeability, and nonrepudiation for low-power or resource-constrained devices.On top of that, instead of using elliptic curve cryptography, Ch et al. [38,39] and Nizamuddin et al. [40] introduce an alternative paradigm for signcryption measurements that are based on the notion of hyperelliptic curve cryptography, and their papers propose a more lightweight signcryption model having public verifiability and forward secrecy to reduce the number of bits and obtain better performance than the existing ECC-based schemes.However, all three of the methods do not use a blinding technique but a nonblind cryptographic primitive to offer the support of public verifiability, and hyperelliptic curve cryptography in genus 2 that requires many more field operations in each group operation has the potential to be competitive with its genus 1 elliptic curve cryptography counterpart [41,42].As for multidocument cryptographic processing using signcryption technique, Tsai and Su [31] present a variant of a threshold signcryption protocol by assigning a group of signatures to share a secret link for multiple documents.Their work handles large number of digital documents via a group of participants splitting a secret and each of the members is allocated a share of the secret, whereas the proposed scheme manages multiple documents by one single person employing a blind signcryption technique along with these messages to enable effective protection measures, for example, the anonymity and untraceability properties.It is only natural to consider the signcryption technique from digital information perspective-thus, by combining a signcryption approach with a blinding procedure to carry out the blind digital signature protocol, this type of scheme not only essentially yields strong security requirements of a blind signature manner to detect dishonest adversaries, but also efficiently improves the computation and transmission costs of blind signature processing.
Our research contributions aim to improve adoption of the security requirements and to increase the speed of information transmission for multiple blind signcrypted messages.To achieve these objectives, we design a secure and efficient blind signcryption scheme based on elliptic curve cryptography that empowers the combination strategy to verify the authenticity of legitimate entities in the network without disclosing the contents of the signcrypted messages.The proposed scheme has the security attributes for multiple messages, namely, blindness, untraceability, authenticity, confidentiality, correctness, integrity, nonrepudiation, unforgeability, and the avalanche effect of encrypted messages.The comparative evaluation of the study has better performance in terms of computational cost and communication overheads.Additionally, this innovative method offers the useful property of a self-certified identity in off-line scenarios.It can be adapted to mobile computing environments for efficient and secure data transmission.The paper is organized as follows.In the next section, we briefly introduce the RSA-based blind signature form, ECC-based blind signature protocol, and signcryption manner, respectively.In Section 3, we propose an original essay to construct a signcryptioncombined scheme for blind digital signatures.In Section 4, we evaluate the performance of the proposed solution and prove its security features.Finally, Section 5 concludes the paper.

Conceptual Basis
This section first gives a brief introduction to a RSA-based blind signature algorithm.We also sketch an ECC-based blind signature technique and the signcryption mechanism from their respective backgrounds, which will be recommended to our proposed scheme in Section 3.

Blind
Signature Based on RSA.The concept of blind signature, first devised by Chaum [10] in 1983, is based on RSA algorithm and the hardness of IFP.According to Chaum's concepts, there are two participants, namely, the signer  and the requester , involved in the signature scheme.Given a message  to be signed, let (, ) be the signer's public key and the corresponding private key is .The blind signature scheme consists of the following five phases: (i) Initializing Phase. chooses two distinct primes ,  and computes  =  ⋅ , () = ( − 1) ⋅ ( − 1).
(ii) Blinding Phase. takes an arbitrary number  ∈ [0, ] and calculates   ≡   (mod ).Then,  sends   to .In this phase,  blinds the message and  does not know the contents of the message.
(iii) Signing Phase. uses the private key  to compute   ≡ (  )  (mod ) and sends it back to .
(v) Verifying Phase.Anyone can verify the validity of message-signature pair (, ) by checking that   ≡ (mod ).

Blind Signature Based on ECC.
In 2010, Jeng et al. [4] proposed a fast blind signature scheme, based on the ECDLP.This scheme does not compute modular exponentiation consecutively.Instead, a user can obtain a signature and verify it only through scalar multiplication of points on elliptic curves, for example, point addition and point doubling.ECC requires much lesser numbers for its operations; hence the scheme is very efficient.Let an elliptic group   (, ) be formed as  2 =  3 ++(mod ), where 4 3 +27 2 ̸ = 0 mod  such that   (, ) is appropriate for cryptography.And then a base point  on   is determined whose order is a very large value  such that  ⋅  = .The protocol is described below.
(i) Initialization. randomly selects a secret key   and generates the corresponding public key   as   ≡   ⋅ (mod).Likewise,  chooses a random number   as the secret key, and the corresponding public key is   ≡   ⋅ (mod).
(iv) Unblinding. removes the blind signature (, ) by applying the secret key   , along with 's public key   to yield   ≡ −⋅    ( mod ).And then  calculates   =   ⋅ (  − 1).(v) Verification.Anyone can use 's public key   to verify the authentication of the signature (  ,   , ) by checking whether the given formula  ≡   −   ⋅   (mod) has been satisfied.

Signcryption Mechanism.
Signcryption, first presented by Zheng [32] in 1997, is a new cryptographic technique that fulfills digital signature and public-key encryption simultaneously in a single step at lower computational costs and communication overheads than signing and encrypting separately.Due to its advantages, both confidentiality and authenticity are seamlessly accomplished, and it is widely used for email transmission, files delivery, and data communication.
A generic signcryption scheme Σ = (Gen, SC, USC) typically consists of the following three phases: key generation (Gen), signcryption (SC), and unsigncryption (USC).Gen generates a pair of keys for any user : (SDK  , VEK  ) ← Gen(, ), where  is the security parameter, SDK  is the private signing/decryption key of user , and VEK  is his/her public verification/encryption key.For any message  ∈ , the signcrypted text  is obtained as  ← SC(, SDK  , VEK  ), where  denotes the sender and  is the receiver.SC is generally a probabilistic algorithm while USC is most likely to be deterministic where  ∪ {⊥} ← USC(, SDK  , VEK  ) in which ⊥ denotes the invalid result of unsigncryption.Signcryption schemes can be trusted by providing two different mathematical functions as mentioned above; one is the signature and the other is the encryption.The choice of confidentiality and authenticity would be made based on the level of security desired by any digital signature scheme in conjunction with a public-key encryption scheme.

The Proposed Scheme
In this section, we introduce a secure and efficient blind signature scheme, which embeds the signcryption technique in the mutual authentication procedure for singular or multiple electronic message contents based on the ECDLP.Solving the ECDLP circumstance becomes computationally infeasible if any antagonist attempts to gather some secret information from captured participants to perform a specific action (e.g., counterfeit identity).In addition, our study uses interleaving structural features, that is, the ECC-based hard problem and the shift permutation problem, to raise the levels of security for the transmission of such information.Particularly, owing to the difficulty of solving the ECDLP and the small key lengths in ECC, the security strength and efficiency of the proposed solution will certainly lead to very promising results.
Our scheme comprises the following six phases: initial setup and registration phase, mutual identity verification phase, blind signcryption phase, unblinding phase, signature verification phase, and decryption phase.The operational context diagram of the proposed scheme is shown in Figure 1, and "Abbreviations" section summarizes the notations and the denotations thereof about the mechanism used.There are three participants in our blind signature protocol, namely, a requester , a signer , and a verifier , respectively.Then, an authentication server AS is responsible for generating the system parameters and issuing secure electronic identities to users.

Initial Setup and Registration Phase.
During the initial and registration stage, we first specify the domain's parameters to set up the system configuration.The default arguments that are made up of several key fields are as follows.
(i) A secure elliptic curve (  ) is defined over a finite field   , where  is a large prime number such that the number is greater than 283 bits; that is, a 283-bit key in ECC is considered to be as secured as 3072-bit key in RSA [43,44].Next, an order  will be selected, together with the base point  on the elliptic curve (  ), and the proper choice satisfies  ⋅  = , where  is the point at infinity.
(ii) To generate a public-private key pair, the AS randomly chooses a secret value of  AS , from [2,  − 2] as the private key, and the associated public key can be derived from (1).
(iii) Then, the AS publishes PK AS to all users as well as the system parameters, ((  ), , and ), and keeps  AS as a secret.
(iv) Each user, that is, , , and , must register on the dedicated server (AS) as a legitimate participant before proceeding to related services.
(v) Next, all the users select random values   ,   ,   as their private keys in the same way.Accordingly, the paired public keys of all users are generated with (2).
(vi) After creation, all participants have their own unique pair of keys.The message of private keys with identifies id  , id  , and id  will be transmitted to the AS via a secure channel.In addition, the AS will apply the hash function, ℎ 1 (⋅), to produce a random nonsecret salt value, , for verifying the identity of a user thereafter.
The hash value can be used to determine the critical issue of identity assurance in an off-line status as a self-certification approach, and the associated hash values are obtained from (3).
(vii) In the meantime, the AS still needs the corresponding data points   ,   ,   on the elliptic curve to generate the relative certificates.Each data point containing a random numerical value, , is calculated according to (4).
(viii) The certificates associated with each participant are therefore computed by (5).
(ix) When the setup process prepares all the appropriate parameters for the actions that were run, the AS securely sends the messages, ( user ,  user , and ca user ), to each user and also makes the global system parameters publicly known including PK  , PK  , PK  , ℎ 1 (⋅), and ℎ 2 (⋅).

Mutual Identity Verification Phase.
When finishing the registration process, each entity is able to effectively communicate with the related parties.The user authentication agreement between the requester  and the signer  operates as below.
(i) In the request, the message (ca  ,   ,   , PK  , PK AS ) is sent from  to , and vice versa (i.e., the message (ca  ,   ,   , PK  , PK AS ) also reaches the targeted recipient from  to ).According to the message from the requester , the signer  first checks whether the received message is original or not.If the message digest has not been altered, the signer  goes on the identity verification process.Otherwise, the signer  rejects the requester 's authentication request.The authenticity of the received message must satisfy the constraint equation (6).
(ii) If the message is genuine, the requester  is a valid user and the signer  continues the mutual verification context, or else the signer  revokes the procedure.Next, the signer  applies the public key from the AS to the message so as to authenticate the requester 's identity.The discriminant validity is constructed as (7), and the authenticity of  is verified by (8).
(iii) The signer  compares    with    .If    =    which implies the identity verification is valid, the signer  is then convinced that the requester  is a legal entity.The requester  can also verify the signer 's identity, and it works in much the same way as the signer  does.That is, the requester  verifies whether    is identical to    or not.
Security and Communication Networks

Blind Signcryption Phase.
The blind signcryption phase is a single continuous action rather than a three-stage process.
In order to facilitate a more overt understanding of the context and later comparison with other existing methods between the operational baseline conditions, we logically divide the implementation into three substeps and this progress can be considered as the core part of the proposed scheme.Each one of these operations is closely aligned to an integration activity.

Encryption Substep.
The purpose of the encryption stage is to avoid suffering the leak of sensitive information against the wishes of those who intend to snoop.We follow additional steps to increase operational security, and especially of that data is traveling across networks.
(i) To ensure the safe and secure delivery of digital information to the signer  through the Internet, the requester  first partitions a data message into a sequence, V, of different plaintext blocks V  (≥1), and the separate blocks in each data segment can be expressed as (9).
(ii) Secondly, the requester  uses the ℎ 1 (⋅) hash function to produce a specific hash value  known as a message digest for the sequence V of V  , and the operation can be uniformly implemented by (10).At the same time, the one-way function  2 (⋅) that takes the sequence of data blocks as inputs is applied to transform the plaintext messages into a series, , of elliptic curve points   (≥1).The data transformation can be done with (11).
(iii) Thirdly, in order to make the relationship between the plaintext messages and the representative points on the elliptic curve as complex as possible, the requester  defines a set, , of binary sequences   by (12), that is, the sequences whose terms are either 0 or 1.Also, each entry   in the binary will match exactly the number of the aforementioned data points   .
(iv) Fourthly, the requester  generates a random number as a permutation value, and the given decimal integer  which will be converted into its binary form and can be mapped onto  is organized by (13).The permutations which are controlled by the encoded binary sequence  start with the most significant bit of  1 first toward the least significant bit of   end and do the following operations.When the current binary digit is 1 and the right side digit is 0, the corresponding data points are shifted to the right by one position.
The operation shifts the place of relative point right by three bits if the two consecutive bits are equal to 1.
In contrary, when the upper bit of the matching data is 0 and the lower bit is either 1 or 0, the left operations shift bits in transition, marching them to the left one bit or the left three bits, respectively.The sequence of left (≪) or right (≫) shifts corresponds to the function as (14).
(v) After that, the requester  needs the essential arguments including the arbitrary integer , the hash value , a randomly chosen number , and a public key PK  from the verifier , to systematically transform the foregoing plaintext messages to corresponding ciphertext points.Equations ( 15) through (18) summarize the encryption operations.There is a specified point  which is calculated from the product of  and the base point , and it serves to detect that the received ciphertext has not been tampered with while in transit.In such a way, each ciphertext block  0 ,  1 ,  2 , . . .,   (≥1) is combined with the previous ciphertext block before being computed.Note that the starting point  0 included in the ciphertext data segments contains two secret parameters  and  representing a permutation value and an integrity check value, respectively, and the two significant factors will exhibit the avalanche effect, which causes a drastic variation in the ciphertext if either the plaintext, for example,   , or the value of characteristics, for example, ,   , PK  , is changed slightly.
(vi) Lastly, the requester  applies a publicly known hash function ℎ 2 (⋅) as (19) to the encrypted message  to create a unique message digest  after obtaining the sequence of ciphertext blocks   .
Security and Communication Networks 7

Blinding Substep.
The core goal of blindness is to protect the messages from the signer without knowing its contents.For the blindness property, the requester  uses the public and private key pair as a blinding factor (  ⋅PK  ) with the message digest  to blind the message, and the blinding operation is computed by (20).Then the blinded message  is passed to the signer .
3.4.Unblinding Phase.To unblind the received signature of the message-signature pair, the requester  first takes the blind signature , the previously generated message digest , the private key   , and the public key PK  of the signer to extract the blinded signature   as expressed by (23).Also, the requester  computes the nonce message digest value   and the unblind operation is governed by (24).Then both   and   along with the triple (, , ) are sent to the verifier  to testify that its blinded allegation-signature-request message is authentic.
3.5.Signature Verification Phase.After receiving the message-signature tuple (  ,   , , , ), the verifier  uses the signer's public key PK  to verify the authentication of the alleged signature and the passing message digest by checking whether (25) holds.If the resulting message-signature pair (  ,   ) is accepted as valid, the verifier  then can proceed to decrypt the sequence  of ciphertext blocks.
3.6.Decryption Phase.Decryption is the reverse process, converting the ciphertext message back into its original form.In this case, the encrypted messages contain the transformed data points   and the related sequence entries   thereof and the random generated permutation value  along with the message digest .Besides, the number of data segments is repeatedly carried over from previous data blocks.Thus the verifier  needs these things to get the original messages back.
(i) First, the conversion function  2 (⋅) having the random permutation value and the hashed message pair (, ) can be explicitly specified by assigning the verifier's private key,   , the verification point , and the initialization block  0 arguments.If (26) can properly express the causal relationship implied by this assignment process, this means that the measurement corresponds accurately to its corresponding latent variables.
(ii) Next, the verifier  uses another conversion function  2 (⋅) which maps an elliptic curve point to a message block, to acquire the specific pair (, ).By taking the input arguments, the return operation from ( 27) yields its untransformed information.
(iii) Once both the permutation value  and the correct message digest  are collected, this makes the obtained references suitable for decryption of messages.The verifier  applies the permutation sequence  (from ( 13)) in binary format to the associated message sequence  previously defined in ( 12) and then performs bit shifting operations to find the number of matching permutation values in corresponding bit positions in the two binary sequences.The bit-reverse operation is similar to the forward bit shifting trick (from ( 14)), but it is intended for operating in the opposite direction on individual bits.Equation (28) indicates that it uses the relevant rules regarding reversals for bit patterns to locate the bit offset in an ordered sequence of bits.While the underlying permutations with respect to the sequence of message blocks are interpreted, the ciphertext blocks can be easily deciphered back into the plaintext messages.
(iv) After that, the process of reverting the ciphertext units   to the plaintext segments of data points   is progressively carried out by (29).And all the corresponding plaintext data sets can be recovered from the relevant ciphertext blocks as an expression of the sequence form  = { 1 ,  2 , . . .,   }.
(v) Finally, the verifier  reuses the conversion function  2 (⋅) to convert the data points into the numeric values, as expressed in (30), and all the separated elements in the sequence V are then concatenated to form one continuous text message as the original plaintext.

Security Analysis and Performance Evaluation
In this section, we will first describe the security analysis of the proposed scheme and then show that our solution can reach greater efficiency with respect to the performance assessments.
4.1.Security Analysis.The security of our scheme is based upon the difficulty of solving the ECDLP.In the meanwhile, the signature approach has applied the signcryption technique within the functionality of blind signature, which thereby strengthens the overall security of electronic communications.Apart from providing the crux properties of blindness and untraceability, some additional characteristics like authenticity, confidentiality, correctness, integrity, nonrepudiation, and unforgeability as formalized requirements from previous works [5,6,16,[18][19][20] are incorporated in the proposed scheme to make it stronger as well as more useful for various applications.We examine these security requirements of our scheme as follows.
4.1.1.Blindness.Blindness means that the signer cannot view the content of the message while he/she signs the message.The blinded message of our scheme is generated as  = ⋅  ⋅ PK  in (20).The signer  or an opponent is unable to derive the message  without the parameters, namely, the message digest  and the blinding factor (  ⋅ PK  ).Since finding the blinding factor in this equation leads to encounter calculating the number of points on the elliptic curve over fields, it becomes extremely difficult to break the value of knowing desired points when tackling the ECDLP.The other parameter value  is not an easy attempt that reverses a hash function.Therefore, the present approach is able to fulfill the blindness property because the signer  signs the blinded message and knows nothing about the content of the message.

Untraceability.
Untraceability is also an essential security requirement in any blind signature scheme.The signer is unable to link the signature with the message when the message-signature pair has been revealed to the public.In this experiment, the message-signature pair (, (, )) is produced from ( 20), (21), and (22).The signer  only has the information about his or her own private key   and a random number , for each blind signature requested.Without the knowledge of the secret factors, a unique message digest  and 's private key   , from the requester , the signer , or the verifier  cannot trace the association between the message and the blind signature.Hence, this scheme can achieve the untraceability or unlinkability property of a blind signature.

Authenticity.
Authenticity is the property that has two purposes.One ensures that a message received is the exact same message which was sent, and the other verifies that all communication participants are who they really claim to be.With regard to message authentication, the current scheme can provably provide the authenticity ability of electronic documents or data while maintaining the privacy of the signature, and these messages are able to be adequately protected from inappropriate or malicious modifications through a valid corresponding checksum at the verifier side as described in (25).As for identity verification, the identities of all parties can be reliably verified during an interactive communication model using the identity authentication    ?
=    of (8).If a third party impersonates a legitimate user to gain unauthorized access to the message data, it is computationally impractical for solving the ECDLP in elliptic curves (e.g., to obtain  AS from PK AS ).Surely the proposed model renders the property of authenticity.

Confidentiality.
Confidentiality specifies that the contents of the message are required to be kept confidential from unauthorized persons, entities, or processes.In this study, all messages first are encrypted and disguised (blinded) by the requester , signcrypted by the signer , and then passed through a permutation process before conveying them to the verifier .If there is an opponent that succeeds in intercepting the messages during transmission, the opponent should be unable to decrypt the transmitted ciphertext in a very strong form of cascaded encryption technique.The message-related attributes, especially a set of messages of different types, cannot easily be derived without reference values for cryptanalysis works.For example, the value of , a verification point, as shown in (15), which depends parametrically on  (a random number) and  (a base point), can be difficult to find by other means.The attacker has to encounter calculating the number of points on the elliptic curve over fields, and it becomes extremely hard to break the value of knowing desired points when tackling the ECDLP.Accordingly, the present method can secure the contents of the message to reach the property of confidentiality.

Correctness.
Correctness indicates that everyone with the signer's public key can check the correctness of a signature.As we mentioned in Section 1, the signature of the signer is revealed to public leading to an identity leak issue.The public delegate as a verifier will learn the identity of the signer on each session from a unique electronic binding between an identity and a public key via a digital certificate.As a result, the public verifying may put various confidential messages at risk.In our design, the correctness of the signature of a message signed through the signature verification procedure can be checked by the verifier  as a major role using 's public key via an authentication form.To verify the correctness of the signature from the signer , the verifier  has to check whether (25) is valid.If the equation holds, then (  ,   ) is accepted as a valid signature of the message.During the course of the verification, the verifier  can successfully achieve the identity authentication from the signer  through the secret value   which is 's private key and embedded into (22).Consequently, the proposed design conforms to the correctness property.
4.1.6.Integrity.Integrity denotes that the information cannot be altered during the transmission, neither accidentally nor maliciously.If an antagonist attempts to alter a certain piece of data, for example, portions of ciphertext   , being communicated between the sender and the recipient, it is not easy to tamper with the message segments.Such tampering requires at least two or more secret parameters like a permutation value  and an integrity check value  in ( 16), and they are barely obtained from a conversion function of elliptic curve points that maps the messages to the curve.Furthermore, each portion of the ciphertext that is given the corresponding coordinate position and is embedded in the encoded text as given in ( 17) is quite dependent on all message blocks.Once there is an intentional act to make any change to a particular message, it should result in dramatically different consequences with respect to the avalanche effect.Thus, the proposed solution provides the integrity property.
4.1.7.Nonrepudiation.Nonrepudiation denotes that the signer cannot deny having signed a message that has a valid signature.In our case, the blinded message  has been electronically signed by the signer  that purported to sign the document, and the signature containing specific values usually accompanies the document to send back the requester . cannot repudiate having signed  since the signature was created with 's private key   and a randomly selected number .In addition, through the signature validation process as represented by (25), the verifier  can later confirm that the signature of the message has been entitled by the designated signer  because  has to use the corresponding public key as 's PK  during the verification.So, the proposed method offers the nonrepudiation property.=   −   ⋅ PK  as defined in (25), to determine a received message tuple, (  ,   , , , ), corresponding to that signature against the forgery.For these parameters, the adversary or the dishonest signer then has to encounter the hardness of solving the ECDLP and the difficulty of inverting the one-way hash function.The proposed scheme indeed satisfies the property of unforgeability.
We have described the multifaceted characteristics of the proposed scheme in terms of security requirements; it has been pointed out that distinguishing attributes do fit well within blind signatures.In Table 1, we present a comparison of the above-mentioned two latest schemes in Section 1, based on security properties for blind signcryption techniques.The symbol "√" on a security requirement means that it is satisfied with the feature, while the symbol "×" indicates that it does not provide satisfaction in a specified manner.As seen from Table 1, due to the eight essential properties, the present method offers enhanced security functions in related applications of blind signcryption whereas the existing successful schemes suffer from some weaknesses including blindness, untraceability, and correctness.

Performance Evaluation.
The subsection following the next investigates a detailed quantitative measure comparing the performance of our proposed algorithm with the two aforesaid algorithms in blind signcryption systems.We will examine theoretical results of the three different strategies for solving the cryptological operations involved with respect to the costs of computation and communication incurred by each task according to the concept of modular arithmetic operations [31,45].The notations including scalar multiplication, point addition, hash construction, and modular The execution time of an ECC point hash operation ≈23 MUL  ℎ The execution time of a basic hash function operation ≈0.4 MUL arithmetic that we used to evaluate the performance are shown in Table 2. Table 3 summarizes the comparison results between our scheme and the existing similar blind signcryption schemes in terms of computational costs.Compared to the three related algorithms by evaluating one single electronic document processing, the proposed scheme requires two public-key encryption and decryption operations for each task, which lead to a performance penalty.This is more timeconsuming work regarding the computational complexity of dealing with both the ECDLP computation and the permutation procedure simultaneously.As we can see, if we compare the outcomes with the same baseline measures as shadow areas in Table 3, the proposed scheme has much lower computational complexity, even with encryption and decryption latency-time tradeoffs, than the other two blind signcryption approaches.In spite of imposing more sophisticated manipulation techniques, this nature makes the proposed solution bear strongly secure structure and effectively prevent unwanted network intrusions.
As the number of electronic documents is gradually increased, maintaining the efficiency and security of blind signcryption protocols becomes critical to the continuity of the related operations.To estimate different performance levels for these blind signcryption schemes in the context of multiple documents (e.g., a multipage document), we repeatedly conduct the required steps to complete each blind signcryption process.Table 4 yields the performance comparison for the proposed signcryption-combined blind signature scheme against the two exemplary blind signcryption protocols in terms of number of documents.As shown in Table 4, Yu et al. 's DLP-based method causes the substantial increase in computational cost on each associative multiplication operation.Although our scheme reaches a slightly higher computational complexity for dealing with one single digital document about 121 MUL in the total cost than Ullah et al. 's approach due to the mutual authentication operation (i.e., 2 ECMUL + 1 ECADD + 2 MUL + 1 INVS ≈ 305 MUL ), the computational costs of the two existing methods potentially take more time to execute cryptographic-related operations with a dramatic increase in managing vast numbers of documents from 2 to 10.The performance penalty associated with the relative inefficiency of these blind signcryption based algorithms is closely correlated if every single digital document has to go through all of the time-consuming steps involved.Unlike the classic approaches that handle a single electronic document each task, our solution consumes lower costs to perform the security-related operations for processing relatively large amounts of digital documents and always runs in weakly polynomial time.Put another way, the proposed scheme requires only one-time operation to blind signcryption, unblinding, signature verification, and decrypt processes for multiple document messages whereas the existing mechanisms need to keep reiterating the procedure several times to manipulate large quantities of data in a paginated form for blinding, signing, unblinding, and signature verification actions.Through the contiguously tabular analysis, we believe that our proposed signcryption-embedded approach significantly outperforms the other existing methods in carrying out several levels of cryptographic operations on large numbers of documents.This much efficient cryptosystem is good to use in various kinds of blind signature applications.

Conclusions
This paper presents a new alternative scheme of blind signatures for electronic messages and documents processing based on both the ECDLP and the bit-level permutation problem difficulties.To make the relationship between the content of the messages and the message-signature pair thereof as perplexed as possible, we embed the signcryption technique into the functions of blind signature besides the cryptographic primitives and explore the constructive solution to tackle the tricky challenges such as identity, privacy, anonymity, and security.
We have seen how the concept of aggregate signcryption like blind signature and encryption can be used to build a signcryption-combined blind signature scheme and also indicated that the proposed scheme is capable of being more beneficial and requires less number of multiplication operations compared to the two existing solutions in physically secure and efficient implementations for digital information protection.At the security analysis, the work investigates the related security requirements from a blind signature design methodology and these strong security properties are fully satisfied with the relevant parameters.In addition, the study evaluates the performance effects of different levels in carrying out large numbers of digital messages, and the experimental results give lower computational costs and communication overheads.By providing the above-mentioned abilities of the security structure and the computation efficiency, the proposed scheme not only speeds up current blind signature techniques and digital information application programs, but also extends the field for a new protocol method using these secure yet efficient structure primitives.This facilitates much faster blind signatures and electronic messages processing as with many distributions that take place at scale, combining high performance with robust security for constructing various anonymous applications including electronic payment systems, voting services, credential-based access control processes, and digital content protection platforms.

Figure 1 :
Figure 1: The proposed operational context diagram.
(22)3.3.Signing Substep.Upon receipt of the resulting message , the signer  haphazardly selects an integer  ∈ [2,  − 2]to determine a secret element  as(21)and combines the private key   with  to obtain the blind signature  using(22).The message-signature pair (, (, )) is then forwarded back to the requester .Since  is a random number and a pair consisting of a secret value and a signature (, ) is arbitrary too, this implies that each individual construction yields a completely different signature and it is not possible to forge any valid signature on messages.

Table 1 :
Comparison of the proposed scheme and the two existing similar methods.
4.1.8.Unforgeability.Unforgeability refers that only the signer can give a valid signature for the associated message, and he/she should not be able to generate more signatures than the number of valid signing executions (a.k.a.nonreusability) in an interactive signature agreement.If an adversary impersonates the signer  to forge a legally blind signature, he/she can intercept or eavesdrop the blinded message  but is unable to obtain a valid pair (, (, )) to execute the signature generation process without a designated signer, , holding private key   .Similarly, if the signer  attempts to willfully create two more valid signatures after interacting with the requester  once, it is practically impossible for  to guess a random signature (, ).Besides, the verifier  can use the signature verification procedure  − ℎ 2 () ⋅

Table 2 :
The computational complexity symbols and the meanings.

Table 3 :
Comparison between the proposed scheme and the two existing blind signcryption schemes based on a task in one electronic document.

Table 4 :
Performance comparison between the proposed scheme and the other two schemes across multiple documents.Annotation: to strengthen the security protection mechanisms, the mutual identity verification phase to authenticate the communicating parties to each other is required to prevent the identity forgery or fraud, and the cost of each authentication thus takes 305 MUL time to calculate the complexity (i.e., 2 ECMUL + 1 ECADD + 2 MUL + 1 INVS ).