Identity-Based Proxy Signcryption Protocol with Universal Composability

Proxy signcryption means that the proxy signcrypter obtains the delegate authorization from the original signcrypter and then signcrypts the specified message on behalf of the original signcrypter. In this paper, we construct an identity-based proxy signcryption protocol (IBPSP) based on the universally composable (UC) framework. In the random oracle model, we prove that this protocol is semantically secure under the gap bilinear Diffie-Hellman and computational Diffie-Hellman assumptions. At the same time, an ideal functionality of the identity-based proxy signcryption protocol is defined in the UC security framework, and we also prove the equivalence between the universally composable identity-based proxy signcryption protocol and its IND-CCA2 and UF-CMA security. Analysis shows that this IBPSP has low computational complexity as well as both semantic security and UC security.


Introduction
Proxy signature [1] has the authenticity of signature but cannot guarantee the confidentiality of message. Gamage et al. [2] proposed the first proxy signcryption scheme, which can simultaneously realize two functions of public key encryption and proxy signature. Later, Li and Chen [3] constructed an identity-based proxy signcryption scheme by integrating identity-based cryptosystem and proxy signcryption, but this scheme does not satisfy unforgeability and forward security. Chen et al. [4] devised a provably secure identity-based proxy signcryption scheme under the computational Diffie-Hellman and bilinear Diffie-Hellman assumptions. Ming et al. [5] constructed an identity-based proxy signcryption scheme without random oracles and proved its confidentiality and unforgeability. Zhou [6] devised secure identity-based generalized proxy signcryption without random oracles from bilinear pairings which has the properties of public verification in the proxy signcryption mode.
The UC security framework [7] can meet the requirement of modular design of protocols. The salient property of UC definitions of security is that they guarantee security even when a secure protocol is composed of an arbitrary set of protocols, or when the protocol is used as a component of an arbitrary system. It is an essential property in a complex and unpredictable environment. Moreover, UC definitions can guarantee security even when an unbounded number of protocol instances are carried out concurrently in an adversarially controlled manner; furthermore, they can guarantee nonmalleability with respect to arbitrary protocols. In the UC framework, a protocol is abstracted as an ideal functionality which is considered as a trusted third party (TTP) for specific tasks. Every player can deliver a command to the ideal functionality in a secure and authentic manner, and the ideal functionality executes the command according to its specification. Informally, one protocol can securely carry out a given ideal functionality if no adversary can obtain more advantages from an attack on an instance of real execution of the protocol than from an attack on an ideal process where the parties only submit their inputs to a TTP with appropriate functionality. In other words, it is required that an instance of real execution can be simulated in the ideal process. A protocol is said to securely realize ideal functionality if any effect caused by an adversary attacking the protocol can be achieved by an adversary attacking the ideal functionality. That is, when devising complex protocols, one can allow the involved parties to have secure access to ideal functionalities; when implementing the protocol, each ideal functionality is replaced by one protocol securely realizing the ideal functionality. Any ideal functionality can be UC realized as long as a majority of parties are supposed to be honest.
Canetti [8] corrected the ideal functionality definition of digital signature in 2001. Wang et al. [9] defined the ideal functionality of the identity-based signature protocol and simultaneously proved the equivalence between identity-based signature with UC security and classical identity-based signature with EUF-CMA security in an adaptive adversary model. Tian et al. [10] devised composable group communication and solved the composable security problem of multicast group communication. Tian et al. [11] devised secure multiparty computation with the universal composability and realized a fair and secure two-party computation protocol. Thus, they solved the fair and secure two-party computation problem, although Katz deemed that this problem could not be realized. Zhang et al. [12] devised a key exchange protocol and proved its security in the UC security framework. Yuan and Liu [13] devised a universally composable group ownership transfer protocol for RFID tags. Zhao et al. [14,15] proposed a universally composable group signature protocol and group blind protocol. Li et al. [16] devised self-certified blind signcryption with UC security. Hu et al. [17] proposed a gateway-oriented password-authenticated key exchange protocol with universal composability.
Identity-based proxy signcryption is appropriate for applications in electronic governments and electronic commerce [18], such as online proxy auctions or contract signing by an authorized proxy signer. Consider an application such as a bank account owned by a busy boss. In order to withdraw money from their savings account, the boss must sign a withdrawal slip which can only be verified by the bank teller. In this case, when the boss is unable to sign personally, they can delegate their signing power to a proxy signer who can legitimately conduct transactions on their behalf. How to construct a secure identity-based proxy signcryption protocol suited to a more complex network environment is an interesting research problem. In this paper, we construct a novel identity-based proxy signcryption protocol (IBPSP) with universal composability, whose semantic security is based on the intractability of the gap bilinear Diffie-Hellman (gap BDH) and computational Diffie-Hellman (CDH) problems. In the random oracle model, we prove its indistinguishability against adaptive chosen-ciphertext attacks (IND-CCA2) and existential unforgeability against adaptive chosen-message attacks (UF-CMA). At the same time, we define the ideal functionality of IBPSP and illustrate the equivalence between the universally composable IBPSP and its IND-CCA2 and UF-CMA security.

Preliminaries
In this section, we briefly introduce bilinear pairings and several computational problems together with the universally composable (UC) framework.

Bilinear Pairings.
Let $G_1$ denote a cyclic additive group of prime order $q$ and let $G_2$ denote a cyclic multiplicative group of the same prime order. In addition, $P$ is a generator of the additive group $G_1$ and  :

UC Framework.
The UC framework [8] consists of a real-life model, ideal model, and hybrid model. In the UC framework, Z represents the external environment that consists of arbitrary protocols running concurrently with the given protocol. Z generates the inputs to all parties, reads all outputs, and interacts with the adversary in an arbitrary way throughout the computation. A protocol  is said to securely realize an ideal functionality F if, for any real-life adversary A interacting with the protocol, there exists a simulator S such that no Z can distinguish with nonnegligible probability whether it interacts with A and parties running the protocol  or with S and parties interacting with F in the ideal process.
Let  ,A,Z (, , ) denote the output of Z when interacting with the adversary A and parties  1 , ...,   running protocol  on security parameter k, input z, and random input  =  Z ,  A ,  1 , ...,   (z and  Z for Z,  A for A, and   for party   ). Let  ,A,Z (, ) be the random variable describing  ,A,Z (, , ) when r is uniformly chosen. Here  ,A,Z is the ensemble { ,A,Z (, )} ∈,∈{0,1} * .
Let  F,S,Z (, , ) denote the output of Z after interacting with the adversary S and ideal functionality F on security parameter k, input z, and random input  =  Z ,  S ,  F (z and  Z for Z,  S for S, and  F for F). Let  F,S,Z (, ) be the random variable describing  F,S,Z (, , ) when r is uniformly chosen. Here  F,S,Z is the ensemble { F,S,Z (, )} ∈,∈{0,1} * .
Definition 1 (indistinguishability). Two binary distribution ensembles X and Y are indistinguishable (written X≈Y), if, for any  ∈ , there exists  0 ∈  such that, for all  >  0 and for all a, we have
Definition 2 (UC simulation). Let F denote an ideal functionality and let  denote a probabilistic polynomial time protocol. We say that  securely realizes F if, for any adversary A, there exists an ideal-process adversary S such that, for any environment Z, we have
Theorem 3 (universal composition). Let F and G be ideal functionalities. Let  be a protocol in the F-hybrid model and let  be a protocol which securely realizes F in the G-hybrid model. Then for any adversary A in the G-hybrid model, there exists an adversary S in the F-hybrid model such that, for any environment Z, we have

Formal Definition of IBPSP
Setup is an initialization algorithm that takes a security parameter k as input. The PKG runs this algorithm and outputs the master key s along with a set of system parameters .
Extract is an extraction algorithm that takes  and an identity I i (i is a, p, b) of some user as input. The PKG runs this algorithm and outputs the public key   and private key   of this user. Keep in mind that I a is the identity of the original signcrypter, I p is the identity of the proxy signcrypter, and I b is the identity of the receiver.
PKeyGen is a proxy key generation algorithm that takes < ,   ,   > as input. The original signcrypter with identity I a generates an authorization certificate   and then interacts with the proxy signcrypter with identity I p . Finally, this algorithm outputs a proxy signcryption key S ap for the proxy signcrypter.
ProxyS is a proxy signcryption algorithm that takes < , ,   ,   ,   ,   ,   ,   ,   > as input. The proxy signcrypter with identity I p runs this algorithm and outputs a ciphertext  on message m to the receiver with identity I b .
Uns is an unsigncryption algorithm that takes < , ,   ,   ,   ,   ,   ,   ,   ,   > as input. The receiver with identity I b runs this unsigncryption algorithm and outputs a plaintext m or a symbol ⊥.

Security Model.
In this section, we describe the formal security model of the universally composable IBPSP. A universally composable IBPSP must satisfy confidentiality (IND-CCA2 security) and unforgeability (UF-CMA security). Keep in mind that we do not allow queries in which the identities of the original signcrypter, proxy signcrypter, or receiver are the same.
For the confidentiality of the universally composable IBPSP, we adopt the IND-CCA2 security model. Now, we describe the interactive game IND-IBPS-CCA2 played between an adversary A and a challenger C.

IND-IBPS-CCA2:
First of all, C runs the initialization algorithm to obtain a set of system parameters  and the master key s. Then C keeps s secret but returns  to A.
Phase 1. A makes a polynomially bounded number of queries in an adaptive fashion.
Extraction queries: A submits a query of identity I i to the extraction oracle. C returns the private key S i and public key Y i by a call to the extraction algorithm.
Proxy key queries: A submits a query of the triple <   ,   ,   > to the proxy key generation oracle. C returns the proxy key S ap by a call to the proxy key generation algorithm.
Proxy signcryption queries: A submits a query of the tuple <   ,   ,   ,  > to the proxy signcryption oracle. C returns the ciphertext  on message m by a call to the proxy signcryption algorithm.
Unsigncryption queries: A submits a query of the tuple <   ,   ,   ,  > to the unsigncryption oracle. C returns a plaintext m or a symbol ⊥ by a call to the unsigncryption algorithm.
Challenge. At the end of Phase 1, the adversary outputs two messages <  0 ,

Concrete Protocol
In this section, we devise a concrete example of the universally composable IBPSP; its algorithm details are described as follows.
4.1. Setup. In this system initialization algorithm with the input $1^k$, the PKG obtains the master key s and a set of system parameters  by carrying out the steps below.
Let $G_1$ denote a cyclic additive group of prime order $q$ and let $G_2$ denote a cyclic multiplicative group of the same prime order. Moreover, $P$ is a generator of the additive group $G_1$ and $e: G_1 \times G_1 \to G_2$ is a bilinear map. The PKG chooses four cryptographic hash functions: Then the PKG selects a random  ∈  *  as the system master key and calculates the system public key  = . Finally, the PKG keeps the master key s secret but publishes a set of the system parameters

Extract.
In this extraction algorithm with the input  and an identity I i (i is a, b, p) of some user, the PKG carries out the following calculations to obtain this user's public key and private key. Concretely speaking, the PKG calculates the public and private key for the original signcrypter with identity I a as follows: In the same manner, the PKG calculates the public and private key for the proxy signcrypter with identity I p as follows: We also readily obtain the public and private key for the receiver with identity I b as follows: After that, the original signcrypter delivers the triple <   , ,   > to the proxy signcrypter with identity I p . Upon receiving <   , ,   >, the proxy signcrypter verifies whether the equality holds as below: If the verification is true, the proxy signcrypter calculates the proxy signcryption key Finally, the ciphertext  =< ,   , ,   ,   > is sent to the receiver.
Finally, this receiver checks whether the verification equality holds as follows: If the above verification is true, this illustrates that  is valid; otherwise, it is invalid.
It is easy for us to verify the correctness of our concrete protocol instance using three equalities as follows:

Analysis of Semantic Security
In this section, we describe the proof process of the confidentiality and unforgeability of our protocol instance in the random oracle model.

Theorem 6. If no probabilistic polynomial time adversary A wins IND-IBPS-CCA2 in
Proof. Assume the algorithm C obtains a random instance < , , ,  > of the gap BDH problem, and the purpose of C is to determine  = (, )  ∈  2 . For this purpose, C runs the adversary A as a subroutine and plays the role of its challenger in the following interactive game.
At the start of the game, C runs the system initialization algorithm with the security parameter k and obtains a set of system parameters  with  = . Then C delivers  to the adversary. In the whole game, C maintains five lists L 1 ∼ L 4 and L ap which are empty in the beginning; L 1 ∼ L 4 are used to trace the h i (i=1,2,3,4) oracle and L ap is used to trace the extraction oracle and proxy key generation oracle.
Phase 1. A submits a polynomially bounded number of queries in an adaptive fashion.
h 1 queries: C first selects an identity   (1 ≤  ≤  1 ) as the target identity in the challenge phase. Bear in mind that l 1 is the number of queries to the h 1 oracle. Let  be the probability of   =   , and the value of  will be determined later. A submits a query of identity I i to the h 1 oracle. If there is a matching tuple in the list L 1 , C returns the public key Y i as the answer; otherwise, C considers two cases as the response to this query.

Case 1. If it is the th query, C sets   = ℎ 1 (  ) = . It then delivers public key Y i to the adversary and records <   ,   , −, − > to the list L 1 .
Case 2. If it is not the th query, C uses a random   ∈  *  of its choice to calculate   = ℎ 1 (  ) =   . It then returns   as the answer and records <   ,   ,   , − > to the list L 1 .
h 2 queries: A submits a query to the h 2 oracle. If there is a matching tuple in the list L 2 , C returns f as the answer; otherwise, C returns a random  ∈  *  of its choice and records <   ,   ,  > to the list L 2 .
h 3 queries: A submits a query to the h 3 oracle. If there exists a matching tuple in the list L 3 , C returns  as the answer; otherwise, C returns a random  ∈ {0, 1}  of its choice and records <   , ,   ,  > to the list L 3 .
h 4 queries: A submits a query to the h 4 oracle. If there is a matching tuple in the list L 4 , C delivers  to the adversary; otherwise, C returns a random  ∈  *  of its choice and stores < ,   ,   ,   ,   , ,  > to the list L 4 .
Extraction queries: A submits a query of identity   to the extraction oracle. C terminates this simulation if   =   ; otherwise, C calculates   =    =    and then returns <   ,   > and stores <   ,   ,   ,   > into the list L 1 .
Proxy key queries: A submits a proxy key query of the triple <   ,   ,   >. Let us assume the adversary has made the h 1 and h 2 oracle queries along with key extraction queries before the proxy key query. If   =   , C terminates this simulation; otherwise, C makes use of a random   ∈  *  of its choice to calculate If the verification equality (, ) = (,   )  holds, C calculates the proxy key S ap using the equality as below and delivers S ap to the adversary. Eventually, C stores <   ,   ,   ,  > into the list L ap .
Proxy signcryption queries: Assume the adversary has made various hash oracle queries together with the extraction and proxy key generation query before a proxy signcryption query. A requests a query of <   ,   ,   ,   ,  > to the proxy signcryption oracle. C considers two cases as the response to this proxy signcryption query. It is easy for the adversary to verify the validity of the ciphertext  using the equality as below.
Unsigncryption queries: Assume A has queried various hash oracles together with the extraction oracle and proxy key generation oracle before an unsigncryption query. A requests an unsigncryption query of the tuple <   ,   ,   ,   ,  >. C considers two cases as the response to this unsigncryption query.
According to the detailed description in the interactive game, we have that the probability of C not terminating the simulation in the first phase or second phase is    +  . And the probability of C not terminating the simulation in the challenge phase is 1-. Thus, the probability of C not terminating the simulation is    +  (1-) whose value is maximized at Referring to the method of the probability analysis in [20], we obtain that the probability of C not terminating the simulation is at least At the same time, the probability of the adversary querying the h 3 oracle is 1/l 3 . Hence, the probability of C in solving the gap BDH problem is at least If the adversary succeeds with probability , C can solve the gap BDH problem with probability   . This contradicts the initial gap BDH assumption. Therefore,  must be negligible if the gap BDH problem is hard.
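The h 1 and extraction-oracle simulation from the proof above, as an added example that is not code from the paper. The right-hand sides of the simulation equations are missing on this page, so the sketch assumes the usual embedding (system public key set to aP, target identity hashed to bP, every other identity hashed to x_i P with known x_i, private key x_i · aP); `H1Simulator`, `pkg_extract`, and the toy group parameters are hypothetical.

```python
import secrets

# Toy Schnorr group, constructed for illustration only: P_MOD = 2*Q + 1 and
# G generates the subgroup of prime order Q. The group is written
# multiplicatively, so the paper's additive "xP" is pow(G, x, P_MOD) here.
P_MOD, Q, G = 2039, 1019, 4


class SimulationAbort(Exception):
    """Raised when C is asked for a key it cannot compute and must stop."""


def pkg_extract(master_key, y_i):
    """What a real PKG holding the master key would output: S_i = s * Y_i."""
    return pow(y_i, master_key, P_MOD)


class H1Simulator:
    """Challenger C, holding aP and bP from the instance but neither a nor b.

    Assumption (the page elides these values): the system public key is aP,
    the target identity hashes to bP, every other identity hashes to x_i * P.
    """

    def __init__(self, a_p, b_p, target_index):
        self.p_pub = a_p                  # system public key := aP
        self.b_p = b_p
        self.target_index = target_index  # C's guess for the challenge identity
        self.fresh = 0                    # number of distinct h1 queries so far
        self.L1 = {}                      # identity -> [Y_i, x_i, S_i]

    def h1(self, identity):
        if identity in self.L1:           # matching tuple: answer consistently
            return self.L1[identity][0]
        self.fresh += 1
        if self.fresh == self.target_index:
            entry = [self.b_p, None, None]          # Case 1: no trapdoor x_i
        else:
            x_i = secrets.randbelow(Q - 1) + 1      # Case 2: x_i in Z_q^*
            entry = [pow(G, x_i, P_MOD), x_i, None]
        self.L1[identity] = entry
        return entry[0]

    def extract(self, identity):
        y_i = self.h1(identity)
        entry = self.L1[identity]
        if entry[1] is None:              # target identity: C cannot answer
            raise SimulationAbort(identity)
        # x_i * (aP) equals a * (x_i P) = a * Y_i, so a is never needed.
        entry[2] = pow(self.p_pub, entry[1], P_MOD)
        return y_i, entry[2]


def demo():
    a, b = 123, 456                       # constructed instance; hidden from C
    sim = H1Simulator(pow(G, a, P_MOD), pow(G, b, P_MOD), target_index=2)
    y_alice, s_alice = sim.extract("alice")      # first fresh h1 query
    y_bob = sim.h1("bob")                        # second fresh query: target
    try:
        sim.extract("bob")
        aborted = False
    except SimulationAbort:
        aborted = True
    return s_alice == pkg_extract(a, y_alice), y_bob == pow(G, b, P_MOD), aborted


if __name__ == "__main__":
    print(demo())
```

The simulated private keys are identical to what a PKG holding the master key would issue, which is why the adversary cannot tell the simulation from the real game until it asks for the target identity's key.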

Theorem 7. If no probabilistic polynomial time adversary $A_p$ (or $A_o$) wins UF-IBPS-CMA-I (or UF-IBPS-CMA-II) with nonnegligible advantage  by making l i queries to the h i (i=1,2,3,4) oracle, l e queries to the extraction oracle, l ap queries to the proxy key generation oracle, and l usc queries to the unsigncryption oracle, then there exist two cases. (1) In UF-IBPS-CMA-I, there exists an algorithm C which can solve the CDH problem with the advantage  1 , where (2) In UF-IBPS-CMA-II, there is an algorithm C which can solve the CDH problem with the advantage  2 , where
Proof. Given a random instance < , ,  > of the CDH problem, the aim of C is to determine the value of  ∈  1 . In order to achieve this aim, the algorithm C runs the adversary A  or A  as a subroutine and plays the role of the challenger of A  or A  in the interactive game.
Initial. C obtains a set of system parameters  with  =  by a call to the initialization algorithm and delivers  to A  or A  . In the interactive game, C needs to maintain five lists L 1 ∼ L 4 and L ap which are empty in the beginning, and these lists are used to trace the relevant random oracles.
Queries. These are the same as those in Phase 1 in Theorem 6.
Forgery. At the end of these queries, the response to the forgery is described as follows.
Theorem 10. In the UC framework,   satisfies the existential unforgeability against adaptive chosen-message attacks.
Proof.Assume there exists a forger.Here we construct an environment Z and an adversary A such that, for any adversary A, Z cannot tell with nonnegligible probability whether it interacts with  IBPSP and A in the real-life model or with F IBPSP and S in the ideal model.
Z proceeds as below.On receiving a request on proxy signcryption of A, Z activates   and outputs the ciphertext  to A. On receiving a request on unsigncryption of A, Z activates   and outputs < ,  > to A.
A proceeds as follows. A first invokes the forger. As the forger requests to signcrypt a message m, A requests Z to signcrypt a message m and outputs the ciphertext   to the forger. On receiving a request on unsigncryption of the forger, A requests Z to unsigncrypt   and outputs <   ,  > to A and simultaneously delivers   to the forger. Once the forger receives   and  = 1, then the forgery   is valid and at this time Z outputs  = 1. Clearly, if the forger wins UF-IBPS-CMA-I or UF-IBPS-CMA-II with probability , then the forger can succeed in forging valid proxy signcryption. Assume that such a forger exists with nonnegligible probability ; then the probability that Z outputs  = 1 is nonnegligible. However, the probability that Z outputs  = 1 is always equal to zero in the ideal model. In other words, if such a forger exists, Z can always tell with nonnegligible probability whether it interacts with  IBPSP and A or with F IBPSP and S. This contradicts the initial assumption in Theorem 10. As mentioned above, such a forger cannot exist; that is to say,  IBPSP satisfies the existential unforgeability against adaptive chosen-message attacks in the UC framework.

Efficiency Analysis
In this section, we compare our protocol with similar protocols in terms of computational complexity together with UC security and semantic security (see Table 1). In Table 1, E is one exponent operation, P is one pairing operation in G 2 , M is one scalar multiplication operation in G 1 , and H is one hash operation. Moreover, "√" means that a cryptographic protocol satisfies the relevant security and "×" means that a cryptographic protocol does not satisfy the relevant security.
Let   denote the time cost of one hash operation. According to the literature [21], we can summarize and deduce the time cost of all operations as follows: P ≈ 1440  , E ≈ 21  , M ≈ 29  , and H ≈   . We can readily obtain that the time cost of our protocol is 10323   . Following the comparison analysis, there are 13253   and 14640   in protocols [4,19], respectively.
From the comparison in Table 1, we obtain that the computation cost of our IBPSP is lower than those of other protocols. It is known from Table 1 that our IBPSP has both semantic security and UC security, but other protocols cannot guarantee the security in the UC framework. All the protocols in Table 1 satisfy the semantic security in the random oracle model.

Summary
The UC security framework provides the theoretical basis for the design of protocols in a complex and unpredictable environment. In this paper, we construct an IBPSP with universal composability and prove its semantic security in the random oracle model. We also define the ideal functionality of the IBPSP and prove the equivalence between IBPSP with universal composability and its IND-CCA2 and UF-CMA security. Our IBPSP can guarantee security even when it is composed of an arbitrary set of protocols, or when it is used as a component of an arbitrary system. What is more, our IBPSP can guarantee security even when it concurrently runs with an unbounded number of protocol instances.

Case 1. If   ≠   , C obtains a ciphertext  by a call to the actual proxy signcryption algorithm and delivers this ciphertext to the adversary.
Case 2. If   =   , C selects two random values ,   ∈  *  and calculates   =    −   =  (  ,   ) .

Case 1. If   ≠   , C returns a result by a call to the actual unsigncryption algorithm.
Case 2. If   =   , C goes over the list L 3 to seek the tuple <   ,   , ,  > for different R such that O  returns 1 when the adversary made a query on < ,   ,   ,  >. If there exists this case, C calculates  =  ⊕   = ℎ 4 (,   ,   ,   ,   , ) .
checks whether the verification equality holds as below: (, ) =  (, ℎ 2 (  ,   )   +   )   (  ,   ) . (26)
If the verification is true, C returns m; otherwise, C returns ⊥.
Challenge. As the adversary decides to end the first phase, it outputs m 0 and m 1 with the same length along with the tuple <  
Analysis of probability. In the following, we analyze the success probability of C in solving the gap BDH problem.

determine the value of $e(P, P)^{abc} \in G_2$ with the help of $O_{DBDH}$.
1 ×  1 →  2 is a bilinear map with the properties as below:

Phase 2. A makes another sequence of queries in an adaptive fashion as in the first phase. C answers these queries as in the first phase. However, the adversary cannot extract the private key of identity   * and cannot make the unsigncryption query on  * . At the end of the game, the adversary outputs a guess   ∈ {0, 1}. If  =   , this shows that the adversary wins IND-IBPS-CCA2 above.
For the unforgeability of the universally composable IBPSP, we adopt the UF-CMA security model. Keep in mind that, in the security models, A  is in possession of the private key of the proxy signcrypter and A  owns the private key of the original signcrypter.
This is an interactive game performed between an adversary A  and a challenger C. First of all, C generates a set of system parameters  and the master key s by a call to Setup($1^k$). It then keeps s secret but delivers  to the adversary. Queries. A  makes a polynomially bounded number of queries in an adaptive manner as in the first phase in IND-IBPS-CCA2. Moreover, C answers these queries as in the first phase in IND-IBPS-CCA2. Forgery. At the end of queries, A  outputs a forged ciphertext <  
This is an interactive game performed between an adversary A  and a challenger C. First of all, C obtains the master key s and a set of system parameters  by a call to Setup($1^k$). It then returns  to the adversary but keeps s secret. Queries. A  adaptively makes a polynomially bounded number of queries as in Phase 1 in IND-IBPS-CCA2. C answers these queries as in Phase 1 in IND-IBPS-CCA2. Forgery. At the end of queries, A  outputs a forged ciphertext <   * ,   * ,   * ,  * > to C. In queries, A  cannot extract the private key of identity   * . If the verification equality holds, this shows that A  wins UF-IBPS-CMA-II.
Definition 5 (unforgeability). A universally composable IBPSP is said to have UF-CMA-I security if no probabilistic polynomial time adversary A  wins UF-IBPS-CMA-I with nonnegligible advantage. In a similar manner, a universally composable IBPSP is said to have UF-CMA-II security if no probabilistic polynomial time adversary A  wins UF-IBPS-CMA-II with nonnegligible advantage. Hence, a universally composable IBPSP is UF-CMA secure if it is both UF-CMA-I and UF-CMA-II secure.
* . C selects a random  ∈ {0,1} and obtains a challenge ciphertext  * on message   by a call to the proxy signcryption algorithm. Finally, C returns  * as the answer.
UF-IBPS-CMA-I: * ,   * ,   * ,  * > to C. In queries, A  cannot issue the private key query of identity   * . If the unsigncryption verification equality holds, this indicates that A  wins UF-IBPS-CMA-I.
UF-IBPS-CMA-II: The original signcrypter selects a random   ∈   * and calculates   =      = ℎ 2 (  ,   )   .
4.3. PKeyGen. In this proxy key generation algorithm with the input < ,   ,   >, the original signcrypter with identity I a generates an authorization certificate   which includes the identity information of the original signcrypter and proxy signcrypter together with other restrictions.
In this proxy signcryption algorithm with the input < , ,   ,   ,   ,   ,   ,   ,   >, the proxy signcrypter with identity I p obtains a ciphertext  on message m and delivers it to the receiver with identity I b .Concretely speaking, the proxy signcrypter selects a random   ∈  *  to set   =    and then continues to calculate  =  (,   ) (  ,   , )  = ℎ 4 (,   ,   ,   ,   , )  =   +     .

Table 1: Comparison of computational efficiency and security.

When the queries are over, A  outputs a forged ciphertext  In queries, A  cannot extract the private key of identity   * and  * should not be the response of any proxy signcryption oracle query made by A  . C considers two cases as the response to this query. Case 1. If   * =   and   * =   , C terminates this simulation. > and  * =  from the list L 1 . Then C outputs the solution of the CDH problem instance

can obtain the same information with A. That is to say, when S makes the proxy signcryption, S can perfectly simulate   that is corrupt. Event 4:   and   are both corrupt. In this case, S can obtain all their input information; i.e., S can generate real data to simulate the execution of protocol.