Homomorphic signcryption with public plaintext-result checkability

Signcryption originally proposed by Zheng (CRYPTO 0 97) is a useful cryptographic primitive that provides strong confidentiality and integrity guarantees. This article addresses the question whether it is possible to homomorphically compute arbitrary functions on signcrypted data. The answer is affirmative and a new cryptographic primitive, homomorphic signcryption (HSC) with public plaintext ‐ result checkability is proposed that allows both to evaluate arbitrary functions over signcrypted data and makes it possible for anyone to publicly test whether a given ciphertext is the signcryption of the message under the key. Two notions of message privacy are also investigated: weak message privacy and message privacy depending on whether the original signcryptions used in the evaluation are disclosed or not. More precisely, the contributions are two ‐ fold: (i) two different


| Our Motivation
Rezeibagha et al. [10] introduced the concept of an additive homomorphic signcryption and gave a concrete construction, which is proven to be secure against chosen plaintext attacks (IND-CPA) and achieves weak unforgeability under the DDH assumption and the CDH assumption, respectively.However, the notion of homomorphic signcryption (HSC) proposed in [10], is only limited in additive operations and is not general to capture homomorphic evaluations for any function.Furthermore, Rezaeibagha et al.'s additive HSC scheme allows only private verification of the derived (homomorphically computed) signcryptions, that is, the verification can only be performed by the intended receiver.Moreover, it only achieves weak unforgeability, which requires that the adversary is not allowed to perform signcryption queries to the challenger.
In this article, we go beyond the additive homomorphic signcryption notion and introduce new primitive homomorphic signcryptions for any function, which allows computations for any function (arbitrary circuits) on the signcrypted data and provides public plaintext-result checkability for the derived signcryptions.We also investigate how to define the message privacy notion in the homomorphic evaluation setting.
Informally, an example of performing computations on signcrypted data can be described as follows (depicted in Figure 1).The sender (Alice) has a dataset m 1 , …, m k of size k, for instance, the weights of k persons.For convenience, we write m !≔ ðm 1 ; …; m k Þ.She independently signcrypts each data m i associated with a tag and an index using her secret key sk S and the receiver's (Bob) public key sk R .Namely, Alice signcrypts the triple ('weight', m i , i) for i = 1, …, k and obtains k independent signcryptions c 1 , …, c k , where i is the index of m i in the dataset and 'weight' serves as a tag that names the dataset.For simplicity, we write c ! ≔ ðc 1 ; …; c k Þ.However, restricted by limited computational resources and space, Alice uploads her signcryptions c ! to a powerful server and delegates the (expensive and complicated) computation of the function f to the server using an evaluation key ek.To compute a function f, the server employs the algorithm Evaluate that uses c ! and f to derive a signcryption c f,y on the triple: "weight"; y : ¼f ðm 1 ; …; m k Þ; 〈f 〉 ð Þ, where 〈f〉 is a string describing the function f uniquely.Note that Evaluate does not require access to the original dataset m !but only works on the signcryptions themselves.Then, the server may send the derived signcryption c f,y to Bob. Bob using his secret key sk R together with Alice's public key pk S can obtain the message y.Given the pair (y, c f,y ), anyone can check with the public verification key vk that the server correctly applied f to the dataset by verifying that c f,y is a valid signcryption on a given triple "weight"; f ðm !Þ; 〈f 〉 À � , without performing the expensive computations of the function f on the original dataset m !, to compute the value y.The verification on a pair (y, c f,y ) achieves public plaintext-result checkability by allowing anyone to test whether a derived signcryption c f,y is a signcryption of the result y which is the correct output of the computation f over Alice's data that is, y ¼ f ðm !Þ.We describe the precise definitions of the syntax and the security later.

| Our contributions
In this article, we introduce for the first time the notion of homomorphic signcryption with public plaintext-result checkability that can evaluate arbitrary circuits over signcrypted data.We also define security notions in terms of both unforgeability and message privacy.We give two definitions for HSC depending on whether the homomorphic computation process is performed publicly (i.e., by anyone who has access to the public information) or privately (i.e., only by the one knowing the secret evaluation key), while in both cases the plaintextresult-checkability is performed publicly.For each case of public or private evaluation, we provide a construction and prove its security regarding unforgeability as well as message privacy.
Next, let us briefly describe the two important propertiesnamely, public plaintext-result-checkability and message privacy, which our homomorphic signcryption enjoys.
Public Plaintext-Result Checkability.It is to be noted that in a traditional signcryption scheme, by employing the unsigncryption algorithm (that uses the receiver's secret key) on the signcrypted data, either the original message m ! or ⊥ is returned *.We notice that the signcryption allows a specific user having access to the receiver's secret key, to test whether a given signcryption originates from the given message under the sender's public key.
In our homomorphic signcryption primitive, we go beyond the plaintext-result checkability for a specified user, and provide a functionality of public plaintext-result checkability that anyone can test whether a (either derived or original) signcryption is the signcryption of a given message (possibly the outcome of a function) under the sender's public key.Looking ahead, we will see that such public plaintext-result checkability is achieved by a verification algorithm.
Message Privacy.Message privacy in the original (traditional) signcryption [1] means that even if the sender's private key is leaked to an attacker, the attacker cannot tell which message the signcryption challenge c* is corresponding to, m 0 or m 1 that are chosen by the attacker.In our proposed HSC, we achieve a notion of message privacy, which guarantees that even if we publish the pair (c f,y , y), where c f,y certifies y as the output of some computation f over a dataset m !, no information is revealed about the data m !, beyond what is revealed by y and f.Our definition for message privacy is presented in a way that given signcryptions on m !b (where b ∈{0, 1} and thus m !b is one of two different datasets m !0 ; m ! 1 ), the attacker cannot tell from which dataset the derived signcryptions c f,y came from, f ðm !0 Þ or f ðm ! 1 Þ for some function f known to the attacker.However, to achieve a formal definition of message privacy for our HSC is a challenging problem because the public verification algorithm is able to operate on the signcryptions of messages for any function of the adversary's choice, which makes it easy for an adversary to find a function f * such that In consequence to avoid such a trivial attack described above, we define two notions of message privacy-namely weak message privacy and standard message privacy for HSC with public verification.In the notion of weak message privacy, we assume that the original signcryptions c ! b on the dataset m !b are not published (while the final signcryption is published), in which case the homomorphic operation is public.In the standard message privacy, we require c ! b to be exposed to the adversary but the homomorphic operation is privately performed by the challenger, rather than being available to the adversary.

| Challenges in designing an HSC
To describe some challenges faced when designing an HSC scheme, let us consider a naive HSC scheme, which simply outputs the concatenation of a message x and a signature σ, that is, x‖σ as the signcryption of x; where σ is a signature on x using an HS scheme.The publicly homomorphic evaluation for HSC on different elements x‖σ proceeds by using the evaluation algorithm of HS to homomorphically compute the signature σ f,y for y ¼ f ð x !Þ in a straightforward manner.This appears to satisfy the unforgeability of HSC due to the unforgeability of HS.Furthermore, from the definition of the weak message privacy for HSC that the adversary will be given the derived signcryption σ f,y but not get access to the original signcryption x‖σ, it seems that the message x is not revealed.However, this is only true when the underlying HS is contexthiding, which means the derived signature σ f,y does not leak any information about x ! .In other words, if the underlying HS is unforgeable and context-hiding, then the concatenation of a message and the corresponding signature is a trivial way to build a weak message private HSC scheme.Nevertheless, if given an HS that satisfies the basic homomorphism requirement, but not context hiding (which is an additionally advanced requirement, since to achieve it, either an additional assumption, i.e., existence of NIZKPoK (non-interactive zeroknowledge proof of knowledge), or a context-hiding homomorphic trapdoor function is needed [7]), a challenging question is how to address the issue of maintaining no leakage on x !from σ f,y .In this article, we propose a construction of HSC with weak message privacy in a public evaluation setting from HS scheme without the context-hiding property.
A similar intuition can be given for HSC schemes with private evaluation.In this case, we might consider a scheme similar to the one described above, but in which we set the signcryption to be the ciphertext of x‖σ under a public key encryption (PKE) scheme, denoted as c x,σ .Then, the evaluation key will correspond to the private key for the PKE, and the evaluator simply decrypts, and evaluates the HRs using the appropriate function f to obtain a derived signature σ f,y , and then releases the result y ¼ f ð x !Þ concatenated with σ f,y .Note that despite given access to the original signcrytion c x,σ , the adversary still cannot learn the plaintext x since the employed PKE scheme is secure.Then as given above, this scheme appears to satisfy the normal message privacy for HSC with private evaluation.Unfortunately, such an assertion still relies on the context-hiding property of the underlying HS.The problem of building an HSC scheme with message privacy in a private evaluation setting arises when assuming the HS scheme is unforgeable but not context-hiding.

| Summary of our constructions
Let us now describe our solution for constructing HSC from an HS scheme without the context-hiding property.At first, we provide a construction of a homomorphic signcryption scheme with public plaintext-result-checkability in a public evaluation setting achieving unforgeability and weak message privacy, assuming the existence of HSsHS, PKE, indistinguishability obfuscation and statistical simulation-soundness non-interactive zero-knowledge proof (SSS-NIZK) for NP languages.The core idea of our construction is to apply the sequential composition method by signing the message using the underlying HS scheme first, then encrypting the concatenation of the message and the signature.The evaluation algorithm of the HS scheme naturally provides a way to homomorphically derive a signature σ f,y from the signature σ x ! of the data x !, which certifies that y is the correct output of the computation f over the signed data x ! .Nevertheless, the challenge is how to perform homomorphic evaluation over the encrypted signature (signcryption) c x !≔ Encðσ x !Þ of the data x !without the decryption key.We employ indistinguishability obfuscation to resolve this problem by embedding the secret decryption key in an obfuscated programme, whose functionality is to decrypt the input signcryption so as to recover the underlying signatures first, and then from them to derive the signature σ f,y that corresponds to the message y Anyone can verify the tuple (f, y, σ f,y ) using the HS's public verification algorithm, thus testing whether y is the correct output of the computation f over x ! .
For an outsider adversary, who does not know the receiver's secret key, unforgeability can be achieved from the existential unforgeability property of the underlying HS scheme directly.Moreover, it is shown that our construction achieves weak message privacy, which requires that given not only the signcryptions on a number of messages derived from two different datasets for some function known to the attacker but also access to an unsigncryption oracle and the secret signcryption key, the attacker is not able to tell which dataset the derived signatures came from.
We then show how to use an HS together with a public key functional encryption (FE) to construct a homomorphic signcryption scheme with public plaintext-result-checkability in a private evaluation setting with unforgeability and message privacy.Employing the same sequential composition method of signing then encrypting, we instantiate with an HS scheme as before, while the underlying encryption is replaced with a public functional encryption scheme.To perform homomorphic evaluation over the encrypted signature (signcryption) c x !≔ Encðσ x !Þ of the data x ! in case of having no access to the decryption key, we take advantage of the functional secret key for a function whose functionality is the following: if the message-signature pair ð x ! ; σ x !Þ (i.e.underlay in c x !) is verified, then it returns a function value y resulting from the function f applied on x !, as well as a signature σ y,f that is derived from the original signatures σ x !over the plaintext data x ! for a function f.This is achieved by employing the evaluation algorithm of HS and certifying the result value y.Furthermore, to publicly verify the validity of the signcryption c y,f on the data y, we use the function secret key for another function, whose functionality is to directly check the validity of (f, y, σ f,y ) by using the HS's public verification algorithm.
For an outsider adversary, unforgeability can be achieved from the unforgeability of underlying HS directly.Moreover, we define the notion of message privacy of HSC in a private evaluation setting, which requires that given not only the signcryptions on a number of messages derived from two different datasets for some function known to the attacker, but also the original signcryption on both two datasets and access to the signcryption and evaluation oracles, the attacker is not able to tell which dataset the derived signatures came from.We prove that message privacy is preserved based on the IND-CPA security of the base functional encryption scheme.
Implementation and practical aspects.Due to the building blocks that our constructions are based on, it is inevitable to discuss the practicality of obfuscation and function encryption.
As far as we know, there are several articles [11][12][13][14][15][16] investigating the practicality of programme obfuscation focussing on implementing and evaluating the performance of the obfuscators.Although the initial results required significant amounts of time to implement programme obfuscation [11,12,14], there are some recent advances that are very promising.More precisely, Cousins et al. [16] implemented obfuscation for conjunction programme satisfying distributional virtual black box (VBB) security.The obfuscation for a 64-bit conjunction programme takes 6.7 h and the evaluation takes only 3.5 s.Except software-only-based approaches to implement programme obfuscation, there are also some significant advances in hardware-based approaches.Nayak et al. [15] employed a hardware-based approach to implement it which achieves simulation-secure obfuscation for RAM programs, and improves performance significantly making an important step towards deploying obfuscation technology in practice.Furtheremore, Lewi et al. [13] also implemented the Boneh et al. [17] multi-input functional encryption scheme for 2-input comparison functions and 3-input DNF (3DNF) functions.Taking 3DNF function on 16-bit inputs with security parameter 80 as an example, it takes about 12 min to compute the encryption for three 16-bit inputs, yielding the overall ciphertexts with a size of 2.5 GB.Moreover, evaluating the 3DNF function value from the overall ciphertexts only takes 3 min.
Thus, in light of the promising future on the practicality of programme obfuscation and functional encryption, we believe that our proposed homomorphic signcryption schemes are very promising and advance significantly the area of signcryption.

| Application: certified data analysis
Working with sensitive data is often a balancing act between confidentiality and integrity concerns.One question on big data is how to release some socially beneficial results on private data, while minimising the information revealed about individuals.The nature of homomorphic signcryptions is that they provide public plaintext-result-checkability, confidentiality and integrity and they are very useful in a wide variety of settings involving data processing by untrusted entities.
As an example, consider the National Institute of Health (NIH) as the role of the curator which has some sensitive medical information from a set of subjects, which various research groups (analysts) wish to examine in detail to draw conclusions from.This separation between a curator and an analyst reflects a common application scenario in large-scale studies on sensitive data, where the raw data is often hosted by a single organisation, and the data may be used multiple times by different groups for different purposes.The curator signcrypts the collected data m ! and distributes the signcrypted data c ! to various analysts for processing, so that the underlying sensitive data is authenticated and remain confidential.Some of these groups may have the intention to lie about the outcomes of their analysis.However, using homomorphic signcryptions, they can publish their analysis strategy (a function f), the claimed outcome of the analysis y = f(x), and a signcryption c f,y that certifies the correctness of the outcome.This information can be released publicly and verified by anyone using a verification key published by the NIH.When performing the verification, the verifier neither needs to have access to the underlying data nor needs to communicate with the NIH or the research groups that performed the computation.Furthermore, if such signcryptions are made to be messaged private, then it is assured that they do not reveal additional information about the underlying data beyond the analysis results.We not only go beyond the plaintext-result checkability for a specified user, and provide a public verification algorithm to achieve public plaintext-result checkability such that anyone can test whether a given ciphertext is the signcryption of a given message under the sender's public key; but also beyond the additive homomorphic signcryption notion and present a homomorphic signcryption for any function.
Linearly Homomorphic Authenticated Encryption with Public Verifiability.Linearly homomorphic authenticated encryption with public verifiability (LAEPuV), introduced by Catalano et al. [19], is a primitive approach that allows to authenticate computations on encrypted data, with the additional property that the correctness of the computations can be publicly verified.Catalano et al. have also provided an instantiation for LAEPuV in the random oracle model based on Paillier's cryptosystem.Struck et al. [20] proposed some improvements on Catalano et al.'s instantiated scheme by avoiding false negatives during the verification algorithm.
Syntactically, our notion of homomorphic signcryption bears resemblance with the primitive of LAEPuV [19] on the aspect of allowing both the homomorphic operation on the encrypted data and the decryption of the ciphertext resulted from the homomorphic evaluation.However, using our homomorphic signcryption scheme, the data is signcrypted.The main difference between our homomorphic signcryption and LAEPuV relies on the verification algorithm.More precisely, in LAEPuV [19,20] the verification algorithm is defined as Verifyðvk; id; c; f Þ and requires that the condition Verifyðvk; id; c; f Þ ¼ 1 is equivalent to ∃m; s:t: Decrypt ðsk; id; c; f Þ ¼ m.Such a correctness requirement implies that if the verification is successful, the verifier is convinced that c is an encryption of some message, but without knowing to which message c corresponds to.In contrast, the verification algorithm in our homomorphic signcryption is defined as Verifyðpk; tag; m 0 ; c 0 ; f Þ, which is employed to check the matching of a message m 0 with the corresponding signcryption c 0 .This also explains why we have different security requirements from LAEPuV.The latter only considers IND-CCA security, since their verification algorithm does not need the message as input, and in some sense it resembles the security model of an encryption scheme.However in our case, the verification algorithm itself takes the message as input, thus, we should consider the plaintext checkable attack.Therefore, we define not only the privacy for the message but also the unforgeability for the signcryption.
Furthermore, although the two instantiations of LAEPuV [19,20] are very efficient (since the homomorphic operation on the encrypted message in LAEPuV is a linear function), their security is proved in the random oracle model.On the contrary, the security of our proposed signcryption primitive is proved in the standard model and can be employed for a more general function, that is, for any polynomial size circuit, which leads to sacrificing some efficiency.
Publicly Verifiable Computation.Intuitively, it seems that our homomorphic signcryption scheme implies a publicly verifiable computation (VC) scheme that protects the secrecy of the used dataset towards the server and the verifier.In fact, to the best of our knowledge, there are no verifiable computation schemes that simultaneously achieve input privacy and provide public verifiability for arbitrary functions.Our homomorphic signcryption as a building block provides an optional method to publicly achieve VC with input privacy.
VC schemes [21][22][23] based on fully homomorphic encryption naturally offer input-output privacy, because both the inputs and outputs are encrypted.However, they do not provide public verifiability.The VC schemes using homomorphic authenticators are more restrictive with respect to the supported function class, although some solutions even provide input privacy.Homomorphic authenticator-based VC schemes are all privately verifiable and do not provide input privacy with an exception of Fiore et al.'s [24] scheme.Fiore et al. [24] showed how to combine the homomorphic MACs of [25] with a FHE scheme to construct a VC scheme for multi-variate polynomials of degree 2 that offers input privacy; however, it is privately verifiable.
Another line on studying VC is based on functional encryption or functional signatures.Parno et al. [26] showed a public VC for a class of Boolean functions F , namely functions with one-bit output, that can be constructed from any attribute-based encryption (ABE) scheme for a related class of functions-namely, F ∪ F ¯where F ¯denotes the complement of the function F .If the underlying ABE scheme is attribute hiding, then the VC scheme provides input privacy since the function's input is encoded in the attribute.However, the constructions for attribute hiding ABE is under way.Another very interesting approach is to build VC from functional signatures (FS) introduced by Boyle et al. [27].Given an FS scheme with signature size δ(λ), and verification time t(λ) (where λ is the security parameter), we can get a VC scheme in the preprocessing model with proof size δ(λ) and verification time t(λ).However, this scheme provides no input privacy, since there is no encoded processing to be carried out on the input, which means that the input is sent as plaintext to the server.

Definition 1 (Functional Encryption)
A functional encryption scheme F E over a message space X ¼ fX λ g λ∈N and a function space F ¼ fF λ g λ∈N consists of four algorithms FE:Setup; FE:Enc; ð FE:KeyGen; FE:DecÞ defined as follows: � FE:Setupð1 λ Þ → ðmpk; mskÞ: on input the security parameter λ, the setup algorithm outputs a master public key mpk and a master secret key msk.� FE:KeyGenðmsk; f Þ → SK f : on input the master secret key msk and a function f ∈ F λ , the key generation algorithm outputs a functional key SK f .� FE:Encðmpk; xÞ → CT: on input the master public key mpk and a plaintext x ∈ X λ , the encryption algorithm outputs a ciphertext CT. � FE:DecðSK f ; CTÞ → y: on input the functional key SK f corresponding to the function f and the ciphertext CT, the decryption algorithm outputs a value y.

Correctness.
A functional encryption scheme F E is correct for a class of functions F if for any f ∈ F , any pair of master keys ðmpk; mskÞ ← FE:Setupð1 λ Þ, any functional key

| Homomorphic signature
In this subsection, we recall the syntax and security definition of homomorphic signatures as originally introduced by Boneh and Freeman [6].We denote the message space by M, and let f : M k → M denote a function that takes k messages and outputs a result message in M. Definition 2 (Homomorphic Signature [6]) A homomorphic signature scheme for the function family F is a tuple of probabilistic, polynomial-time algorithms HS ¼ ðSetup; Sign; Verify; EvaluateÞ as follows: � Setupð1 λ ; kÞ: Takes as inputs the security parameter λ and a maximum size k of a dataset whose messages can be signed.Outputs a public key pk and a secret key sk.The public key pk defines a message space M, a signature space Σ, and a set F of functions f : M k → M. � Signðsk; tag; m; iÞ: Takes as inputs a secret key sk, a tag tag ∈ f0; 1g λ , a message m ∈ M and its corresponding index i ∈ [k], and outputs a signature σ ∈ Σ. � Evaluateðpk; tag; f ; σ !Þ: Takes as inputs a public key pk, a tag tag ∈ f0; 1g λ , a function f ∈ F , and a tuple of signatures σ !∈ Σ k , and outputs a signature σ 0 ∈ Σ.
The tags are used to distinguish different datasets so that only signatures with matching tags can be employed to perform homomorphic evaluations.A tag is a bit-string of length λ that is randomly chosen from {0,1} λ .[6]) The F -homomorphic signature HS is correct, if for any tag tag ∈ f0; 1g λ , any

and any index i ∈ [k], we have
where ðpk; skÞ ← Setupð1 λ ; kÞ; σ i ← Signðsk; tag; m; iÞ for i ∈ [k].Note that the function f can also be a projection function P i , that is, P i (m 1 , …, m k ) = m i , which means that the correctness also must hold for original signatures.We use the notion of existential unforgeability under chosen dataset attacks in [6] to describe the unforgeable security definition of homomorphic signatures, which requires the adversary to query all the messages in a dataset at once.[6] -a randomly chosen dataset tag tag i ∈ 0; 1 f g λ ; -a signature vector σ

Definition 4 (Unforgeability
Context hiding, as a desirable privacy property for a homomorphic signature, requires that a signature that certifies y as the outcome of some computation f over original data should not reveal anything about the underlying data beyond the function value y.The full context hiding property of HS was first proposed by Ahn et al. [32] to capture a notion of privacy that the derived signature σ !(i.e., signature produced homomorphically from the signatures σ 1 , σ 2 , …, σ k corresponding to the data m 1 , m 2 , …, m k ) is required to have the same distribution with the fresh signature σ y generated by computing the signature of the message y = f(m 1 , m 2 , …, m k ), even if the original signatures (σ 1 , σ 2 , …, σ k ) are disclosed to the adversary.Then, Boneh et al. [6] defined a weak context-hiding property which captures the idea that the given signatures on a number of messages derived from two different datasets, the attacker cannot tell which dataset the derived signatures came from.They call it as a 'weak' context hiding since the original signatures on the dataset are not exposed to the adversary.Note that since the privacy property of homomorphic signature is not required in our article, here we omit its formal definition.

| Indistinguishability obfuscation
Here, we recall the notion of indistinguishability obfuscation which was originally proposed by Barak et al. [33].The formal definition we present below is from [34].
Definition 5 (Indistinguishability obfuscation [34]) We say that a signcryption scheme as above is F -homomorphic, or homomorphic with respect to F .For simplicity, we assume in our homomorphic signcryption systems all data sets are composed of exact k items.

| Unforgeability
The security model for homomorphic signcryptions in a public evaluation setting allows an adversary to get access to the signcryption oracle by submitting datasets of his choice which contains up to k messages and obtaining the signcryptions as responses along with a randomly selected tag tag for each dataset that is queried.Meanwhile, the adversary is allowed to have access to the unsigncryption oracle by issuing queries on the signcryptions of his choice and receiving the original message m back.The adversary wins the game if he outputs a message-signcryption pair (m*, c*) as well as a tag tag � and a function f* as a forgery.To win the game, the forgery should be one of the following two distinct types of forgeries.In a type 1 forgery, the signcryption c* is a valid signcryption of a message m* associated with the tag tag � , which has not been chosen as a tag for the dataset queried to the signcryption oracle earlier.This corresponds to the usual notion of a signcryption forgery.In a type 2 forgery, the pair (m*, c*) verifies for some dataset that has been queried to the signcryption oracle, but for which m* is not equal to the outcome of f* applied to the queried messages.
Remark 1 Our security model requires that all k messages in a dataset is signcrypted at once.

Remark 2 While the adversary can always compute the message m* by querying the unsigncryption oracle with c*, if the adversary is able to forge a valid signcryption c*, he always can obtain the message m* by
querying the unsigncryption oracle.Thus, we only require that for the type 1 forgery ðtag � ; m � ; c � ; f � Þ the corresponding tag tag � of message m* has never been chosen as a tag for the dataset queried to the signcryption oracle, while a signcrypted message c* might has been queried to the unsigncryption oracle.

| Weak message privacy
Our definition of message privacy for homomorphic signcryption is defined in a game.Given the access to the signcryption oracle as well as the unsigncryption oracle, the adversary has to come up with two equal-length messages m !� 0 and m !� 1 along with a sequence of functions f 1 , …, f s .One of ðm !� 0 ; m !� 1 Þ will be signcrypted at random, and the signcryption challenge b c � i will be generated by the homomorphic evaluation algorithm for the function f i from the original signcryption c � b on message m !� b .Only the derived signcryption b c � i for all i ∈ [s] will be given to the adversary and then, the adversary has to guess which message was signcrypted.We call it weak message privacy since we require that the original signcryptions on the dataset are not disclosed to the adversary.Note that there is no need for A to ask its unsigncryption oracle for any query c which is the same as any one of b c i (for i ∈ [s]) returned as the challenged signcryptions, since it already knows the answer

Definition 8 (Weak Message Privacy) An F -homomorphic signcryption scheme HSC in a public evaluation setting is weakly message private if for all k no PPT adversary
The adversary A wins the game if b = b 0 .
We also consider a selective variant of message privacy.The selectively weak message privacy game is equivalent to the above one with the exception that the attacker must declare the challenge messages m !� 0 ; m !� 1 at the very beginning before it sees the public parameters.

Definition 9 (Selectively Weak Message Privacy)
An F -homomorphic signcryption scheme HSC is selectively weak message private for all PPT adversaries A, if the advantage of A is negligible in the selective weak message privacy game.

| Construction of an HSC in a public evaluation setting
In this section, we present an HSC scheme in a public evaluation setting from the HS scheme without the context-hiding property based on indistinguishability obfuscation.Our construction relies on the following building blocks: � Generate two independent key-pairs of PKE, that is, the programme Prog V defined in Figure 2a and programme Prog E defined in Figure 2b;  Correctness.Correctness of our HSC scheme follows immediately from the correctness of the iO, PKE system, SSS-NIZK, HS scheme and the description of the programme template Prog V and Prog E .

Theorem 1 Assuming the underlying homomorphic signature scheme HS is existentially unforgeable against chosen message attacks as defined in Definition
The description of the programs Prog V and Prog E 4, the homomorphic signcryption scheme described above satisfies unforgeability against chosen message attacks as defined in Definition 7.

Proof: Let us fix a PPT adversary A Unf
HSC attacking the unforgeability security of the HSC scheme built above.We will use A Unf HSC to construct an adversary A Unf HS such that, if A Unf HSC wins in the unforgeability game for our HSC scheme given above with non-negligible probability, then A Unf HS breaks the underlying homomorphic signature scheme HS, which is assumed to be existentially unforgeable against chosen message attacks.
We now describe the constructed homomorphic signature adversary, A Unf HS .In the security game for the HS scheme, A Unf HS is given the verification key hpk, and access to a signing oracle O HS sig .He is considered to be successful in producing a forgery if he outputs a valid signature for a message that was not queried from O HS sig (type 1 forgery) or that was queried to the signing oracle, but for which m* does not equal f* applied to the messages queried (type 2 forgery).
A Unf HS interacts with A Unf HSC , playing the role of the challenger in the unforgeability game for our HSC scheme built above.This means that A Unf HS must simulate the signcryption oracle and the unsigncryption oracle.After receiving the challenge verification key hpk of the HS scheme, A Unf HS first generates crs ← NIZK:Setupð1 λ Þ, key-pairs and creates the obfuscated programme iOðProg V Þ and iOðProg E Þ for the programme Prog V depicted in Figure 2a and Prog E in Figure 2b, respectively.A Unf HS sets pp ≔ crs; pk S ≔ hpk and pk R ≔ ðpk 1 ; pk 2 ; ; iOðProg V Þ; iOðProg E ÞÞ.
To answer the i-th query to the signcryption oracle, that is, a k-message vector m !i ¼ fm i1 ; …; m ik g issued by A Unf HSC ; A Unf HS performs the following: � It sends the k-message vector m !i ¼ fm i1 ; …; m ik g to its own signing oracle O HS sig to get a tag tag i and a signature vector σ , and the NIZK proof π ij for the statement (1).

� It sets tag
for each j ∈ [k] and returns it back to A Unf HSC .
To answer the query, the signcryption c ı ¼ ðe to obtain the output σ*‖m*, and then outputs ðtag � ; m � ; σ � ; f � Þ as its message-forgery pair in the unforgeability game for the underlying HS scheme.
It is easy to see that A Unf HS exactly recreates the environment.Thus, if A Unf HSC produces a forgery in our HSC scheme with non-negligible probability 1/Poly(λ), then A Unf HS successfully forges in the underlying HS scheme with non-negligible probability 1/Poly(λ).But, this cannot be the case, since we have assumed that the HS scheme is existentially unforgeable against chosen-message attacks.We conclude that our HSC scheme as specified above satisfies the unforgeability security of Definition 7. □ Theorem 2 Assuming iO is a secure indistinguishability obfuscator, a IND-CPA secure public key encryption PKE, along with the statistical simulationsoundness and the zero-knowledge properties of a SSS-NIZK system, the homomorphic signcryption scheme described above is selectively weakly message private as defined in Definition 9 for datasets up to k.
Proof: We now show that our HSC scheme satisfies the selective weak message privacy of Definition 9. We prove that no poly-time attacker can break the weak message privacy of our HSC scheme if our underlying assumptions hold.We organise our proof into a sequence of hybrids.In the first hybrid, the challenger signcrypts the messages in m !� 0 and computes the signcryption on We then gradually change the signcryptions in multiple hybrid steps into the signcryptions on m !� 1 and f i ðm !� 1 Þ.We show that each successive hybrid experiment is indistinguishable from the former one.
Hyb 0 : In this hybrid the following game is played.
� The adversary A outputs the challenged message ðm !� 0 ; m Then, it creates the obfuscations iOðProg V Þ and iOðProg E Þ for the programme Prog V of Figure 2a and Prog E of Figure 2b.The challenger gives pp ≔ crs; pk S ≔ hpk; pk R ≔ ðpk 1 ; pk 2 ; iOðProg V Þ; iOðProg E ÞÞ together with sk S ≔ hsk to A. � For the unsigncryption queries c i ¼ ðe 1  i ; e 2 i ; π i Þ with corresponding tag tag i issued by A, the challenger checks that π i is a valid NIZK proof using the NIZK:Verify algorithm and the crs for the NP-statement (1).If the check fails, it outputs ⊥; Otherwise, it computes σ i km i ¼ PKE:Decðsk 1 ; e 1 i Þ and verifies that HS:Verifyðhpk; tag i ; m i ; . � The challenger randomly samples a tag tag � and generates σ 0 j ← HS:Sign hsk; tag � ; m � 0j ; j Then, for each j ∈ [k] it generates e 1 j ← PKE:Encðpk 1 ; σ 0 j km � 0j ; r 1 j Þ and e 2 j ← PKE:Enc ðpk 2 ; σ 0 j km � 0j ; r 2 j Þ, and the NIZK proof π j for statement (1), and sets c 0 j ¼ ðe Hyb 1 : This hybrid is identical to Hyb 0 with the exception that ðcrs; πÞ is simulated as ðcrs; πÞ ← Sim ∃ðu; r 1 ; r 2 Þ; s:t: Since the SSS-NIZK system is computationally zero knowledge, Hyb 1 is indistinguishable from Hyb 0 .Hyb 2 : This hybrid is identical to Hyb 1 , with the exception that the ciphertexts are generated as following.For all j ∈ ½k þ s�; e 1 j ¼ PKE:Encðpk 1 ; u 0 j ; r 1 j Þ, where for Since the PKE system is IND-CPA secure, Hyb 2 is indistinguishable from Hyb 1 .
Hyb 3 : This hybrid is identical to Hyb 2 , with the exception that the challenger generates the obfuscation of programme Prog 1 V which is defined in Figure 3a instead of an obfuscation for programme Prog V defined in Figure 2a as well as the obfuscation of programme Prog 1 E which is defined in Figure 3b instead of an obfuscation for programme Prog E defined in Figure 2b.Since iO is an indistinguishability obfuscator, Hyb 3 is indistinguishable from Hyb 2 .
Hyb 4 : This hybrid is identical to hybrid Hyb 3 with the exception that the ciphertexts are generated as follows.For (The NIZK is still simulated and the obfuscated programs are created for the programme Prog 1 V and Prog 1 E , respectively.)Since the PKE system is IND-CPA secure, Hyb 4 is indistinguishable from Hyb 3 .
Hyb 5 : The ciphertext and the crs are formed the same way as in Hyb 4 with the exception that the challenger generates the obfuscation of the programme Prog V defined in 2a and the programme Prog E defined in Figure 2b instead of the obfuscation for the programme Prog 1 V defined in Figure 3a and the programme Prog 1 E defined in Figure 3b.Since iO is an indistinguishability obfuscator, Hyb 5 is indistinguishable from Hyb 4 .
Hyb 6 : This hybrid is the same as in Hyb 5 with the exception that the crs is generated from an honest run of the NIZK:Setup algorithm and the NIZK proof components.This corresponds to the game when the signatures are generated on m !� 1 and � KGen S ð1 λ ; kÞ: It takes as inputs the security parameter λ and a maximum size k of a dataset, whose messages can be signcrypted.It outputs a sender's key-pair ðpk S ; sk S Þ and defines a message space M, a signcryption space C, and a set F of functions f : M k → M. � KGen R ð1 λ ; kÞ: It takes as inputs the security parameter λ and a maximum size k of a dataset, and outputs a receiver's key-pair ðpk R ; sk R Þ, together with a public verification key vk and a private evaluation key ek.� Signcryptðsk S ; pk R ; tag; m; iÞ: It takes as inputs the sender's private key sk S , the receiver's public key pk R , a tag tag ∈ f0; 1g λ , a message m ∈ M and its corresponding index i ∈ [k], and outputs a signcryption c ∈ C. � UnSigncryptðpk S ; sk R ; cÞ: It takes as inputs the sender's public key pk S , the receiver's secret key sk R , a signcryption c ∈ C and it outputs a message m ∈ M together with its corresponding tag tag.� Evaluateðek; pk S ; pk R ; tag; f ; c ! Þ: It takes as inputs an evaluation key ek, sender's public key pk S , receiver's public key pk R , a tag tag ∈ f0; 1g λ , a function f ∈ F , and a tuple of signcryptions c ! ∈ C k , and it outputs a derived signcryption c 0 ∈ C. � Verifyðvk; pk S ; pk R ; tag; m 0 ; c 0 ; f Þ: It takes as inputs a public verification key vk, sender's public key pk S , receiver's public key pk R , a tag tag ∈ f0; 1g λ , a message m 0 ∈ M, a function f ∈ F , and a derived signcryption c 0 ∈ C, and it outputs either 0 (reject) or 1 (accept).
Let fΦ i : M k → Mg be the function Φ i (m 1 , …, m k ) = m i that projects onto the i-th component and 12 -LI ET AL.Φ 1 ; …; Φ k ∉ F , which implies that the verification algorithm is only allowed to verify whether the derived signcryption from the homomorphic evaluation operation is a valid signcryption or not.
Correctness.For all ðpk S ; sk S Þ ← KGen S ð1 λ ; kÞ and.ðpk R ; sk R Þ ←KGen R ð1 λ ; kÞ, we have: We say that a signcryption scheme as above is F -homomorphic, or homomorphic with respect to F .Remark 3 We note that the Unsigncrypt algorithm is allowed to perform on both the original and the derived signcryptions, while the verification algorithm can only accept the derived signcryptions as inputs .
The reason for this limitation is to protect the secrecy of the message in the signcryption scheme.More precisely, if the public verification algorithm is allowed to operate on the original signcryption of a message, then it is trivial for any adversary to test the matching of the message and the challenged signcryption via the public verification algorithm.

| Message privacy
Contrary to the weak message privacy for HSC in a public evaluation setting in a private evaluation, the privacy notion is defined for the full message confidentiality, which captures the idea that given both the original signcryptions on the dataset and the signcryptions on a number of messages derived from one of two different datasets, the attacker cannot tell which dataset the derived signatures came from.

| Construction of an HSC in a private evaluation setting
In this section, we present an HSC scheme in a private evaluation setting from an HS scheme without context-hiding and a FE scheme.Our construction relies on the following building blocks: � An F -homomorphic signature scheme HS ¼ HS:Setup; ð HS:Sign,HS:Evaluate; HS:VerifyÞ with message of length |m| and a signature of length ℓ sig .� A general-purpose public-key multi-input functional encryption scheme MI F E ¼ ðMIFE:Setup; MIFE:Enc; MIFE:KeyGen; MIFE:DecÞ.
Theorem 3 Assuming the underlying homomorphic signature scheme HS is existentially unforgeable against chosen message attacks as defined in Definition 4, the homomorphic signcryption scheme described above satisfies unforgeability against chosen message attacks as defined in Definition 11.
Proof: Let us fix a PPT adversary A Unf HSC attacking our HSC scheme constructed above, we will use A Unf HSC to construct an adversary A Unf HS such that, if A Unf HSC wins in the unforgeability game for our HSC scheme given above with non-negligible probability, then A Unf HS breaks the underlying existential unforgeability of homomorphic signature scheme HS.
We now describe the constructed HS adversary, A Unf HS .After receiving the challenge verification key hpk of the HS scheme, FE ← MIFE:KeyGenðmsk 0 ; UÞ for the function U described in Figure 4a and sk G FE ← MIFE:KeyGenðmsk 1 ; GÞ for the function G described in Figure 4b.� For each j ∈ To answer the query submitted to the unsigncryption oracle, that is, a signcryption c ı ¼ ðβ; ct ı ; ct tag ı ; ct σ ı ; ct m ı ; ct f Þ with corresponding tag tag ı issued by A Unf HSC ; A Unf HS performs the following: To answer the query to the evaluation oracle, that is, ksigncryption vector c ! ȷ ¼ fc ȷ1 ; …; c ȷk g with corresponding tag tag ȷ and function f ȷ issued by A Unf HSC ; A Unf HS performs the following: together with a tag tag � or a tuple ðtag � ; m � ; c � ; f � Þ.We then analyse the following two cases.

Case 1: When
As it is required that tag � is different from all the tags associated with the dataset that has been queried to the signcryption oracle and the evaluation oracle, A Unf HS outputs ðm ! 0; σ ! 0Þ together with the tag tag � as a forgery, which is the forgery of HS of type 1 defined in Definition 4.

Case 2: When
HS outputs ðtag � ; m � ; σ; f � Þ as its message-forgery pair in the unforgeability game for the underlying HS scheme, which means that the adversary A Unf HS successfully outputs a forgery of HS scheme of type 2 defined in Definition 4.
Thus, if A Unf HSC produces a forgery in our HSC scheme with non-negligible probability 1/Poly(λ), then A Unf HS successfully forges in the underlying HS scheme with non-negligible probability 1/Poly(λ).But, this cannot be the case, since we have assumed that the HS scheme is existentially unforgeable against chosen-message attacks.We conclude that our HSC scheme as specified above satisfies the unforgeability security of Definition 11. □ Theorem 4 Assuming the underlying public key functional encryption scheme F E is secure, the homomorphic signcryption scheme described above is message private as defined in Definition 12 for datasets up to k. Proof: Let A MP be an adversary attacking our HSC scheme constructed above in the sense of message privacy.We construct an adversary A FE attacking the security of the MIFE, and then upper bound the advantage of A in terms of the advantages of these adversaries.
We now describe the constructed public-key multi-input functional encryption adversary, A FE .A FE interacts with A MP , playing the role of the challenger in the game of message privacy for HSC.This means that A FE must simulate the signcryption oracle and the evaluation oracle.
After receiving the master public key mpk 0 ; mpk 1 of the MIFE scheme, A FE samples a key pair of HS, ðhsk; hpkÞ ← HS:Setupð1 λ ; kÞ.A FE sends the function U defined in Figure 4a and the function G defined in Figure 4b   Thus, if A MP correctly guesses which message the challenger encodes in the game of message privacy of the HSC scheme with non-negligible probability ϵ(λ), then A FE correctly guesses which message the challenger encrypts in the underlying IND-CPA game for the MIFE scheme with nonnegligible probability ϵ(λ).□

| CONCLUSION
In this article, we investigate the question of how to homomorphically perform arbitrary computations on signcrypted data, going beyond the existing additive homomorphic operation.We augment the concept of homomorphic signcryption on two aspects, one of which is to provide public plaintext-result checkability such that anyone is able to publicly check whether a given ciphertext is the signcryption of the message under the key, thus no longer bound to the recipient.Another property that our homomospric signcryption schemes achieve is message privacy.The latter guarantees that the derived signcryption will not reveal any information about the underlying dataset, beyond what is revealed by the outcome of evaluation on the underlying dataset.We also propose constructions of a homomorphic signcryption scheme with public plaintextresult checkability both in a public evaluation setting and a private evaluation setting.We believe that homomorphic signcryptions that achieve both plaintext-result checkability and confidentiality are very useful in a wide variety of settings involving data processing by untrusted entities.
if the original signcryptions c ! b over messages m !b are exposed to an adversary and the homomorphic operation and verification process are public algorithms, it is trivial for an adversary to distinguish the original dataset only from the information of c ! b by performing a function f * on c ! b to get the derived signcryption b c on the message f * ðm !b Þ.By testing the matching of b c with
and the NIZK proof b π i for statement (1).It sets b c i ¼ ðb e 1 i ; b e 2 i ; b π i Þ and sends tag � ; b c 1 ; …; b c s ð Þ to A. � The adversary A outputs a bit b 0 and wins if b = b 0 .
The challenger generates a random bit b ∈{0, 1} and a random tag tag ∈ f0; 1g λ .It signcrypts the messages in m !� b using tag to obtain a vector c ! of k signcryptions, where c j ← Signðsk S ; pk R ; tag; m� bj ; jÞ for all j ∈ [k].Next, for each i ∈ [s] the challenger computes a derived signcryption b c i ← Evaluateðek; pk S ; pk R ; tag; f i ; c ! Þ.It sends tag and the derived signcryptions b c 1 ; …; b c s ð Þ as well as original signcryption vector c ! to A. � A adaptively performs signcryption and evaluation queries as before.� A outputs a bit b 0 .A wins the game if b = b 0 .

F I G U R E 4
Description of the function U hpk and G hpk LI ET AL.

Encðmpk 1 ;
b σ i Þ; b ct y i ← MI FE:Encðmpk 1 ; y i Þ, and b ct f i ← MIFE:Encðmpk 1 ; f i Þ.Then A FE sets b c i ¼ ð1; b ct i ; b ct tag 0 ; b ct b σ i ; b ct y i ; b ct f i Þ.A FE sendsthe tag tag 0 and the signcryptions ct � 1 ; …; ct � k ; b c 1 ; …; b c s to A MP .Finally, if A MP outputs b* to indicate that the challenged signcryptions are the encoded value of the message m !� b � , then A FE returns b* to indicate that ct � 1 ; …; ct � k are the encryptions of the messages ðx b � ;1 ; …; x b � ;k Þ.

1.6 | Related work Homomorphic Signcryption. Homomorphic
CTÞ ¼ f ðxÞ with all but a negligible probability over the internal randomness of the algorithms FE:Setup; FE:KeyGen, and FE:Enc.Adaptive security.A functional encryption scheme F E for a class of functions F is adaptively secure if for any probabilistic polynomial-time adversary A ¼ ðA 1 ; A 2 Þ, there exists a negligible function negl(λ) such that and any CT ← FE:Encðmpk; xÞ, it holds that FE:DecðSK f ; and a signature σ* ∈ Σ.The adversary wins if Verifyðpk; tag � ; m � ; σ � ; f Þ ¼ 1 and either 1. (a type 1 forgery) tag � ≠ tag i for all i, or 2. (a type 2 forgery) tag � It takes as inputs the public parameter pp, and outputs a receiver's key-pair ðpk R ; sk R Þ. � Signcryptðpp; sk S ; pk R ; tag; m; iÞ: It takes as inputs the public parameter pp, sender's private key sk S , receiver's public key pk R , a tag tag ∈ f0; 1g λ , a message m ∈ M and its corresponding index i ∈ [k], and outputs a signcryption c ∈ C. � UnSigncryptðpp; pk S ; sk R ; cÞ: It takes as inputs the public parameter pp, the sender's public key pk S , the receiver's secret key sk R , and a signcryption c ∈ C, and outputs a message m ∈ M. � Evaluateðpp; pk S ; pk R ; tag; f ; c ! Þ: It takes as inputs the public parameter pp, the sender's public key pk S , the receiver's public key pk R , a tag tag ∈ f0; 1g λ , a function f ∈ F , and a tuple of signcryptions c ! ∈ C k , and outputs a derived signcryption c 0 ∈ C. � Verifyðpp; pk S ; pk R ; tag; m 0 ; c 0 ; f Þ: It takes as inputs the public parameter pp, sender's public key pk S , receiver's public key pk R , a tag tag ∈ f0; 1g λ , a message m 0 ∈ M, a function f ∈ F , and a signcryption c 0 ∈ C, and outputs either 0 (reject) or 1 (accept).Let fΦ i : M k → Mg be the function Φ i (m 1 , …, m k ) = m i that maps onto the i-th component and Φ 1 ; …; Φ k ∈ F for all pp output by Setupð1 probabilistic polynomial time (PPT) algorithm iO is said to be an indistinguishability obfuscator for a circuits class fC λ g, if the following conditions are satisfied:� For all security parameters λ ∈ N, for all C ∈ C λ , for all inputs x, we have that Pr½C 0 ðxÞ ¼ CðxÞ : C 0 ← iOðλ; CÞ� ¼ 1: � For any (not necessarily uniform) PPT adversaries ðSamp; DÞ, there exists a negligible function negl(•) such that the following holds: if Pr½∀x; C 0 ðxÞ ¼ C 1 ðxÞ : ðC 0 ; C 1 ; σÞ← Sampð1 λ Þ� > 1 − neglðλÞ, then we have: jPr ½Dðσ; iOðλ; C 0 ÞÞ ¼ 1 : ðC 0 ; C 1 ; σÞ ← Sampð1 λ Þ�− Pr Dðσ; iOðλ; C 1 ÞÞ ¼ 1 : ðC 0 ; C 1 ; σÞ ← Samp 1 λ Informally, a homomorphic signcryption scheme in a public evaluation setting consists of algorithms Setup; KGen S ; KGen R ; Signcrypt; UnSigncrypt as well as two additional algorithms, that is, Evaluate and Verify.The Evaluate algorithm is able to transform the signcryptions on some original messages to a signcyrption on an outcome of the function applied to those original messages without using any secret keys.The Verify algorithm enables a verifier to test whether the (either original or derived) signcryption is a valid signcryption of a given message under the corresponding sender and receiver's public keys.If c ! is a valid set of signcryptions on the messages m !, then Evaluateðf ; c ! Þ should be a valid signcryption for f ðm !Þ.An additional 'tag' is employed to distinguish different datasets, so that only signcryptions with matching tags can be computed homomorphically.A tag is a bit-string of length λ that is randomly chosen from {0,1} λ .λ ; kÞ: It takes as inputs the security parameter λ and a maximum size k of a dataset, whose messages can be signcrypted.It outputs the public parameter pp and defines a message space M, a signcryption space C, and a set F of functions f : M k → M. � KGen S ðppÞ: It takes as inputs the public parameter pp, and outputs a sender's key-pair ðpk S ; sk S Þ. LI ET AL. � KGen R ðppÞ: λ ; kÞ.Correctness For all pp ← Setupð1 λ ; kÞ; ðpk S ; sk S Þ← KGen S ðppÞ and ðpk R ; sk R Þ ← KGen R ðppÞ we have: 1.For all tags tag ∈ f0; 1g λ ; m ∈ M, and i ∈{1, …, k}, if c ← Signcryptðpp; sk S ; pk R ; tag; m; iÞ, then with overwhelming probability it holds that UnSigncryptðpp; pk S ; sk R ; cÞ ¼ m and Verifyðpp; pk S ; pk R ; tag; m; c; Φ i Þ ¼ 1. 2. For all tag ∈ f0; 1g λ , tuples m !¼ ðm 1 ; …; m k Þ ∈ M k , and functions f ∈ F , if c i ← Signcryptðpp; sk S ; pk R ; tag; m i ; iÞ for i = 1, …, k and c 0 ← Evaluateðpp; pk S ; pk R ; tag; f ; ðc 1 ; …; c k ÞÞ, then with overwhelming probability it holds UnSigncrypt pp; pk S ð ,sk R

�
The challenger runs pp ← Setupð1 λ ; kÞ; ðpk S ; sk S Þ← KGen S ðppÞ and ðpk R ; sk R Þ ← KGen R ðppÞ, and sends pp; pk S ; pk R to the adversary A. � A proceeds with adaptive queries, � SIGNCRYPTION QUERIES.Each query consists of: � a dataset given as a k-message vector m !For each i, the challenger sends back a randomly chosen tag tag i ∈ f0; 1g λ , and a signcryption vector c! i ¼ fc ij g j∈½k� where c ij ← Signcryptðpp; sk S ; pk R ; tag i ; m ij Þ for j ∈ [k].�UNSIGNCRYPTION QUERIES.Each query consists of: � a signcryption c ı ∈ C � For each ı, the challenger sends back: a message m ı ← UnSigncryptðpp; pk S ; sk R ; c ı Þ. � A outputs a tag tag � ∈ f0; 1g λ , a message m � ∈ M, a function f i ¼ fm i;1 ; …; m i;k g. � For each i, the challenger sends back a randomly chosen tag tag i ∈ f0; 1g λ , and a signcryption vector c! i ¼ fc ij g j∈½k� where c ij ← Signcryptðpp; sk S ; pk R ; tag i ; m ij Þ for j ∈ [k].� a dataset given as a k-message vector m !i ¼ fm i;1 ; …; m i;k g. � � ∈ F , and a signcryption c*.The adversary wins if Verifyðpp; pk S ; pk R ; tag � ; m Next, for each i ∈ [s] the challenger computes a derived signcryption b c i ← Evaluateðpp; pk S ; pk R ; tag; f The challenger generates a random bit b ∈{0, 1} and a random tag tag ∈ f0; 1g λ .It signcrypts the messages in m !� b using a tag to obtain a vector c ! of k signcryptions, where c j ← Signcryptionðpp; sk S ; pk R ; tag; m � bj ; jÞ for all j ∈ [k].i ; c ! Þ.It sends tag and the signcryptions ðb c 1 ; …; b c s Þ to A.
signature scheme HS ¼ HS:Setup; ð HS:Sign, HS:Evaluate; HS:VerifyÞ with message of length |m| and signature of length ℓ sig .Signcrypt; Unsigncrypt; Evaluate; Verify in a public evaluation setting with respect to F is built as follows.