Certificateless signcryption access control method suitable for internet of things
By using a certificateless public-key cryptography system and signature mechanism, combined with cyclic group operations, the problem of key management and excessive computational burden in the Internet of Things (IoT) is solved, achieving secure, fast, and efficient access control, and adapting to the security requirements of the IoT environment.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- BEIJING UNIV OF TECH
- Filing Date
- 2023-06-03
- Publication Date
- 2026-07-14
AI Technical Summary
In the Internet of Things (IoT), existing technologies suffer from problems such as key management and excessive computational burden, especially in environments with a large number of heterogeneous devices from multiple sources, making it difficult to achieve secure, fast, and efficient access control.
Employing a certificateless public-key cryptography system and signature-based encryption mechanism, signature verification and ciphertext decryption are achieved through a single round of computation. The computation process is restricted to addition and multiplication operations in cyclic groups, reducing the computational burden of exponential and bilinear pairing operations. Security attributes based on mathematically difficult problems are constructed to ensure the security of data transmission and computational efficiency.
It enables fast and efficient access control in the Internet of Things (IoT) environment, reduces the computing and communication burden on devices, has good adaptability and security, meets the requirements of confidentiality, non-repudiation, non-forgeability and authentication, and reduces computing and communication costs.
Smart Images

Figure CN116707820B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the fields of the Internet of Things and data security. Background Technology
[0002] To address the key management needs of massive numbers of devices in the Internet of Things (IoT) and the excessive computational burden caused by existing "sign-then-encrypt" mechanisms, researchers have proposed a certificateless signature-cryptography mechanism that combines certificateless cryptography and signature-cryptography. This mechanism employs a certificateless public-key cryptography system, eliminating the need for the key generation center to manage and escrow keys for the vast number of IoT devices, thus reducing the computational and storage burden on the key management center. Simultaneously, the signature-cryptography mechanism avoids the heavy computational burden of the two-round "sign-then-encrypt" computation process, achieving simultaneous signature verification and ciphertext decryption in a single round of parallel computation, improving security while reducing communication and computational burden. Therefore, given the current state of managing massive, multi-source, heterogeneous devices and encrypting data transmission in the IoT, the certificateless signature-cryptography mechanism demonstrates strong applicability to IoT environments or other resource-constrained environments.
[0003] To ensure the security of cryptographic algorithms, modern cryptography typically reduces the prerequisites for breaking the algorithm to a mathematically difficult problem, thereby guaranteeing the security of the cryptographic algorithm. The mathematically difficult problems involved in this invention are mainly as follows.
[0004] Definition 1: Discrete Logarithm Problem (DL)
[0005] Suppose there exists an additive cyclic group G and a generator P of G, where |G| = q. Given a pair of tuples (P, aP), where... If the problem is unknown, then the deep learning problem (DL) can be represented by finding 'a' from the tuple. Assume that attacker A can break the DL problem in arbitrary polynomial time, meaning the attacker can find the correct tuple. The probability of is ε, and is defined as follows: Then DL assumes this probability It is small enough to be negligible.
[0006] Definition 2: Computational Diffie-Hellman Problem (CDH)
[0007] Suppose there exists an additive cyclic group G and a generator P of G, where |G| = q. Given a pair of tuples (P, aP, bP), where... If the problem is unknown, then the CDH problem can be represented as being able to compute abP from the tuple (aP, bP). Assume that attacker A can break the CDH problem in arbitrary polynomial time, meaning the probability that the attacker can find the correct abP∈G is ε, and is defined as... CDH then assumes this probability It is small enough to be negligible.
[0008] Definition 3: Decisional Diffie-Hellman Problem (DDH)
[0009] Suppose there exists an additive cyclic group G and a generator P of G, where |G| = q. Given a pair of tuples (P, T1 = aP, T2 = bP, T... x ),in Given the unknown and x∈(0,1), the DDH problem represents randomly selecting an element T from (aP,bP) and determining whether the equation T = T is true. x Let x be the value of x. Assume attacker A can break the DDH problem in arbitrary polynomial time, meaning the probability that attacker A can find the correct x is... And defined as DDH then assumes this probability It is small enough to be negligible. Summary of the Invention
[0010] To address the secure access challenge of massive, multi-source, heterogeneous devices in the Internet of Things (IoT) environment, how can we build a system for rapidly verifying the legitimacy and validity of access devices while ensuring security, thereby achieving secure, fast, and efficient access control for service devices to access devices?
[0011] The certificateless signature-based access control method proposed in this invention integrates a certificateless public-key cryptosystem and a signature mechanism. On the one hand, it eliminates the problems of public key management and key escrow in traditional public-key cryptosystems. On the other hand, by leveraging the signature mechanism, this invention enables the signing and decryption of request information in a single round of computation, and restricts the entire computation process to addition and multiplication operations in a cyclic group, thus eliminating the computational pressure caused by exponential operations and bilinear pairing operations and improving the computational efficiency of access control.
[0012] Furthermore, to improve the security and computational efficiency of the access control scheme, the access control scheme proposed in this invention satisfies confidentiality, authentication, non-forgeability, and non-repudiation, and enables public and legitimate verification of signed ciphertext without decrypting the plaintext, thus meeting the security requirements of access control in IoT scenarios as much as possible. Moreover, through simulation operation and theoretical analysis, it is shown that compared with schemes in recent years, the scheme of this invention has higher computational efficiency and faster communication efficiency, reducing the computational and communication burden on devices and demonstrating good adaptability in IoT scenarios.
[0013] First, this invention proposes a certificateless signature mechanism. To alleviate the heavy computational burden during verification, the entire computation process is restricted to dot product and addition operations based on cyclic groups, thereby improving computational efficiency. To ensure the security of data transmission after signature, multiple security attributes based on mathematically difficult problems are constructed based on public verifiability to enhance the security of the proposed scheme. Finally, this invention introduces an access control scheme based on the certificateless signature mechanism, constructing an access control mechanism based on certificateless signature.
[0014] To improve the readability of the proposed method, the symbols involved in the proposed scheme are described and explained, as shown in Table 1.
[0015] Table 1. Explanation of symbols in this invention
[0016]
[0017]
[0018] The proposed certificateless signature scheme can be divided into five parts: system initialization, partial private key generation, key generation, signature verification, and designification. The specific calculation process is as follows.
[0019] System initialization: Given a security parameter k, the key generation center KGC selects an additive cyclic group G and a generator P from G, where the rank of G is a large prime number q. Then, KGC selects three secure one-way hash functions. And H3:G→{0,1} l , where {0,1} * This refers to the bit representation of the user's identity information identifier, where 'l' represents the number of bits in the message transmitted by the user. Next, KGC randomly selects a value as its master system key. After being computed with the generator P, a corresponding system public key P is generated. pub =sP, where This represents a positive integer less than q. Finally, KGC publishes the system's public parameters params = {G, P, q, P} to all users in the system. pub ,H1,H2,H3}, and preserve the privacy of the master system key s.
[0020] Partial private key generation: After the system initialization phase is complete, user u i A user registration request needs to be sent to KGC, along with the user's unique identifier ID. i ∈{0,1} * After receiving a user's registration request, KGC first randomly selects a value. Calculate the random element R of group G1 i =r i P, hash value Q i =H1(ID) i ,R i ) and user u i Partial private key d i =ri+sQ i =ri+sH1(ID i ,R i After that, KGC will d i As user u i Part of the private key, R i As part of the user's public key, and transmitted to the designated user u via a secure channel. i .
[0021] Key generation: User u i After receiving a portion of the private key d sent by KGC i and part of the public key R i Next, the hash value Q is calculated. i =H1(ID) i ,R i And determine and verify equation d. i P = R i +H1(ID i ,R i Check if Ppub is true. If not, discard the information sent by KGC. If true, user u i Choose a random number Use it as your own secret value, and calculate part of the public key P. i =x i P is part of the complete public key. Then, user u... i SK i =(x i ,d i ) as its own complete private key, PK i =(P i ,Ri () as its own complete public key.
[0022] To better illustrate the signing and desealing process, this invention uses two users, Alice and Bob, as typical examples in the system, with Alice as the data sender and Bob as the data receiver to demonstrate the specific signing and desealing process. Alice's identity identifier is ID. A The public and private keys are SK. A =(x A ,d A ) and PK A =(P A ,R A Bob's identifier is ID. B The public and private keys are SK. B =(x B ,d B ) and PK B =(P B ,R B ).
[0023] Sign-cryption: Based on the given system parameters params and the plaintext data m to be transmitted, assuming Alice knows user Bob's public key PK B =(P B ,R B In the case of ), the signed ciphertext is generated according to the following calculation process.
[0024] (1) Select a temporary random number Computational group G1 random element T a =aP;
[0025] (2) Using the multiplication of random value a and user Bob's public key as input to hash function H3, generate hash value H3(aP). B );
[0026] (3) Using hash value H3(aP) B Perform a bitwise XOR operation on the plaintext data m and the ciphertext c = H3(aP) to generate the ciphertext c = H3(aP) B )⊕m;
[0027] (4) Using ID A ID B ,P A ,P B ,c,T a As input, the hash function H3 is executed to calculate the hash value h = H2(ID). A ID B ,P A ,P B ,c,T a);
[0028] (5) Calculate temporary data
[0029] (6) Output the ciphertext δ=(S,c,T) a ).
[0030] Decryption: Based on receiving the ciphertext δ=(S,c,T) through a public channel a Then, suppose Bob knows user Alice's public key PK. B =(P B ,R B After that, the ciphertext is decrypted according to the following calculation process to restore the plaintext data m.
[0031] (1) Using ID A ID B ,P A ,P B ,c,T a As input, the hash function H3 is executed to calculate the hash value h = H2(ID). A ID B ,P A ,P B ,c,T a );
[0032] (2) Using ID A ,R A As input, execute hash function H3 to generate hash value Q. A =H1(ID) A ,R A );
[0033] (3) Perform the verification equation S(R) A +Q A P pub )=hP A +T a The system checks if the signature is valid. If valid, the ciphertext is valid, and the next decryption operation is performed; otherwise, the ciphertext is discarded, and an error symbol ⊥ is returned.
[0034] (4) Using the temporary value T A The secret value x of user Bob B The multiplication operation is used as input to the hash function H3 to generate the hash value H3(x). B T A );
[0035] (5) Using ciphertext c and hash value H3(x) B T AUsing ) as input, perform a bitwise XOR operation to obtain the transmitted plaintext data m = H3(x) B T A )⊕c. The decryption is now complete.
[0036] Correctness analysis:
[0037] To ensure the correctness and effectiveness of the proposed solution, the important formulas involved in this paper will be verified, as follows.
[0038] m=H3(aP B )⊕m⊕H3(x B T A )=H3(x B aP)⊕m⊕H3(ax B P)=m
[0039]
[0040]
[0041] As can be seen from the above calculation process, the calculation process of the proposed solution in the verification and encryption / decryption processes is correct and has computational validity. Attached Figure Description
[0042] Figure 1 Flowchart of Certificate-Free Access Control Scheme
[0043] Figure 2 Comparison of computation time for different schemes
[0044] Figure 3 Comparison of time consumption for different schemes with increasing number of communications Detailed Implementation
[0045] In this section, based on the proposed certificateless signature encryption scheme, this invention proposes an efficient certificateless signature encryption access control mechanism suitable for the Internet of Things (IoT). Similar to general access mechanisms, the access control scheme proposed in this invention mainly consists of four stages: system initialization, user registration, authentication and authorization, and revocation. A general structural diagram of the proposed access control scheme is attached. Figure 1 As shown.
[0046] To better illustrate the operational process of the proposed access control scheme, this invention uses two users, Alice and Bob, as typical examples, where Alice is the service provider and Bob is the service requester. Subsequently, this invention uses the access control between Alice and Bob as an example to explain the computational details of the proposed access control scheme.
[0047] System initialization phase
[0048] During this phase, KGC executes a system initialization algorithm similar to that used in certificateless signature encryption, generating the master system key and public system parameters `params`. User Alice, acting as the service provider, interacts with KGC through a private channel to complete the verification of her own secret value `x`. A and part of the private key d A The generation of SK, and then the synthesis of its own complete private key SK. A =(x A ,d A ) and all public keys PK A =(P A ,R A Afterwards, KGC and Alice respectively exposed the system's public parameters `params` and public key information `PK` to all users in the system. A =(P A ,R A ).
[0049] User registration phase
[0050] Similar to the user registration calculation method in certificate-free signature schemes, service requester Bob first requests user registration from KGC and provides his unique identification ID. B The identifier is sent to KGC. KGC receives Bob's identity identifier ID. B Next, the KGC first checks if Bob's identity is valid. If valid, the KGC responds to Bob's registration request and proceeds to the next step; otherwise, the KGC rejects Bob's registration request. Then, the KGC generates Bob's partial private key d by setting a validity period T for Bob's identity and executing a partial private key generation algorithm from the certificateless signature scheme. B And transmit part of the private key d through a secure channel B Send to Bob. Bob receives part of the private key d. B Then, the verification algorithm d is executed. B P = R B +H1(ID B ,R B )P pub Verify the validity of a portion of the private key. If the verification is successful, Bob considers that portion of the private key d to be valid. B It is valid and executes the key generation algorithm to generate its own public key PK. B =(P B ,R B ) and all private keys SK B =(x B ,d B Otherwise, Bob discards that portion of the private key. B .
[0051] Authentication and Authorization Phase
[0052] The authentication and authorization phase primarily involves the interaction between service requester Bob and service provider Alice. When Bob wants to connect to Alice, he first generates request information m and then uses Alice's public key PK. A =(P A ,R A ) and its own private key SK B =(x B ,d B Generate the signed ciphertext δ=(S,c,T) a Next, to prevent Alice from not having received Bob's public key, Bob needs to combine it with his own unique identifier ID. B PK with public key information B =(P B ,R B The completed request information (δ, ID) is generated. B ,P B ,R B The request is sent to service provider Alice via a public channel. Upon receiving the request, Alice decrypts the ciphertext using the decryption algorithm proposed in the certificateless signature scheme. If the decryption algorithm returns an error symbol ⊥, Alice considers the request invalid and discards it. Otherwise, Alice considers the request valid and uses the session cipher H3(aP) to decrypt the ciphertext. B ) or H3(x B T A Establish a covert communication link and provide corresponding services to Bob based on the decrypted plaintext data m.
[0053] Cancellation phase
[0054] The revocation phase primarily involves restricting Bob's access permissions for the service request. Generally, Bob's access permissions will be automatically revoked after the expiration time T. For example, after the expiration time T, KGC can revoke part of Bob's private key and part of his public key, causing Bob to automatically become unauthorized after the expiration time T, meaning he will be unable to access the service provider Alice. However, if, for some reason, such as Bob being identified as a malicious device, we need to restrict Bob's access permissions before the expiration time T, KGC can generate an access permission revocation request, including Bob's unique identifier ID. B This is given to Alice. After receiving the cancellation request, Alice will add Bob to the cancellation form, thus preventing Bob from connecting with Alice.
[0055] To verify the performance of the proposed scheme, in this section we will compare the performance of our proposed access control scheme with similar schemes proposed in the last five years, mainly including a comparison of security strength, computational efficiency, and communication efficiency. The main process is as follows.
[0056] Security Attribute Comparison
[0057] This invention focuses on the security attributes in access control schemes, compares the security attributes of recently proposed schemes with our proposed scheme, and generates a security attribute comparison table as shown in Table 1.
[0058] In Table 1, to better verify the advancement of our proposed scheme, we analyzed the security attributes of schemes in recent years from multiple perspectives, including confidentiality, non-repudiation, non-forgeability, authenticability, public verifiability, certificate-free management, key escrow, bilinear pairing, and exponential operation.
[0059] As shown in Table 1, our proposed scheme satisfies confidentiality, non-repudiation, non-forgeability, authentication, and public verifiability, while possessing multiple lightweight properties characteristic of certificate-free public-key cryptography. Furthermore, our scheme eliminates the need for bilinear pairing and exponential operations, limiting it to dot product operations, significantly reducing the computational burden on users implementing access control schemes. Therefore, compared to other schemes, our proposed scheme achieves a higher level of security by reducing computational inefficiency while satisfying the maximum set of security attributes required by other schemes, thus demonstrating strong security capabilities and adapting to the security requirements of 5G scenarios.
[0060] Table 1 Comparison of Security Attributes
[0061]
[0062]
[0063] Computational efficiency comparison
[0064] In the Internet of Things (IoT), there are a massive number of heterogeneous network devices from multiple sources. These devices have varying resources, and some, due to resource constraints, struggle to handle the complex encryption and decryption resource consumption. Therefore, ensuring secure, rapid access and authentication for network devices is crucial to the effectiveness of access control schemes. To verify the computational efficiency of our proposed scheme, this section compares its theoretical computational efficiency with schemes proposed in recent years, and verifies the high computational efficiency of our proposed scheme through simulation experiments.
[0065] Theoretical Analysis
[0066] In the process of theoretically analyzing the access control scheme proposed in this paper, we quantitatively calculate the computation process of the access control scheme in recent years and the scheme in this paper, and count the number of calculations when performing different operations, so as to compare the computation efficiency of different access control schemes.
[0067] To address the difficulty in statistically analyzing various operations in access control schemes without certificates, we define four symbols—Pair, Exp, Mul, and Add—to represent bilinear pairing, exponential, dot product, and addition operations, respectively. These operations are all based on certain cyclic groups. For hash calculations, due to their relatively low computational resource consumption, we have ignored the computational resource consumption of hash operations in our quantitative comparison. We then statistically analyzed the number of operations in the four operations for the three comparison schemes and the scheme proposed in this paper, resulting in the computational resource quantitative comparison table shown in Table 2.
[0068] Table 2 Comparison of Computational Resources for the Four Schemes
[0069]
[0070] The comparison table of computational resources reveals that, compared to the first scheme, both our invention and the first scheme only use dot multiplication and addition operations. However, in terms of the number of operations, our proposed scheme requires fewer addition operations compared to the first scheme. Therefore, our invention has higher computational efficiency than the first scheme. Secondly, compared to the second and third schemes, the second and third schemes require two additional operations—exponential and bilinear pairing operations. However, the computational resources consumed by exponential and bilinear pairing operations exceed those of addition and dot multiplication operations, and are even exponentially higher. Therefore, compared to the second and third schemes, our proposed scheme, whose computation process is limited to dot multiplication and addition operations, has better computational efficiency. Furthermore, we will construct simulation experiments later to simulate and prove this conclusion.
[0071] Simulation Experiment Analysis
[0072] To increase the actual computational efficiency of different access control schemes based on certificateless signature encryption, we first constructed a virtual computing environment based on the PYPBC cryptographic library. The specific configuration of the simulated computing environment is shown in Table 3.
[0073] To better demonstrate the high efficiency of the proposed scheme, we statistically analyzed the computation time of four main operations in both the proposed and comparative schemes: bilinear pairing, exponential operation, dot product, and addition, under a simulated environment. We also calculated the average computation time after 100 calculations, generating a single-operation time statistics table, as shown in Table 4. Following this, using the theoretical analysis results above, we statistically analyzed the simulation computation time for each scheme and generated a computation time comparison chart for each scheme, as shown in Table 4. Figure 1 As shown.
[0074] Table 3 Simulation Experiment Environment Configuration Table
[0075]
[0076] Table 4 Comparison of Specific Calculation Times
[0077] Specific calculations Execution time addition operation <![CDATA[3.874301×10 -6 ]]> Dot product <![CDATA[3.457308×10 -5 ]]> Exponentiation <![CDATA[6.936312×10 -5 ]]> Bilinear pairing operation <![CDATA[9.32026×10 -4 ]]>
[0078] Finally, to compare the performance of different solutions, we calculated the total time consumed by each solution at different execution counts, as shown in the figure. Figure 2 The chart showing the time consumption is shown.
[0079] From Table 3, Figure 3 It can be observed that, compared with access control schemes in recent years, this invention is limited to dot product and addition operations in specific calculations. Compared with the computationally intensive exponential and bilinear pairing operations, this invention's scheme has a significant improvement in computational efficiency compared to the two schemes proposed by Li. Compared with Gao's scheme, this invention and its comparative scheme have the same number of dot product operations. However, Gao's scheme requires an additional 4 addition operations, which increases the computational cost of access control. Secondly, from the comparison of the time consumption of different schemes under different communication counts, it can be seen that as the number of communication counts increases, the advantages of our proposed scheme become more apparent, that is, it consumes fewer computational resources.
[0080] Communication efficiency comparison
[0081] In comparing communication efficiency, we continue to compare it from both theoretical and simulation experiments. First, theoretically, we analyze the generated ciphertexts after the signature encryption process in our proposed scheme and three comparative schemes. To quantify the communication data, we assume that the symbols |G|, |ID|, |M|, and ... The bit length of any element in the cyclic group G, the bit length of the unique identifier of the data requester, the length of the data requested for service, and... The bit length of any operation in the algorithm. Since the data service provider only needs to receive request information, we statistically analyzed the data sent by the data requester during the communication process in the four schemes and generated a communication consumption comparison table as shown in Table 5.
[0082] In the communication comparison simulation, to eliminate the impact of discrepancies between user identifiers and requested service data, we assume that the data length and unique user identifier sent by the four schemes are constant values, i.e., |M| = 160 bits and |ID| = 80 bits. Furthermore, for For the bit length of |G|, we used the data length from our simulation experiment. That is, when rbits = 160 in the cryptographic library, the length of any element of |G| can be compressed to 65 bits. It can also be represented using 20 bits. Therefore, based on the above analysis of various data lengths, we analyzed the communication data of the four schemes under specific simulation environments and generated a comparison table of communication resource consumption as shown in the table below. Among them, for Li (2016)'s scheme, the data length transmitted during communication is For Li's (2017) scheme, the data length transmitted during communication is For Gao's scheme, the data length transmitted during communication is For our proposed scheme, the data length transmitted during communication is
[0083] Table 5 Comparison of Communication Resource Consumption for the Four Schemes
[0084]
[0085] The comparison table of communication resource consumption for the four schemes reveals that, compared to the first and third schemes, our proposed access control scheme transmits the same amount of data during communication. However, compared to the second scheme, our proposed scheme requires 45 bits more data during communication, resulting in a certain deficiency in communication efficiency.
[0086] [1].Li F, Han Y, Jin C. Cost-effective and anonymous access control for wireless body area networks[J]. IEEE Systems Journal, 2016, 12(1):747-758.
[0087] [2].Gao G M,Peng X G,Jin L Z.Efficient Access Control Scheme withCertificatelessSigncryption for Wireless Body Area Networks[J].Int.J.Netw.Secur.,2019,21(3):428-437.
[0088] [3].Li F,Hong J,Omala AA.Efficient certificateless access control forindustrial Internet of Things[J].Future Generation Computer Systems,2017,76:285-292.
Claims
1. A certificateless signature-based access control method suitable for the Internet of Things, characterized in that: The symbols are explained as follows: ; The method consists of five parts: system initialization, partial private key generation, key generation, signature verification, and signature decryption. The specific calculation process is as follows. System initialization: via the given security parameters The Key Generation Center (KGC) selects an addition cyclic group. addition cyclic group One generator The addition cyclic group The rank of a large prime number Then, KGC selected three secure one-way hash functions. , as well as ,in, This refers to the bit representation of the user's identity information identifier. This indicates the number of bits in the message transmitted by the user; next, KGC randomly selects a random value as its master system key. , and generator The corresponding system public key is generated after participating in the calculation. ,in Indicates less than Positive integers; finally, KGC publishes the system's public parameters to all users in the system. and retain the master system key. Privacy; Partial private key generation: After the system initialization phase is completed, the user... A user registration request needs to be sent to KGC, along with the user's unique identifier. After receiving a user's registration request, KGC first randomly selects a value. Computational group random elements hash value and users Partial private key Afterwards, KGC will As a user Part of the private key, As part of the user's public key, it is transmitted to the designated user via a secure channel. ; Key generation: User After receiving a portion of the private key sent by KGC and part of the public key Next, the hash value is calculated. And determine and verify the equation. Check if the condition is met; if not, discard the information sent by KGC; if met, the user... Choose a random number Use it as your own secret value and calculate a portion of the public key. As part of the complete public key; afterwards, the user Will As its own complete private key, As its own complete public key; This demonstration uses Alice as the data sender and Bob as the data receiver to illustrate the specific signing and desealing process. Alice's identifier is... The public key and private key are respectively and Bob's identity identifier is The public key and private key are respectively and ; Sign-to-secret: based on given system parameters and need to transmit plaintext data Suppose Alice knows user Bob's public key. In this case, the signed ciphertext is generated according to the following calculation process; (1) Select a temporary random number Computational group random elements ; (2) Using random values Multiplication with user Bob's public key as a hash function The input is used to generate a hash value. ; (3) Using hash value and plaintext data Perform a bitwise XOR operation to generate ciphertext. ; (4) with As input, execute the hash function Calculate the hash value ; (5) Calculate temporary data ; (6) Output the encrypted signature . Desealing: Based on receiving the ciphertext via a public channel. Next, suppose Bob knows user Alice's public key. Then, the ciphertext is decrypted according to the following calculation process to restore the plaintext data. ; (1) with As input, execute the hash function Calculate the hash value ; (2) with Execute the hash function as input. Generate hash value ; (3) Perform the verification equation The system checks if the signature is valid; if valid, the ciphertext is valid, and the next decryption operation is performed; otherwise, the ciphertext is discarded, and an error symbol is returned. ; (4) Using temporary values Secret value with user Bob Multiplication as a hash function The input is used to generate a hash value. ; (5) In ciphertext and hash value As input, a bitwise XOR operation is performed to obtain the transmitted plaintext data. At this point, the decryption is complete.