Secure Encapsulation Schemes Using Key Recovery System in IoMT Environments

Recently, as Internet of Things systems have been introduced to facilitate diagnosis and treatment in healthcare and medical environments, there are many issues concerning threats to these systems’ security. For instance, if a key used for encryption is lost or corrupted, then ciphertexts produced with this key cannot be decrypted anymore. Hence, this paper presents two schemes for key recovery systems that can recover the lost or the corrupted keys of an Internet of Medical Things. In our proposal, when the key used for the ciphertext is needed, this key is obtained from a Key Recovery Field present in the ciphertext. Thus, the recovered key will allow decrypting the ciphertext. However, there are threats to this proposal, including the case of the Key Recovery Field being forged or altered by a malicious user and the possibility of collusion among participating entities (Medical Institution, Key Recovery Auditor, and Key Recovery Center) which can interpret the Key Recovery Field and abuse their authority to gain access to the data. To prevent these threats, two schemes are proposed. The first one enhances the security of a multi-agent key recovery system by providing the Key Recovery Field with efficient integrity and non-repudiation functions, and the second one provides a proxy re-encryption function resistant to collusion attacks against the key recovery system.


Introduction
In the era of the Fourth Industrial Revolution, as various countries and companies around the world have heavily invested in Information Technology (IT), the emergence of Internet of Things (IoT) environments has increasingly enabled a convenient and broad diversity of services to be distributed to consumers via various types of smart devices. Systems such as the Internet of Medical Things (IoMT), Intelligent Transportation Systems (ITS), smart home appliances, and connected cars have been implemented on those smart devices and deploy a vast number of services to consumers [1,2]. Therefore, much current research applies those IoT technologies to various environments.
Although the development of IoT has increased device convenience, it has also been accompanied by increasing threats to national, corporate, and personal information security [3]. In response to security threats such as personal information leakage, encryption has rapidly become important for securing personal information [4]. Therefore, the importance of security issues in IoT environments has also increased. Furthermore, there is discussion regarding security issues related to key management, in which ciphertexts cannot be decrypted if the keys are lost or corrupted.
In general, key recovery is a system that provides the ability to reveal the key to an authorized user under specific conditions specified in advance [5]. This paper presents schemes to recover lost or corrupted keys using an encapsulation-based key recovery
• It provides a key recovery system based on secure encapsulation against various types of attacks and provides the ability to securely recover a lost or corrupted key.
• It uses signcryption to ensure KRF integrity and non-repudiation. In addition, it provides both digital signing and encryption at the same time to increase computational efficiency.
• It uses values that only authorized KRAs hold to prevent unauthorized KRAs and group-based authentication attacks. If some KRAs do not perform the key recovery properly, key recovery may be performed by other authenticated KRAs to prevent a single point of failure.
Furthermore, the Med, KRA, and KRC may collude and behave maliciously. To solve this problem, we propose scheme 2, which provides a proxy re-encryption function and enhances the security of a key recovery system against various types of attacks such as collusion attacks and the key escrow problem.
The main contributions of our proposed scheme-II are as follows:
• It prevents the Med, KRC, and KRA from behaving maliciously to recover keys without authorization and prevents unauthorized entities from obtaining keys.
• It uses a partial private key generation scheme to prevent the KGC from generating private keys for all participants.
The remaining parts of the paper are organized as follows. Section 2 describes related work, and Section 3 describes the system model for the proposed schemes. Section 4 describes scenarios and detailed protocols for the proposed scheme-I, and Section 5 describes scenarios and detailed protocols for the proposed scheme-II. Section 6 analyzes whether the proposed schemes satisfy the security requirements. Finally, Section 7 discusses our conclusions.

Related Work
This section reviews and discusses existing works related to key recovery systems and encryption schemes.

Encapsulation Key Recovery Systems
A key recovery system is an important part of an encryption system. If a private key or session key used for a ciphertext is lost or corrupted, or a Law Enforcement Agency (LEA) wishes to intercept suspicious ciphertexts lawfully, it must be possible to recover the key. There have been several proposals related to such key recovery systems. Kanyamee et al. [10] proposed a highly available distributed session key recovery system. It provides high availability and attack detection for secure session key management and group authentication while using Multi-Key Recovery Agents (M-KRA) to solve the single point of failure problem encountered in the traditional KRA approach. However, many problems remain, such as the risks of forgery, counterfeiting, and collusion attacks for user-generated KRFs, which can cause problems for the key recovery service.
Lim et al. [11] proposed an encapsulation-based M-KRA key recovery system. They attempted to solve the problem that the M-KRA must communicate directly with one or more KRAs in the existing M-KRA scheme, and the user must directly perform a complex key recovery process. Their scheme provides secure session key management and recovery using a new type of M-KRA to solve this problem. However, problems may arise in the key recovery service from the forgery or modification of KRFs and from non-repudiation problems related to user-generated KRFs.
Kyusuk et al. [12] proposed an identity-based key escrow scheme to prevent malicious key use by LEAs. If an LEA maliciously obtains the key, it can read the encrypted data sent to the desired user. In other words, an LEA can intercept and obtain the users' keys to read all encrypted data. To solve this problem, the scheme prevents LEAs from obtaining a key by themselves after generating a user's key pair with the KGC-generated master key and the user's ID. However, since it uses a single KRA, it is vulnerable to problems such as a single point of failure and group authentication attacks, causing problems with the key recovery service.
Huadpaknam [13] proposed the Security Key Recovery System with Channel Quality Awareness (SKRS-CQA) for smart grid applications. If a Smart Meter Unit (SMU) loses the keys used for connecting to the smart grid, they need to be recovered. To solve this problem, a key recovery scheme was proposed, providing improved reliability, system availability, and data confidentiality. In addition, system reliability was improved by using amplification and forwarding relay protocols and a cooperative communication network with optimal power allocation.

Multi-Agent Key Recovery
A single-agent key recovery system is associated with service overload and security problems. Therefore, we use a multi-agent (at least two agents) key recovery system. The multi-agents receive a ciphertext that contains a key from the user or the KRC. Later, KRAs send pieces of the key to the KRC to allow the KRC to recover the complete key. However, various attacks and security breaches are possible, and efforts have been made to deal with these issues [14]. In our key recovery system using signcryption, we increase availability and enhance security.

Signcryption
Encryption and digital signatures are two cryptographic tools that can ensure confidentiality, integrity, and non-repudiation. Until 1997, cryptographic systems used separate components to provide these security functions. In public key schemes, the traditional scheme is to digitally sign the message and then perform encryption (signature-then-encryption). However, there are two problems: the operation efficiency is low and the cost is high. To solve this, signcryption was proposed. In 1997, Zheng [15] proposed the first signcryption scheme. Signcryption simultaneously performs digital signature and encryption. Compared to the traditional signature-then-encryption scheme, signcryption can effectively improve computational efficiency by reducing computational cost and communication overhead. In addition, many other signcryption schemes have been proposed throughout the years, each of them having its problems and limitations while offering different levels of security and computational cost [16,17].

Secret Sharing
Secret sharing schemes are ideal for sensitive information. These pieces of information should be kept highly confidential, as their exposure could be disastrous. However, it is also critical that they should not be lost. Traditional encryption schemes are not suitable for achieving a high level of confidentiality and stability at the same time. When storing encryption keys, the user has to choose between keeping a single copy of the key in one location or multiple copies of the key in multiple locations for maximum security. The secret sharing scheme proposed by Shamir and Blakley [18,19] in 1979 is a scheme of dividing the secret value into several pieces so that the secret value can be recovered only when more than a certain number of pieces are collected. Such a scheme is called Shamir's (k, n) threshold scheme. This scheme divides the secret value into n pieces, and entities may recover the secret value only when more than k pieces are collected. In another type of secret sharing scheme, there is one dealer and n players. The dealer gives a share of the secret to the players, but only when specific conditions are fulfilled will the players reconstruct the secret from their shares. The dealer accomplishes this by giving each player a share so that any group of t (for threshold) or more players can together reconstruct the secret but no group of fewer than t players can. In addition, many other secret sharing schemes have been proposed throughout the years and, as in the case of signcryption, each of them has its problems and limitations while offering different levels of security and computational costs [20,21].
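The threshold idea described above can be shown with a short program. This is an added example, not code from the paper: it implements Shamir's polynomial construction in its usual form, where any k of the n shares recover the secret. The function names, the field prime 2^521 - 1 and the reading of share holders as KRAs are assumptions made for the illustration.

```python
import secrets

# Field modulus (assumption): the Mersenne prime 2^521 - 1, which is large
# enough to hold a 256-bit session key as a field element.
PRIME = 2**521 - 1


def split_secret(secret, k, n):
    """Dealer side: hide `secret` as f(0) of a random polynomial of degree
    k-1 and return the n points (i, f(i)), one per share holder."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]

    def f(x):
        acc = 0
        for coeff in reversed(coeffs):      # Horner evaluation mod PRIME
            acc = (acc * x + coeff) % PRIME
        return acc

    return [(i, f(i)) for i in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_despite_failures(shares, failed, k):
    """Drop the shares of unavailable holders (for example failed KRAs) and
    recover from any k of the survivors."""
    alive = [share for share in shares if share[0] not in failed]
    if len(alive) < k:
        raise RuntimeError("fewer than k share holders are available")
    return recover_secret(alive[:k])


if __name__ == "__main__":
    # Constructed sample: a random 256-bit key split 3-of-5.
    key = secrets.randbits(256)
    shares = split_secret(key, k=3, n=5)
    print("recovered with holders 2 and 4 down:",
          recover_despite_failures(shares, failed={2, 4}, k=3) == key)
    print("two shares alone recover the key:",
          recover_secret(shares[:2]) == key)
```

With fewer than k shares the interpolation still returns a number, but it is unrelated to the secret, so a recovery service has to check the result against something else it trusts.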

Proxy Re-Encryption
A Proxy Re-Encryption (PRE) scheme lets a proxy server convert a ciphertext encrypted with user A's public key into one that can be decrypted with user B's private key. In 1998, Blaze et al. [22] proposed the first two-way proxy re-encryption scheme. This scheme was designed using the ElGamal encryption scheme [23]. In 2007, Green et al. [24] proposed an ID-based proxy re-encryption scheme using ID-based encryption for the first time to solve the certificate management problem of the existing Public Key Infrastructure (PKI) based proxy re-encryption. ID-based encryption is a scheme that uses the user's identity as a public key [25]. In this scheme, the user's identity itself is the public key, so unlike in PKI-based environments there is no need to issue and manage certificates. In addition, since the KGC generates a private key corresponding to each identity and issues it to the user, it has the advantage of performing verification of the user through the KGC in case of a dispute. However, the KGC issues all users' private keys, which causes a key escrow problem in which the KGC knows the private keys. Therefore, to solve this problem, a Certificateless Public Key Cryptography (CL-PKC) system was developed. The CL-PKC scheme was proposed by Al-Riyami et al. [26], and it solves the key escrow problem by issuing partial private keys to the users by combining the user's identity and a random number. Building on these features, in 2010, Sur et al. [27] proposed Certificateless Proxy Re-Encryption (CL-PRE) using CL-PKC. CL-PRE is currently a representative form of secure PRE because it can perform the purpose of proxy re-encryption without suffering the PKI certificate management problem or IBE key escrow problem [28][29][30].
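The following added example, which is not code from the paper or from the cited works, walks through the ElGamal-based two-way scheme of Blaze et al. in its textbook form: the proxy turns a ciphertext for A into one for B without learning the encapsulated value. It also shows that the two-way re-encryption key together with B's private key determines A's private key, a collusion risk of the kind this paper sets out to address. The group parameters are toy values constructed for the illustration and all function names are assumptions.

```python
import hashlib
import secrets

# Toy group, constructed for illustration and far too small for real use:
# P = 2*Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2579, 1289, 4
NBYTES = (P.bit_length() + 7) // 8


def keygen():
    sk = secrets.randbelow(Q - 1) + 1            # sk in [1, Q-1]
    return sk, pow(G, sk, P)


def encrypt(pk, m):
    """Ciphertext (m * g^r, pk^r) = (m * g^r, g^(a*r)) under pk = g^a."""
    r = secrets.randbelow(Q - 1) + 1
    return (m * pow(G, r, P)) % P, pow(pk, r, P)


def decrypt(sk, ct):
    c1, c2 = ct
    g_r = pow(c2, pow(sk, -1, Q), P)             # (g^(sk*r))^(1/sk) = g^r
    return (c1 * pow(g_r, -1, P)) % P


def rekey(sk_a, sk_b):
    """Two-way re-encryption key rk = b / a mod Q (needs both private keys)."""
    return (sk_b * pow(sk_a, -1, Q)) % Q


def reencrypt(rk, ct):
    """Proxy step: only the second component changes, g^(a*r) -> g^(b*r)."""
    c1, c2 = ct
    return c1, pow(c2, rk, P)


def kdf(m):
    return hashlib.sha256(m.to_bytes(NBYTES, "big")).digest()


def encapsulate(pk):
    """Pick a random group element, derive a session key from it and return
    the key together with the encryption of the group element."""
    m = pow(G, secrets.randbelow(Q - 1) + 1, P)
    return kdf(m), encrypt(pk, m)


def decapsulate(sk, ct):
    return kdf(decrypt(sk, ct))


def colluders_recover_delegator_key(rk, sk_b):
    """Proxy (rk) plus delegatee (b) can compute a = b / rk mod Q."""
    return (sk_b * pow(rk, -1, Q)) % Q


if __name__ == "__main__":
    a, pk_a = keygen()
    b, pk_b = keygen()
    key, ct = encapsulate(pk_a)
    ct_b = reencrypt(rekey(a, b), ct)
    print("B recovers the session key:", decapsulate(b, ct_b) == key)
    print("proxy + B learn A's key:",
          colluders_recover_delegator_key(rekey(a, b), b) == a)
```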

System Model
This section describes the system models, system objects, and security requirements of the proposed schemes.

Common Proposed Key Recovery System Model
In this section, we present the two key recovery system models proposed in this study. Before describing each proposed model, we present the common elements of the proposed models.

Common Design Goals of Proposed Schemes
The two key recovery system models presented in this research were designed in different forms. However, the basic goal of both models is encapsulated key recovery. The first model proposed in this study is a key recovery system using signcryption. This process involves recovering the session key used for communication by using the encapsulated key recovery field. The second model proposed in this study is a key recovery system using proxy re-encryption. The basic goal is the same as the first model described above. However, the design and additional goals of the two models differ from each other. The similarities and differences between the two models can be seen in Figure 1, which will be described in detail below.

Common Objects of Proposed Schemes
The composition of the two system models proposed in this study can be seen in Figure 1. In Figure 1, the difference between M-KRA and KRA methods is shown for the types of participants in the two models. The remaining differences are detailed in each model's respective section.
• Key Generation Center (KGC): Every participant Part must perform the key generation and communication steps with the KGC to generate keys. All Part can generate a private key through the private key generation step with KGC, and a public key corresponding to the private key can be generated. The KGC publishes the public parameter params for performing encrypted communication with Part.
• Medical Institution (Med): Med is a medical institution that manages device authorization control and data on medical devices. When a device requests KRF key recovery, the Med verifies that it is the lawful owner of the KRF. In this paper, the step of confirming whether the device is the lawful owner of the KRF is omitted. In addition, the Med sends the KRF to KRC to help recover the key.

Proposed Scheme-I (Key Recovery System Using Signcryption)
This section describes additional elements of the key recovery system model using signcryption, excluding the common elements of the two models proposed in Section 3.1.

Design Goals of Proposed Scheme-I
The model of the key recovery system using signcryption is a key recovery system that is used when a device key is lost or corrupted as shown in Figure 2. The device requests key recovery from Med and sends KRF. The Med receiving the KRF verifies that it is a lawful device of KRF. If it is a lawful device, it requests KRC to recover the key and sends KRF. After receiving KRF, KRA decrypts the KRF and sends the obtained KRF pieces to the M-KRA. Then, after receiving the pieces of KRF, M-KRA decrypts them and sends the session key pieces to KRC. It collects the session key pieces, generates a complete session key, and sends it to the device.

Objects of Proposed Scheme-I
The system objects of the key recovery system using signcryption are shown in Figure 2. In addition, an M-KRA exists, and its roles are as follows:

Proposed Scheme-II (Key Recovery System Using Proxy Re-Encryption)
This section describes additional elements of the key recovery system model using proxy re-encryption, excluding the common elements of the two models proposed in Section 3.1.

Design Goals of Proposed Scheme-II
The model of the key recovery system using proxy re-encryption is a key recovery system that is used when a device key is lost or corrupted as shown in Figure 3. The device requests key recovery from Med and sends KRF. The Med receiving the KRF verifies that it is a lawful device of KRF. If it is a lawful device, it generates a re-encryption key. Then, it requests key recovery from KRC and sends the obtained KRF and the re-encryption key. After receiving the KRF and re-encryption key, the KRA partially calculates KRF and sends the partially calculated KRF to KRA. After receiving the partial calculated KRF, KRA performs some calculations and sends partial calculated KRF to KRC. After receiving KRF, KRC sends it to the Med. The Med decrypts it, generates a session key, and sends it to the device.

Objects of Proposed Scheme-II
The system objects of the key recovery system using proxy re-encryption are shown in Figure 3. KRA is a monitoring agency that judges whether a key can be recovered by auditing the validity of key recovery. The KRA determines whether KRF is suitable for recovery to prevent abuse of authority through collusion between the Med and the KRC. If the key recovery request is deemed to be lawful, KRA performs the KRF recovery process with its private key and sends the result to the KRC.

Security Requirements of Proposed Scheme-II
The security requirements of the key recovery system using proxy re-encryption are as follows:
• KRF integrity: No participant in key recovery can maliciously transform KRF information from the device and KRF information required for key recovery cannot be changed.
• Data confidentiality: It should be possible for only authorized devices to decrypt encrypted data.
• Med applied for support: The session key used for communication must be encrypted and stored in KRF. In the event of an emergency when it is necessary to view the device's data, the encrypted session key must be able to recover the encrypted message according to the procedure determined by Med as needed.
• Collusion attack resistance: Fewer than three participants among the Med, KRC, and KRA should not be allowed to obtain keys even if they are maliciously colluding.
• Key escrow problem: KGC can generate private keys for all participants, but the complete private key must not be known.

Proposed Scheme-I (Key Recovery System Using Signcryption)
In this section, we propose a key recovery scheme using signcryption for recovering a device's lost or corrupted key. It is mainly composed of a setup phase, a key pair generation phase, a session key exchange and encryption phase, a KRF generation phase, and a session key recovery phase as shown in Figure 4.

System Parameters
The system parameters used in the proposed scheme-I are as follows.

Setup Phase
In this phase, the KGC takes the security parameter $1^{\lambda}$ as input and generates public parameters.

• Step 1: The KGC selects a $\lambda$-bit large prime $p$, where $q$ is a large prime factor of $p - 1$, and a group $G$ of prime order $p$. In addition, a random generator $g \in G$ is selected.
• Step 2: A master private key $sk_M \in \mathbb{Z}_p^*$ is randomly selected and a master public key $pk_M = g^{sk_M}$ is computed.
• Step 3: KGC selects a hash function $H$.

Key Pair Generation Phase
In this phase, $Part_i$ receives a partial private key from KGC and uses it to generate the full private key $sk_i$ and public key $pk_i$.

• Step 1: KGC generates parameters $w_i, t_i \in \mathbb{Z}_p^*$ for participant $Part_i$ through the following operation and sends them to $Part_i$ through a secure channel.
• Step 2: Participant $Part_i$, who receives $X_i, d_i$ from KGC, selects random numbers $z_i, v_i \in \mathbb{Z}_p^*$ and sets $Part_i$'s private key $sk_i$.
• Step 3: Participant $Part_i$ generates $Z_i, V_i$ and sets the public key $pk_i$.

Session Key Exchange and Encryption Phase
In this phase, the key recovery system uses signcryption to ensure integrity and non-repudiation and performs encryption of the session key simultaneously as shown in Figure 5.

• Step 1: $Dev_A$ selects $a \in \mathbb{Z}_p^*$ and calculates the partial session key $PSK_A = g^a$. $Dev_B$ also selects $b \in \mathbb{Z}_p^*$ and calculates the partial session key $PSK_B = g^b$. After that, $Dev_A$ and $Dev_B$ exchange $PSK_A$ and $PSK_B$ with each other.
• Step 2: $Dev_A$ and $Dev_B$ calculate the session key $SK = (PSK_B)^a = (PSK_A)^b$ using the exchanged values $PSK_A$ and $PSK_B$.
• Step 3: $Dev_A$ generates a random number $x \in \mathbb{Z}_p^*$ and $k = pk_{KRC}^{x} \bmod p$, which is then divided in half into $k_1$ and $k_2$.
• Step 4: $Dev_A$ generates $c$, $r$ and $s$ using $k_1$, $k_2$, $sk_A$, $pk_A$ and $SK$.
• Step 5: $Dev_A$ divides $c$, $r$ and $s$ into $c_i$, $r_i$ and $s_i$.

KRF Generation Phase
In this phase, when the key is lost or corrupted, the necessary KRF is generated to recover the key as shown in Figure 6.

• Step 1: $Dev_A$ requests SGN from M-KRA.
• Step 2: Each of the KRAs requested for SGN by $Dev_A$ randomly selects $R_{KRA_i} \in \mathbb{Z}_p^*$. After that, each KRA generates an SGN by sharing the generated $R_{KRA_i}$ with the others through a secure channel.
• Step 3: M-KRA sends SGN to $Dev_A$.
• Step 4: $Dev_A$ generates $Tc_i$, $Tr_i$, $Ts_i$ using $c_i$, $r_i$, $s_i$ and SGN. Then, $TT_i$ is generated using $Tc_i$, $Tr_i$, and $Ts_i$: $TT_i = (Tc_i\ Tr_i\ Ts_i)$
• Step 5: $Dev_A$ generates KRF using $KRF_i$.
• Step 6: Then, the generated KRF is attached to the ciphertext $C$.

KRA Fault Recovery Phase
In this phase, if some KRAs fail to operate properly, the selected KRA or KRAs will instead perform key recovery as shown in Figure 7.

• Step 1: $Dev_A$ denotes the total number of KRAs as $n$ and the number of KRAs required for key recovery as $mr$.
• Step 2: $Dev_A$ calculates the number of KRAs $t$ required to distribute $TT_i$.
• Step 3: $Dev_A$ selects a KRA or KRAs to replace the failed $KRA_i$ as follows:

Session Key Recovery Phase
This phase describes how to recover a key if $Dev_B$ requests key recovery, as shown in Figure 8.

• Step 1: $Dev_B$ requests KRF decryption from Med to recover $SK$, and sends the KRF.
• Step 2: Then Med requests KRF decryption from KRC to recover $SK$, and sends the KRF.
• Step 3: Upon receiving a request for KRF decryption, KRC decrypts the KRF with $sk_{KRC}$ and obtains the $KRF_i$ pieces.
• Step 4: The obtained $KRF_i$ pieces are sent to each M-KRA to request decryption.
• Step 5: The requested M-KRA obtains the $c_i$, $r_i$, $s_i$, SGN, $TT_i$ values with $sk_{KRA_i}$.
• Step 6: Among the obtained values, the $c_i$, $r_i$, $s_i$, SGN values are encrypted with $pk_{KRC}$ and sent to the KRC.
• Step 7: KRC compares SGN obtained by decrypting the received ciphertext with $sk_{KRC}$ and $H(SGN)$. If they match, the $c_i$, $r_i$, $s_i$ pieces are collected and $c$, $r$, $s$ are recovered.
• Step 8: KRC recovers the $k$ value using the received ciphertext, public parameters, and recovered $c$, $r$, $s$.
• Step 9: Then, KRC divides $k$ into $k_1$, $k_2$.
• Step 10: KRC recovers the $SK$ using the obtained $k_1$ and $c$.
• Step 11: KRC compares the calculated $H_{k_2}(SK)$ and $r$ values using the obtained $k_2$.
• Step 12: If it matches, KRC sends the recovered $SK$ to Med.
• Step 13: Then, Med sends $SK$ to $Dev_B$ and the message is decrypted using the received $SK$.
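The core of the session key exchange and encryption phase (Steps 1 to 4) and of recovery Steps 8 to 11 can be run end to end as below. This is an added example, not the authors' implementation. Its assumptions: the formula for s follows Zheng's original signcryption, s = x / (r + sk_A) mod q, because the paper's own equations for c, r and s are not reproduced here; key pairs are plain (sk, g^sk) rather than the certificateless keys of the scheme; E is replaced by XOR with k1; k is stretched with SHA-512 before being halved; the group is a toy one; and the splitting into per-KRA pieces and the SGN handling are left out.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for illustration and far too small for real use:
# P = 2*Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2579, 1289, 4
NBYTES = (P.bit_length() + 7) // 8


def keygen():
    """Plain key pair (sk, g^sk); the partial-private-key step is skipped."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def dh_session_key():
    """Steps 1-2: both devices derive SK from the exchanged PSK_A, PSK_B."""
    a = secrets.randbelow(Q - 1) + 1
    b = secrets.randbelow(Q - 1) + 1
    psk_a, psk_b = pow(G, a, P), pow(G, b, P)
    shared = pow(psk_b, a, P)
    if shared != pow(psk_a, b, P):
        raise RuntimeError("key agreement mismatch")
    return hashlib.sha256(shared.to_bytes(NBYTES, "big")).digest()


def split_k(k):
    """Step 3: stretch k with SHA-512 and split it in half into (k1, k2)."""
    digest = hashlib.sha512(k.to_bytes(NBYTES, "big")).digest()
    return digest[:32], digest[32:]


def keyed_hash(k2, gx, session_key):
    """r = H_k2(g^x mod p, SK), realised here with HMAC-SHA256."""
    msg = gx.to_bytes(NBYTES, "big") + session_key
    return hmac.new(k2, msg, hashlib.sha256).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_krf(session_key, sk_dev, pk_krc):
    """Step 4: signcrypt SK for the KRC, producing the triple (c, r, s)."""
    while True:
        x = secrets.randbelow(Q - 1) + 1
        k1, k2 = split_k(pow(pk_krc, x, P))
        c = xor(session_key, k1)                      # stand-in for E_k1(SK)
        r = keyed_hash(k2, pow(G, x, P), session_key)
        denom = (int.from_bytes(r, "big") + sk_dev) % Q
        if denom:                                     # must be invertible
            return c, r, x * pow(denom, -1, Q) % Q    # s = x / (r + sk_dev)


def recover_session_key(krf, pk_dev, sk_krc):
    """Recovery Steps 8-11 on the KRC side; raises if the r check fails."""
    c, r, s = krf
    base = pk_dev * pow(G, int.from_bytes(r, "big") % Q, P) % P
    gx = pow(base, s, P)                  # equals g^x if nothing was altered
    k1, k2 = split_k(pow(gx, sk_krc, P))  # k = pk_KRC^x
    session_key = xor(c, k1)
    if not hmac.compare_digest(keyed_hash(k2, gx, session_key), r):
        raise ValueError("KRF rejected: r does not match H_k2(g^x mod p, SK')")
    return session_key


if __name__ == "__main__":
    sk_dev, pk_dev = keygen()
    sk_krc, pk_krc = keygen()
    sk = dh_session_key()
    krf = make_krf(sk, sk_dev, pk_krc)
    print("recovered:", recover_session_key(krf, pk_dev, sk_krc) == sk)
```

Because recovery uses the device's public key, a triple that verifies can only have been produced with the matching private key, which is the non-repudiation property the analysis relies on.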

Proposed Scheme-II (Key Recovery System Using Proxy Re-Encryption)
In this section, we propose scheme-II, a scheme for recovering a device's lost or corrupted key. This system was designed based on the scheme of Yang et al. [31]. It consists of a setup phase, a key pair generation phase, a Med enforcement phase, and a session key recovery phase, as shown in Figure 9.

System Parameters
The system parameters used in the proposed scheme-II are as follows:

Setup Phase
In this phase, the KGC takes the security parameter $1^{\lambda}$ as an input and generates public parameters.

• Step 1: KGC selects a $\lambda$-bit large prime $q$ and a group $G$ of prime order $q$. In addition, a random generator $g \in G$ is selected.
• Step 2: KGC randomly selects a master secret key $s \in \mathbb{Z}_q^*$ and computes $S = g^s$.
• Step 3: KGC selects hash functions $H_1, H_2, H_3, H_4, H_5, H_6$.
• Step 4: The message space $M$ and public parameters $params = (G, l_1, l_2, q, g, S, H_1,$

Key Pair Generation Phase
In this phase, $Part_i$ receives a partial private key from KGC and uses it to generate the full private key $sk_i$ and public key $pk_i$.

• Step 1: KGC generates parameters $x_i \in \mathbb{Z}_q^*$ for participant $Part_i$ through the following operation and sends them to $Part_i$ through a secure channel.
• Step 2: $Part_i$, who receives $X_i, d_i$ from KGC, selects random numbers $y_i, z_i \in \mathbb{Z}_q^*$ and sets $Part_i$'s private key $sk_i$.
• Step 3: $Part_i$ generates $Y_i, Z_i$ and sets the public key $pk_i$.
After that, $Part_i$ publishes public key $pk_i$.

Session Key Exchange and KRF Generation Phase
In this phase, a session key is exchanged between $Dev_A$ and $Dev_B$, and a KRF is generated. Furthermore, in the KRF generation phase, after generating KRF, the ciphertext $C$ is communicated with KRF as shown in Figure 10.

• Step 1: $Dev_A$ selects $a \in \mathbb{Z}_q^*$ and calculates the partial session key $PSK_A$. $Dev_B$ also selects $b \in \mathbb{Z}_q^*$ and calculates the partial session key $PSK_B$. After that, $Dev_A$ and $Dev_B$ exchange $PSK_A$ and $PSK_B$ with each other.
• Step 2: $Dev_A$ and $Dev_B$ calculate the session key $SK = (PSK_B)^a = (PSK_A)^b$ using the exchanged values $PSK_A$ and $PSK_B$.
• Step 3: $Dev_A$ generates the ciphertext message $C = E_{SK}(M)$ using the generated session key $SK$.
• Step 4: After that, $Dev_A$ selects random values $t, c \in \mathbb{Z}_q^*$ and $\sigma \in \{0, 1\}^{l_2}$, and generates KRF using $SK$, $pk_{Med}$, $pk_{KRC}$ and $pk_{KRA}$ as follows:
After that, $Dev_A$ and $Dev_B$ communicate with each other using $(C\ KRF)$.

Med Enforcement Phase
In this phase, Med will start recovering the encrypted session key between $Dev_A$ and $Dev_B$ at the request of $Dev_A$ as shown in Figure 11.

• Step 1: $Dev_A$ sends KRF to Med to recover the session key $SK$.

Session Key Recovery Phase
In this phase, KRC receives a key recovery request from Med. KRF calculates $KRF_2$ using its private key, and then requests key recovery from KRA as shown in Figure 12.

• Step 4: Med decrypts $KRF_4$ to obtain $SK$ as follows: After that, Med sends $SK$ to $Dev_A$.
• Step 5: $Dev_A$ decrypts the message $M$ using the obtained $SK$.

Analysis of the Proposed Schemes
This section explores whether the abovementioned security requirements are satisfied by the two proposed schemes, as shown in Table 1.
• KRF integrity: The device, Med, KRA, and KRC participating in key recovery should not be able to maliciously transform a device key that generates a KRF. To solve this problem, the scheme includes the session key hash in parameter $r$ of the KRF. Therefore, KRF data cannot be forged. Only the device can access the KRF session key generated by the device.
$r \stackrel{?}{=} r'$, $H_{k_2}(g^x \bmod p, SK) \stackrel{?}{=} H_{k_2}(g^x \bmod p, SK')$ (59)
• Data confidentiality: In the proposed scheme-I, communication between devices is performed through a session key. Therefore, if the session key for the corresponding communication is unknown, the malicious user will not be able to obtain the message. In addition, as the KRF generated in the communication process contains the public keys of KRC and M-KRA, third parties other than KRC and KRA cannot know the contents of the corresponding KRF.
• Non-repudiation: If the device generates and uses the wrong KRF, KRC cannot recover the key. To solve this problem, the device should not be able to deny the fact that it generated the KRF. Therefore, the scheme includes the private key $sk_A$ of the device in parameter $s$ of the KRF. The device cannot deny that it generated the KRF.
In order to obtain $SK$ from the above $KRF = (KRF_1, KRF_2, KRF_3, KRF_4)$, $KRF_3$ must be decrypted. In order to decrypt $KRF_3$, Med, KRC and KRA need to know $c$ or $g^c$. However, only Dev knows $c$ and $g^c$. Therefore, it is necessary to obtain $g^c$ by decrypting $KRF_4$.
Here, $KRF_4$ contains $\alpha \cdot \beta = Y_{Med}^{c} \cdot Z_{Med}^{c}$, so the attackers must compute $H_4(V_{KRA}^{\tau})$ and $H_4(V_{Med}^{\tau})$.
Since $V_i$ can be created using a public key, anyone can create it. However, since only Dev knows $\tau$, attackers must use $KRF_2$ to calculate $H_4(V_{KRA}^{\tau})$ and $H_4(V_{Med}^{\tau})$.
Here, KRC's private key $y_{KRC}$ is required to obtain $g^{\tau}$ from $KRF_2$. Therefore, KRC is required in the key recovery process.
Next, since the attacker does not know $\tau$, he has to perform the following operation to calculate $H_4(V_{KRA}^{\tau})$. In the end, the KRA's private keys $d_{KRA}$ and $y_{KRA}$ are required, so KRA is also required.
In order to acquire $g^c$ using $KRF_4$, Med's private keys $y_{Med}$ and $z_{Med}$ are required, so Med is also required. As a result, in order to obtain $SK$ by decrypting KRF, all of Med, KRC, and KRA must participate.
• Key escrow problem: The proposed scheme-II is based on a CL-PKC scheme. Therefore, as KGC can generate only a part of the private key during the private key generation process, the key escrow problem caused by KGC in ID-based encryption has been solved.

Conclusions
This paper proposed, in schemes I and II, key recovery systems based on key encapsulation that are secured against various attacks in IoMT environments.
In the key recovery system, the session key used in the ciphertext is recovered via the KRF and used. However, the KRF can be forged and KRF owners can deny the fact that they generated the KRF. Furthermore, unauthorized KRAs can access the M-KRA and interfere with key recovery. To solve this problem, the key recovery system using signcryption includes the session key hash in the KRF. Therefore, the KRF data cannot be forged. In addition, this system includes the private key of a device in a special value of the KRF. A device cannot deny that it generated the KRF. Furthermore, the system ensures the security requirements mentioned in Section 3, including KRF integrity and non-repudiation, are fulfilled.
Additionally, there is a problem that the key can be recovered by collusion attacks and key or message leakage among the Med, KRC, and KRA. To solve this problem, the Med must have the help of the KRC and KRA to recover the key by a proxy re-encryption function. In addition, the KRC or KRA would also need mutual help to recover a complete session key. That is, by limiting the information and processing capabilities of the three participants, the key recovery system can be expected to be secure against various attacks. Furthermore, because the KGC generates the private keys of all participants, there is the problem that the KGC's authority is strong. To solve this, a partial private key generation scheme is used. The KGC generates a partial private key and sends it to the participants. Participants who receive partial private keys use them to generate complete private keys, which solves the KGC key escrow problem.
Future research should check whether unexpected problems occur when the proposed schemes are implemented in actual systems. Furthermore, additional research is needed to examine the amount of computation, time, and cost incurred when recovering keys. In addition, further research is needed to determine whether the proposed schemes are secure against other types of security threats.