Certificateless online/offline signcryption for the Internet of Things

The Internet of Things (IoT) is an emerging network paradigm that aims to obtain the interactions among pervasive things through heterogeneous networks. Security is an important task in the IoT. Luo et al. (Secur Commun Netw 7(10): 1560–1569, 2014) proposed a certificateless online/offline signcryption (COOSC) scheme for the IoT (hereafter called LTX). Unfortunately, Shi et al. showed that LTX is not secure: an adversary can easily obtain the private key of a user from a ciphertext. Recently, Li et al. proposed a new COOSC scheme (hereafter called LZZ). However, both LTX and LZZ need a point multiplication operation in the online phase, which is not suitable for resource-constrained devices. To overcome this weakness, we propose a new COOSC scheme and prove its security in the random oracle model. In addition, we analyze the performance of our scheme and show its application in the IoT.


Introduction
The Internet of Things (IoT) is an emerging network paradigm that aims to obtain the interactions among pervasive things through heterogeneous networks [1,2]. The pervasive things (e.g. human beings, computers, appliances and cars) can communicate with each other at any time, in any place, and in any way. Many information technologies serve as the building blocks of the IoT, such as radio frequency identification (RFID), wireless sensor networks (WSNs), machine-to-machine interfaces (M2M), cloud computing, and so on [3]. The IoT has been widely applied in the smart grid, intelligent transportation, and smart cities. Securing the IoT is challenging because of the scalability, heterogeneity, open nature of wireless communication and limited resources of WSNs and RFID [4]. Luo et al. [5] proposed a certificateless online/offline signcryption (COOSC) scheme (hereafter called LTX) and designed a secure communication model using the COOSC scheme. COOSC has the following two advantages: (1) it simultaneously achieves confidentiality and authentication at a low cost; (2) it has neither public key certificates nor the key escrow problem. Unfortunately, Shi et al. [6] showed that LTX is not secure: an adversary can easily obtain the private key of a user from a ciphertext. Recently, Li et al. [7] gave a new COOSC scheme (hereafter called LZZ). However, both LTX and LZZ need a point multiplication operation in the online phase, which is not suitable for resource-constrained devices.

Motivation and contribution
To overcome the weakness that needs a point multiplication operation in the online phase of LTX and LZZ, we propose a new COOSC scheme. Using the random oracle model, we prove that our scheme has the indistinguishability against adaptive chosen ciphertext attack (IND-CCA2) under q-bilinear Diffie-Hellman inversion (q-BDHI) and modified bilinear inverse Diffie-Hellman (mBIDH) problems and has the existential unforgeability against adaptive chosen messages attack (EUF-CMA) under q-strong Diffie-Hellman (q-SDH) and modified inverse computational Diffie-Hellman (mICDH) problems. Compared with LTX and LZZ, our scheme has no point multiplication operation in the online phase. In the unsigncryption phase, our scheme has less computational cost than LTX and LZZ. For the ciphertext size and private key size, our scheme is also shorter than LTX and LZZ. We analyze the performance of our scheme and show its application in the IoT.

Related work
Signcryption [8] is a cryptographic primitive that performs both the functions of digital signature and public key encryption in a single logical step, at a cost significantly lower than that required by the traditional signature-then-encryption method. Signcryption is very suitable for resource-constrained devices since it simultaneously achieves confidentiality, authentication, integrity and non-repudiation at a lower cost.
In a public key cryptosystem, there exist three methods for establishing the authenticity of a public key: public key infrastructure (PKI), identity-based cryptosystem (IBC) and certificateless cryptosystem (CLC). According to these three public key authentication methods, signcryption can be divided into three types: PKI-based signcryption, identity-based signcryption (IBSC) and certificateless signcryption (CLSC). In the PKI, a certificate authority (CA) issues a certificate that binds a public key to the identity of a user by the signature of the CA. Expired certificates are listed in a certificate revocation list (CRL). The PKI has been widely used in Internet security. Some well-known signcryption schemes in the PKI have been proposed [8,9]. However, the PKI may not be a good choice for resource-constrained devices since certificate management is heavy, including distribution, verification, storage and revocation. To reduce the burden of certificate management, some IBSC schemes were proposed [10][11][12][13]. Compared with the PKI, the main advantage of the IBC is the elimination of public key certificates. In the IBC, a user's public key is derived directly from its identity information, such as telephone numbers, email addresses and IP addresses. There is a trusted third party called the private key generator (PKG) that takes charge of generating a private key for each user using a master secret key. Authenticity of a public key is explicitly verified without requiring a public key certificate. However, the IBC has a weakness called the key escrow problem, since the PKG holds all the users' private keys. To overcome this problem, some CLSC schemes were proposed [14][15][16]. The CLC uses a trusted third party called the key generating center (KGC) that takes charge of generating a partial private key for each user using a master secret key.
Then the user generates a secret value and combines the secret value with the partial private key to form a full private key. Note that the KGC does not know the full private key since it does not know the secret value. Therefore, the CLC has neither public key certificates nor key escrow problem.
In 2002, An et al. introduced a new notion called online/offline signcryption (OOSC) by combining the concepts of online/offline signature and signcryption [17]. An OOSC scheme splits the signcryption into two phases: an offline phase and an online phase. In the offline phase, most heavy operations are done without knowledge of the message. In the online phase, only light operations are done once the message is available. OOSC is very suitable for supplying the security solution for resource-constrained devices such as sensor nodes, RFID, smart cards and mobile phones. A resource-constrained device is characterized by low computational power and limited battery lifetime and capacity. It can be loaded with the precomputed result of the offline phase from a more powerful device, and the entire signcryption process can then be finished quickly using the precomputed result. Some PKI-based OOSC schemes have been proposed [18][19][20]. Sun et al. [21] proposed an identity-based online/offline signcryption (IBOOSC) scheme. However, this scheme needs the receiver's identity in the offline phase. To overcome this weakness, Liu et al. [22] proposed a new IBOOSC scheme that does not need the receiver's identity in the offline stage. Li et al. [23] gave a new IBOOSC scheme with a great advantage in offline storage and ciphertext length. Li and Xiong [24] proposed a heterogeneous OOSC to secure the communication of the IoT. In the heterogeneous OOSC, the sender belongs to the IBC and the receiver belongs to the PKI. Senthil kumaran and Ilango [25] used the heterogeneous OOSC to design secure routing in WSNs.
Recently, COOSC has been considered in [5][6][7]. However, these schemes need a point multiplication operation in the online phase. The aim of the online/offline technique is to shift the heavy operations to the offline phase; therefore, [5][6][7] violate this objective. In this paper, we give a new COOSC scheme that removes all heavy operations from the online phase.

Organization
The rest of the paper is organized as follows. The bilinear pairings and security assumptions are introduced in Sect. 2. The formal model of COOSC is given in Sect. 3. We describe a new COOSC scheme in Sect. 4. We give the security and performance of our scheme in Sect. 5. The application of our scheme in the IoT is described in Sect. 6. Finally, the conclusions are given in Sect. 7.

Preliminaries
In this section, we describe the bilinear pairings and security assumptions.
Let $G_1$ and $G_2$ be two cyclic groups with the same prime order $p$, where $G_1$ is an additive group and $G_2$ is a multiplicative group. Let $P$ be a generator of $G_1$. A bilinear pairing is a map $\hat{e}: G_1 \times G_1 \to G_2$ that satisfies the following properties:
1. Bilinearity: $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}_p^*$.
2. Non-degeneracy: there exist $P, Q \in G_1$ such that $\hat{e}(P, Q) \neq 1$, where $1$ is the identity element of the group $G_2$.
3. Computability: $\hat{e}(P, Q)$ can be efficiently computed for all $P, Q \in G_1$.
The modified Weil pairing and Tate pairing provide admissible maps of this kind. Please refer to [26] for details. The security of our scheme depends on the hardness of the following assumptions.
Definition 2 Given groups $G_1$ and $G_2$ of the same prime order $p$, a generator $P$ of $G_1$ and a bilinear map $\hat{e}: G_1 \times G_1 \to G_2$, the modified bilinear inverse Diffie-Hellman (mBIDH) problem in $(G_1, G_2, \hat{e})$ is to compute $\hat{e}(P, P)^{1/(a+c)}$ given $(P, aP, c)$. Here $a, c \in \mathbb{Z}_p^*$.
Definition 3 Given groups $G_1$ and $G_2$ of the same prime order $p$, a generator $P$ of $G_1$ and a bilinear map $\hat{e}: G_1 \times G_1 \to G_2$, the q-strong Diffie-Hellman (q-SDH) problem in $(G_1, G_2, \hat{e})$ is to find a pair $(w, \frac{1}{a+w}P) \in \mathbb{Z}_p^* \times G_1$ given $(P, aP, a^2P, \ldots, a^qP)$. Here $a \in \mathbb{Z}_p^*$.
Definition 4 Given a group $G_1$ of prime order $p$ and a generator $P$ of $G_1$, the modified inverse computational Diffie-Hellman (mICDH) problem in $G_1$ is to compute $(a+c)^{-1}P$ given $(P, aP, c)$. Here $a, c \in \mathbb{Z}_p^*$.
Certificateless online/offline signcryption
COOSC is an online/offline signcryption scheme in the certificateless cryptosystem. In such a scheme, the signcryption process is split into two phases: an offline phase and an online phase. In the offline phase, most heavy cryptographic operations are done without knowledge of the message. In the online phase, only light cryptographic operations are done once the message is available. Now we give the formal definition and security notions of COOSC.

Syntax
A generic COOSC scheme consists of the following seven algorithms [5,7].
Setup is a probabilistic algorithm run by a KGC that takes as input a security parameter $k$, and outputs a master secret key $s$ and the system parameters params, which contain a master public key $P_{pub}$. For simplicity, we omit params in the other algorithms in the following content.
PPKE is a partial private key extraction algorithm run by the KGC that takes as input a user's identity $ID$ and a master secret key $s$, and outputs a partial private key $D_{ID}$.
UKG is a user key generation algorithm run by a user that takes as input an identity $ID$, and outputs a secret value $x_{ID}$ and a public key $PK_{ID}$. The public key can be published without a certificate.
FPKS is a full private key setup algorithm run by a user that takes as input a partial private key $D_{ID}$ and a secret value $x_{ID}$, and outputs a full private key $S_{ID}$.
OffSC is a probabilistic offline signcryption algorithm run by a sender that takes as input a sender's private key $S_A$ and a receiver's identity $ID_B$ and public key $PK_B$, and outputs an offline signcryption result $\delta$. Note that a message is not required in this phase.
OnSC is an online signcryption algorithm run by a sender that takes as input a message $m$, an offline signcryption $\delta$ and a sender's identity $ID_A$ and public key $PK_A$, and outputs a ciphertext $\sigma$.
USC is a deterministic unsigncryption algorithm run by a receiver that takes as input a ciphertext $\sigma$, a sender's identity $ID_A$ and public key $PK_A$, and a receiver's private key $S_B$, and outputs a message $m$ or a failure symbol $\perp$ if $\sigma$ is not a valid ciphertext between the sender and the receiver.
The above algorithms should satisfy the consistency constraint of COOSC, i.e. if $\delta = \text{OffSC}(S_A, ID_B, PK_B)$ and $\sigma = \text{OnSC}(m, \delta, ID_A, PK_A)$, then we have $m = \text{USC}(\sigma, ID_A, PK_A, S_B)$.

Security notions
In the CLC, we need to consider two types of adversaries [26], Type I and Type II. A Type I adversary models an attacker that is a common user and does not have the [14]. So, in CLSC, we should consider four security notions: IND-CCA2-I for a Type I adversary, IND-CCA2-II for a Type II adversary, EUF-CMA-I for a Type I adversary and EUF-CMA-II for a Type II adversary. The four games for the four security notions are described as follows [5,7]. The first game (Game-I) is a confidentiality game played between a Type I adversary $A_I$ and a challenger $C$.
Initial $C$ runs the Setup algorithm with a security parameter $k$ and gives the system parameters params to $A_I$.
Phase 1 $A_I$ performs a polynomially bounded number of queries in an adaptive manner (i.e., each query may depend on the answers to the previous queries).
• Partial private key extraction queries: $A_I$ submits an identity $ID$ to $C$. $C$ runs the PPKE algorithm and sends a partial private key $D_{ID}$ to $A_I$.
• Private key queries: $A_I$ submits an identity $ID$ to $C$. $C$ runs the FPKS algorithm and gives a full private key $S_{ID}$ to $A_I$ ($C$ may first run the PPKE and UKG algorithms if necessary).
• Public key queries: $A_I$ may ask a public key query by submitting an identity $ID$. $C$ runs the UKG algorithm and sends a public key $PK_{ID}$ to $A_I$.
• Public key replacement queries: $A_I$ can replace a public key $PK_{ID}$ with a value of its choice.
• Signcryption queries: $A_I$ may ask a signcryption query by submitting a message $m$, a sender's identity $ID_i$ and a receiver's identity $ID_j$. $C$ first runs the FPKS algorithm to get the sender's private key $S_i$ and the UKG algorithm to get the sender's public key $PK_i$ and the receiver's public key $PK_j$. Then $C$ runs $\text{OffSC}(S_i, ID_j, PK_j)$ to obtain the offline signcryption $\delta$. Finally, $C$ sends the result of $\text{OnSC}(m, \delta, ID_i, PK_i)$ to $A_I$. If the public key associated with $ID_i$ has been replaced, $C$ does not know the sender's secret value. In this case, we require $A_I$ to supply it.
• Unsigncryption queries: $A_I$ may ask an unsigncryption query by submitting a ciphertext $\sigma$, a sender's identity $ID_i$ and a receiver's identity $ID_j$. $C$ first runs the FPKS algorithm to get the receiver's private key $S_j$ and the UKG algorithm to get the sender's public key $PK_i$. Then $C$ sends the result of $\text{USC}(\sigma, ID_i, PK_i, S_j)$ to $A_I$. If the public key associated with $ID_j$ has been replaced, $C$ does not know the receiver's secret value. In this case, we require $A_I$ to supply it.
Challenge $A_I$ decides when phase 1 ends. $A_I$ outputs two equal-length messages $(m_0, m_1)$, a sender's identity $ID_A$ and a receiver's identity $ID_B$ on which it wishes to be challenged. Note that $ID_B$ cannot have been submitted to a private key query in phase 1. $ID_B$ also cannot have been submitted to both a partial private key extraction query and a public key replacement query. $C$ chooses a random bit $b \in \{0, 1\}$, computes $\delta^* = \text{OffSC}(S_A, ID_B, PK_B)$ and the challenge ciphertext $\sigma^* = \text{OnSC}(m_b, \delta^*, ID_A, PK_A)$, and sends $\sigma^*$ to $A_I$. If the public key associated with $ID_A$ has been replaced, $C$ may not know the sender's secret value. In this case, we require $A_I$ to supply it.
Phase 2 $A_I$ may ask a polynomially bounded number of queries adaptively again as in phase 1. This time, $A_I$ cannot ask a private key query on $ID_B$. $A_I$ also cannot ask a partial private key extraction query on $ID_B$ if the public key of this identity has been replaced before the challenge phase. In addition, it cannot ask an unsigncryption query on $(\sigma^*, ID_A, ID_B)$ to obtain the corresponding message unless the public key $PK_A$ or $PK_B$ has been replaced after the challenge phase.
Guess $A_I$ outputs a bit $b'$ and wins the game
Definition 5 A COOSC scheme is $(\epsilon, t, q_{ppk}, q_{sk}, q_{pk}, q_{pkr}, q_s, q_u)$-IND-CCA2-I secure if there does not exist a probabilistic $t$-polynomial time adversary $A_I$ that has advantage at least $\epsilon$ after at most $q_{ppk}$ partial private key extraction queries, $q_{sk}$ private key queries, $q_{pk}$ public key queries, $q_{pkr}$ public key replacement queries, $q_s$ signcryption queries and $q_u$ unsigncryption queries in Game-I.
The second game (Game-II) is a confidentiality game played between a Type II adversary $A_{II}$ and a challenger $C$.
Initial $C$ runs the Setup algorithm with a security parameter $k$ and gives a master secret key $s$ and the system parameters params to $A_{II}$.
Phase 1 $A_{II}$ makes a polynomially bounded number of private key queries, public key queries, signcryption queries and unsigncryption queries just as in Game-I. Note that partial private key extraction queries are not needed, since $A_{II}$ can perform them by itself.
Challenge $A_{II}$ decides when phase 1 ends. $A_{II}$ outputs two equal-length messages $(m_0, m_1)$, a sender's identity $ID_A$ and a receiver's identity $ID_B$ on which it wishes to be challenged. Note that $ID_B$ cannot have been submitted to a private key query in phase 1. $C$ chooses a random bit $b \in \{0, 1\}$, computes $\delta^* = \text{OffSC}(S_A, ID_B, PK_B)$ and $\sigma^* = \text{OnSC}(m_b, \delta^*, ID_A, PK_A)$, and sends $\sigma^*$ to $A_{II}$.
Phase 2 $A_{II}$ may ask a polynomially bounded number of queries adaptively again as in phase 1. This time, $A_{II}$ cannot ask a private key query on $ID_B$. In addition, it cannot make an unsigncryption query on $(\sigma^*, ID_A, ID_B)$ to obtain the corresponding message.
Guess $A_{II}$ outputs a bit $b'$ and wins the game
Definition 6 A COOSC scheme is $(\epsilon, t, q_{sk}, q_{pk}, q_s, q_u)$-IND-CCA2-II secure if there does not exist a probabilistic $t$-polynomial time adversary $A_{II}$ that has advantage at least $\epsilon$ after at most $q_{sk}$ private key queries, $q_{pk}$ public key queries, $q_s$ signcryption queries and $q_u$ unsigncryption queries in Game-II.
Game-I and Game-II capture insider security for confidentiality, since the adversary knows all senders' private keys [17]. Insider security ensures the forward security of a signcryption scheme: confidentiality is still kept if the sender's private key is disclosed.
The third game (Game-III) is an unforgeability game played between a Type I adversary $F_I$ and a challenger $C$.
Initial $C$ runs the Setup algorithm with a security parameter $k$ and gives the system parameters params to $F_I$.
Attack $F_I$ performs a polynomially bounded number of queries just as in Game-I.
Forgery $F_I$ outputs a ciphertext $\sigma^*$, a sender's identity $ID_A$ and a receiver's identity $ID_B$. $F_I$ wins this game if the following conditions hold:
2. $F_I$ has not asked a private key query for $ID_A$.
3. $F_I$ has not asked both a public key replacement query for $ID_A$ and a partial private key extraction query for $ID_A$.
4. $F_I$ has not asked a signcryption query on $(m^*, ID_A, ID_B)$.
The advantage of $F_I$ is defined as the probability that it wins.
Definition 8 A COOSC scheme is $(\epsilon, t, q_{ppk}, q_{sk}, q_{pk}, q_{pkr}, q_s, q_u)$-EUF-CMA-I secure if there does not exist a probabilistic $t$-polynomial time adversary $F_I$ that has advantage at least $\epsilon$ after at most $q_{ppk}$ partial private key extraction queries, $q_{sk}$ private key queries, $q_{pk}$ public key queries, $q_{pkr}$ public key replacement queries, $q_s$ signcryption queries and $q_u$ unsigncryption queries in Game-III.
The fourth game (Game-IV) is an unforgeability game played between a Type II adversary $F_{II}$ and a challenger $C$.
Initial $C$ runs the Setup algorithm with a security parameter $k$ and gives a master secret key $s$ and the system parameters params to $F_{II}$.
Attack $F_{II}$ performs a polynomially bounded number of queries just as in Game-II.
Forgery $F_{II}$ outputs a ciphertext $\sigma^*$, a sender's identity $ID_A$ and a receiver's identity $ID_B$. $F_{II}$ wins this game if the following conditions hold:
2. $F_{II}$ has not asked a private key query for $ID_A$.
3. $F_{II}$ has not asked a signcryption query on $(m^*, ID_A, ID_B)$.
The advantage of $F_{II}$ is defined as the probability that it succeeds.
Definition 9 A COOSC scheme is $(\epsilon, t, q_{sk}, q_{pk}, q_s, q_u)$-EUF-CMA-II secure if there does not exist a probabilistic $t$-polynomial time adversary $F_{II}$ that has advantage at least $\epsilon$ after at most $q_{sk}$ private key queries, $q_{pk}$ public key queries, $q_s$ signcryption queries and $q_u$ unsigncryption queries in Game-IV.
Definition 10 A COOSC scheme is EUF-CMA secure if it is both EUF-CMA-I secure and EUF-CMA-II secure.
In Game-III and Game-IV, the adversary is allowed to know the receiver's private key $S_B$. Thus insider security for unforgeability is obtained [17].

An efficient COOSC scheme
In this section, we propose an efficient COOSC scheme. Here we assume that the sender's identity is $ID_A$ and the receiver's identity is $ID_B$.
Setup Given a security parameter $k$, the KGC chooses an additive group $G_1$ and a multiplicative group $G_2$ of the same prime order $p$, a generator $P$ of $G_1$, a bilinear map $\hat{e}: G_1 \times G_1 \to G_2$, and four hash functions $H_1$, $H_2$, $H_3$ and $H_4$. Here $n$ is the number of bits of a message to be sent. The KGC randomly selects a master secret key $s \in \mathbb{Z}_p^*$ and computes the master public key $P_{pub} = sP$. The KGC publishes the system parameters $\{G_1, G_2, p, \hat{e}, n, P, P_{pub}, g, H_1, H_2, H_3, H_4\}$ and keeps $s$ secret. Here $g = \hat{e}(P, P)$.
PPKE A user sends its identity $ID_U$ to the KGC. The KGC computes a partial private key $D_U = \frac{1}{H_1(ID_U) + s}P$ and returns $D_U$ to the user.
UKG A user with identity $ID_U$ randomly selects $x_U \in \mathbb{Z}_p^*$ as the secret value and sets $PK_U = x_U(H_1(ID_U)P + P_{pub})$ as the public key. The public key can be published without certification.
FPKS Given a partial private key $D_U$ and a secret value $x_U$, the user sets the full private key $S_U = \frac{1}{x_U + H_2(PK_U)}D_U$.
OffSC Given a sender's private key $S_A$ and a receiver's identity $ID_B$ and public key $PK_B$, this algorithm works as follows.
OnSC Given a message $m$, an offline signcryption $\delta$ and a sender's identity $ID_A$ and public key $PK_A$, this algorithm works as follows.
USC Given a ciphertext $\sigma$, a sender's identity $ID_A$ and public key $PK_A$, and a receiver's private key $S_B$, this algorithm works as follows.
We summarize the communication process in Fig. 1. Now we check the consistency of our scheme. First, because Second, since we have Eq. (2).

In this section, we analyze the security and performance of our scheme.

Security
Theorem 1 In the random oracle model, our scheme is IND-CCA2 secure under the q-BDHI and mBIDH assumptions.
Proof This theorem follows from the following Lemmas 1 and 2. □

Lemma 1
In the random oracle model, if there is an adversary $A_I$ that has a non-negligible advantage against the IND-CCA2-I security of our scheme when running in a time $t$ and performing $q_{ppk}$ partial private key extraction queries, $q_{sk}$ private key queries, $q_{pk}$ public key queries, $q_{pkr}$ public key replacement queries, $q_s$ signcryption queries, $q_u$ unsigncryption queries and $q_{H_i}$ queries to the oracles $H_i$ ($i = 1, 2, 3, 4$), then we can construct an algorithm $C$ that can solve the q-BDHI problem for $q = q_{H_1}$ with an advantage where $t_p$ is the cost for one pairing operation, $t_m$ is the cost for a point multiplication operation in $G_1$ and $t_e$ is the cost for an exponentiation operation in $G_2$.
Proof We show how $C$ can use $A_I$ as a subroutine to solve a random instance $(P, aP, a^2P, \ldots, a^qP)$ of the q-BDHI problem.
Initial In a preparation phase, $C$ chooses $\ell \in \{1, \ldots, q_{H_1}\}$, elements $e_\ell \in \mathbb{Z}_p^*$ and $w_1, \ldots, w_{\ell-1}, w_{\ell+1}, \ldots, w_q \in \mathbb{Z}_p^*$ randomly. For $i = 1, \ldots, \ell-1, \ell+1, \ldots, q$, $C$ sets $e_i = e_\ell - w_i$. Then $C$ uses its input to set a generator $Q \in G_1$ and an element $X = aQ \in G_1$ such that it knows $q - 1$ pairs $(w_i, V_i = \frac{1}{a + w_i}Q)$ for $i \in \{1, \ldots, q\} \setminus \{\ell\}$, as in [27]. To do so, $C$ expands the polynomial $f(z) = \prod_{i \in \{1, \ldots, q\} \setminus \{\ell\}} (z + w_i) = \sum_{j=0}^{q-1} c_j z^j$. A generator $Q$ and an element $X$ can be obtained as $Q = \sum_{j=0}^{q-1} c_j (a^jP) = f(a)P$ and $X = \sum_{j=1}^{q} c_{j-1}(a^jP) = af(a)P = aQ$. As in [27], the pairs $(w_i, V_i)$ for $i \in \{1, \ldots, q\} \setminus \{\ell\}$ can be obtained by expanding $f(z)/(z + w_i)$ in the same way. The master public key of the KGC is set as $Q_{pub} = -X - e_\ell Q = (-a - e_\ell)Q$ and its corresponding master secret key is implicitly set to $s = -a - e_\ell \in \mathbb{Z}_p^*$. For all $i \in \{1, \ldots, q\} \setminus \{\ell\}$, we have $(e_i, -V_i) = (e_i, \frac{1}{e_i + s}Q)$. $C$ gives $A_I$ the system parameters with $Q$, $Q_{pub} = (-a - e_\ell)Q$ and $g = \hat{e}(Q, Q)$.
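The polynomial trick of [27] that this preparation phase relies on, worked through as an added toy example (this is not the paper's code). It models $G_1$ as the additive group $\mathbb{Z}_p$ with $P = 1$, so a point $aP$ is just the scalar $a$ and discrete logs are trivial; the model only checks the algebra of the construction (that $Q$, $X = aQ$ and $Q_{pub}$ are computable from the powers $a^jP$ alone, and that every known pair $(e_i, -V_i)$ really satisfies $-V_i = \frac{1}{e_i+s}Q$), never its hardness. The prime $p$, the instance value $a$ and all randomness are constructed values.

```python
"""Toy check of the Lemma 1 preparation phase (added example, not the paper's code).

G_1 is modelled as the additive group Z_p with generator P = 1, so a "point"
aP is just the scalar a mod p. Discrete logs are therefore trivial here; the
model only lets us verify the algebra of the construction, never its hardness.
"""
import random
from functools import reduce

p = 1_000_003  # constructed toy prime order of G_1


def poly_mul(f, g):
    """Product of two polynomials over Z_p, coefficient lists low degree first."""
    res = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            res[i + j] = (res[i + j] + fi * gj) % p
    return res


def expand(ws):
    """Coefficients c_0, ..., c_d of f(z) = prod_{w in ws} (z + w)."""
    return reduce(poly_mul, ([w % p, 1] for w in ws), [1])


def eval_from_powers(coeffs, powers):
    """sum_j c_j * (a^j P), using only the q-SDH instance (P, aP, ..., a^q P)."""
    return sum(c * ajP for c, ajP in zip(coeffs, powers)) % p


def prepare(a, q, ell, seed=0):
    """Run C's preparation phase on the instance (P, aP, ..., a^q P).

    Returns Q, X = aQ, Q_pub = (-a - e_ell) Q, the implicit master key s (kept
    only so the caller can check the result; C itself never learns it) and
    the q-1 known pairs (e_i, -V_i) with -V_i = Q / (e_i + s) for all i != ell.
    """
    rng = random.Random(seed)
    powers = [pow(a, j, p) for j in range(q + 1)]      # the instance, P = 1
    e_ell = rng.randrange(1, p)
    w = {i: rng.randrange(1, p) for i in range(1, q + 1) if i != ell}
    e = {i: (e_ell - w[i]) % p for i in w}              # e_i = e_ell - w_i
    f = expand(w.values())                               # f(z) = prod_{i != ell} (z + w_i), degree q-1
    Q = eval_from_powers(f, powers)                      # Q = f(a) P, needs a^0 P ... a^(q-1) P
    assert Q != 0, "f(a) = 0: a collides with some -w_i, retry with other randomness"
    X = eval_from_powers([0] + f, powers)                # X = a f(a) P = aQ, needs a^q P
    Q_pub = (-X - e_ell * Q) % p                         # Q_pub = -X - e_ell Q = (-a - e_ell) Q
    s = (-a - e_ell) % p                                 # implicit master key, for checking only
    pairs = {}
    for i in w:
        f_i = expand(v for k, v in w.items() if k != i)  # f_i(z) = f(z) / (z + w_i)
        V_i = eval_from_powers(f_i, powers)              # V_i = f_i(a) P = Q / (a + w_i)
        pairs[i] = (e[i], (-V_i) % p)                    # e_i + s = -(a + w_i), so -V_i = Q / (e_i + s)
    return {"Q": Q, "X": X, "Q_pub": Q_pub, "s": s, "e_ell": e_ell, "e": e, "pairs": pairs}


def pairs_are_valid(sim):
    """(e_i + s) * (-V_i) == Q for every known pair, i.e. -V_i is ID_i's partial private key."""
    return all(((e_i + sim["s"]) * neg_v) % p == sim["Q"] for e_i, neg_v in sim["pairs"].values())


def params_are_consistent(sim, a):
    """X = aQ and Q_pub = sQ, exactly as the proof claims."""
    return sim["X"] == (a * sim["Q"]) % p and sim["Q_pub"] == (sim["s"] * sim["Q"]) % p


if __name__ == "__main__":
    sim = prepare(a=12345, q=6, ell=3, seed=1)
    print("known pairs for indexes:", sorted(sim["pairs"]))   # every index except ell = 3
    print("pairs valid:", pairs_are_valid(sim))
    print("params consistent:", params_are_consistent(sim, 12345))
```

The one pair $C$ cannot build is index $\ell$: its partial key $\frac{1}{e_\ell + s}Q = -\frac{1}{a}Q$ is exactly the q-BDHI target, which is why the simulation aborts on any key query for $ID_\ell$.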
Phase 1 $C$ simulates $A_I$'s challenger in Game-I. $C$ keeps four lists $L_1$, $L_2$, $L_3$ and $L_4$ to simulate the oracles $H_1$, $H_2$, $H_3$ and $H_4$, respectively. $C$ should maintain consistency and avoid collisions in these answers. In addition, $C$ maintains a list $L_k$, initially empty, to keep the public key information. We assume that the $H_1$ queries are distinct, that $A_I$ will ask $H_1(ID)$ before $ID$ is used in the other queries, and that the target identity $ID_B$ is submitted to $H_1$ at some point. In addition, we suppose that the sender's identity is different from the receiver's identity by the irreflexivity assumption [10].
• $H_1$ queries: These queries are indexed by a counter $\mu$ that is initially set to 1. For an $H_1(ID_\mu)$ query, $C$ returns $e_\mu$ as the answer, inserts $(ID_\mu, e_\mu)$ into the list $L_1$ and increments $\mu$.
• $H_2$ queries: For an $H_2(PK_i)$ query, $C$ checks whether the value of $H_2$ has been defined for $PK_i$. If yes, $C$ returns the previously defined value. Otherwise, $C$ returns a random $h_{2,i} \in \mathbb{Z}_p^*$ to $A_I$ and inserts $(PK_i, h_{2,i})$ into the list $L_2$.
• $H_3$ queries: For an $H_3(r_i)$ query, $C$ checks whether the value of $H_3$ has been defined for the same input. If yes, $C$ returns the previously defined value. Otherwise, $C$ returns a random $h_{3,i} \in \{0,1\}^n$ to $A_I$ and inserts $(r_i, h_{3,i})$ into the list $L_3$.
• $H_4$ queries: For an $H_4(m_i, ID_i, PK_i, r_i, S'_i)$ query, $C$ checks whether the value of $H_4$ has been defined for the same input. If yes, $C$ returns the previously defined value. Otherwise, $C$ returns a random $h_{4,i} \in \mathbb{Z}_p^*$ to $A_I$. In addition, to answer the following queries, $C$ simulates the $H_3$ oracle to get $h_{3,i} = H_3(r_i) \in \{0,1\}^n$ and sets $c_i = m_i \oplus h_{3,i}$ and $\nu_i = r_i \cdot \hat{e}(Q, Q)^{h_{4,i}}$. Finally, $C$ inserts the tuple $(m_i, ID_i, PK_i, r_i, S'_i, h_{4,i}, c_i, \nu_i)$ into the list $L_4$.
• Partial private key extraction queries: $A_I$ can ask a partial private key extraction query by submitting an identity $ID_i$. If $i = \ell$, then $C$ fails and stops. Otherwise, $C$ knows that $H_1(ID_i) = e_i$ and returns $-V_i = \frac{1}{e_i + s}Q$ to $A_I$.
• Private key queries: $A_I$ can ask a private key query by submitting an identity $ID_i$. If $i = \ell$, then $C$ fails and stops. Otherwise, $C$ knows the partial private key $-V_i = \frac{1}{e_i + s}Q$. Then $C$ searches the list $L_k$ for the entry $(ID_i, PK_i, x_i)$ ($C$ generates new key pair information if this entry does not exist) and returns $S_i = -\frac{1}{x_i + h_{2,i}}V_i$.
• Public key queries: $A_I$ chooses an identity $ID_i$ and sends it to $C$. If the list $L_k$ has a tuple $(ID_i, PK_i, x_i)$, then $C$ gives $PK_i$ to $A_I$. Otherwise, $C$ selects a random number $x_i \in \mathbb{Z}_p^*$, sets $PK_i = x_i(e_iQ + Q_{pub})$, inserts $(ID_i, PK_i, x_i)$ into the list $L_k$, and gives $PK_i$ to $A_I$.
• Public key replacement queries: For a public key replacement query for $(ID_i, PK_i)$, $C$ updates the list $L_k$ with the tuple $(ID_i, PK_i, \perp)$. Here $\perp$ denotes an unknown value.
• Signcryption queries: $A_I$ can ask a signcryption query by submitting a message $m$, a sender's identity $ID_i$ and a receiver's identity $ID_j$. If $i \neq \ell$, $C$ knows the sender's private key $S_i$ and can answer this query according to the steps of the OffSC and OnSC algorithms. If $i = \ell$, then $j \neq \ell$ by the irreflexivity assumption [10], so $C$ knows the receiver's private key $S_j$. To answer this query, $C$ first randomly chooses $\eta, \gamma, h \in \mathbb{Z}_p^*$, computes $S' = \eta^{-1}\gamma S_j$, $T = \gamma(PK_\ell + h_{2,\ell}(e_\ell Q + Q_{pub})) - h(PK_j + h_{2,j}(e_jQ + Q_{pub}))$ and $r = \hat{e}(T, S_j)$. Then $C$ defines the hash value $H_4(m, ID_\ell, PK_\ell, r, S')$ to be $h$. Finally, $C$ computes $c = m \oplus H_3(r)$ and returns $\sigma = (c, \eta, S', T)$ to $A_I$. $C$ fails if $H_4$ is already defined on this input, but this only happens with probability $(q_s + q_{H_4})/2^k$.
• Unsigncryption queries: $A_I$ can ask an unsigncryption query by submitting a ciphertext $\sigma = (c, \eta, S', T)$, a sender's identity $ID_i$ and a receiver's identity $ID_j$. If $j \neq \ell$, $C$ knows the receiver's private key $S_j$ and can answer this query according to the steps of the USC algorithm. If $j = \ell$, $C$ knows the sender's private key $S_i$, since $i \neq \ell$ by the irreflexivity assumption [10]. For all valid ciphertexts, we have $\log_{S_i}(\eta S' - hS_i) = \log_{PK_\ell + h_{2,\ell}(e_\ell Q + Q_{pub})} T$, where $h = H_4(m, ID_i, PK_i, r, S')$. So the equation $\hat{e}(T, S_i) = \hat{e}(PK_\ell + h_{2,\ell}(e_\ell Q + Q_{pub}), \eta S' - hS_i)$ holds. $C$ first computes $\nu = \hat{e}(\eta S', PK_i + h_{2,i}(e_iQ + Q_{pub}))$ and then searches the list $L_4$ for entries of the form $(m_i, ID_i, PK_i, r_i, S'_i, h_{4,i}, c, \nu)$ indexed by $i \in \{1, \ldots, q_{H_4}\}$. If there is no such entry, $\sigma$ is rejected. Otherwise, $C$ further checks whether the equation $\hat{e}(T, S_i) = \hat{e}(PK_\ell + h_{2,\ell}(e_\ell Q + Q_{pub}), \eta S' - h_{4,i}S_i)$ holds for the corresponding indexes. If the unique $i \in \{1, \ldots, q_{H_4}\}$ that satisfies this equation is found, $C$ returns the matching message $m_i$. Otherwise, $\sigma$ is also rejected. Over all unsigncryption queries, the probability of rejecting a valid ciphertext is at most $q_u/2^k$.
Challenge $A_I$ generates two equal-length messages $(m_0, m_1)$, a sender's identity $ID_A$ and a receiver's identity $ID_B$ on which it hopes to be challenged. If $ID_B \neq ID_\ell$, $C$ fails. Otherwise, $C$ chooses $c^* \in \{0,1\}^n$, $\kappa, \eta^* \in \mathbb{Z}_p^*$ and $S'^* \in G_1$ randomly and sets $T^* = -\kappa x_B Q - \kappa h_{2,B}Q$. $C$ returns the ciphertext $\sigma^* = (c^*, \eta^*, S'^*, T^*)$ to $A_I$. If we define $\theta = \kappa/a$ and since $s = -a - e_\ell$, we have $A_I$ cannot detect that $\sigma^*$ is not a valid ciphertext unless it asks an $H_3$ or $H_4$ query on $\hat{e}(Q, Q)^\theta$.
Phase 2 $A_I$ can ask a polynomially bounded number of queries adaptively again as in phase 1, with the following limitations: (1) it cannot ask a private key query on $ID_B$; (2) it cannot ask a partial private key extraction query on $ID_B$ if the public key of $ID_B$ has been replaced before the challenge phase; (3) it cannot ask an unsigncryption query on $(\sigma^*, ID_A, ID_B)$ to obtain the corresponding message unless the public key $PK_A$ or $PK_B$ has been replaced after the challenge phase. $C$ answers $A_I$'s queries by the same method as in phase 1.
Guess $A_I$ outputs a guess bit $b'$, which is ignored by $C$. $C$ fetches a random entry $(r_i, h_{3,i})$ from the list $L_3$ or $(m_i, ID_i, PK_i, r_i, S'_i, h_{4,i}, c_i, \nu_i)$ from the list $L_4$. Since $L_3$ contains no more than $q_{H_3} + q_{H_4}$ records, the selected entry will contain the correct element $r_i = \hat{e}(Q, Q)^\theta = \hat{e}(P, P)^{f(a)^2\kappa/a}$ with probability $1/(q_{H_3} + 2q_{H_4})$. As in [12], the q-BDHI problem can be solved by noting that, if $\nu^* = \hat{e}(P, P)^{1/a}$, then
$$\hat{e}(Q, Q)^{1/a} = (\nu^*)^{c_0^2} \cdot \hat{e}\Big(\sum_{j=0}^{q-2} c_{j+1}(a^jP),\ c_0P\Big) \cdot \hat{e}\Big(Q,\ \sum_{j=0}^{q-2} c_{j+1}(a^jP)\Big).$$
This finishes the description of the whole simulation. Now we analyze $C$'s advantage. Define the events $E_1$, $E_2$, $E_3$, $E_4$ and $E_5$ as follows.
$E_1$: $A_I$ has not chosen $ID_\ell$ as the receiver's identity in the challenge phase.
$E_2$: $A_I$ has asked a private key query on $ID_\ell$.
$E_3$: $A_I$ has asked a partial private key extraction query on $ID_\ell$ and the public key of $ID_\ell$ has been replaced before the challenge phase.
$E_4$: $C$ aborts in a signcryption query because of a collision on $H_4$.
$E_5$: $C$ aborts in an unsigncryption query because of rejecting a valid ciphertext.
According to the above analysis, the probability of $C$ not aborting is $\Pr[\neg\text{abort}] = \Pr[\neg E_1 \wedge \neg E_2 \wedge \neg E_3 \wedge \neg E_4 \wedge \neg E_5]$. We know that $\Pr[\neg E_1] = 1/q_{H_1}$, $\Pr[E_4] \le q_s(q_s + q_{H_4})/2^k$ and $\Pr[E_5] \le q_u/2^k$. In addition, $\neg E_1$ implies $\neg E_2$ and $\neg E_3$. So we have In addition, $C$ chooses the correct element from the list $L_3$ or $L_4$ with probability $1/(q_{H_3} + 2q_{H_4})$. Therefore, we have The bound on $C$'s computation time follows from the fact that $C$ needs $O(q_{H_1}^2)$ point multiplication operations in $G_1$ in the preparation phase, $O(q_s + q_u)$ pairing operations and $O(q_uq_{H_4})$ exponentiation operations in $G_2$ in the signcryption and unsigncryption queries. □

Lemma 2
In the random oracle model, if there is an adversary $\mathcal{A}_{II}$ that has a non-negligible advantage against the IND-CCA2-II security of our scheme when running in a time $t$ and performing $q_{sk}$ private key queries, $q_{pk}$ public key queries, $q_s$ signcryption queries, $q_u$ unsigncryption queries and $q_{H_i}$ queries to the oracles $H_i$ ($i = 1, 2, 3, 4$), then we can construct an algorithm $\mathcal{C}$ that solves the mBIDH problem with an advantage in a time $t' \le t + O(q_s + q_u)t_p + O(q_u q_{H_4})t_e$, where $t_p$ is the cost of one pairing operation and $t_e$ is the cost of one exponentiation in $G_2$.
Proof We show how $\mathcal{C}$ can use $\mathcal{A}_{II}$ as a subroutine to solve a random instance $(P, aP, c)$ of the mBIDH problem. Initial $\mathcal{C}$ gives $\mathcal{A}_{II}$ a master secret key $s$ and the system parameters params with $P_{pub} = sP$, where $s$ is randomly chosen by $\mathcal{C}$.
Phase 1 $\mathcal{C}$ simulates $\mathcal{A}_{II}$'s challenger in Game-II. $\mathcal{C}$ maintains four lists $L_1$, $L_2$, $L_3$ and $L_4$ to simulate the oracles $H_1$, $H_2$, $H_3$ and $H_4$, respectively. $\mathcal{C}$ must keep these answers consistent and collision-free. In addition, $\mathcal{C}$ keeps a list $L_k$, initially empty, to maintain the public key information. We suppose that the $H_1$ queries are distinct and that $\mathcal{A}_{II}$ asks $H_1(ID)$ before $ID$ is used in any other query. In addition, we suppose that the sender's identity differs from the receiver's identity by the irreflexivity assumption [10]. $\mathcal{C}$ chooses a random number $\ell \in \{1, 2, \ldots, q_{H_1}\}$ and answers $\mathcal{A}_{II}$'s queries as follows.
• $H_1$ queries: For each new $ID_i$, $\mathcal{C}$ randomly selects $e_i \in \mathbb{Z}_p^*$, inserts $(ID_i, e_i)$ into the list $L_1$ and answers
• $H_2$ queries: For an $H_2(PK_i)$ query, $\mathcal{C}$ checks whether the value of $H_2$ has already been defined for the same input. If yes, $\mathcal{C}$ returns the previously defined value. Otherwise, $\mathcal{C}$ checks whether $PK_i = e_i aP + saP$ (i.e., $i = \ell$). If yes, $\mathcal{C}$ returns $h_{2,\ell} = c$ and inserts $(PK_\ell, c)$ into the list $L_2$. If no, $\mathcal{C}$ selects a random $h_{2,i}$ from $\mathbb{Z}_p^*$, returns $h_{2,i}$ as the answer and inserts $(PK_i, h_{2,i})$ into the list $L_2$.
• $H_3$ queries: For an $H_3(r_i)$ query, $\mathcal{C}$ checks whether the value of $H_3$ has already been defined for the same input. If yes, $\mathcal{C}$ returns the previously defined value. Otherwise, $\mathcal{C}$ selects a random $h_{3,i}$ from $\{0,1\}^n$, returns $h_{3,i}$ as the answer and inserts $(r_i, h_{3,i})$ into the list $L_3$.
• $H_4$ queries: For an $H_4(m_i, ID_i, PK_i, r_i, S'_i)$ query, $\mathcal{C}$ checks whether the value of $H_4$ has already been defined for the same input. If yes, $\mathcal{C}$ gives the previously defined value. Otherwise, $\mathcal{C}$ returns a random $h_{4,i} \in \mathbb{Z}_p^*$ as the answer. In addition, to answer the later queries, $\mathcal{C}$ simulates the $H_3$ oracle on its own to get $h_{3,i} = H_3(r_i) \in \{0,1\}^n$ and computes $c_i = m_i \oplus h_{3,i}$ and $\nu_i = r_i \cdot \hat{e}(P,P)^{h_{4,i}}$. Lastly, $\mathcal{C}$ inserts the tuple $(m_i, ID_i, PK_i, r_i, S'_i, h_{4,i}, c_i, \nu_i)$ into the list $L_4$.
• Private key queries: $\mathcal{A}_{II}$ can ask a private key query by submitting an identity $ID_i$. If $i = \ell$, then $\mathcal{C}$ fails and stops. Otherwise, $\mathcal{C}$ runs the $H_1$ oracle to get $(ID_i, e_i)$. Then $\mathcal{C}$ searches the list $L_k$ for the entry $(ID_i, PK_i, x_i)$ ($\mathcal{C}$ generates new key pair information if this entry does not exist) and returns
Here $h_{2,i} = H_2(PK_i)$.
• Public key queries: $\mathcal{A}_{II}$ can ask a public key query by submitting an identity $ID_i$. If $i \ne \ell$, $\mathcal{C}$ selects a random $x_i \in \mathbb{Z}_p^*$, sets the public key $PK_i = x_i(e_iP + P_{pub})$, inserts $(ID_i, PK_i, x_i)$ into the list $L_k$ and returns $PK_i$ to $\mathcal{A}_{II}$. Otherwise, $\mathcal{C}$ returns $PK_\ell = e_\ell aP + saP$ and inserts $(ID_\ell, PK_\ell, \bot)$ into the list $L_k$.
• Signcryption queries: $\mathcal{A}_{II}$ can ask a signcryption query by submitting a message $m$, a sender's identity $ID_i$ and a receiver's identity $ID_j$. If $i \ne \ell$, $\mathcal{C}$ knows the sender's private key $S_i$ and can answer this query by following the steps of the OffSC and OnSC algorithms. If $i = \ell$, then $j \ne \ell$ by the irreflexivity assumption, so $\mathcal{C}$ knows the receiver's private key $S_j$. To answer this query, $\mathcal{C}$ first randomly chooses $\eta, \gamma, h \in \mathbb{Z}_p^*$ and computes
where $h = H_4(m, ID_i, PK_i, r, S')$. Therefore, we have $\hat{e}(T, S_i) = \hat{e}\big(PK_\ell + h_{2,\ell}(e_\ell P + P_{pub}),\ \eta S' - hS_i\big)$.
• Unsigncryption queries: $\mathcal{C}$ first computes $\nu = \hat{e}\big(hS',\ PK_i + h_{2,i}(e_iP + P_{pub})\big)$ and then searches the list $L_4$ for entries of the form $(m_i, ID_i, PK_i, r_i, S'_i, h_{4,i}, c, \nu)$ indexed by $i \in \{1, \ldots, q_{H_4}\}$. If there is no such entry, $\sigma$ is rejected. Otherwise, $\mathcal{C}$ further checks whether the following equation holds for the corresponding indexes
If the unique $i \in \{1, \ldots, q_{H_4}\}$ that satisfies the above equation is found, then $\mathcal{C}$ returns the matching message $m_i$. Otherwise, $\sigma$ is also rejected. Over all unsigncryption queries, the probability of rejecting a valid ciphertext is at most $q_u/2^k$.
Challenge $\mathcal{A}_{II}$ generates two equal-length messages $(m_0, m_1)$, a sender's identity $ID_A$ and a receiver's identity $ID_B$ on which it wishes to be challenged. If $ID_B \ne ID_\ell$, $\mathcal{C}$ fails. Otherwise, $\mathcal{C}$ randomly chooses $c^* \in \{0,1\}^n$, $k, h^* \in \mathbb{Z}_p^*$, $S'^* \in G_1$ and sets $T^* = kP$. $\mathcal{C}$ returns the ciphertext $\sigma^* = (c^*, h^*, S'^*, T^*)$ to $\mathcal{A}_{II}$. $\mathcal{A}_{II}$ cannot tell that $\sigma^*$ is not a valid ciphertext unless it makes an $H_3$ or $H_4$ query on $\hat{e}(T^*, S_B)$.
Phase 2 $\mathcal{A}_{II}$ can again ask a polynomially bounded number of queries adaptively, as in Phase 1, with the limitations that (1) it cannot ask a private key query on $ID_B$ and (2) it cannot ask an unsigncryption query on $(\sigma^*, ID_A, ID_B)$ to obtain the corresponding message. $\mathcal{C}$ answers $\mathcal{A}_{II}$'s queries in the same way as in Phase 1.
Guess $\mathcal{A}_{II}$ produces a bit $b'$, which is ignored by $\mathcal{C}$. $\mathcal{C}$ fetches a random entry $(r_i, h_{3,i})$ from the list $L_3$ or $(m_i, ID_i, PK_i, r_i, S'_i, h_{4,i}, c_i, \nu_i)$ from the list $L_4$. Since the list $L_3$ includes no more than $q_{H_3} + q_{H_4}$ records, the chosen entry will contain the right element $r_i = \hat{e}(T^*, S_B)$ with probability $1/(q_{H_3} + 2q_{H_4})$. The mBIDH problem can be solved by noting that, if
This finishes the description of the whole simulation. Now we analyze $\mathcal{C}$'s advantage. Define the events $E_1$, $E_2$, $E_3$ and $E_4$ as follows.
$E_1$: $\mathcal{A}_{II}$ does not select $ID_\ell$ as the receiver's identity in the challenge phase.
$E_2$: $\mathcal{A}_{II}$ has asked a private key query on the identity $ID_\ell$.
$E_3$: $\mathcal{C}$ aborts in a signcryption query because of a collision on $H_4$.
$E_4$: $\mathcal{C}$ aborts in an unsigncryption query because of rejecting a valid ciphertext.
According to the above analysis, the probability that $\mathcal{C}$ does not abort is $\Pr[\neg\mathrm{abort}] = \Pr[\neg E_1 \wedge \neg E_2 \wedge \neg E_3 \wedge \neg E_4]$. We know that $\Pr[\neg E_1] = 1/q_{H_1}$, $\Pr[E_3] \le q_s(q_s + q_{H_4})/2^k$ and $\Pr[E_4] \le q_u/2^k$. In addition, $\neg E_1$ implies $\neg E_2$. So we have
In addition, $\mathcal{C}$ chooses the correct element from the list $L_3$ or $L_4$ with probability $1/(q_{H_3} + 2q_{H_4})$. Therefore, we have
The bound on $\mathcal{C}$'s computation time is obtained from the fact that $\mathcal{C}$ needs $O(q_s + q_u)$ pairing operations and $O(q_u q_{H_4})$ exponentiation operations in $G_2$ in the signcryption and unsigncryption queries. □

Theorem 2
In the random oracle model, our scheme is EUF-CMA secure under the q-SDH and mICDH assumptions.
Proof This proof is similar to the proof of Theorem 1. We can show that a forger in the EUF-CMA game implies a forger under chosen-message and given-identity attacks. By using the forking lemma [28] and the relationship between given-identity attacks and chosen-identity attacks [29], we can easily complete this proof. □

Performance
In this section, we compare the computational cost, offline storage, ciphertext size, private key size and security of our scheme with those of LTX [5] and LZZ [7] in Table 1. We denote by M the point multiplication in $G_1$, by E the exponentiation in $G_2$ and by P the pairing computation. The other operations are ignored in Table 1 since these three operations take most of the running time of the whole algorithm. $|x|$ denotes the number of bits of $x$. From Table 1, we know that both LTX and LZZ need one point multiplication in the OnSC algorithm. However, our scheme does not need any point multiplication, exponentiation or pairing operation in the OnSC algorithm. In addition, our scheme has a lower computational cost than LTX and LZZ in the USC algorithm. For the OffSC algorithm, the computational cost of our scheme is slightly higher than that of LTX and lower than that of LZZ. For the offline storage, our scheme is slightly larger than LTX and smaller than LZZ. For the ciphertext size and private key size, our scheme is the shortest among the three schemes. Note that LTX was shown to be insecure in [6].
We give a quantitative analysis of offline storage, ciphertext size and private key size. We use the PBC Type A pairing [30] in this analysis. The Type A pairing is constructed on the curve $y^2 = (x^3 + x) \bmod q$ for some prime $q \equiv 3 \pmod 4$, where the embedding degree is 2 and the order of $G_1$ is $p$. In this analysis, we use three kinds of parameters that represent the 80-bit, 112-bit and 128-bit AES [31] key size security levels, respectively. Table 2 gives the specification for the different security levels of this analysis.
We summarize the offline storage, ciphertext size and private key size of the three schemes at the different security levels in Figs. 2, 3 and 4, respectively.

Application
In this section, we give an application of our scheme in the IoT. Wireless sensor networks (WSNs) are an important part of the IoT since WSNs take charge of collecting environmental data for the IoT. A WSN is composed of a large number of tiny sensor nodes and one or more base stations [33,34]. The base station acts as a gateway between the sensor nodes and users since it typically forwards data from the WSN to an Internet server. This communication from the WSN to the server should satisfy confidentiality, authentication, integrity, and non-repudiation. Without confidentiality, the data may be disclosed to an adversary. Without authentication, the server cannot use the data since the data may not be trustworthy: an adversary can send wrong data to the server. Without an integrity check, an adversary can modify the transmitted data. Without non-repudiation, the WSN may deny having sent the data when a dispute happens.
Fig. 5 shows a secure communication model for the IoT using our scheme. This model consists of three main entities: the WSN, a service provider (SP) and an Internet server. The SP acts as the KGC in the CLC. That is, the SP first runs the Setup algorithm to set up the system parameters. Then the SP runs the PPKE algorithm to generate the partial private keys for the base station and the server. The base station and the server run the UKG algorithm to generate their secret values and public keys. In addition, the base station and the server run the FPKS algorithm to obtain their full private keys. The base station is loaded with the precomputed result $d$ from the OffSC algorithm. When the WSN is required to send data to the server, the base station runs the OnSC algorithm and sends the ciphertext $\sigma = (c, h, S', T)$ to the server. On receiving $\sigma$, the server runs the USC algorithm to recover the data $m$ and verify its validity. In this communication, confidentiality, authentication, integrity, and non-repudiation are achieved simultaneously.
The computational cost of the base station is very small since there is no point multiplication, exponentiation or pairing operation in the OnSC algorithm. If the data are large, we can also use a hybrid encryption method [16]. That is, we compute $c = E_{H_3(r)}(m)$ instead of $c = m \oplus H_3(r)$. Here $E$ is the encryption algorithm of a symmetric cipher (such as AES [31]) and $H_3(r)$ is the session key. Such a modification does not affect the security and efficiency of our scheme.
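As an added example in Go (not code from the paper), the two forms of the encryption step side by side: the basic form $c = m \oplus H_3(r)$, which is only defined for an $n$-bit message, and the hybrid form $c = E_{H_3(r)}(m)$ with AES-256-GCM as the symmetric cipher $E$, which handles data of any length. Two assumptions: $H_3$ is modelled by SHA-256 (so $n = 256$), and the $G_2$ element $r = \hat{e}(T, S_B)$ arrives already encoded as bytes, since computing it is the pairing library's job and is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// H3 stands in for the random oracle H_3 : G_2 -> {0,1}^n (n = 256); SHA-256 over the encoded element r is an assumption here, the paper fixes no hash.
func H3(r []byte) []byte { s := sha256.Sum256(r); return s[:] }

// XorEncrypt is the basic form c = m XOR H_3(r); it is only defined for |m| = n bits, so the length is checked rather than truncating m or reusing key bits. Applying it again recovers m.
func XorEncrypt(r, m []byte) ([]byte, error) {
	k := H3(r)
	if len(m) != len(k) {
		return nil, errors.New("xor form needs |m| = n bits")
	}
	c := make([]byte, len(m))
	for i := range m { c[i] = m[i] ^ k[i] }
	return c, nil
}

// sessionCipher builds E keyed with the session key H_3(r); AES-256-GCM is this example's choice for E (the paper only says "such as AES"), and a 32-byte key makes both constructors infallible.
func sessionCipher(r []byte) cipher.AEAD {
	block, _ := aes.NewCipher(H3(r))
	aead, _ := cipher.NewGCM(block)
	return aead
}

// HybridEncrypt is the hybrid form c = E_{H_3(r)}(m) for a message of any length; a fresh random nonce is prepended so the server can decrypt.
func HybridEncrypt(r, m []byte) ([]byte, error) {
	aead := sessionCipher(r)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, m, nil), nil
}

// HybridDecrypt recovers m from c; a wrong r (hence a wrong session key) or a modified c fails to open.
func HybridDecrypt(r, c []byte) ([]byte, error) {
	aead := sessionCipher(r)
	ns := aead.NonceSize()
	if len(c) < ns {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return aead.Open(nil, c[:ns], c[ns:], nil)
}
```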

Conclusion
[Fig. 4 The private key size (bytes) of the three schemes: LTX, LZZ, Ours]

In this paper, we proposed a new certificateless online/offline signcryption scheme and proved its security in the random oracle model. Compared with two existing certificateless online/offline signcryption schemes, our scheme does not require any point multiplication operation in the online phase. This characteristic makes our scheme very suitable for resource-constrained devices. We gave an application of our scheme in the Internet of Things. A weakness of our scheme is that the receiver's identity is required in the offline phase. An interesting open problem is to find a certificateless online/offline signcryption scheme that needs neither the receiver's identity in the offline phase nor any point multiplication operation in the online phase.