Quantum Attack-Resistent Certificateless Multi-Receiver Signcryption Scheme

The existing certificateless signcryption schemes were designed mainly based on the traditional public key cryptography, in which the security relies on the hard problems, such as factor decomposition and discrete logarithm. However, these problems will be easily solved by the quantum computing. So the existing certificateless signcryption schemes are vulnerable to the quantum attack. Multivariate public key cryptography (MPKC), which can resist the quantum attack, is one of the alternative solutions to guarantee the security of communications in the post-quantum age. Motivated by these concerns, we proposed a new construction of the certificateless multi-receiver signcryption scheme (CLMSC) based on MPKC. The new scheme inherits the security of MPKC, which can withstand the quantum attack. Multivariate quadratic polynomial operations, which have lower computation complexity than bilinear pairing operations, are employed in signcrypting a message for a certain number of receivers in our scheme. Security analysis shows that our scheme is a secure MPKC-based scheme. We proved its security under the hardness of the Multivariate Quadratic (MQ) problem and its unforgeability under the Isomorphism of Polynomials (IP) assumption in the random oracle model. The analysis results show that our scheme also has the security properties of non-repudiation, perfect forward secrecy, perfect backward secrecy and public verifiability. Compared with the existing schemes in terms of computation complexity and ciphertext length, our scheme is more efficient, which makes it suitable for terminals with low computation capacity like smart cards.


Introduction
Signcryption is a cryptographic primitive that provides both signature and encryption simultaneously to sensitive information at a lower computation and communication overhead than the traditional signature-then-encryption approach [1]. In terms of the implementation method, there are two kinds of signcryption schemes. One is based on traditional public key infrastructure [2], which causes the costly certificate management problem; the other is based on identity-based public key cryptography [3], which avoids the certificate management, but induces the key escrow problem.
In 2003, Al-Riyami et al. [4] proposed the certificateless cryptosystem (CLC). In their certificateless cryptosystem, a user's secret key is derived from two parts: one is an identity-based secret key generated by Key Generation Center (KGC) and the other is a self-generated secret key. Thus CLC solves the key escrow problem as well as the certificate management problem, and it also reduces the implementation complexity of the cryptosystem. In 2008, Barbosa et al. [5] first proposed the certificateless signcryption scheme (CLSC) based on bilinear pairing operations. However, they did not give the security proof of their scheme. Since then, certificateless signcryption schemes [6][7] have been studied extensively. In 2010, Li et al. proposed another CLSC [8] and proved its security formally. However, these schemes [5][6][7][8] are inefficient in computation because they use the bilinear pairing operation, a quite complex computation. Selvi et al. [9] and Jing et al. [10] constructed an efficient CLSC based on the CDH (Computational Diffie-Hellman) problem without bilinear pairing operations, respectively. At the same time, they proved their schemes' security in the random oracle model. However, their schemes are only single-receiver ones. If there are multiple receivers at the same time, these schemes need to signcrypt the same message for each receiver separately, so they are very inefficient for the multi-receiver scenario. In order to improve the efficiency of signcryption in the multi-receiver setting, Selvi et al. [11] proposed the certificateless multi-receiver signcryption scheme (CLMSC), and this scheme only needs two bilinear pairing operations and (t+2) exponentiation operations (t denotes the number of the receivers) in the signcryption and designcryption phases. However, they found that this scheme cannot resist the forgery attack and then presented an enhanced scheme [12] later. But Miao et al. [13] showed that the enhanced scheme is still insecure against the internal attack and provided a detailed security analysis.
To date, the implementations of almost all certificateless signcryption schemes [5][6][7][8][9][10][11][12][13] are based on traditional public key cryptosystems, in which the security mainly relies on the hard problems, such as factor decomposition and discrete logarithm. However, in 1994, Shor [14] proposed a polynomial-time quantum algorithm that can successfully factor large integers, which shows that quantum computing has brought a potential challenge to these hard mathematical problems. Once quantum computers are developed successfully, they will pose a fatal threat to the security of almost all certificateless signcryption schemes which are based on public key cryptosystems such as RSA, ElGamal and ECC. So it is more and more urgent to design a certificateless signcryption scheme that can resist quantum attack. Multivariate public key cryptography (MPKC), which can resist quantum attack, is one of the alternative solutions to guarantee the security of communications in the post-quantum age. The security of MPKC is based on the Multivariate Quadratic (MQ) problem and the Isomorphism of Polynomials (IP) problem. Compared with identity-based cryptography, MPKC has lower calculation complexity and is higher in efficiency, which makes MPKC well suited to implementing strongly secure communications for low-end devices. The MPKC-based schemes have been studied widely, and several excellent schemes have been proposed. For example, SFLASH, a signature scheme based on MPKC, has been recommended by the NESSIE European Consortium since 2003 as the best known solution for implementation on low-cost smart cards [15].
Our contribution. Motivated by these concerns, we employ MPKC to construct an efficient quantum attack-resistant certificateless multi-receiver signcryption scheme, which combines the certificateless cryptosystem and MPKC. The new scheme not only has the advantage of the certificateless cryptosystem, which avoids the problem of key management, but also resists quantum attack only with light-weight computation like the multivariate quadratic polynomial operations. In our scheme, multivariate quadratic polynomial operations, which have lower computation complexity than bilinear pairing operations, are employed in signcrypting a message for a certain number of receivers. Therefore, our scheme is more efficient than the existing CLMSC schemes, and it is suitable for mobile terminals with low computing power. Security analysis shows that our scheme is a secure MPKC-based multi-receiver signcryption scheme, and it also has the important security properties such as message confidentiality, unforgeability, non-repudiation, perfect forward secrecy, perfect backward secrecy and public verifiability.

MQ Problem and IP Problem
In this section, we shall briefly recall some basic concepts of MPKC including multivariate polynomial equations, the MQ problem and the IP problem.
Let G be a finite field of prime order p. Let n be the number of variables, namely $x_1, x_2, \ldots, x_n$, in the multivariate polynomial equation, g be the number of the multivariate polynomial equations, and d be the degree of the multivariate polynomial equations.
A tuple of multivariate quadratic polynomials consists of a finite ordered set of polynomials of the following form: where i = 1, 2, …, g, and $x_j, x_k \in G$, and the coefficients $\{a_{ijk}, b_{ij}, c_i\}$ are over G [16]. Then, the MQ problem can be described as follows:
Definition 1. (MQ). Given a tuple $P = (p_1, p_2, \ldots, p_g)$ of g multivariate quadratic polynomials with n unknowns defined over G, and the image $y = (p_1(z), p_2(z), \ldots, p_g(z))$ of an element z randomly chosen from $G^n$ ($G^n$ denotes the nth extension of G), the problem of finding an element x of $G^n$ such that $y = (p_1(x), p_2(x), \ldots, p_g(x))$ is called the MQ problem [16].
Solving a set of randomly chosen quadratic equations with several variables over a finite field is considered as an NP hard problem [17].
Definition 2. (IP). Let P and Q be two public sets of n quadratic equations with n variables over G. If P and Q are isomorphic, then $P = T \circ Q \circ V$ ($\circ$ denotes composition of mappings), where T and V are two invertible affine transformations on $G^n \to G^n$. Finding (T, V) for P, Q such that $P = T \circ Q \circ V$ is called the IP problem [18].
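The two definitions above at toy size, as an added example that is not code from the paper: it composes a secret quadratic map Q with secret invertible affine maps T and V, expands the composition into the coefficient form that would be published, and solves an MQ instance by exhaustive search over all p^n inputs. The values p = 7, n = 3, the seed, the usual quadratic form with coefficients a, b, c, and every function name are assumptions constructed for illustration.

```python
import itertools
import random

P_FIELD = 7  # field order p (constructed toy value; must be an odd prime here)
N = 3        # n variables and n equations, as in Definition 2

def random_quadratic_map(rng, n, p):
    """n random quadratic polynomials; each is (a, b, c) with a[(j, k)], j <= k."""
    return [({(j, k): rng.randrange(p) for j in range(n) for k in range(j, n)},
             [rng.randrange(p) for _ in range(n)],
             rng.randrange(p)) for _ in range(n)]

def eval_map(polys, x, p):
    """Evaluate sum a_jk x_j x_k + sum b_j x_j + c for every polynomial."""
    return tuple((sum(co * x[j] * x[k] for (j, k), co in a.items())
                  + sum(bj * xj for bj, xj in zip(b, x)) + c) % p
                 for a, b, c in polys)

def is_invertible(m, p):
    """Gaussian elimination mod p; True when the matrix has full rank."""
    m = [row[:] for row in m]
    for col in range(len(m)):
        pivot = next((r for r in range(col, len(m)) if m[r][col]), None)
        if pivot is None:
            return False
        m[col], m[pivot] = m[pivot], m[col]
        inv = pow(m[col][col], -1, p)
        for r in range(col + 1, len(m)):
            f = m[r][col] * inv % p
            m[r] = [(u - f * v) % p for u, v in zip(m[r], m[col])]
    return True

def random_affine(rng, n, p):
    """Random invertible affine transformation x -> M x + v on G^n."""
    while True:
        m = [[rng.randrange(p) for _ in range(n)] for _ in range(n)]
        if is_invertible(m, p):
            return m, [rng.randrange(p) for _ in range(n)]

def apply_affine(aff, x, p):
    m, v = aff
    return tuple((sum(a * b for a, b in zip(row, x)) + c) % p
                 for row, c in zip(m, v))

def compose(t, q, v, p):
    """Return the map x -> T(Q(V(x))), i.e. P = T o Q o V."""
    return lambda x: apply_affine(t, eval_map(q, apply_affine(v, x, p), p), p)

def expand_public_key(f, n, p):
    """Recover the quadratic coefficients of f from its values at 0, +e_j, -e_j, e_j+e_k."""
    def unit(*idx):
        return tuple(1 if i in idx else 0 for i in range(n))
    inv2 = pow(2, -1, p)
    f0 = f(unit())
    polys = []
    for i in range(n):
        c, a, b = f0[i], {}, []
        for j in range(n):
            plus = f(unit(j))[i]
            minus = f(tuple((p - 1) * e for e in unit(j)))[i]
            a[(j, j)] = (plus + minus - 2 * c) * inv2 % p
            b.append((plus - minus) * inv2 % p)
        for j, k in itertools.combinations(range(n), 2):
            a[(j, k)] = (f(unit(j, k))[i] - a[(j, j)] - a[(k, k)]
                         - b[j] - b[k] - c) % p
        polys.append((a, b, c))
    return polys

def brute_force_mq(f, y, n, p):
    """Exhaustive MQ search: every x in G^n with f(x) == y, plus evaluations used."""
    tried, hits = 0, []
    for x in itertools.product(range(p), repeat=n):
        tried += 1
        if f(x) == y:
            hits.append(x)
    return hits, tried

def demo(seed=2013):
    rng = random.Random(seed)
    q = random_quadratic_map(rng, N, P_FIELD)
    t, v = random_affine(rng, N, P_FIELD), random_affine(rng, N, P_FIELD)
    secret_form = compose(t, q, v, P_FIELD)                 # needs (T, Q, V)
    public = expand_public_key(secret_form, N, P_FIELD)     # coefficients only
    z = tuple(rng.randrange(P_FIELD) for _ in range(N))
    y = eval_map(public, z, P_FIELD)                        # MQ instance (P, y)
    hits, tried = brute_force_mq(lambda x: eval_map(public, x, P_FIELD),
                                 y, N, P_FIELD)
    same = all(eval_map(public, x, P_FIELD) == secret_form(x)
               for x in itertools.product(range(P_FIELD), repeat=N))
    return {"public_matches_composition": same, "z": z,
            "solutions": hits, "evaluations": tried}

if __name__ == "__main__":
    print(demo())
```

The search always costs p^n evaluations (343 here), and the returned list may hold preimages other than z, which is why the MQ problem asks for any x with the same image.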

Multivariate Public Key Cryptosystem
In a primitive multivariate public key cryptosystem [19], for a user U with identity $ID_U$, his/her public key is $P_U = T \circ Q \circ V$, and his/her secret key is the 3-tuple P

Framework of CLMSC
A certificateless multi-receiver signcryption scheme consists of five probabilistic polynomial-time algorithms, namely Setup, Partial Key Extract, Key Extract, Signcrypt and De-signcrypt. According to the features of MPKC, we improve the existing CLMSC model, that is, KGC produces the common partial public key and partial secret key in the phase of Partial Key Extract.
• Partial Key Extract: This algorithm is run by KGC. KGC first chooses a random number w as the system master key. Then it takes as input w and params and returns the common partial public key $PP_u$ and partial secret key $PS_u$.
• Key Extract: This algorithm is run by a user U. It takes as input params, $PP_u$, $PS_u$ and an identity $ID_u$ and returns the full public key $PK_u$ and the full secret key $SK_u$ of the user.
• Signcrypt: To securely send a message m to a group of receivers $\{ID_1, ID_2, \ldots, ID_t\}$, the sender S should run this algorithm to signcrypt it first. It takes as input params, a message m, the sender's identity $ID_S$, the full keys $PK_u$ and $SK_u$ of the sender, and lists of the receiver identities and their public keys, and returns a ciphertext s.
• De-signcrypt: This algorithm takes as input a ciphertext s, the receiver's identity $ID_i$, the receiver's full keys $PK_i$ and $SK_i$, the identity $ID_s$ and the public key $PK_s$ of the sender, and returns either a plaintext m or an error symbol $\perp$.

Security Model for CLMSC
Our security model is established based on Selvi et al.'s security model [11]. For a certificateless signcryption scheme, there are two types of attacks corresponding to two types of attackers, namely $A_1$ and $A_2$. In the attack of Type 1, $A_1$ does not have access to the system master key, but he/she has the ability to replace the public key of any user with a value that he/she chooses arbitrarily. $A_2$ has access to the master key, but he/she cannot change the public key of any user.
Definition 3. Confidentiality under the attack of Type 1. A certificateless multi-receiver signcryption scheme is Type-1-CCA2 secure if no probabilistic polynomial-time attacker A has a non-negligible advantage in winning the IND-CLMSC-CCA2-1 game [11].
For A, there are the following constraints. A cannot have access to the master key w. No Extract Secret Key query is allowed on any of the challenge identities. No De-signcrypt query is allowed on the challenge ciphertext.
Definition 4. Confidentiality under the attack of Type 2. A certificateless multi-receiver signcryption scheme is Type-2-CCA2 secure if no probabilistic polynomial-time attacker A has a non-negligible advantage in winning the IND-CLMSC-CCA2-2 game [11].
For A, there are the following constraints. No Extract Secret Key query is allowed on any of the challenge identities. No Replace Public Key query is allowed on any of the challenge identities. No De-signcrypt query is allowed on the challenge ciphertext.
For A, there are the following constraints. A cannot have access to the master key w. No Extract Secret Key query is allowed on any of the challenge identities.
Definition 6. Confidentiality under the attack of Type 2. A certificateless multi-receiver signcryption scheme is Type-2-sEUF-CMA-2 secure if no probabilistic polynomial-time attacker A has a non-negligible advantage in winning the EUF-CLMSC-CMA-2 game [11].
For A, there are the following constraints. No Extract Secret Key query is allowed on any of the challenge identities. No Replace Public Key query is allowed on any of the challenge identities.

Methods
In order to construct our scheme, we employed the Perturbed Matsumoto-Imai-Plus (PMI+) cryptosystem [20], which can resist the linearization attack, rank attacks, and the differential attack and is much faster than RSA and ECC. The new scheme that we proposed consists of five probabilistic polynomial-time algorithms, namely Setup, Partial Key Extract, Key Extract, Signcrypt and De-signcrypt. We shall give a detailed description of the proposed scheme as follows.
Setup. Given a security parameter s as input, KGC returns a big positive integer q and a small positive integer p. Let G be a finite field of order q and characteristic two, and define two noncollision hash functions $H_1: \{0,1\}^* \times \{0,1\}^* \times G^{n+p} \to G^{n+p}$ and $H_2: \{0,1\}^* \times G^n \times G^{n+p} \to \{0,1\}^{l_m}$, where $G^n$ is the nth extension of G and $G^{n+p}$ is the (n+p)th extension of G. The positive integer n is the number of variables in the equation (1) and $l_m$ is the bit length of the message m. Then KGC selects a positive integer g to denote the number of equations. At last, KGC publishes the public parameters params denoted by $(G, g, n, q, p, H_1, H_2)$.
Partial Key Extract.
1) KGC selects a secure MPKC, which is PMI+ in our scheme. The system public key can be expressed as a typical multivariate quadratic system: $\bar{F} = T \circ F \circ V$, where T is a randomly chosen invertible affine transformation on $G^{n+p} \to G^{n+p}$, V is a randomly chosen invertible affine transformation on $G^n \to G^n$, and F is a public set of (n+p) quadratic equations with n variables over G. The system secret key is (T, F, V). For the related parameters, refer to [20].
2) KGC randomly chooses $T_0$ and $V_0$, where $T_0$ is a randomly chosen invertible affine transformation on $G^{n+p} \to G^{n+p}$ and $V_0$ is a randomly chosen invertible affine transformation on $G^n \to G^n$. Then, compute $\bar{F}_0 = T_0 \circ \bar{F} \circ V_0$. $\bar{F}_0$ is the system partial public key, and $(T_0 \circ T, F, V \circ V_0)$ is the system partial secret key. It is worth noting that KGC needs to compute the new system partial secret key when some user drops out of the group.
Key Extract. Each user runs this algorithm to compute his/her full public and secret keys. The user U randomly chooses $T_u$ and $V_u$, where $T_u$ is an invertible affine transformation on $G^{n+p} \to G^{n+p}$ and $V_u$ is an invertible affine transformation on $G^n \to G^n$. Then, compute the public key $F_u$ of user U, that is,
Signcrypt. Suppose that Alice, whose identity is $ID_A$, wants to signcrypt a message m to t different receivers denoted by $L = \{ID_1, ID_2, \ldots, ID_t\}$. Alice performs the following steps:
De-signcrypt. Each receiver $ID_i$, i = 1, 2, …, t, uses his/her secret key to decrypt s.
1) $ID_i$ extracts his/her corresponding ciphertext information $(S, Y, Z, W_i)$ according to his/her position in L.
2) $ID_i$ computes $Y' = F_A(S)$ and checks whether the equation $Y' = Y$ holds. If it holds, $ID_i$ continues to decrypt s as follows; otherwise, $ID_i$ outputs $\perp$.
hold. If both of them hold, output $m = m'$; otherwise, output $\perp$.

Correctness Analysis
Theorem 1. The De-signcrypt algorithm is correct.
Proof. Upon receiving a ciphertext s, each receiver $ID_i$, i = 1, 2, …, t, extracts his/her own corresponding ciphertext information $(S, Y, Z, W_i)$ from s. According to the Signcrypt algorithm, we It is worth noting that only the sender, Alice, can generate the correct Y such that $Y' = Y$ because only she knows her secret key $F_A^{-1}$. The receiver, $ID_i$, can decrypt the ciphertext by computing $F_i^{-1}(W_i) = S' \| X'$ and $m' = Z \oplus H_2(ID_A, S', X')$. $ID_i$ can judge whether $m'$ is correct by checking whether $S = S'$ and $Y' = H_1(m', ID_A, X')$ hold. Note that only $ID_i$ can obtain $m' = Z \oplus H_2(ID_A, S', X')$ correctly because only he/she knows his/her secret key $F_i^{-1}$. Therefore, the De-signcrypt algorithm of our scheme is correct.
2 Security Analysis
2.1 Security of MPKC. In the last twenty years, many MPKC schemes were proposed, and they are mainly based on four basic MPKC schemes including the Matsumoto Imai (MI) cryptosystem, the Hidden Field Equation (HFE) cryptosystem, the Oil Vinegar (OV) cryptosystem and the Stepwise Triangular System [20]. Although most of them have been broken, some variants of the basic MPKC schemes, such as Rainbow and PMI+ [20], have survived known attacks like the linearization equation attack, the rank attack and the differential attack. In 2011, Hashimoto et al. [21] proposed two types of fault attacks which further weaken the security of the MPKC schemes. They detailed the fault attack on the MPKC schemes such as UOV, Rainbow, TTS and HFE, and most of the MPKC schemes were proven insecure. However, the PMI+ cryptosystem is one of the few approved cryptosystems which survived the linearization equation attack, the rank attack, the differential attack and even the fault attacks. PMI+ uses the Plus (+) method of external perturbation to prevent attacks without significantly decreasing the efficiency of the system [20]. So in our work, we used PMI+ which is based on the IP problem to construct our scheme.
Cryptosystems based on the IP problem belong to a major category of MPKC. Faugère et al. [22] gave an upper bound on the theoretical complexity of the ''IP-like'' problem, and presented a new algorithm to solve the IP problem when S and T are linear mappings. Bouillaguet et al. [23] proposed an improved algorithm combining the linear algebra techniques, together with Gröbner bases and statistical tools. To date, the best algorithm for the IP problem is exponential. For the IP problem used in our scheme, the attacking complexity of the best algorithm will be $O(n^{3.5} \cdot q^{n/2})$ [24], where n is the number of variables and q is the cardinality of the finite field. So the IP problem will be computationally hard if we can choose the parameter properly.
With the knowledge of the most efficient attacks on the IP problem, in order to strengthen the security of our scheme, we suggest that the parameters of our scheme should satisfy the following conditions: the transformations T and V should be affine; the polynomials in P and Q should be homogeneous. In our method, for example, if we choose n = 16 and $q = 2^9$, the attacking complexity should be greater than $O(n^{3.5} \cdot q^{n/2}) = 16^{3.5} \cdot (2^9)^{16/2} = 2^{86}$. Usually, it is considered to be a computationally secure MPKC scheme if the attacking complexity is greater than $2^{80}$ [24]. Therefore, our scheme is a secure MPKC-based scheme.
Although we used PMI+ for the construction of the proposed multi-receiver signcryption scheme, there are still some other multivariate cryptosystems suitable for the construction of our scheme, such as the internally perturbed HFE cryptosystem (IPHFE) [25]. Different from PMI+, IPHFE is built by using the idea of internal perturbation. Vivien et al. [26,27] and Ding et al. [28,29] analyzed the security of IPHFE, and their work showed that IPHFE with appropriate parameters can withstand all known attacks. So IPHFE can be substituted for PMI+ in our construction. Due to space limitations, we do not introduce the detailed realization of the construction based on IPHFE.
2.2 Message Confidentiality.
Theorem 2. Confidentiality under the attack of Type 1. In the random oracle model, if an IND-CLMSC-CCA2-1 adversary A has a non-negligible advantage e against the security of our scheme when performing $q_{H_i}$ queries to random oracles $H_i$ (i = 1, 2), $q_{ske}$ Extract Secret Key queries, $q_{pke}$ Extract Public Key queries, $q_{pkr}$ Replace Public Key queries, $q_{sc}$ Signcrypt queries and $q_{dsc}$ Designcrypt queries, then there exists an algorithm C that can solve the MQ problem with advantage defined as: e'w e t : q sc zq H 1 (1{ q sc : (t : q sc zq H 2 ) where t is the number of receivers in the challenge set and $G_2$ denotes the bit length of the element over $G^n$.
Proof. We show how to build an algorithm C that solves the MQ problem with the help of an adversary A. Let C receive a random instance $\{f(x), Y_0 = f(X_0)\}$ of the MQ problem, and the goal of C is to compute $X_0$. To solve this problem, C acts as A's challenger in the IND-CLMSC-CCA2-1 game.
Setup. C sets $\bar{F} = T \circ F \circ V$ as the system public key, chooses an invertible affine transformation $T_0$ on $G^{n+p} \to G^{n+p}$, and chooses an invertible affine transformation $V_0$ on $G^n \to G^n$ randomly. So the system partial secret key is $(T_0 \circ T, F, V \circ V_0)$, and the partial public key is $\bar{F}_0 = T_0 \circ \bar{F} \circ V_0$. C sends the system parameters $(G, g, n, q, p, H_1, H_2)$, the system public key and the system partial secret key to A. Then A outputs a set of target identities, denoted by $L^* = \{ID_1^*, ID_2^*, \ldots, ID_t^*\}$. To handle A's queries, C maintains a list $L_i$ for each $H_i$ (i = 1, 2) query.
Phase 1. C simulates A's queries as follows:
$H_1$ queries. A can perform an $H_1$ query on the input of $(m, ID_i, X, L)$ and then C checks the list $L_1$. If an entry corresponding to $(m, ID_i, X, L)$ is present in $L_1$, then C retrieves the hash value $h_i$ from $L_1$ and returns $h_i$. Otherwise, it returns a random number $h_i \in G^{n+p}$ and stores the entry ($h_i$, m, $ID_i$, X, L, =, D) in $L_1$, where the symbols = and D denote the signature information and the encryption information of the message m, respectively.
$H_2$ queries. A can perform an $H_2$ query on the input of $(ID_s, S, X)$ for $ID_i$ and then C checks the list $L_2$. If an entry corresponding to $ID_i$ is present in $L_2$, then C retrieves $Z_i$ from $L_2$ and returns $Z_i$. Otherwise, it returns a random number $Z_i$ and stores the entry ($Z_i$, $ID_s$, S, X, $ID_i$, L, %, e, $b_i = 0$) in $L_2$, where the symbols L, % and e denote the public key $F_i$, the secret parameters $T_i$ and $V_i$, respectively. The bit $b_i$ is a flag bit used to denote whether the public keys have been replaced or not.
Extract Secret Key queries. A can perform an Extract Secret Key query on the input of $ID_i$. C first checks whether $ID_i = ID_j^*$, $j \in \{1, 2, \ldots, t\}$ holds. If $ID_i = ID_j^*$, $j \in \{1, 2, \ldots, t\}$ holds, then C aborts the query. Otherwise, C retrieves the entry ($Z_i$, $ID_s$, S, X, If $b_i = 0$, then C returns the secret key $(T_i \circ T_0 \circ T, F, V \circ V_0 \circ V_i)$; otherwise, the public key of the identity $ID_i$ has been replaced and in this case, C asks A for the new secret parameters $(T_i, V_i)$, computes the new secret key $(T_i \circ T_0 \circ T, F, V \circ V_0 \circ V_i)$ and returns it to A.
Extract Public Key queries. A can perform an Extract Public Key query on the input of $ID_i$ and then C checks $L_2$. If an entry corresponding to $ID_i$ is present in $L_2$, then C retrieves $F_i$ from $L_2$ and returns $F_i$. Otherwise, C chooses $T_i \in_R G^{n+p}$, $V_i \in_R G^n$, returns the public key $F_i = T_i \circ \bar{F}_0 \circ V_i$ and updates the entry corresponding to $ID_i$ in $L_2$ with $T_i$, $V_i$ and $F_i$.
Replace Public Key queries. When A performs a Replace Public Key query on the input of $(ID_i, F_i')$, C searches the corresponding entry $(\cdot, ID_i, \cdot)$ in $L_2$. If the entry is found, then C replaces the public key in the entry corresponding to $ID_i$ in $L_2$ with $F_i'$ and sets the flag bit $b_i$ to 1. Otherwise, C generates the public key using the Extract Public Key query and then replaces the public key of $ID_i$ with $F_i'$.
Signcrypt queries. A can perform a Signcrypt query on the input of (m, $ID_s$, $L = \{ID_{R_1}, ID_{R_2}, \ldots, ID_{R_t}\}$). If $ID_s = ID_{R_i}$, $i \in \{1, 2, \ldots, t\}$, or if $ID_s \in L^*$ and at least one $ID_{R_i} \in L^*$, $i \in \{1, 2, \ldots, t\}$, then C aborts the query. Otherwise, C knows the secret key of the sender and performs the computations as the signcryption algorithm to return the ciphertext $s = (S, Y, Z, W_1, W_2, \ldots, W_t, L)$. If $ID_s = ID_j^*$, $j \in \{1, 2, \ldots, t\}$, C does not know the secret key of the sender and in this case, it generates the ciphertext as follows: First, C retrieves the entry (?, $ID_s$, $F_s$, $T_s$, $V_s$, $b_s$) from $L_2$ and chooses $r \in_R G^n$ and $Z_s \in_R \{0,1\}^{l_m}$. C computes $X = \bar{F}(r)$, extracts $Y = h_s$ by calling the oracle $H_1$ with the input $(m, ID_S, X, L)$ and computes the signature S. Then, C retrieves the corresponding entry $(\cdot, ID_{R_i}, \cdot, b_{R_i})$ in $L_2$ and then computes $W_i = F_i(S \| X)$ and $Z = Z_s \oplus m$. C updates the corresponding entry in $L_1$. Note that if $b_i = 1$, then the public key of the receiver has been replaced and in this case, the challenger asks A for $(T_i, V_i)$ and uses it in place of the old value stored in the entry. Finally, add i ($W_i$), and $m' = Z \oplus H_2(ID_s, S', X')$. If $Y' = Y$ and $S' = S$ hold, and $(m', X')$ passes the verification, then C returns m; otherwise, C rejects s. Note that a valid ciphertext is rejected with probability at most $\frac{q_{dsc}}{2^{G_2 - 1}}$.
Challenge. A outputs two messages $m_0$ and $m_1$ together with an arbitrary sender's identity $ID_s \notin L^*$ on which A wishes to be challenged. C selects a bit $b \in_R \{0,1\}$ and sends $m_b$ to the t target identities denoted by $L^* = \{ID_1^*, ID_2^*, \ldots, ID_t^*\}$. C chooses $X^* \in_R G^{n+p}$, $S^* \in_R G^n$ and $Z_s \in_R \{0,1\}^{l_m}$, sets $X_0 = X^* \| S^*$ and then computes $Y^* = F_s(S^*)$, $W_i^* = F_i(X_0)$ and $Z^* = Z_s \oplus m_b$. Then, C responds with the ciphertext $s^* = \langle Y^*, S^*, Z^*, W_1^*, W_2^*, \ldots, W_t^*, L^* \rangle$.
Phase 2. A performs new queries as in Phase 1. However, A is not allowed to ask Designcrypt queries on $s^*$ for $ID_i^*$, i = 1, 2, …, t.
Guess. At the end of the game, A returns his/her guess result.
C ignores the answer to A's guess. According to the above discussion, we know that as long as the simulation of the attacker's environment is perfect, the probability that A asks the value of $W_i = F_i(X^* \| S^*)$, i = 1, 2, …, t, by the $H_1$ oracle is the same as the probability in a real attack. C fetches a random entry ($h_i$, m, $ID_i$, X, L, S, $W_i$) from $L_1$. With probability $\frac{1}{t \cdot q_{sc} + q_{H_1}}$ (as $L_1$ contains no more than $t \cdot q_{sc} + q_{H_1}$ elements by our construction), the chosen entry contains the right element $W_i = F_i(X^* \| S^*)$. C returns $X_0$ as a solution to the MQ problem. Now, we analyze the probability of C's success. Let E be the event that A outputs the correct bit $b^* = b$.
Simulation fails if any of the following events occurs:
$E_1$: Extract Secret Key query is executed for some chosen challenge identity.
$E_2$: Both the sender and at least one of receivers belong to the challenge set in some Signcrypt query.
$E_3$: The $H_2$ oracle collides in Signcrypt queries.
Also, we have $\Pr[E_3] \le \frac{q_{sc} \cdot (t \cdot q_{sc} + q_{H_2})}{2^{G_2}}$ since A conducts a total of $q_{sc}$ Signcrypt queries and there are at most $t \cdot q_{sc} + q_{H_2}$ entries in $L_2$.
The event $E_5$ implies that C chooses the correct entry from $L_1$ in the Guess Phase. And we know that $\Pr[E_5] \le \frac{1}{t \cdot q_{sc} + q_{H_1}}$. So, the advantage e' of C is defined as: Therefore, we obtain e'w e t : q sc zq H 1 (1{ q sc : (t :
Theorem 3. Confidentiality under the attack of Type 2. In the random oracle model, if an IND-CLMSC-CCA2-2 adversary A has a non-negligible advantage e against the security of our scheme when performing $q_{H_i}$ queries to random oracles $H_i$ (i = 1, 2), $q_{ske}$ Extract Secret Key queries, $q_{pke}$ Extract Public Key queries, $q_{sc}$ Signcrypt queries and $q_{dsc}$ Designcrypt queries, then there exists an algorithm C that can solve the MQ problem with an advantage e' defined as: e'w e t : q sc zq H 1 (1{ q sc : (t : q sc zq H 2 ) where t is the number of receivers in the challenge set and $G_2$ denotes the bit length of the element over $G^n$. The attacker has access to the master key, but cannot perform public key replacement under the attack of Type 2. The proof is similar to that of Theorem 2.
2.3 Unforgeability.
Theorem 4. Unforgeability under the attack of Type 1. In the random oracle model, if an SUF-CLMSC-CMA-1 adversary A has a non-negligible advantage e against the security of our scheme when performing $q_{H_i}$ queries to random oracles $H_i$ (i = 1, 2), $q_{ske}$ Extract Secret Key queries, $q_{pke}$ Extract Public Key queries, $q_{pkr}$ Replace Public Key queries, $q_{sc}$ Signcrypt queries and $q_{ver}$ Verify queries, then there exists an algorithm C that can solve the IP problem with an advantage e' defined as: where t is the number of receivers in the challenge set and $G_2$ denotes the bit length of the element over $G^n$.
Proof. We show how to build an algorithm C that solves the IP problem with the help of an adversary A. Let C receive a random instance $(F_s = T_s \circ \bar{F}_0 \circ V_s, \bar{F}_0)$ of the IP problem, and the goal of C is to compute $(T_s, V_s)$. To solve this problem, C acts as A's challenger in the SUF-CLMSC-CMA-1 game.
Setup. C sets $\bar{F} = T \circ F \circ V$ as the system public key, and chooses an invertible affine transformation $T_0$ on $G^{n+p} \to G^{n+p}$ and an invertible affine transformation $V_0$ on $G^n \to G^n$ randomly. So the system partial secret key is $(T_0 \circ T, F, V \circ V_0)$, and the partial public key is $\bar{F}_0 = T_0 \circ \bar{F} \circ V_0$. C sends the system parameters $(G, g, n, q, p, H_1, H_2)$, the system public key and the system partial secret key to A. Then A outputs a set of target identities, denoted by $L^* = \{ID_1^*, ID_2^*, \ldots, ID_t^*\}$. To handle A's queries, C maintains a list $L_i$ for each $H_i$ (i = 1, 2) query.
Attack. C simulates A's queries as follows:
$H_1$ queries. A can perform an $H_1$ query on the input of $(m, ID_i, X, L)$ and then C checks the list $L_1$. If an entry corresponding to $(m, ID_i, X, L)$ is present in $L_1$, then C retrieves $h_i$ from $L_1$ and returns $h_i$. Otherwise, it returns a random number $h_i \in G^{n+p}$ and stores the entry ($h_i$, m, $ID_i$, X, L, =, D) in $L_1$, where the symbols = and D denote the signature information and the encryption information for message m, respectively.
$H_2$ queries. A can perform an $H_2$ query on the input of $(ID_s, S, X)$ for $ID_i$ and then C checks the list $L_2$. If an entry corresponding to $ID_i$ is present in $L_2$, then C retrieves $Z_i$ from $L_2$ and returns $Z_i$. Otherwise, it returns a random number $Z_i$ and stores the entry ($Z_i$, $ID_s$, S, X, $ID_i$, L, %, e, $b_i = 0$) in $L_2$, where the symbols L, % and e denote the public key $F_i$, the secret parameters $T_i$ and $V_i$, respectively. The bit $b_i$ is a flag bit used to denote whether the public keys have been replaced or not.
Extract Secret Key queries. A can perform an Extract Secret Key query on the input of $ID_i$, and C first checks whether $ID_i = ID_j^*$, $j \in \{1, 2, \ldots, t\}$ holds. If $ID_i = ID_j^*$, $j \in \{1, 2, \ldots, t\}$ holds, then C aborts the query. Otherwise, C retrieves the entry ($Z_i$, $ID_s$, S, X, Otherwise, the public key of the identity $ID_i$ has been replaced and in this case, C asks A for the new secret parameters $(T_i, V_i)$, computes the new secret key $(T_i \circ T_0 \circ T, F, V \circ V_0 \circ V_i)$ and returns it to A.
Extract Public Key queries. A can perform an Extract Public Key query on the input of $ID_i$ and then C checks $L_2$. If an entry corresponding to $ID_i$ is present in $L_2$, then C retrieves $F_i$ from $L_2$ and returns $F_i$. Otherwise, C chooses $T_i \in_R G^{n+p}$ and $V_i \in_R G^n$, returns the public key $F_i = T_i \circ \bar{F}_0 \circ V_i$ and updates the entry corresponding to $ID_i$ in $L_2$ with $T_i$, $V_i$ and $F_i$.
Replace Public Key queries. When A performs a Replace Public Key query on the input of $(ID_i, F_i')$, C searches the corresponding entry $(\cdot, ID_i, \cdot)$ in $L_2$. If the entry is found, then C replaces the public keys in the entry corresponding to $ID_i$ in $L_2$ with $F_i'$ and sets the flag bit $b_i$ to 1. Otherwise, C generates the public key using the Extract Public Key query and then replaces the public key of $ID_i$ with $F_i'$.
Signcrypt queries. A can performs a Signcrypt query on the input of (m, ID s , L = {ID R1 , ID R2 , …, ID Rt }). If ID s = ID Ri ,i[f1,2,:::,tg, or if ID s [L Ã and at least one ID Ri [L Ã ,i[f1,2,::::,ng, then C aborts the query. If ID s =ID Ã j ,j[f1,2,:::,tg, then C knows the secret key of the sender and performs the computations as the Signcrypt algorithm to return the ciphertext s~(S,Y ,Z,W 1 ,W 2 ,:::,W t ,L). If ID s~I D Ã j ,j[f1,2,:::,tg, C does not know the secret key of the sender and hence it generates the ciphertext as follows: First, C retrieves the entry (?, ID s , F s , T s , V s , b s ) from L 2 and chooses r[ R G n and Z s [ R f0,1g lm . C computes X~ F F (r), extracts Y = h s by calling the oracle H 1 with the input (m, ID s , X, L) and computes the signature S. Then, C retrieves the corresponding entry ( : ,ID Ri , : ,b Ri ) in L 2 and then computes W i = F i (S||X) and Z = Z s ›m. C updates the corresponding entry in L 1 . Note that if b i = 1, then the public key of the receiver has been replaced and in this case, the challenger asks A for (T i , V i ) and uses it in place of the old value stored in the entry.
defined on any of such entries, but this happens only with probability $(t \cdot q_{sc} + q_{H_2})/2^{G_2}$). At last, C sends $s = (S, Y, Z, W_1, W_2, \ldots, W_t, L)$ to A.

Verify queries. When A submits a ciphertext $s = (S, Y, Z, W_1, W_2, \ldots, W_t, L)$, a receiver's identity $ID_R$ and a sender's identity $ID_s$, C extracts $(S, Y, Z, W_i, L)$ from s. If $ID_R \notin L^*$, then C knows the secret key of $ID_R$ and hence designcrypts s using the De-signcrypt Algorithm. Otherwise, C searches all entries $(Y, \cdot, ID_s, \cdot, L, \cdot, Z)$ in $L_1$, and if no such entries exist, the symbol $\perp$ is returned to indicate that the ciphertext is invalid. Meanwhile, C searches the entry ($Z_i$, $ID_s$, S, X, $ID_s$, $F_s$, $T_s$, $V_s$, $b_s$) in $L_2$, and if it is not found, C rejects the ciphertext s. If the ciphertext s passes the above verification, C computes $Y' = F_s(S)$, $S' \| X' = F_i^{-1}(W_i)$ and $m' = Z \oplus H_2(ID_s, S', X')$. If $Y' = Y$ and $S' = S$ hold, and $(m', X')$ passes the verification test, then C accepts s; otherwise, C rejects s. Note that a valid ciphertext is rejected with probability at most $q_{dsc}/2^{G_2-1}$.

Forge. After a polynomial-bounded number of queries, the adversary A outputs forged ciphertext $s = \langle S, Y, Z, W_1, W_2, \ldots, W_t, L \rangle$ (a receiver list $L = \{ID_{R_1}, ID_{R_2}, \ldots, ID_{R_t}\}$, and at least one $ID_{R_i} \notin L^*$) and the sender's identity $ID_s \in L^*$. According to the above discussion, we know that as long as the simulation of the attacker's environment is perfect, the probability that A asks the value of $(T_s, V_s)$ by the $H_2$ oracle is the same as the probability in a real attack. C fetches a random entry ($Z_i$, $ID_s$, S, X, contains no more than $t \cdot q_{sc} + q_{H_2}$ elements by our construction, and C chooses $ID_s$ with probability $1/t$), the chosen entry contains the right element $(T_s, V_s)$. C returns $(T_s, V_s)$ as the solution to the IP problem.

Now, we analyze the probability of C's success. Let E be the event that the forged ciphertext passes verifications.
Simulation fails if any of the following events occurs:
$E_1$: Extract Secret Key query is executed for some chosen challenge identity.
$E_2$: Both sender and at least one of receivers belong to the challenge set in some Signcrypt query.
$E_3$: The $H_2$ oracle collides in Signcrypt queries.
$E_4$: C rejects a valid ciphertext in Verify queries.
According to the above discussion, we know that $\Pr[E] = e$, where E implies that $E_1$ and $E_2$ never occur, that is, $\neg E_1 \wedge \neg E_2$.
Also, we have $\Pr[E_3] \le \frac{q_{sc} \cdot (t \cdot q_{sc} + q_{H_2})}{2^{G_2}}$, since A conducts a total of $q_{sc}$ Signcrypt queries and there are at most $t \cdot q_{sc} + q_{H_2}$ entries in $L_2$. $\Pr[E_4] \le \frac{q_{dsc}}{2^{G_2-1}}$ represents the probability of rejection of valid ciphertexts.
The event $E_5$ implies that C chooses the correct entry from $L_2$ in the last Verify Phase. And we know that $\Pr[E_5] \le \frac{1}{t(t \cdot q_{sc} + q_{H_2})}$. So, the advantage $e'$ of C is defined as: Therefore, we obtain e'w e t(t : q sc zq H 2 ) (1{ q sc : (t : q sc zq H 2 )

Theorem 5. Unforgeability under the attack of Type 2. In the random oracle model, if an SUF-CLMSC-CMA-2 adversary A has a non-negligible advantage $e$ against the security of our scheme when performing $q_{H_i}$ queries to random oracles $H_i$ ($i = 1, 2$), $q_{ske}$ Extract Secret Key queries, $q_{pke}$ Extract Public Key queries, $q_{sc}$ Signcrypt queries and $q_{ver}$ Verify queries, then there exists an algorithm C that can solve the IP problem with an advantage $e'$ defined as: where t is the number of receivers in the challenge set and $G_2$ denotes the bit length of the element over $G^n$. The attacker has access to the master key, but cannot perform public key replacement under the attack of Type 2. The proof is similar to that of Theorem 4.
2.4 Backward Secrecy. Each time Alice sends a message m to receivers, she chooses $r \in G^n$ randomly as the session key. Even though she sends the same message m, the corresponding ciphertext s will be different in different sessions. So a new receiver who joins the group later does not have the previous value $X = \bar{F}(r)$ which was computed for the message m, and thus he/she cannot obtain the previous message m. Therefore, our scheme is backward secure.
2.5 Forward Secrecy. Forward secrecy means that the members who have quit the group are not able to know the later session keys. In our scheme, the session key r is randomly chosen in each session. When some member of the group quits the group, the sender will compute the partial key for the remaining members again, which guarantees that the members who have quit the group cannot obtain the plaintext message from the later ciphertext. So our scheme is forward secure.
2.6 Non-repudiation. According to Theorem 4 and Theorem 5, our scheme is unforgeable. Suppose that Alice signcrypts a message m. If others want to repudiate her signature S, they have to solve the MQ problem to get the secret key of Alice, and it is computationally infeasible because the MQ problem is an NP-hard problem. Therefore, only Alice knows her secret key and others cannot repudiate her behavior of signcrypting the message m. So our scheme provides non-repudiation.
2.7 Public Verifiability. The proposed scheme provides public verifiability of ciphertext source, which is an important requirement in broadcast communications. Any third party can be convinced of the sender of the ciphertext s by recovering $Y'$ in the second step of the de-signcryption phase and checking whether the equation $Y' = Y$ holds. This is in fact due to the unforgeability of the signature. This verification procedure does not involve the knowledge of messages or the receiver's secret key but only the ciphertext s. Hence, our scheme supports public verifiability.
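The third-party check of Section 2.7, computing $Y' = F_s(S)$ from public data and comparing it with $Y$, as an added toy example (not the paper's code, and not PMI+). Assumptions made here: a triangular quadratic central map over GF(2) with bit permutations for T and V, N = 8, SHA-256 truncated to N bits standing in for $H_1$, X passed in as a constructed session value, and all function names.

```python
import hashlib
N = 8  # toy size: vectors in GF(2)^N held as N-bit integers; no security at this size

def keygen(rng):  # secret (T, Q, V): bit permutations around a triangular quadratic map
    T, V = rng.sample(range(N), N), rng.sample(range(N), N)
    # Q[k] holds pairs i <= j < k: y_k = x_k + sum of x_i*x_j (i == j is the linear x_i)
    Q = [[(i, j) for i in range(k) for j in range(i, k) if rng.random() < 0.5] for k in range(N)]
    return T, Q, V

def permute(p, x, inverse=False):  # forward moves bit i of x to position p[i]
    if inverse:
        return sum(((x >> p[i]) & 1) << i for i in range(N))
    return sum(((x >> i) & 1) << p[i] for i in range(N))

def central(Q, v, invert=False):
    out = 0
    for k in range(N):
        src = out if invert else v  # inversion reads the x bits recovered so far
        terms = sum((src >> i) & (src >> j) & 1 for i, j in Q[k])
        out |= (((v >> k) ^ terms) & 1) << k
    return out

def secret_map(sk, v, invert=False):  # F_s = T o Q o V, or its inverse (needs the secret key)
    T, Q, V = sk
    first, last = (T, V) if invert else (V, T)
    return permute(last, central(Q, permute(first, v, invert), invert), invert)

def publish(sk):  # public key: coefficients of F_s interpolated at 0, e_i and e_i + e_j
    c = secret_map(sk, 0)
    lin = [secret_map(sk, 1 << i) ^ c for i in range(N)]
    quad = {(i, j): secret_map(sk, 1 << i | 1 << j) ^ lin[i] ^ lin[j] ^ c
            for i in range(N) for j in range(i + 1, N)}
    return c, lin, quad

def public_eval(pk, x):  # evaluate F_s from the published coefficients only
    y, lin, quad = pk
    on = [i for i in range(N) if (x >> i) & 1]
    for a, i in enumerate(on):
        y ^= lin[i]
        for j in on[a + 1:]:
            y ^= quad[i, j]
    return y

def sign(sk, m, id_s, X, L):  # Y stands in for H_1(m, ID_s, X, L); S = F_s^{-1}(Y)
    h = hashlib.sha256(repr((m, id_s, X, tuple(L))).encode()).digest()
    Y = int.from_bytes(h, "big") % (1 << N)
    return secret_map(sk, Y, invert=True), Y

def third_party_verify(pk, S, Y):  # Y' = F_s(S), accept iff Y' = Y; no message, no secret key
    return public_eval(pk, S) == Y
```

`keygen` expects a `random.Random` instance. The verifier never sees T, Q or V, only the interpolated coefficients, which is what lets any third party run the check.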

Performance Comparison
In this section, we shall compare our scheme with the existing schemes [8][9][10][12] in performance. We mainly consider the computation and communication cost.
The proposed scheme does not involve any bilinear pairing operations, exponentiation operations and multiplications in groups. In the signcryption phase, it needs only two hash operations, (t+2) MQ-mapping (it means the mapping operation on the multivariate quadratic equations) operations and one XOR operation, while in the de-signcryption phase, it needs two hash operations, two MQ-mapping operations and one XOR operation. The MQ-mapping operations are linear operations and have much lower computation complexity than bilinear pairing operations and exponentiation operations. According to the above analysis, the computation complexity of our scheme is O(t+4). The ciphertext of our scheme is $(t+1)G_1 + (t+1)G_2 + |m|$ bits in length, where t is the number of receivers, $G_2$ is the bit length of the element over $G^n$, and $G_1$ is the bit length of the element over $G^{n+p}$. Compared with the representative CLMSC scheme [12], the new scheme has lower computation complexity without bilinear pairing operation needed. We also compare our scheme with the naive extension of schemes [8][9][10] for multi-receiver setting in Table 1, in which par denotes pairing operation, exp denotes exponentiation operation and ciphertext-size denotes the bit length of the ciphertext. The comparisons are summarized in Table 1.
According to the above analyses, the proposed scheme is more efficient than the existing ones, and it is also provably secure in the random oracle model. The proposed scheme is a very useful tool in multicast communication. With the rapid development of wireless networks, it is particularly important to transfer instruction data from the control center to multiple intelligent terminals securely [30]. The control center needs to encrypt the sensitive information to prevent it from being eavesdropped and cracked before sending it to intelligent terminals, while intelligent terminals need to judge whether the received instruction is from the trusted entity. To solve this security problem, we must take both the security requirements and the performance of the intelligent terminals into account, because intelligent terminals are generally characterized by low power consumption, low computing power and narrow communication bandwidth, which make the traditional identity-based scheme not suitable for them. Through the analyses about the security and performance of our scheme, it can be concluded that our scheme can better address these issues and it is in line with the characteristics of intelligent terminals.

Conclusions
As one of the alternative cryptosystems, multivariate public key cryptography can resist quantum attack, and has been researched by scholars extensively. In this paper, we employ multivariate public key cryptography to propose a new construction of the certificateless multi-receiver signcryption scheme, called a quantum attack-resistent certificateless multi-receiver signcryption scheme. The new scheme inherits the security of multi-variable cryptosystems that could resist quantum attack, and it avoids the certificate management and the key escrow problem. We proved its security under the hardness of the MQ problem and its unforgeability under the IP assumption in the random oracle model. In addition, the scheme also has security properties such as forward secrecy, backward secrecy, non-repudiation and public verifiability. Analyses show that the proposed scheme is more efficient than the existing ones. Although our scheme is constructed by using PMI+, there are still some other multivariate cryptosystems like IPHFE suitable for our construction. In the future work, we will construct the multi-receiver signcryption scheme by using IPHFE or other better multivariate cryptosystem, and compare the performance of the new scheme with that of the scheme proposed in this paper.

Author Contributions
Analyzed the data: HL XC LP WS. Wrote the paper: HL XC LP WS. Conceived and designed the scheme: HL XC. Proved the security of the scheme: HL XC.