Abstract
With the development of cloud computing and the application of the Internet of Things (IoT) in the smart grid, a massive amount of sensitive data is produced by terminal equipment. This vast amount of data is subject to various attacks during transmission, from which users must be protected. However, most existing schemes require a large amount of network bandwidth and cannot ensure the receiver’s anonymity. To address these shortcomings, we construct a broadcast signcryption scheme supporting equality test based on a certificateless cryptosystem. The scheme employs a symmetric encryption algorithm to improve encryption and transmission efficiency; the Lagrange interpolation theorem is used to encrypt the user’s identity so that the privacy of terminal devices is preserved; and a trusted third party uses an equality test to eliminate duplicated ciphertexts of identical messages, resulting in efficient use of network bandwidth. Experimental analysis shows that our work has clear advantages for practical broadcast services.
Citation: Niu S, Dong R, Fang L (2023) Certificateless broadcast signcryption scheme supporting equality test in smart grid. PLoS ONE 18(9): e0290666. https://doi.org/10.1371/journal.pone.0290666
Editor: Pandi Vijayakumar, University College of Engineering Tindivanam, INDIA
Received: March 24, 2023; Accepted: August 12, 2023; Published: September 7, 2023
Copyright: © 2023 Niu et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Data Availability: All relevant data are within the experimental analysis section of the manuscript.
Funding: This work was supported by the National Natural Science Foundation of China (No.62241207) and Gansu Science and Technology Program (22JR5RA158). The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.
Competing interests: The authors have declared that no competing interests exist.
Introduction
The use of intelligent Internet of Things (IoT) devices brings great convenience to data communication, and wireless sensor networks have been widely applied in the smart grid. Because wireless sensor networks transmit information over public channels, and power data and sensitive information may be distorted during transmission, there are security risks associated with the smart grid. Many application fields therefore combine it with cryptographic algorithms to guarantee the security of sensitive information. Amos Fiat and Moni Naor [1] first proposed broadcast encryption, which is suitable for one-to-many communication where the broadcaster transmits the encrypted data to authorized receivers. Each receiver obtains the ciphertext and decrypts the message with its own private key. Compared with the traditional one-to-one encryption model, broadcast encryption reduces the computation and communication overhead, so it has significant applications and value in IoT scenarios [2–4]. Unfortunately, these schemes are unable to guarantee the privacy of users or the secure transmission of sensitive information. As the information collected by IoT equipment is sensitive, users expect a guarantee of the security of data transmission and communication. A certificateless cryptosystem was proposed to deal with the key escrow problem, and it can realize efficient and secure transmission of broadcast ciphertext [5–8]. Since the same message may be turned into different broadcast ciphertexts by different encryption methods, the redundant copies occupy bandwidth on resource-limited devices, limit the applicability of the application environment, and cause great inconvenience and waste of space. The ciphertext equality test [9–11] can match ciphertexts held by broadcasters and cloud servers, so as to de-duplicate redundant copies and save bandwidth.
Currently, malicious attackers in the smart grid cause it to face several security threats, such as users forging smart meter data, unauthorized users accessing sensitive information and leaking privacy, and malicious attackers stealing data while wireless sensor networks transmit information over public channels. Thus, the intelligent power supply system must encrypt data and send the ciphertext to users by broadcasting, so as to transmit users’ power information efficiently and securely. Broadcast signcryption achieves data sharing between broadcast servers and authorized receivers. Unfortunately, many existing broadcast signcryption schemes have shortcomings: they are unable to preserve the privacy of receiver identities and they need a lot of bandwidth.
Based on the current security threat in smart grid and the shortcomings of existing schemes, we propose a broadcast signcryption scheme that supports equality test based on certificateless cryptosystem. First, the scheme solves the key escrow problem in identity-based cryptosystem by using certificateless cryptosystem and ensures the receiver’s anonymity by using the Lagrange interpolation theorem. Second, our proposed scheme can be proven secure under the Random Oracle Model. In addition, the proposed scheme realizes the function of data de-duplication by using equality test and lightweight broadcast signcryption by reducing computation cost.
Motivation and contributions
To preserve the privacy of smart meter identities and the confidentiality of sensitive information, while also saving bandwidth, we propose a broadcast signcryption scheme supporting equality test based on a certificateless cryptosystem. The main contributions of our work are as follows:
- The scheme ensures the privacy of the user’s identity. Not only are illegal receivers unable to obtain the sender’s identity, but the receivers also do not learn each other’s identities.
- The proposed scheme uses the equality test to realize data de-duplication. To achieve efficient utilization of network bandwidth, duplicate ciphertexts of the same information generated by different encryption methods are de-duplicated by a trusted third party.
- We realize lightweight broadcast signcryption by reducing the number of costly bilinear pairing operations in unsigncryption. The experimental analysis shows that the computing efficiency is higher than that of existing schemes, which gives the scheme greater advantages in practical applications.
Organization
The organization of this paper is as follows. We survey the related works in Section 2. In Section 3, we briefly describe the background. Our scheme and its correctness are presented in Section 4. The security proof is given in Section 5. In Section 6, we present the performance evaluation. Finally, we conclude the work in Section 7.
Related works
Duan et al. [12] first constructed a broadcast signcryption scheme by combining the signcryption algorithm with broadcast transmission. Unfortunately, the scheme does not meet the security requirements against adaptive chosen-ciphertext attack. Because the traditional signcryption scheme only supports one-to-one transmission, broadcast signcryption overcomes its shortcomings in communication efficiency. Since the invention of broadcast signcryption, many academics and practitioners have proposed schemes to meet various security and performance requirements [13, 14]. Zhang et al. [13] construct a signcryption scheme that resists quantum attacks based on lattices and an identity-based cryptosystem. [14, 15] designed efficient signcryption algorithms that allow the sender to transmit multiple messages to multiple receivers and analyzed the efficiency of each scheme. Qiu et al. [15] design a broadcast scheme based on a certificateless cryptosystem and apply it to the IoT, lowering the computation cost of the receiver by outsourcing the signature verification operation to the gateway. However, the problem of key escrow remains. Peng et al. [16] connected the edge node with the IoT device; edge computing can reduce the computation burden of terminal devices and the delay of network transmission. However, the ciphertext of this scheme does not carry the receiver’s authorization set. Because of the risk of location privacy leakage during the charging of electric vehicles, Kumar et al. [17] design an electric vehicle charging framework combined with grid encryption technology. Alagarsamy et al. [18] propose an Exponentiated Multilinear Vectorized Certificateless Signcryption (EMV-CLSC) scheme, which reduces memory usage when processing multiple data items and improves computation efficiency. [19–21] propose lightweight and efficient access control signcryption schemes based on the certificateless cryptosystem. Ullah et al. [20] propose an anonymous certificateless signcryption scheme using elliptic curves to guarantee security requirements in the Internet of Vehicles, but this scheme only signcrypts a single message and is not suitable for multi-message environments. Sarvesh et al. [22] present a multi-signcryption scheme with public verifiability to reduce the threats of private key escrow and replay attacks. Unfortunately, these schemes fail to consider the processing of redundant data generated by different encryption methods for the same information. Luo et al. [23] propose a signcryption scheme for data communication between different network domains, but it cannot ensure the privacy of receivers. Khan et al. [24] set a smaller key unit for identity-based signcryption, which is not applicable to equipment with limited resources, and there is a risk of the receiver’s privacy leaking. Mandal et al. [25] design a user access control scheme that fails to achieve the receiver’s privacy preservation. Shen et al. [26] propose a lightweight and secure data transmission protocol for wireless body area networks, which supports multidisciplinary treatment but carries a risk of leakage of the partial private key.
To address these shortcomings and improve the efficiency of existing schemes, we propose a broadcast signcryption scheme supporting equality test based on a certificateless cryptosystem. Our proposed work ensures the receiver’s anonymity and the integrity and confidentiality of information; it also realizes data de-duplication by using the equality test and lightweight broadcast signcryption by reducing the computation cost.
Background
Hard problems
We state the hard problems on which the security of our work rests.
Decision Diffie-Hellman (DDH) problem [9]. Given P, aP, bP, W ∈ G, where a and b are unknown, it is hard for a probabilistic polynomial time (PPT) algorithm to determine whether W = abP with non-negligible advantage.
Bilinear Diffie-Hellman (BDH) problem [22]. Given P, aP, bP, cP ∈ G, where a, b and c are unknown and P denotes the generator of group G, compute e(P, P)^{abc} ∈ GT. If Pr[A(P, aP, bP, cP) = e(P, P)^{abc}] ≥ ε, then ε is the advantage of the adversary A in solving the BDH problem.
Computational Diffie-Hellman (CDH) problem [23]. Given aP, bP ∈ G, compute the element abP, where a and b are unknown and P denotes the generator of group G.
Decision Bilinear Diffie-Hellman (DBDH) problem. Given P, aP, bP, cP ∈ G, where a, b and c are unknown, it is hard for a PPT algorithm to distinguish e(P, P)^{abc} from a random element of GT with non-negligible advantage.
System model
The smart power grid relies on intelligent technology, such as wireless sensors, to realize information collection and data transmission. As can be seen from Fig 1, detailed information is collected through sensor equipment. It is assumed that the application field deploys wireless sensor network nodes in multiple power jurisdictions and monitoring areas. The wireless sensor network nodes collect power data and other data in real time and upload them to the aggregation base station. Because wireless sensor networks transmit information over public channels, and power data and sensitive information may be distorted during transmission, there are security risks associated with the smart grid, so the network is combined with cryptographic algorithms to guarantee the security of sensitive information.
As is shown in Fig 2, our proposed system model includes five entities: the intelligent power supply system, the Trusted Third Party (TTP), the Key Generation Center (KGC), the smart meter and the Cloud Server (CS). After the KGC generates public and private keys for the intelligent power supply system and the smart meter, the intelligent power supply system signcrypts the collected information, such as the meter operation status and smart meter data, and then sends the ciphertext to the CS and the TTP for the ciphertext equality test. The TTP deletes duplicate ciphertexts of the same information generated by different encryption methods. When the CS broadcasts the ciphertext to the smart meters, each authorized device can unsigncrypt the ciphertext independently using its private key.
KGC. The KGC is assumed to be a fully trusted entity. The device set and the intelligent power supply system send a registration request before the broadcaster broadcasts the message. After receiving the request, the KGC generates public and private keys for the smart meter and the intelligent power supply system to ensure the device’s legality.
Intelligent power supply system. After receiving the information gathered by the wireless sensor network monitoring equipment, it selects a group of equipment to collect messages, encrypts the message, uploads it in the monitoring area, and then sends the signature to the TTP for the ciphertext equality test.
TTP. To rid the ciphertext of duplicated data, the TTP checks whether the received ciphertext has a copy of the same information, generated by a different encryption method, on the CS.
Smart meter. The smart meter submits a registration request for a legal identity to the key generation center. When the CS broadcasts the ciphertext to the smart meter, the authorized device can send verification information to the trusted third party for ciphertext matching. After obtaining the correct response, it can decrypt the ciphertext independently.
CS. The trusted third party can be operated by the CS to match the duplicate data of the ciphertext generated and transmitted throughout the entire broadcast process. Although the ciphertext is stored on the CS, the CS cannot obtain any information about the broadcaster’s ciphertext.
Formal definition
For the signcryption scheme supporting equality test in the smart grid, we give the detailed definition of each algorithm as follows:
Setup (1^λ): Takes the security parameter λ as input; the KGC returns the public parameters Pars, the TTP’s private key xT and the master key s.
Set secret-value (IDi): Takes Pars and the receiver’s identity IDi as input and returns xi as the receiver’s secret value.
Extract partial-private key (s, Xi, IDi): The inputs are the IDi of the receiver, the master key s, the public key Xi of the receiver and the public parameters Pars, and it returns the partial private key zi.
Set private and public key (IDi, zi, Wi, Pars): Takes the IDi of the receiver, the partial private key zi, Wi and Pars as inputs, and returns the private key (di, yi) and the public key (Xi, Yi) of the receiver.
Signcryption (Pars, IDi, Xi, M): The inputs are the public parameters Pars, a set {IDi, Xi}i=1,2,⋯,n and the message M. The output is the ciphertext σ.
Unsigncryption (yi, σ, ID): The inputs are the public parameters Pars, the private key yi of the smart meter, the set {IDi}i=1,2,⋯,n of receiver identities and the ciphertext σ. It outputs the recovered message and verifies it using the broadcaster’s public key.
Equality-test (CT, CT′): The TTP executes this algorithm. The inputs are the public parameters Pars, the private key xT and two ciphertexts CT and CT′. The output is 1 if CT and CT′ encrypt the same message under different encryption methods; otherwise, it returns 0.
Security model
To ensure the safety of broadcasting, the proposed work must satisfy message security, defined as indistinguishability under chosen multiple identities and chosen ciphertext attack (IND-CMID-CCA) through a polynomial-time game between an adversary and a challenger, as well as strong unforgeability under chosen multiple identities and ciphertext attack (SUF-CMID-CCA) and anonymity under chosen multiple identities and ciphertext attack (ANON-CMID-CCA).
Game 1: IND-CMID-CCA security
This game is played between an adversary and a challenger under the IND-CMID-CCA security model. The security model is defined as follows:
Setup: The challenger takes the security parameter λ as input, returns the public parameters Pars and the master key s, sends Pars to the adversary and keeps s. Then, the adversary selects a random identity from the set {IDi}i=1,2,⋯,n.
Phase 1: The adversary runs adaptive queries, and the challenger responds to each query.
Challenge: The adversary sends two equal-length plaintexts M0 and M1 to the challenger. The challenger randomly selects a bit b ∈ {0, 1}, obtains the ciphertext σ* and returns it to the adversary.
Phase 2: The adversary executes a series of queries as in Phase 1, but is not allowed to perform extract partial-private key or unsigncryption queries on a user whose public key has been replaced.
Guess: The adversary outputs a guess bit b* ∈ {0, 1} and wins the game if b* = b.
Definition 1: Our work satisfies the indistinguishability of chosen multiple identities and the chosen ciphertext attack security (IND-CMID-CCA) if there are no adversaries having a non-negligible advantage to win Game 1.
Game 2: SUF-CMID-CCA security
The adversary interacts with the challenger under the SUF-CMID-CCA security model. The security model is defined as follows:
Setup: It is the same as the Setup in Game 1.
Attack: It is the same as Phase 1 of Game 1.
Forgery: The adversary uses the target user set {IDi}i=1,2,⋯,n and a plaintext to forge a signature σ*. If any user in the target user set {IDi}i=1,2,⋯,n can unsigncrypt the ciphertext σ* correctly, the adversary wins the game. In this process, the ciphertext must not have been obtained through the queries, and all restrictions are consistent with those in Phase 2 of Game 1.
Definition 2: Our proposed work satisfies strong unforgeability under chosen multiple identities and ciphertext attack (SUF-CMID-CCA) if no adversary has a non-negligible advantage in winning Game 2.
Game 3: ANON-CMID-CCA security
The adversary interacts with the challenger under the ANON-CMID-CCA security model. The security model is defined as follows:
Setup: The challenger takes λ as input, returns Pars and s, sends Pars to the adversary and keeps s. Then, the adversary randomly selects an identity set L = {ID0, ID1} and sends it to the challenger.
Phase 1: This is the same as in Game 1.
Challenge: The adversary selects the challenge target identities L* = {ID2, ID3, ⋯, IDn} and a plaintext and sends them to the challenger. The challenger randomly selects a bit b ∈ {0, 1}, forms the challenge ciphertext CT* with the new target identity list L* = {IDb, ID2, ID3, ⋯, IDn} and sends CT* to the adversary.
Phase 2: It is the same as in Game 1.
Guess: Finally, the adversary returns a guess bit b* ∈ {0, 1} and wins this game if b* = b.
Definition 3. Our work satisfies the anonymity of chosen multiple identities and ciphertext attack security (ANON-CMID-CCA) if there are no adversaries having a non-negligible advantage to win Game 3.
The proposed scheme
We construct a certificateless broadcast signcryption scheme that supports equality test. In the scheme, the broadcaster signcrypts a message for many different receivers, and every receiver belonging to the authorized group can unsigncrypt the ciphertext to obtain the plaintext. Table 1 presents the notations used in our proposed scheme. The scheme consists of five algorithms:
Setup: Takes the security parameter λ as input and returns a bilinear pairing e : G1 × G2 → GT, where G1 = 〈P1〉, G2 = 〈P2〉 and both groups have the same prime order p. Define six hash functions H, H1, H2, H3, H4, H5, with H : {0, 1}* → G1 and H4 : GT → G1, and a one-way function f(⋅). The KGC randomly selects two numbers s and xT, computes the public keys PKpub = s ⋅ P1 and PKT = xT ⋅ P2, and keeps the master secret key s secret. Pars = {P1, P2, G1, G2, GT, p, PKT, PKpub, e, f(), H, H1, H2, H3, H4, H5, (E, D)} are the system public parameters, and (E(⋅), D(⋅)) is the encryption/decryption algorithm of the Advanced Encryption Standard.
Keygen: The user and the KGC run the keygen algorithm to obtain the user’s private and public keys.
- Set secret-value: A receiver selects a number di at random as its secret value. It then computes Xi = di ⋅ P1 and returns IDi ∥ Xi to the KGC;
- Partial-private key: The inputs are the receiver’s identity IDi, the master secret key s, the public key Xi and Pars. The KGC selects a number ωi and computes Wi = ωi ⋅ P1, hi = H(IDi) and yi = (ωi + hi ⋅ s) mod p, generates the user’s partial-private key zi = yi + H1(IDi, Xi, Wi), and sends hi, zi and Wi to the user;
- Set private and public key: The user computes the private key yi = zi − H1(IDi, Xi, Wi) and the public key Yi = yi ⋅ P1. The partial-private key is valid if yi ⋅ P1 = Wi + hi ⋅ PKpub; otherwise, the user outputs ⊥. The user’s public key is PKi = (Xi, Yi) and the private key is SKi = (di, yi).
Signcryption: The public parameters Pars, the message M, the receivers’ identities IDi, the sender’s private key SKs = (ds, ys) and public key PKs = (Xs, Ys), and the public key PKT of the TTP are taken as inputs, and the broadcaster performs the following steps:
- Constructs the polynomial Ci(x) with xi = H2(IDi), so that Ci(xi) = 1 and Ci(xj) = 0 for i ≠ j;
- Selects numbers k, r1, a and a tag τ at random, computes K = H3(a), C0 = (f(M) + f(τ)) ⋅ PKT, C1 = k ⋅ P2, C2 = e(P1, r1 ⋅ P2)^k ⋅ a, C3 = EK(M ∥ τ), C4 = e(P1, P2)^{f(τ)}, Vi = e(Yi, C1), Fi = e(P1 ⋅ H1(IDi, Xi, Wi), C1), Ti = H4(Vi ⋅ Fi) + r1 ⋅ Xi and the Qj, and sets CT = (C0, C1, C2, C3, C4, Qj);
- Randomly selects a number r, computes R = r ⋅ P1, hs = H5(M, IDs, Xs, Ys, R) and u = ds + ys + hs ⋅ r;
- The final broadcast ciphertext is σ = (CT, u, R).
Unsigncryption: The broadcast ciphertext σ, the receiver’s public key (Xi, Yi) and the receiver’s identity IDi are taken as inputs, and the receiver performs the following steps:
- Computes its Ti from the Qj using xi = H2(IDi), and from it W = r1 ⋅ P1;
- Computes a = C2/e(W, C1), the key K = H3(a) and the plaintext M = DK(C3);
- Checks whether C0 = (f(M) + f(τ)) ⋅ PKT. Returns true if it holds, otherwise returns ⊥;
- Computes hs = H5(M, IDs, Xs, Ys, R); if u ⋅ P1 = Xs + Ys + hs ⋅ R, the receiver accepts the message (IDi ∥ M)i=1,2,⋯,n, otherwise it outputs ⊥.
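The Keygen steps above and the sender’s (u, R) signature from Signcryption, with its check in the last Unsigncryption step, worked as an added example (not the paper’s code). Assumptions: G1 is modelled as the prime-order-p subgroup of Z_q^*, so scalar multiplication is modular exponentiation and group addition is modular multiplication; H, H1 and H5 are SHA-256 reduced mod p; the pairing and the symmetric part of CT are not modelled; identities and readings are constructed.

```python
import hashlib
import random

P_ORDER = 2**31 - 1  # prime order p of the toy group (constructed parameter)

def is_prime(n):
    """Deterministic Miller-Rabin, exact for 37 < n < 3.3e24 with these witnesses."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group():
    """Pick a prime q = k*p + 1 and a generator P1 of the order-p subgroup of Z_q^*."""
    k = 2
    while not is_prime(k * P_ORDER + 1):
        k += 2
    q = k * P_ORDER + 1
    h = 2
    while pow(h, k, q) == 1:
        h += 1
    return q, pow(h, k, q)

Q, P1 = make_group()  # Q is the modulus, P1 plays the generator of G1

def smul(k, g):
    """Scalar multiplication k·g (modular exponentiation in the toy group)."""
    return pow(g, k % P_ORDER, Q)

def gadd(a, b):
    """Group addition a + b (modular multiplication in the toy group)."""
    return a * b % Q

def hash_zp(tag, *parts):
    """Stand-in for H, H1, H5: domain-separated SHA-256 reduced into Z_p."""
    data = "|".join([tag] + [str(x) for x in parts]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P_ORDER

class KGC:
    def __init__(self, rng):
        self.s = rng.randrange(1, P_ORDER)  # master secret key s
        self.PKpub = smul(self.s, P1)

    def partial_private_key(self, ID, X, rng):
        """Returns (hi, zi, Wi) with yi = wi + hi*s and zi = yi + H1(IDi, Xi, Wi)."""
        w = rng.randrange(1, P_ORDER)
        W = smul(w, P1)
        h = hash_zp("H", ID)
        y = (w + h * self.s) % P_ORDER
        return h, (y + hash_zp("H1", ID, X, W)) % P_ORDER, W

def set_secret_value(rng):
    """User picks di and publishes Xi = di·P1."""
    d = rng.randrange(1, P_ORDER)
    return d, smul(d, P1)

def set_keys(ID, d, X, h, z, W, PKpub):
    """Unblind yi, derive Yi and validate yi·P1 = Wi + hi·PKpub; None on failure."""
    y = (z - hash_zp("H1", ID, X, W)) % P_ORDER
    Y = smul(y, P1)
    if Y != gadd(W, smul(h, PKpub)):
        return None  # partial key corrupted in transit or issued by a rogue KGC
    return (d, y), (X, Y)

def sign(M, ID_s, SK, PK, rng):
    """Sender's step of Signcryption: R = r·P1, hs = H5(M, IDs, Xs, Ys, R), u = ds + ys + hs·r."""
    r = rng.randrange(1, P_ORDER)
    R = smul(r, P1)
    hs = hash_zp("H5", M, ID_s, PK[0], PK[1], R)
    return (SK[0] + SK[1] + hs * r) % P_ORDER, R

def verify(M, ID_s, PK, u, R):
    """Receiver's last step of Unsigncryption: accept iff u·P1 = Xs + Ys + hs·R."""
    hs = hash_zp("H5", M, ID_s, PK[0], PK[1], R)
    return smul(u, P1) == gadd(gadd(PK[0], PK[1]), smul(hs, R))

def demo(seed=1):
    """Keygen for one smart meter, sign a reading, verify, and exercise two failure cases."""
    rng = random.Random(seed)
    kgc = KGC(rng)
    ID = "smart-meter-0001"  # constructed identity
    d, X = set_secret_value(rng)
    h, z, W = kgc.partial_private_key(ID, X, rng)
    SK, PK = set_keys(ID, d, X, h, z, W, kgc.PKpub)
    u, R = sign("reading=42.7kWh", ID, SK, PK, rng)
    good = verify("reading=42.7kWh", ID, PK, u, R)
    forged = verify("reading=0.0kWh", ID, PK, u, R)  # message altered after signing
    corrupt = set_keys(ID, d, X, h, z, gadd(W, P1), kgc.PKpub)  # Wi altered in transit
    return good, forged, corrupt is None
```

The validity check in set_keys is what lets a meter detect a tampered or mis-issued partial key before it ever publishes Yi.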
Equality-test: Given two ciphertexts CT = (C0, C1, C2, C3, C4, Q1, Q2, ⋯, Qn) and CT′, the TTP uses its private key xT to check whether both were generated from the same message, returns 1 if so and ⊥ otherwise.
Correctness: The correctness of our proposed work is shown as follows:
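The receiver-hiding step of Signcryption (the Lagrange polynomials Ci(x) with xi = H2(IDi)) and its counterpart in the first Unsigncryption step, worked as an added example (not the paper’s code). Assumptions: the per-receiver values Ti are modelled as scalars in Z_p rather than G1 elements, the broadcast values Qj are taken to be the coefficients of Q(x) = Σ Ti ⋅ Ci(x), H2 is SHA-256 reduced mod p, and the identities and tokens are constructed.

```python
import hashlib

P = 2**31 - 1  # prime standing in for the group order p (constructed parameter)

def h2(identity):
    """Stand-in for H2: maps a receiver identity into Z_p."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % P

def poly_mul(a, b):
    """Multiply two polynomials over Z_p given as coefficient lists, lowest degree first."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out

def lagrange_basis(xs, i):
    """Coefficients of C_i(x) = prod_{j != i} (x - x_j)/(x_i - x_j): C_i(x_i) = 1, C_i(x_j) = 0."""
    num, denom = [1], 1
    for j, xj in enumerate(xs):
        if j != i:
            num = poly_mul(num, [(-xj) % P, 1])
            denom = denom * (xs[i] - xj) % P
    inv = pow(denom, P - 2, P)  # Fermat inverse, valid because P is prime
    return [c * inv % P for c in num]

def hide_tokens(identities, tokens):
    """Broadcaster side: fold the per-receiver values T_i into Q(x) = sum_i T_i * C_i(x).

    Only the coefficients Q_0..Q_{n-1} are sent, so the ciphertext lists no receiver
    identity; each authorized receiver evaluates Q at its own point to get its T_i.
    """
    xs = [h2(identity) for identity in identities]
    if len(set(xs)) != len(xs):
        raise ValueError("H2 collision among receivers; Lagrange basis undefined")
    coeffs = [0] * len(xs)
    for i, t in enumerate(tokens):
        for j, c in enumerate(lagrange_basis(xs, i)):
            coeffs[j] = (coeffs[j] + t * c) % P
    return coeffs

def recover_token(coeffs, identity):
    """Receiver side: evaluate Q(x) at x_i = H2(ID_i) by Horner's rule.

    Authorized receivers obtain exactly their own T_i; any other identity gets a value
    unrelated to every token and cannot even tell who the authorized receivers are.
    """
    x, acc = h2(identity), 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def demo():
    """Three authorized meters and one outsider; returns what each recovers."""
    ids = ["smart-meter-0001", "smart-meter-0002", "smart-meter-0003"]  # constructed
    tokens = [123456789, 987654321, 42]  # constructed stand-ins for T_1..T_3
    coeffs = hide_tokens(ids, tokens)
    recovered = [recover_token(coeffs, identity) for identity in ids]
    outsider = recover_token(coeffs, "smart-meter-9999")
    return recovered, outsider, len(coeffs)
```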
- yi ⋅ P1 = (ωi + hi ⋅ s) ⋅ P1 = Wi + hi ⋅ PKpub
-
-
-
-
-
Security proof
We prove the security of our work under the hard problems and the security model in Section 4.
Theorem 1. If the BDH problem in (G1, G2) is hard, our work is secure against the IND-CMID-CCA adversary.
Proof: A simulator is created to solve the BDH problem in (G1, G2). It takes (P1, β1P1, β2P1, V) of the DDH problem as input and interacts with the adversary to simulate the security game.
Setup: The simulator sets the system public key PKpub = αP1 = φ(αP2) and PKT = β1P1, and then sends the system parameters Pars = {P1, P2, G1, G2, p, e, H, H1, H2, H3, H4, H5, (E, D)} to the adversary. After receiving Pars, the adversary outputs the target identities {IDi}i=1,2,⋯,n.
Phase 1: The simulator sets H, {Hi}i=1,2,⋯,5, answers the adversary’s queries, returns the results to the adversary and stores the query results in the lists H, H1, H2, H3, H4, H5.
H query: After receiving the adversary’s query on the target identities {IDi}i=1,2,⋯,n, the simulator creates a tuple (IDi, Wi, ψi, θi) in the list H, initialized to null. If the identity already exists in a tuple, it returns Wi. Otherwise, the simulator randomly selects a bit ψi ∈ {0, 1} and an integer θi ∈ Zp. If ψi = 0, it computes Wi = θi ⋅ P1; otherwise, it sets Wi = θi ⋅ bP1 = θi ⋅ φ(bP2) and adds (IDi, Wi, ψi, θi) to the list H. Finally, the simulator returns Wi to the adversary;
H1 query: On input (IDi, Xi, Wi), the simulator checks whether (IDi, Xi, Wi, di) exists in the list H1. If it does, it returns di to the adversary. Otherwise, the simulator randomly selects a value di, sends it to the adversary and stores (IDi, Xi, Wi, di) in the list H1;
H2 query: A list L is created and initialized to empty. If the identity already exists in a tuple (IDi, xi) in the list, the simulator returns H2(IDi) = xi. Otherwise, it randomly selects an integer xi, adds (IDi, xi) to the list L and returns xi to the adversary;
H3 query: The identity IDi is taken as input. The simulator creates a tuple (IDi, ki) in the list H3, initialized to empty. If (IDi, ki) exists in the list H3, ki is returned to the adversary. Otherwise, the simulator randomly selects ki ∈ Zp, returns it to the adversary and adds the tuple (IDi, ki) to the list H3;
H4 query: On input the identity IDi, the simulator creates (IDi, Ti) in the list H4, initialized to empty. If (IDi, Ti) exists in the list H4, it returns Ti to the adversary. Otherwise, it randomly selects an element Ti ∈ G1, returns it to the adversary and adds (IDi, Ti) to the list H4;
H5 query: (M, IDi, Xi, Yi, R) is taken as input. If (M, IDi, Xi, Yi, R, hk) exists in the list H5, the simulator sends hk to the adversary; otherwise, it randomly selects hk, sends it to the adversary and stores (M, IDi, Xi, Yi, R, hk) in the list H5;
Key query: If (IDi, SKi, PKi, xi, zi) exists in the list Hi, the simulator keeps the tuple. Otherwise, it responds as follows:
- If IDi = IDj, the simulator randomly selects values, computes Xi = xi ⋅ P1, Wi = ωi ⋅ P1, yi = ωi + H1(IDi, Xi, Wi) ⋅ s mod p, Yi = yi ⋅ P1, PKi = (Xi, Yi), and updates the tuple (IDi, SKi, PKi, xi, zi) in the list Hi and the tuple (IDi, Xi, Wi, di) in the list H1 respectively;
- If IDi ≠ IDj, the simulator randomly selects values, computes Xi = xi ⋅ P1, Yi = yi ⋅ P1, PKi = (Xi, Yi), SKi = (di, yi), and updates the tuple (IDi, SKi, PKi, xi, zi) in the list Hi and the tuple (IDi, Xi, Wi, di) in the list H1 respectively.
Secret-value query: After receiving the request from the adversary, the simulator sends xi to the adversary if (IDi, SKi, PKi, xi, zi) exists in the list Hi.
Extract partial-private key query: On input IDi, the simulator executes as follows:
- If IDi = IDj, the simulator sends ⊥ to the adversary;
- If IDi ≠ IDj and (IDi, SKi, PKi, wi, xi, zi) exists in the list Hi, the simulator sends the partial-private key zi to the adversary; otherwise, it runs the key query, obtains the tuple (IDi, SKi, PKi, xi, zi) and sends the partial-private key zi to the adversary.
Private key query: After receiving the request from the adversary, the simulator sends the public key PKi to the adversary if (IDi, SKi, PKi, xi, zi) exists in the list Hi; otherwise, it runs the key query, obtains (IDi, SKi, PKi, xi, zi) and sends the public key PKi to the adversary. It then responds as follows:
- If IDi = IDj, the simulator sends ⊥ to the adversary;
- If IDi ≠ IDj and (IDi, SKi, PKi, wi, xi, zi) exists in the list Hi, the simulator sends the private key SKi to the adversary; otherwise, it runs the key query, obtains the tuple (IDi, SKi, PKi, xi, zi) and sends SKi to the adversary.
Public key replace query: After receiving the request, if the tuple (IDi, SKi, PKi, wi, xi, zi) exists in the list Hi, the simulator replaces PKi with the new public key supplied by the adversary; otherwise, the tuple (IDi, SKi, PKi, xi, zi) is stored in the list Hi.
Signcryption query: If IDi ≠ IDj for i = 1, 2, ⋯, n, the simulator runs the private key query, obtains SKs, generates the ciphertext CT and sends CT to the adversary; otherwise, it responds as follows:
- Selects IDi and computes xi = H2(IDi);
- Constructs the polynomial Ci(x);
- Randomly selects the integers k, A and τ, computes C1 = k ⋅ P2, K = H3(A) and C3 = EK(M ‖ τ);
- Randomly selects r, computes R = r ⋅ P1, hs = H5(M, IDs, Xs, Ys, R) and u = ds + ys + hs ⋅ r;
- Outputs CT = (C0, C1, C2, C3, C4, Qt) to the adversary.
Unsigncryption query: The adversary asks the simulator to run the unsigncryption query on the ciphertext CT and the identity IDi. After receiving the request, if IDi = IDj for i = 1, 2, ⋯, n, the simulator sends ⊥ to the adversary; otherwise, it responds as follows:
- Takes the broadcaster identity IDs, the authorized device identity IDi and the ciphertext CT as inputs, and computes W = r1 ⋅ P1;
- Computes K′ = H4(C2/e(W, C1));
- If i = 1 in the H4 query, the simulator recovers the plaintext M ∥ IDi = D(K′, C3) from the list H4 using the symmetric key K′ and returns it to the adversary. It checks whether C0 = f(M) ⋅ PKT + f(τ) ⋅ PKT. If so, the execution is completed. If i does not exceed the number of H4 queries, the simulator returns M to the adversary; otherwise, it outputs ⊥;
- If R = hi ⋅ P2 − u ⋅ Yi, the simulator returns M to the adversary; otherwise, it outputs ⊥.
Challenge: The adversary selects two equal-length messages M0, M1 and the challenge identity and public key set S* = (ID1/X1, ⋯, IDl/Xl). In Phase 1, the adversary cannot use an identity IDi ∈ S* to run the private key query. If ψi = 1 in the tuple (IDi, Wi, ψi, θi) in the list H1, the simulator responds as follows:
- Sets the challenge values;
- Computes xi and constructs the polynomial Ci(x);
- Randomly selects r1 ∈ Zp and Ri ∈ G1, computes Tj = Ri + r1 ⋅ Xj and the Qj;
- Randomly selects A ∈ GT and τ ∈ {0, 1}^t, computes K = H3(A) and the challenge components for β ∈ {0, 1};
- Computes the remaining ciphertext components;
- Sends the challenge ciphertext CT* to the adversary.
Phase 2: The adversary runs a series of adaptive queries consistent with those in Phase 1, but the challenge ciphertext CT* cannot be decrypted. If IDi ∈ S*, the extract partial-private key query is not allowed.
Guess: The adversary outputs a bit β′ ∈ {0, 1}. If V = β1β2P1, CT* is valid. Suppose the adversary must run the H5 query with H(IDi) = qi ⋅ b ⋅ P1 and PKpub = aP1; the simulator then computes the answer to the BDH instance it was given. Therefore, our scheme is secure against the IND-CMID-CCA adversary.
Theorem 2. If the DDH problem in G1 is hard, our proposed scheme is secure against the IND-CMID-CCA adversary.
Proof: A simulator is created to solve the DDH problem in G1. Let P1, aP1, bP1, W ∈ G1, where a and b are unknown; the simulator must judge whether W = abP1. It interacts with the adversary to simulate the security game.
Setup: The simulator sets the system public key PKpub = αP1 and PKT = βP1, and then sends the system parameters Pars = {P1, P2, G1, G2, p, e, H, H1, H2, H3, H4, H5, (E, D)} to the adversary.
Phase 1: The adversary adaptively issues a series of queries.
H query: After receiving the adversary’s query on the target identities {IDi}i=1,2,⋯,n, the simulator creates (IDi, Wi) in the list H, initialized to null. If the identity already exists in a tuple, it returns Wi. Otherwise, it randomly selects an integer θi ∈ Zp, computes Wi = θi ⋅ P1 and adds (IDi, Wi, ψi) to the list H1. Finally, the simulator returns Wi to the adversary.
H1, H2, H3, H4, H5 query: These are the same as the H1, H2, H3, H4, H5 queries in Theorem 1.
Public key query: After receiving the adversary’s query on the target identities {IDi}i=1,2,⋯,n, the simulator checks whether (IDi, Wi, xi) exists in the list H, which is initialized to null. If the identity exists in a tuple, it returns Wi. Otherwise, it randomly selects a bit ψi ∈ {0, 1} and an integer ai ∈ Zp. If ψi = 0, it computes Xi = ai ⋅ P1; otherwise, it sets Xi = ai ⋅ bP1 and adds (IDi, ai, Xi, ψi) to the list H. Finally, it returns Xi to the adversary.
Unsigncryption query: It is the same as the Unsigncryption query in Theorem 1.
Challenge: It is the same as the Challenge in Theorem 1.
Phase 2: The adversary runs a series of adaptive queries consistent with those in Phase 1, but the challenge ciphertext CT* cannot be decrypted.
Guess: The adversary gives its guess β. If the guess is correct, the adversary wins the game with non-negligible advantage. When W = abP1, the challenge ciphertext is valid since Ti = H4(Vi ⋅ Fi) + r1 ⋅ W = H4(Vi ⋅ Fi) + r1 ⋅ (abP1) and C4 = e(P1, P2)^{f(τ)} = e(P1, P2)^{f(b)}. This means that r1 = a and τ = b in the signcryption. Thus, if the adversary breaks the proposed work, the simulator is able to solve the DDH problem.
Theorem 3. Let H and {Hi}i=1,2,⋯,5 be one-way functions. If the CDH problem in (G1, G2) is hard, the scheme is secure against the SUF-CMID-CCA adversary.
Proof: A simulator is created to solve the CDH problem in (G1, G2) and interacts with the adversary as follows:
Setup: It is the same as the Setup in Theorem 1.
Phase 1: It is the same as Phase 1 in Theorem 1.
Public key query: If the challenge identity is received, the simulator sends PKpub = a ⋅ P1 to the adversary; otherwise, it randomly selects xi and computes PKpub = xi ⋅ P1.
Private key query: If the challenge identity is received, the simulator returns ⊥; otherwise, it runs the private key query and sends the private key to the adversary.
Signcryption query: The simulator runs the following steps on the queried identity:
- If it is the challenge identity, the simulator randomly selects values and computes R = ai ⋅ P1 − bi ⋅ Yi;
- Otherwise, the simulator generates the ciphertext and sends it to the adversary.
Forge: The adversary uses the identity set L = {ID1, ID2, ⋯, IDn} to forge a signature σ* = (CT*, u*). If σP1 = Xi + Yi + hi ⋅ R holds, the adversary wins the game; the simulator then defines r ⋅ Xi = yi(PKi + PKpub), computes and outputs αβP = r ⋅ Xi − PKi. Otherwise, it outputs the terminator ⊥.
Theorem 4. Define one-way functions H and {Hi}i=1,2,⋯,5. If the DBDH problem in (G1, G2) is hard, our work is secure against the ANON-CMID-CCA of .
Proof: Simulator is created to solve DBDH problem in (G1, G2).
interacts with
as follows:
Setup: The simulator sets system public key PKpub = aP1, sends system parameter Pars = {G1, G2, GT, p, e, f(), H, H1, H2, H3, H4, H5, (E, D)} to ,
outputs the target identity {IDi}i=1,2,⋯,n.
Phase 1: executes a series of adaptive queries consistent with Theorem 1.
Challenge: cannot run partial private key query on
. Message M, two identities and public key sets with different lengths
and
are taken as inputs.
runs as follows:
- Sets
;
- Retrieves
on the identity
, if
, outputs ⊥, if
, sets
and
. Then,
is obtained by H3 query;
- Computes
,
, i ∈ {2, 3, ⋯, l};
- Constructs
, i ∈ {2, 3, ⋯, l};
- Randomly selects integer
, Ri ∈ G1, i ∈ {2, 3, ⋯, l}, computes Tj = Ri + r1 ⋅ Xj and
;
- Computes
, i ∈ {β, 2, 3, ⋯, l};
- Randomly selects A ∈ Gp and an integer τ ∈ Zp, computes
,
, β ∈ {0, 1};
- Computes
and
;
- Sends challenge ciphertext
to
.
Phase 2: runs adaptive queries consistent with those of Phase 1, but is not allowed to perform the partial private key, public key replacement, or unsigncryption queries for the identity
.
Guess: guesses b′, if b′ = b,
outputs 1, otherwise, outputs 0.
Analysis: The simulator is indistinguishable from the real scheme in the above game. When Z = e(P1, P2)^{αβc}, assume that k* = c.
where K = H3(A) is a random element. Therefore,
views Mβ as independent, and our work is secure against the ANON-CMID-CCA.
Theorem 5. If the DDH problem in G1 is hard, our proposed work is secure against the ANON-CMID-CCA of .
Proof: The simulator is created to solve the DDH problem in G1. Let P1, aP1, bP1, W ∈ G1, where
are unknown, and decide whether W = abP1.
and
to simulate the security game.
Setup: It is similar to the Setup in Theorem 2.
Phase 1: It is similar to the Phase 1 in Theorem 2.
Challenge: It is similar to the Challenge in Theorem 2.
Phase 2: is not allowed to perform the public key query or the unsigncryption query on ID, where
.
Guess: Given β′, if , outputs 1, otherwise, outputs 0.
Analysis: The simulator is indistinguishable from the real scheme in the above game. When W = abP1, assume that r1 = a; otherwise, W is a random element of the group G1, and
where K = H3(A) is a random element. Therefore,
views Mβ as independent, and our work is secure against the ANON-CMID-CCA.
Performance evaluation
Functional comparison
We evaluate the functions of the proposed work against those of five existing broadcast signcryption schemes [15, 22–25]. From Table 2, scheme [15] outsources the verification operation to a gateway, which reduces the computation cost of the receiver at the decryption stage; however, it suffers from the key escrow problem. Scheme [22] presents a multi-signcryption scheme with public verifiability to reduce the threats of private key escrow and replay attacks, but cannot eliminate duplicate copies in the system. Scheme [23] proposes a certificateless broadcast signcryption scheme, but cannot ensure the privacy of the receiver. Scheme [24] sets a smaller key unit in identity-based signcryption, which is not applicable to resource-constrained equipment, and there is a risk of the receiver's privacy leaking. Scheme [25] designs a user access control scheme that fails to achieve receiver privacy preservation, and its unsigncryption computation cost is higher than that of the proposed work.
Efficiency analysis
We compare the computation times of our work with those of the existing schemes [15, 22] in Table 3, and the communication costs of our work and the other schemes in Table 4.
1) Computation cost. The computation times of our work and of the existing schemes [15, 22] are shown in Table 3. Te, Tm, Tp, Th and TInv denote the time of executing an exponentiation, a multiplication, a bilinear pairing, a hash, and a multiplicative inversion, respectively. Ordered by running time, Tp > Te > Tm > Th > TInv. n denotes the number of users, and the computation cost increases as n grows.
2) Communication cost. We compare the communication costs of the proposed work with those of schemes [15, 22] in Table 4. We set =16 bytes and |G|=32 bytes. n denotes the number of users. The ciphertext sizes are
,
,
in [15], [22] and our scheme, respectively. Table 4 shows that the communication cost grows linearly with n.
Experimental analysis
The experiment uses a bilinear pairing-based cryptography library under the Linux operating system, with the pairing parameter type set to Type-A. The code is written in C and executed on a PC with a 2.60 GHz CPU and 8 GB of RAM. We compare the computation time of the signcryption and unsigncryption algorithms of [15, 22] and of our proposed scheme, setting the number of smart grid devices to 10, 20, 30, 40, 50, 60, 70 and 80, respectively. The number of devices in the smart grid can be dynamically adjusted to manage authorized devices more flexibly.
As shown in Fig 3, the computation time of our work in the data signcryption stage is lower than that of scheme [22]. Although the computation efficiency of scheme [15] is higher than that of our scheme, the proposed work has higher security and practical application value. Fig 4 shows that the computation efficiency of our work in the data unsigncryption stage is higher than that of the existing schemes [15, 22]. When the number of devices is 20, the computation time of our scheme is 46.565 ms, while those of [15] and [22] are 122.278 ms and 242.153 ms, respectively. Fig 5 shows that the communication cost of our work is lower than that of [22]. Both the unsigncryption computation and the communication cost of [22] are higher than those of our proposed scheme; the core reason is that the equality test cannot be performed in [22]. Although the communication cost of [15] is higher than that of our scheme, our proposed work has higher security and can better guarantee the privacy of users.
Conclusion
Currently, malicious attackers in the smart grid expose it to security threats such as users forging smart meter data and unauthorized access to sensitive information that leads to privacy leakage. To realize privacy preservation of smart meters' identities and the confidentiality of sensitive information, guarantee the security of data communication, and address the shortage of transmission network bandwidth, we construct a broadcast signcryption scheme supporting equality test based on a certificateless cryptosystem. The scheme realizes anonymity among receivers and ensures the privacy of data. In addition, our work also achieves deletion of duplicated ciphertexts of the same message, which greatly saves network bandwidth and ciphertext storage space. Finally, an analysis of the existing broadcast signcryption schemes and our proposed scheme reveals that our proposed work has higher practical application value.
References
- 1. Fiat A, Naor M. Broadcast encryption. Santa Barbara, CA, USA, 22–26 August 1993; pp. 480–491.
- 2. Lu Y, Li J, Zhang Y. Privacy-preserving and pairing-free multirecipient certificateless encryption with keyword search for cloud-assisted IIoT. IEEE Internet Things J. 2020,7 (4): 2553–2562.
- 3. Deng L. Anonymous certificateless multi-receiver encryption scheme for smart community management systems. PLoS Genet. 2011 Oct;7(10):e1002337.
- 4. Wang B, Rong J, Zhang S, Liu L. Research on data security of multicast transmission based on certificateless multi-recipient signcryption in AMI. Proc. Int. J. Electr. Power Energy Syst. 2020,121:1–8.
- 5. Pka B, Mk A, Sma C. Cryptanalysis of a pairing-free certificateless signcryption scheme. ICT Express, 2021, 7(2):200–204.
- 6. Ullah I, Alkhalifah A, Rehman S U, et al. An anonymous certificateless signcryption scheme for internet of health things. IEEE Access, 2021, 9: 101207–101216.
- 7. Thorncharoensri P, Susilo W, Chow Y W. Privacy-preserving file sharing on cloud storage with certificateless signcryption. Theoretical Computer Science, 2022.
- 8. Noor F, Kordy T A, Alkhodre A B, et al. Securing wireless body area network with efficient secure channel free and anonymous certificateless signcryption. Hindawi Limited, 2021.
- 9. Zhang J, Ou P. Privacy-preserving multi-receiver certificateless broadcast encryption scheme with de-duplication. Sensors, 2019, 19(15):3370. pmid:31370322
- 10. Bhosale A H, Manjrekar A A. Attribute-based storage control with smart de-duplication filter using hybrid cloud. Pune, India: IEEE, 2018. 1–6.
- 11. Periasamy J K, Latha B. An enhanced secure content de-duplication identification and prevention (ESCDIP) algorithm in cloud environment. Neural Computing and Applications, 2020, 32(2): 485–494.
- 12. Duan S, Cao Z. Efficient and provably secure multi-receiver identity-based signcryption. Springer, Berlin, Heidelberg, 2006: 195–206.
- 13. Zhang X J, Xu C X, et al. Efficient multi-receiver identity-based signcryption from lattice assumption. International Journal of Electronic Security and Digital Forensics: IJESDF, 2018, 10(1): 20–38.
- 14. Pang L, Wei M, Li H. Efficient and anonymous certificateless multi-message and multi-receiver signcryption scheme based on ECC. IEEE Access, 2019: 1–1.
- 15. Qiu J, Fan K, Zhang K, et al. An efficient multi-message and multi-receiver signcryption scheme for heterogeneous smart mobile IoT. IEEE Access, 2019, 7:180205–180217.
- 16. Peng C, Chen J, Obaidat M S, et al. Efficient and provably secure multireceiver signcryption scheme for multicast communication in edge computing. IEEE Internet of Things Journal, 2020, 7(7): 6056–6068.
- 17. Kumar G, Saha R, Rai M K, et al. A privacy-preserving secure framework for electric vehicles in IoT using matching market and signcryption. IEEE Transactions on Vehicular Technology, 2020, 69(7): 7707–7722.
- 18. Alagarsamy S, Rajagopalan S P. Exponentiated multiple message communication using certificateless signcryption for mobile network security. International Journal of Computer Applications, 2017, 178(7): 13–24.
- 19. Zhou C. An improved lightweight certificateless generalized signcryption scheme for mobile-health system. International Journal of Distributed Sensor Networks, 2019, 15(1).
- 20. Ullah I, Khan MA, Alsharif MH, Nordin R. An Anonymous Certificateless Signcryption Scheme for Secure and Efficient Deployment of Internet of Vehicles. Sustainability, 2021, 13(19):10891.
- 21. Gao G M, Peng X G, Jin L Z. Efficient access control scheme with certificateless signcryption for wireless body area networks. International Journal of Network Security, 2019, 21(3):428–437.
- 22. Tanwar S, Kumar A. Extended identity based multi-signcryption scheme with public verifiability. Journal of Information and Optimization Sciences, 2018, 39(2):503–517.
- 23. Ming L, Yi L, Yuwei W, et al. Secure and efficient access control scheme for wireless sensor networks in the cross-domain context of the IoT. Security and Communication Networks, 2018, 2018:1–10.
- 24. Khan M A, Ullah I, Nisar S, et al. Multiaccess edge computing empowered flying ad hoc networks with secure deployment using identity-based generalized signcryption. Mobile Information Systems, 2020.
- 25. Mandal S, Bera B, Sutrala A K, et al. Certificateless-signcryption-based three-factor user access control scheme for IoT environment. IEEE Internet of Things Journal, 2020, 7(4): 3184–3197.
- 26. Shen J, Chen X, Zhang J, Xiang Y. Lightweight and certificateless multireceiver secure data transmission protocol for wireless body area networks. IEEE Transactions on Dependable and Secure Computing, 2022, 19(3): 1464–1475.