#### Abstract

Air pollution, water pollution, soil erosion, land desertification, and other environmental issues are becoming more and more serious. And ecological security has become a key issue for the sustainable development of the world, so research on ecology has received more and more attention. At present, ecological data is collected and stored separately by various departments or agencies. In order to conduct better research, various institutions or individuals begin to share their own data. However, data sharing between different organizations is affected by many factors, especially data security issues. At the moment, there is no scheme that has been commonly recognized to solve the problem of ecological data sharing. To provide a secure data sharing way for ecological research, a certificateless multireceiver signcryption scheme is proposed. In this paper, the proposed scheme can solve the key escrow problem, and it can improve efficiency on the basis of ensuring security by adopting elliptic curve cryptography (ECC). A rigorous security analysis proves that the scheme can resist various security attacks and ensure privacy protection based on a random oracle model. Performance analysis also shows that this scheme has the advantage of computational overhead compared to the same type of scheme. Therefore, the scheme is very suitable for the safe sharing of ecological data.

#### 1. Introduction

Ecological data is receiving more and more attentions nowadays. It plays an important role in global climate change prediction, ecological network observation and simulation, regional air pollution control, and so on. However, the scope, degree, quality, and usability of data sets mastered by different research institutions vary greatly, which is not conductive to the research in related fields. In order to solve this problem, relevant organizations begin to share their own data, which enables researchers to find and reuse relevant data. Combining data from multiple sources can better raise new questions and accelerate the pace of science. Sharing of relevant data can also make the related scientific research more transparent, which helps boost public trust.

In the process of information sharing, on the one hand, the sender of the information only wants the authorized receiver to receive the correct information in order to prevent the information from being maliciously revealed. On the other hand, the recipient of the message wants to verify the sender of the message to prevent the message from being tampered with and the sender from being forged.

In view of all the requirements above, the information sent needs to be confidential and verifiable. The confidentiality needs to be implemented by encryption, and the verification needs to be implemented by signature. Traditionally, the method of first signing and then encrypting is adopted, but it is too computationally intensive resulted in the low efficiency. In order to improve the efficiency on the basis of ensuring confidentiality and verification of messages, Zheng [1] proposed the concept of signcryption, which enables encryption and signature to be performed simultaneously; therefore, encryption and signature functions can be realized by one signcryption.

With the development of communication, the identity-based multireceiver encryption (IMRE) proposal was presented by Baek et al. [2]; this proposal can encrypt multiple recipients’ messages by one calculation. And then, the IMRE schemes [3–5] were proposed successively. Subsequently, on the basis of the scheme in [2], the identity-based multireceiver signcryption (IMRS) proposal was presented by Duan and Cao [6]. According to this scheme, the sender only needs to perform a signcryption operation to simultaneously send messages to multiple authorized recipients, and each authorized recipient can perform corresponding decryption and verification. The ciphertext received by the receiver does not contain a list of receiver identity information, and the receiver cannot find the relevant information in the ciphertext. It is more effective than one-to-one scheme and is an ideal choice for information sharing. Then, many IMRS schemes [7–14] were proposed. What is more, communicators are paying more and more attentions to personal privacy issues. Usually, people intend to conceal their identities when they use multireceiver signcryption-related devices. In order to realize anonymity, Fan et al. [15] proposed the first anonymous IMRE scheme. However, Wang et al. [16] proposed that the scheme in [15] does not truly achieve that goal. Also, Wang et al. [16] proposed a new anonymity scheme, but Li and Pang [17] proposed that the scheme in [16] still could not completely realize anonymity either. Later, Fan and Tseng [18] proposed an anonymous IMRE scheme and the receiver of the scheme has the capability of identity verification, but the efficiency is not high because of the excessive bilinear parings operations in the scheme. Then, Pang et al. [19] put forward an absolutely cryptonymous IMRS proposal which can realize the anonymity of the receiver and sender. Gradually, people have found a serious problem that these multireceiver schemes have key escrow problems because they cannot block malicious key generation center (KGC) attacks. If nothing is done to solve this problem, the KGC can view all users’ communications and can pretend to be any user, which is insecure.

Given the above requirements, Al-Riyami and Paterson [20] proposed a certificateless public key cryptosystem. For the user in this system, he and KGC jointly generate his private key, and the system parameters and his private key jointly determine his public key. The scheme in [20] can solve the problem of certificate management in traditional public key cryptography and key escrow in identity-based cryptosystems, so the certificateless multirecipient scheme has become a research hotspot. Influenced by the scheme in [20], the proposals [21–24] were successively put forward. Selvi et al. [25] came up with the earliest certificateless multireceiver signcryption (CMRS) scheme, but it does not have the confidentiality of messages under external attacks and is inefficient due to the use of a large number of bilinear pairing operations (BPO).

Gradually, people began to pursue efficiency on the basis of satisfying the safety function. A cryptonymous certificateless multireceiver encryption (CMRE) proposal was presented by Islam et al. [26]. In order to improve efficiency, the scheme in [26] uses scalar point multiplication operations on elliptic curve cryptography (SPMOOECC), which does not use BPO. Since schemes in [26] can still further improve efficiency, schemes in [27–30] have been proposed successively. The scheme in [27] used the BPO and map-to-point hash function (MTPHF), scheme in [28] and scheme in [30] used lots of SPMOOECC, and scheme in [29] used BPO in the decryption step, all of which greatly limit the efficiency of the scheme. Among them, schemes in [26–30] have no signature function and cannot resist forgery attacks, and schemes in [25, 27–29] did not successfully achieve fair decryption, nor did they implement the verification of part of the private key.

Through the analysis of the schemes, we found that the multirecipient signcryption scheme is required to solve the main problems as below during the communication process: (1)Key escrow problem: malicious KGC can forge encrypted ciphertext and decrypt ciphertext, which dramatically reduces the confidentiality of the message. In order to prevent malicious KGC attacks, we need to solve the key escrow problem(2)The calculation efficiency is not ideal: in the process of encryption or decryption, BPO or a large number of SPMOOECC will result in inefficiency

In view of the requirements of ecological data sharing communication and taking into account the shortcomings of existing communication mechanisms, we propose a CMRS scheme for ecological data sharing. Relevant institutions or researchers can send data to other researchers or related institutions through our program. The communication process is shown in Figures 1 and 2. When multiple researchers or related organizations share relevant ecological data (such as forest ecological data, grassland ecological data, and desert ecological data), they first exchange key with KGC to obtain their own public key and private key; then, they signcrypt the data and send the signcrypted message to the cloud space; finally, the signcrypted data in the cloud space will be forwarded to the authorized recipient and the receiver performs verification and decryption after receiving the message.

The specific features of the scheme are as follows: (1)The scheme realizes the anonymity of the receiver. Not only the attacker cannot obtain the information of the receiver, but also the receiver does not know the information of other receivers(2)The scheme uses a certificateless method and can perform partial private key verification. It not only solves the key escrow problem but also ensures the correctness of some private keys received from KGC(3)The scheme is of high efficiency. Instead of using BPO and exponential operations in the signcryption and decryption phases, the scheme uses the SPMOOECC during encryption and decryption processes and minimizes the number of SPMOOECC, which greatly increases efficiency

Finally, in using the stochastic prediction model, we prove the confidentiality, unforgeability, and recipient anonymity of our CMRS scheme based on the difficult problems.

The rest of the paper is as follows: in the second part, the initial knowledge is described. In the third part, the proposed scheme is described. In addition, in the fourth part, the correctness and security of the scheme were analyzed. Next, in the fifth part, the proposed scheme and the existing scheme are compared in terms of efficiency and functionality. Finally, the sixth section summarizes this paper.

For ease of understanding, the symbols used are listed in Table 1.

#### 2. Preliminaries

We will make an introduction of difficult problems, algorithm model, and security models.

##### 2.1. Difficult Problems

It is specified that is a cyclic group on ECC, the generator of is the , and is the nonzero multiplication group, which depend on the big prime number . The elliptic curve discrete logarithm problem (ECDLP) and Diffie-Hellman problem (CDHP) are described below:

*(1) CDHP*. Known , calculating is CDHP

*Definition 1. *If the probabilistic polynomial time (PPT) algorithm A can solve CDHP, the probability advantage is specified as
*CDHP hypothesis*: we believe that can be ignored for any PPT algorithm A.

*(2) ECDLP*. Known , calculating is ECDLP

*Definition 2. *If the PPT algorithm B can solve CDHP, the probability advantage is specified as
*ECDLP hypothesis*: we believe that can be ignored for any PPT algorithm B.

##### 2.2. Algorithm Model

*Definition 3. *The algorithm model of this proposal consists of *SetUpAlgorithm*, *SetSecretValueAlgorithm*, *ExtractPartialPrivateKeyAlgorithm*, *SetPublicAndPrivateKeysAlgorithm*, *SigncryptionAlgorithm*, and *DesigncryptionAlgorithm*:

*SetUpAlgorithm*: input , is the security parameter; KGC executes the algorithm; the system’s master key and the public parameter *pars* are generated by KGC; and KGC exposes *pars* and secretly saves .

*SetSecretValueAlgorithm*: enter , is the user’s information; the user executes the algorithm; and the user gets the secret value and the secret value parameter .

*ExtractPartialPrivateKeyAlgorithm*: enter the user’s information , the master key , the secret value parameter *X _{i}*, and the public key parameter

*pars*. For the user, KGC uses this algorithm to obtain the partial private key and key generation parameter .

*SetPublicAndPrivateKeysAlgorithm*: input the parameter *pars* of the system, the information of the user, the partial private key of the user, the secret value , and the key generation parameter and the user uses the algorithm to obtain public key pair and the private key pair .

*SigncryptionAlgorithm*: input the system’s public parameter *pars*, receiver information , plaintext , the recipient’s public key , the private key of THE transmitter, and the information of the transmitter. The transmitter initiates the algorithm to obtain the ciphertext .

*DesigncryptionAlgorithm*: enter the public parameter pars, the recipient’s private key , the recipient’s information , and ciphertext **C**. The receiver uses the algorithm to gain the plaintext and verifies using the sender’s public key .

##### 2.3. Security Models

The security model required for our scheme consists of information confidentiality, unforgeability, and recipient anonymity. In each security model, there are two types of opponents, called and [20]. does not know the system master key but does, and can replace the user’s public key but cannot. Specific descriptions are as follows:

###### 2.3.1. Information Confidentiality

Information confidentiality means that an attacker cannot successfully decrypt a plaintext message in his or her own attack. In this scheme, information confidentiality is the indistinguishability of certificateless signcryption in the context of selecting ciphertext attack and selective multiple ID (IN-CMRS-CA) [25]. We defined *Game1* for ’s IN-CMRS-CA and *Game2* for ’s IN-CMRS-CA.

*Game1*: this game is the interaction of opponent and challenger in the context of IN-CMRS-CA.

*Setup. * performs the corresponding steps for obtaining the public parameter *pars* and the master key *s*, then sends the *pars* to the and secretly saves *s*. After receives the *pars*, the outputs a group of target identities , where is a positive integer.

*Phase 4. * requires to perform flexible queries, and performs feedback. The details are the following:

*SetSecretValueQuery*: requires to run the *SetSecretValueQuery* on the *ID*. After the request is received, uses the *SetSecretValueAlgorithm* to get the user’s secret value, and transmits the result to .

*ExtractPartialPrivateKeyQuery*: lets run the *ExtractPartialPrivateKeyQuery* against the *ID*. After the request is received, executes the *ExtractPartialPrivateKeyAlgorithm* to gain the partial private key of the user and sends result to .

*SetPublicAndPrivateKeysQuery:* requires to run the *SetPublicAndPrivateKeysQuery* on the *ID*. After receiving the request, executes the *SetPublicAndPrivateKeysAlgorithm* to get the public and private keys of user and returns them to .

*PublicKeyReplacementQuery*: requires to use the PK_{ID} to run the *PublicKeyReplacementQuery* on the ID. Upon receipt, will retain the as the new public key.

*SigncryptionQuery*: lets perform the *SigncryptionQuery* with a series of information and plaintext . After the request is received, randomly selects the information ID* _{s}* to execute the

*SigncryptionAlgorithm*to obtain the ciphertext

**C**and transmits to .

*DesigncryptionQuery*: requires to perform the *DesigncryptionQuery* for ciphertext . After the request is received, executes the *DesigncryptionAlgorithm* to obtain the plaintext , after that, verify that is compliant, and returns to.

*Challenge*: chooses a pair of plaintext , the length of the plaintext is the same, and transmits to . selects ; then, uses the selected plaintext to obtain and transmits to .

*Phase 5. * wants to provide the same query as Phase 4, but cannot perform the private key portion of *SetPublicAndPrivateKeysQuery* and *ExtractPartialPrivateKeyQuery* on the user who has replaced the public key. cannot perform *DesigncryptionQuery* on ciphertext .

*Guess*: gives , and if can be determined, wins, otherwise, fails. The probability advantage of winning is defined as follows:

*Definition 6. *The probability that any in the case of IN-CMRS-CA can obtain the *Game1* victory in time can satisfy , indicating that the scheme conforms to *-IN-CMRS-CA* security, represents a nonnegligible probability advantage and represents the time of a polynomial operation.

*Game2*: this game is the interaction of opponent and challenger in the context of IN-CMRS-CA. The details are the following:

*Setup. * performs the corresponding steps for obtaining the public parameter *pars* and the master key , then transmits the result to the . After successful reception, gives a set of target identifiers is a positive integer.

*Phase 7. * makes a series of queries to like Phase 4 of *Game1*, but cannot carry out *PublicKeyReplacementQuery*. responds accordingly.

*Challenge*: selects a pair of plaintext ; the length of the plaintext is the same and transmits to . selects ; then, uses the selected plaintext to obtain , transmits to .

*Phase 8. * needs to perform the same query as Phase 4, but cannot execute the *SetSecretValueQuery* for the target identity , and cannot run the *DesigncryptionQuery* against the ciphertext .

*Guess*: gives , and if can be determined, wins, otherwise, fails. The probability advantage of winning is defined as follows:

*Definition 9. *The probability that any in the case of IN-CMRS-CA can obtain the *Game2* victory in time can satisfy , indicating that the scheme conforms to *-*IN-CMRS-CA security, represents a nonnegligible probability advantage and represents a time of a polynomial operation.

###### 2.3.2. Unforgeability

The unforgeability of the proposal in this paper is prescribed as the strong unforgeability of certificateless signcryption in the context of selecting ciphertext attacks and optional multiple ID (SU-CMRS-PA) [25]. *Game3* and *Game4* are used to describe the SU-CMRS-PA of the opponent and , respectively.

*Game3*: this section is the mutual response between and under SU-CMRS-PA. The details are the following:

*Setup. *This procedure is similar to Setup in *Game1.*

*Attack*: requires to perform flexible queries. The queries are similar to Phase 4 in *Game1*, after which responds.

*Forgery*: uses and plaintext to forge ciphertext . If any recipient in can correctly decrypt , then wins, otherwise fails. In this process, *SigncryptionQuery* cannot get , other restrictions are similar to Phase 5 in *Game1.*

*Definition 10. *The probability that any in the case of SU-CMRS-PA can obtain the *Game3* victory in time can satisfy , indicating that the scheme conforms to *-*SU-CMRS-PA security, represents a nonnegligible probability advantage and represents the time of a polynomial operation.

*Game4*: this process is the interaction between and under SU-CMRS-PA. The details are the following:

*Setup. *This procedure is similar to *Setup* in *Game2.*

*Attack*: performs flexible queries for . The queries are similar to Phase 4 in *Game2*, after which responds.

*Forgery*: uses and plaintext to forge ciphertext . If any recipient in can correctly decrypt , then wins, otherwise fails. In this process, *SigncryptionQuery* cannot get , and the other restrictions are similar to Phase 5 in *Game2.*

*Definition 11. *The probability that any in the case of SU-CMRS-PA can obtain the *Game4* victory in time can satisfy , indicating that the scheme conforms to *-*SU-CMRS-PA security, represents a probabilistic advantage that is not negligible. represents the time of a polynomial operation.

###### 2.3.3. Receiver Anonymity

In this scheme, receiver anonymity is prescribed as the anonymous indistinguishability of certificateless signcryption in the context of selecting ciphertext attacks and selective multiple ID (ANO-CMRS-CA) [26]. *Game5* and *Game6* each implement ANO-CMRS-CA for and .

*Game5*: this process is the interaction between and under ANO-CMRS-CA. The details are the following:

*Setup. * performs the corresponding steps for obtaining the public parameter *pars* and the master key , then transmits *pars* to and secretly saves . After receiving, selects and sends to .

*Phase 12. *This procedure is similar to Phase 4 in *Game1*.

*Challenge*: picks identity list and plaintext , transmits them to . selects and forms the ciphertext with a new set of identity list , and transmits to .

*Phase 13. *This procedure is similar to Phase 5 in *Game1*.*Guess*: gives *e*, and If can be determined, wins, otherwise, fails. The probability advantage of winning is defined as follows:

*Definition 14. *The probability that any in the case of I ANO-CMRS-CA can obtain the *Game5* victory in time can satisfy , indicating that the scheme conforms to *-*ANO-CMRS-CA security, represents a nonnegligible probability advantage and represents the time of a polynomial operation.

*Game6*: this process is the interaction between and under ANO-CMRS-CA. The details are the following:

*Setup. * performs the corresponding steps for obtaining the public parameter *pars* and the master key , then transmits the result to , selects and output .

*Phase 15. *This procedure is similar to Phase 4 in *Game2*.

*Challenge*: picks identity list and a plaintext , transmits *L* and to . selects and forms a ciphertext with a new set of identity list , and sends to .

*Phase 16. *This procedure is similar to Phase 5 in *Game2*.*Guess*: gives *e*, and if can be determined, wins, otherwise, fails. The probability advantage of winning is defined as follows:

*Definition 17. *The probability that any in the case of ANO-CMRS-CA can obtain the *Game6* victory in time can satisfy , indicating that the scheme conforms to *-*ANO-CMRS-CA security, represents a nonnegligible probability advantage and represents the time of a polynomial operation.

#### 3. The Proposed Scheme

Our scheme includes *SetUpAlgorithm*, *KeyExtractAlgorithm*, *SigncryptionAlgorithm*, and *DesigncryptionAlgorithm*. The *KeyExtractAlgorithm* includes *SetSecretValueAlgorithm*, *ExtractPartialPrivateKeyAlgorithm*, and *SetPublicAndPrivateKeysAlgorithm*.

##### 3.1. Setup Algorithm

KGC performs the corresponding steps for obtaining the public parameter and master keys. The details are the following:
(1)Input , is the security parameter and KGC selects a large prime number on the finite field at random and generates a finite field with order. Next, a suitable elliptic curve *E _{p}* is generated on the domain

*F*, and an addition cycle group is determined on the elliptic curve , and the generator of is (2)Select a positive whole number at random, is the system master key and secretly save and calculate the system public key (3)Select five safe and reliable hash function as follows: (4)The appropriate symmetric encryption algorithm and decryption algorithm are selected at random. as a symmetric key(5)Output the public parameters .

_{p}##### 3.2. Key Extract Algorithm

The user and KGC perform the corresponding steps for obtaining the user’s private and public keys.
(1)*SetSecretValueAlgorithm*: user randomly selects as a secret value and keeps it in secret, calculates , and sends and to KGC via a secure channel(2)*ExtractPartialPrivateKeyAlgorithm*: after receiving, KGC randomly selects the integer , then calculates and , and then calculates and , finally sending and to the user via a secure channel(3)*SetPublicAndPrivateKeysAlgorithm*: after the user receives and , it calculates and . Then, check if the equation is established, and if so, the user receives successfully. Otherwise, the reception fails

The user public key pair is , private key pair is . is published by KGC.

##### 3.3. Signcryption Algorithm

The sender uses the public parameter *pars*, its own private key , plaintext , a set of recipient information , the recipient’s public key , and the information of a transmitter for signcryption:
(1)Select the integer at random and then calculate (2)Calculate (3)Select the whole number at random, , then calculate the formula:
(4)Calculate .(5)Calculate , where (6)Generate ciphertext and send the ciphertext to all recipients

##### 3.4. Designcryption Algorithm

The receiver decrypts after receiving the ciphertext . Proceed as follows: (1)Calculate (2)Calculate (3)Calculate and (4)Search and obtain , calculate .

And judge whether is established, If successful, the recipient receives the plaintext and then exits. Otherwise, the recipient rejects and quits.

#### 4. Correctness Analysis and Security Proofs

##### 4.1. Correctness Analysis

Theorem 18. *Confirm that the part private key of the user in KeyExtractAlgorithm is right.*

*Proof. *In order for the user’s partial private key to be verified correctly, needs to be established. The specific inference of this equation is as follows:
The establishment of the formula determines that the verification of the part private key is right in the *KeyExtractAlgorithm*.

Theorem 19. *The DesigncryptionAlgorithm is right.*

*Proof. *The formula guarantees the correctness of the *DesigncryptionAlgorithm*. The specific inference of the formula is as follows:
The formula holds, so it is determined that the *DesigncryptionAlgorithm* is correct.

##### 4.2. Security Proofs

We have security proofs of the proposal based on the safety model outlined in section 2. Theorem 20 and Theorem 23 guarantee confidentiality of the message, Theorem 26 and Theorem 27 ensure unforgeability, and recipient anonymity is ensured by Theorem 28 and Theorem 31.

Theorem 20. *There is an opponent under the IN-CMRS-CA, in the polynomial time , if wins the Game1 victory with a probability advantage that cannot be ignored, ( can request up to hash queries , KeyQuery, SetSecretValueQuery, ExtractPrivateKeyQuery, SetPublicAndPrivateKeysQuery, PublicKeyReplacementQuery, SigncryptionQuery, and DesigncryptionQuery), then within time , challenger ’s interaction with opponent makes overcome CDHP with a probability advantage of is the time of SPMOOECC.*

*Proof. *Under a nonnegligible probability, it is assumed that opponent can attack the IN-CMRS-CA security, the probability advantage is , and under the stochastic prediction model, requires challenger to perform queries. Given , in the time-limited polynomial, obtains through the opponent interaction to overcome CDHP. and opponent will interact with the followings:

*Setup. * performs the corresponding steps for obtaining the public parameter and master key , and then transmits *pars* to and save . After the recipient receives it, selects the target identity and transmits to , denotes a positive whole number. are all random oracles; they are controlled by . The details are the following:
(1)*H _{1}HashQuery*: the tuple is taken as input, and requires to execute

*H*. After receiving, checks whether the tuple exists in list . If it exists, will send to . Otherwise, selects at random and sends to and restores the tuple into list (2)

_{1}HashQuery*H*the tuple and are taken as input, and requires to execute

_{2}HashQuery:*H*. After receiving, checks whether the tuple and exist in the list . If yes, will send and to . Otherwise, selects two integer and at random and transmits them to and restores the tuple and into list (3)

_{2}HashQuery*H*: the tuple is taken as input, and requires to execute

_{3}HashQuery*H*. After receiving, judges whether or not the tuple exists in the list . If it exists, will send

_{3}HashQuery*α*to . Otherwise, selects at random and sends

_{j}*α*to and restores the tuple into list (4)

_{j}*H*: the tuple is taken as input, and requires to execute

_{4}HashQuery*H*. After receiving, judges whether or not the tuple exists in the list . If it exists, will send to . Otherwise, selects at random, and sends

_{4}HashQuery*k*to , and re-stores the tuple into list

*L*

_{4}(5)

*H*The tuple is taken as input, and requires to execute

_{5}HashQuery:*H*. After receiving, judges whether or not the tuple exists in list . If it exists, will send to . Otherwise, selects at random, and sends to and restores the tuple into list

_{5}HashQuery*Phase 21. * requires to perform flexible queries and performs feedback. The details are the following:
(1)*KeyQuery*: checks if the tuple exists in the list . If it exists, reserves the tuple . Otherwise, does the following:
(a)If , selects two integers at random, sets , computes , and then updates tuples in list and in list , respectively(b)If , selects two integers at random, sets computes and then updates tuples in list and in list , respectively(2)*SetSecretValueQuery:* requires to execute the *SetSecretValueQuery* on . After receiving the request, checks whether there are tuples in list . if it exists, sends to , otherwise, C performs the *KeyQuery* to generate a tuple and then sends to (3)*ExtractPartialPrivateKeyQuery:* requires to perform the *ExtractPartialPrivateKeyQuery* on . After receiving the request, the details are the followings:
(a)If sends “failure” to (b)If judges whether or not the tuple exists in the list , and if so, sends to , otherwise, performs the *KeyQuery* to generate tuple and sends to (4)*SetPublicAndPrivateKeysQuery*: requires to execute the public key portion of *SetPublicAndPrivateKeysQuery* on the . After the recipient receives it, judges whether or not the tuple exists in list . If it exists, sends to , otherwise performs *KeyQuery* to generate a tuple and then send to requires to execute the private key portion of *SetPublicAndPrivateKeysQuery* on the . After the recipient receives it, responds:
(a)If sends “failure” to (b)If judges whether or not the tuple exists in list , and if so, sends to , otherwise, uses *KeyQuery* to generate tuple and sends to (5)*PublicKeyReplacementQuery:* requires to perform a *PublicKeyReplacementQuery* on with . After the recipient receives it, queries the tuple in list , and uses instead of PK* _{j}*. Next, restores the tuple in list (6)

*SigncryptionQuery:*requires to perform the

*SigncryptionQuery*for plaintext and information ID

*. After receiving the request, determines if is correct, . If the expression is correct, executes the*

_{s}*SetPublicAndPrivateKeysQuery*to generate the private key SK

*and ciphertext , and then sends to if not, implement the corresponding operation (a)Select at random and calculate Select at random and define the formula: (b)Calculate (c)Select at random(d)Output the ciphertext to (7)*

_{s}*DesigncryptionQuery:*requires to perform a

*DesigncryptionQuery*for ciphertext . After receiving the request, selects at random and verifies whether is true, . If the formula is true, sends “failure” to Otherwise, will perform the corresponding operation: (a)Search for the tuple in list to obtain SK

*and compute (b)Calculate , generate with and .(c)Calculate (d)Consider whether the equation can be established. If it is established, sends to If not, sends “failure” to*

_{j}*Challenge:*selects the plaintext at random, they are equal in length, and they are transmitted to . After receiving, selects a bit

*at*random, uses to get the ciphertext , and is the selected plaintext. The details are the following: (a)Stipulate and (b)Select at random and define the formula: (c)Calculate and (d)Select at random(e)Output the to

*Phase 22. * requires to perform the same queries as Phase 4, but cannot run the *DesigncryptionQuery* against .*Guess*: gives a at random. If , then wins, outputs CDHP’s solution . Otherwise, outputs “failure.”

From the above discussion, it can be concluded that the *H*_{5}*hash* provides a valid ciphertext during the *DesigncryptionQuery*; therefore, the probability of ciphertext being denied is no more than . During the attack process, since requires to execute the *DesigncryptionQuery*, the probability of decryption success is . The *H _{3} hash* satisfies CDHP during the guessing process, so the probability that is correctly calculated by is at least . in the running time , ‘s interaction with opponent makes overcome CDHP, and the probability advantage is , is the time of the SPMOOECC.

Theorem 23. *There is an opponent under the IN-CLMS-CA. In the polynomial time , if the wins the Game2 victory with a probability advantage that cannot be ignored, ( can request up to q_{i} hash queries, KeyQuery, SetSecretValueQuery, ExtractPrivateKeyQuery, SetPublicAndPrivateKeysQuery, SigncryptionQuery, and DesigncryptionQuery.), then within time , challenger ’s interaction with opponent makes overcome CDHP with a probability advantage of , is the time of SPMOOECC.*

*Proof. *Under a nonnegligible probability, it is assumed that the opponent can attack the IN-CMRS-CA security, the probability advantage is , and under the stochastic prediction model, requires challenger to perform a series of queries. Given , in the time-limited polynomial, obtains through the opponent interaction to overcome CDHP. and opponent will interact with the following:

*Setup. * performs the corresponding steps for obtaining the public parameter and master key *s*, and then returns the result to , where . After receiving the result, outputs , where is a positive integer. are random predictions controlled by , the interactions between and is similar to *Setup* in Theorem 20.

*Phase 24. * requires to perform flexible queries and performs feedback. The details are the following:
(1)*KeyQuery:* checks if there is a tuple in the list . If it exists, reserves the tuple. Otherwise, will perform related operations as follows:
(a)If , selects two integers at random and computes , , and then updates tuples in list and in list , respectively, where and (b)If selects two integers at random, and sets , computes , and then updates tuples in list and in list , respectively(2)*SetSecretValueQuery:* requires to execute *SetSecretValueQuery* for . Upon receipt of the request, executes as follows:
(a)If , sends “failure” to (b)If , judges whether or not the tuple exists in list . If yes, returns to. Otherwise, uses *KeyQuery* to generate the tuple and sends to .(3)*ExtractPartialPrivateKeyQuery*: requires to perform *ExtractPartialPrivateKeyQuery* against . After the recipient receives it, checks whether there is a tuple in list . If it exists, sends to . Otherwise, runs *KeyQuery* to generate tuple and sends to (4)*SetPublicAndPrivateKeysQuery:* requires to perform the public key portion of *SetPublicAndPrivateKeysQuery* against *ID _{j}.* After receiving the request, checks whether there is a tuple in list . If it exists, sends PK

*to . Otherwise, runs*

_{j}*KeyQuery*to generate tuple and sends PK

*to requires to perform the private key portion of*

_{j}*SetPublicAndPrivateKeysQuery*against . After the recipient receives it, responded with the following response: (a)If , sends “failure” to (b)If , judges whether or not the tuple exists in list . If yes, returns SK

*to . Otherwise, run the*

_{j}*KeyQuery*to generate the tuple and sends SK

*to (5)*

_{j}*SigncryptionQuery*: this section is similar to the

*SigncryptionQuery*in Theorem 20(6)

*DesigncryptionQuery*: this section is similar to the

*DesigncryptionQuery*in Theorem 20

*Challenge*: selects plaintext at random, they are equal in length, and transmits the result to . After receiving the result, .selects at random and obtains the ciphertext generated by : (a)Stipulate and (b)Select at random and define the formula: (c)

_{Calculate}and (d)Select at random(e)Output the ciphertext to

*Phase 25. * requires to perform the same queries as Phase 4, but cannot run the *DesigncryptionQuery* against .*Guess:* gives a at random. If , then wins, outputs CDHP’s solution . If not outputs “failure.”

From the above discussion, it can be concluded that the *H*_{5}*hash* provides a valid ciphertext during the *DesigncryptionQuery*, therefore, the probability of ciphertext being denied is no more than . During the attack process, since requires to execute the *q _{d} DesigncryptionQuery*, the probability of decryption success is . The

*H*satisfies CDHP during the guessing process, so the probability that

_{3}hash*xyP*is correctly calculated by is at least . In the running time , ’s interaction with opponent makes overcome CDHP, and the probability advantage is , is the time of the SPMOOECC.

Theorem 26. *There is an opponent under the SU-CMRS-PA. In the polynomial time , if the wins the Game3 victory with a probability advantage that cannot be ignored ( can obtain queries similar to that obtained by in Theorem 20), then within time challenger can overcome CDHP by interacting with opponent with a probability advantage of , is the time of SPMOOECC.*

*Proof. *Under a nonnegligible probability, it is assumed that the opponent can attack the SU-CMRS-PA security, the probability advantage is , under the stochastic prediction model, requires challenger to perform a series of queries. Given , in the time-limited polynomial, obtains *xyP* through the opponent interaction to overcome CDHP. and opponent will interact with the following:

*Setup. *The process is similar to *Setup* in Theorem 20.*Attack:* requires to perform flexible queries similar to Phase 4 in Theorem 20.*Forgery:* falsifies ciphertext using and a plaintext . If the formula can be established, faked successfully, defining and , calculates , and outputs is the CDHP’s solution. Otherwise returns *“failure”.*

From the above discussion, it is concluded that the probability of success of the *q _{a} SigncryptionQuery* is at least calculates

*xyP*in the forgery process, and the probability of

*xP*correct is at least . Therefore, can overcome CDHP by interacting with opponent within the running time and the probability advantage is . is the time of the SPMOOECC.

Theorem 27. *There is an opponent under the SU-CMRS-PA. In the polynomial time , if the wins the Game4 victory with a probability advantage that cannot be ignored ( can obtain queries similar to that obtained by in Theorem 23), then within time , challenger can overcome CDHP by interacting with opponent with a probability advantage of , is the time of SPMOOECC.*

*Proof. *Under a non-negligible probability, it is assumed that the opponent can attack the SU-CMRS-PA security, the probability advantage is , under the stochastic prediction model, requires challenger to perform a series of queries. Given , in the time-limited polynomial, Challenger obtains *xyP* through the opponent interaction to overcome CDHP. The details are the followings:

*Setup. *The process is similar to *Setup* in Theorem 23.*Attack:* requires to perform flexible queries similar to Phase 4 in Theorem 23.*Forgery:* falsifies ciphertext using