#### Abstract

Certificateless cryptography aims at combining the advantages of public key cryptography and identity based cryptography to avoid the certificate management and the key escrow problem. In this paper, we present a novel certificateless public key encryption scheme on the elliptic curve over the ring, whose security is based on the hardness assumption of Bilinear Diffie-Hellman problem and factoring the large number as in an RSA protocol. Moreover, since our scheme requires only one pairing operation in decryption, it is significantly more efficient than other related schemes. In addition, based on our encryption system, we also propose a protocol to protect the confidentiality and integrity of information in the scenario of Internet of Things with constrained resource nodes.

#### 1. Introduction

In a traditional public key cryptography (PKC) scheme, public key certificates signed by a certificate authority (CA) are employed to ensure the authenticity of public keys. Thus, the PKC takes a huge effort to manage the certificates, including revocation, storage, distribution, and verification, which places a computational burden on the whole system. To simplify the complex certificate management process, Shamir proposed the concept of identity-based public key cryptography (ID-PKC) [1], where an entity is allowed to use his identity such as email and IP address as his public key. However, the private keys of users are totally generated by a trusted third party named private key generator (PKG), which enables the PKG to impersonate any user to recover his/her confidential messages.

In order to resolve the inherent key escrow problem while preserving the advantage of ID-PKC, Al-Riyami and Paterson [2] introduced a new paradigm called certificateless public key cryptography (CL-PKC), which does not require the management of certificates and resolve the key escrow problem. Specifically, in CL-PKC, there also exists a trusted third party called key generation center (KGC) which supplies a partial private key for entity. Then, the entity takes advantage of this partial private key and a secret value picked by itself to generate the full private key. According to this method, KGC cannot obtain the user’s private key to decrypt his/her ciphertext anymore, and it avoids the escrow problem in ID-PKC. Therefore, CL-PKC is considered as lying in between PKC and ID-PKC. However, it should be emphasized that so far certificateless public key encryption (CL-PKE) schemes have been constructed within the framework of identity-based encryption (IBE) schemes from Weil pairing proposed by Boneh and Franklin [3]. As a result, the CL-PKE schemes in the literature are always based on the bilinear pairings.

Recently, the pairings, such as Weil pairing and Tate pairing, have been of essential use in CL-PKE, because of the excellent properties of bilinearity and nondegeneracy [4–7]. The central idea is the construction of a mapping between two useful cryptographic groups that allow for new cryptographic schemes based on the reduction of one problem in one group to a different group and usually is easier problem than the other group. Therefore, the construction based on the bilinear pairing is more concise than the existing methods of cryptographic scheme constructions and it owns the merits of security. In Cheng and Comley’s scheme [4], they constructed a more efficient scheme and then extended it to an authenticated encryption. Shi and Li [5] proposed a CL-PKE scheme which was based on the Weil pairing. That scheme worked in a kind of parallel model and it was more efficient on computation. In [6], Dent et al. presented the first constructions for CL-PKE schemes that were provably secure against strong adversaries in the standard model. For raising efficiency, Sun and Li [7] proposed a short-ciphertext CCA2 secure certificateless encryption scheme under the standard bilinear Diffie-Hellman assumption. Due to short ciphertext and convincing security, their scheme had practical value.

The Internet of Things (IoT) [8, 9] is a kind of network, which can connect everything to the Internet by using of the RFID, Infrared Sensors, GPS, Laser Scanner, Sensor Node, and other sensor equipments, thus possessing the ability of identifying, locating, tracking, monitoring, managing, and other intelligent actions. In IoT, it requires sensor nodes to be employed in unprotected and even hostile environments, and therefore IoT brings lots of research challenges; one of the important issues is the security [10, 11].

In this paper, we employ use of the bilinear pairing to design a certificateless encryption scheme on the elliptic curves over the ring [12, 13], which overcomes the security defect of the Koyama et al.’s scheme [14] whose security is only based on the problem of factoring the large number as in RSA. Furthermore, we prove that our scheme is secure in the random oracle model, provided that the BDH assumption and the problem of factoring the large number are intractable. Comparing with the related CL-PKE schemes, our proposal offers better performances than others on the efficiency and security. At last, based on our CL-PKE scheme, we also present another protocol to protect the confidentiality and integrity of data transmitted between the gateway node and the sensor node in IoT.

The remainder of this paper is organized as follows. In Section 2, we introduce the preliminary concepts, including properties of the elliptic curve over the ring , the related computational problems, and the formal definition and security model of CL-PKE. In Section 3, we present our CL-PKE scheme and analyze the security and performance of it. Based on our CL-PKE, in Section 4, we propose a scheme to protect the confidentiality and integrity of information in the business of IoT. Finally, we conclude the paper in Section 5.

#### 2. Preliminaries

In this section, we summarize the definitions and properties of elliptic curve over a ring , bilinear pairing, and models of CL-PKE, where is a RSA modulus.

##### 2.1. Elliptic Curve over the Ring

*Definition 1. *Let be a field and prime ; all the points satisfying the equation compose the elliptic curve over together with the point at infinity denoted , where are two parameters satisfying ; such a curve is denoted by .

The addition operation on the points of can be defined as follows.

Let , be the points of ; then .(a)If , then , and ;(b)if , then ;(c)if , then , where , , and

From these definitions, we know the fact that the addition operation on the points of can be made as an Abelian group, where is the neutral element of .

Let , where is the product of two large primes as the RSA modulus. The Chinese Remainder Theorem says that there is an isomorphism of rings given by

This yields a bijection between elements in and pairs of elements, one in and the other in . Thus, the following theorem can be given.

Theorem 2. *Let and be odd integers with ; let be an elliptic curve defined over . Then, there is a group isomorphism
*

Therefore, there is an isomorphism mapping where , and .

Let and ; we can get

Because is an isomorphism mapping, there is an inverse mapping of it, denoted . Thus, which means that the addition law on can be defined as an isomorphism mapping of the addition law in and , with the convention that the infinity point of can be presented by , where and are the points at infinity on and , respectively. Then, is an Abelian group under this definition of point addition.

For more details concerning the addition law on elliptic curves over the ring, see [12, 13, 15]. Besides, there is an important theorem in constructing our CL-PKE over the ring as shown below.

Theorem 3. *Let be an elliptic curve such that , , and let be . Then, for any and any integer ,
*

##### 2.2. Bilinear Pairings

Let be a cyclic additive group generated by an elliptic curve point , whose order is ; let be a multiplicative group of the same order. Assume that bilinear pairing is a map with the following properties.(1)*Bilinearity*: for all , and . Consequently, , we have , and so forth.(2)*Nondegeneracy*: , where denotes the identity element of the group .(3)*Computability*: there exists an efficient algorithm to compute for any .

We also consider the following computational problem in as above which will form the basis of security for our CL-PKE scheme.

*Definition 4. *The Bilinear Diffie-Hellman Problem (BDHP) is given with uniformly random choices of ; compute . An algorithm has the advantage in solving the BDHP in if .

The BDHP is said to be -intractable if there is no algorithm that solves this problem with .

##### 2.3. Definition of CL-PKE

According to [2], a CL-PKE scheme consists of seven probabilistic, polynomial time (PPT) algorithms:* Setup*,* Partial-Private-Key-Extract*,* Set-Secret-Value*,* Set-Private-Key*,* Set-Public-Key*,* Encrypt*, and* Decrypt*.

*Setup*. On input a security parameter , this algorithm returns the system parameters* param* and the master key* msk*. The system* param* includes the plaintext space and the ciphertext space . After this algorithm is over, the KGC publishes* param* and keeps the* msk* secret.

*Partial-Private-Key-Extract*. On input* param*,* msk,* and an identity ID for the entity, KGC executes this algorithm and returns the partial private key to entity via a confidential and authentic channel.

*Set-Secret-Value*. On input* param* and an identity ID, entity executes this algorithm and returns entity’s secret value .

*Set-Private-Key*. On input* param*, entity’s partial private key , and secret value , this algorithm returns the entity’s full private key SK_{ID}. Note that this algorithm is executed by the entity itself.

*Set-Public-Key*. On input* param* and entity’s secret value , this algorithm returns the public key PK_{ID} to the entity. This algorithm is also executed by the entity itself.

*Encrypt*. Running by a sender. On input message , public key PK_{ID}, and identity ID of an entity, this algorithm returns a ciphertext .

*Decrypt*. Running this determinate algorithm by a receiver. On input* param*, , and a private key SK_{ID}, this algorithm returns a message , which is either a plaintext message or a “Reject” message.

##### 2.4. Security Model for CL-PKE

In CL-PKE, there are two types of adversary with different capabilities, Type I and Type II adversaries [2]. A difference between these two attackers is that does not have access to the master key of KGC, while does have. Specifically, the adversary in Type I represents a normal third party attacker against the CL-PKE scheme; that is, is not allowed to access to the master key but may request public keys and replace public keys with values of its choice. The adversary represents a malicious KGC who generates partial private keys of users. The adversary is allowed to have access to the master key but not replace a public key.

*Definition 5. *A CL-PKE scheme is IND-CCA secure if neither polynomially bounded adversary of Type I nor Type II has a nonnegligible advantage against the challenger in the following game.

*Setup*. The challenger takes a security parameter as inputs and runs the Setup algorithm; then it sends the resulting system parameters* param* to . If is of Type I, keeps the master secret key to itself. Otherwise, it returns to .

*Phase 1*. is given access to the following oracles.(1)Partial-Key-Extract-Oracle: upon receiving a partial key query for a user’s identity ID, computes and returns it to . (Note that it is only useful to Type I adversary.)(2)Private-Key-Request-Oracle: upon receiving a private key query for a user’s identity ID, computes SK_{ID} and returns it to . It outputs (denotes failure) if the user’s public key has been replaced (in the case of Type I adversary).(3)Public-Key-Request-Oracle: upon receiving a public key query for a user’s identity ID, computes PK_{ID} and returns it to .(4)Public-Key-Replace-Oracle: for identity ID and a valid public key, replaces the associated user’s public key with the new one of its choice (this is only for Type I adversary). The new value will be recorded and used by in the coming computations or responses to the adversary’s queries.(5)Decryption-Oracle: On input a ciphertext and an identity, it returns the correct decryption of ciphertext, which is encrypted under the private key corresponding to the current value of the public key associated with an identity of the user, even if the corresponding public key for the user ID has been replaced.

*Challenge Phase*. Once decides that Phase 1 is over, it outputs and submits two messages , together with a challenge identity of the uncorrupted secret key. Note that is not allowed to know the private key of in anyway. The challenger picks a random bit and computes , which is the encryption of under the current public key for . If the output of the encryption is , immediately loses the game. Otherwise, is delivered to .

*Phase 2*. Now issues a second sequence of queries as in* Phase 1*. A decryption query on the challenge ciphertext for the combination of and is not allowed.

*Guess*. Finally, outputs its guess for . The adversary wins the game if and the advantage of in this game is defined to be . The adversary breaks an IND-CCA secure CL-PKE scheme with if and only if the guessing advantage of that makes times the random oracle , times Partial-Key-Extract-Oracle, times Public-Key-Request-Oracle, times Private-Key-Request-Oracle, and times Decryption-Oracle queries is greater than . The scheme is said to be -IND-CCA secure if there is no attacker that breaks IND-CCA secure scheme with .

#### 3. Our CL-PKE Scheme

In this section, we propose a CL-PKE scheme based on the bilinear pairing over the ring and evaluate its performance.

##### 3.1. Construction

The proposed CL-PKE scheme consists of the following seven PPT algorithms.

*Setup*. Let , be bilinear groups of order with an arbitrary generator , and is a bilinear pairing, where is a elliptic curve . The KGC selects an at random and computes as the master public key. Then, it chooses two collision resistant hash functions , , where denotes the bit-length of identity. The system parameters are and the master secret key is .

*Partial-Private-Key-Extract*. On input an entity’s identity , this algorithm computes and sends the partial private key to entity via a secure channel.

*Set-Secret-Value*. On input* param* and an identity ID, entity picks a secret value . Return .

*Set-Private-Key*. On input* param*, ID and , entity obtains the private key SK_{ID} by computing .

*Set-Public-Key*. On input* param* and ID, this algorithm returns as the public key.

*Encrypt*. To encrypt , entity selects a random value and , computes such that
outputs the ciphertext .

*Decrypt*. To decrypt ciphertext for the entity with identity ID and private key SK_{ID}, compute
and return as plaintext.

Notice that if is the encryption of with public key PK_{ID}, we have

##### 3.2. Security Analysis

In this section, we will show that the scheme described in the previous is secure in the random oracle model.

Theorem 6. *Given that and are two collision resistant hash functions. The proposed CL-PKE scheme based on the ring is IND-CCA secure in the random oracle model assuming that the BDHP is intractable.*

In the procession of attacking this system by an adversary , it chooses two messages , and is given the challenge ciphertext for one of these two messages by the challenger firstly. Then, may make decryption queries but not ask for the decryption of . If ’s guess is equal to , it wins the game.

In order to prove Theorem 6, we prove two lemmas firstly to show that our CL-PKE scheme is secure against Type I and Type II attacker whose behavior is as described in Definition 5.

Lemma 7. *The CL-PKE scheme is -IND-CCA secure against Type I attacker in the random oracle assuming that the BDH problem is -intractable, where .*

*Proof. *In this lemma, Type I models an “outside” adversary, which can replace the public key of arbitrary identities but cannot corrupt the master secret key.

Let be a Type I IND-CCA adversary against our scheme. Suppose that has the advantage and makes queries to random oracle and decryption queries. We show how to construct an algorithm to solve the BDH problem with the instance of by interacting with .

At the beginning, simulates the algorithm* Setup* for by supplying it with , where , is random oracles that will be controlled by . chooses an index uniformly at random with .

The adversary may make queries of the random oracles at any time during its attack. responds as follows.* Queries*. maintains a list of tuples in List . On receiving a query to , responds as follows.(1)If already appears on the list in a tuple , responds as an answer.(2)Otherwise, if , choose at random and compute , add to , and return as an answer.(3)If , add to and return as an answer (where denotes the arbitrary value).* Queries*. maintains a list of tuples in List . On receiving a query to , responds as follows.(1)If already appears on the list in a tuple , responds as an answer.(2)Otherwise, pick at random, add to and return as an answer.*Phase 1*. After receiving* param* from , issues a sequence of polynomially bounded number of requests, each request being either a* Partial-Private-Key-Extraction*, a* Private-Key-Extraction*, a* Request-Public-Key*, a* Replace-Public-Key*, or* Decryption-Queries* for an entity. We assume that always makes the appropriate queries on the identity ID before making one of these requests and never makes a decryption query on a ciphertext obtained from the encryption oracle. replies to these requests as follows.*Partial-Private-Key-Extraction*. maintains a Partial Private Key List of tuples . On receiving a query , responds as follows.(1)If exist in Partial Private Key List, return as an answer.(2)Otherwise, pick at random, so that . ( will be determined later.) If , search the for a tuple , compute , add to the Partial Private Key List, and return as an answer.(3)If , return “Abort” and terminate.*Private-Key-Extraction*. maintains a Private Key List of tuples . On receiving a query , responds as follows.(1)If exist in Private Key List, return as answer.(2)Otherwise, if , run the simulation algorithm Request-Public-Key to get a tuple and the simulation algorithm Private-Key-Extraction to get a tuple , add to the Private Key List, and return as an answer. (Note that if the corresponding public key has been replaced, such a private key query is not allowed.)(3)If , return “Abort” and terminate.*Request-Public-Key*. maintains a Public Key List of tuples . On receiving a query , responds as follows.(1)If exist in Public Key List, return as an answer.(2)Otherwise, choose , compute , add to the Public Key List, and return as an answer.*Replace-Public-Key*. may replace any public key with a new value of its choice and records all the changes.*Decryption-Queries*. On receiving a query , where and . responds as follows.(1)If and is the correct public key not a replaced one, decrypts by using the corresponding private key.(2)Otherwise, search for a tuple . If such a tuple exists, retrieves the related to compute and returns as an answer.(3)Otherwise, picks at random, computes and returns as an answer. Add to .*Challenge Phase*. then outputs two messages and a challenge identity . On receiving a challenge query :(1)If , aborts the game.(2)Otherwise, selects and randomly, computes and (note that does not know “”), returns as a target ciphertext.*Phase 2*. requests in the same ways as in* Phase 1*. Moreover, no private key extraction on is allowed and no decryption query can be made on the ciphertext for the combination of identity and public key that encrypted plaintext .*Guess*. should make a guess for . The adversary wins the game if .*Analysis*. By we denote the event that has been queried to . Also, by we denote the event that has been queried to . If happens, will be able to solve the BDH problem by choosing a tuple from and computing with the probability at least . Hence, we have .

It is easy to notice that if does not abort, the simulations of* Partial-Key-Extract*,* Private-Key-Request*,* Public-Key-Request*, and the simulated target ciphertext are identically distributed as the real one from the construction.

Now, we evaluate the simulation of the decryption oracle. If a public key PK_{ID} has not been replaced nor PK_{ID} has been produced by reselecting , the simulation is perfect as knowing the private key SK_{ID} corresponding to PK_{ID}. Otherwise, simulation error may occur while is running the decryption oracle simulation specified above. Let be this event. Suppose that , PK_{ID}, , where and , have been issued as a valid decryption query. Even if is valid, there is a possibility that can be produced without querying to . Let be an event that is valid; let and be events that have been queried to and ID have been queried to , respectively. Since is an event that happens after the entire simulation and decryption oracle queries being performed, we have , where,

Now, the event is denoted by , where denotes an event that aborts during the simulation. The probability that happens is given by which is maximized at . Hence, we have , where denotes the base of the natural logarithm.

If does not happen, it is clear that does not gain any advantage greater than to guess due to the randomness of the output of the random oracle . Namely, we have .

By definition of , we have

Consequently, we obtain .

Lemma 8. *The CL-PKE scheme is -IND-CCA secure against Type II attacker in the random oracle assuming that the BDH problem is -intractable, where .*

*Proof. *In this lemma, a Type II models an “insider” adversary, who has access to* msk* but cannot replace public keys of entities.

Let be a Type II IND-CCA adversary against our scheme. Suppose that has the advantage , makes queries to random oracle , and decryption queries. We show how to construct an algorithm to solve the BDH problem with the instance of by interacting with .

At the beginning, simulates the algorithm Setup for by supplying with , where , are random oracles that will be controlled by . chooses an index uniformly at random with .

The adversary may make queries of the random oracles at any time during its attack. responds as follows.* Queries*. maintains a list of tuples in List . On receiving a query to , responds as follows.(1)If already appears on the list in a tuple , responds as an answer.(2)Otherwise, if , choose at random and add to and return as an answer.* Queries*. maintains a list of tuples in List . On receiving a query to , responds as follows.(1)If already appears on the list in a tuple , responds as an answer.(2)Otherwise, pick at random, add to , and return as an answer.*Phase 1*. After receiving* param* from , issues a sequence of polynomially bounded number of requests, each request being either a* Private-Key-Extraction*, a* Request-Public-Key*, or* Decryption-Queries* for an entity. We assume that always makes the appropriate queries on the identity ID before making one of these requests and never makes a decryption query on a ciphertext obtained from the encryption oracle. replies to these requests as follows.*Private-Key-Extraction*. maintains a Private Key List of tuples . On receiving a query , responds as follows.(1)If exist in Private Key List, return as an answer.(2)Otherwise, pick at random, so that . ( is the same as it is in the proof of Lemma 7.) If , run the simulation algorithm Request-Public-Key to get a tuple and compute , add to the Private Key List, and return as an answer.(3)If , return “Abort” and terminate.*Request-Public-Key*. maintains a Public Key List of tuples . On receiving a query , responds as follows.(1)If exist in Public Key List, return as an answer.(2)Otherwise, if , choose , compute , add to the Public Key List, and return as an answer.(3)If , set , add to the public key list, and return as an answer (where denotes the arbitrary value).*Decryption-Queries*. On receiving a query , where . responds as follows.(1)If , decrypts by using the private key .(2)Otherwise, search for a tuple . If such a tuple exists, retrieves the related to compute and returns as an answer.(3)Otherwise, picks at random, computes , and returns as an answer. Add to .*Challenge Phase*. then outputs two messages and a challenge identity . On receiving a challenge query :(1)If , aborts the game.(2)Otherwise, selects and randomly, computes and , returns as a target ciphertext.*Phase 2*. repeats the same methods it used in* Phase 1*. Moreover, no private key extraction on is allowed and no decryption query can be made on the ciphertext for the combination of identity and public key that encrypted plaintext .*Guess*. should make a guess for . The adversary wins the game if .*Analysis*. This part is similar to* Analysis* in the proof of Lemma 7.

Consequently, we obtain .

These two lemmas complete the proof of Theorem 6.

Furthermore, in our CL-PKE scheme, is an elliptic curve over the ring , where . According to Theorem 6, in order to run the algorithm on , such as addition and scalar multiplication, we should construct two elliptic curves and firstly and execute the corresponding operation on them, respectively. Then, we use the results of operation on and to present the operation on , which means that we should factoring into and firstly. Therefore, the security of our CL-PKE scheme is also based on the intractability of factoring the large number.

##### 3.3. Comparison to Related Schemes

In this section, we compare the proposed scheme with other related CL-PKE schemes on the computation complexity of encryption (Enc) and decryption (Dec), security level (Sec-Lev), and security assumption (Sec-Ass), where RSA in Table 1 represents the problem of factoring the large number. Without considering the addition of two points and hash function on the elliptic curves, all the schemes have three major operations, that is, Pairing (P), Scalar Multiplication (S), and Exponentiation (E).

The essential operation of our proposed scheme is to compute a bilinear pairing. According to [16], the computation of a bilinear pairing becomes efficient. From Table 1, compared with the related works, our scheme needs only one pairing and two scalar multiplications in Encrypt and one pairing operation in* Decrypt*, which will consume less energy while preserving a higher security level. Therefore, the scheme proposed in this paper is more suitable to be applied in IoT with the characteristics of low cost, low power, multifunctional sensor nodes that are small in size and communicate wirelessly with each other node in a short distance.

#### 4. Application to Internet of Things

In this section, based on our proposed scheme, we present a protocol to protect the confidentiality and integrity of the transmitting information between the gateway node and the sensor node.

In IoT, Smart Car, as illustrated in Figure 1, the gateway nodes in the car is responsible for transmitting the information of driving, such as the speed and location that are collected by sensor nodes fixed in the car, to the platform so that it can be monitored in real time. Furthermore, the gateway node will deliver the data and signaling obtained from the platform to sensor nodes for updating and managing equipments. Consequently, the transmitted information between the gateway node and the sensor nodes should be protected in confidentiality and integrity from being eavesdropped and destroyed by an adversary and damaging the normal operation of a Smart Car as a result.

Considering the sensor node with identity in the initial phase, the details of this encryption scheme are as follows.

The algorithms of* Setup*,* Partial-Private-Key-Extract*,* Set-Secret-Value*,* Set-Private-Key*, and* Set-Public-Key* are the same as that of the proposed CL-PKE scheme in Section 3.1.

*Encrypt*. To encrypt , the gateway node of the Smart Car selects a random value , computes such that
sends the ciphertext to the sensor node.

*Decrypt*. To decrypt ciphertext , sensor node fixed in the car uses its private key SK_{ID} and computes
The sensor node checks whether the equation holds. If the verification succeeds, return as the legal data and signaling. Otherwise, return “Reject”.

According to the encryption scheme above, this encryption scheme can not only protect the confidentiality of the transmitted data and signaling between gateway node and sensor node in the Smart Car, but also the integrity. This is because the sensor node can determine the transmitted data that was distorted or destroyed by an adversary or the reasons of environment in the public wireless channel, provided that is not equal to in the phase of Decrypt. Moreover, there is only one pairing operation in Decrypt, which satisfies the characteristics of low-cost, low-power, and low-computation of the sensor node in the Smart Car.

#### 5. Conclusion

We have proposed a CL-PKE scheme on the elliptic curve over the ring and proved that the scheme is IND-CCA secure in the random oracle model, relative to the intractability of the BDHP and factoring the large number problem. A comparison in Table 1 concludes that the proposed scheme is advantageous over the existing related schemes on performance. Due to the appealing properties, based on the proposed one, we also present another CL-PKE scheme for Smart Car in the end, which can provide confidentiality and integrity.

#### Conflict of Interests

The authors declare that we have no conflict of interests.

#### Acknowledgments

This work is supported by NSFC (Grant nos. 61300181, 61272057, 61202434, 61170270, 61100203, 61121061), the Fundamental Research Funds for the Central Universities (Grant nos. 2012RC0612, 2011YB01, GK201402006), and China Postdoctoral Science Foundation (Grant no. 2013M530561).