#### Abstract

Cloud 5G and Cloud 6G technologies are strong backbone infrastructures that provide high data rates and data storage with low latency for preserving QoS (Quality of Service) and QoE (Quality of Experience) in applications such as driverless vehicles, drone-based deliveries, smart cities and factories, remote medical diagnosis and surgery, and artificial-intelligence-based personalized assistants. There are many techniques to support the aforementioned applications, but for privacy preservation in Cloud 5G, the existing methods are still not sufficient. A public key encryption (PKE) scheme is an important means to protect user data privacy in Cloud 5G. Currently, the most common PKEs used in Cloud 5G are CCA or CPA secure ones. However, their security level may not be enough. SOA (selective opening attack) security is a stronger security standard than CPA and CCA. Roughly speaking, PKE with SOA security means that the adversary is allowed to open a subset of the challenge ciphertexts and obtain the corresponding encrypted messages and randomness, while the unopened messages and randomness in the rest of the challenge ciphertexts remain secure. Security against SOA in PKEs has been a research hotspot, especially with the wide discussion in Cloud 5G. We revisited the SOA-CLE and proposed a new security proof, which is more concise and user friendly for understanding privacy preservation in Cloud 5G applications.

#### 1. Introduction

Cloud 5G achieves high data transmission speed, large data storage, and low latency mobile communication. By an inherent property of electromagnetic waves, the higher the frequency, the shorter the wavelength, so the signal tends to propagate in a straight line. Over the last few years, we have witnessed a paradigm shift with a major focus on mission critical applications and ultra-reliable low latency applications (URLCC) such as AR/VR, autonomous vehicles, e-healthcare, smart education, and so on, the aim of which is to provide QoS (Quality of Service) and QoE (Quality of Experience) to the end users with high data storage and low latency. From driverless vehicles and drone-based deliveries to smart cities and factories, remote medical diagnosis and surgery, and artificial-intelligence-based personalized assistants, there is an enormous number of applications around us which require strong network backbone infrastructure for QoS and QoE preservation. Based on the above applications and the advantages of Cloud 5G, in the years to come, Cloud 5G and Cloud 6G technologies are expected to provide high data rates with low latency and large data storage for preserving QoS and QoE. Although there are many techniques in the literature which can resolve these issues, the existing methods are still not sufficient for privacy preservation in Cloud 5G applications. Hence, secure protocols and encryption schemes are required to resolve the aforementioned issues. A public key encryption (PKE) scheme is an important means to protect user data privacy in Cloud 5G. Currently, the most commonly used means to protect user data privacy are CPA (chosen-plaintext attack) or CCA (chosen-ciphertext attack) secure PKEs, where the latter provides decryption queries and thus is stronger than the former. However, SOA is a stronger security standard than CCA because SOA security additionally allows opening a subset of the ciphertexts. In particular, due to its inherent advantages, certificateless public key encryption (CLE) solves the certificate management problem in traditional public key cryptography and the key-escrow problem [8] in IBE schemes. Security against SOA in CLEs has been a research hotspot, especially with the wide discussion in Cloud 5G [11, 12]. In this paper, we focus on the research on the SOA secure CLE.

The definition of SOA was first proposed by Dwork et al. at FOCS99 [4], which is an important target to measure the security of PKE. SOA security mainly applies to multiple-user settings where a subset of the challenge ciphertexts is allowed to open for the adversary. From the opened ciphertexts, the adversary can get not only the message but also the randomness. The question that we want to solve is how to make the remaining unopened ciphertexts secure? Following Dwork’s work, SOA secure IBE and public key encryption (PKE) with SOA security have been widely developed [2, 5, 7]. CLE is another form of public key encryption system. Compared with IBE and PKE, CLE has the advantages of removing the certificate management in PKI-based PKE and key escrow in IBE. However, the study on CLE with SOA security is still rare.

##### 1.1. Motivation

In the CLE system, a user’s private key is jointly generated by the KGC and the user. The user’s public key is generated by using the secret value generated by the user instead of the identity information. Compared with PKI-based PKE (hereafter, we abbreviate “PKI-based PKE” as “PKE”) and IBE, CLE removes the disadvantages that exist in both schemes, namely, the certificate management in PKE and key escrow in IBE. Due to the merits of this notion, many CLEs with various security models (e.g., IND-CPA [9] and IND-CCA [1, 13]) were presented. As in PKE and IBE settings, implementing SOA security in CLE is also important. However, the particular security model makes constructing CLEs with SOA security more intractable. With more and more applications for CLE (such as cloud computing), implementing SOA security in CLE becomes more and more critical. In 2016, Wang et al. proposed an SOA secure CLE [14] under the standard DDH assumptions where the scheme is user friendly in construction and more efficient in practical applications. Recently, related discussions about Cloud 5G have become a new research focus, especially its data security and privacy protection. Due to its notable efficiency and security level, SOA secure CLE has been regarded as one of the most practical candidate encryption algorithms for Cloud 5G. However, we find that there are still some disadvantages that need to be avoided, such as a complex security proof and an obscure proof process. Based on this, we revisited the scheme in [14] and improved the security proof to make it more concise and easier to understand.

##### 1.2. Reviewing the Contribution in [14]

In the scheme of [3], the authors proposed a one-sided publicly opening identity-based encryption scheme (1SPO-IBE) and, based on which, constructed an IBE scheme with SOA security. Adopting the similar method, the authors in [14] resolved the SOA security in CLE. More concretely, they first proposed a one-sided publicly opening certificateless encryption scheme (1SPO-CLE). Then, based on the proposed 1SPO-CLE, they presented a CLE scheme that is SOA secure in the case of two-type adversary model (i.e., CLE security model where an adversary refers to a user who is granted the ability to change the public key but does not know the master key; another one means the malicious KGC, who is not granted the ability to change the public key but knows the master secret key). The core idea is that we first combined one-bit CLE and 1SPO to generate a 1SPO-CLE with IND-CPA security in the CLE settings and then showed that a multi-bit CLE scheme with SOA security can be constructed from the 1SPO-CLE scheme under the one-time signature and CDH assumptions.

##### 1.3. Revisiting the Reduction from SOA to CPA in [14]

In [14], the authors constructed an IND-CPA secure 1SPO-CLE scheme by combining the 1SPO and one-bit CLE scheme. A CLE scheme that encrypts 1 bit messages is called 1SPO if it is possible, given the public parameter , public key , and the ciphertext that encrypts message 0 with the randomness to efficiently open the ciphertext into another randomness used to encrypt message 1. In particular, the opening process is required to be done without any secret information. Furthermore, they proved that if the 1 bit 1SPO-CLE is IND-CPA secure, then the multi-bit CLE from it is SOA secure. Specifically, the encryption process is performed as follows. If the message is 1, then the encryption process follows specific rules and the correctness of the resulted ciphertext can be checked with some secret information; otherwise, the generated ciphertext is sampled randomly and uniformly from the ciphertext space. As stated in [3], the domain used as the ciphertext space is also required to have the property of sampleability and invertible sampleability in order to guarantee that the resulted scheme has the property of 1SPO.

##### 1.4. Revisiting 1SPO-CLE Construction in [14]

In [14], the authors gave a concrete construction based on one-time signature and CDH assumptions. Specifically, the 1SPO-CLE is designed as follows. Assume and are both sampleable and invertibly sampleable domains as in [3]. If the encrypted message is 1, then the encryption of 1 is processed as , where is the public parameter and is the public key, and the first two values have certain structure and the value is a signature for certain medians generated in the encryption, while the last value is the signature verification key. If the encrypted message is 0, then the first three elements of its encryption are all random. In particular, if is an encryption of 1, then the medians , , and can be always correctly recovered from with the private key . Then, using these medians and the output of the equations and , the decryption algorithm decides whether the ciphertext encrypts 0 or 1, where is the secret value.

##### 1.5. Revisiting the Security Proof of IND-CPA [14]

In this paper, we revisited the IND-CPA security proof of the 1 bit 1SPO-CLE scheme. Since the security proof in [14] is long and unintelligible, we do not intend to describe the difference between their scheme and ours. Below, we will directly describe our proof ideas and proof process. IND-CPA security means that given a ciphertext, no PPT adversary could distinguish which bit has been encrypted even if the adversary has the ability to replace public key or knows the master key (i.e., type 1 adversary and type 2 adversary) in the SOA security game. We present the proof of IND-CPA security for our concrete construction (for 1SPO-CLE scheme) under the two types of attacks defined in CLE. Briefly, under type 1 attack (where the adversary is granted the ability to change the public key but does not know the master key), we reduce the IND-CPA security to the assumption of one-time signature, where the reduction (the adversary that breaks one-time signature) performs the simulation itself except that the signature part is constructed by querying its signing oracle. However, unfortunately, under type 2 attack (where the adversary knows the master key but cannot change the public key), when we try to complete the reduction from the IND-CPA security to the CDH assumption, some obstacles arise. Namely, in the construction of challenge ciphertext, since the value , as the exponent part of the challenge , is unknown to the CDH adversary, it results in that the part cannot be computed. Luckily, we find a way to solve this problem. Specifically, we do this by allowing the reduction algorithm (the CDH adversary) to query its CDH challenger to obtain . Of course, to do this, we assume that computing from is not easier than computing from . In fact, this can be done over the elliptic curve groups.

##### 1.6. Other Related Work

We note that in the past few years, there emerged many remarkable SOA secure systems in PKE setting such as the schemes proposed by Bellare et al. [2], Fehr et al. [5], and Huang et al. [6]. Recently, SOA secure IBE also made rapid progress. In 2011, Bellare et al. [3] proposed two SO-CPA secure IBEs. In 2014, Lai et al. [10] proposed SO-CCA secure IBE using cross authentication codes. In 2016, Wang et al. proposed an SO-CPA secure CLE scheme [14] which avoids the problem of certificate management in PKE settings and key escrow in IBE settings. However, the security proof in [14] is complex and ambiguous.

##### 1.7. Our Contribution

Our SO-CPA secure certificateless encryption scheme (CLE) is constructed based on the technique of one-sided public openability (1SPO) and one-bit CPA secure CLE. Specifically, by combining the techniques of 1SPO and one-bit CLE, we construct an IND-CPA secure 1SPO-CLE scheme. 1SPO means that given a system parameter , public key , and a ciphertext encrypting message 0 under randomness , it enables to open the ciphertext to another message and randomness pair . This method is very challenging since the opening process does not need any secret key to participate in. Interestingly, by revisiting, we found that this method can provide us concise security proof in order to obtain the desired security. In particular, this design implies that 1 bit 1SPO-CLE with IND-CPA security implies multi-bit CLE with the same security. In more detail, the scheme is outlined as follows. If the encrypted message is 1, then its ciphertext preserves a certain structure and can be detected with some secret information. On the contrary, if the encrypted message is 0, its ciphertext takes on a random status and thus is not checkable due to its unstructured property. These properties described above are just what we need for revisiting the CLE with SO-CPA security in [14].

#### 2. Preliminary

In the following, we give several assumptions used in this paper.

*Definition 1.* (discrete logarithm assumption (DL)). Assume that is a multiplicative group with prime order and is a generator. Given , , computing is difficult, where . Formally, for all probabilistic polynomial time (short for PPT) adversary , there exists a negligible function such that , where is a negligible function in the security parameter .

*Definition 2.* (computational Diffie–Hellman assumption). Assume that is a cyclic group with prime order and is a generator. Given , , , computing is difficult, where . Formally, for all PPT adversary , there exists a negligible function such that: .

*Definition 3.* (one-time signature). Let be message space, be randomness space, and be the signature space. A signature scheme consists of three (probabilistic) polynomial time algorithms:

(i) : taking a security parameter as input, this algorithm outputs a signature/verification key pair .

(ii) : on input signature key and a message , this algorithm outputs a signature .

(iii) : on input a verification key , a signature and a message , this algorithm outputs 1, if is valid, and 0 otherwise.

We say that a message/signature pair is valid if for all , all , all , and all , the equation holds.

We say that a signature scheme is one-time unforgeable under chosen-message attack if for any PPT adversary , the success probability of in the following experiment (see Figure 1) is negligible.

##### 2.1. Detailed Legend for Figure 1

This figure describes one-time unforgeability experiment for one-time signature denoted in Section 2, where an adversary and a challenger participate in the experiment and interact with each other. Specifically, in this experiment, the challenger first invokes the algorithm to generate a pair of signature key and verification key . The signature key is used to sign a message and the verification key is used to verify whether a given signature is valid. Given a verification key, the adversary outputs a message/signature forge pair with multiple times of signature queries to oracle . When the message/signature forge does not belong to the queried items to oracle and the forge can verify, the experiment outputs 1 which denotes that the adversary wins the experiment. Particularly, the oracle means that when an adversary delivers a message , the oracle returns a signature .

In the above experiment, we allow the adversary to query oracle only one time. Assume that the adversary output a message/signature pair satisfying and . Then, we say that the adversary gives a successful forge. Formally, the scheme is unforgeable, if there exists a negligible function such that
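The one-time unforgeability experiment described above, as an added example that is not code from the paper or from [14]. The paper does not fix a concrete one-time signature, so Lamport's hash-based scheme (built from a one-way function, here SHA-256) is used as a stand-in; all function names, the two sample adversaries and the sample messages are assumptions of this example.

```python
import hashlib
import secrets

N = 256  # number of digest bits that get signed


def H(data):
    return hashlib.sha256(data).digest()


def digest_bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def keygen():
    """Return (sk, vk): 2*N random preimages and their hashes."""
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(N)]
    vk = [[H(s) for s in pair] for pair in sk]
    return sk, vk


def sign(sk, msg):
    """Reveal one preimage per digest bit."""
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]


def verify(vk, sig, msg):
    """Return 1 if sig is valid for msg under vk, else 0."""
    if len(sig) != N:
        return 0
    bits = digest_bits(msg)
    return 1 if all(H(sig[i]) == vk[i][bits[i]] for i in range(N)) else 0


class SignOracle:
    """Signing oracle of the experiment: answers exactly one query."""

    def __init__(self, sk):
        self._sk = sk
        self.queried = []

    def __call__(self, msg):
        if self.queried:
            raise RuntimeError("one-time key: second signing query refused")
        self.queried.append(msg)
        return sign(self._sk, msg)


def ot_experiment(adversary):
    """Run the experiment; 1 means the adversary produced a valid fresh forgery."""
    sk, vk = keygen()
    oracle = SignOracle(sk)
    m_star, sig_star = adversary(vk, oracle)
    fresh = m_star not in oracle.queried
    return 1 if fresh and verify(vk, sig_star, m_star) == 1 else 0


def replay_adversary(vk, oracle):
    """Constructed adversary: returns the queried pair, so the forgery is not fresh."""
    m = b"constructed message A"
    return m, oracle(m)


def relabel_adversary(vk, oracle):
    """Constructed adversary: reuses the signature on A for a different message B."""
    sig = oracle(b"constructed message A")
    return b"constructed message B", sig


def positions_fully_revealed(m1, m2):
    """Positions where signing both m1 and m2 with one key publishes both preimages.

    A non-zero count is why the oracle above refuses a second query.
    """
    return sum(a != b for a, b in zip(digest_bits(m1), digest_bits(m2)))
```
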

*Definition 4.* (efficiently sampleable and invertible domain [3]). Here, we define two PPT randomized algorithms that are sampleable and invertible, respectively:

(i) (efficient sampling) We say that a domain is efficiently sampleable if there exists a PPT algorithm s.t. is uniformly distributed over for randomness , where is randomness space.

(ii) (efficient invertible sampling) We say that a domain is efficiently invertibly sampleable, if there exists a PPT invertible algorithm s.t. outputs uniformly distributed over for and any .

Note that the algorithm has sampling failure probability if the sampling algorithm outputs with probability at most and invertible sampling failure probability if the invertible algorithm outputs with probability at most .

*Definition 5. *(one-sided public openability (1SPO)). A scheme has the 1SPO property if for a ciphertext which is the encryption result of 0 under identity and public key , where and are randomly distributed over an efficiently sampleable and invertible domain w.r.t. algorithms and , there exists an algorithm that can use the algorithm to open . Namely, with and .
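A toy illustration of Definitions 4 and 5, added here and not taken from the paper or from [14]. The domain is the quadratic-residue subgroup modulo a small safe prime found at import time, and the one-bit scheme is a simplified ElGamal-style stand-in (no identities, pairings or signatures) that only mirrors the "structured 1, sampled 0" shape; every name and parameter below is an assumption of the example.

```python
import secrets


def is_prime(n):
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def find_safe_prime(start):
    """Smallest p = 2q + 1 with q >= start and both p and q prime."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = find_safe_prime(2 ** 31)  # toy size, constructed for this example
Q = (P - 1) // 2              # prime order of the quadratic-residue subgroup
G = 4                         # 2^2 is a residue other than 1, so it generates the subgroup


def sample(coins):
    """Sample: coins in [1, P-1] -> uniform domain element (squaring is 2-to-1)."""
    return coins * coins % P


def inv_sample(y):
    """Inverse sampler: coins distributed as sampler coins conditioned on output y."""
    if not 0 < y < P:
        raise ValueError("not in the domain")
    s = pow(y, (P + 1) // 4, P)   # square root, valid because P % 4 == 3
    if s * s % P != y:
        raise ValueError("not in the domain")
    return s if secrets.randbits(1) else P - s   # pick one of the two preimages


def keygen():
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def encrypt(pk, bit, coins=None):
    """Return (ciphertext, coins). Bit 1 is structured, bit 0 is sampled."""
    if bit == 1:
        r = coins if coins is not None else 1 + secrets.randbelow(Q - 1)
        return (pow(G, r, P), pow(pk, r, P)), r
    if coins is None:
        coins = (1 + secrets.randbelow(P - 1), 1 + secrets.randbelow(P - 1))
    return (sample(coins[0]), sample(coins[1])), coins


def decrypt(x, c):
    """1 if the pair has the structured form under secret x, else 0."""
    return 1 if pow(c[0], x, P) == c[1] else 0


def open_zero(c):
    """Public opening: coins explaining c as an encryption of 0; uses no key."""
    return inv_sample(c[0]), inv_sample(c[1])
```

A sampled ciphertext decrypts to 1 only when its second component happens to match the structured form, which occurs with probability 1/Q in this toy group.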

#### 3. Extractable 1SPO-CLE

##### 3.1. Extractable 1SPO-CLE

An extractable certificateless encryption consists of the following algorithms:

(i) *Setup*: the algorithm takes a security parameter as input and outputs a master key and a public parameter , where defines an identity space and ciphertext space .

(ii) *Partial private key generation*: the algorithm takes a public parameter , an identity , and a master key as input and outputs the partial private key .

(iii) *Secret key generation*: the algorithm takes an identity and the public parameters as input and outputs the secret value .

(iv) *Private key generation*: the algorithm takes the public parameter , a user’s partial private key , and secret value as input and outputs the private key .

(v) *Public key generation*: the algorithm takes a public parameter and a user’s secret value as input and outputs the user’s public key .

(vi) *Encryption*: the algorithm takes a public parameter , a message , and a user’s public key and returns the ciphertext by using the defined algorithm if ; otherwise, it returns by sampling randomly from the ciphertext space.

(vii) *Decryption*: the algorithm takes a public parameter , a ciphertext , and a private key as input and outputs .

(viii) *Correctness*: the correctness follows that in [14]; here we omitted it in order to save space.

*Definition 6. *(see [5] (1SPO-CLE)). An extractable 1SPO-CLE is a scheme with the property of one-sided public openability in the CLE setting and is associated with a PPT public algorithm , so that for all , , , and , distributes uniformly at random over . Here, represent the set of random coins .

As described in [14], the multi-bit 1SPO-CLE can be constructed from 1 bit 1SPO-CLE. Since the concrete construction and security overlap with that in [14], here we do not dwell on it, but, for completeness, we describe it in Appendices A and B.

#### 4. Proposed Extractable 1SPO-CLE

##### 4.1. Construction

In this section, we describe the 1SPO-CPA secure 1-bit CLE scheme. We mainly focus on the following algorithms:

*Setup*. The algorithm first takes a security parameter as input and then runs a group generator to get a group description . Here, and are both groups of prime order , is an additive group, and is a multiplicative group. We also notice that both and are efficiently sampleable and invertible domain associated with algorithms and shown in [3]. is a non-degenerate bilinear map, and is a non-zero generator of . Let , , be three hash functions. Pick , set master key : = , and compute and . Let be one-time signature scheme with signature space . Finally, the public parameter is set as : = .

*Partial Private Key Generation*. The algorithm first takes the public parameter , an identity , and the master secret key as input and proceeds as follows. It computes the partial private key . This can be done since if is large enough, the probability that the unlikely event happens is negligible.

*Secret Key Value Generation*. The algorithm first takes the public parameters and an identity as input and then randomly selects a value as the secret value.

*Private Key Generation*. The algorithm first takes the public parameter , the partial private key , and the secret value as input and then returns as the private key.

*Public Key Generation*. The algorithm first takes the public parameter and the secret value as input and then computes the public key .

*Encryption*. The algorithm first takes the public parameter , a message , and the public key as input. It then encrypts as follows: First, check whether . If not, abort; otherwise, compute and proceed as follows. If , pick , compute , , , and . If , pick , , and . Finally, the ciphertext is set as .

*Decryption*. The algorithm takes the public parameter , a ciphertext , and a private key as input. To decrypt a ciphertext , firstly compute and and verify whether holds; if not, outputs ; otherwise, verify whether holds; if so, set ; otherwise, .

*Correctness*. If is the encryption of 1, then the equations , , , and hold, so the decryption always recovers 1. If is the encryption of 0, since , and are sampled uniformly and randomly. So, (we assume that is large enough which, in turn, results in a negligible quantity for ).

##### 4.2. Security

Theorem 1. *Assume the hash functions , , and are random oracles, and the scheme is one-time signature scheme. Let be extractable 1SPO-CLE scheme proposed in Section 4.1 and and be PR-sampleable (pseudorandom-sampleable) with negligible sampling failure probability. Let and be any IND-CPA type 1 and type 2 adversaries against scheme , respectively, and are allowed to make polynomial times of queries to and ; then, the scheme is IND-CPA secure under both type 1 adversary and type 2 adversary.*

*Proof. *We first prove that, for type 1 adversary, the security can be reduced to the security of one-time signature scheme and then prove that, for type 2 adversary, the security can be reduced to the computational Diffie–Hellman assumption (short for CDH). In the following, we describe the reduction between the adversary (which tries to break the one-time signature scheme) and the type 1 adversary and the reduction between the adversary (which tries to break the CDH assumption) and the type 2 adversary , respectively.

###### 4.2.1. Type 1 Adversary

The adversary (which has the signing verification key ) first generates the public parameter : = and the master key , where and , and then sends the public parameter to the adversary .

On receiving the identity , if , where is the challenge identity set, the adversary invokes the partial private key generation algorithm to obtain the partial private key and sends it to the adversary ; otherwise it aborts. Concretely, the adversary first queries the random oracle to get and then computes . Note that the oracle here is stateful and assume that all oracles in the following are stateful.

On receiving the identity , if , where is the challenge identity set, first invokes the secret value generation algorithm and the partial private key generation algorithm to get the secret value and the partial private key and then sets the private key as , i.e., ; otherwise it aborts.

On receiving the identity , first invokes the secret value generation algorithm to get and then computes the public key as .

On receiving the identity , replaces the original public key with the new public key .

On receiving the challenge identity and the challenge message , and the public key , the adversary computes challenge ciphertext as follows. First flip a coin and then check whether ; if not, abort; otherwise, proceed as follows. If , do the following steps.

(1) First, pick , and then for tuple , query oracle to get .

(2) For , query oracle to get .

(3) Compute and , and then for , query oracle to get .

(4) Compute and .

(5) For , query signature oracle to get .

If , pick , and at random. Then, the final challenge ciphertext is set as . From above, we can see that the adversary provides perfect simulation for .

Now we do the following analysis. Let the challenge ciphertext . In the experiment, since does not know , it cannot compute the value . Assume guess randomly. Then, by the one-time signature scheme , the verification equation does not hold with overwhelming probability.

###### 4.2.2. Type 2 Adversary

The adversary (which has the challenge ) first generates the public parameter : = and the master key , where and , and then sends the public parameter to the adversary .

In this phase, if , where is the challenge identity set, the adversary first invokes the secret value generation algorithm to get secret value and computes partial private key , and then sets the private key as , i.e., .

In this phase, if , the adversary first invokes the secret value generation algorithm to get secret value and then computes the public key as ; otherwise it aborts.

On receiving the challenge identity and the challenge message , and the public key , the adversary computes challenge ciphertext as follows. First sample a random , then check whether ; if not, abort; otherwise, compute and proceed as follows. If , do the following steps.

(1) Pick .

(2) For , query oracle to get .

(3) Query the CDH challenger to get , where is computed as .

(4) For , compute signature .

(5) Set the challenge ciphertext as .

From above, it is easy to see that we implicitly set for and . In addition, we require here that computing from is not easier than computing from . If , pick , , and at random. Then, set the challenge ciphertext as . From above, we can see that the adversary provides perfect simulations for the adversary .

Now we do the following analysis. Let be the challenge ciphertext. In the experiment, knows and ; by the CDH assumption, it is still difficult to compute and to make the verification equation hold.

This completes the proof of Theorem 1.

#### 5. Comparisons and Discussion

The authors in [14] first proposed an SOA secure certificateless encryption scheme. In this paper, we improved it to make the security proof more concise and user friendly. Although in [14], they gave an efficiency analysis, here, to make it easier to understand, we give a more detailed comparison with the existing similar schemes, especially with that in [3, 14]. The detailed comparison results are shown in Table 1. Similarly, in terms of complexity, we also just make comparisons among them on the cost of the additive and multiplicative operations, especially on the exponent and the pairing operations. In addition, we also compare them in “security model,” “whether key escrow is needed,” and “whether a simplified proof is provided.” From this table, we can see that in [3], the first scheme requires 14 exponents and 5 pairings and the second scheme requires 15 exponents and 1 pairing, while in [14], the scheme only needs 6 exponents and 2 pairings. By comparison, we can see that our scheme not only realizes a simplified security proof but also obtains the same efficiency and security level as that of [14].

#### 6. Result

As shown in Table 1, compared with the schemes in [3], our scheme is practical in real applications which is mainly reflected in the following 4 aspects: (1) our scheme can be instantiated from very standard assumption such as computational Diffie–Hellman; (2) the used one-time signature can be constructed from standard assumption such as one-way function; (3) the hash functions such as random oracles in our scheme are very easily run on a low-configured device; (4) our scheme has better efficiency as analyzed in Section 5. Specifically, our scheme has 8 exponents and 3 pairings less than that of the first scheme in [3] and has 1 pairing more than that of the second scheme in [3], respectively. In addition, compared with [14], our scheme has more concise and user-friendly security proof.

#### 7. Conclusions

This paper proposed a certificateless public key encryption against selective opening attacks (SOA), which is suitable for the data storage in Cloud 5G environment. This scheme is proved secure in the ROM under the assumptions of CDH and security of one-time signature. The advantage of the scheme is that it eliminates both certificate management and key management in PKI-based PKE and IBE settings and is practical in Cloud 5G settings. Compared with [14], our scheme not only has more concise and user-friendly security proof but also achieves the same level of security, which strengthens the data security storage in Cloud 5G applications.

#### Appendix

#### A. How to Construct -Bit 1SPO-CLE from 1-Bit 1SPO-CLE

Let be a 1 bit 1SPO-CLE scheme. An -bit CLE scheme with message space is constructed as follows: where such that and is the -th bit of .

: decrypt component for each and every message bit , then return .

The security is shown in Appendix B.

#### B. Security

In the security definition, there are two types of adversaries: type 1 adversary and type 2 adversary . Type 1 adversary is a malicious user, who can replace the user’s public key but cannot know the master key. Type 2 adversary is a malicious KGC, who can know the master key but cannot replace the user’s public key.

In Figure 2 (resp. Figure 3), IND-CPA1 game is for Type 1 adversary in CLE (resp. IND-CPA2 is for Type 2 adversary ). We have (resp. ). We say that is IND-CPA-1 (resp. IND-CPA-2) secure if (resp. ) is negligible for all PPT (resp. ).

##### B.1. Detailed Legend for Figure 2

This figure describes indistinguishable chosen-message attack1 experiment for certificateless encryption scheme, where an adversary and a challenger participate in the experiment and interact with each other. Specifically, in this experiment, the challenger first invokes the algorithm to generate , where is taken as the common input and is used to generate private key and partial private key. The partial private key oracle proc.ParPrivKeyGen invokes the partial key generation algorithm to return a partial private key . The secret value oracle proc.SecValGen() invokes the secret value generation algorithm to return a secret value . The private key oracle proc.PrivKeyGen invokes the private key generation algorithm to return a private key. The oracle proc.PubKeyGen invokes the public key generation algorithm which takes as input a public parameter and a secret value and returns a public key for user . The replace public key oracle proc.RePubKey takes as input a fresh public key , the original public key , and an identity and finally returns the replace public key . The challenge oracle proc.LR takes as input two messages , , and and returns a challenge ciphertext which encrypts challenge message or randomly. Finally, the experiment gives an output , which denotes whether the adversary wins or not in the experiment.

##### B.2. Detailed Legend for Figure 3

This figure describes indistinguishable chosen-message attack2 experiment for certificateless encryption scheme, where an adversary and a challenger participate in the experiment and interact with each other. Specifically, in this experiment, the challenger first invokes the algorithm to generate , where the public parameter is taken as a common input in all the other algorithms and is used to generate private key and partial private key. The oracle proc.SecValGen invokes to return a secret value . The private key oracle proc.PrivKeyGen invokes the private key generation algorithm to return a private key. The public key oracle proc.PubKeyGen invokes the public key generation algorithm to return a public key . The challenge oracle proc.LR takes as input two messages chosen by the adversary, , and and returns a challenge which encrypts challenge message or randomly. Finally, the experiment outputs , which denotes whether the adversary wins or not in the experiment.

Figures 4–6 are presented for the SO-CPA security for the scheme where we define two types of adversaries. Both and denote a randomized algorithm. and denote type 1 and type 2 SOA adversaries, respectively. In particular, both types of adversaries are allowed to make only one query to NewMg before making the Corrupt query. The simulator in Figure 6 is an SOA-simulator and is required to make only one query to the oracles NewMg and Corrupt.

We say that a CLE scheme is SIM-SO-CPA secure if for every PPT , , , and adversary , there exists a PPT simulator such that . .

##### B.3. Detailed Legend for Figure 4

This figure describes the selective opening chosen-message attack1 real experiment for a certificateless encryption scheme, where an adversary and a challenger participate in the experiment and interact with each other. Specifically, in this experiment, the challenger first invokes to generate , where the value is taken as a common input and the value is used to generate the private key and partial private key. The partial private key oracle proc.ParPrivKeyGen invokes the algorithm to produce a partial private key . The secret value oracle proc.SecValGen invokes the secret value generation algorithm to generate a secret value associated with . The oracle proc.PrivKeyGen invokes the private key generation algorithm to generate a private key. The public key oracle proc.PubKeyGen invokes the public key generation algorithm to generate a public key . The replace oracle proc.RePubKey replaces an old public key with a freshly replaced . The challenge oracle proc.NewMg first takes as input , , and , and then checks whether has been queried to the private key oracle or the replace public key oracle; if not, the challenger samples a message according to the distribution determined by . Then, it samples a randomness and computes a challenge ciphertext for message . The corrupt oracle proc.Corrupt(*I*) takes as input a corrupt set 13 *I* chosen by the adversary and returns the opening . Finally, the experiment outputs , which denotes whether the adversary wins or not in the experiment.

##### B.4. Detailed Legend for Figure 5

This figure describes the selective opening chosen-message attack1 real experiment for a certificateless encryption scheme, where an adversary and a challenger participate in the experiment and interact with each other. Specifically, in this experiment, the challenger first invokes the algorithm to sample . The oracle proc.SecValGen invokes the algorithm to return a secret value for user . The private key oracle proc.PrivKeyGen invokes the private key generation algorithm to generate a private key. The oracle proc.PubKeyGen invokes the public key generation algorithm to return a public key . The challenge oracle proc.NewMg first checks whether the identity is legal; if not, the challenger samples a message according to the distribution determined by . Then, it samples a randomness and invokes the encryption algorithm to generate a challenge ciphertext for message . The corrupt oracle proc.Corrupt takes as input a corrupt set *I* (which is chosen by the adversary) and returns the opened messages and randomnesses . Finally, the experiment outputs , which denotes whether the adversary wins or not in the experiment.

##### B.5. Detailed Legend for Figure 6

This figure describes the selective opening chosen-message attack ideal experiment for a certificateless encryption scheme, where an adversary and a simulator participate in the experiment and interact with each other. Specifically, in this experiment, during the initialization phase, the challenger returns nothing to the adversary, while the challenge oracle proc.NewMg only samples messages according to the distribution determined by but returns nothing to the adversary. In the corruption phase, the challenger opens the partial messages according to the set chosen by the adversary. Finally, the experiment returns an output of a relation with respect to an input tuple .
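The oracle flow in the legends for Figures 4 and 6 can be modelled as a small game harness. This is an added example, not code from the paper: textbook ElGamal with toy parameters stands in for the CLE scheme (identities, partial private keys and public key replacement are omitted), and the names `RealGame`, `IdealGame` and `openings_consistent` are hypothetical.

```python
import secrets

# Stand-in PKE (assumption): textbook ElGamal with toy parameters, used only so that
# ciphertexts and openings exist. It is not the paper's CLE scheme.
P, G = 2**127 - 1, 3          # Mersenne prime modulus, fixed base

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk

def enc(pk, m, r):
    # Deterministic once r is fixed, so an opening (m, r) can be re-checked.
    return pow(G, r, P), (m * pow(pk, r, P)) % P

class RealGame:
    """Real experiment: the adversary sees pk, the ciphertexts, then the openings."""
    def __init__(self, n):
        self.n, self.cts = n, None
        self.pk, self._sk = keygen()

    def new_mg(self, sampler):
        if self.cts is not None:
            raise RuntimeError("NewMg may be queried only once")
        self.msgs = [sampler() for _ in range(self.n)]
        self.rands = [secrets.randbelow(P - 2) + 1 for _ in range(self.n)]
        self.cts = [enc(self.pk, m, r) for m, r in zip(self.msgs, self.rands)]
        return list(self.cts)

    def corrupt(self, opened):
        if self.cts is None:
            raise RuntimeError("Corrupt is only allowed after NewMg")
        # An opening reveals both the message and the encryption randomness.
        return {i: (self.msgs[i], self.rands[i]) for i in opened}

class IdealGame:
    """Ideal experiment: the simulator gets no key and no ciphertexts."""
    def __init__(self, n):
        self.n, self.msgs = n, None

    def new_mg(self, sampler):
        self.msgs = [sampler() for _ in range(self.n)]   # sampled, nothing returned

    def corrupt(self, opened):
        return {i: self.msgs[i] for i in opened}         # messages only

def openings_consistent(pk, cts, openings):
    # The real-game adversary can re-encrypt every opening and compare.
    return all(enc(pk, m, r) == cts[i] for i, (m, r) in openings.items())
```

Because the real-game openings include the randomness, the adversary can verify each one against its ciphertext, which is what a simulator in the ideal game has to match without ever seeing a ciphertext.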

#### C. Conversion from 1SPO to SIM-SO-CPA

Here, we use a theorem (i.e., Theorem 2) to demonstrate how to reduce the SIM-SO-CPA security to 1SPO security.

Theorem 2. *(see [14]). Let be a 1-bit 1SPO-CLE scheme with a one-sided opener algorithm [3] and the -bit 1SPO-CLE scheme from . and are type 1 adversary and type 2 adversary against SO-CPA security of , respectively. Let be a PPT relation and be a PPT message sampler. Then, there exist and two and such that*

*Proof.* This proof is exactly the same as that of Theorem 1 in [14], so we do not repeat it here in order to save space.

#### Data Availability

The data used to support the findings of this study are included within the article.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

The first author was supported by the National Key Research and Development Program of China (grant no. 2017YFB0802000), the National Natural Science Foundation of China (grant no. NSFC61702007), and other foundations (grant nos. 2019M661360 (KLH2301024), gxbjZD27, KJ2018A0533, XWWD201801, and ahnis20178002). The third author was supported by the National Key Research and Development Program of China (grant no. 2017YFB0802000) and the National Natural Science Foundation of China (grant no. U1705264).