Anonymous and Efficient Certificateless Multirecipient Signcryption Scheme for Ecological Data Sharing

the


Introduction
Ecological data is receiving more and more attentions nowadays. It plays an important role in global climate change prediction, ecological network observation and simulation, regional air pollution control, and so on. However, the scope, degree, quality, and usability of data sets mastered by different research institutions vary greatly, which is not conductive to the research in related fields. In order to solve this problem, relevant organizations begin to share their own data, which enables researchers to find and reuse relevant data. Combining data from multiple sources can better raise new questions and accelerate the pace of science. Sharing of relevant data can also make the related scientific research more transparent, which helps boost public trust.
In the process of information sharing, on the one hand, the sender of the information only wants the authorized receiver to receive the correct information in order to prevent the information from being maliciously revealed. On the other hand, the recipient of the message wants to verify the sender of the message to prevent the message from being tampered with and the sender from being forged.
In view of all the requirements above, the information sent needs to be confidential and verifiable. The confidentiality needs to be implemented by encryption, and the verification needs to be implemented by signature. Traditionally, the method of first signing and then encrypting is adopted, but it is too computationally intensive resulted in the low efficiency. In order to improve the efficiency on the basis of ensuring confidentiality and verification of messages, Zheng [1] proposed the concept of signcryption, which enables encryption and signature to be performed simultaneously; therefore, encryption and signature functions can be realized by one signcryption.
With the development of communication, the identitybased multireceiver encryption (IMRE) proposal was presented by Baek et al. [2]; this proposal can encrypt multiple recipients' messages by one calculation. And then, the IMRE schemes [3][4][5] were proposed successively. Subsequently, on the basis of the scheme in [2], the identity-based multireceiver signcryption (IMRS) proposal was presented by Duan and Cao [6]. According to this scheme, the sender only needs to perform a signcryption operation to simultaneously send messages to multiple authorized recipients, and each authorized recipient can perform corresponding decryption and verification. The ciphertext received by the receiver does not contain a list of receiver identity information, and the receiver cannot find the relevant information in the ciphertext. It is more effective than one-to-one scheme and is an ideal choice for information sharing. Then, many IMRS schemes [7][8][9][10][11][12][13][14] were proposed. What is more, communicators are paying more and more attentions to personal privacy issues. Usually, people intend to conceal their identities when they use multireceiver signcryption-related devices. In order to realize anonymity, Fan et al. [15] proposed the first anonymous IMRE scheme. However, Wang et al. [16] proposed that the scheme in [15] does not truly achieve that goal. Also, Wang et al. [16] proposed a new anonymity scheme, but Li and Pang [17] proposed that the scheme in [16] still could not completely realize anonymity either. Later, Fan and Tseng [18] proposed an anonymous IMRE scheme and the receiver of the scheme has the capability of identity verification, but the efficiency is not high because of the excessive bilinear parings operations in the scheme. Then, Pang et al. [19] put forward an absolutely cryptonymous IMRS proposal which can realize the anonymity of the receiver and sender. Gradually, people have found a serious problem that these multireceiver schemes have key escrow problems because they cannot block malicious key generation center (KGC) attacks. If nothing is done to solve this problem, the KGC can view all users' communications and can pretend to be any user, which is insecure.
Given the above requirements, Al-Riyami and Paterson [20] proposed a certificateless public key cryptosystem. For the user in this system, he and KGC jointly generate his private key, and the system parameters and his private key jointly determine his public key. The scheme in [20] can solve the problem of certificate management in traditional public key cryptography and key escrow in identity-based cryptosystems, so the certificateless multirecipient scheme has become a research hotspot. Influenced by the scheme in [20], the proposals [21][22][23][24] were successively put forward. Selvi et al. [25] came up with the earliest certificateless multireceiver signcryption (CMRS) scheme, but it does not have the confidentiality of messages under external attacks and is inefficient due to the use of a large number of bilinear pairing operations (BPO).
Gradually, people began to pursue efficiency on the basis of satisfying the safety function. A cryptonymous certificateless multireceiver encryption (CMRE) proposal was presented by Islam et al. [26]. In order to improve efficiency, the scheme in [26] uses scalar point multiplication operations on elliptic curve cryptography (SPMOOECC), which does not use BPO. Since schemes in [26] can still further improve efficiency, schemes in [27][28][29][30] have been proposed successively. The scheme in [27] used the BPO and map-topoint hash function (MTPHF), scheme in [28] and scheme in [30] used lots of SPMOOECC, and scheme in [29] used BPO in the decryption step, all of which greatly limit the efficiency of the scheme. Among them, schemes in [26][27][28][29][30] have no signature function and cannot resist forgery attacks, and schemes in [25,[27][28][29] did not successfully achieve fair decryption, nor did they implement the verification of part of the private key.
Through the analysis of the schemes, we found that the multirecipient signcryption scheme is required to solve the main problems as below during the communication process: (1) Key escrow problem: malicious KGC can forge encrypted ciphertext and decrypt ciphertext, which dramatically reduces the confidentiality of the message. In order to prevent malicious KGC attacks, we need to solve the key escrow problem (2) The calculation efficiency is not ideal: in the process of encryption or decryption, BPO or a large number of SPMOOECC will result in inefficiency In view of the requirements of ecological data sharing communication and taking into account the shortcomings of existing communication mechanisms, we propose a CMRS scheme for ecological data sharing. Relevant institutions or researchers can send data to other researchers or related institutions through our program. The communication process is shown in Figures 1 and 2. When multiple researchers or related organizations share relevant ecological data (such as forest ecological data, grassland ecological data, and desert ecological data), they first exchange key with KGC to obtain their own public key and private key; then, they signcrypt the data and send the signcrypted message to the cloud space; finally, the signcrypted data in the cloud space will be forwarded to the authorized recipient and the receiver performs verification and decryption after receiving the message.
The specific features of the scheme are as follows: (1) The scheme realizes the anonymity of the receiver. Not only the attacker cannot obtain the information of the receiver, but also the receiver does not know the information of other receivers (2) The scheme uses a certificateless method and can perform partial private key verification. It not only solves the key escrow problem but also ensures the correctness of some private keys received from KGC (3) The scheme is of high efficiency. Instead of using BPO and exponential operations in the signcryption and decryption phases, the scheme uses the SPMOOECC during encryption and decryption processes and minimizes the number of SPMOOECC, which greatly increases efficiency Finally, in using the stochastic prediction model, we prove the confidentiality, unforgeability, and recipient anonymity of our CMRS scheme based on the difficult problems.
The rest of the paper is as follows: in the second part, the initial knowledge is described. In the third part, the proposed scheme is described. In addition, in the fourth part, the correctness and security of the scheme were analyzed. Next, in the fifth part, the proposed scheme and the existing scheme are compared in terms of efficiency and functionality. Finally, the sixth section summarizes this paper.

Preliminaries
We will make an introduction of difficult problems, algorithm model, and security models.

Difficult Problems.
It is specified that G p is a cyclic group on ECC, the generator of G p is the P, and Z * p is the nonzero multiplication group, which depend on the big prime number p. The elliptic curve discrete logarithm problem (ECDLP) and Diffie-Hellman problem (CDHP) are described below: (1) CDHP. Known ðP, xP, yPÞ ∈ G p , x, y ∈ Z * p , calculating xy P ∈ G p is CDHP Definition 1. If the probabilistic polynomial time (PPT) algorithm A can solve CDHP, the probability advantage is specified as SetUpAlgorithm: input λ, λ is the security parameter; KGC executes the algorithm; the system's master key s and the public parameter pars are generated by KGC; and KGC exposes pars and secretly saves s.
SetSecretValueAlgorithm: enter ID i , ID i is the user's information; the user executes the algorithm; and the user gets the secret value x i and the secret value parameter X i .
ExtractPartialPrivateKeyAlgorithm: enter the user's information ID i , the master key s, the secret value parameter X i , and the public key parameter pars. For the user, KGC uses this algorithm to obtain the partial private key z i and key generation parameter W i .
SetPublicAndPrivateKeysAlgorithm: input the parameter pars of the system, the information ID i of the user, the partial private key z i of the user, the secret value x i , and the key generation parameter W i and the user uses the algorithm to obtain public key pair PK i and the private key pair SK i .
SigncryptionAlgorithm: input the system's public parameter pars, receiver information L = fID 1 , ID 2 ⋯ :ID n g, plaintext M, the recipient's public key PK i ð1 ≤ i ≤ nÞ, the private key SK c of THE transmitter, and the information ID c of the transmitter. The transmitter initiates the algorithm to obtain the ciphertext C = Signcryptionðpars, M, L, PK i , SK c , ID c Þ.
DesigncryptionAlgorithm: enter the public parameter pars, the recipient's private key SK i , the recipient's information ID i , and ciphertext C. The receiver uses the algorithm to gain the plaintext M = Designcryption ðpars, C, SK i , ID i Þ and verifies M using the sender's public key PK c .

Security
Models. The security model required for our scheme consists of information confidentiality, unforgeability, and recipient anonymity. In each security model, there are two types of opponents, called A 1 and A 2 [20]. A 1 does not know the system master key but A 2 does, and A 1 can replace the user's public key but A 2 cannot. Specific descriptions are as follows: 2.3.1. Information Confidentiality. Information confidentiality means that an attacker cannot successfully decrypt a plaintext message in his or her own attack. In this scheme, information confidentiality is the indistinguishability of certificateless signcryption in the context of selecting ciphertext  Setup. C performs the corresponding steps for obtaining the public parameter pars and the master key s, then sends the pars to the A 1 and secretly saves s. After A 1 receives the pars, the A 1 outputs a group of target identities L = fID 1 , ID 2 , ⋯, ID n g, where n is a positive integer.
Phase 4. A 1 requires C to perform flexible queries, and C performs feedback. The details are the following: SetSecretValueQuery: A 1 requires C to run the SetSecret-ValueQuery on the ID. After the request is received, C uses the SetSecretValueAlgorithm to get the user's secret value, and C transmits the result to A 1 .
ExtractPartialPrivateKeyQuery: A 1 lets C run the Extra-ctPartialPrivateKeyQuery against the ID. After the request is received, C executes the ExtractPartialPrivateKeyAlgorithm to gain the partial private key of the user and sends result to A 1 .
SetPublicAndPrivateKeysQuery: A 1 requires C to run the SetPublicAndPrivateKeysQuery on the ID. After receiving the request, C executes the SetPublicAndPrivateKeysAlgorithm to get the public and private keys of user and returns them to A 1 .
PublicKeyReplacementQuery: A 1 requires C to use the PK ' ID to run the PublicKeyReplacementQuery on the ID. Upon receipt, C will retain the PK ' ID as the new public key. SigncryptionQuery: A 1 lets C perform the Signcryption-Query with a series of information and plaintext M. After the request is received, C randomly selects the information ID s to execute the SigncryptionAlgorithm to obtain the ciphertext C and transmits C to A 1 .
DesigncryptionQuery: A 1 requires C to perform the DesigncryptionQuery for ciphertext C. After the request is received, C executes the DesigncryptionAlgorithm to obtain the plaintext M, after that, verify that M is compliant, and returns M toA 1 .
Challenge: A 1 chooses a pair of plaintext ðM 0 , M 1 Þ, the length of the plaintext is the same, and transmits ðM 0 , M 1 Þ to C. C selects φ ∈ f0, 1g; then, C uses the selected plaintext M φ to obtain C * and C transmits C * to A 1 .
Phase 5. A 1 wants C to provide the same query as Phase 4, but A 1 cannot perform the private key portion of SetPubli-cAndPrivateKeysQuery and ExtractPartialPrivateKeyQuery on the user who has replaced the public key. A 1 cannot perform DesigncryptionQuery on ciphertext C * .
Guess: A 1 gives φ * , and if φ * = φ can be determined, A 1 wins, otherwise, A 1 fails. The probability advantage of A 1 winning is defined as follows: Definition 6. The probability that any A 1 in the case of IN-CMRS-CA can obtain the Game1 victory in time τ can satisfy Adv IN−CMRS−CA ðA 1 Þ ≤ ε, indicating that the scheme conforms to ðτ, εÞ -IN-CMRS-CA security, ε represents a nonnegligible probability advantage and τ represents the time of a polynomial operation.
Game2: this game is the interaction of opponent A 2 and challenger C in the context of IN-CMRS-CA. The details are the following: Setup. C performs the corresponding steps for obtaining the public parameter pars and the master key s, then transmits the result to the A 2 . After successful reception, A 2 gives a set of target identifiers L = fID 1 , ID 2 , ID 3 , ⋯, ID n g, n is a positive integer.
Phase 7. A 2 makes a series of queries to C like Phase 4 of Game1, but A 2 cannot carry out PublicKeyReplacementQuery. C responds accordingly.
Challenge: A 2 selects a pair of plaintext ðM 0 , M 1 Þ; the length of the plaintext is the same and transmits ðM 0 , Phase 8. A 2 needs C to perform the same query as Phase 4, but A 2 cannot execute the SetSecretValueQuery for the target identity L, and A 2 cannot run the DesigncryptionQuery against the ciphertext C * .
Guess: A 2 gives φ * , and if φ * = φ can be determined, A 2 wins, otherwise, A 2 fails. The probability advantage of A 2 winning is defined as follows: Definition 9. The probability that any A 2 in the case of IN-CMRS-CA can obtain the Game2 victory in time τ can satisfy Adv IN−CMRS−CA ðA 2 Þ ≤ ε, indicating that the scheme conforms to ðτ, εÞ -IN-CMRS-CA security, ε represents a nonnegligible probability advantage and τ represents a time of a polynomial operation.

Unforgeability.
The unforgeability of the proposal in this paper is prescribed as the strong unforgeability of certificateless signcryption in the context of selecting ciphertext attacks and optional multiple ID (SU-CMRS-PA) [25].
Game3 and Game4 are used to describe the SU-CMRS-PA of the opponent A 1 and A 2 , respectively. Game3: this section is the mutual response between C and A 2 under SU-CMRS-PA. The details are the following: Setup. This procedure is similar to Setup in Game1.
Attack: A 1 requires C to perform flexible queries. The queries are similar to Phase 4 in Game1, after which C responds.

Journal of Sensors
Forgery: A 1 uses L = fID 1 , ID 2 , ⋯, ID n g and plaintext M to forge ciphertext C * . If any recipient in L can correctly decrypt C * , then A 1 wins, otherwise A 1 fails. In this process, SigncryptionQuery cannot get C * , other restrictions are similar to Phase 5 in Game1.
Definition 10. The probability that any A 1 in the case of SU-CMRS-PA can obtain the Game3 victory in time τ can satisfy Adv SU−CMRS−PA ðA 1 Þ ≤ ε, indicating that the scheme conforms to ðτ, εÞ -SU-CMRS-PA security, ε represents a nonnegligible probability advantage and τ represents the time of a polynomial operation.
Game4: this process is the interaction between C and A 2 under SU-CMRS-PA. The details are the following: Setup. This procedure is similar to Setup in Game2.
Attack: A 2 performs flexible queries for C. The queries are similar to Phase 4 in Game2, after which C responds.
Forgery: A 2 uses L = fID 1 , ID 2 , ⋯, ID n gand plaintext M to forge ciphertext C * . If any recipient in L can correctly decrypt C * , then A 2 wins, otherwise A 2 fails. In this process, SigncryptionQuery cannot get C * , and the other restrictions are similar to Phase 5 in Game2.
Definition 11. The probability that any A 2 in the case of SU-CMRS-PA can obtain the Game4 victory in time τ can satisfy Adv SU−CMRS−PA ðA 2 Þ ≤ ε, indicating that the scheme conforms to ðτ, εÞ -SU-CMRS-PA security, ε represents a probabilistic advantage that is not negligible. τ represents the time of a polynomial operation.

Receiver Anonymity.
In this scheme, receiver anonymity is prescribed as the anonymous indistinguishability of certificateless signcryption in the context of selecting ciphertext attacks and selective multiple ID (ANO-CMRS-CA) [26]. Game5 and Game6 each implement ANO-CMRS-CA for A 1 and A 2 .
Game5: this process is the interaction between C and A 1 under ANO-CMRS-CA. The details are the following: Setup. C performs the corresponding steps for obtaining the public parameter pars and the master key s, then transmits pars to A 1 and secretly saves s. After receiving, A 1 selects L = fID 0 , ID 1 g and sends L to C.
Phase 12. This procedure is similar to Phase 4 in Game1.
Challenge: A 1 picks identity list L * = fID 2 , ID 3 , ⋯, ID n g and plaintext M, A 1 transmits them to C. C selects e ∈ f0, 1g and forms the ciphertext C * with a new set of identity list L * * = fID e , ID 2 , ID 3 , ⋯, ID n g, and C transmits C * to A 1 .
Phase 13. This procedure is similar to Phase 5 in Game1.
Guess: A 1 gives e * , and If e * = e can be determined, A 1 wins, otherwise, A 1 fails. The probability advantage of A 1 winning is defined as follows: Definition 14. The probability that any A 1 in the case of I ANO-CMRS-CA can obtain the Game5 victory in time τ can satisfy Adv ANO−CMRS−CA ðA 1 Þ ≤ ε, indicating that the scheme conforms to ðτ, εÞ -ANO-CMRS-CA security, ε represents a nonnegligible probability advantage and τ represents the time of a polynomial operation.
Game6: this process is the interaction between C and A 2 under ANO-CMRS-CA. The details are the following: Setup. C performs the corresponding steps for obtaining the public parameter pars and the master key s, then transmits the result to A 2 , A 2 selects L = fID 0 , ID 1 g and output L.
Phase 15. This procedure is similar to Phase 4 in Game2.
Challenge: A 2 picks identity list L * = fID 2 , ID 3 , ⋯, ID n g and a plaintext M, A 2 transmits L * and M to C. C selects e ∈ f0, 1g and forms a ciphertext with a new set of identity list L * * = fID e , ID 2 , ID 3 , ⋯, ID n g, and C sends C * to A 2 .
Phase 16. This procedure is similar to Phase 5 in Game2.
Guess: A 2 gives e * , and if e * = e can be determined, A 2 wins, otherwise, A 2 fails. The probability advantage of A 2 winning is defined as follows: Definition 17. The probability that any A 2 in the case of ANO-CMRS-CA can obtain the Game6 victory in time τ can satisfy Adv ANO−CMRS−CA ðA 2 Þ ≤ ε, indicating that the scheme conforms to ðτ, εÞ -ANO-CMRS-CA security, ε represents a nonnegligible probability advantage and τ represents the time of a polynomial operation.
3.1. Setup Algorithm. KGC performs the corresponding steps for obtaining the public parameter and master keys. The details are the following: (1) Input λ, λ is the security parameter and KGC selects a large prime number p on the finite field at random and generates a finite field F p with p order. Next, a suitable elliptic curve E p is generated on the domain F p , and an addition cycle group G p is determined on the elliptic curve E p , and the generator of G p is P 6 Journal of Sensors (2) Select a positive whole number s ∈ Z * p at random, s is the system master key and secretly save and calculate the system public key P pub , P pub = sP (3) Select five safe and reliable hash function as follows: (4) The appropriate symmetric encryption algorithm E k and decryption algorithm D k are selected at random. k as a symmetric key 3.2. Key Extract Algorithm. The user and KGC perform the corresponding steps for obtaining the user's private and public keys.
(1) SetSecretValueAlgorithm: user ID i randomly selects x i ∈ Z * p as a secret value and keeps it in secret, calculates X i = x i P, and sends ID i and X i to KGC via a secure channel (2) ExtractPartialPrivateKeyAlgorithm: after receiving, KGC randomly selects the integer w i ∈ Z * p , then calculates W i = w i P and h i = H 1 ðID i , X i , W i Þ, and then calculates y i = w i + h i s mod q and z i = y i + H 2 ðsX i , ID i Þ mod q, finally sending z i and W i to the user ID i via a secure channel The user ID i public key pair is PK i = ðX i , Y i Þ, private key pair is SK i = ðx i , y i Þ. PK i is published by KGC.
3.3. Signcryption Algorithm. The sender uses the public parameter pars, its own private key SK c , plaintext M, a set of recipient information L = fID 1 , ID 2 , ⋯, ID n g, the recipient's public key PK i ð1 ≤ i ≤ nÞ, and the information ID c of a transmitter for signcryption: (1) Select the integer r ∈ Z * p at random and then calculate R = rP (3) Select the whole number ξ at random, ξ ∈ Z * p , then calculate the formula: (4) Calculate k = H 4 ðξÞ, J = E k ðM kID c Þ.
(5) Calculate h c = H 5 ðM, ID c , X c , PK c , J, R, a0, a1, ⋯:a n Þ, where σ = x c + y c + h c r mod q (6) Generate ciphertext C = fJ, R, a0, a1, ⋯:a n , σg and send the ciphertext to all recipients 3.4. Designcryption Algorithm. The receiver ID i decrypts after receiving the ciphertext C = fJ, R, a 0 , a 1 , ⋯:a n , σg. Proceed as follows: And judge whether σP = X c + Y c + h c R is established, If successful, the recipient receives the plaintext M and then exits. Otherwise, the recipient rejects and quits.

Correctness Analysis
Theorem 18. Confirm that the part private key of the user in KeyExtractAlgorithm is right.
Proof. In order for the user's partial private key to be verified correctly, y i P = W i + h i P pub needs to be established. The specific inference of this equation is as follows: The establishment of the formula y i P = W i + h i P pub determines that the verification of the part private key is right in the KeyExtractAlgorithm. Proof. The formula σP = X c + Y c + h c R guarantees the correctness of the DesigncryptionAlgorithm. The specific inference of the formula is as follows:

Security
Proof. Under a nonnegligible probability, it is assumed that opponent A 1 can attack the IN-CMRS-CA security, the probability advantage is ε, and under the stochastic prediction model, A 1 requires challenger C to perform queries. Given ðP, xP, yPÞ, in the time-limited polynomial, C obtains xyP through the opponent A 1 interaction to overcome CDHP. C and opponent A 1 will interact with the followings: Setup. C performs the corresponding steps for obtaining the public parameter pars = ðE p , G p , E k , D k , p, P, P pub = aP, H 1 , H 2 , H 3 , H 4 , H 5 Þ and master key = a ∈ Z * p , and then transmits pars to A 1 and save s. After the recipient receives it, A 1 selects the target identity L = fID 1 , ID 2 , ⋯, ID n g and transmits L to C, n denotes a positive whole number. H 1 , H 2 , H 3 , H 4 , and H 5 are all random oracles; they are controlled by C. The details are the following: (1) H 1 HashQuery: the tuple ðID j , X j , W j Þ is taken as input, and A 1 requires C to execute H 1 HashQuery.
After receiving, C checks whether the tuple ðID j , X j , W j , d j Þ exists in list L 1 . If it exists, C will send d j to A 1 . Otherwise, C selects d j ∈ Z * p at random and sends d j to A 1 and restores the tuple ðID j , X j , W j , d j Þ into list L 1 (2) H 2 HashQuery: the tuple ðsX j , ID j Þ and ðX j P pub , ID j Þ are taken as input, and A 1 requires C to execute H 2 HashQuery. After receiving, C checks whether the tuple ðsX j , ID j , θ j Þ and ðX j P pub , ID j , δ j Þ exist in the list L 2 . If yes, C will send θ j and δ j to A 1 . Otherwise, C selects two integer θ j and δ j ∈ Z * p at random and transmits them to A 1 and restores the tuple ðs X j , ID j , θ j Þ and ðX j P pub , ID j , δ j Þ into list L 2 (3) H 3 HashQuery: the tuple ðrX j , ID j Þ is taken as input, and A 1 requires C to execute H 3 HashQuery. After receiving, C judges whether or not the tuple ð rX j , I D j , α j Þ exists in the list L 3 . If it exists, C will send α j to A 1 . Otherwise, C selects α j ∈ Z * p at random and sends α j to A 1 and restores the tuple ðrX j , ID j , α j Þ into list L 3 (4) H 4 HashQuery: the tuple ðξÞ is taken as input, and A 1 requires C to execute H 4 HashQuery. After receiving, C judges whether or not the tuple ðξ, kÞ exists in the list L 4 . If it exists, C will send k to A 1 . Otherwise, C selects k ∈ Z * p at random, and sends k to A 1 , and restores the tuple ðξ, kÞ into list L 4 (5) H 5 HashQuery: The tuple ðM, ID j , X j , PK j , J, R, a 0 , a 1 , ⋯:a n Þ is taken as input, and A 1 requires C to execute H 5 HashQuery. After receiving, C judges whether or not the tuple ðM, ID j , X j , PK j , J, R, a 0 , a 1 , ⋯:a n , h j Þ exists in list L 5 . If it exists, C will send h j to A 1 . Otherwise, C selects hj ∈ Z * p at random, and sends h j to A 1 and restores the tuple ðM, ID j , X j , PK j , J, R, a 0 , a 1 , ⋯:a n , h j Þ into list L 5 Phase 21. A 1 requires C to perform flexible queries and C performs feedback. The details are the following: (1) KeyQuery: C checks if the tuple ðID j , SK j , PK j , x j , z j Þ exists in the list L C . If it exists, C reserves the tuple ðID j , SK j , PK j , x j , z j Þ. Otherwise, C does the following: (a) If ID j = ID i , i = 1, 2, 3, ⋯, n, C selects two integers x j , w j ∈ Z * p at random, sets X j = x j P and SK j ⟵ ⊥, computes W j = w j P, y j = w j + H 1 ðID i , X i , W i Þ s mod q, Y j = y j P, PK j = ðX j , Y j Þ and then updates tuples ðID j , SK j , PK j , x j , z j Þ in list L C and ðID j , X j , W j , d j Þ in list L 1 , respectively (b) If ID j ! = ID i , i = 1, 2, 3, ⋯, n, C selects two integers x j , z j ∈ Z * p at random, sets X j = x j P, computes y i = z i -H 2 ðx i P pub , ID i Þ, Y j = y j P, PK j = ðX j , Y j Þ, S K j = ðx j , y j Þ and then updates tuples ðID j , SK j , P K j , x j , z j Þ in list L C and ðID j , X j , W j , d j Þ in list L 1 , respectively (2) SetSecretValueQuery: A 1 requires C to execute the SetSecretValueQuery on ID j . After receiving the request, C checks whether there are tuples ðID j , SK j , PK j , x j , z j Þ in list L C . if it exists, C sends x j to A 1 , otherwise, C performs the KeyQuery to generate a tuple ðID j , SK j , PK j , x j , z j Þ and then sends x j to A 1 (3) ExtractPartialPrivateKeyQuery: A 1 requires C to perform the ExtractPartialPrivateKeyQuery on ID j .

Journal of Sensors
After receiving the request, the details are the followings: (a) If ID j = ID i , i = 1, 2, 3, ⋯, n,C sends "failure" to A 1 (b) If ID j ! = ID i , i = 1, 2, 3, ⋯, n,C judges whether or not the tuple ðID j , SK j , PK j , w j , x j , z j Þ exists in the list L C , and if so, C sends z j to A 1 , otherwise, C performs the KeyQuery to generate tuple ðID j , SK j , PK j , x j , z j Þ and sends z j to A 1 (4) SetPublicAndPrivateKeysQuery: A 1 requires C to execute the public key portion of SetPublicAndPriva-teKeysQuery on the ID j . After the recipient receives it, C judges whether or not the tuple ðID j , SK j , PK j , x j , z j Þ exists in list L C . If it exists, C sends PK j to A 1 , otherwise C performs KeyQuery to generate a tuple ðID j , SK j , PK j , x j , z j Þ and then send PK j to A 1 A 1 requires C to execute the private key portion of Set-PublicAndPrivateKeysQuery on the ID j . After the recipient receives it, C responds: (a) If ID j = ID i , for i = 1, 2, 3, ⋯, n,C sends "failure" to A 1 (b) If ID j ! = ID i , for i = 1, 2, 3, ⋯, n,C judges whether or not the tuple ðID j , SK j , PK j , w j , x j , z j Þ exists in list L C , and if so, C sends SK j to A 1 , otherwise, C uses KeyQuery to generate tuple ðID j , SK j , PK j , x j , z j Þ and sends SK j to A 1 (5) PublicKeyReplacementQuery: A 1 requires C to perform a PublicKeyReplacementQuery on ID j with PK j ′ . After the recipient receives it, Cqueries the tuple ðID j , SK j , P K j , w j , x j , z j Þ in list L C , and uses PK j ′ instead of PK j . Next, C restores the tuple ðID j , SK j , PK j , x j , z j Þ in list L C (6) SigncryptionQuery: A 1 requires C to perform the SigncryptionQuery for plaintext M and information ID s . After receiving the request, C determines if ID s ! = ID i is correct, i = 1, 2, 3, ⋯, n. If the expression is correct, C executes the SetPublicAndPrivateKeysQuery to generate the private key SK s and ciphertext C, and then sends C to A 1 if not, C implement s the corresponding operation (a) Select r ∈ Z * p at random and calculate Select R = rP, rX j = rx j P, at random and define the formula: PKs, J, R, a 0 , a 1 , ⋯, a n−1 Þ, σ = x s + y s + h mod q ; (c) Select z ∈ Z * p at random (d) Output the ciphertext C = ð J, R, a 0 , a 1 , ⋯, a n−1 , σÞ to A 1 (7) DesigncryptionQuery: A 1 requires C to perform a DesigncryptionQuery for ciphertext C. After receiving the request, C selects ID j at random and verifies whether ID j = ID i is true, i = 1, 2, 3, ⋯, n. If the formula is true, C sends "failure" to A 1 Otherwise, C will perform the corresponding operation: (a) Search for the tuple ðID j , SK j , PK j , x j , z j Þ in list L C to obtain SK j and compute  Challenge: A 1 selects the plaintext ðM 0 , M 1 Þ at random, they are equal in length, and they are transmitted to C. After receiving, C selects a bit φ ∈ f0, 1g at random, C uses M φ to get the ciphertext C * , and M φ is the selected plaintext. The details are the following: Select ξ ∈ Z * p at random and define the formula: (c) Calculate k = H 4 ðξÞ, J * = E k ðkID s Þ and h = ðM, ID s , X s , PK s , J, R, a 0 , a 1 ,: ⋯ a n Þ (d) Select z ∈ Z * p at random 9 Journal of Sensors (e) Output the C * = ðJ * , W i , z, h, a 0 , a 1 , ⋯, a n−1 Þ to A 1 Phase 22. A 1 requires C to perform the same queries as Phase 4, but A 1 cannot run the DesigncryptionQuery against C * .
Guess: A 1 gives a φ * at random. If φ * = φ, then A 1 wins, C outputs CDHP's solution xyP = rX i − R. Otherwise, C outputs "failure." From the above discussion, it can be concluded that the H 5 hash provides a valid ciphertext during the Designcryp-tionQuery; therefore, the probability of ciphertext being denied is no more than q 5 /2 k . During the attack process, since A 1 requires C to execute the q d DesigncryptionQuery, the probability of C decryption success is ε d ≥ εq 5 q d /2 k . The H 3 hash satisfies CDHP during the guessing process, so the probability that xyP is correctly calculated by C is at least ε g = 2/nq 3 . in the running time τ ' ≤ τ + ð2q c + 3q d ÞOðτ s Þ, C 's interaction with opponent A 1 makes C overcome CDHP, and the probability advantage is ε ' ≥ ε d ε g ≥ 2ðε − q d q 5 /2 k Þ/ nq 3 ,τ s is the time of the SPMOOECC.

Theorem 23.
There is an opponent A 2 under the IN-CLMS-CA. In the polynomial time τ, if the A 2 wins the Game2 victory with a probability advantage ε that cannot be ignored, (A 2 can request up to q i hash queries H i ði = 1, 2, 3, 4, 5Þ, q c KeyQuery, q e SetSecretValueQuery, q b ExtractPrivateKeyQuery, q pk Set-PublicAndPrivateKeysQuery, q a SigncryptionQuery, and q d DesigncryptionQuery.), then within time τ ' ≤ τ + ð3q c + 3q d Þ Oðτ s Þ, challenger C's interaction with opponent A 2 makes C overcome CDHP with a probability advantage of ε ' ≥ 2ðε − q d q 5 /2 k Þ/nq 3 , τ s is the time of SPMOOECC.
Proof. Under a nonnegligible probability, it is assumed that the opponent A 2 can attack the IN-CMRS-CA security, the probability advantage is ε, and under the stochastic prediction model, A 2 requires challenger C to perform a series of queries. Given ðP, xP, yPÞ, in the time-limited polynomial, C obtains xyP through the opponent A 2 interaction to overcome CDHP. C and opponent A 2 will interact with the following: Setup. C performs the corresponding steps for obtaining the public parameter pars = ðE p , G p , E k , D k , p, P, K = xP, P pub , H 1 , H 2 , H 3 , H 4 , H 5 Þ and master key s ∈Z * p , and then returns the result to A 2 , where x ∈ Z * p . After receiving the result, A 2 outputs L = fID 1 , ID 2 , ID 3 , ⋯, ID n g, where n is a positive integer. H 1 , H 2 , H 3 , H 4 , and H 5 are random predictions controlled by C, the interactions between A 2 and C is similar to Setup in Theorem 20.
Phase 24. A 2 requires C to perform flexible queries and C performs feedback. The details are the following: (1) KeyQuery: C checks if there is a tuple ðID j , SK j , PK j , x j , z j Þ in the list L C . If it exists, C reserves the tuple. Otherwise, C will perform related operations as follows: (a) If ID j = ID i , i = 1, 2, 3, ⋯, n, C selects two integers xj, wj ∈ Z * p at random and computes W j = w j P, y j = w j + H 1 ðID j , X j , W j Þs mod q, Y j = y j P, PK j = ðX j , Y j Þ, and then updates tuples ðID j , SK j , P K j , x j , z j Þ in list L C and ðID j , X j , W j , h j Þ in list L 1 , respectively, where X j = x j P and SK j ⟵ ⊥ (b) If ID j ! = ID i , i = 1, 2, 3, ⋯, n,C selects two integers xj, zj ∈ Z * p at random, and sets X j = x j P, computes y i = z i -H 2 ðx i P pub , ID i Þ, Y j = y j P, PK j = ðX j , Y j Þ, SK j = ðx j , y j Þ, and then updates tuples ðID j , SK j , PK j , x j , z j Þ in list L C and ðID j , X j , W j , h j Þ in list L 1 , respectively (2) SetSecretValueQuery: A 2 requires C to execute SetSe-cretValueQuery for c. Upon receipt of the request, C executes as follows: (a) If ID j = ID i , i = 1, 2, 3, ⋯, n, C sends "failure" to A 2 (b) If ID j ! = ID i , i = 1, 2, 3, ⋯, n, C judges whether or not the tuple ðID j , SK j , PK j , x j , z j Þ exists in list L C .
If yes, C returns x j to A 2 . Otherwise, C uses Key-Query to generate the tuple ðID j , SK j , PK j , x j , z j Þ and sends x j to A 2 .
(3) ExtractPartialPrivateKeyQuery: A 2 requires C to perform ExtractPartialPrivateKeyQuery against ID j . After the recipient receives it, C checks whether there is a tuple ðID j , SK j , PK j , x j , z j Þ in list L C . If it exists, C sends z j to A 2 . Otherwise, C runs KeyQuery to generate tuple ðID j , SK j , PK j , x j , z j Þ and sends z j to A 2 (4) SetPublicAndPrivateKeysQuery: A 2 requires C to perform the public key portion of SetPublicAndPrivate-KeysQuery against ID j . After receiving the request, C checks whether there is a tuple ðID j , SK j , PK j , x j , z j Þ in list L C . If it exists, C sends PK j to A 2 . Otherwise, C runs KeyQuery to generate tuple ðID j , SK j , PK j , x j , z j Þ and sends PK j to A 2 A 2 requires C to perform the private key portion of Set-PublicAndPrivateKeysQuery against ID j . After the recipient receives it, C responded with the following response: (a) If ID j = ID i , i = 1, 2, 3, ⋯, n, C sends "failure" to A 2 (b) If ID j ! = ID i , i = 1, 2, 3, ⋯, n, C judges whether or not the tuple ðID j , SK j , PK j , x j , z j Þ exists in list L C . If yes, C returns SK j to A 2 . Otherwise, C run the KeyQuery to generate the tuple ðID j , SK j , PK j , x j , z j Þ and sends SK j to A 2 (5) SigncryptionQuery: this section is similar to the Sign-cryptionQuery in Theorem 20 10 Journal of Sensors (6) DesigncryptionQuery: this section is similar to the DesigncryptionQuery in Theorem 20 Challenge: A 2 selects plaintext ðM 0 , M 1 Þ at random, they are equal in length, and transmits the result to C. After receiving the result, C.selects φ ∈ f0, 1g at random and obtains the ciphertext C * generated by M φ : (a) Stipulate R = yðPK i + YÞ, rX i = yðPK i + P pub Þ and α i = H 3 ðrX i , ID i Þ, i = 1, 2, 3, ⋯, n, Y = K + P pub (b) Select ξ ∈ Z * p at random and define the formula: (c) Calculate k = H 3 ðξÞ, J * = E k ðM φ kID s Þ and h = H 5 m, ID s , X s , Y s , J, R, a 0 , a 1 , ⋯:a n ð Þ ; ð15Þ (d) Select z ∈ Z * p at random (e) Output the ciphertext C * = ðJ * , R, z, h, a 0 , a 1 , ⋯, a n−1 Þ to A 2 Phase 25. A 2 requires C to perform the same queries as Phase 4, but A 2 cannot run the DesigncryptionQuery against C * . Guess: A 2 gives a φ * at random. If φ * = φ, then A 2 wins, C outputs CDHP's solution xyP = R − rX i . If not C outputs "failure." From the above discussion, it can be concluded that the H 5 hash provides a valid ciphertext during the Designcryp-tionQuery, therefore, the probability of ciphertext being denied is no more than q 5 /2 k . During the attack process, since A 2 requires C to execute the q d DesigncryptionQuery, the probability of C decryption success is ε d ≥ εq 5 q d /2 k . The H 3 hash satisfies CDHP during the guessing process, so the probability that xyP is correctly calculated by C is at least ε g = 2/nq 3 . In the running time τ ' ≤ τ + ð3q c + 3q d ÞOðτ s Þ, C's interaction with opponent A 2 makes C overcome CDHP, and the probability advantage is τ s ðτ s Þε ' ≥ 2ðε − q d q 5 /2 k Þ/ nq 3 , τ s is the time of the SPMOOECC.

Theorem 26.
There is an opponent A 1 under the SU-CMRS-PA. In the polynomial time τ, if the A 1 wins the Game3 victory with a probability advantage that cannot be ignored (A 1 can obtain queries similar to that obtained by A 1 in Theorem 20), then within time τ ' ≤ τ + ð2q c + 2q a ÞOðτ s Þ, challenger C can overcome CDHP by interacting with opponent A 1 with a probability advantage of ε ' ≥ ðεq a /2 k Þ/2, τ s is the time of SPMOOECC.
Proof. Under a nonnegligible probability, it is assumed that the opponent A 1 can attack the SU-CMRS-PA security, the probability advantage is ε, under the stochastic prediction model, A 1 requires challenger C to perform a series of queries. Given ðP, xP, yPÞ, in the time-limited polynomial, C obtains xyP through the opponent A 1 interaction to overcome CDHP. C and opponent A 1 will interact with the following: Setup. The process is similar to Setup in Theorem 20.
Attack: A 1 requires C to perform flexible queries similar to Phase 4 in Theorem 20.
Forgery: A 2 falsifies ciphertext C * = ðJ, R, z, h, a 0 , a 1 , ⋯, a n−1 Þ using L = fID 1 , ID 2 , ⋯, ID n g and a plaintext M. If the formula σP = X s + Y s + h s R can be established, C * faked successfully, defining PK ' i = y −1 PK i and rX i = yðPK i + P pub Þ, C calculates rX i = PK i ' + xyP, and outputs xyP = rX i − PK i , xy P is the CDHP's solution. Otherwise C returns "failure".
From the above discussion, it is concluded that the probability of success of the q a SigncryptionQuery is at least ε a = ε − q a /2 k : calculates xyP in the forgery process, and the probability of xP correct is at least ε g = 1/2. Therefore, C can overcome CDHP by interacting with opponent A 1 within the running time τ ' ≤ τ + ð2q c + 2q a ÞOðτ s Þ, and the probability advantage is ε ' ≥ ε a ε g= ðεq a /εq a Þ/2. τ s is the time of the SPMOOECC.

Theorem 27.
There is an opponent A 2 under the SU-CMRS-PA. In the polynomial time τ, if the A 2 wins the Game4 victory with a probability advantage ε that cannot be ignored (A 2 can obtain queries similar to that obtained by A 2 in Theorem 23), then within time τ ' ≤ τ + ð3q c + 2q a ÞOðτ s Þ, challenger C can overcome CDHP by interacting with opponent A 2 with a probability advantage of ε ' ≥ ðε − q a /2 k Þ/2, τ s is the time of SPMOOECC.
Proof. Under a non-negligible probability, it is assumed that the opponent A 2 can attack the SU-CMRS-PA security, the probability advantage is ε, under the stochastic prediction model, A 2 requires challenger C to perform a series of queries. Given ðP, xP, yPÞ, in the time-limited polynomial, Challenger C obtains xyP through the opponent A 2 interaction to overcome CDHP. The details are the followings: Setup. The process is similar to Setup in Theorem 23.
Attack: A 1 requires C to perform flexible queries similar to Phase 4 in Theorem 23.
Forgery: A 2 falsifies ciphertext C * = ðJ, R, z, h, a 0 , a 1 , ⋯, a n−1 Þ using L = fID 1 , ID 2 , ⋯, ID n g and a plaintext M. If the formula σP = X s + Y s + h s R can be established, C * faked successfully, defining PK ' i = y −1 PK i and rX i = yðPK i + P pub Þ, C calculates rX i = PK i + xyP and outputs xyP = rX i − PK i , xyP is the CDHP's solution. Otherwise C returns "failure." From the above discussion, it is concluded that the probability of success of the q a SigncryptionQuery is at least ε a = ε − q a /2 k calculates xyP in the forgery process, and the 11 Journal of Sensors probability of xyP correct is at least ε g = 1/2 Therefore, in the running time τ ' ≤ τ + ð3q c + 2q a ÞOðτ s Þ, C's interaction with opponent A 2 makes C overcome CDHP, and the probability advantage is ε ' ≥ ε a ε g= ðεq a /2 k Þ/2. τ s is the time of the SPMOOECC.

Theorem 28.
There is an opponent A 1 under the ANO-CMRS-CA. In the polynomial time τ, if the A 1 wins the Game5 victory with a probability advantage ε that cannot be ignored (A 1 can obtain queries similar to that obtained by A 1 in Theorem 20), within time τ ' ≤ τ + ð2q c + 3q d ÞOðτ s Þ, challenger C can overcome CDHP by interacting with opponent A 1 with a probability advantage of ε ' ≥ ðε − q d q 5 /2 k Þ/ nq 3 , τ s is the time of SPMOOECC.
Proof. Under a non-negligible probability, it is assumed that the opponent A 1 can attack the ANO-CMRS-CA security, the probability advantage is ε, under the stochastic prediction model, A 1 requires challenger C to perform a series of queries. Given ðP, xP, yPÞ, in the time-limited polynomial, C obtains xyP through the opponent A 1 interaction to overcome CDHP. The details are the followings: Setup. C execution of this algorithm is used to generate the public parameter pars = ðE p , G p , E k , D k , p, P, P pub = xP, H 1 , H 2 , H 3 , H 4 , H 5 Þ and the master key s = a ∈ Z * p , then sends the pars to the A 1 and secretly saves s. After the A 1 receives the pars, the A 1 outputs L = fID 0 , ID 1 g, where n is a positive integer. H 1 , H 2 , H 3 , H 4 , and H 5 are all random oracles, they are controlled by C. The interaction is similar to Setup in Theorem 20, and the two sides of the interaction are A 1 and C.
Phase 29. A 1 makes a series of queries to C like Phase 4 in Theorem 20.
Challenge: A 1 selects the target identifier L * = fID 2 , ID 3 , ⋯, ID n g and plaintext M, and sends L * and M to C. After receiving, C selects a bit e ∈ f0, 1g and uses the new target identifier L * * = fID e , ID 2 , ID 3 , ⋯, ID n g to obtain the ciphertext C * : Select ξ ∈ Z * p at random and define the formula: (c) Calculate k = H 3 ðξÞ, J * = E k ðM φ kID s Þ and h * = H 4 ðM, ID s , X s , Y s , J, R, a 0 , a 1 ,: ⋯ a n Þ (d) Select z ∈ Z * p at random (e) Output the ciphertext C * = ðJ * , R, z, h, a 0 , a 1 , ⋯, a n−1 Þ to A 1 Phase 30. A 1 requires C to execute the queries, and the contents are similar to Phase 5, but A 1 cannot run the Design-cryptionQuery against C * . Guess: A 1 gives a e * at random. If e * = e, then A 1 wins, C outputs CDHP's solution xyP = rX i − R . If not, C outputs "failure." From the above discussion, it can be concluded that the H 5 hash provides a valid ciphertext during the Designcryp-tionQuery, therefore, the probability of ciphertext being denied is no more than q 5 /2 k . During the attack process, since A 1 requires C to execute the q d DesigncryptionQuery, the probability of C decryption success is ε d ≥ εq 5 q d /2 k . The H 3 hash satisfies CDHP during the guessing process, so the probability that xyP is correctly calculated by C is at least ε g = 1/nq 3 C can solve CDHP by interacting with opponent A 1 in the running time τ ' ≤ τ + ð2q c + 3q d ÞOðτ s Þ, and the probability advantage is ε ' ≥ ε d ε g ≥ ðε − q d q 5 /2 k Þ/nq 3 , τ s is the time of the SPMOOECC.
Theorem 31. There is an opponent A 2 under the ANO-CMRS-CA In the polynomial time τ, if the A 2 wins the Game6 victory with a probability advantage ε that cannot be ignored (A 2 can obtain queries similar to that obtained by A 2 in Theorem 23.), then within time τ ' ≤ τ + ð3q c + 3q d ÞOðτ s Þ, challenger C can overcome CDHP by interacting with opponent A 2 with a probability advantage of ε ' ≥ ε − q d q 5 /2 k /nq 3 , τ s is the time of SPMOOECC.
Proof. Under a nonnegligible probability, it is assumed that the opponent A 2 can attack the ANO-CMRS-CA security, the probability advantage is ε, under the stochastic prediction model, A 2 requires challenger C to perform a series of queries. Given ðP, xP, yPÞ, in the time-limited polynomial, C obtains xyP through the opponent A 2 interaction to overcome CDHP. The details are the followings: Setup. C performs the corresponding steps for obtaining the public parameter pars = ðE p , G p , E k , D k , p, P, K = xP, P pub , H 1 , H 2 , H 3 , H 4 , H 5 Þ and master key s ∈ Z * p and then returns the result to A 2 , where x ∈ Z * p . After receiving the result, A 2 outputs L = fID 0 , ID 1 g. H 1 , H 2 , H 3 , H 4 , and H 5 are random predictions controlled by C. The interaction is similar to Setup in Theorem 20, and the two sides of the interaction are A 2 and C.
Phase 32. A 2 makes a series of queries to C like Phase 4 in Theorem 23.
Challenge: A 2 selects the target identifier L * = fID 2 , ID 3 , ⋯, ID n gand plaintext M and sends L * and M to C. After receiving, C selects a bit e ∈ f0, 1g and uses the new target identifier L * * = fID e , ID 2 , ID 3 , ⋯, ID n g to obtain the ciphertext C * : (a) Calculate R = yðPK i + YÞ, rX i = yðPK i + P pub Þ and Journal of Sensors (b) Select ξ ∈ Z * p at random and define the formula: (c) Calculate k = H 3 ðξÞ, J * = E k ðM φ kID s Þ and h * = H 4 ðM, ID s , X s , Y s , J, R, a 0 , a 1 ,: ⋯ a n Þ (d) Select z ∈ Z * p at random (e) Output the ciphertext C * = ðJ * , R, z, h, a 0, a 1 , ⋯, a n−1 Þ to A 2 Phase 33. A 2 requires C to perform the same queries as Phase 5, but A 2 cannot run the DesigncryptionQuery against C * . Guess: A 2 gives a e * at random. If e * = e, then A 2 wins, C outputs CDHP's solution xyP = R − rX i . If not C outputs "failure." From the above discussion, it can be concluded that the H 5 hash provides a valid ciphertext during the Designcryp-tionQuery; therefore, the probability of ciphertext being denied is no more than q 5 /2 k . During the attack process, since A 2 requires C to execute the q d DesigncryptionQuery process, the probability of C decryption success is ε d ≥ εq 5 q d /2 k . The H 3 hash satisfies CDHP during the guessing process, so the probability that xyP is correctly calculated by C is at least ε g = 1/nq 3 . In the running time τ ' ≤ τ + ð3q c + 3q d ÞOðτ s Þ, C's interaction with opponent A 2 makes C overcome CDHP, and the probability advantage is ε ' ≥ ε d ε g ≥ ðε − q d q 5 /2 k Þ/nq 3 , τ s is the time of the SPMOOECC.

Efficiency Analysis and Functional Comparison
Schemes in [25,27,29,30] and our scheme are based on certificateless signcryptions. To reflect the superiority of our scheme, we will compare our scheme with them in terms of functions and efficiency.

Functional Comparison.
We have compared the functions of our scheme and the functions of schemes in [25,27,29,30], as shown in Table 2.
From the graph, we can get the following results, schemes in [25,27,29,30] do not satisfy decryption fairness and do not guarantee that each recipient has the same chance of decryption. Schemes in [25,29,30] are not anonymous to the recipient, which may result in the disclosure of the recipient information, greatly reducing the encryption effect. Schemes in [25,27,29] cannot implement the verifiability of partial private key, which means they can be attacked by malicious KGC. Schemes in [27,29,30] have no signature function and cannot prevent an attacker from sending an unreliable messages.

Efficiency Analysis.
For the sake of comparison, we have defined some symbols to represent the calculation of different operations in the encryption process and the decryption process, and the corresponding data is taken from [26]. We only consider the calculations defined in Table 3, because what is shown in Table 3 is the key to computational performance.
With the integration of encryption and decryption processes, as shown in Table 4, Figures 3 and 4, our scheme is Selvi et al. [25] N N N Y Hung et al. [27] N Y N N Zhu et al. [29] N N N N Win et al. [30] N N Y N Our program Y Y Y Y   [25,27,29,30], because the scheme in [25] and scheme in [29] use the BPO, scheme in [27] uses the BPO and MTPHF, and scheme in [30] uses lots of SPMOOECC. In this way, these operations all cause a lot of overheads, making the scheme less efficient. Our scheme also uses SPMOOECC, but we attempt to reduce the number of SPMOOECC. Therefore, the performance of our scheme is superior to the scheme in [25,27,29,30].  Selvi et al. [25] Hung et al. [27] Zhu et al. [29] Win et al. [30] Our scheme  Selvi et al. [25] Hung et al. [27] Zhu et al. [29] Win et al. [30] Our scheme Time of a modular multiplication (T m ) Figure 4: Efficiency in decryption/designcryption. The unit is T m .

Conclusion
In this paper, we propose a CMRS scheme of high efficiency for ecological data sharing. After functional analysis, our scheme satisfies the security requirements, and it solves the problems of decryption fairness, recipient anonymity, and so on. After efficiency analysis, our scheme has high efficiency. It does not use BPO, but uses SPMOOECC for encryption and decryption, and ensures that SPMOOECC is used as little as possible, which greatly improves the efficiency of our scheme. After analysis, we can conclude that our scheme can be well applied to ecological data sharing.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.