CLE against SOA with Better Data Security Storage to Cloud 5G

Cloud 5G and Cloud 6G technologies are strong backbone infrastructures to provide high data rate and data storage with low latency for preserving QoS (Quality of Service) and QoE (Quality of Experience) in applications such as driverless vehicles, drone-based deliveries, smart cities and factories, remote medical diagnosis and surgery, and artificial-intelligence-based personalized assistants. .ere are many techniques to support the aforementioned applications, but for privacy preservation of Cloud 5G, the existing methods are still not sufficient. Public key encryption (PKE) scheme is an important means to protect user data privacy in Cloud 5G. Currently, the most common PKE used in Cloud 5G is CCA or CPA secure ones. However, its security level maybe not enough. SOA security is a stronger security standard than CPA and CCA. Roughly speaking, PKE with SOA security means that the adversary is allowed to open a subset of challenger ciphertexts and obtains the corresponding encrypted messages and randomness, but the unopended messages and randomness remain secure in the rest of the challenger ciphertexts. Security against SOA in PKEs has been a research hotspot, especially with the wide discussion in Cloud 5G. We revisited the SOA-CLE and proposed a new security proof, which is more concise and user friendly to understand privacy preservation in Cloud 5G applications.


Introduction
Cloud 5G achieves high data transmission speed, large data storage, and low latency mobile communication. According to the inherent property of electromagnetic waves: the higher the frequency, the shorter the wavelength, so it tends to propagate like a straight line. From the last few years, we have witnessed a paradigm shift with a major focus on mission critical applications and ultra-reliable low latency applications (URLCC) such as AR/VR, autonomous vehicles, e-healthcare, smart education, and so on, the aim of which is to provide QoS (Quality of Service) and QoE (Quality of Experience) to the end users with high data storage and low latency. Starting from driverless vehicles and drone-based deliveries, smart cities and factories, remote medical diagnosis and surgery, and artificial-intelligencebased personalized assistants, there is enormous number of applications around us which require strong network backbone infrastructure for QoS and QoE preservation.
Based on the above applications and the advantages in Cloud 5G, in the years to come, Cloud 5G and Cloud 6G technologies are expected to provide high data rate with low latency and large data storage for preserving QoS and QoE. Although there are many techniques in the literature which can resolve these issues, the existing methods are still not sufficient to privacy preservation in the application in Cloud 5G. Hence, secure protocols and encryption schemes are required to resolve the aforementioned issues. Public key encryption (PKE) scheme is an important means to protect user data privacy in Cloud 5G. Currently, the most commonly used means to protect user data privacy is CPA (chosen-plaintext attacks) or CCA (chosen-ciphertext attacks) secure PKEs where the latter provides the decryption queries and thus is stronger than the former. However, SOA is a stronger security standard than CCA because the SOA security allows additional opening partial ciphertexts. Specially, in particular, due to the inherent advantages of certificateless public key (CLE), it solves the certificate management problem in the traditional public key cryptography and the key-escrow problem [8] in IBE schemes. Security against SOA in CLEs has been a research hotspot, especially with the wide discussion in Cloud 5G [11,12]. In this paper, we focus on the research on the SOA secure CLE. e definition of SOA was first proposed by Dwork et al. at FOCS99 [4], which is an important target to measure the security of PKE. SOA security mainly applies to multipleuser settings where a subset of the challenge ciphertexts is allowed to open for the adversary. From the opened ciphertexts, the adversary can get not only the message but also the randomness. e question that we want to solve is how to make the remaining unopened ciphertexts secure? Following Dwork's work, SOA secure IBE and public key encryption (PKE) with SOA security have been widely developed [2,5,7]. CLE is another form of public key encryption system. Compared with IBE and PKE, CLE has the advantages of removing the certificate management in PKIbased PKE and key escrow in IBE. However, the study on CLE with SOA security is still rare.
1.1. Motivation. In the CLE system, a user's private key is jointly generated by the KGC and the user. e user's public key is generated by using the secret value generated by itself instead of the identity information. Obviously, compared with PKI-based PKE (hereafter, we abbreviated "PKI-based PKE" as "PKE") and IBE, CLE removes the disadvantages that exist in both schemes, namely, the certificate transaction in PKE and key escrow in IBE. Due to the merits of this notion, many CLEs with various security models (e.g., IND-CPA [9] and IND-CCA [1,13]) were presented. As in PKE and IBE settings, implementing SOA security in CLE is also important. However, the particular security model makes constructing CLEs with SOA security more intractable. With more and more applications for CLE (such as cloud computing), implementing SOA security in CLE becomes more and more critical. In 2016, Wang et al. proposed an SOA secure CLE [14] under the standard DDH assumptions where the scheme is user friendly in construction and more efficient in practical applications. Recently, the relative discussions about Cloud 5G have become a new research focus, especially its data security and privacy protection. Due to the notable efficiency and security level, SOA secure CLE has been regarded as one of the most practical candidate encryption algorithms for Cloud 5G. However, we find that there are still some disadvantages needed to avoid such as complex security proof and obscure proof process. Based on this, we revisited the scheme in [14] and improved the security proof to make it more concise and easier to understand. [14]. In the scheme of [3], the authors proposed a one-sided publicly opening identitybased encryption scheme (1SPO-IBE) and, based on which, constructed an IBE scheme with SOA security. Adopting the similar method, the authors in [14] resolved the SOA security in CLE. More concretely, they first proposed a one-sided publicly opening certificateless encryption scheme (1SPO-CLE). en, based on the proposed 1SPO-CLE, they presented a CLE scheme that is SOA secure in the case of two-type adversary model (i.e., CLE security model where an adversary refers to a user who is granted the ability to change the public key but does not know the master key; another one means the malicious KGC, who is not granted the ability to change the public key but knows the master secret key). e core idea is that we first combined one-bit CLE and 1SPO to generate a 1SPO-CLE with IND-CPA security in the CLE settings and then showed that a multi-bit CLE scheme with SOA security can be constructed from the 1SPO-CLE scheme under the one-time signature and CDH assumptions.

Reviewing the Contribution in
1.3. Revisiting the Reduction from SOA to CPA in [14]. In [14], the authors constructed an IND-CPA secure 1SPO-CLE scheme by combining the 1SPO and one-bit CLE scheme. A CLE scheme that encrypts 1 bit messages is called 1SPO if it is possible, given the public parameter par, public key PK id , and the ciphertext c that encrypts message 0 with the randomness r to efficiently open the ciphertext c into another randomness used to encrypt message 1. In particular, the opening process is required to be done without any secret information. Furthermore, they proved that if the 1 bit 1SPO-CLE is IND-CPA secure, then the multi-bit CLE from it is SOA secure. Specifically, the encryption process is performed as follows. If the message is 1, then the encryption process follows specific rules and the correctness of the resulted ciphertext can be checked with some secret information; otherwise, the generated ciphertext is sampled randomly and uniformly from the ciphertext space. As stated in [3], the domain used as the ciphertext space is also required to have the property of sampleability and invertible sampleability in order to guarantee that the resulted scheme has the property of 1SPO. [14]. In [14], the authors gave a concrete construction based on one-time signature and CDH assumptions. Specifically, the 1SPO-CLE is designed as follows. Assume G 1 and G 2 are both sampleable and invertibly sampleable domains as in [3]. If the encrypted message is 1, then the encryption of 1 is processed as c � (c 1 , c 2 , σ, svk)⟵Encrypt ex (par, PK id , 1), where par is the public parameter and PK id is the public key, and the first two values c 1 , c 2 have certain structure and the value σ is a signature for certain medians generated in the encryption, while the last value svk is the signature verification key. If the encrypted message is 0, then the first three elements of its encryption are all random. In particular, if c is an encryption of 1, then the medians u, K, and r can be always correctly recovered from c with the private key SK id . en, using these medians and the output of the equations sign · Ver(svk, σ, u, id) � 1 and u x id � PK H 2 (K‖PK id ‖id) id , the decryption algorithm Decryp ex (par, c, SK id ) decides whether the ciphertext c encrypts 0 or 1, where x id is the secret value. [14]. In this paper, we revisited the IND-CPA security proof of the 1 bit 1SPO-CLE scheme. Since the security proof in [14] is long and unintelligible, we do not intend to describe the difference between their scheme and ours. Below, we will directly describe our proof ideas and proof process. IND-CPA security means that given a ciphertext, no PPT adversary could distinguish which bit has been encrypted even if the adversary has the ability to replace public key or knows the master key (i.e., type 1 adversary and type 2 adversary) in the SOA security game. We present the proof of IND-CPA security for our concrete construction (for 1SPO-CLE scheme) under the two types of attacks defined in CLE. Briefly, under type 1 attack (where the adversary is granted the ability to change the public key but does not know the master key), we reduce the IND-CPA security to the assumption of one-time signature, where the reduction (the adversary that breaks one-time signature) performs the simulation itself except that the signature part is constructed by querying its signing oracle. However, unfortunately, under type 2 attack (where the adversary knows the master key but cannot change the public key), when we try to complete the reduction from the IND-CPA security to the CDH assumption, some obstacles arise. Namely, in the construction of challenge ciphertext, since the value r, as the exponent part of the challenge g r , is unknown to the CDH adversary, it results in that the c 1 � rQ id * P + rP pub part cannot be computed. Luckily, we find a way to solve this problem. Specifically, we do this by allowing the reduction algorithm (the CDH adversary) to query its CDH challenger to obtain c 1 . Of course, to do this, we assume that computing r from rP is not easier than computing r from g r . In fact, this can be done over the elliptic curve groups.

Other Related Work.
We note that in the past few years, there emerged many remarkable SOA secure systems in PKE setting such as the schemes proposed by Bellare et al. [2], Fehr et al. [5], and Huang et al. [6]. Recently, SOA secure IBE also made rapid progress. In 2011, Bellare et al. [3] proposed two SO-CPA secure IBEs. In 2014, Lai et al. [10] proposed SO-CCA secure IBE using cross authentication codes. In 2016, Wang et al. proposed an SO-CPA secure CLE scheme [14] which avoids the problem of certificate management in PKE settings and key escrow in IBE settings. However, the security proof in [14] is complex and ambiguous.

Our Contribution.
Our SO-CPA secure certificateless encryption scheme (CLE) is constructed based on the technique of one-sided public openability (1SPO) and onebit CPA secure CLE. Specifically, by combining the techniques of 1SPO and one-bit CLE, we construct an IND-CPA secure 1SPO-CLE scheme. 1SPO means that given a system parameter par, public key PK id , and a ciphertext c encrypting message 0 under randomness r, it enables to open the ciphertext c to another message and randomness pair (1, r ′ ).
is method is very challenging since the opening process does not need any secret key to participate in. Interestingly, by revisiting, we found that this method can provide us concise security proof in order to obtain the desired security.
In particular, this design implies that 1 bit 1SPO-CLE with IND-CPA security implies multi-bit CLE with the same security. In more detail, the scheme is outlined as follows. If the encrypted message is 1, then its ciphertext preserves a certain structure and can be detected with some secret information. On the contrary, if the encrypted message is 0, its ciphertext takes on a random status and thus is not checkable due to its unstructured property. ese properties described above are just what we need for revisiting the CLE with SO-CPA security in [14].

Preliminary
In the following, we give several assumptions used in this paper.
(i) sign.Skg(1 λ ): taking a security parameter 1 λ as input, this algorithm outputs a signature/verification key pair (ssk, svk). sign.Sig(ssk, m): on input signature key ssk and a message m ∈ M, this algorithm outputs a signature σ. sign.Ver(svk, (m, σ)): on input a verification key svk, a signature σ and a message m, this algorithm outputs 1, if σ is valid, and 0 otherwise.
Definition 1 (discrete logarithm assumption (DL)). Assume that G is a multiplicative group with prime order q and g ∈ G is a generator. Given g, y � g a , computing is difficult, where a⟵ $ 0, . . . , q − 1 . Formally, for all probabilistic polynomial time (short for PPT) adversary A, there exists a negligible function negl such that Adv DL is a negligible function in the security parameter λ.
Definition 2 (computational Diffie-Hellman assumption). Assume that G is a cyclic group with prime order q and g ∈ G is a generator. Given g, g a , g b , computing g ab is difficult, where a, b⟵ $ 0, . . . , q − 1 . Formally, for all PPT adversary A, there exists a negligible function negl such that: Definition 3 (one-time signature). Let M be message space, R be randomness space, and S be the signature space. A signature scheme sign � (sign.Skg, sign.Sig, sign.Ver) consists of three (probabilistic) polynomial time algorithms: We say that a message/signature pair (m, σ) is valid if for all λ, all (ssk, svk)⟵sign.Skg(1 λ ), all m ∈ M, and all σ⟵sign.Sig(ssk, m), the equation sign.Ver(svk, (m, σ)) � 1 holds.
We say that a signature scheme sign � (sign.Skg, sign.Sig, \\sign.Ver) is one-time unforgeable under chosen-message attack if for any PPT adversary A, Security and Communication Networks the success probability of A in the following experiment (see Figure 1) is negligible. Figure 1.

Detailed Legend for
is figure describes onetime unforgeability experiment for one-time signature denoted in Section 2, where an adversary and a challenger participate in the experiment and interact with each other. Specifically, in this experiment, the challenger first invokes the algorithm (ssk, svk)⟵sign.Skg(1 λ ) to generate a pair of signature key and verification key (ssk, svk). e signature key ssk is used to sign a message and the verification key svk is used to verify whether a given signature is valid. Given a verification key, the adversary outputs a message/signature forge pair (m * , σ * ) with multiple times of signature queries to oracle O sign.Sig ssk (·). When the message/signature forge does not belong to the queried items to oracle O sign.Sig ssk (·) and the forge can verify, the experiment outputs 1 which denotes that the adversary wins the experiment. Particularly, the oracle O sign.Sig ssk (·) means that when an adversary delivers a message m, the oracle returns a signature σ.
In the above experiment, we allow the adversary to query O sign.Sig ssk (·) oracle only one time. Assume that the adversary output a message/signature pair satisfying (m * , σ * ) ≠ (m, σ) and sign.Ver(svk, (m * , σ * )) � 1. en, we say that the adversary gives a successful forge. Formally, the scheme sign is unforgeable, if there exists a negligible function negl such that Adv otUF sign,A (λ) � Pr Exp otUF sign,A (λ) � 1 . Note that the Sample algorithm has sampling failure probability ζ if the sampling algorithm Sample outputs ⊥ with probability at most ζ and invertible sampling failure probability θ if the invertible algorithm Sample − 1 outputs ⊥ with probability at most θ.
Definition 5 (one-sided public openability (1SPO)). A scheme has the 1SPO property if for a ciphertext C � (c 0 , c 1 ) which is the encryption result of 0 under identity ID and public key PK, where c 0 and c 1 are randomly distributed over an efficiently sampleable and invertible domain G w.r.t. algorithms Sample and Sample − 1 , there exists an algorithm P Open To Zero (PK, ID, C � (c 0 , c 1 )) that can use the algorithm Sample − 1 to open (c 0 , c 1 ). Namely, (R 0 , R 1 )⟵ P Open(PK, ID, (c 0 , c 1 )) with R 0 ⟵Sample − 1 (G, c 0 ) and R 1 ⟵Sample − 1 (G, c 1 ).

Extractable 1SPO-CLE
3.1. Extractable 1SPO-CLE. An extractable certificateless encryption consists of the following algorithms: (i) Setup: the algorithm Setup ex (1 λ ) takes a security parameter λ as input and outputs a master key msk and a public parameter par, where par defines an identity space v and ciphertext space Space c . (ii) Partial private key generation: the algorithm ParPrivKeyGen ex (par, id, msk) takes a public parameter par, an identity id ∈ Space id , and a master key msk as input and outputs the partial private key d id . (iii) Secret key generation: the algorithm SecValGen ex (par, id) takes an identity id and the public parameters par as input and outputs the secret value x id . (iv) Private key generation: the algorithm PrivKeyGen ex (par, d id , x id ) takes the public parameter par, a user's partial private key d id , and secret value x id as input and outputs the private key SK id � (d id , x id ). (v) Public key generation: the algorithm PubKeyGen ex (par, x id ) takes a public parameter par and a user's secret value x id as input and outputs the user's public key PK id . (vi) Encryption: the algorithm Encrypt ex (par, m, PK id ) takes a public parameter par, a message m ∈ 0, 1 { }, and a user's public key PK id and returns the ciphertext c by using the defined algorithm if m � 1; otherwise, it returns c by sampling randomly from the ciphertext space. (vii) Decryption: the algorithm Decrypt ex (par, c, SK id ) takes a public parameter par, a ciphertext c, and a private key SK id as input and outputs m ∈ 0, 1 { }. (viii) Correctness: the correctness follows that in [14]; here we omitted it in order to save space.
Definition 6 (see [5] (1SPO-CLE)). An extractable 1SPO-CLE is a scheme with the property of one-sided public openability in the CLE setting and is associated with a PPT public algorithm P Open To Zero, so that for all (par, msk) ⟵Setup ex (1 k ), c⟵Encrypt ex (par, 0, PK id ), PK id ⟵PubKeyGen ex (par, x id ), x id ⟵SecValGen ex (par, id) and id ∈ Space id , P Open To Zero(par, PK id , c) distributes uniformly at random over Coins(par, PK id , c, 0). Here, Coins(par, PK id , c, 0) represent the set of random coins R|c � { Encrypt ex (par, 0, PK id ; R)}.
As described in [14], the multi-bit 1SPO-CLE can be constructed from 1 bit 1SPO-CLE. Since the concrete construction and security overlap with that in [14], here we do not dwell on it, but, for completeness, we describe it in Appendices A and B.

Construction.
In this section, we describe the 1SPO-CPA secure 1-bit CLE scheme. We mainly focus on the following algorithms: Setup. e algorithm Setup ex (1 λ ) first takes a security parameter λ as input and then runs a group generator GR(λ) to get a group description (G 1 , G 2 , e, q). Here, G 1 and G 2 are both groups of prime order q, G 1 is an additive group, and G 2 is a multiplicative group. We also notice that both G 1 and G 2 are efficiently sampleable and invertible domain associated with algorithms Sample and Sample − 1 shown in [3]. e: G 1 × G 1 ⟶ G 2 is a non-degenerate bilinear map, and P is a non-zero generator of G 1 ⟶ G 1 be three hash functions. Pick s⟵ $ Z * q , set master key msk: � s, and compute P pub � sP and g � e(P, P) ∈ G 2 . Let sign � (sign.Skg, sign.Sig, sign.Ver) be one-time signature scheme with signature space G 2 . Finally, the public parameter is set as par: � (G 1 , G 2 , e, q, P), P pub , g}.
Partial Private Key Generation. e algorithm ParPrivKeyGen ex (par, id, msk) first takes the public parameter par, an identity id ∈ 0, 1 { } l , and the master secret key msk as input and proceeds as follows. It computes the partial private key d id � (1/(s + H 1 (id)))P ∈ G 1 . is can be done since if q is large enough, the probability that the unlikely event s + H 1 (id) � 0(modq) happens is negligible.

Secret Key Value Generation.
e algorithm SecValGen ex (par, id) first takes the public parameters par and an identity id as input and then randomly selects a value x id ⟵Z * q as the secret value. Private Key Generation. e algorithm PrivKeyGen ex (par, d id , x id ) first takes the public parameter par, the partial private key d id , and the secret value x id as input and then returns SK id � (d id , x id ) as the private key.

Public Key Generation.
e algorithm PubKeyGen ex (par, x id ) first takes the public parameter par and the secret value x id as input and then computes the public key PK id � g x id . Encryption.
Decryption. e algorithm Decrypt ex (par, c, SK id ) takes the public parameter par, a ciphertext c, and a private key SK id as input. To decrypt a ciphertext c � (c 1 , c 2 , σ, svk), firstly compute u � e(c 1 , d id ) � g r and K � c 2 − H 3 (u, u x id ) and verify whether sign.Ver(svk, σ, u, id) � 1 holds; if not, outputs ⊥; otherwise, verify whether u x id � PK sign.Ver(svk, σ, u, id) � 1, and u x id � PK H 2 (K,PK id ,id) id hold, so the decryption always recovers 1. If c � (c 1 , c 2 , σ, svk) is the encryption of 0, since c 1 ⟵ $ Sample G 1 , c 2 ⟵ $ Sample G 1 and σ⟵ $ Sample G 2 are sampled uniformly and randomly. So, ] ≤ (1/q(λ)) (we assume that q(λ) is large enough which, in turn, results in a negligible quantity for (1/q(λ))). Proof. We first prove that, for type 1 adversary, the security can be reduced to the security of one-time signature scheme sign and then prove that, for type 2 adversary, the security can be reduced to the computational Diffie-Hellman assumption (short for CDH). In the following, we describe the reduction between the adversary A sig (which tries to break the one-time signature scheme) and the type 1 adversary A 1 and the reduction between the adversary A cdh (which tries to break the CDH assumption) and the type 2 adversary A 2 , respectively.

Type 1 Adversary
Setup: the adversary A sig (which has the signing verification key svk) first generates the public parameter par: � (G 1 , G 2 , e, q, P), P pub , g and the master key s, where P pub � sP and g � e(P, P) ∈ G 2 , and then sends the public parameter par to the adversary A 1 . Partial private key query: on receiving the identity id, if id ∉ ChID, where ChID is the challenge identity set, the adversary A sig invokes the partial private key generation algorithm to obtain the partial private key d id and sends it to the adversary A 1 ; otherwise it aborts. Concretely, the adversary A sig first queries the random oracle H 1 to get Q id and then computes d id � (1/(s + Q id ))P ∈ G 1 . Note that the oracle H 1 here is stateful and assume that all oracles in the following are stateful.
Private key query: on receiving the identity id, if id ∉ ChID, where ChID is the challenge identity set, A sig first invokes the secret value generation algorithm and the partial private key generation algorithm to get the secret value x id and the partial private key d id and then sets the private key as SK id � (d id , x id ), i.e., SK id � (1/(s + H 1 (id))P, x id ); otherwise it aborts.
Public key query: on receiving the identity id, A sig first invokes the secret value generation algorithm to get x id and then computes the public key as PK id � g x id .
Replace public key query: on receiving the identity id, A sig replaces the original public key PK id � g x id with the new public key PK id ′ � g x id ′ .
Challenge: on receiving the challenge identity id * and the challenge message m 0 � 0, m 1 � 1 and the public key PK id * , the adversary A sig computes challenge ciphertext as follows.
If m b � 1, do the following steps.
(3) Compute g r and PK r id * , and then for (g r , PK r id * ), query oracle H 3 to get h. (4) Compute c 1 � rQ id * P + rP pub and c 2 � K + h. (5) For (g r , id * ), query signature oracle to get σ.
From above, we can see that the adversary A sig provides perfect simulation for A 1 . Now we do the following analysis.
Analysis: let the challenge ciphertext c � (c 1 , c 2 , σ, svk). In the experiment, since A 1 does not know d id * , it cannot compute the value u � g r . Assume A 1 guess u ′ � g r′ randomly.
en, by the one-time signature scheme sign, the verification equation sign.Ver(svk, σ, u ′ , id * ) � 1 does not hold with overwhelming probability.

Type 2 Adversary
Setup: the adversary A cdh (which has the challenge (PK id * , u � g r )) first generates the public parameter par: � (G 1 , G 2 , e, q, P), P pub , g and the master key s, where P pub � sP and g � e(P, P) ∈ G 2 , and then sends the public parameter par to the adversary A 2 .
Private key query: in this phase, If id ∉ ChID, where ChID is the challenge identity set, the adversary A cdh first invokes the secret value generation algorithm to get secret value x id and computes partial private key d id , and then sets the private key as SK id � (d id , x id ), i.e., SK id � (1/(s + H 1 (id))P, x id ).
Public key query: in this phase, if id ∉ ChID, the adversary A cdh first invokes the secret value generation algorithm to get secret value x id and then computes the public key as PK id � g x id ; otherwise it aborts. Challenge: on receiving the challenge identity id * and the challenge message m 0 � 0, m 1 � 1 and the public key PK id * , the adversary A cdh computes challenge ciphertext as follows. First sample a random b⟵ $ 0, 1 { }, then check whether (PK id * ) q ≐1 G 2 ; if not, abort; otherwise, compute (ssk, svk)⟵sign.Skg(1 λ ) and proceed as follows. If m b � 1, do the following steps.
(2) For id * , query oracle H 1 to get Q id * .
From above, it is easy to see that we implicitly set r � H 2 (K, PK id * , id * ) for K � c 2 − h and h � H 3 (g r , PK r id * ). In addition, we require here that computing r from rP is not easier than computing r from g r .
en, set the challenge ciphertext as c � (c 1 , c 2 , σ, svk). From above, we can see that the adversary A cdh provides perfect simulations for the adversary A 2 . Now we do the following analysis. Analysis: let c � (c 1 , c 2 , σ, svk) be the challenge ciphertext. In the experiment, A 2 knows u � g r and PK id * ; by the CDH assumption, it is still difficult to compute u x id * and K to make the verification equation is completes the proof of eorem 1.

Comparisons and Discussion
e authors in [14] first proposed an SOA secure certificateless encryption scheme. In this paper, we improved it to make the security proof more concise and user friendly. Although in [14], they gave an efficiency analysis, here, to make it easier to understand, we give a more detailed comparison with the existing similar schemes, especially with that in [3,14]. e detailed comparison results are shown in Table 1. Similarly, in terms of complexity, we also just make comparisons among them on the cost of the additive and multiplicative operations, especially on the exponent and the pairing operations. In addition, we also compare them in "security model," "whether key escrow is needed," and "whether a simplified proof is provided." From this table, we can see that in [3], the first scheme requires 14 exponents and 5 pairings and the second scheme requires 15 exponents and 1 pairing, while in [14], the scheme only needs 6 exponents and 2 pairings. By comparison, we can see that our scheme not only realizes a simplified security proof but also obtains the same efficiency and security level as that of [14].

Result
As shown in Table 1, compared with the schemes in [3], our scheme is practical in real applications which is mainly reflected in the following 4 aspects: (1) our scheme can be instantiated from very standard assumption such as computational Diffie-Hellman; (2) the used one-time signature can be constructed from standard assumption such as oneway function; (3) the hash functions such as random oracles in our scheme are very easily run on a low-configured device; (4) our scheme has better efficiency as analyzed in Section 5. Specifically, our scheme has 8 exponents and 3 pairings less than that of the first scheme in [3] and has 1 pairing more than that of the second scheme in [3], respectively. In addition, compared with [14], our scheme has more concise and user-friendly security proof.

Conclusions
is paper proposed a certificateless public key encryption against selective opening attacks (SOA), which is suitable for the data storage in Cloud 5G environment. is scheme is proved secure in the ROM under the assumptions of CDH and security of one-time signature. e advantage of the scheme is that it eliminates both certificate management and key management in PKI-based PKE and IBE settings and is practical in Cloud 5G settings. Compared with [14], our scheme not only has more concise and user-friendly security proof but also achieves the same level of security, which strengthens the data security storage in Cloud 5G applications.

B. Security
In the security definition, there are two types of adversaries: type 1 adversary A 1 and type 2 adversary A 2 . Type 1 adversary is a malicious user, who can replace the user's public key but cannot know the master key. Type 2 adversary is a malicious KGC, who can know the master key but cannot replace the user's public key. In Figure 2 (resp. Figure 3), IND-CPA1 game is for Type 1 adversary A 1 in CLE (resp. IND-CPA2 is for Type 2 adversary A 2 ). We have Adv IND−CPA−1 II ⇒true] − 1). We say that II is IND-CPA-1 public key PK id . e challenge oracle proc.NewMg (i d, PK, α) first checks whether the identity i d is legal; if not, the challenger samples a message m according to   Finally, the experiment outputs b � b ′ , which denotes whether the adversary wins or not in the experiment. Figure 6. is figure describes selective opening chosen-message attack ideal experiment for certificateless encryption scheme, where an adversary and a simulator participate in the experiment and interact with each other. Specifically, in this experiment, during the initialization phase, the challenger returns nothing for an adversary, while the challenge oracle proc.NewMg (i d, PK, α) only samples messages m according to distribution M determined by α but returns nothing to the adversary. In the corruption phase, the challenger opens the partial messages m[I] according to the set I chosen by the adversary. Finally, the experiment returns an output of a relation with respect to an input tuple (m, ChID, I, out).

C. Conversion from 1SPO to SIM-SO-CPA
Here, we use a theorem (i.e., eorem 2) to demonstrate how to reduce the SIM-SO-CPA security to 1SPO security.
Theorem 2 (see [14]). Let II be a 1-bit 1SPO-CLE scheme with a δ one-sided opener P Open To Zero algorithm [3] and II l the l-bit 1SPO-CLE scheme from II. A 1 and A 2 are type 1 adversary and type 2 adversary against SO-CPA security of II l , respectively. Let R be a PPT relation and M be a PPT message sampler. en, there exist S and two B 1 and B 2 such that

Proof.
is proof process is exactly the same as that of eorem 1 in [14], so we will not repeat it here in order to save space.

Data Availability
e data used to support the findings of this study are included within the article.