An Improved Efficient Certificateless Hybrid Signcryption Scheme for Internet of Things

The Internet of Things (IoT) is a vast perceptual network formed by a variety of IoT devices connected to each other. In IoT, various devices cooperate with each other to collect and transmit private data of IoT and sustain the efficient and orderly operation of IoT. However, in the complex security situation of IoT, due to the resources of IoT devices being limited, it is difficult for IoT devices to afford the heavy resource consumption of sophisticated data encryption and decryption mechanisms, which brings certain security risks to data transmission of IoT. To ensure safe and efficient data transmission, we propose an improved efficient certificateless hybrid signcryption scheme for IoT, which satisfies confidentiality, unforgeability, forward security, public verification, and known session-specific temporary information security; meanwhile, we prove them in the random oracle model (ROM). In addition, through simulation experiments, we find that our scheme has higher communication efficiency and computational efficiency compared with existing schemes.


Introduction
The Internet of Things (IoT) realizes the mapping from the real world to the virtual world through the perception of the real world by a large number of IoT devices. In the virtual world, by sorting out and analyzing massive perceptual data, users can obtain more accurate and effective information, so as to obtain the detailed status of the real world, and then realize more accurate and efficient adjustment of the real world. At present, with the extensive development of the IoT, IoT has brought unimaginable convenience to people and countries. For example, in the smart home, various furniture and equipment can cooperate with each other, so that people can get rid of heavy housework [1]. In smart medicine, through the real-time perception and analysis of disease, patients can receive more complete and comprehensive treatment in time [2]. Therefore, IoT plays a key role in people's production and life and has become one of the technologies with the most potential in the 21st century [3].
In IoT, there are a large number of devices with different structures, which cooperate to transmit sensitive data or private information of IoT, forming an organic whole. However, in order to reduce production costs, manufacturers often adopt overly simple structural designs and limited resources in the design and manufacture of IoT devices. It is easy for attackers to guess the general structure of the device and carry out illegal operations such as hacking and misappropriation [4]. Additionally, in the face of the complex security situation of IoT, it is difficult for resource-constrained devices to afford the heavy resource consumption of sophisticated data transmission mechanisms, which also brings certain security risks to data transmission in IoT [5]. Therefore, for the massive number of resource-constrained devices in IoT, how to ensure efficient and secure data transmission has become a key factor in the security of IoT [6].
Data encryption has become the primary choice to ensure the security of data transmission and has been successfully applied in many fields such as the Internet. However, in IoT, the normal data encryption mechanism is no longer suitable for data encryption on IoT devices because it consumes too many software and hardware resources or lacks some security features needed by IoT. In order to reduce the resource consumption in the process of data encryption and improve the efficiency and security level of data transmission, researchers have put forward a series of lightweight data encryption algorithms [7,8]. Among them, the concept of certificateless hybrid signcryption has attracted extensive attention since it was put forward.
Compared with other data encryption methods, the certificateless hybrid signcryption mechanism can greatly reduce the consumption of computing resources and communication resources in the process of data transmission and has higher flexibility and security [9]. In the certificateless cryptosystem, the key generation center (KGC) generates the user's partial private key according to the user's public information and sends it to the user through a secure channel. After receiving the partial private key, the user combines it with its own secret value to generate the full private key. After that, the user computes the public key to complete the initialization of the user key. Compared with other public key cryptosystems, the certificateless cryptosystem gets rid of the public key authentication problem of traditional cryptosystems based on public key infrastructure (PKI). Meanwhile, the full private key of a user in certificateless public key cryptography is generated jointly by the user and the KGC, which overcomes the key escrow problem of identity-based cryptography [10]. In terms of the data encryption algorithm, compared with the traditional "signature before encryption" method, the hybrid signcryption algorithm achieves signature and encryption in one computation round, which improves computing efficiency and provides stronger security for data transmission [11]. Therefore, for resource-constrained devices and complex security situations in IoT, the certificateless hybrid signcryption mechanism can not only greatly reduce the consumption of computing resources and the communication pressure of data transmission but also provide better security and flexibility for data transmission in IoT [12].
However, in the practical application of resource-constrained devices in IoT, the existing certificateless hybrid signcryption schemes are hard pressed to keep the balance between security and efficiency. In terms of security, the capabilities of attackers in IoT are increasing day by day, and some proposed schemes have certain flaws in the face of the new security requirements of IoT [6]. In terms of efficiency, the bilinear pairing operation improves the flexibility and security of the algorithm but also increases the computational pressure on devices [13]. However, most existing schemes adopt multiple bilinear pairing operations, which consume too many hardware and software resources and are no longer suitable for the data transmission requirements of resource-constrained devices in IoT. Therefore, to ensure secure and efficient data transmission in IoT, our contributions are as follows.
(1) We evaluate the security of Gong et al.'s certificateless hybrid signcryption scheme for IoT [14].
(2) We propose an improved efficient certificateless hybrid signcryption scheme for IoT.
(3) Our scheme meets confidentiality, unforgeability, forward security, public verification, and known session-specific temporary information security, and we prove them in the random oracle model (ROM).
(4) In theoretical analysis and experimental simulation, we find that our scheme has higher communication efficiency and computational efficiency than the existing schemes.
The rest of the paper is organized as follows. In Section 2 and Section 3, we present the research status and preliminaries related to this paper. The review and the evaluation of Gong et al.'s scheme are carried out in Section 4. In Section 5, we show the specific details of our scheme. In Section 6, we analyze the security of the proposed scheme. In Section 7, we perform theoretical analysis and experimental simulation. In Section 8, we summarize this paper.

Related Work
Since the concept of certificateless hybrid signcryption was put forward, it has attracted more and more attention, and a series of effective schemes have been produced. Li et al. took the lead in proposing the concept of certificateless hybrid signcryption, gave an example of a certificateless hybrid signcryption scheme, and showed that their scheme satisfied confidentiality and unforgeability in the ROM [9]. However, Li et al.'s scheme uses too many bilinear pairings, resulting in low computational efficiency.
To ensure efficient data transmission, a series of feasible methods and schemes were proposed. Yin and Liang proposed a certificateless hybrid signcryption scheme for wireless sensor networks, which performs only two bilinear computations and improves computational efficiency [15]. However, after receiving a valid message, the receiver can forge any information, so Yin and Liang's scheme does not meet unforgeability. Yu and Yang proposed a certificateless hybrid signcryption scheme without pairing, which does not require bilinear computation and improves computing efficiency [16]. However, compared with other schemes, this scheme transmits more data and has certain deficiencies in communication efficiency. Luo and Ma proposed a new certificateless hybrid signcryption scheme for cloud storage, which does not require bilinear pairings and reduces the computational pressure of data encryption [17]. However, Kasyoka et al. proved that Luo and Ma's scheme does not meet the requirement of unforgeability and has certain security defects, and proposed an improved scheme [18].
With the gradual improvement of attackers' abilities, researchers have also put forward certificateless hybrid signcryption schemes to enhance the security of data transmission. Luo et al. proposed a certificateless hybrid signcryption scheme that meets confidentiality, unforgeability, and known session-specific temporary information security [19]. However, this scheme uses too many bilinear operations and has certain deficiencies in computing efficiency. To ensure data security and low computational overhead, Gong et al. proposed a lightweight and secure certificateless hybrid signcryption scheme for the IoT, but it cannot satisfy the requirement of unforgeability; its security analysis is given in Section 4 of this paper [14].

Formal Model of Certificateless Hybrid Signcryption.
There are three members: KGC, sender, and receiver. The general interaction process is as follows.
Setup. The KGC randomly chooses the master system key $s$ and generates the system parameters params. After the algorithm is executed, the KGC publishes params to all users.
Extract Partial Private Key. The user first sends his unique identifier $ID_i$ to the KGC, which generates the partial private key $d_i$ of the user and sends $d_i$ to the user through a secure channel.
Generate User Key. After receiving the system parameters params published by the KGC, the user generates the secret value $x_i$ and the public key $P_i$. Next, the user publishes the public key $P_i$ and keeps the secret value $x_i$.
Extract Full Private Key. After receiving the partial private key $d_i$ sent secretly by the KGC, the user generates the full private key $s_i$ by combining $d_i$ with the secret value $x_i$. In this way, the user and the KGC jointly generate the full private key $s_i$ of the user.
Signcryption. Assume that both sender and receiver have completed the initialization of their keys. During signcryption, the sender generates the session key $K$, encrypts the message $m$ with a symmetric encryption algorithm, and generates the ciphertext $\sigma$. After signcryption is complete, the sender sends the ciphertext $\sigma$ to the receiver.
Unsigncryption. After receiving the ciphertext $\sigma$, the receiver generates the session key $K$ and decrypts the ciphertext to recover the message $m$ or the error symbol $\perp$. Finally, the receiver evaluates the authentication equation to judge the validity of the ciphertext.

Security Notions
The security of modern cryptographic systems is mostly based on hard mathematical problems, and this paper is no exception. The hard problems used in this paper are as follows.
Definition 1. Let $G_1$ be an additive cyclic group and $P$ a generator of $G_1$. The challenger chooses $aP, bP$, where $a, b \in Z_q^*$. The computational Diffie-Hellman (CDH) problem is to compute $abP$.
Definition 2. Let $G_2$ be a multiplicative cyclic group and $P$ a generator of $G_2$. The challenger chooses $P^a, P^b$, where $a, b \in Z_q^*$. The computational Diffie-Hellman (CDH) problem is to compute $P^{ab}$.
Definition 3. Let $G_1$ be an additive cyclic group and $P$ a generator of $G_1$. The challenger chooses $aP, bP, T \in G_1$, where $a, b \in Z_q^*$. The decisional Diffie-Hellman (DDH) problem is to determine whether the equation $abP = T$ holds.
Definition 4. Let $G_1$ be an additive cyclic group, $G_2$ a multiplicative cyclic group, $\hat{e} : G_1 \times G_1 \to G_2$ a bilinear pairing, and $P$ a generator of $G_1$. The challenger chooses $aP, bP, cP \in G_1$ and $T \in G_2$, where $a, b, c \in Z_q^*$. The decisional bilinear Diffie-Hellman (DBDH) problem is to determine whether the equation $\hat{e}(P, P)^{abc} = T$ holds.

Gong et al.'s Scheme Review and Security Analysis
In this section, we review the scheme proposed by Gong et al. and give the security analysis of their scheme [14]. In the security analysis, we find that the scheme does not meet unforgeability and prove it.
Setup. After receiving the security parameter $\gamma$, the KGC selects an additive cyclic group $G_1$, a multiplicative cyclic group $G_2$, a bilinear pairing $\hat{e} : G_1 \times G_1 \to G_2$, and $P$ as the generator of the additive cyclic group $G_1$, where $|G_1| = |G_2| = q$. Then, the KGC selects four hash functions $h_1 \ldots \{0,1\}^n$ and $h_5 : G_1 \to Z_q^*$, and one modular function $h_3 : a \bmod b$, where $b = h_5(R)$. After that, the KGC selects $x \in Z_q^*$ as the master system key and computes $P_{pub} = xP$ as the system public key. Finally, the KGC publishes the system parameters params and keeps the master system key $x$ secret.
Extract Partial Private Key. After receiving the unique identifier $ID_i \in \{0,1\}^*$ sent by the user $u_i$, the KGC computes $d_i = xQ_i$ as the partial private key of the user $u_i$, where $Q_i = h_1(ID_i)$. Next, the KGC sends the partial private key $d_i$ to the user $u_i$ through the private channel.
Generate User Key. The user selects a random value $x_i$ as the secret value and computes $P_i = x_i P$ as the public key. After receiving the partial private key $d_i$ sent by the KGC, the user generates the full private key.
Signcryption. Suppose Alice and Bob have completed the initialization of their keys, and Alice already has Bob's public key $P_B$. The specific process of signcryption is as follows.
(1) Chooses $r \in Z_q^*$ randomly and computes $R = rP$.
Unsigncryption. Assume that Bob has obtained the public key $P_A$ of the sender Alice and received the signcryption ciphertext $\sigma = (c, R, s)$. The specific process of unsigncryption is as follows.
(2) Computes the session key $K = h_4(y, z, R)$ and recovers the message $m$ or $\perp$ as $\mathrm{Dec}_K(c)$.
It is assumed that the sender Alice and the receiver Bob have generated their keys. If the receiver Bob has received a valid ciphertext $\sigma = (c, R, s)$, then Bob is able to forge any ciphertext $\sigma'$ and claim that it was sent by the sender Alice. The forgery process is as follows.
(1) Chooses $a \in Z_q^*$ and computes $R' = aR = arP$.
The forged ciphertext $\sigma' = (c', R', s')$ passes the verification equation. The verification process is as follows.
Thereby, the receiver Bob has successfully forged a valid signcryption ciphertext, and Gong et al.'s scheme does not satisfy the requirement of unforgeability. Based on this analysis of Gong et al.'s scheme, we propose an improved scheme, which is introduced in Section 5.

The Proposed Scheme
In this section, we take the communication between Alice and Bob as an example to introduce our scheme in detail, where Alice represents the sender and Bob represents the receiver. For increasing readability, the main symbols involved in our scheme are introduced in Table 1.
Setup. Let $G_1$ and $G_2$ be an additive cyclic group and a multiplicative cyclic group, where $|G_1| = |G_2| = p$ and $p$ is a prime. Choose a bilinear pairing $\hat{e} : G_1 \times G_1 \to G_2$, a generator $P$ of $G_1$, and a pair of symmetric encryption and decryption algorithms (Enc, Dec). Select three hash functions $h_1$, $h_2$, $h_3$, where $l$ is the length of an identity and $n$ is the length of a session key. Then, the KGC chooses $s \in Z_q^*$ as the master system key and computes $P_{pub} = sP$ as the system public key. Finally, the KGC publishes the system parameters params $= \{G_1, G_2, q, \hat{e}, P, P_{pub}, h_1, h_2, h_3, \mathrm{Enc}, \mathrm{Dec}\}$ and keeps the master system key $s$ secret.
Extract Partial Private Key. After receiving the unique identifier $ID_i \in \{0,1\}^l$ of a user, the KGC randomly selects $r_i \in Z_q^*$, computes $Q_i = h_1(ID_i)$ and $R_i = r_i P$, and generates the partial private key $D_i = r_i + s \cdot h_1(ID_i)$. Finally, the KGC sends the partial private key $D_i$ and $R_i$ to the user.
Generate User Key. After receiving the partial private key $D_i$ and the partial public key $R_i$, the user randomly chooses $x_i \in Z_q^*$ as the secret value and computes $P_i = \hat{e}(P, P_{pub})^{x_i}$ as the public key. Note that the user combines $R_i$ and $P_i$ to form the full public key $PK_i = (R_i, P_i)$.
Extract the Full Private Key. The user combines the secret value $x_i$ and the partial private key $D_i$ to form the full private key $SK_i = (x_i, D_i)$.
Signcryption. Before performing signcryption, the sender Alice has obtained her full public key $PK_A = (R_A, P_A)$, her full private key $SK_A = (x_A, D_A)$, the message $m$ to be transmitted, the system parameters params, and the full public key $PK_B = (R_B, P_B)$ and identity $ID_B$ of the receiver Bob. The detailed process is as follows.
(1) Chooses $r \in Z_q^*$ randomly and computes $R = rP$.
Unsigncryption. Before performing unsigncryption, the receiver Bob has obtained his full public key $PK_B = (R_B, P_B)$, his full private key $SK_B = (x_B, D_B)$, the ciphertext $\sigma = (c, R, s)$, the system parameters params, and the full public key $PK_A = (R_A, P_A)$ and identity $ID_A$ of the sender Alice. The detailed process is as follows.
(1) Computes $t_1 = RD_B$ and $t_2 = P_A^{x_B}$.
(2) Computes the session key $k = h_2(t_1, t_2, R)$ and recovers the message $m = \mathrm{Dec}_k(c)$ or the error symbol $\perp$.
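The agreement on $t_1$ between the two sides, as an added example that is not part of the paper: the KGC derives $D_i = r_i + s\,h_1(ID_i)$ and $R_i = r_i P$ as above, Alice computes $t_1 = r(R_B + Q_B P_{pub})$ from public data only (the expression the simulation in Section 6 uses), and Bob computes $t_1 = D_B R$ with his partial private key. The curve secp256k1 is assumed as a stand-in for $G_1$ and SHA-256 reduced modulo the group order as $h_1$; since secp256k1 has no pairing, the $G_2$ components $P_i$ and $t_2$ are not modelled.

```python
import hashlib
import secrets

# secp256k1 parameters (assumed stand-in for the paper's group G_1; the
# curve is not pairing-friendly, so only the G_1 part of the scheme is shown).
FIELD_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
ORDER_Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GEN_P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
         0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INFINITY = None  # the point at infinity (identity of G_1)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_p."""
    if p1 is INFINITY:
        return p2
    if p2 is INFINITY:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return INFINITY  # P + (-P)
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FIELD_P) % FIELD_P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD_P, -1, FIELD_P) % FIELD_P
    x3 = (lam * lam - x1 - x2) % FIELD_P
    y3 = (lam * (x1 - x3) - y1) % FIELD_P
    return (x3, y3)


def ec_mul(k, point):
    """Scalar multiplication k*point by double-and-add (k reduced mod q)."""
    result, addend = INFINITY, point
    k %= ORDER_Q
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def rand_scalar():
    """Uniform element of Z_q^*, i.e. 1 <= k <= q-1."""
    return secrets.randbelow(ORDER_Q - 1) + 1


def h1(identity: bytes) -> int:
    """Assumed instantiation of h_1 : {0,1}^l -> Z_q^* via SHA-256."""
    digest = int.from_bytes(hashlib.sha256(identity).digest(), "big")
    return digest % (ORDER_Q - 1) + 1


def kgc_setup():
    """Setup: master system key s and system public key P_pub = sP."""
    s = rand_scalar()
    return s, ec_mul(s, GEN_P)


def extract_partial_private_key(s, identity):
    """Extract Partial Private Key: R_i = r_i P and D_i = r_i + s*h_1(ID_i)."""
    r_i = rand_scalar()
    R_i = ec_mul(r_i, GEN_P)
    D_i = (r_i + s * h1(identity)) % ORDER_Q
    return D_i, R_i


def sender_t1(P_pub, R_B, id_B):
    """Alice: choose r, R = rP, and t_1 = r(R_B + Q_B P_pub) from public data."""
    r = rand_scalar()
    R = ec_mul(r, GEN_P)
    Q_B_Ppub = ec_mul(h1(id_B), P_pub)
    t1 = ec_mul(r, ec_add(R_B, Q_B_Ppub))
    return R, t1


def receiver_t1(R, D_B):
    """Bob: t_1 = R D_B using his partial private key D_B."""
    return ec_mul(D_B, R)


def run_key_agreement():
    """Returns (Bob's t_1 matches Alice's, a user with another ID matches)."""
    s, P_pub = kgc_setup()
    # Constructed identities for Bob and an unrelated user Carol.
    D_B, R_B = extract_partial_private_key(s, b"bob@example.invalid")
    D_C, _ = extract_partial_private_key(s, b"carol@example.invalid")
    R, t1_alice = sender_t1(P_pub, R_B, b"bob@example.invalid")
    return (receiver_t1(R, D_B) == t1_alice,
            receiver_t1(R, D_C) == t1_alice)


if __name__ == "__main__":
    print(run_key_agreement())  # (True, False)
```

Only the holder of $D_B$ reproduces Alice's $t_1$, which is the $G_1$ half of the session key input $h_2(t_1, t_2, R)$; the pairing-based half $t_2 = P_A^{x_B} = P_B^{x_A}$ needs a pairing-friendly group.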

Security Analysis
There are two kinds of adversaries, $A_1$ and $A_2$, in certificateless public key cryptosystems. The adversary $A_1$, impersonating a user of the cryptosystem, can replace the public key of any user in the system. The adversary $A_2$, impersonating the KGC, can obtain the master system key. In this section, we discuss the security attributes of our scheme from the perspective of the two types of adversaries.

Confidentiality
Lemma 5. Assuming that the adversary $A_1$ can win the game with a nonnegligible advantage $\varepsilon$ after $q_1$ $h_1$ queries, $q_2$ $h_2$ queries, $q_3$ $h_3$ queries, $q_{pk}$ public key queries, $q_{sk}$ secret value queries, $q_{psk}$ partial private key queries, and $q_{rpk}$ replace public key queries, the challenger $C$ can solve the CDH problem with the following probability $\varepsilon'$. Note that $q_T = q_1 + q_{sk} + q_{psk} + q_{pk}$.
Proof. The challenger $C$ takes the adversary $A_1$ as a subroutine and gives $A_1$ the tuple $(P, aP, bP)$. The goal is to compute $abP$ through the game between the adversary $A_1$ and the challenger $C$.
Setup. The challenger $C$ executes the setup algorithm and generates the system public parameters params.
Phase 1. The adversary $A_1$ executes the following polynomially bounded queries. Note that before the adversary executes queries, the challenger $C$ randomly chooses $I, J \in [1, q_1]$ for the challenge phase.
$h_1$ query: the challenger $C$ initializes and updates the data table $L_1$, where the tuple format is $(ID_i, l_i)$. When the adversary $A_1$ executes the $h_1$ query with the user identity $ID_i$ as input, $C$ first checks whether $L_1$ contains the item $(ID_i, l_i)$. If so, $C$ returns $l_i$ to $A_1$. If not, $C$ randomly chooses $l_i \in Z_q^*$, adds or updates the item $(ID_i, l_i)$ in $L_1$, and returns $l_i$ to $A_1$.
$h_2$ query: the challenger $C$ initializes and updates the data table $L_2$, where the tuple format is $(t_1, t_2, R, k)$. When the adversary $A_1$ executes the $h_2$ query with $(t_1, t_2, R)$ as input, $C$ first checks whether $L_2$ contains the related tuple $(t_1, t_2, R, k)$. If so, $C$ returns $k$ to $A_1$. If not, $C$ randomly chooses $k \in \{0,1\}^n$, inserts the item $(t_1, t_2, R, k)$ into $L_2$, and returns $k$ to $A_1$.
$h_3$ query: the challenger $C$ initializes and updates the data table $L_3$, where the tuple format is $(ID_A, ID_B, P_A, P_B, R_A, R_B, P_{pub}, R, h)$. When the adversary $A_1$ executes the $h_3$ query with $(ID_A, ID_B, P_A, P_B, R_A, R_B, P_{pub}, R)$ as input, $C$ first checks whether $L_3$ contains the related tuple. If so, $C$ returns $h$ to $A_1$. If not, $C$ randomly chooses $h \in Z_q^*$, adds or updates the item $(ID_A, ID_B, P_A, P_B, R_A, R_B, P_{pub}, R, h)$ in $L_3$, and returns $h$ to $A_1$.
Secret value query: the challenger $C$ initializes and updates the data table $L_k$, where the tuple format is $(ID_i, P_i, R_i, D_i, x_i)$. When the adversary $A_1$ executes the secret value query with $ID_i$ as input, $C$ first checks whether $L_k$ contains the related tuple $(ID_i, P_i, -, -, x_i)$. If so, $C$ returns $x_i$ to $A_1$. If not, $C$ chooses $x_i \in Z_q^*$ randomly, computes $P_i = \hat{e}(P, P_{pub})^{x_i}$, adds or updates the item $(ID_i, P_i, -, -, x_i)$ in $L_k$, and returns $x_i$ to $A_1$. Note that if $ID_i = ID_J$, $C$ aborts the game.
Partial private key query: with $ID_i$ as input, the challenger $C$ first checks whether $L_k$ contains the related tuple $(ID_i, -, -, -, D_i)$. If so, $C$ returns $D_i$ to $A_1$.
Public key query: when the adversary $A_1$ executes the public key query with $ID_i$ as input, $C$ first checks whether $L_k$ contains the item $(ID_i, P_i, R_i, -, -)$. If so, $C$ returns $PK_i = (R_i, P_i)$ to $A_1$. Otherwise, if $ID_i \ne ID_J$, $C$ executes the secret value query and the partial private key query. If $ID_i = ID_J$, $C$ sets $x_J \in Z_q^*$ and $D_J = b \in G_1$ and computes $P_J = \hat{e}(P, P_{pub})^{x_J}$ and $R_J = bP - l_J P_{pub}$, where $l_J$ is taken from the list $L_1$. Next, $C$ adds or updates the item $(ID_i, P_i, R_i, -, -)$ in $L_k$ and returns $PK_i = (R_i, P_i)$ to $A_1$.
Replace public key query: with $ID_i$ and $PK_i' = (R_i', P_i')$ as input, $C$ updates the list $L_k$ with the new item $(ID_i, P_i', R_i', -, -)$.
Signcryption query: when the adversary $A_1$ executes the signcryption query with $(ID_A, ID_B, m)$ as input, $C$ first checks whether $ID_A = ID_J$. If $ID_A \ne ID_J$, $C$ executes the normal signcryption process of our scheme. If $ID_A = ID_J$, the full private key of $ID_A$ cannot be obtained, so $C$ takes the full private key $SK_B = (x_B, D_B)$ of $ID_B$ and the full public key $PK_A = (P_A, R_A)$ of $ID_A$ from $L_k$ and performs the following operations.
(1) Chooses $r, v \in Z_q^*$ randomly and computes $R' = rP - vR_A - v h_1(ID_A) P_{pub}$.
After Bob receives the ciphertext $\sigma' = (c', R', s')$, it passes the verification, with the following computation.
Challenge. After the queries in Phase 1, the adversary $A_1$ selects two plaintexts $m_1, m_2$ of the same length and two user identities $ID_A, ID_B$; these are the users that $A_1$ will challenge. Before the challenge, the full private key $SK_B$ cannot have been queried and $PK_B$ cannot have been replaced. If $ID_A \ne ID_I$ or $ID_B \ne ID_J$, $C$ aborts the game. Otherwise, $C$ generates the ciphertext $\sigma^*$ by the following steps.
(1) Sets $R^* = aP$, chooses $v \in Z_q^*$ and $t_1^* \in G_1$, and computes
(2) Chooses the session key $k^* = h_2(t_1^*, t_2, R^*)$ and generates the ciphertext $c^* = \mathrm{Enc}_k(m_\lambda)$, where $\lambda \in \{0,1\}$.
(4) Computes $s^* = (a + h^* D_A)/x_A$, generates the ciphertext $\sigma^* = (c^*, R^*, s^*)$, and returns $\sigma^*$ to $A_1$.
Phase 2. In this stage, the adversary $A_1$ can execute polynomially bounded queries as in Phase 1. Note that $SK_B$ of $ID_B$ cannot be queried, $PK_B$ cannot be replaced, and the ciphertext $\sigma = (c, R, s)$ with sender $ID_I$ and receiver $ID_J$ cannot be submitted to the unsigncryption query.
Guess. The challenger computes the probability of solving CDH through the adversary $A_1$ winning the game. If $A_1$ wins the game, the list $L_2$ stores $q_2$ items, one of which is the answer to the CDH problem. Thus, $C$ takes the $t_1$ of each item in $L_2$ as a candidate answer.
Analysis. Let us compute the probability that the challenger $C$ solves the CDH problem. In this game, there are two conditions for the challenger to solve CDH: the challenger $C$ does not abort, and the adversary $A_1$ wins the game. First, the challenger $C$ abandons the challenge on the following four events. Note that $q_T = q_1 + q_{sk} + q_{psk} + q_{pk}$.
(1) Event 1: the adversary $A_1$ executes the partial private key query of $ID_J$; the probability of this event is $q_{psk}/q_T$.
(2) Event 2: the adversary $A_1$ executes the secret value query of $ID_J$; the probability of this event is $q_{sk}/q_T$.
Therefore, the probability that $C$ does not give up the game is $(1 - q_{psk}/q_T)(1 - q_{sk}/q_T)(1 - q_{rpk}/q_T)(1/C_{q_1}^2)$. Second, the challenger $C$ goes through the list $L_2$ and selects a $t_1$ as the answer to CDH, so the probability of picking the correct solution is $1/q_2$. Therefore, with the adversary $A_1$ as a subroutine, the challenger $C$ solves CDH with the following probability $\varepsilon'$.
Lemma 6. Assuming that the adversary $A_2$ can win the game with a nonnegligible advantage $\varepsilon$ after $q_1$ $h_1$ queries, $q_2$ $h_2$ queries, $q_3$ $h_3$ queries, $q_{pk}$ public key queries, and $q_{sk}$ secret value queries, the challenger $C$ can solve the CDH problem with the following probability $\varepsilon'$.
Proof. The challenger $C$ takes the adversary $A_2$ as a subroutine and gives $A_2$ the tuple $(P, P^a, P^b)$. The goal is to compute $P^{ab}$ through the interactions between the adversary $A_2$ and the challenger $C$.

Wireless Communications and Mobile Computing
Setup. The challenger $C$ executes the setup algorithm and generates the system public parameters params.
Phase 1. The adversary $A_2$ executes the following polynomially bounded queries. Note that before the adversary executes queries, the challenger $C$ randomly chooses $I, J \in [1, q_1]$ for the challenge phase.
$h_1$ query: the challenger $C$ initializes and updates the data table $L_1$, where the tuple format is $(ID_i, l_i)$. When the adversary $A_2$ executes the $h_1$ query with the user identity $ID_i$ as input, $C$ first checks whether $L_1$ contains the related tuple $(ID_i, l_i)$. If so, $C$ returns $l_i$ to $A_2$. If not, $C$ randomly chooses $l_i \in Z_q^*$, adds or updates the item $(ID_i, l_i)$ in $L_1$, and returns $l_i$ to $A_2$.
$h_2$ query: the challenger $C$ initializes and updates the data table $L_2$, where the tuple format is $(t_1, t_2, R, k)$. When the adversary $A_2$ executes the $h_2$ query with $(t_1, t_2, R)$ as input, $C$ first checks whether $L_2$ contains the related tuple $(t_1, t_2, R, k)$. If so, $C$ returns $k$ to $A_2$. If not, $C$ randomly chooses $k \in \{0,1\}^n$, inserts the item $(t_1, t_2, R, k)$ into $L_2$, and returns $k$ to $A_2$.
$h_3$ query: the challenger $C$ initializes and updates the data table $L_3$, where the tuple format is $(ID_A, ID_B, P_A, P_B, R_A, R_B, P_{pub}, R, h)$. When the adversary $A_2$ executes the $h_3$ query with $(ID_A, ID_B, P_A, P_B, R_A, R_B, P_{pub}, R)$ as input, $C$ first checks whether $L_3$ contains the related tuple. If so, $C$ returns $h$ to $A_2$. If not, $C$ randomly chooses $h \in Z_q^*$, adds or updates the item $(ID_A, ID_B, P_A, P_B, R_A, R_B, P_{pub}, R, h)$ in $L_3$, and returns $h$ to $A_2$.
Secret value query: the challenger $C$ initializes and updates the data table $L_k$, where the tuple format is $(ID_i, P_i, R_i, D_i, x_i)$. When the adversary $A_2$ executes the secret value query with $ID_i$ as input, $C$ first checks whether $L_k$ contains the related item $(ID_i, -, -, -, x_i)$. If so, $C$ returns $x_i$ to $A_2$. If not, $C$ randomly chooses $x_i \in Z_q^*$, computes $P_i = \hat{e}(P, P_{pub})^{x_i}$, adds or updates the item $(ID_i, -, -, -, x_i)$ in $L_k$, and returns $x_i$ to $A_2$. Note that if $ID_i = ID_J$, $C$ aborts the game.
Partial private key query: with $ID_i$ as input, the challenger $C$ first checks whether $L_k$ contains the related item $(ID_i, -, -, -, D_i)$. If so, $C$ returns $D_i$ to $A_2$. Otherwise, $C$ randomly chooses $D_i \in Z_q^*$, adds or updates the item $(ID_i, -, -, -, D_i)$ in $L_k$, and returns $D_i$ to $A_2$.
Public key query: with $ID_i$ as input, the challenger $C$ first checks whether $L_k$ contains the related item $(ID_i, P_i, R_i, -, -)$. If so, $C$ returns $PK_i = (R_i, P_i)$ to $A_2$. Otherwise, if $ID_i \ne ID_I$ or $ID_i \ne ID_J$, $C$ executes the secret value query with $ID_i$, gets the secret value $x_i$ from $L_k$, and computes $P_i = \hat{e}(P, P_{pub})^{x_i}$. If $ID_i = ID_I$, $C$ sets $a \in Z_q^*$ and computes $P_I = \hat{e}(P, P_{pub})^a$. If $ID_i = ID_J$, $C$ sets $b \in Z_q^*$ and computes $P_J = \hat{e}(P, P_{pub})^b$. Then, $C$ chooses $r_i \in Z_q^*$ and computes $R_i = r_i P$, where $l_i$ is taken from $L_1$. Next, $C$ adds or updates $L_k$ with the tuple $(ID_i, P_i, R_i, -, -)$ and returns $PK_i = (P_i, R_i)$ to $A_2$.
Signcryption query: when the adversary $A_2$ executes the signcryption query with $(ID_A, ID_B, m)$ as input, $C$ first checks whether $ID_A = ID_J$. If $ID_A \ne ID_J$, $C$ executes the normal signcryption process of our scheme. If $ID_A = ID_J$, the full private key of $ID_A$ cannot be obtained, so $C$ takes the full private key $SK_B = (x_B, D_B)$ of $ID_B$ and the full public key $PK_A = (P_A, R_A)$ of $ID_A$ from $L_k$ and performs the following operations.
(1) Chooses $r, v \in Z_q^*$ randomly and computes
The adversary $A_2$ can pass the verification, with the following computation.
Unsigncryption query: when the adversary $A_2$ executes the unsigncryption query with $(ID_A, ID_B, \sigma = (c, R, s))$ as input, $C$ first checks whether $ID_B = ID_J$. If $ID_B \ne ID_J$, $C$ executes the normal unsigncryption process of our scheme. If $ID_B = ID_J$, the full private key of $ID_B$ cannot be obtained, so $C$ takes $SK_A = (x_A, D_A)$ of $ID_A$ and $PK_B = (P_B, R_B)$ of $ID_B$ from $L_k$ and performs the following operations.
(1) Computes $t_1 = RD_B$.
(2) Retrieves each item $(t_1, t_2, R, k)$ in $L_2$ to determine whether $t_2 = (P_B)^{x_A}$ holds. If it holds, $C$ computes $k = h_2(t_1, t_2, R)$ and recovers the message $m = \mathrm{Dec}_k(c)$ or the error symbol $\perp$.
Challenge. $C$ generates the ciphertext $\sigma^*$ by the following steps.
(1) Chooses $r \in Z_q^*$, $v \in Z_q^*$, and $t_2^* \in G_2$.
(2) Computes $R^* = rP$ and $t_1 = r(R_B + P_{pub} Q_B)$.
(3) Computes the session key $k^* = h_2(t_1, t_2^*, R^*)$ and generates the ciphertext $c^* = \mathrm{Enc}_{k^*}(m_\lambda)$, where $\lambda \in \{0,1\}$.
(4) Adds the new item $(ID_A, ID_B, P_A, P_B, R_A, R_B, P_{pub}, R^*, v)$ to the list $L_3$.
(5) Computes $s^* = r + h^* D_A / x_A$, generates the ciphertext $\sigma^* = (c^*, R^*, s^*)$, and returns $\sigma^*$ to $A_2$.
Phase 2. In this stage, the adversary $A_2$ can execute polynomially bounded queries as in Phase 1. Note that the secret value $x_B$ of $ID_B$ cannot be queried and the ciphertext $\sigma = (c, R, s)$ with sender $ID_I$ and receiver $ID_J$ cannot be submitted to the unsigncryption query.
Guess. The challenger computes the probability of solving CDH through the adversary $A_2$ winning the game. If $A_2$ wins the game, the list $L_2$ stores $q_2$ items, one of which is the answer to the CDH problem. $C$ takes the $t_2$ of each item as a candidate answer.
Analysis. Let us compute the probability that the challenger $C$ solves the CDH problem. In this game, there are two conditions for the challenger to solve CDH: the challenger $C$ does not abort, and the adversary $A_2$ wins the game. First, the challenger $C$ abandons the challenge on the following two events. Note that $q_T = q_1 + q_{sk}$.
(1) Event 1: the adversary $A_2$ executes the secret value query of $ID_J$; the probability of this event is $q_{sk}/q_T$.
(2) Event 2: when the adversary $A_2$ issues the challenge, the users $ID_B, ID_A$ are not the challenged identities, that is, $ID_B \ne ID_J$ or $ID_A \ne ID_I$; the probability of this event is $1 - 1/C_{q_1}^2$.
Therefore, the probability that $C$ does not give up the game is $(1 - q_{sk}/q_T)(1/C_{q_1}^2)$. Second, the challenger $C$ goes through the list $L_2$ and selects a $t_2$ as the answer to CDH, so the probability of picking the correct solution is $1/q_2$. Therefore, with the adversary $A_2$ as a subroutine, the challenger $C$ solves CDH with the following probability $\varepsilon'$.
Assuming that the adversary $A_1$ can win the game with a nonnegligible advantage $\varepsilon$ after $q_1$ $h_1$ queries, $q_2$ $h_2$ queries, $q_3$ $h_3$ queries, $q_{pk}$ public key queries, $q_{sk}$ secret value queries, $q_{psk}$ partial private key queries, and $q_{rpk}$ replace public key queries, the challenger $C$ can solve the DBDH problem with the following probability $\varepsilon'$.
Proof. The proof is similar to that of Lemma 5. The challenger C takes the adversary $A_1$ as a subroutine and gives $A_1$ the tuple $(P, aP, bP, cP \in G_1, Z \in G_2)$; the goal is to determine whether $P^{abc} = Z$ holds through the game between $A_1$ and C. In Phase 1, the adversary $A_1$ can execute polynomially bounded queries, and C returns the corresponding answers to $A_1$. The adversary $A_1$ cannot query the full private key of $ID_A$, cannot replace the public key of $ID_A$, and cannot issue the signcryption query with sender $ID_A$ and receiver $ID_B$. In the forgery phase, the adversary $A_1$ outputs the forged ciphertext $\sigma' = (c', R', s')$. If $A_1$ wins the game and the challenger C does not abort, C sets $a = x_A$, $b = r_i/x_A$, $c = s$, and $Z = \hat{e}(R, P_{pub})$. The probability $\varepsilon'$ that the challenger C solves DBDH is the following. Note that $q_T = q_1 + q_{sk} + q_{psk} + q_{pk}$.

with a nonnegligible advantage $\varepsilon$ after $q_1$ $h_1$ queries, $q_2$ $h_2$ queries, $q_3$ $h_3$ queries, $q_{pk}$ public key queries, and $q_{sk}$ secret value queries, the challenger C can solve the DDH problem with the following probability $\varepsilon'$. Note that $q_T = q_1 + q_{sk}$.
Proof. The proof is similar to that of Lemma 6. The challenger C takes the adversary $A_2$ as a subroutine and gives $A_2$ the tuple $(P^a, P^b, Z \in G_2)$; the goal is to determine whether $P^{ab} = Z$ holds through the interaction between $A_2$ and C. In Phase 1, the adversary $A_2$ can execute polynomially bounded queries, and C returns the corresponding answers to $A_2$. The adversary $A_2$ cannot query the secret value of $ID_A$ and cannot issue the signcryption query from $ID_A$ to $ID_B$. In the forgery phase, $A_2$ outputs the forged ciphertext $\sigma' = (c', R', s')$. If $A_2$ wins the game and the challenger C does not abort, C sets $a = sx_A$, $b = hr_A/x_A$, and $Z = \hat{e}(hR_A, P_{pub}) = P^{shr_A}$. The probability $\varepsilon'$ that the challenger C solves DDH is the following:

6.3. Forward Security. To prove that our scheme meets forward security, we discuss its security against the two kinds of adversary, $A_1$ and $A_2$. The adversary $A_1$ can obtain the full private key of the sender $ID_A$ and all the ciphertexts of previous communications. However, it is still difficult for $A_1$ to decrypt a ciphertext and obtain the corresponding message $m$. The symmetric key of the ciphertext is generated by the hash function $h_2$ from $t_1$, $t_2$, and $R$. The adversary $A_1$ can recover $t_2 = P_B^{x_A}$ and read $R$ from a previous ciphertext. However, under the CDH assumption, $A_1$ cannot calculate $t_1 = RD_B$ $(aP = R, bP = D_B)$. Therefore, $A_1$ cannot recover the message $m$ of a previous communication. The adversary $A_2$ can obtain the master system key $s$ but cannot obtain the partial private key $D_B$ of the receiver Bob. Thus, the argument for $A_2$ is similar to that for the first type of adversary: under the CDH assumption, it is difficult for the adversary to calculate $t_1$ and the session key $k$ and to decrypt the ciphertext.
Therefore, our scheme meets forward security.
6.4. Public Verification. All users of the certificateless public key system can authenticate any ciphertext $\sigma = (c, R, s)$. On receiving a ciphertext $\sigma$, $ID_A$, $PK_A = (P_A, R_A)$, $ID_B$, and $PK_B = (P_B, R_B)$, any user of the system can compute $h = h_3(ID_A, ID_B, P_A, P_B, R_A, R_B, P_{pub}, R)$ and check the authentication equation $P_A^{s} = \hat{e}(R + hR_A + hQ_A P_{pub}, P_{pub})$ to determine whether the ciphertext is valid. The authentication requires neither a decryption operation nor the full private key of the sender or receiver, so verification can be performed quickly. Therefore, our scheme meets public verification.

6.5. Known Session-Specific Temporary Information Security.
Assume that the adversary has obtained the random value $r$ used in the sender's signcryption; the adversary still cannot obtain any valuable information. The adversary $A_1$ can obtain $ID_A$, $PK_A = (P_A, R_A)$, $ID_B$, and $PK_B = (P_B, R_B)$ and can compute $t_1 = (R_B + P_{pub}Q_B)r$ and $R = rP$. However, under the CDH assumption, it is difficult for $A_1$ to calculate $t_2 = P_B^{x_A}$ and hence to compute the correct session key $k$. The adversary $A_2$ can obtain the master system key $s$ of the KGC but cannot obtain the secret value $x_A$. Thus, the argument for $A_2$ is similar to that for $A_1$, and $A_2$ cannot compute the correct session key $k$ under the CDH assumption. Therefore, our scheme meets known session-specific temporary information security.
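The two-part session key that Sections 6.3 and 6.5 reason about (and that the challenge simulation at the start of this section computes as $t_1 = r(R_B + P_{pub}Q_B)$, $t_2 = P_B^{x_A}$, $k = h_2(t_1, t_2, R)$), written out as an added example. This is not the paper's code nor its pypbc implementation. $G_1$ is modelled by the secp256k1 curve and $G_2$ by a multiplicative group modulo a prime; there is no pairing, so the signature component $s$ and the verification equation of Section 6.4 are deliberately not implemented. The key shapes $P_{pub} = sP$, $R_u = r_uP$, $Q_u = h_1(ID_u, R_u)$, $D_u = r_u + sQ_u$ and $P_u = g^{x_u}$ are assumed (the paper's key-generation section is not reproduced on this page), as are the hash instantiations and the SHA-256-keystream-plus-HMAC construction standing in for $Enc_k$/$Dec_k$.

```python
"""Session-key core of the certificateless hybrid signcryption scheme over
toy groups (added example, not the paper's code).  G1 = secp256k1 (additive),
G2 = multiplicative group mod a prime; no pairing, so s and the public
verification equation are not implemented.  ASSUMED key shapes: Ppub = s*P,
R_u = r_u*P, Q_u = h1(ID_u, R_u), D_u = r_u + s*Q_u, P_u = g^{x_u} in G2.
"""
import hashlib
import hmac
import secrets

# Toy G1: secp256k1 in affine coordinates; None is the point at infinity.
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# Toy G2: the multiplicative group modulo the Mersenne prime 2^127 - 1.
G2_MOD, G2_GEN = (1 << 127) - 1, 3

def ec_add(A, B):
    """Point addition on secp256k1 (handles doubling and the identity)."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # A + (-A) = O
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, A)
        A, k = ec_add(A, A), k >> 1
    return acc

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def h1(ident, R_u):
    """Q_u = h1(ID_u, R_u), a scalar in Z_q^* (SHA-256 instantiation assumed)."""
    return int.from_bytes(hashlib.sha256(ident + enc(R_u)).digest(), "big") % N_ORD

def h2(t1, t2, R):
    """Session key k = h2(t1, t2, R); t2 < 2^127 fits in 16 bytes."""
    return hashlib.sha256(enc(t1) + t2.to_bytes(16, "big") + enc(R)).digest()

def rand_scalar():
    return secrets.randbelow(N_ORD - 1) + 1

def kgc_setup():
    s = rand_scalar()
    return s, ec_mul(s, P)                            # master key s, Ppub = s*P

def user_keygen(ident, s):
    """User secret value x_u plus the KGC's partial private key D_u (assumed form)."""
    x_u, r_u = rand_scalar(), rand_scalar()
    R_u = ec_mul(r_u, P)
    D_u = (r_u + s * h1(ident, R_u)) % N_ORD
    return {"id": ident, "x": x_u, "D": D_u, "P": pow(G2_GEN, x_u, G2_MOD), "R": R_u}

def public(u):
    return {k: u[k] for k in ("id", "P", "R")}

def sender_kem(alice, bob_pub, Ppub):
    """Sender side: t1 needs only the ephemeral r, t2 needs the secret value x_A."""
    r = rand_scalar()
    R = ec_mul(r, P)
    Q_B = h1(bob_pub["id"], bob_pub["R"])
    t1 = ec_mul(r, ec_add(bob_pub["R"], ec_mul(Q_B, Ppub)))   # r(R_B + Q_B*Ppub)
    t2 = pow(bob_pub["P"], alice["x"], G2_MOD)                # P_B^{x_A}
    return R, h2(t1, t2, R)

def receiver_kem(bob, alice_pub, R):
    """Receiver side: t1 = D_B*R equals r(R_B + Q_B*Ppub); t2 = P_A^{x_B}."""
    return h2(ec_mul(bob["D"], R), pow(alice_pub["P"], bob["x"], G2_MOD), R)

def keystream_xor(k, data):
    """Toy DEM body standing in for Enc_k/Dec_k: SHA-256 counter keystream XOR."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(k + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def enc_k(k, m):
    c = keystream_xor(k, m)
    return c + hmac.new(k, c, "sha256").digest()      # encrypt-then-MAC

def dec_k(k, c):
    body, tag = c[:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(k, body, "sha256").digest()):
        return None                                   # the scheme's error symbol
    return keystream_xor(k, body)

def demo(message=b"constructed sensor reading: 21.5 C"):
    """Returns (keys agree?, decrypted message, result for a tampered ciphertext)."""
    s, Ppub = kgc_setup()
    alice, bob = user_keygen(b"alice", s), user_keygen(b"bob", s)
    R, k_send = sender_kem(alice, public(bob), Ppub)
    c = enc_k(k_send, message)
    k_recv = receiver_kem(bob, public(alice), R)
    tampered = dec_k(k_recv, bytes([c[0] ^ 1]) + c[1:])
    return k_send == k_recv, dec_k(k_recv, c), tampered
```

The point the code makes concrete is the split that the two proofs above rely on: $t_1$ can be computed by the receiver from $D_B$ and by anyone holding the public keys from the ephemeral $r$ alone, while $t_2$ requires either $x_A$ or $x_B$. A party that learns only $r$ (Section 6.5) or only the sender's static keys (Section 6.3) therefore holds exactly one of the two inputs to $h_2$, and the constant-time tag check in `dec_k` is what turns a wrong key into the error symbol rather than garbage plaintext.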
7. Performance Analysis

7.1. Comparison of Communication Efficiency. In this section, we compare the communication efficiency of our scheme with that of existing schemes; the result is summarized in Table 2.
In Table 2, $m$ denotes the length of the data to be transmitted, $q$ the length of an element of $Z_q^*$, and $g_1$ the length of an element of $G_1$. Assume the 80-bit security level in the standard model, with a message $m$ of 200 bits, elements of $Z_q^*$ of 20 bits, and elements of $G_1$ of 65 bits [21]. As can be seen from Table 2, in one communication the message length of Luo et al.'s scheme is $l_{luo} = 20 + 65 \times 2 + 200 = 350$ bits, that of Yin and Liang's scheme is $l_{yin} = 20 \times 2 + 65 + 200 = 305$ bits, and that of our scheme is $l_{our} = 20 + 65 + 200 = 285$ bits. Thus, compared with the existing schemes, our scheme transmits shorter messages and has higher communication efficiency.

7.2. Comparison of Computational Efficiency.
In this section, we analyze the computational efficiency of the proposed scheme through theoretical calculation and simulation experiments. In the theoretical calculation, bilinear pairing, scalar multiplication, and exponentiation are the three operations that consume the most computing resources in such schemes. Therefore, we count these three kinds of operations for our scheme and the other schemes in Table 3, where mul, exp, and pair stand for the multiplication, exponentiation, and bilinear pairing operations, respectively [22]. As can be seen from Table 3, compared with the existing schemes, the proposed scheme reduces the number of multiplication and bilinear pairing operations and thereby reduces the computational load of data encryption and decryption.
In the simulation experiment, we used Ubuntu 20.04 and pypbc to build a 512-bit standard security model. In this model, we simulate the running process of the proposed scheme and the comparison schemes, measure the average running time for different message sizes, and plot the results in Figure 1. As Figure 1 shows, our scheme requires a shorter running time for data transmission than the other schemes, and as the size of the transmitted data grows, its advantage in computational efficiency becomes more pronounced. Therefore, the proposed scheme reduces the computational load of data encryption and decryption and is suitable for data transmission in practical IoT applications.

8. Conclusion
In this paper, we first review and evaluate the certificateless hybrid signcryption scheme proposed by Gong et al. [14] and point out deficiencies in its unforgeability. Based on Gong et al.'s scheme, we propose an improved certificateless hybrid signcryption scheme for IoT and prove in the ROM that it meets confidentiality, unforgeability, forward security, public verification, and known session-specific temporary information security. In addition, theoretical analysis and simulation experiments show that, compared with the existing schemes, our scheme consumes fewer communication and computing resources, achieves higher communication and computational efficiency, and is suitable for data transmission by IoT devices in practical applications.
It should be noted, however, that this scheme increases the number of exponentiation operations in data transmission. Future work may aim to reduce the number of exponentiations, so as to further reduce the computational load on resource-constrained IoT devices and improve the computational efficiency of the scheme.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that they have no conflicts of interest.