Certificateless Encryption for IIoT

1) This article proposes a new secure certificateless searchable public key encryption with multiple keywords (SCF-MCLPEKS) scheme for securing Industrial Internet of Things (IIoT) data stored in the cloud. 2) The scheme aims to address privacy and security issues that arise from outsourcing IIoT data to untrusted cloud servers, as cloud servers or employees could potentially access and modify the stored data. 3) The security of the proposed SCF-MCLPEKS scheme is analyzed in the random oracle model against two types of adversaries - one who can choose a random public key instead of the user's public key, and another who can learn the system master key.


This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TII.2017.2703922, IEEE Transactions on Industrial Informatics

Certificateless Searchable Public Key Encryption Scheme for Industrial Internet of Things
Mimi Ma, Debiao He, Neeraj Kumar, Kim-Kwang Raymond Choo and Jianhua Chen

Abstract—With the widespread adoption of Internet of Things and cloud computing in different industry sectors, an increasing number
of individuals or organizations are outsourcing their Industrial Internet of Things (IIoT) data in the cloud server to achieve cost saving
and collaboration (e.g. data sharing). However, in this environment, preserving the privacy of data remains a key challenge and
inhibiting factor to an even wider adoption of IIoT in the cloud environment. To mitigate these issues, in this paper, we design a new
secure channel free certificateless searchable public key encryption with multiple keywords (SCF-MCLPEKS) scheme for IIoT
deployment. We then demonstrate the security of the scheme in the random oracle model against two types of adversaries, where one
adversary is given the power to choose a random public key instead of the user’s public key and another adversary is allowed to learn
the system master key. In presence of these types of adversaries, we evaluated the performance of the proposed scheme and
demonstrate that it achieves (computational) efficiency with low communication cost.

Index Terms—certificateless public key encryption, Industrial Internet of Things, privacy, security

• The work was supported in part by the National Natural Science Foundation of China under Grant 61572379, Grant 61501333, Grant 61402339, and Grant U1536204, in part by the National High-Tech Research and Development Program of China (863 Program) under Grant 2015AA016004, in part by the open fund of State Key Laboratory of Cryptology and in part by the Natural Science Foundation of Hubei Province of China under Grant 2015CFB257.
• M. Ma is with the School of Mathematics and Statistics, Wuhan University, Wuhan, China and the Co-Innovation Center for Information Supply & Assurance Technology, Anhui University, Hefei, China.
• D. He (Corresponding author) is with the State Key Lab of Software Engineering, Computer School, Wuhan University, Wuhan, China.
• N. Kumar is with the Department of Computer Science and Engineering, Thapar University, Patiala, India.
• K.-K. R. Choo is with the Department of Information Systems and Cyber Security, The University of Texas at San Antonio, San Antonio, USA and the School of Information Technology and Mathematical Sciences, University of South Australia, Adelaide, Australia.
• J. Chen is with the School of Mathematics and Statistics, Wuhan University, Wuhan, China and the Co-Innovation Center for Information Supply & Assurance Technology, Anhui University, Hefei, China.

1551-3203 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

1 INTRODUCTION

A typical Internet of Things (IoT) deployment consists of sensors, actuators, and other smart devices connected to the Internet. These devices facilitate the collection and exchange of information in a wide range of applications [1]. An increasingly popular application of IoT is in the industrial sector, and such an environment is also referred to as the Industrial Internet of Things (IIoT). Research findings from Gartner suggested that approximately 63 million IoT devices will be connected to the enterprise network each second by 2020 [2] and the global economic impact of IoT is estimated to be USD 2 trillion by 2020 [3].

With parallel advances in other communication technologies such as cloud computing as well as a faster and less costly bandwidth, IIoT data is increasingly being stored in the cloud. This allows one to reduce data management costs and efforts and facilitate collaboration (e.g. allow sharing of IIoT data between users, with no geographic constraints). Specifically, cloud computing can be leveraged as a computational model for information processing in the data processing layer, enabling users to access the application and data anywhere through an authorized Internet-connected device. Computing resources can also be dynamically deployed and shared with each other [4], [5], [6].

A typical network architecture for IIoT data storage is shown in Fig. 1. In such an architecture, the cloud server is responsible for the computing and storage of data for the IIoT system. The enterprise collects data gathered during industrial production, operation status of the equipment, and other information collected by the sensor(s), and sends this data to the cloud server via the Internet. Data needs to be securely stored so that other authorized users can access and provide analysis of the collected data from different environments.

Fig. 1. A typical network architecture for IIoT data storage

However, the security and privacy of the data rely on the security of the cloud server. In addition, we have to assume that the cloud service providers are not malicious and will not attempt to learn about the data stored in their servers. This is clearly not a realistic assumption, as the
cloud service providers may be malicious or corrupted. For example, a cloud service provider's employee or a vendor with insider access to the provider's network may be corrupted and attempt to insert, delete, modify, add, and rearrange the data. In other words, the confidentiality and privacy of the data outsourced to the cloud cannot be guaranteed [7], [8]. One could choose to encrypt the IIoT data prior to outsourcing it to the cloud to ensure data confidentiality. However, searching within the encrypted data becomes a challenging issue. A naive approach is to download all databases, decrypt the entire encrypted data, and then read or search the decrypted data. This is clearly a time-consuming and expensive exercise, and not viable in most of the real-time applications.

Searchable encryption (SE) [9], [10], [11], [12], [13] was introduced to allow users to search on encrypted data. SE can be broadly categorized into symmetric encryption and asymmetric encryption. Although searchable symmetric encryption (SSE) [14], [15], [16] has high execution efficiency, its application is limited. SSE is only suitable for a single-user model. Not being able to deploy in a multi-user model is a key limitation. Therefore, to address this limitation, the first public-key encryption with keyword search (PEKS) scheme was designed by Boneh et al. [9], which allows users to search efficiently on ciphertext. In a PEKS system, by using the receiver's public key, the sender encrypts the keywords (called PEKS ciphertexts) contained in documents, and then appends them to the encrypted documents. To search documents that contain a specific keyword, the receiver sends the keyword's trapdoor to the cloud server. Upon receiving the trapdoor and PEKS ciphertexts, the cloud server then checks whether the keyword included in PEKS ciphertexts is equal to the one picked by the receiver and returns the corresponding encrypted data.

In a public key infrastructure (PKI), a certificate authority (CA) registers, distributes and manages digital certificates. Certificate management is an inhibiting factor. To address this drawback, Shamir [17] introduced the concept of identity-based public-key cryptosystem (IDPKC). In an IDPKC, a user's identity information (e.g. name, cell number, and driving license number) can be used as the public key. A trusted key generation center (KGC) entity then generates the user's private key. While IDPKC significantly simplifies certificate management, it introduces the problem of key escrow due to the reliance on the KGC doing the right thing (i.e. not being malicious or corrupted). Al-Riyami et al. [18] designed a certificateless-public-key cryptosystem (CLPKC), which removes the inherent key escrow problem in IDPKC while preserving the certificateless property. In a CLPKC system, a user's private key consists of two parts: a part chosen by the user, and the other part generated by the KGC. Therefore, the private key cannot be entirely influenced by the KGC. Since then, several encryption and signature schemes based on CLPKC [19], [20], [21], [22], [23] were proposed for different applications in the literature. However, certificate-free PEKS schemes are less investigated. Only in 2014, Peng et al. [24] designed a certificateless PEKS (CLPEKS) scheme in email system. However, the scheme was later shown to be vulnerable to attacks involving a malicious KGC and an off-line keyword guessing attack [25]. Thus, to contribute to this literature gap, in this paper, we construct a CLPEKS model.

Specifically, we design an efficient secure channel free certificateless searchable public key encryption with multiple keywords (SCF-MCLPEKS) scheme for IIoT deployment (see Section 4). We then demonstrate that even in the presence of both Type1 and Type2 adversaries, our SCF-MCLPEKS scheme can resist chosen keyword attack (see Section 5). A Type1 adversary has the ability to choose a public key to replace the user's public key, and a Type2 adversary is given the system's master key. We then evaluate the performance of the proposed scheme (see Section 6).

In the next two sections, we will discuss related literature and present the preliminaries (including the system model of the proposed scheme), respectively. Section 4 describes the proposed scheme. Section 5 presents the security analysis of the proposed scheme. In Section 6, the proposed scheme is evaluated with respect to various parameters. Finally, Section 7 concludes the paper.

2 RELATED LITERATURE

As previously discussed, the first SE scheme was constructed by Song et al. [15] using symmetric cryptography. To address the single-user model limitation associated with the scheme, Golle et al. [26] presented the first SE scheme with conjunctive keyword. The search time of Golle et al.'s scheme is, however, linear with the size of the searched keyword. In 2013, Cash et al. [27] proposed the first sublinear SSE scheme with support for boolean queries and can be applied for big data. As these schemes are fundamentally SE schemes, they suffer from the same single-user limitation.

The public-key encryption with keyword search (PEKS) scheme was first proposed by Boneh et al. [9]. But as pointed out by Baek et al. [28], Boneh et al.'s model requires a secure key distribution channel. As a countermeasure, Baek et al. [28] designed the first PEKS without the need for a secure channel (SCF-PEKS). In a separate work, Tang et al. [29] proposed a PEKS with registered keywords, where the receiver needs to run a keyword registration algorithm, before sending the pre-tag to the sender through a secure channel. A year later in 2010, Rhee et al. [30] designed a SCF-PEKS scheme with designated tester. In 2013, Xu et al. [31] constructed the first PEKS with fuzzy keyword search, where the server executes the fuzzy keyword search algorithm prior to sending the documents to the receiver. Upon receiving the documents, the receiver runs the exact keyword search algorithm to obtain the target files from these documents. More recently in 2016, Wang et al. [32] presented a secure channel free searchable encryption with multiple keywords scheme. However, these schemes as well as those reported in [33], [34], [35], [36], [37], [38] have associated certificate management or key escrow challenges.

3 PRELIMINARIES

3.1 Bilinear pairing

We let $G_1$, $G_2$ be two cyclic groups with the same order $q$. We then select a generator $P \in G_1$, and let $e : G_1 \times G_1 \to G_2$ be a map. $e$ is a bilinear pairing if it satisfies the following conditions:

1) Bilinear: for all $a, b \in Z_q^*$ and $M, N \in G_1$, $e(aM, bN) = e(bN, aM) = e(M, N)^{ab}$.
2) Non-degenerate: There exists $M, N \in G_1$ so that $e(M, N) \neq 1 \in G_2$.
3) Computable: In polynomial time, $e(M, N)$, $\forall M, N \in G_1$, can be calculated.

3.2 Bilinear Diffie-Hellman (BDH) Problem

BDH: Let $e : G_1 \times G_1 \to G_2$ be a bilinear pairing. Suppose that $P, aP, bP, cP \in G_1$ are known points and $a, b, c \in_R Z_q^*$ are unknown numbers, then compute the value of $e(P, P)^{abc} \in G_2$.

3.3 System model

Next, we define the system model of our proposed SCF-MCLPEKS scheme (see Fig. 2), which has four entities, namely: a cloud server, a data owner, a receiver, and a key generation center (KGC).

Fig. 2. A system model for SCF-MCLPEKS

• KGC is responsible for generating system keys, and partial private keys of both receiver and server.
• Data Owner uses the receiver's and server's public keys to encrypt the data and the index of keywords contained in the data. Once this has been performed, the data owner can store the encrypted data and encrypted keyword indexes in the cloud server.
• Receiver is a data user who obtains his/her partial private key from the KGC. The receiver generates the trapdoor of keywords that he/she wishes to search, and sends it to cloud server.
• Cloud Server obtains its partial private key from KGC. It is responsible for processing data, such as computing data, storing data and searching data for user.

4 PROPOSED SCF-MCLPEKS SCHEME

In this section, we describe the proposed SCF-MCLPEKS scheme, which consists of eight polynomial-time probabilistic algorithms.

Setup: Input a security parameter $k$, KGC performs the following steps:
1) Pick two $q$ order cyclic groups $G_1$, $G_2$, and choose a bilinear pairing $e : G_1 \times G_1 \to G_2$.
2) Select a generator $P \in_R G_1$ and choose a number $s \in_R Z_q^*$ randomly. Let $s$ be master key.
3) Compute $P_{pub} = sP \in G_1$.
4) Select four different cryptographic hash functions: $H_1, H_2, H_3 : \{0, 1\}^* \to G_1$ and $h_4 : G_2 \to \{0, 1\}^{\log q}$.
5) Keep $s$ secretly and publish the system parameters $prms = \{k, G_1, G_2, e, q, P, P_{pub}, H_1, H_2, H_3, h_4\}$.

Extract-Partial-Private-Key: In this phase, KGC executes the steps as below to generate server's and receiver's partial private keys.
1) Take server's identity $ID_S \in \{0, 1\}^*$ as input.
2) Compute $Q_{ID_S} = H_1(ID_S)$.
3) Compute server's partial private key $D_{ID_S} = sQ_{ID_S}$.
4) Take receiver's identity $ID_R \in \{0, 1\}^*$ as input.
5) Compute $Q_{ID_R} = H_1(ID_R)$.
6) Compute receiver's partial private key $D_{ID_R} = sQ_{ID_R}$.

Set-Secret-Value: Input $ID_S \in \{0, 1\}^*$ and $ID_R \in \{0, 1\}^*$.
1) Server selects a number $x_{ID_S} \in Z_q^*$ randomly as its secret value.
2) Receiver selects a number $x_{ID_R} \in Z_q^*$ randomly as its secret value.

Set-Private-Key: Input $x_{ID_S}$, $x_{ID_R}$, $D_{ID_S}$ and $D_{ID_R}$.
1) Server's private key $SK_{ID_S} = (x_{ID_S}, D_{ID_S})$.
2) Receiver's private key $SK_{ID_R} = (x_{ID_R}, D_{ID_R})$.

Set-Public-Key: Server produces its public key by executing the following steps.
1) Input $prms$, server's secret value $x_{ID_S}$.
2) Compute $PK_{ID_S} = x_{ID_S} P$.
Receiver produces its public key by executing the following steps.
1) Input $prms$, receiver's secret value $x_{ID_R}$.
2) Compute $PK_{ID_R} = x_{ID_R} P$.

SCF-MCLPKES: Let $W = \{w_i \mid 1 \le i \le n\}$ be a set of keywords. Take $prms$, server's identity $ID_S$, server's public key $PK_{ID_S}$, receiver's identity $ID_R$, receiver's public key $PK_{ID_R}$ as input. Data owner performs the following steps to encrypt the keyword $w_i \in W$:
1) Compute $Q_{ID_R} = H_1(ID_R)$.
2) Select a number $r_i \in Z_q^*$ randomly.
3) Compute $U_i = r_i P$.
4) Compute
$$T_i = e(r_i H_2(w_i), PK_{ID_R} + PK_{ID_S})\, e(r_i Q_{ID_R}, P_{pub})\, e(r_i H_3(w_i), P).$$
5) Compute $v_i = h_4(T_i)$.

The final ciphertext $C = \{C_1, C_2, \cdots, C_n\}$, where $C_i = (U_i, v_i)$.

Trapdoor: Take $prms$, a keyword $w$, and the receiver's private key $SK_{ID_R}$ as input. Receiver executes Trapdoor algorithm to compute trapdoor $T_w = x_{ID_R} H_2(w) + D_{ID_R}$.

Test: Take $prms$, keyword $w$'s trapdoor $T_w$, server's private key $SK_{ID_S}$ and ciphertext $C$ as input. Verify $h_4(e(T_w + x_{ID_S} H_2(w_i) + H_3(w_i), U_i)) = v_i$. If it is true, then outputs "1"; otherwise, outputs "0".

Suppose that $w = w_i$, where $i \in \{1, 2, \ldots, n\}$. We will prove that the proposed SCF-MCLPEKS scheme satisfies the computational consistency as follows:
$$
\begin{aligned}
& h_4(e(T_w + x_{ID_S} H_2(w_i) + H_3(w_i), U_i)) \\
&= h_4(e(x_{ID_R} H_2(w_i) + D_{ID_R} + x_{ID_S} H_2(w_i) + H_3(w_i), r_i P)) \\
&= h_4(e(x_{ID_R} H_2(w_i) + x_{ID_S} H_2(w_i), r_i P)\, e(D_{ID_R}, r_i P)\, e(H_3(w_i), r_i P)) \\
&= h_4(e(r_i H_2(w_i), (x_{ID_R} + x_{ID_S}) P)\, e(sQ_{ID_R}, r_i P)\, e(H_3(w_i), r_i P)) \\
&= h_4(e(r_i H_2(w_i), PK_{ID_R} + PK_{ID_S})\, e(r_i Q_{ID_R}, P_{pub})\, e(r_i H_3(w_i), P)) \\
&= v_i
\end{aligned}
$$

5 SECURITY ANALYSIS

Prior to proving the security of the proposed SCF-MCLPEKS presented in the preceding section, we will introduce the security model. Secondly, we will show that our scheme is semantically secure under the above security model.

5.1 Security model

The indistinguishability of chosen keyword attacks for a secure channel free certificateless searchable public key encryption with multiple keywords (hereafter referred to as IND-SCF-MK-CKA) is defined as follows.

In certificateless cryptography [18], there exists a Type1 adversary $A_1$ and a Type2 adversary $A_2$. Suppose that $A_1$ simulates a dishonest user, and $A_2$ simulates a malicious-but-passive KGC. $A_1$ does not know the system master key, but it is able to choose a random public key instead of the user's public key. $A_2$ is given the system master key and user's partial-private-key. However, $A_2$ does not have the ability to replace a user's public key.

Formally, security is defined using the two games between a challenger $C$ and adversary $A_1$ (or adversary $A_2$) as below.

Game 1. Assume that $A_1$ is a dishonest user.
• Setup: $C$ inputs a secure parameter $k$, then performs Setup algorithm to obtain public parameters $prms$ and master key $s$. At last, $C$ returns $prms$ to $A_1$, and keeps $s$ secretly. $A_1$ performs the following oracle queries:
• Hash-Query: $A_1$ can ask all hash random oracles, and $C$ returns the corresponding value to $A_1$.
• Extract-Partial-Private-Key-Query: If $A_1$ does a partial private key query with identity $ID$, $C$ executes Extract-Partial-Private-Key algorithm to get $D_{ID}$, and outputs $D_{ID}$.
• Request-Public-Key-Query: Upon receiving such a query with $ID$, $C$ outputs $PK_{ID}$.
• Replace-Public-Key-Query: $A_1$ can pick a random value instead of the user's public key.
• Extract-Private-Key-Query: $A_1$ can make private key $SK_{ID}$ queries for any user's except the challenge identity, $C$ runs Set-Private-Key algorithm and returns $SK_{ID}$ to $A_1$.
• Trapdoor-Query: $A_1$ can perform any keyword $w$'s trapdoor queries, with the exception of the challenged keywords. $C$ runs Trapdoor algorithm and outputs a trapdoor $T_w$ to $A_1$.
• Challenge: $A_1$ outputs two challenge keywords $W_0$ and $W_1$, where $W_0 \neq W_1$ and they have not been queried by $A_1$. $C$ chooses a $b \in \{0, 1\}$ uniformly and performs SCF-MCLPKES algorithm to generate a target ciphertext, and returns to $A_1$.
• Guess: At last, $A_1$ outputs $b' \in \{0, 1\}$. We say $A_1$ wins the game if $b' = b$.

The advantage of $A_1$ winning Game 1 is expressed as
$$Adv^{IND\text{-}SCF\text{-}MK\text{-}CKA}_{SCF\text{-}MCLPEKS, A_1}(k) = \left| \Pr[b' = b] - \frac{1}{2} \right|.$$

Game 2. Let $A_2$ be a malicious-but-passive KGC.
• Setup: $C$ inputs a secure parameter $k$, and performs Setup algorithm to obtain system public parameters $prms$ and system master key $s$. Then, $C$ returns $prms$ and $s$ to $A_2$.
• Queries: $A_2$ can adaptively execute a sequence of queries, including Hash-Query, Request-Public-Key-Query, Extract-Private-Key-Query, Trapdoor-Query.
• Challenge: $A_2$ outputs two challenge keywords $W_0$ and $W_1$. $A_2$ has not queried both $W_0$ and $W_1$. $C$ chooses a $b \in \{0, 1\}$ uniformly and runs SCF-MCLPKES algorithm to generate $C_{W_b}$ as response.
• Guess: At last, $A_2$ outputs $b' \in \{0, 1\}$. If $b' = b$, we say $A_2$ wins the game.

The advantage of $A_2$ winning Game 2 is defined as
$$Adv^{IND\text{-}SCF\text{-}MK\text{-}CKA}_{SCF\text{-}MCLPEKS, A_2}(k) = \left| \Pr[b' = b] - \frac{1}{2} \right|.$$

Definition 2. The SCF-MCLPEKS scheme is IND-SCF-MK-CKA secure if $Adv^{IND\text{-}SCF\text{-}MK\text{-}CKA}_{SCF\text{-}MCLPEKS, A_1}(k)$ and $Adv^{IND\text{-}SCF\text{-}MK\text{-}CKA}_{SCF\text{-}MCLPEKS, A_2}(k)$ are negligible.

5.2 Proof

Theorem 1. Suppose that BDH problem is intractable. Then, the proposed SCF-MCLPEKS is IND-SCF-MK-CKA secure under random oracle model.

Theorem 1 will be proved based on the following two lemmas.

Lemma 1. Assume that $A_1$ breaks the proposed SCF-MCLPEKS scheme with advantage $\varepsilon$. Let $q_{H_1}$, $q_{h_4}$, $q_T$, $q_E$ and $q_{Ext}$ denote the numbers of H1-Query, h4-Query, Trapdoor-Query, Extract-Partial-Private-Key-Query and Extract-Private-Key-Query, respectively. An algorithm $B$ will be constructed to solve BDH problem with advantage
$$\varepsilon' \ge \frac{\varepsilon}{q_{H_1} q_{h_4}} \left(1 - \frac{1}{q_{H_1}}\right)^{q_E + q_{Ext} + q_T}.$$

Proof.
• Setup: Given a BDH instance $(P, aP, bP, cP)$, we will construct an algorithm $B$. The goal of $B$ is to compute the value of $e(P, P)^{abc}$ by using $A_1$ as a subroutine.
$B$ runs Setup, sets $P_{pub} = aP$. $B$ randomly chooses $ID_I$ ($1 \le I \le q_{H_1}$) as a challenge identity, sends $prms$ to $A_1$ who then executes the following queries.
• H1-Query: $B$ maintains a list, called $H_1^{list}$, containing tuples $\langle ID_i, \alpha_i, Q_{ID_i} \rangle$. When the identity $ID_i$ is submitted for this query, $B$ performs the following steps:
1) If $ID_i$ already in a tuple $\langle ID_i, \alpha_i, Q_{ID_i} \rangle$ in $H_1^{list}$, then $B$ outputs $Q_{ID_i}$.
2) Otherwise, if $ID_i = ID_I$, then $B$ picks a random number $\alpha_i \in_R Z_q^*$, and computes $Q_{ID_i} = \alpha_i bP$.
3) Otherwise, picks a random number $\alpha_i \in_R Z_q^*$, and computes $Q_{ID_i} = \alpha_i P$.
4) Adds $\langle ID_i, \alpha_i, Q_{ID_i} \rangle$ to $H_1^{list}$ and outputs $Q_{ID_i}$.
• H2-Query: $B$ maintains a list $H_2^{list}$ with tuples $\langle w_i, \beta_i, H_2(w_i) \rangle$. When $A_1$ asks a $H_2$ query on $w_i$, $B$ responds as follows:
1) If $H_2(w_i)$ already in a tuple $\langle w_i, \beta_i, H_2(w_i) \rangle$ in $H_2^{list}$, then $B$ returns $H_2(w_i)$ to $A_1$.
2) Otherwise, picks a random number $\beta_i \in_R Z_q^*$, and computes $H_2(w_i) = \beta_i P$.
3) Outputs $H_2(w_i)$ and adds $\langle w_i, \beta_i, H_2(w_i) \rangle$ to $H_2^{list}$.
• H3-Query: $B$ maintains a list $H_3^{list}$ with tuples $\langle w_i, \gamma_i, H_3(w_i) \rangle$.
1) $B$ outputs the record $H_3(w_i)$ if this query has been asked.
2) Otherwise, $B$ picks $\gamma_i \in_R Z_q^*$ randomly, computes $H_3(w_i) = \gamma_i P$.
3) $B$ returns $H_3(w_i)$ to $A_1$ and adds $\langle w_i, \gamma_i, H_3(w_i) \rangle$ to $H_3^{list}$.
• h4-Query: A list is maintained by $B$, called $h_4^{list}$, containing tuples $\langle T_i, v_i \rangle$. When $A_1$ makes h4-Query with $T_i \in G_2$, simulator $B$ responds as below:
1) If $T_i$ exists in a tuple $\langle T_i, v_i \rangle$, then outputs $v_i$.
2) Otherwise, picks a random number $v_i \in \{0, 1\}^{\log q}$, returns $v_i$ to $A_1$ and adds $\langle T_i, v_i \rangle$ into $h_4^{list}$.
• Extract-Partial-Private-Key-Query: A list is maintained by $B$ (referred to as $PPK^{list}$), containing tuples $\langle ID_i, Q_{ID_i}, D_{ID_i} \rangle$. When $A_1$ asks for the partial-private-key of $ID_i$, $B$ performs H1-Query and obtains $\langle ID_i, \alpha_i, Q_{ID_i} \rangle$.
1) If $ID_i \neq ID_I$, then computes $D_{ID_i} = \alpha_i P_{pub}$, returns $D_{ID_i}$ to $A_1$ and adds $\langle ID_i, Q_{ID_i}, D_{ID_i} \rangle$ into $PPK^{list}$.
2) Otherwise, $B$ aborts (this event is represented by $E_1$).
• Request-Public-Key-Query: A list is maintained by $B$, called $PK^{list}$, with tuples $\langle ID_i, x_i, PK_{ID_i} \rangle$. When $A_1$ asks for the public-key query of identity $ID_i$, $B$ responds as follows:
1) If $PK_{ID_i}$ already exists in a tuple $\langle ID_i, x_i, PK_{ID_i} \rangle$ in $PK^{list}$, then $B$ returns $PK_{ID_i}$ to $A_1$.
2) Otherwise, picks a random number $x_i \in_R Z_q^*$, and computes $PK_{ID_i} = x_i P$.
3) Adds $\langle ID_i, x_i, PK_{ID_i} \rangle$ into $PK^{list}$ and returns $PK_{ID_i}$ to $A_1$.
• Replace-Public-Key-Query: $A_1$ can replace any user's public key with a random value.
• Extract-Private-Key-Query: Take identity $ID_i$ as input. If $ID_i = ID_I$, then $B$ aborts (this event is denoted by $E_2$). Otherwise, $B$ performs the following actions:
1) If $\langle ID_i, Q_{ID_i}, D_{ID_i} \rangle$ and $\langle ID_i, x_i, PK_{ID_i} \rangle$ exist in $PPK^{list}$ and $PK^{list}$, respectively, then $B$ sets $SK_{ID_i} = (x_i, D_{ID_i})$ and sends it to $A_1$.
2) Otherwise, performs a Request-Public-Key-Query and a Extract-Partial-Private-Key-Query with $ID_i$, simulating the above process to obtain $SK_{ID_i} = (x_i, D_{ID_i})$ and sends it to $A_1$.
• Trapdoor-Query: When $A_1$ asks Trapdoor-Query on keyword $w_i$ of identity $ID_i$, $B$ responds as follows:
1) If $ID_i = ID_I$, then $B$ aborts (this event is denoted by $E_3$).
2) Otherwise, recovers $\langle ID_i, x_i, PK_{ID_i} \rangle$ from $PK^{list}$, recovers $\langle ID_i, Q_{ID_i}, D_{ID_i} \rangle$ from $PPK^{list}$ and retrieves $\langle w_i, \beta_i, H_2(w_i) \rangle$ from $H_2^{list}$. Computes $T_{w_i} = x_i H_2(w_i) + D_{ID_i}$ and sends $T_{w_i}$ to $A_1$.
• Challenge: $A_1$ will issue a challenge on two different keywords $w_0$ and $w_1$ with identity $ID^*$. $B$ executes as follows:
1) If $ID^* \neq ID_I$, then $B$ aborts (this event is denoted by $E_4$).
2) Otherwise, chooses $b \in_R \{0, 1\}$ randomly.
3) Chooses two random numbers $r \in Z_q^*$, $v \in \{0, 1\}^{\log q}$, and sends $C_b = (rcP, v)$ to $A_1$.
If $C_b = (rcP, v)$ is a valid ciphertext, then
$$
\begin{aligned}
v &= h_4(e(\beta_i P, x_i P + PK_{ID_S})^{rc}\, e(\alpha_i bP, aP)^{rc}\, e(\gamma_i P, P)^{rc}) \\
&= h_4(e(P, P)^{cr\beta_i x_i}\, e(PK_{ID_S}, P)^{cr\beta_i}\, e(P, P)^{rabc\alpha_i}\, e(P, P)^{cr\gamma_i}) \\
&= h_4(e(P, P)^{cr(\beta_i x_i + \gamma_i)}\, e(P, PK_{ID_S})^{cr\beta_i}\, e(P, P)^{rabc\alpha_i})
\end{aligned}
$$
• More-Trapdoor-Queries: $A_1$ can perform additional trapdoor queries on keyword $w_i$, where $w_i \neq w_0$ and $w_i \neq w_1$. $B$ responds as above. Let $E_5$ denotes the event that $A_1$ does not ask a query for either $w_0$ or $w_1$.
• Guess: Finally, $A_1$ outputs $b' \in \{0, 1\}$ as its guess. And at this point, $B$ can pick a pair $\langle T, v \rangle$ randomly from $h_4^{list}$. $e(P, P)^{abc}$ can be computed as follows:
$$
\begin{aligned}
& \left( \frac{T}{e(cP, P)^{r(\beta_i x_i + \gamma_i)}\, e(cP, PK_{ID_S})^{r\beta_i}} \right)^{\frac{1}{r\alpha_i}} \\
&= \left( \frac{e(P, P)^{cr(\beta_i x_i + \gamma_i)}\, e(P, PK_{ID_S})^{cr\beta_i}\, e(P, P)^{rabc\alpha_i}}{e(cP, P)^{r(\beta_i x_i + \gamma_i)}\, e(cP, PK_{ID_S})^{r\beta_i}} \right)^{\frac{1}{r\alpha_i}} \\
&= \left( e(P, P)^{rabc\alpha_i} \right)^{\frac{1}{r\alpha_i}} \\
&= e(P, P)^{abc}
\end{aligned}
$$

$B$'s advantage $\varepsilon'$ in solving the BDH problem is as follows:
• When $A_1$ asks H1-Query, H2-Query, H3-Query and h4-Query, the response is as distinct as the real world, since each response is answered with a random value.
• The responses to $A_1$'s Extract-Partial-Private-Key-Query and Trapdoor-Query are valid unless $E_1$ or $E_2$ occurs. If all events $E_i$ ($1 \le i \le 5$) do not occur, then $B$ does not interrupt.

Now, we have
$$\Pr[\neg E_1 \wedge \neg E_2 \wedge \neg E_3 \wedge \neg E_4] = \left(1 - \frac{1}{q_{H_1}}\right)^{q_E + q_{Ext} + q_T} \frac{1}{q_{H_1}},$$
We will now need to prove that $\Pr[\neg E_5] \ge 2\varepsilon$.
Since
$$
\begin{aligned}
\Pr[b' = b] &= \Pr[b = b' \mid E_5]\Pr[E_5] + \Pr[b = b' \mid \neg E_5]\Pr[\neg E_5] \\
&\le \Pr[b = b' \mid E_5]\Pr[E_5] + \Pr[\neg E_5] \\
&= \frac{1}{2}\Pr[E_5] + \Pr[\neg E_5] \\
&= \frac{1}{2} + \frac{1}{2}\Pr[\neg E_5]
\end{aligned}
$$
and
$$\Pr[b' = b] \ge \Pr[b = b' \mid E_5]\Pr[E_5] = \frac{1}{2} - \frac{1}{2}\Pr[\neg E_5],$$
it follows that
$$\frac{1}{2}\Pr[\neg E_5] \ge \left| \Pr[b = b'] - \frac{1}{2} \right| \ge \varepsilon.$$
Thus, $\Pr[\neg E_5] \ge 2\varepsilon$. $B$ will select the correct pair with probability at least $1/q_{h_4}$.
Thus, we have
$$
\begin{aligned}
\varepsilon' &\ge \frac{1}{2}\,\frac{1}{q_{h_4}} \cdot 2\varepsilon \cdot \left(1 - \frac{1}{q_{H_1}}\right)^{q_E + q_{Ext} + q_T} \frac{1}{q_{H_1}} \\
&= \frac{\varepsilon}{q_{H_1} q_{h_4}} \left(1 - \frac{1}{q_{H_1}}\right)^{q_E + q_{Ext} + q_T}
\end{aligned}
$$

Lemma 2. Suppose that $A_2$ breaks the proposed SCF-MCLPEKS scheme with advantage $\varepsilon$. Let $q_{H_1}$, $q_{h_4}$, $q_T$ and $q_{Ext}$ denote the numbers of H1-Query, h4-Query, Trapdoor-Query, and Extract-Private-Key-Query, respectively. An algorithm $B$ can be constructed to solve BDH problem with advantage
$$\varepsilon' \ge \frac{\varepsilon}{q_{H_1} q_{h_4}} \left(1 - \frac{1}{q_{H_1}}\right)^{q_{Ext} + q_T}.$$

Proof.
• Setup: Given a BDH instance $(P, aP, bP, cP)$, $B$'s goal is to determine the value of $e(P, P)^{abc}$ by using $A_2$ as a subroutine. $B$ executes Setup, picks a number $s \in_R Z_q^*$ as system master key and chooses $ID_I$ as a challenge identity. Sets $P_{pub} = sP$, sends public parameters $prms$ and $s$ to $A_2$. $A_2$ executes the following queries.
• H1-Query: $B$ maintains a list $H_1^{list}$ containing tuples $\langle ID_i, Q_i \rangle$. When the identity $ID_i$ is submitted for this query, $B$ performs the following steps:
1) If $ID_i$ already exists in $\langle ID_i, Q_i \rangle$ in $H_1^{list}$, then $B$ outputs $Q_i$.
2) Otherwise, picks a $Q_i \in_R G_1$, adds $\langle ID_i, Q_i \rangle$ to $H_1^{list}$ and sends $Q_i$ to $A_2$.
• H2-Query: A list is maintained by $B$, called $H_2^{list}$, with tuples $\langle w_i, \beta_i, H_2(w_i) \rangle$. When $A_2$ asks a $H_2$ query on $w_i$, $B$ responds as follows:
1) If $H_2(w_i)$ already in a tuple $\langle w_i, \beta_i, H_2(w_i) \rangle$ in $H_2^{list}$, then returns $H_2(w_i)$ to $A_2$.
2) Otherwise, picks a random number $\beta_i \in_R Z_q^*$, and computes $H_2(w_i) = \beta_i aP$.
3) Outputs $H_2(w_i)$ and adds $\langle w_i, \beta_i, H_2(w_i) \rangle$ to $H_2^{list}$.
• H3-Query: A list is maintained by $B$, called $H_3^{list}$, containing tuples $\langle w_i, \gamma_i, H_3(w_i) \rangle$.
1) If this query has been asked, then $B$ outputs the record $H_3(w_i)$.
2) Otherwise, $B$ picks $\gamma_i \in_R Z_q^*$ randomly, computes $H_3(w_i) = \gamma_i P$.
3) $B$ returns $H_3(w_i)$ to $A_2$ and adds $\langle w_i, \gamma_i, H_3(w_i) \rangle$ to $H_3^{list}$.
• h4-Query: A list is maintained by $B$, called $h_4^{list}$, containing tuples $\langle T_i, v_i \rangle$. When $A_2$ makes $h_4$ query on $T_i \in G_2$, $B$ responds as below:
1) If $T_i$ exists in a tuple $\langle T_i, v_i \rangle$, then outputs $v_i$.
2) Otherwise, picks a random number $v_i \in \{0, 1\}^{\log q}$, returns $v_i$, and adds $\langle T_i, v_i \rangle$ into $h_4^{list}$.
• Request-Public-Key-Query: A list is maintained by $B$, called $PK^{list}$, with tuples $\langle ID_i, x_i, PK_{ID_i} \rangle$. When $A_2$ asks for the public-key query of identity $ID_i$, $B$ responds as below:
1) If $PK_{ID_i}$ already exists in $\langle ID_i, x_i, PK_{ID_i} \rangle$ in $PK^{list}$, then returns $PK_{ID_i}$.
2) Otherwise, picks a random number $x_i \in_R Z_q^*$. If $ID_i = ID_I$, sets $PK_{ID_i} = x_i bP$. Otherwise ($ID_i \neq ID_I$), $PK_{ID_i} = x_i P$.
3) Adds $\langle ID_i, x_i, PK_{ID_i} \rangle$ into $PK^{list}$ and outputs $PK_{ID_i}$.
• Extract-Private-Key-Query: Take identity $ID_i$ as input. If $ID_i = ID_I$, $B$ aborts (this event is denoted by $E_1$). Otherwise, $B$ performs H1-Query and Request-Public-Key-Query to obtain $\langle ID_i, Q_i \rangle$ and $\langle ID_i, x_i, PK_{ID_i} \rangle$. $B$ sets $SK_{ID_i} = (x_i, sQ_i)$ and sends $SK_{ID_i}$ to $A_2$.
• Trapdoor-Query: When $A_2$ performs $w_i$'s trapdoor query with $ID_i$, $B$ responds as follows:
1) If $ID_i = ID_I$, then $B$ aborts (this event is denoted by $E_2$).
2) Otherwise, recovers $\langle ID_i, x_i, PK_{ID_i} \rangle$ from $PK^{list}$, recovers $\langle ID_i, Q_i \rangle$ from $H_1^{list}$ and retrieves $\langle w_i, \beta_i, H_2(w_i) \rangle$ from $H_2^{list}$. Computes $T_{w_i} = x_i H_2(w_i) + sQ_i$ and sends $T_{w_i}$ to $A_2$.
• Challenge: $A_2$ will make challenge on two different keywords $w_0$ and $w_1$ with $ID^*$. $B$ executes as below:

1551-3203 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TII.2017.2703922, IEEE
Transactions on Industrial Informatics

  1) If $ID^* \ne ID_I$, then $B$ aborts (this event is denoted by $E_3$).
  2) Otherwise, chooses $b \in_R \{0, 1\}$ randomly.
  3) Chooses two random numbers $r \in Z_q^*$, $v \in \{0, 1\}^{\log q}$, and sends $C_b = (rcP, v)$ to $A_2$.

If $C_b = (rcP, v)$ is a valid ciphertext, then

$$\begin{aligned}
v &= h_4\big(e(\beta_i aP, x_i bP + PK_{ID_S})^{rc}\, e(Q_i, sP)^{rc}\, e(\gamma_i P, P)^{rc}\big) \\
&= h_4\big(e(P, P)^{abcr\beta_i x_i}\, e(P, PK_{ID_S})^{acr\beta_i}\, e(Q_i, scP)^{r}\, e(P, cP)^{r\gamma_i}\big) \\
&= h_4\big(e(P, P)^{abcr\beta_i x_i}\, e(aP, x_{ID_S} cP)^{r\beta_i}\, e(Q_i, scP)^{r}\, e(P, cP)^{r\gamma_i}\big)
\end{aligned}$$

• More-Trapdoor-Queries: $A_2$ can perform additional trapdoor queries on keyword $w_i$, where $w_i \ne w_0$ and $w_i \ne w_1$. $B$ responds as above. Let $E_4$ denote the event that $A_2$ does not ask a query for either $w_0$ or $w_1$.
• Guess: Finally, $A_2$ outputs $b' \in \{0, 1\}$ as its guess. At this point, $B$ can pick a pair $\langle T, v \rangle$ randomly from $h_4^{list}$. $e(P, P)^{abc}$ can be computed as follows:

$$\begin{aligned}
&\left(\frac{T}{e(aP, x_{ID_S} cP)^{r\beta_i}\, e(Q_i, scP)^{r}\, e(P, cP)^{r\gamma_i}}\right)^{\frac{1}{r\beta_i x_i}} \\
&= \left(\frac{e(P, P)^{abcr\beta_i x_i}\, e(aP, x_{ID_S} cP)^{r\beta_i}\, e(Q_i, scP)^{r}\, e(P, cP)^{r\gamma_i}}{e(aP, x_{ID_S} cP)^{r\beta_i}\, e(Q_i, scP)^{r}\, e(P, cP)^{r\gamma_i}}\right)^{\frac{1}{r\beta_i x_i}} \\
&= \left(e(P, P)^{abcr\beta_i x_i}\right)^{\frac{1}{r\beta_i x_i}} \\
&= e(P, P)^{abc}
\end{aligned}$$

We will now analyze $B$'s advantage $\varepsilon'$ in solving the BDH problem.

• When $A_2$ asks $H_1$-Query, $H_2$-Query, $H_3$-Query and $h_4$-Query, the view of $A_2$ running as a subroutine under $B$ is identical to the view of $A_2$ in the real world. This is because each response is answered with a random value.
• The responses to $A_2$'s Extract-Private-Key-Query and Trapdoor-Query are valid unless $E_1$ or $E_2$ occurs. If none of the events $E_i$ ($1 \le i \le 4$) occurs, then $B$ does not interrupt.

Noting that

$$\Pr[\neg E_1 \wedge \neg E_2 \wedge \neg E_3] = \frac{1}{q_{H_1}}\left(1 - \frac{1}{q_{H_1}}\right)^{q_{Ext} + q_T},$$

Next, we prove that $\Pr[\neg E_4] \ge 2\varepsilon$. Since

$$\begin{aligned}
\Pr[b' = b] &= \Pr[b = b' \mid E_4]\Pr[E_4] + \Pr[b = b' \mid \neg E_4]\Pr[\neg E_4] \\
&\le \Pr[b = b' \mid E_4]\Pr[E_4] + \Pr[\neg E_4] \\
&= \frac{1}{2} + \frac{1}{2}\Pr[\neg E_4]
\end{aligned}$$

and

$$\Pr[b' = b] \ge \Pr[b = b' \mid E_4]\Pr[E_4] = \frac{1}{2} - \frac{1}{2}\Pr[\neg E_4]$$

Thus,

$$\Pr[\neg E_4] \ge 2\left|\Pr[b = b'] - \frac{1}{2}\right| \ge 2\varepsilon.$$

$B$ may pick the correct pair from $h_4^{list}$ with probability at least $1/q_{h_4}$.

Thus, we have

$$\varepsilon' \ge \frac{1}{2} \cdot 2\varepsilon \cdot \frac{1}{q_{h_4}} \cdot \frac{1}{q_{H_1}}\left(1 - \frac{1}{q_{H_1}}\right)^{q_{Ext} + q_T} = \frac{\varepsilon}{q_{H_1} q_{h_4}}\left(1 - \frac{1}{q_{H_1}}\right)^{q_{Ext} + q_T}$$

6 PERFORMANCE EVALUATION

We now evaluate the performance of our SCF-MCLPEKS scheme and the scheme of Peng et al. [24], in terms of both computation and communication costs.

6.1 Computation cost

The notations and the executing times used in the evaluation are defined in Table 1. The evaluations were performed on a personal computer (Dell with an I5-4460S 2.90GHz processor, 4G bytes memory and Windows 8 operating system) using the MIRACL library [39].

TABLE 1
Notations and executing times (ms)

| Notation | Description | Time (ms) |
|---|---|---|
| $T_{sm}$ | a scalar multiplication executing time | 2.165 |
| $T_{bp}$ | a bilinear pairing executing time | 5.427 |
| $T_H$ | a Hash-to-point executing time | 5.493 |
| $T_h$ | a general hash function executing time | 0.007 |
| $T_{pa}$ | a point addition executing time | 0.013 |

Table 2 and Fig. 3 show the computation cost for both schemes, and it is clear that the computation cost of our scheme is lower than that of Peng et al.'s scheme [24], except that it is slightly worse in the Test phase. However, our scheme can resist chosen keyword attack, which scheme [24] does not.

TABLE 2
A comparative summary: Computation cost (ms)

| Phase | Peng et al.'s scheme | Our proposed scheme |
|---|---|---|
| KeyGen | $2T_H + 8T_{sm}$ = 28.306 | $2T_H + 4T_{sm}$ = 19.646 |
| CLPEKS | $3T_H + 2T_h + 5T_{sm} + 3T_{bp}$ = 43.599 | $3T_H + T_h + 4T_{sm} + 3T_{bp} + T_{pa}$ = 41.433 |
| Trapdoor | $T_H + T_h + 3T_{sm}$ = 11.995 | $T_H + T_{sm} + T_{pa}$ = 7.671 |
| Test | $T_h + T_{sm} + 2T_{pa} + T_{bp}$ = 7.625 | $2T_H + T_h + T_{sm} + 2T_{pa} + T_{bp}$ = 18.611 |

6.2 Communication cost

We let $PK$, $CT$, $TD$ denote public key, ciphertext and trapdoor, respectively. $\lvert G_1 \rvert$ and $\lvert Z_q \rvert$ denote the bit size of a point in group $G_1$ and the bit length of a number $\in Z_q$, respectively. Table 3 shows the communication cost in both the schemes.

TABLE 3
A comparative summary: Communication cost

| | Peng et al.'s scheme | Our scheme |
|---|---|---|
| Size of $PK$ | $4\lvert G_1 \rvert$ | $2\lvert G_1 \rvert$ |
| Size of $CT$ | $\lvert G_1 \rvert + \lvert Z_q \rvert$ | $\lvert G_1 \rvert + \lvert Z_q \rvert$ |
| Size of $TD$ | $3\lvert G_1 \rvert$ | $\lvert G_1 \rvert$ |

As shown in Table 3, the proposed scheme has a lower communication cost than Peng et al.'s scheme [24].
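Added example, not code from the paper: a numeric check of the Guess step in the proof of Lemma 2, confirming that dividing $T$ by the factors $B$ can compute itself and raising the result to $1/(r\beta_i x_i)$ yields $e(P, P)^{abc}$. The pairing is a constructed toy map over small groups in which discrete logarithms are trivial, so it checks the algebra only; the parameters q = 1019, p = 2039, g = 4 and all function names are assumptions of this example.

```python
import secrets

# Toy symmetric pairing, constructed for this check only and NOT secure:
# G1 = (Z_q, +) with generator P = 1, so the point xP is stored as x mod q;
# G2 = the order-q subgroup of Z_p^* generated by g, with e(xP, yP) = g^(xy).
q, p, g = 1019, 2039, 4                 # p = 2q + 1; g = 4 has order q mod p
P = 1

def e(X, Y):
    """Bilinear map e: G1 x G1 -> G2 on the toy groups."""
    return pow(g, (X * Y) % q, p)

def challenge_T(a, b, c, r, beta, x_i, x_S, Q_i, s, gamma):
    """h4 input of a valid C_b = (rcP, v): first line of the page's equation."""
    H2w = beta * a * P % q              # H2(w_i) = beta_i * aP
    H3w = gamma * P % q                 # H3(w_i) = gamma_i * P
    PK_I = x_i * b * P % q              # PK_IDI = x_i * bP (challenge identity)
    PK_S = x_S * P % q                  # server public key PK_IDS = x_IDS * P
    rc = r * c % q
    return (pow(e(H2w, (PK_I + PK_S) % q), rc, p)
            * pow(e(Q_i, s * P % q), rc, p)
            * pow(e(H3w, P), rc, p)) % p

def extract_bdh(T, aP, cP, r, beta, x_i, x_S, Q_i, s, gamma):
    """B's Guess step: uses only the points aP, cP and values B chose itself."""
    known = (pow(e(aP, x_S * cP % q), r * beta % q, p)
             * pow(e(Q_i, s * cP % q), r, p)
             * pow(e(P, cP), r * gamma % q, p)) % p
    quotient = T * pow(known, -1, p) % p          # e(P,P)^(abc*r*beta*x_i)
    root = pow(r * beta * x_i % q, -1, q)         # 1/(r*beta*x_i) mod q
    return pow(quotient, root, p)

def run_once():
    """Random BDH instance and simulator values; True if B recovers e(P,P)^abc."""
    a, b, c, r, beta, x_i, x_S, Q_i, s, gamma = (
        secrets.randbelow(q - 1) + 1 for _ in range(10))
    T = challenge_T(a, b, c, r, beta, x_i, x_S, Q_i, s, gamma)
    recovered = extract_bdh(T, a * P % q, c * P % q, r, beta, x_i, x_S, Q_i, s, gamma)
    return recovered == pow(g, a * b * c % q, p)

if __name__ == "__main__":
    print(all(run_once() for _ in range(1000)))
```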


Fig. 3. Computation comparison (bar chart of Time (ms) for KeyGen, CLPEKS, Trapdoor and Test; Peng et al.'s scheme versus our proposed scheme)

7 CONCLUSION

Integrating IIoT and the cloud is likely to become a norm in the foreseeable future, and ensuring the privacy and confidentiality of user data is important for the IIoT infrastructure owner and the cloud service provider. To address limitations inherent in existing PEKS, we construct an effective SCF-MCLPEKS scheme for IIoT system in this paper. We then demonstrate the utility of the proposed scheme by demonstrating its security against chosen keyword attacks in random oracle model, as well as its performance in terms of high computational efficiency and low communication cost. In comparison to Peng et al.’s scheme, the executing times of the proposed scheme decrease by 30.58%, 0.05% and 36.05% in KeyGen, CLPEKS and Trapdoor, respectively. In the future, we will implement a prototype of a (semi-)closed cloud environment using the proposed scheme.

ACKNOWLEDGEMENTS

We are thankful to all anonymous reviewers for their suggestions and comments for improvement of the paper.

REFERENCES

[1] K. Ashton, “That internet of things thing,” RFID Journal, vol. 22, no. 7, pp. 97–114, 2009.
[2] L.-O. Wallin and T. Zimmerman, “2017 Strategic Roadmap for IoT Network Technology,” tech. rep., Gartner, 2017.
[3] S. B. Alaybeyi, “Pragmatic Strategies to Improve Industrial IoT Security,” tech. rep., Gartner, 2016.
[4] Q. Liu, W. Cai, J. Shen, Z. Fu, X. Liu, and N. Linge, “A speculative approach to spatial-temporal efficiency with multi-objective optimization in a heterogeneous cloud environment,” Security and Communication Networks, vol. 9, no. 17, pp. 4002–4012, 2016.
[5] Z. Xia, X. Wang, L. Zhang, Z. Qin, X. Sun, and K. Ren, “A privacy-preserving and copy-deterrence content-based image retrieval scheme in cloud computing,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 11, pp. 2594–2608, 2016.
[6] Z. Fu, F. Huang, X. Sun, A. Vasilakos, and C.-N. Yang, “Enabling semantic search based on conceptual graphs over encrypted outsourced data,” IEEE Transactions on Services Computing, 2016.
[7] K.-K. R. Choo, “Cloud computing: Challenges and future directions,” Trends & Issues in Crime and Criminal Justice, vol. 400, pp. 1–6, 2010.
[8] C. Esposito, A. Castiglione, B. Martini, and K.-K. R. Choo, “Cloud manufacturing: Security, privacy, and forensic concerns,” IEEE Cloud Computing, vol. 3, pp. 16–22, 2016.
[9] D. Boneh, G. Crescenzo, R. Ostrovsky, and G. Persiano, “Public key encryption with keyword search,” in International Conference on the Theory and Applications of Cryptographic Techniques, pp. 506–522, Springer, 2004.
[10] Z. Xia, X. Wang, X. Sun, and Q. Wang, “A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data,” IEEE Transactions on Parallel and Distributed Systems, vol. 27, no. 2, pp. 340–352, 2016.
[11] Z. Fu, X. Wu, C. Guan, X. Sun, and K. Ren, “Toward efficient multi-keyword fuzzy search over encrypted outsourced data with accuracy improvement,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 12, pp. 2706–2716, 2016.
[12] Z. Fu, X. Sun, Q. Liu, L. Zhou, and J. Shu, “Achieving efficient cloud search services: multi-keyword ranked search over encrypted cloud data supporting parallel computing,” IEICE Transactions on Communications, vol. 98, no. 1, pp. 190–200, 2015.
[13] X. Yang, T.-T. Lee, J. K. Liu, and X. Huang, “Trust enhancement over range search for encrypted data,” in Trustcom/BigDataSE/ISPA, 2016 IEEE, pp. 66–73, IEEE, 2016.
[14] R. Curtmola, J. Garay, S. Kamara, and R. Ostrovsky, “Searchable symmetric encryption: improved definitions and efficient constructions,” Journal of Computer Security, vol. 19, no. 5, pp. 895–934, 2011.
[15] X. Song, D. Wagner, and A. Perrig, “Practical techniques for searches on encrypted data,” in Security and Privacy, 2000. S&P 2000. Proceedings. 2000 IEEE Symposium on, pp. 44–55, IEEE, 2000.
[16] C. Zuo, J. Macindoe, S. Yang, R. Steinfeld, and J. K. Liu, “Trusted boolean search on cloud using searchable symmetric encryption,” in Trustcom/BigDataSE/ISPA, 2016 IEEE, pp. 113–120, IEEE, 2016.
[17] A. Shamir, “Identity-based cryptosystems and signature schemes,” in Workshop on the Theory and Application of Cryptographic Techniques, pp. 47–53, Springer, 1984.
[18] S. S. Al-Riyami and K. G. Paterson, “Certificateless public key cryptography,” in International Conference on the Theory and Application of Cryptology and Information Security, pp. 452–473, Springer, 2003.
[19] J. K. Liu, M. H. Au, and W. Susilo, “Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model,” in Proceedings of the 2nd ACM symposium on Information, computer and communications security, pp. 273–283, ACM, 2007.
[20] Y. H. Hwang, J. K. Liu, and S. S. Chow, “Certificateless public key encryption secure against malicious kgc attacks in the standard model,” J. UCS, vol. 14, no. 3, pp. 463–480, 2008.
[21] F. Wang and Y. Zhang, “A new provably secure authentication and key agreement mechanism for sip using certificateless public-key cryptography,” Computer communications, vol. 31, no. 10, pp. 2142–2149, 2008.
[22] L. Zhang, F. Zhang, B. Qin, and S. Liu, “Provably-secure electronic cash based on certificateless partially-blind signatures,” Electronic Commerce Research and Applications, vol. 10, no. 5, pp. 545–552, 2011.
[23] S.-H. Seo, M. Nabeel, and X. Ding, “An efficient certificateless encryption for secure data sharing in public clouds,” IEEE Transactions on Knowledge and Data Engineering, vol. 26, no. 9, pp. 2107–2119, 2014.
[24] Y. Peng, J. Cui, and Z. Ying, “Certificateless public key encryption with keyword search,” China Communications, vol. 11, no. 11, pp. 100–113, 2014.
[25] T.-Y. Wu, F. Meng, C.-M. Chen, S. Liu, and J.-S. Pan, “On the security of a certificateless searchable public key encryption scheme,” in International Conference on Genetic and Evolutionary Computing, pp. 113–119, Springer, 2016.
[26] P. Golle, J. Staddon, and B. Waters, “Secure conjunctive keyword search over encrypted data,” in International Conference on Applied Cryptography and Network Security, pp. 31–45, Springer, 2004.
[27] D. Cash, S. Jarecki, C. Jutla, H. Krawczyk, M.-C. Roşu, and M. Steiner, “Highly-scalable searchable symmetric encryption with support for boolean queries,” in Advances in Cryptology–CRYPTO 2013, pp. 353–373, Springer, 2013.
[28] J. Baek, R. Safavi-Naini, and W. Susilo, “Public key encryption with keyword search revisited,” in International conference on Computational Science and Its Applications, pp. 1249–1259, Springer, 2008.
[29] Q. Tang and L. Chen, “Public-key encryption with registered keyword search,” in European Public Key Infrastructure Workshop, pp. 163–178, Springer, 2009.
[30] H. S. Rhee, J. H. Park, W. Susilo, and D. H. Lee, “Trapdoor security in a searchable public-key encryption scheme with a designed tester,” Journal of Systems and Software, vol. 83, no. 5, pp. 763–771, 2010.
[31] P. Xu, H. Jin, et al., “Public-key encryption with fuzzy keyword search: A provably secure scheme under keyword guessing attack,” IEEE Transactions on Computers, vol. 62, no. 11, pp. 2266–2277, 2013.
[32] T. Wang, M. H. Au, and W. Wu, “An efficient secure channel free searchable encryption scheme with multiple keywords,” in International Conference on Network and System Security, pp. 251–265, Springer, 2016.
[33] J. Su, D. Cao, X. Wang, Y. Sun, and Q. Hu, “Attribute-based encryption schemes,” Journal of Software, vol. 22, no. 6, pp. 1299–1315, 2011.
[34] H. S. Rhee, J. H. Park, and D. H. Lee, “Generic construction of designed tester public-key encryption with keyword search,” Information Sciences, vol. 205, pp. 93–109, 2012.
[35] C. Hu and P. Liu, “A secure searchable public key encryption scheme with a designated tester against keyword guessing attacks and its extension,” in International Conference on Computer Science, Environment, Ecoinformatics, and Education, pp. 131–136, Springer, 2011.
[36] Y. H. Hwang and P. J. Lee, “Public key encryption with conjunctive keyword search and its extension to multi-user system,” in International Conference on Pairing-Based Cryptography, pp. 2–22, Springer, 2007.
[37] S. Sun, J. K. Liu, A. Sakzad, R. Steinfeld, and T. H. Yuen, “An efficient non-interactive multi-client searchable encryption with support for boolean queries,” in European Symposium on Research in Computer Security, pp. 154–172, Springer, 2016.
[38] K. Liang, X. Huang, F. Guo, and J. K. Liu, “Privacy-preserving and regular language search over encrypted cloud data,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 10, pp. 2365–2376, 2016.
[39] “Shamus software ltd., miracl library.” http://www.shamus.ie/index.php?page=home, 2016.
