A Lightweight and Formally Secure Certificate Based Signcryption With Proxy Re-Encryption (CBSRE) for Internet of Things Enabled Smart Grid



I. INTRODUCTION
Electricity is the main source of energy and plays a vital role in the power industry. The complex traditional electricity systems were developed more than 100 years ago and are not able to cope with the dynamic changes of the modern era [1], [2]. The smart grid (SG), however, is a new technology system that can manage a wide range of energy sources and increases the reliability and efficiency of an entire energy system, which can be a sustainable solution for the transmission, generation, distribution, and consumption of electricity [3], [4]. The SG ecosystem is built by combining a number of smart devices, i.e. smart metering and monitoring systems, that generate enormous amounts of data and transmit it to the network over the Internet [5].
The associate editor coordinating the review of this manuscript and approving it for publication was S. K. Hafizul Islam.
Nowadays, the Internet of Things (IoT) is involved in almost every domain of modern society. About 30 billion smart objects will be connected to the internet in 2020, including physical devices, vehicles, sensors, software, actuators, embedded objects, and home appliances [6]. The IoT is a network of smart devices that provides connectivity through which they can exchange data and commands. Applied to SG technology, the IoT effectively integrates the infrastructure of the power system and facilitates the communication resources [7]. Besides, there is a need for an IoT big data analytics platform that is proficient at managing and transforming the gigantic household energy consumption data into actionable insights [8]. Cloud computing has the potential to improve the reliability of SG systems by allowing data-driven services to meet the challenges of data storage, processing and classification analysis [9]. An IoT-enabled cloud-based platform for SG applications is shown in Figure 1, in which the IoT devices are responsible for data acquisition, while the substantial amount of data collected by IoT devices is stored and managed in the cloud server (CS). Here, the commercial nature of a CS and the sensitivity of grid-related data collected by IoT devices require strong security measures during the transmission process [10]. The data stored in the CS can be accessed by multiple data users such as researchers, government agencies and power grid staff. Government agencies and researchers analyze the stored data for future policymaking or investigation purposes, while the power grid staff access the collected data to monitor the status of the power grid [11].
Because the data can be accessed by anyone, there is a need for authenticity and data security. Authenticity can be ensured by applying a digital signature [12], while data security can be obtained from encryption [13]. However, the high communication and computation cost of encryption and digital signature opens the way for signcryption. In 1997, Zheng proposed the concept of signcryption for the first time, which logically combines the functions of digital signature and encryption in a single step with minimal cost [14]. The data collected from IoT smart devices is sent for processing and storage to the cloud server, where the cloud service provider can check only the authentication of the data. The involvement of such a third-party service provider raises a new trust-related issue for SG systems. For this purpose, in 1998, Blaze at Eurocrypt [15] introduced the concept of the proxy re-encryption (P-RE) cryptosystem, which allows a third party to alter a ciphertext that has been encrypted for one user such that another user is also able to decrypt it. The concept was later enhanced by Ateniese and Hohenberger in 2005 [16], who introduced a proxy re-signature (P-RS) cryptosystem, in which a proxy is able to transform a signature computed under Bob's private key into another signature that can be verified under Alice's public key. Later, in 2008, Chandrasekar et al. [17] combined signcryption with proxy re-encryption (SP-RE), which provides security features such as confidentiality and authentication with P-RE capabilities in an efficient and cost-effective way.
However, most proxy re-encryption, proxy re-signature, and signcryption with proxy re-encryption (SP-RE) schemes are based on old public-key cryptography (PKC), identity-based cryptography (IBC), and certificateless cryptography (CLC), respectively. Unfortunately, PKC is not a suitable choice for IoT devices due to certificate management issues such as certificate revocation and renewal [18]. IBC suffers from the well-known key escrow problem (KEP), as the private keys of all the participants are known to the private key generation center [19]-[21]. CLC suffers from the partial private key distribution problem (PPKDP), as the distribution of partial private keys needs a secure channel between the key generation center and all the participants [21], [22]. In contrast to these cryptosystems, and to remove the certificate management issues of PKC, the KEP of IBC, and the PPKDP of CLC, Gentry [23] proposed the concept of certificate-based cryptography (CBC). CBC is based on the old concept of PKC, in which the participants in a network have their own public and private keys. The public key is used by the certifier's authority (CsA), which generates a certificate for each participant from it using the concept of IBC. Furthermore, the certificate assigned by the CsA acts as a partial private key and is also used as a decryption key on the receiver side [19].
Note that, here in CBC the certificate distribution among the users does not need any secure channel.
The security and efficiency of signcryption with re-encryption schemes built on the aforementioned cryptosystems (PKC, IBC, CLC, and CBC) are normally based on computationally hard problems, i.e. RSA, bilinear pairing (BP), and elliptic curve cryptosystems (ECC). However, RSA suffers from a large factorization problem with a 1024 key size, while BP is 14.31 times worse than RSA due to its large pairing computation [24], [25]. ECC uses a 160-bit key to reduce the computational hard problem to some extent [26]. Still, a 160-bit key is not affordable for resource-constrained devices which generate a huge amount of random data. For this purpose, a new type of cryptosystem called the hyperelliptic curve cryptosystem (HEC) is introduced in [27], [28], which offers a level of security corresponding to RSA, ECC, and BP using an 80-bit key. The small key size with strong security makes it better suited to SG based-IoT devices.
The aforementioned discussion motivates us to contribute a new scheme called certificate-based signcryption with proxy re-encryption (CBSRE), with the intention of removing the limitations of existing SP-RE schemes in terms of security and efficiency. The CBSRE scheme can be lightweight in nature because it uses HEC, which needs smaller key sizes than RSA, ECC, and BP. Furthermore, the proposed scheme removes shortcomings such as certificate management issues, the KEP, and the PPKDP. The salient features of the CBSRE scheme are as follows.
• First, we provide the syntax for the proposed CBSRE scheme.
• Second, we provide a proper algorithm for the proposed CBSRE scheme.
• We also compare our proposed CBSRE scheme with the existing SP-RE schemes on the basis of computational cost and communication overhead. The final results show that our proposed scheme consumes fewer computational and communication resources than the previous schemes.

A. PRELIMINARIES

1) HYPERELLIPTIC CURVE (HEC)
The HEC is a class of algebraic curves, introduced by Koblitz [29]. It can also be viewed as a generalized form of elliptic curves (EC) [30]. Unlike EC, the points of HEC cannot be derived from a group [31]. The HEC computes the additive Abelian group which can be derived from a divisor. Because it offers a smaller parameter size at the same level of security as RSA, bilinear pairing and EC, the HEC is attractive for resource-constrained devices [32]. A curve whose genus value is 1 is usually known as an EC. An HEC with a genus greater than 1 is shown in Figure 2 [33]. Similarly, the group order of the finite field (F ) for the (genus = 1), required 160-bits long operands, that at least needs .
( ) ≈ , where, is the genus of the curve over F which is a set of a finite field of order . Similarly, for the curve with (genus = 2), required 80-bits long operands. Furthermore, for curve with (genus = 3), required 54-bits long operands [34]. Suppose F be a finite field with F to be the algebraic closure of the field F. An HEC of a genus ( > 1) over F is a set of solution ( , )EF x F to the following equation of the curve.
If there are no pairs of ( , )EF x F then such a curve is considered to be non-singular, further, it needs to satisfy the aforementioned curve equation at the same time with the following given partial differential equation.

2) COMPLEXITY ASSUMPTIONS
While conducting the analysis, we made the following assumptions:
• D is a divisor of an HEC, which is a finite sum of points $D = \sum_{p_i \in HEC} m_i p_i$, where $m_i \in F$.

3) ASSUMPTIONS OF HYPERELLIPTIC CURVE DISCRETE LOGARITHM PROBLEM (HECDLP)
We made the following supposition for HECDLP.

B. SYNTAX OF CERTIFICATE-BASED SIGNCRYPTION WITH PROXY RE-ENCRYPTION (CBSRE) SCHEME
Our proposed CBSRE scheme is an extended version of Manzoor et al. [36] and Yang and Jiguo [22] schemes. The syntax includes nine algorithms (i.e. Setup, Certifications, Key Generations, Signcryption, Re-encryption Key Generation, Re-encryption, Unsigncryption, and Decryption) which are discussed below.

1) SETUP
In this phase, the CsA takes the security parameter π as input, generates the common parameter set = (HC, 0 , 1 , 2 , n= 2 80 , Z n , R), and publishes it to the network.

2) KEY GENERATION
A user with an identity ID will produce his private and public key as: it selects the private key α Z n and set P = α , then calculate a partial public key PPβ . It takes π and as an input

3) CERTIFICATIONS
Given , R, ID , and PPβ , C s A randomly pick δ Z n and compute a full public key for the user with ID as: FPβ and certificate C .

4) SIGNCRYPTION
Provide as an input, the sender identity ID s , receiver's ID r , sender private key P s and message ( ), respectively. This algorithm creates the signcrypted cipher text ψ = (C, ϒ, W, Z).

5) RE-ENCRYPTION KEY GENERATION
Provide as an input , the sender certificate C s , sender identity ID s , receiver's ID r , and sender private key P s , respectively. It generates a re-encryption key RK s −→r and sends it with ψ to the (proxy) Cloud Server (CS).

7) UNSIGNCRYPTION
Given an input , sender certificate C s, sender identity ID s , sender private key P s , and ψ = (C, ϒ, W, Z), the sender performs the Unsigncryption process.

8) DECRYPTION
Given an input, receiver's certificate C r , sender identity ID s , receiver identity ID r , sender public key P sI , receiver private key P r , φ = (C / , ϒ / , Z, G), the receiver performs the decryption process.

C. THREAT MODEL
For the security explanation of certificate-based cryptosystems, two types of adversaries need to be considered, i.e. the Type-one adversary (A I ) and the Type-two adversary (A II ) [22], [23], [38]. The A I adversary models an uncertified contestant that doesn't know the certificate of the target contestants or the master secret key, while the A II adversary models an honest-but-curious certificate authority that has complete control of the master secret key and also controls the generation of certificates for the contestants. Moreover, we use the following 6 oracles, which can be accessed by the adversaries in an adaptive manner to simulate the attacking scenarios.

1) θ CREATECONT QUERIES
Upon receiving the identity ID i , the challenger (ξ ) will respond with the public key FPβ i . However, if ID i doesn't exist, then ξ generates a public and private key pair (FPβ i , P i ) for the recipient ID i and outputs FPβ i . In this scenario, a contestant is created with the identity ID i . Further, for simplicity, we presume that the oracles described below respond for an identity only after it has been created.

2) θ CORRUPT QUERIES
Upon receiving an identity ID i , ξ will output a private key P i in response to the identity ID i .

3) θ CERTIFICATE QUERIES
Upon receiving an identity ID i , the challenger will output a certificate cert i in response to the identity ID i . The A II adversary doesn't need to make any sort of queries to this particular oracle, because it uses the master secret key to generate a certificate for the users.

4) θ SIGNCRYPT QUERIES
Upon receiving the message m the ξ runs the signcryption algorithm and produces the respective signcrypted text ψ.

6) θ RE−ENCRYPTION QUERIES
On receiving the original ciphertext (C i ), and two dissimilar identities (ID i , ID j ), ξ will output re-encrypted ciphertext (C i ).

7) θ DECRYPT
Upon receiving an original ciphertext C i or re-encrypted ciphertext C / j , and identity ID i , the challenger will output the decryption of original ciphertext C i .
Definition 1: The CBSRE is considered to be indistinguishable against the adaptive chosen-ciphertext attacks (IND-CCA2 secure) if there is no adversary that can gain a non-negligible advantage in the following IND-CBSRE-CCA2-I and IND-CBSRE-CCA2-II games.
The indistinguishability of CBSRE against an adaptive chosen-ciphertext attack (IND-ACCA2 security) can be explained by two adversarial games, IND-CBSRE-CCA2-I and IND-CBSRE-CCA2-II, in which the challenger interacts with the Type-one adversary (A I ) and the Type-two adversary (A II ).
The IND-CBSRE-CCA2-I is a game played between the adversary A I and the challenger. The Oracle − I means that the A I adversary can adaptively make any sort of queries to oracles (θ createcont , θ corrupt , θ certificate , θ signcrypt , θ re−encrypt−key , θ re−encryption , θ Decrypt ) with the given restrictions i.e. 1) on identity ID chl it never queries the θ certificate oracle. 2) On the (ID chl , C chl ) and its derivatives it never queries the θ Decrypt oracle.
Similarly, the IND-CBSRE-CCA2-II is a game played between the adversary A II and the challenger. The Oracle − II means that the A II adversary can adaptively make any sort of queries to oracles (θ createcont , θ corrupt , θ signcrypt , θ re−encrypt−key , θ re−encryption , θ Decrypt ) with the given restrictions i.e. 1) on identity ID chl it never queries the θ corrupt oracle. 2) On the (ID chl , C chl ) and its derivatives it never queries the θ Decrypt oracle.
Here, in both the games i.e. (IND-CBSRE-CCA2-I and IND-CBSRE-CCA2-II), if / = , then we can say that the game is won by the adversary. Moreover, the winning advantage of the adversary in the game is to be:
The EUF-CBSRE-CMA-I is a game played between the forger f I and ξ .
Proof: Here we show how the algorithm ξ can interact with f I to solve HCCDHP. ξ interacts with f I through the following steps.
Setup: In this phase, ξ chooses an index ∂ uniformly, selects the master secret key, computes the master public key, and computes the common parameter param. It then provides the master public key and param to f I .
Training Phase: In this game, the steps performed for the different query oracles are the same as in the game IND-CBSRE-CCA2-I between f I and ξ .
Forgery: At the end of the above process, f I can make a signcrypted text ψ = (C, ϒ, W, Z). Note that f I wins this game if the result of decryption is valid and the following conditions hold:
1) On identity ID s it never queries the oracle θ certificate .
2) ψ is not produced by the oracle θ signcrypt .
The EUF-CBSRE-CMA-II is a game played between the forger f II and ξ .
Proof: Here we show how the algorithm ξ can interact with f II to solve HCCDHP. ξ interacts with f II through the following steps.
Setup: In this phase, ξ chooses an index ∂ uniformly, selects the master secret key, computes the master public key, and computes the common parameter param. It then provides the master public key, secret key, and param to f II .
Training Phase: In this game, the steps performed for the different query oracles are the same as in the game IND-CBSRE-CCA2-II between f II and ξ .
Forgery: At the end of the above process, f II can make a signcrypted text ψ = (C, ϒ, W, Z). Note that f II wins this game if the result of the decryption is valid and the following conditions hold:
1) On identity ID s it never queries the oracle θ corrupt .
2) ψ is not produced by the oracle θ signcrypt .

D. PAPER ORGANIZATION
The organization of the paper is shown in the following chart.

II. LITERATURE REVIEW
Hayden et al. [40] proposed an identity (ID)-based signcryption (IBS) mechanism which assumes that a unique identification number is available from every device, which the central authority holding a master key can use to produce a unique secret key. The proposed work is helpful because it does not require a separate configuration of each device. However, the scheme requires a secure channel for private key distribution between the key-generating server (KGS) and SG devices. Moreover, both the sender and receiver need a huge amount of computational effort due to Tate pairing with EC. In addition, the scheme can be affected by larger bandwidth requirements.
Chen and Zhang [41] coined the concept of data aggregation with identity-based signcryption to facilitate SG technology. The authors use a pseudonym technology for achieving the identity of the user. Furthermore, the scheme works to reduce the computational cost while maintaining data security during communication. However, the scheme doesn't meet the security requirement of forward secrecy and suffers from the KEP. Additionally, the scheme is based on BP, which can cause the worst efficiency regarding communication bandwidth and computation effort.
Alishahi et al. [42] presented a pairing-free certificateless signcryption scheme based on EC for preserving the privacy and integrity of data between data producers and utility servers. The scheme removes the certificate-related issues and the key escrow problem. However, it is based on EC, which requires a huge amount of communication and computational resources. Furthermore, it can also be affected by the partial private key distribution problem (PPKDP), i.e. it needs a secure channel for partial keys.
Hu et al. [43] proposed an attribute-based signcryption scheme for secure multicast communication systems. The authors claim that the scheme provides the security properties of data confidentiality, collusion resistance, message verification, and unforgeability. Unfortunately, the scheme is constructed upon BP, so the computation cost is too high for SG systems.
Umar and Amin [44] proposed a key establishment scheme with secure and critical message dissemination for multicast communications in SG applications. The authors claim that the proposed work provides the security requirements of confidentiality, authentication, and secure message communication. However, the scheme requires greater computation power due to the use of EC. Furthermore, the authors didn't provide any sort of formal network model, and they didn't prove the security of the proposed scheme. Additionally, the scheme suffers from certificate management issues.
Chen and Ren [45] proposed an aggregate signcryption scheme in which the signcryptions of multiple messages are combined to generate one signcrypted text. In the proposed scheme the users signcrypt their data by adding a masking random number; the building gateway then combines these multiple signcrypted messages and forwards them to the control center (CC). The CC then verifies the signcrypted messages before aggregation. However, the scheme is affected by the need for a secure channel for partial private key distribution among the users and by high computation cost requirements.
Hu et al. [46] proposed a ciphertext-policy attribute-based signcryption scheme for pull- and push-based secure multicast communication in SG. The scheme provides resistance against the collusion attack and can achieve the security requirements of authentication, confidentiality, and unforgeability. However, the scheme is based on BP, which can cause the worst efficiency regarding communication bandwidth and computation effort.
Sedaghat et al. [47], proposed a Ciphertext-policy attribute-based signcryption for data sharing in the SG to reduce computation cost and perform lighter pairing. Moreover, the author outsourced the functionality of signcryption for the end-user, where the storage center transfers the ciphertext to simple cipher (partial designcryption) which requires less computation during designcryption. The proposed scheme provides the security properties of authentication, privacy, and unforgeability. Unfortunately, the proposed scheme is based on BP which is not efficient for the devices with limited resources.
Jin et al. [48], proposed a heterogeneous signcryption (HS) scheme to secure the communication between smart meters (SM) and utility servers. In the proposed approach the SM uses the services of IBC and the utility server uses the services of PKI. The authors claim that the given scheme provides the property of integrity, authentication, confidentiality, non-repudiation, and ciphertext anonymity. However, the proposed scheme suffers from certificates management issues and KEP.
Wan et al. [49] presented a multi-authority attribute-based signcryption scheme to enable SG operators and electricity suppliers to communicate securely with their respective users in a (downlink). The scheme provides the security properties of confidentiality, authentication, and non-repudiation. However, it lacks forward secrecy as a security requirement.
Baoyi et al. [50] proposed a certificateless aggregate signcryption scheme to resolve the privacy leakage problem in advanced metering infrastructure, which protects the user information and diminishes the amount of data transmitted through the data concentrator by aggregation. However, the proposed scheme suffers from the PPKDP.
Huige et al. [51] proposed an ID-based proxy re-signcryption (IDB-PRS) scheme that combines the idea of signcryption with proxy re-encryption. Unfortunately, their scheme is not correct from a mathematical point of view [52]. Furthermore, it also suffers from the KEP, because the private keys for the participating users are generated by the KGC.
Rawat and Shrivastava [53] proposed an IDB-PRS scheme to improve the work of Huige et al. [51]. In the proposed scheme the authors use the secure hashing functions message-digest-5 (MD5), secure hash algorithm 1 (SHA-1), and secure hash algorithm 256 (SHA-256) separately. The final results show that the SHA-1 algorithm gives high performance as compared to the remaining algorithms. However, the proposed scheme suffers from the KEP because the private keys for the participating users are generated by the KGC.
Wang and Ye [54] proposed a new IDB-PRS scheme which uses a semi-trusted party for the conversion between ID decryption and ID verification. Unfortunately, the proposed scheme suffers from the KEP and is based on BP, which can cause the worst efficiency regarding communication bandwidth and computation effort.
Braeken et al. [19] proposed an ID-based signcryption scheme for securing cloud data storage. In the proposed scheme the user can store the signed and encrypted data in the cloud storage server, while the cloud storage service provider can only check the authenticity of the data. When a user requests access to particular data, the data generator first checks the authorization of the requesting user and then provides an encryption key to the CS to re-encrypt the stored data for that particular user. However, the scheme suffers from the KEP and is based on EC, which requires a heavy amount of computation and communication cost.
Manzoor et al. [36] proposed a blockchain-based proxy re-encryption scheme in which a distributed cloud stores the data generated by IoT devices after encryption. In the scheme a system creates a smart contract to share the collected IoT data between the sensor and data users with the interaction of the third party. Moreover, it also uses a proxy re-encryption mechanism that allows visibility to data owners and smart contract holders. Unfortunately, the scheme is based on EC, which requires a heavy amount of computation and communication cost. Further, the authors did not validate the security of the scheme in any formal validation tool.
Ahene et al. [55] proposed a data access control scheme based on certificateless signcryption with proxy re-encryption for SG, in which a data user can securely access customer data with the help of a gateway known as an energy service interface (ESI). The ESI works as a proxy that can re-encrypt data for authorized users based on delegation commands from the data owner. The scheme provides the security properties of authentication, confidentiality, integrity, and non-repudiation. However, the scheme suffers from the PPKDP. Additionally, it also suffers from more computational power consumption and the need for more bandwidth due to EC.
Ahene et al. [56] proposed a data access control scheme based on certificateless signcryption with proxy re-encryption for cloud-based SG. In the scheme, a CS is used to store the encrypted grid-related data, and a data user can securely access customer data with the help of the CS. The cloud works as a proxy which re-encrypts data for authorized data users. The proposed scheme provides the security requirements of confidentiality, integrity, and authentication. However, the proposed scheme suffers from the PPKDP. Additionally, it suffers from more computational and consumption power due to BP.

III. PROPOSED CBSRE SCHEME NETWORK MODEL
Smart grid technology manages a wide range of energy sources, which increases the efficiency and reliability of the energy system and is a sustainable solution for the transmission, generation, distribution, and consumption of electricity. For security and authenticity in smart grid technology, a number of schemes have been proposed in the literature [19], [36], and [40]-[56]. These schemes provide some useful security features but still have some limitations, as mentioned in Table 1. Recently, Ahene et al. [55], [56] proposed access control schemes for smart grid-based IoT. The schemes provide security features like confidentiality, integrity, authentication, and non-repudiation for SG based-IoT. However, these schemes are affected by the PPKDP. Furthermore, they also need more computational and communication power and more bandwidth due to the use of BP and ECC, while the resource-constrained nature of SG based-IoT devices cannot afford these types of heavy computation and communication operations. Covering the above-mentioned limitations while meeting the demands of SG based-IoT devices motivates us to design a lightweight CBSRE scheme for SG based-IoT.
We present the mechanism for the IoT Enabled SG with certificate-based signcryption with proxy re-encryption for both data sharing and secure data access respectively. For this purpose, we consider four entities, namely certifier authority (C s A), controller, cloud service provider, and data user as also shown in Figure 3. The SG based-IoT devices sense data and forward it to the controller. The C s A takes control of the registration process by generating certificates for both the controller and data users based on their identities. The controller ensures the security of gathered data from IoT enabled smart grid devices through signcryption. Further, the controller also ensures the secure transmission of the signcrypted data to the cloud service provider. The cloud service provider is capable of providing high computation and storage facilities. In addition, it also provides services like virtualization, proxy re-encryption, and backup storage merged with many other services that are efficient and beneficial for IoT enabled SG devices. Whenever a data user wants to access some specific data, it simply requests for that particular data to the controller. The controller then issues a special command to the cloud service provider to re-encrypt that particular data for the requested data users. After receiving the signcrypted data, the data user verifies the received signcrypted data and simply performs decryption in order to obtain the desired data.
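The data flow described above (the controller protects the data, the cloud service provider re-encrypts it on the controller's command, the data user decrypts) can be seen in the following added example, which is not the paper's CBSRE construction. It is a hybrid variant of the ElGamal-style proxy re-encryption of [15] over a toy prime-order subgroup of Z_p^* instead of hyperelliptic-curve divisors, with no signing or certificates; the parameters and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumed for illustration, far too small for real use):
# P = 2*Q + 1 is a safe prime and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4


def public_key(sk: int) -> int:
    """Public key G^sk for a private exponent sk in [1, Q-1]."""
    return pow(G, sk, P)


def keygen():
    """Fresh (private, public) key pair."""
    sk = 1 + secrets.randbelow(Q - 1)
    return sk, public_key(sk)


def _kdf(element: int) -> bytes:
    """Derive a 32-byte symmetric key from a group element."""
    return hashlib.sha256(element.to_bytes(2, "big")).digest()


def _stream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode as a simple keystream (illustration only)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + b"enc" + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(pk_owner: int, message: bytes):
    """Controller: encrypt under its own public key pk_owner = G^a.

    The ephemeral element G^k keys the symmetric layer; only
    c2 = pk_owner^k = G^(a*k) is stored, so recovering G^k needs a.
    """
    k = 1 + secrets.randbelow(Q - 1)
    key = _kdf(pow(G, k, P))
    body = bytes(m ^ s for m, s in zip(message, _stream(key, len(message))))
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return pow(pk_owner, k, P), body, tag


def rekey(sk_from: int, sk_to: int) -> int:
    """Re-encryption key rk = b / a mod Q.

    Simplification: this toy needs both private exponents, whereas the
    paper's RK is formed by the sender from its own secrets and the
    receiver's public values.
    """
    return sk_to * pow(sk_from, -1, Q) % Q


def reencrypt(rk: int, ct):
    """Cloud server: map G^(a*k) to G^(b*k); body and tag stay untouched,
    and the server never derives the symmetric key."""
    c2, body, tag = ct
    return pow(c2, rk, P), body, tag


def decrypt(sk: int, ct):
    """Return the message, or None if the ciphertext is not for this key."""
    c2, body, tag = ct
    key = _kdf(pow(c2, pow(sk, -1, Q), P))
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ s for c, s in zip(body, _stream(key, len(body))))


if __name__ == "__main__":
    sk_ctrl, pk_ctrl = keygen()            # controller
    sk_user, _ = keygen()                  # data user
    reading = b"meter=0042;kWh=17.3"       # constructed sample reading
    stored = encrypt(pk_ctrl, reading)     # uploaded to the cloud server
    shared = reencrypt(rekey(sk_ctrl, sk_user), stored)
    print(decrypt(sk_user, shared))
```

The stored ciphertext opens only under the controller's key until the cloud server applies the re-encryption key, after which it opens only under the data user's key.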

A. PROPOSED ALGORITHMS FOR CBSRE
This section contains the construction of the proposed CBSRE scheme algorithm and its sub-phases such as Setup, Certifications, Key Generations, Signcryption, Re-encryption Key Generation, Re-encryption, Unsigncryption, and Decryption, respectively. Further, the basic symbols which are used in the construction of the proposed algorithm are shown in Table 2.
The new CBSRE scheme is actually the extended version of Manzoor et al. [36] and Yang and Jiguo [22] and contains nine steps that can be seen from the following sub-phases also.

1) SETUP
This phase is executed by the Certifiers Authority (C s A), which takes the security parameter π as an input and generates a common parameter set by completing the following.
• Select a genus two hyperelliptic curve (HC) with an 80-bit key and parameter size.

2) KEY GENERATIONS
A user with an identity ID will produce his private and public key as: it selects the private key α Z n and set P = α , then calculate a partial public key PPβ =α .D. It takes as an input π and .

3) CERTIFICATIONS
Given , R, ID , and PPβ , C s A randomly pick δ Z n and compute a full public key for the user with ID as: FPβ = (P I , P II ) = (PPβ , δ .D) and certificate C = δ + 0 (ID , FPβ ).

4) SIGNCRYPTION
Provide as an input , sender identity ID s , receiver's ID r , sender private key P s and message ( ), respectively. This algorithm creates the signcrypted cipher text ψ = (C s , G, Z) through the following computations.
• Select Z n and compute W = .D

5) RE-ENCRYPTION KEY GENERATIONS
Provide as an input , sender certificate C s , sender identity ID s , receiver's ID r , and sender private key P s , respectively. It computes S = 4 (ID s , ID r , P s (P rI + P rII + 0 ID r , FPβ r .R)) and re-encryption key as It is easy to presume that RK s −→r = P s +C s 4 (ID s ,ID r (P r +C r ) .

6) RE-ENCRYPTION
Given an input , ψ = (C, ϒ,W, ) and a re-encryption key RK s −→r , the CS performs the following steps.

7) UNSIGNCRYPTION
Given an input , sender certificate C s , sender identity ID s , sender private key P s , and = (C, ϒ,G, Z), the sender performs the following steps.

8) DECRYPTION
Given an input, receiver's certificate C r , sender identity ID s , receiver identity ID r , sender public key P sI , receiver private key P r , φ = (C / , ϒ / , Z, G), the receiver performs the following steps.

B. CORRECTNESS
The receiver can recover the plaintext as: (η, ID s , m)

IV. SECURITY ANALYSIS
In the threat model, we explained the basic security properties needed for efficient and secure communication between the cloud and smart grid-based IoT devices. Moreover, we prove that the CBSRE scheme is fully secure, i.e. infeasible for malicious attackers to break, while satisfying the basic security properties.
To certify the security of the CBSRE scheme we are checking the following security features of CBSRE against the attacker, i.e. type one A I and type two A II .

A. THEOREM (CONFIDENTIALITY)
Confidentiality means that the plaintext message ( ) should be hidden from the attacker. The CBSRE provides the confidentiality property because it is infeasible for the attacker (A I and A II ) to get access to the original contents of the ciphertext in the following cases. We provide the following two lemmas to prove this property.
Lemma 1: Suppose a probabilistic polynomial-time attacker called type one A I having the advantage ς to break IND-CBSRE-CCA2-I, the security of designed approach with the time τ and carrying out utmost Q i hash queries i (i = 0, 1, 2, 3, 4), Q cc create contestant queries to the oracle θ createcont , Q corp corrupt queries to the oracle θ corrupt , Q cert certificate queries to the oracle θ certificate , Q signc signcryption queries to the oracle θ signcrypt , Q renk re-encryption key queries to the oracle θ re−encrypt−key , Q renc re-encryption queries to the oracle θ re−encryption , and Q decr decryption queries to the oracle θ decryption , then there exists an algorithm ξ which can solve HCCDHP problems for A I with the following advantages: Here we show that how the algorithm ξ can interact with A I to solve HCCDHP from the given instance (D, .D, .D). So, the ξ can interact with A I by utilizing the followed steps.
Setup: In this phase, ξ choose an index ∂ uniformly from (1 ∂ Q cc ), select Z n and compute R = . D as a master public key. Compute = (HC, 0 , 1 , 2 , h 3 , 4 , n= 2 80 ,Z n , R), provide R and to A I .
0 Queries: If A I submit a query with (ID i , FPβ i ) after reception this query ξ search in LH 0 list, and if the tuple (ID i , FPβ i , h 0 ) exists, then ξ handover h 0 to A I . Otherwise, it picks h 0 from Z n , store (ID i , FPβ i , h 0 ) in LH 0 , and returns h 0 to A I .
1 Queries: An event that A I submit a query with (η, ID i , FNi, m) after reception this query ξ search in LH 1 , and if the tuple (η, ID i , FNi, m, h 1 ) exists, then ξ handover h 1 to A I . Otherwise, it picks h 1 Z n , store (η, ID i , FNi, m, h 1 ) in LH 1 , and returns h 1 to A I .
2 Queries: When A I submit a query with (δ), after reception this query ξ search in LH 2 , and if the tuple (δ, h 2 ) exists, then ξ handover h 2 to A I . Otherwise, it picks h 2 Z n , store (δ, h 2 ) in LH 2 , and returns h 2 to A I .
3 Queries: An event that A I submit a query with (W i , ϒ i , C i ), after reception this query ξ search in LH 3 , and if the tuple (W i , ϒ i , C i , h 3 ) exists, then ξ handover h 3 to A I . Otherwise, it picks h 3 Z n , store (W i , ϒ i , C i , h 3 ) in LH 3 , and returns h 3 to A I .
4 Queries: When A I submit a query with (ID i , ID j , S), after reception this query ξ search in LH 4 , and if the tuple (ID i , ID j , S, h 4 ) exists, then ξ handover h 4 to A I . Otherwise, it picks h 4 Z n , store (ID i , ID j , S, h 4 ) in LH 4 , and returns h 4 to A I .
θ createcont Queries: If A I send a query with identity ID i for the tuple (ID i , FPβ i , P i , δ i , C i ), then ξ can do the following steps.
• At the event if ID i is already available In the contestant list CON list , then it returns FPβ i to A I .
• If the above two steps were not happening, it uni- After this process, it inserts a tuple (ID i , FPβ i , , i ) into LH 0 and (ID i , FPβ i , P i , ⊥, C i ) into CON list . It also handover FPβ i to A I . θ corrupt Queries: Upon receiving the query for the corruption of the private key of ID i , ξ can search for a tuple (ID i , FPβ i , P i , C i ) in CON list and send P i to A I . θ certificate Queries: Upon receiving the query for the certificate of ID i , ξ can search for a tuple (ID i , FPβ i , P i , C i ) in CON list and send C i to A I . θ signcrypt Queries: When A I send the query with ID i , if ID i = ID * r or ID i = ID * s , then ξ terminate the game, otherwise, it checks the entry for ID i and ID r in CON list and if such entry is not available previously, then it calls θ createcont Queries. Hence, utilizing the obtained information, ξ produced the signcrypted text ψ.
θ re−encrypt−key Queries: When A I submit two distinct identities (ID i , ID j ), ξ can check the equality ID i = ID ∂ , if this equality holds, then ξ destroyed further processing. Further, if it is not held, then ξ produce the private key P i and certificate C i of the identity ID i . It also produces the public key FPβ j of identity of ID j and send the output of Re Encryption Key Generations ( , ID i , P i , C i , ID j ,FPβ j ) to A I θ re−encryption Queries: When A I submit two distinct identities (ID i , ID j ) and ψ = (C, ϒ, W, Z), ξ can check the equality ϒ ? = Z.D+h 3 .PPβ i , if this equality fails, then ξ destroyed further processing. Otherwise, it performs the following steps: If the aforementioned parameters are not available in LH 1 and LH 3 , then ξ cannot respond for the asked query. Otherwise, ξ sets ϒ / = h 1 .RK i −→j , C / = C, and send a tuple ψ / = (C / , ϒ / , Z) as a re-encrypted text to A I . • Otherwise, it asked for the oracle θ re−encrypt−key with two different identities (ID i , ID j ), for to get re-encryption key RK i −→j , then it produces the final re-encrypted text and handover to A I .
Note that the HCCDHP solver algorithm ξ cannot accept the valid encrypted text, during the simulation of an θ re−encryption oracle, if the probability is less than Q renc /2^π .
θ decryption Queries: When A I submit query (ID i , ψ i ), then ξ performs the following steps.
• If ID i = ID ∂ and ψ / i is the re-encryption text (C / , ϒ / , Z, ), it send a query for θ re−encrypt−key with (ID j , ID i ) to get a re-encryption key RK j −→i and calculate ϒ = ϒ / RK j −→i . ξ combs for the tuple (η, ID j , m, h 1 ) in a list LH 1 such that ϒ = h 1 .D, C / = (η, ID j , m) ⊕ 2 ( †.Q j ), where Q j = P jI +P jII + 0 (ID j , FPβ j ). R, and Z = h 1 − h 3 .P j . If the aforementioned parameters are available in LH 1 , then it sends a tuple (η, ID j , m) as a decryption result to A I .
• If the above two steps have not happened, it recovers the plain text from the encrypted text in a normal method because of the private key P i and certificate C i is already known to it.
Note that the HCCDHP solver algorithm ξ cannot accept the valid encrypted text, during the simulation of an θ decryption oracle, if the probability is less than Q decr /2^π .
Challenge: The attacker A I submits an identity ID chl and two equal length but distinct plaintexts (M x , M y ). The algorithm ξ check if ID chl = ID ∂ , then it aborts further processing. Otherwise, it uniformly picks {0, 1}, Z chl , , include a tuple (ϒ chl , C chl , W chl , * ) to LH 3 , and send ψ chl = (ϒ chl , Z chl , W chl , C chl ) as challenge ciphertext to A I . It is not difficult for the challenger to verify it by utilizing the followed equation ϒ chl ? = Z chl ..D+ * (ν.D). Note that, here the process for recovering of the challenge signcrypted text Hence, A I cannot decide on ψ chl that it is a genuine ciphertext of M , since it produced a query 1 η * , ID ∂ , M or 2 ((α ∂ + δ ∂ + 0 (ID ∂ , FPβ ∂ )) .D).
Guess: In the guessing phase, ξ disregarded the bit / which is guess by A I . So, to calculate . .D, the output of ξ from CON list is α ∂ and δ ∂ with ID ∂ . The algorithm uniformly picks (I, h 2 ) from LH 2 and determine the solution for HCCDHP as φ = 0 (ID ∂ , FPβ ∂ ) −1 (I − α ∂ . . D − δ ∂ . .D). So, it is not hard to assume that φ = . .D if I = α ∂ + δ ∂ + 0 ID ∂ , FPβ ∂ .D.
Analysis: We define the following events, in which the algorithm ξ can get the solution of HCCDHP.
a) EV a : During the execution, the algorithm ξ stops the game.
b) EV b : Error occurred during the execution of θ re−encryption oracle.
c) EV c : Error occurred during the execution of θ decryption oracle.
d) EV d : When A I makes a query to 1 oracle on η * , ID ∂ , M .
e) EV e : When A I makes a query to 2 oracle on
Note that, if EV does not occur during the aforementioned simulation, then A I advantage's for winning is not exceeded from 1/2 . So, we can get P Here, the solution for HCCDHP that if EV e occurred, then the algorithm ξ choose the correct values from LH 2 .
Hence, the obtained advantages of the algorithm ξ for solving HCCDHP as
Lemma 2: Let a probabilistic polynomial-time attacker known to be type two A II having the advantage ς to break IND-CBPSE-CCA2-II, the security of the proposed approach with the time τ and performing utmost Q i hash queries where i (i = 0, 1, 2, 3, 4), Q cc create contestant queries to the oracle θ createcont , Q corp corrupt queries to the oracle θ corrupt , Q cert certificate queries to the oracle θ certificate , Q signc signcryption queries to the oracle θ signcrypt , Q renk re-encryption key queries to the oracle θ re−encrypt−key , Q renc re-encryption queries to the oracle θ re−encryption , and Q decr decryption queries to the oracle θ decryption , then there exists an algorithm ξ which may able to solve HCCDHP problems for A II with the following mentioned advantages:
Proof: Here we show that how the algorithm ξ will interact with A II to solve HCCDHP from the given instance (D, .D, .D). So, ξ can interact with A II by applying the followed steps.
Setup: In this phase, ξ choose an index ∂ uniformly from (1 ∂ Q cc ), Select Z n and compute R = .D as a master public key. Compute = (HC, 0 , 1 , 2 , 3 , 4 , n = 2 80 ,Z n , R) and published it to the network and provide to A II .
The queries which can be used in this game are the same as in theorem 1, except the following. θ createcont Queries: If A II send a query with identity ID i for the tuple (ID i , FPβ i , P i , δ i , C i ), then ξ can do the following steps.
• At the event if ID i is already available In the contestant list CON list , then it returns FPβ i to A II .
• When the ID i is the ∂ dissimilar identity which is asked by A II , then it uniformly picks δ ∂ , h ∂ Z n , sets FPβ ∂ = (δ ∂ .D, .D) and C ∂ = δ ∂ + h ∂ After this process, it inserts a new tuple (ID ∂ , FPβ ∂ , δ ∂ , C ∂ , ⊥) into CON list and (ID ∂ , FPβ ∂ , h ∂ ) into LH 0 . Note that P ∂ = and A II will not know about .
• If the above two steps were not happening, it uniformly selects α i , δ i , h i Z n , set FPβ i = (P iI , P iII ) = (α i .D, δ i .D), set α i = P i , and C i = δ i + h i . After this process, it inserts a tuple (ID i , FPβ i , , h i ) into LH 0 and (ID i , FPβ i , P i , δ i , C i ) into CON list . It also handover FPβ i to A II . θ corrupt Queries: Upon receiving the query for the corruption of the private key of ID i , ξ can check the equality ID i = ID ∂ , if this equality holds, then ξ destroyed further processing. Otherwise, it can search for a tuple (ID i , FPβ i , P i , C i ) in CON list and send P i to A II .
Challenge: The attacker A I submits an identity ID chl and two equal length but distinct plaintexts (M x , M y ). The algorithm ξ check if ID chl = ID ∂ , then it aborts further processing. Otherwise, it uniformly picks {0, 1}, Z chl , , include a tuple (ϒ chl , C chl , W chl , * ) to LH 3 , and send ψ chl = (ϒ chl , Z chl , W chl , C chl ) as challenge ciphertext to A I . It is not difficult for the challenger to verify it by utilizing the followed equation ϒ chl ? = Z chl ..D+ * (ν.D). Note that, here the process for recovering of the challenge signcrypted text Hence, A II cannot decide on ψ chl that it is a genuine ciphertext of M , since it produced a query 1 η * , ID ∂ , FN ∂, M or 2 (( + δ ∂ + 0 (ID ∂ , FPβ ∂ )) .D). Guess: In the guessing phase, ξ disregarded the bit / which is guess by A II . So, to calculate . .D, the output of ξ from CON list is α ∂ and δ ∂ with ID ∂ . The algorithm uniformly picks (I, h 2 ) from LH 2 and determine the solution So, it is not hard to assume that φ = . .D if I = ( + δ ∂ + 0 (ID ∂ , FPβ ∂ )) .D.
Analysis: We define the following events, in which the algorithm ξ can get the solution of HCCDHP.
f) EV a : During the execution, the algorithm ξ stops the game. g) EV b : Error occurred during the execution of θ re−encryption oracle. h) EV c : Error occurred during the execution of θ decryption oracle. i) EV d : When A II makes a query to 1 oracle on η * , ID ∂ , M . j) EV e : When A II makes a query to 2 oracle on We apparently have that P Here, the solution for HCCDHP that if EV e occurred, then the algorithm ξ choose the correct values from LH 2 . Hence, the obtained advantages of the algorithm ξ for solving HCCDHP as Note that, the encryption is done through 2 ( †.Q s ), this further needs the calculation of † from † = 1 (η, ID s , m).
Here, computing both † needs η, which is infeasible for the adversary. So, from the above discussion, it is clear that our proposed scheme provides the following Corollary. Corollary: if the adversary somehow obtains the private key of the sender in the proposed scheme, even still the confidentiality of the messages will be maintained which is called forward secrecy.
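In the proofs of Lemma 1 and Lemma 2 above, ξ answers every hash query from a list LH i , cannot respond when a needed tuple is absent from the list, and inserts a chosen tuple into LH 3 during the challenge phase. The Python example below is an added illustration of that bookkeeping and is not code from the paper; the class and method names and the sample identities are assumptions made for the illustration.

```python
import secrets
from fractions import Fraction

N = 2 ** 80  # the page fixes n = 2^80 for Z_n


class OracleList:
    """One list LH_i kept by the simulator (xi in the proofs)."""

    def __init__(self, name, modulus=N, rng=None):
        self.name = name
        self.modulus = modulus
        self._rng = rng or secrets.SystemRandom()
        self.table = {}  # query tuple -> stored answer h_i

    def query(self, *inputs):
        """Hash query: hand over the stored answer if the tuple exists,
        otherwise pick a fresh value from Z_n, store it and return it."""
        key = tuple(inputs)
        if key not in self.table:
            self.table[key] = self._rng.randrange(self.modulus)
        return self.table[key]

    def lookup(self, *inputs):
        """Read-only search used by the re-encryption and decryption
        oracles: None means the tuple is not in the list, so the
        simulator cannot respond to the asked query."""
        return self.table.get(tuple(inputs))

    def program(self, value, *inputs):
        """Challenge phase: include a chosen tuple in the list. Refuses
        to overwrite a point already answered with another value, which
        would make the oracle inconsistent."""
        key = tuple(inputs)
        value %= self.modulus
        if self.table.get(key, value) != value:
            raise ValueError(f"{self.name}: point already defined")
        self.table[key] = value


def rejection_bound(num_queries, pi):
    """Bound stated in the proofs for wrongly rejecting a valid
    ciphertext: Q / 2^pi, for Q oracle queries."""
    return Fraction(num_queries, 2 ** pi)


def run_demo():
    # Constructed sample inputs; none of these values come from the paper.
    lh1, lh3 = OracleList("LH1"), OracleList("LH3")
    first = lh1.query("eta-01", "meter-17", "reading=42")
    again = lh1.query("eta-01", "meter-17", "reading=42")
    missing = lh1.lookup("eta-02", "meter-17", "reading=42")
    lh3.program(7, "Y_chl", "C_chl", "W_chl")
    return {
        "consistent": first == again,
        "unqueried_found": missing is not None,
        "programmed": lh3.query("Y_chl", "C_chl", "W_chl"),
        "bound": rejection_bound(2 ** 20, 80),
    }


if __name__ == "__main__":
    print(run_demo())
```

The `lookup` method deliberately never samples: a ciphertext whose hash inputs were never queried is the case the proofs account for with the Q renc and Q decr rejection terms.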

B. THEOREM UNFORGEABILITY
Unforgeability means that it is infeasible for the forger (f I and f II ) to forge the original signature. We provide the following two lemmas, i.e., Lemma-III and Lemma-IV, to prove this property.
Lemma 3: Let a probabilistic polynomial-time attacker known as type one f I having the advantage ς to break the EUF-CBSRE-CMA-I, the security of the proposed technique with the time τ and performing utmost Q i hash queries i (i = 0, 1, 2, 3, 4), Q cc create contestant queries to the oracle θ createcont , Q corp corrupt queries to the oracle θ corrupt , Q cert certificate queries to the oracle θ certificate , Q signc signcryption queries to the oracle θ signcrypt , Q renk reencryption key queries to the oracle θ re−encrypt−key , Q renc re-encryption queries to the oracle θ re−encryption , and Q decr decryption queries to the oracle θ decryption , then there exists an algorithm ξ which can solve the HCCDHP problems for f I with the mentioned advantages below: Proof: Here we are going to show that, how the algorithm ξ can interact with f I to solve HCCDHP from the given instance (D, .D, .D). So, the ξ can interact with f I by utilizing the followed steps.
Training Phase: In this game, the steps performed for the different query oracles are the same as in theorem 1 of game IND-CBSRE-CCA2-I between f I and ξ .
Forgery: At the end of the above process, f I can make a signcrypted text ψ = (C, ϒ, W, Z). Here, note that when f I have the capacity to produce a valid signcrypted, then we can conclude that, ξ will also have the capacity of solving HCCDHP problems. Hence, by utilizing a forking lemma [], ξ will produce another signcrypted text ψ f = (C, ϒ f , W f , Z f ). So, it leads us to the followed calculations.
is the solution for HCCDHP.
Analysis: We define the following events, in which the algorithm ξ can get the solution of HCCDHP.
a) EV a : During the execution, the algorithm ξ stops the game.
b) EV b : Error occurred during the execution of θ re−encryption oracle.
c) EV c : Error occurred during the execution of θ decryption oracle.
d) EV d : When f I makes a query to 1 oracle on η * , ID ∂ , M .
e) EV e : When f I makes a query to 2 oracle on
Here, the solution for HCCDHP that if EV b , EV c , EV d , and EV e occurred, without errors. Hence, the obtained advantages of the algorithm ξ for solving HCCDHP as
Lemma 4: Suppose a probabilistic polynomial-time attacker called type one f II having the advantage ς to break EUF-CBSRE-CMA-I, the security of the proposed method with the time τ and carrying out utmost Q hi hash queries i (i = 0, 1, 2, 3, 4), Q cc create contestant queries to the oracle θ createcont , Q corp corrupt queries to the oracle θ corrupt , Q cert certificate queries to the oracle θ certificate , Q signc signcryption queries to the oracle θ signcrypt , Q renk re-encryption key queries to the oracle θ re−encrypt−key , Q renc re-encryption queries to the oracle θ re−encryption , and Q decr decryption queries to the oracle θ decryption , then there exists an algorithm ξ which can solve the HCCDHP problems for f II with the given advantages:
Proof: Here we are showing how the algorithm ξ can interact with f II to solve HCCDHP from the given instance (D, .D, .D). So, the ξ can interact with f II by utilizing the followed steps.
Setup: In this phase, ξ choose an index ∂ uniformly from (1 ∂ Q cc Select Z n and compute R = .D as a master public key. Compute and published it to the network and provide to f II .
Training Phase: In this game, the steps performed for the different query oracles are the same as in theorem 2 of game IND-CBSRE-CCA2-II between f II and ξ .
Forgery: At the end of the above process, f II can make a signcrypted text Here, note that when f II have the capacity to produce a valid signcrypted, then we can conclude that, ξ will also have the capacity of solving HCCDHP problems. Hence, by utilizing a forking lemma [], ξ will produce another signcrypted text ψ ff = (C, ϒ ff , W ff , Z ff ). So, it leads us to the followed calculations.
is the solution for HCCDHP.
Analysis: We define the following events, in which the algorithm ξ can get the solution of HCCDHP.
a) EV a : During the execution, the algorithm ξ stops the game.
b) EV b : Error occurred during the execution of θ re−encryption oracle.
c) EV c : Error occurred during the execution of θ decryption oracle.
d) EV d : When f II makes a query to h 1 oracle on η * , ID ∂ , M .
e) EV e : When f II makes a query to 2 oracle on
Here, the solution for HCCDHP that if EV b , EV c , EV d , and EV e occurred, without errors. Hence, the obtained advantages of the algorithm ξ for solving HCCDHP as

A. COMPUTATIONAL COST
It is very important to find out the computational cost for the sender and receiver in terms of the major operations used. Normally, the computational cost includes expensive mathematical operations such as elliptic curve point multiplication ( ), pairing operations ( ), pairing-based point multiplication ( ), and hyperelliptic curve divisor multiplication (h d ) while designing a cryptographic algorithm. So, we compare our CBSRE scheme with Ahene et al. [56], Ahene et al. [55], Manzoor et al. [36], and Braeken et al. [19] based on the aforementioned major operations, which is shown in the following Table 3. Here we neglect the operations which require minimal time, such as division, subtraction, encryption, decryption, addition, and hashing. Further, in the following Table 5, we also provide a comparison in milliseconds (ms) by utilizing these aforementioned major operations, observing the experiments performed in [31], [35], and [57]-[60] with the given system specifications.
• The hardware consisted of an Intel Core i7-4510U CPU
• 2.0 GHz processor with 8 GB of memory
• Operating system used: Windows 7 Home Basic 64-bit
• Multi-precision Integer and Rational Arithmetic C Library (MIRACL) used for runtime basic operations.
According to [31], [35], and [58]-[60], a single pairing-based point multiplication ( ) will consume 4.31 milliseconds, pairing operations ( ) will consume 14.90 milliseconds, a single scalar point multiplication will take 0.97 ms and a hyperelliptic curve divisor multiplication (h d ) will consume 0.48 ms, as shown in Table 4. Thus, from Table 5, it is clear that the proposed CBSRE scheme requires minimal computational power as compared to the existing schemes. Furthermore, in Figure 4, a clear computational cost reduction is shown.

Computation Cost Reduction of CBSRE From the Existing Scheme
The computational cost reduction can be calculated by using the following formula [58].

$$\frac{\text{Cost of existing scheme} - \text{Cost of CBSRE}}{\text{Cost of existing scheme}} \times 100$$

The computational cost reduction of the proposed CBSRE scheme from the existing schemes is as follows.

Communication Cost Reduction of CBSRE From the Existing Schemes:
The computational cost reduction of the proposed CBSRE scheme from the existing schemes is as follows.

VI. CONCLUSION
In this paper, we contribute a lightweight and formally secured certificate-based signcryption with proxy re-encryption (CBSRE) for internet of things (IoT) enabled smart grid (SG) systems. The proposed scheme provides the security requirements of confidentiality (IND-CBSRE-CCA2-I and IND-CBSRE-CCA2-II), unforgeability (EUF-CBSRE-CMA-I and EUF-CBSRE-CMA-II) and forward secrecy. The comparison regarding computation and communication cost shows that the total computation cost of the proposed CBSRE scheme is 4.8 milliseconds, which reduces the computation cost by 72.50% relative to [56], 95.91% relative to [55], 45.01% relative to [36] and 58.76% relative to [19], while the total communication cost of the proposed CBSRE scheme is 872 bits, which reduces the communication cost by 88.16% relative to [56], 33.93% relative to [55], 39.10% relative to [36] and 58.23% relative to [19], respectively. Thus, we can say that our scheme will be the best choice for the resource-hungry devices of the smart grid.