Efficient Anonymous Certificate-Based Multi-Message and Multi-Receiver Signcryption Scheme for Healthcare Internet of Things

Healthcare Internet of Things (IoT) is an emerging paradigm that can provide comprehensive and diverse health services and enable various types of medical sensors to monitor a patient's health condition. In the healthcare IoT, a patient is equipped with a variety of medical sensors that continuously monitor and collect the patient's sensitive health data, which needs special protection to prevent privacy leakage. To safely send multiple different health data monitored by multiple different medical sensors to multiple corresponding healthcare professionals in one data report, several multi-message and multi-receiver signcryption schemes have been introduced based on traditional public key cryptography, identity-based cryptography or certificateless cryptography. However, these schemes suffer from the certificate management, key escrow or key distribution problem. Besides, because medical sensors are resource-constrained, these schemes are unsuitable for the healthcare IoT in terms of both performance and privacy requirements. To solve these issues, this paper introduces an efficient anonymous certificate-based multi-message and multi-receiver signcryption scheme for the healthcare IoT, in which certificate-based cryptography and elliptic curve cryptography are combined to simplify certificate management, eliminate the key escrow problem, solve the key distribution problem and ensure privacy preservation. Furthermore, the security analysis shows that the proposed scheme achieves confidentiality, unforgeability, receiver anonymity, sender anonymity and decryption fairness, and the performance evaluation indicates that the proposed scheme has lower computation and communication costs than the existing schemes.


I. INTRODUCTION
Healthcare IoT [1] has been introduced as a promising paradigm to provide comprehensive and diverse health services and greatly improve the quality of health care. A typical healthcare IoT architecture [2], [3] is illustrated in Figure 1; it consists of medical sensors, the patient, healthcare professionals, a gateway and a cloud server. In a healthcare IoT system, a variety of medical sensors are deployed on the patient to monitor health data such as temperature, heart rate, brain waves, blood pressure, etc. [4]. To share the health data monitored by the IoT medical sensors with the corresponding healthcare professionals, these data need to be uploaded to the cloud server via the gateway. After that, the healthcare professionals can access the cloud to analyze the health data and provide necessary assistance to the patient; for example, they will immediately contact the patient to give advice and arrange medical examinations when certain medical indicators are abnormal. It is worth noting that medical sensors normally have very limited communication and computational capabilities, so operations in the healthcare IoT should be lightweight [5]. Furthermore, there are risks of information leakage during health data transmission [6], such as an adversary eavesdropping on the wireless communication, so it is advisable to protect the health data in transit.
In order to securely and efficiently send monitored health data to multiple corresponding healthcare professionals in the healthcare IoT system, multicast communication [7], an essential one-to-many communication architecture, has received considerable attention recently. It is worth noting that data reports are transmitted over open wireless networks, so they are vulnerable to various attacks [8]. To achieve secure multicast communication, several multi-receiver encryption (ME) schemes [9]-[28] and multi-receiver signcryption (MSC) schemes [29]-[42] have been introduced. However, the existing schemes [9]-[42] cannot send multiple different health data monitored by multiple different medical sensors to multiple corresponding healthcare professionals in one data report. To address this issue, several multi-message and multi-receiver signcryption (MMSC) schemes [43]-[49] have been introduced using public key infrastructure (PKI)-based cryptography [50], identity (ID)-based cryptography [51] or certificateless (CL)-based cryptography [52]. However, the traditional PKI-based MMSC schemes [43], [44] suffer from a heavy certificate management burden, the ID-based MMSC scheme [45] has the key escrow issue, the ID-based and CL-based heterogeneous MMSC schemes [46], [47] have both the key escrow and the key distribution problem, and the CL-based MMSC schemes [48], [49] have the key distribution problem. Furthermore, the schemes [43]-[49] either perform poorly or fail to satisfy the security requirements.
To solve the aforementioned problems, this paper proposes an efficient anonymous certificate-based MMSC scheme for the healthcare IoT based on certificate-based (CB) cryptography [53] and elliptic curve cryptography (ECC) [54], [55]. The main contributions of this paper are summarized as follows:
• Firstly, based on certificate-based cryptography and ECC, an efficient anonymous certificate-based MMSC scheme is proposed, which avoids the certificate management, key escrow and key distribution problems.
• Secondly, a comprehensive security analysis shows that the proposed certificate-based MMSC scheme satisfies confidentiality, unforgeability, receiver anonymity, sender anonymity and decryption fairness.
• Finally, the performance evaluation results show that the proposed certificate-based MMSC scheme has lower communication and computation costs than the existing MMSC schemes.
This paper is organized as follows. Section 2 surveys the related work. Section 3 introduces the background. Section 4 presents the concrete scheme. The security proof and analysis are given in Section 5. Section 6 presents the performance evaluation. The paper is summarized in Section 7.
II. RELATED WORK
Among the PKI-based MMSC schemes, Seo and Kim [43] presented the first MMSC scheme based on PKI-based cryptography, in which only predetermined users within the domain could obtain their own corresponding messages. Also based on PKI-based cryptography, Han and Gui [44] introduced an MMSC framework to achieve secure multicast communication, but it is inefficient because it uses bilinear pairing. Moreover, PKI-based MMSC schemes require large amounts of storage and computing resources to manage the users' certificates, which leads to a heavy certificate management burden.
In order to overcome the certificate management problem of the PKI-based MMSC schemes, Qiu et al. [45] presented a secure ID-based MMSC scheme for key update based on ID-based cryptography, which performs poorly because it employs bilinear pairing. In the ID-based MMSC scheme, a user uses its identity as the public key and obtains the private key from a private key generator (PKG). Therefore, the ID-based MMSC scheme avoids the certificate management problem of the traditional PKI-based MMSC schemes. However, the ID-based MMSC scheme [45] has the key escrow issue, namely, the PKG is able to learn the private key of every user.
In order to solve the key escrow issue of the receiver in the ID-based MMSC scheme, Niu et al. [46] presented a heterogeneous hybrid MMSC scheme based on ID-based cryptography and CL-based cryptography, which allows a sender in ID-based cryptography to send multiple different messages to multiple different receivers in CL-based cryptography and achieves confidentiality, unforgeability and conditional identity privacy preservation. In the heterogeneous hybrid MMSC scheme, the private key of a receiver is produced by combining the partial private key from the key generation center (KGC) and a secret value chosen by the receiver itself. Therefore, the KGC is unable to learn the receiver's private key. Qiu et al. [47] introduced an efficient secure heterogeneous MMSC scheme for the distributed mobile IoT based on ID-based cryptography, CL-based cryptography and ECC. However, the heterogeneous hybrid MMSC schemes [46], [47] still have the key escrow issue of the sender in ID-based cryptography and the key distribution issue of the receiver in CL-based cryptography.
In order to resolve the key escrow issue of the ID-based MMSC scheme and the heterogeneous hybrid MMSC schemes, Pang et al. [48] introduced an efficient anonymous CL-based MMSC scheme based on CL-based cryptography. In the CL-based MMSC scheme, the private key of each user (receiver and sender) is generated by combining the partial private key from the KGC and a secret value chosen by the user itself. Therefore, the KGC is unable to learn the user's private key. Peng et al. [49] showed that Pang et al.'s scheme [48] fails to achieve confidentiality and unforgeability, since an attacker can forge a user's legal private key and public key, and introduced a CL-based MMSC scheme for secure multicast communication using CL-based cryptography and ECC. However, the CL-based MMSC schemes [48], [49] have the key distribution problem, that is, a secure channel is required during the generation of a user's private key.

III. BACKGROUND

A. SYSTEM MODEL
The system model of the proposed certificate-based MMSC scheme is shown in Figure 2, which consists of three entities: the key generation center (KGC), the patient U s , and the healthcare professionals {U r 1 , U r 2 , · · ·, U r n }. For readability, the definitions of the symbols are given in Table 1.
KGC: It is an honest-but-curious entity responsible for generating the system parameters and registering the patient and the healthcare professionals.
U s : It is the sender and is deployed with various smart sensors monitoring the patient's physical condition. It signcrypts the health data {m r 1 , m r 2 , · · ·, m r n } to obtain the data report C s , and sends it to the corresponding healthcare professionals.
U r i : It is a receiver and may obtain the monitored health data m r i from the patient's data report C s . Besides, different healthcare professionals are able to obtain different health data from the same data report.

B. DEFINITION OF ANONYMOUS CERTIFICATE-BASED MMSC
The definition of anonymous certificate-based MMSC comprises the following four algorithms.
• Setup{λ} → {s, params}: This algorithm is run by the KGC. It takes a security parameter λ as input and outputs the master key s and system parameters params. KGC keeps s secretly and publishes params.
This algorithm is run by the user (sender and receiver) and KGC. It takes user's real identity id i , master key s and system parameters params as input and outputs the pseudo identity ID i , private key x i , public key {X i , R i } and certificate cert i .
This algorithm is run by the sender. It takes the messages {m r 1 , m r 2 , · · ·, m r n }, receivers' pseudo identity {I D r 1 , I D r 2 , · · ·, I D r n }, receivers' public key {{X r 1 , R r 1 }, {X r 2 , R r 2 }, · · ·, {X r n , R r n }}, sender's pseudo identity ID s , sender's private key x s , sender's public key {X s , R s }, sender's certificate cert s and system parameters params as input and outputs the ciphertext C s .
This algorithm is run by the receiver. It takes the ciphertext C s , the receiver's pseudo identity ID r i , the receiver's private key x r i , the receiver's public key {X r i , R r i }, the receiver's certificate cert r i , the sender's pseudo identity ID s , the sender's public key {X s , R s } and the system parameters params as input and outputs the message m r i .

C. SECURITY REQUIREMENTS

1) CONFIDENTIALITY
Only authorized healthcare professionals are able to obtain the monitored health data from the patient's data report.

2) UNFORGEABILITY
No attacker can forge a legal data report of the patient; moreover, any modification of a data report can be detected.

3) RECEIVER ANONYMITY
For any data report, an authorized healthcare professional is able to tell whether he/she is a legal receiver of the data report, but cannot tell whether other users are legitimate receivers of the data report.

4) SENDER ANONYMITY
No attacker should be able to recover the patient's real identity by analysing the received data report.

5) DECRYPTION FAIRNESS
All authorized healthcare professionals have the same ability to unsigncrypt the patient's data report and obtain their health data.

D. SECURITY ASSUMPTION
The elliptic curve E over the finite field F p is formed by the set of points (x, y) satisfying $y^2 = x^3 + ax + b \pmod p$, where p is a prime number, a, b ∈ F p and $4a^3 + 27b^2 \neq 0 \pmod p$ (the non-singularity condition) [54], [55]. All points on E together with the point at infinity O form an additive cyclic group G with generator P and prime order q. Scalar multiplication over G is defined as $kP = P + P + \cdots + P$ (k times), where k ∈ Z * q and P ∈ G. The security of the proposed certificate-based MMSC scheme depends on the hardness of the DDH problem and the ECDL problem, which are summarized as follows.

1) DECISIONAL DIFFIE-HELLMAN (DDH) ASSUMPTION [56]
Let G be an additive group with prime order q. For any probabilistic polynomial time (PPT) adversary, given P, aP, bP, Z ∈ G, where a, b ∈ Z * q , it is hard to decide whether Z = abP holds.

2) ELLIPTIC CURVE DISCRETE LOGARITHM (ECDL) ASSUMPTION [57], [58]
Let G be an additive group with prime order q. For any PPT adversary, given P, xP ∈ G, where x ∈ Z * q , it is hard to compute x.

E. SECURITY MODEL
The security of a certificate-based MMSC scheme should satisfy confidentiality, unforgeability and receiver anonymity.
Following certificate-based cryptography [59], a Type I adversary A I and a Type II adversary A II are considered in the security model. A I serves as a malicious user and models an outside adversary, while A II acts as a malicious-but-passive KGC and models an inside adversary.
• A I : It may not access the master key, but may replace the public key of user.
• A II : It may access the master key, but may not replace the public key of user.
The security model of the proposed certificate-based MMSC scheme is defined by the interaction between the challenger C and the adversary A I (A II ). The following queries can be issued by A I and A II .
• Signcryption query: Receiving the signcryption query on the messages {m r 1 , m r 2 , · · ·, m r n } under the sender ID s and the receivers {ID r 1 , ID r 2 , · · ·, ID r n }, C returns the ciphertext C s .

Game 1 (IND-CCA-I):
It is the interactive game between C and A I .
Initialization: A I selects the challenging identities ID * r = {ID * r 1 , ID * r 2 , · · ·, ID * r n } as the receivers, and sends them to C.
Setup: C produces the system parameters, and outputs them to A I .
Phase 1: A I adaptively issues polynomially bounded numbers of hash, create user, private key, certificate, public key replacement, signcryption and unsigncryption queries.
Challenge: A I selects two messages m * 0 = {m * 0,r 1 , m * 0,r 2 , · · ·, m * 0,r n } and m * 1 = {m * 1,r 1 , m * 1,r 2 , · · ·, m * 1,r n } of equal length and the sender ID * s , and then sends them to C. C randomly selects β ∈ {0, 1} and generates the ciphertext C * s on m * β = {m * β,r 1 , m * β,r 2 , · · ·, m * β,r n } under ID * s and ID * r . Finally, C sends C * s to A I .
Phase 2: A I adaptively issues the queries of Phase 1, except that it cannot issue the certificate query on ID * r i (i = 1, 2, · · ·, n), the signcryption query on m * β under ID * s and ID * r , or the unsigncryption query on C * s under ID * s and ID * r .
A I 's advantage is defined as

Game 2 (IND-CCA-II):
It is the interactive game between C and A II .
Initialization: A II selects the challenging identities ID * r = {ID * r 1 , ID * r 2 , · · ·, ID * r n } as the receivers, and sends them to C.
Setup: C produces the master key and the system parameters, and outputs them to A II .
Phase 1: A II adaptively issues polynomially bounded numbers of hash, create user, private key, signcryption and unsigncryption queries.

Phase 2:
A II adaptively issues the queries of Phase 1, except that it cannot issue the private key query on ID * r i (i = 1, 2, · · ·, n), the signcryption query on m * β under ID * s and ID * r , or the unsigncryption query on C * s under ID * s and ID * r .
Guess: A II outputs β′ ∈ {0, 1} as its guess and wins the game if β′ = β.
A II 's advantage is defined as

Game 3 (EUF-CMA-I):
It is the interactive game between C and A I .
Initialization: A I selects the challenging identity ID * s as the sender, and sends it to C.
Setup: C produces the system parameters, and outputs them to A I .
Query: A I adaptively issues polynomially bounded numbers of hash, create user, private key, certificate, public key replacement, signcryption and unsigncryption queries.
• A I has never issued the certificate query on ID * s .
• A I has never issued the signcryption query on {m * r 1 , m * r 2 , · · ·, m * r n } under ID * s and ID * r .
A I 's advantage is defined as

Game 4 (EUF-CMA-II):
It is the interactive game between C and A II .
Initialization: A II selects the challenging identity ID * s as the sender, and sends it to C.
Setup: C produces the master key and system parameters, and outputs them to A II .
Query: A II adaptively issues polynomially bounded numbers of hash, create user, private key, signcryption and unsigncryption queries.
• A II has never issued the private key query on ID * s .
• A II has never issued the signcryption query on

Definition 3 (Receiver anonymity): A certificate-based MMSC scheme is ANON-IND-CCA (anonymous indistinguishability under the chosen ciphertext attack) secure if any PPT adversary has at most a negligible advantage in Game 5 and Game 6.

Game 5 (ANON-IND-CCA-I):
It is the interactive game between C and A I .
Initialization: A I selects the challenging identities {ID * r 0 , ID * r 1 } as the receivers, and sends them to C.
Setup: C produces the system parameters, and outputs them to A I .
Phase 1: A I adaptively issues polynomially bounded numbers of hash, create user, private key, certificate, public key replacement, signcryption and unsigncryption queries.
A I 's advantage is defined as

Game 6 (ANON-IND-CCA-II):
It is the interactive game between C and A II .
Initialization: A II selects the challenging identities {ID * r 0 , ID * r 1 } as the receivers, and sends them to C.
Setup: C produces the master key and the system parameters, and outputs them to A II .
Phase 1: A II adaptively issues polynomially bounded numbers of hash, create user, private key, signcryption and unsigncryption queries.
A II 's advantage is defined as

IV. THE PROPOSED SCHEME
In this section, we propose an efficient anonymous certificate-based MMSC scheme for the healthcare IoT. Specifically, it consists of the setup, certificate and key generation, signcryption and unsigncryption phases.

A. SETUP
The KGC generates the system parameters by performing the following steps.
(1) KGC selects a non-singular elliptic curve E over F p , where p is a prime number.
(2) KGC chooses a group G with generator P and prime order q.
(3) KGC randomly selects the master key s ∈ Z * q and calculates the system public key $P_{pub} = s \cdot P$.

B. CERTIFICATE AND KEY GENERATION
The user U i with real identity id i registers with the KGC to obtain the pseudo identity ID i , the public key {X i , R i }, the private key x i and the certificate cert i by performing the following steps.
(1) U i randomly selects ξ i and the private key x i ∈ Z * q , calculates the pseudo identity ID i and the partial public key X i , and then sends ID i and X i to the KGC.
(2) Receiving ID i and X i , the KGC randomly selects r i ∈ Z * q , calculates R i and the certificate cert i , and then sends the public key {X i , R i } and the certificate cert i to U i via a public channel.
(3) U i can verify the certificate cert i by the following equation.

C. SIGNCRYPTION
Given the health data {m r 1 , m r 2 , · · ·, m r n }, the healthcare professionals' identities {ID r 1 , ID r 2 , · · ·, ID r n } and public keys < {X r 1 , R r 1 }, {X r 2 , R r 2 }, · · ·, {X r n , R r n } >, the patient U s generates the data report C s by performing the following steps.
(1) U s randomly selects l s ∈ Z * q and calculates $L_s = l_s \cdot P$.
(2) U s calculates and then calculates
(4) U s sends the data report C s = {L s , G s , σ s } to the corresponding healthcare professionals.

D. UNSIGNCRYPTION
Receiving the data report C s = {L s , G s , σ s }, U r i unsigncrypts C s to obtain the health data m r i by performing the following steps.
(1) U r i calculates
(2) U r i checks whether the following equation holds. If it holds, U r i calculates $f(e_{r_i}) = g_{n-1} e_{r_i}^{\,n-1} + \cdots + g_1 e_{r_i} + g_0 = m_{r_i}$.
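The recovery rule above, $f(e_{r_i}) = m_{r_i}$, is how one data report carries a different message for each receiver: the sender packs the n pairs (e_{r_i}, m_{r_i}) into a single polynomial whose coefficients G_s = {g_0, …, g_{n−1}} are public, and each receiver evaluates it at its own e_{r_i}. The following is an added example (not code from the paper); it assumes G_s is built by Lagrange interpolation over Z_q, models each e_{r_i} as an integer the receiver has already derived (standing in for H_2(E_{r_i})), and uses a constructed prime Q in place of the group order q.

```python
# Added example: multi-message packing with one polynomial over Z_q, matching the
# paper's recovery rule f(e_ri) = g_{n-1} e_ri^{n-1} + ... + g_1 e_ri + g_0 = m_ri.
# Assumptions (not from the paper): G_s is built by Lagrange interpolation; e_ri is an
# integer the receiver already holds (stand-in for H_2(E_ri)); Q is a constructed prime.

Q = 2**127 - 1  # constructed prime modulus standing in for the group order q


def build_coefficients(points, q=Q):
    """Sender side: return G_s = [g_0, ..., g_{n-1}] with f(e_i) = m_i (mod q).

    The polynomial has degree at most n-1, so the n values e_i must be pairwise
    distinct; a collision would force two receivers to get the same message, so
    it is rejected rather than silently producing a wrong report.
    """
    es = [e % q for e, _ in points]
    if len(set(es)) != len(es):
        raise ValueError("receiver values e_ri must be pairwise distinct")
    n = len(points)
    coeffs = [0] * n
    for i, (e_i, m_i) in enumerate(points):
        # Lagrange basis l_i(x) = prod_{j != i} (x - e_j) / (e_i - e_j), low degree first
        basis = [1]
        denom = 1
        for j, (e_j, _) in enumerate(points):
            if j == i:
                continue
            nxt = [0] * (len(basis) + 1)
            for k, b in enumerate(basis):  # multiply basis by (x - e_j)
                nxt[k] = (nxt[k] - e_j * b) % q
                nxt[k + 1] = (nxt[k + 1] + b) % q
            basis = nxt
            denom = denom * (e_i - e_j) % q
        scale = m_i * pow(denom, -1, q) % q  # m_i / prod_{j != i}(e_i - e_j)
        for k, b in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * b) % q
    return coeffs


def recover(coeffs, e, q=Q):
    """Receiver side: Horner evaluation of f(e) = g_{n-1} e^{n-1} + ... + g_0 mod q.

    Every receiver performs the same n-1 multiplications on the same public G_s,
    which is the decryption-fairness property: no receiver has a cheaper path.
    """
    acc = 0
    for g in reversed(coeffs):
        acc = (acc * e + g) % q
    return acc


def demo():
    """Constructed sample: three healthcare professionals, three distinct readings."""
    # Constructed per-receiver values (stand-ins for e_ri) and readings encoded as
    # integers; each reading must be < q, which short byte strings satisfy.
    readings = {
        0x1A2B3C: int.from_bytes(b"temp=37.5", "big"),
        0x4D5E6F: int.from_bytes(b"hr=72", "big"),
        0x708192: int.from_bytes(b"bp=120/80", "big"),
    }
    g_s = build_coefficients(list(readings.items()))
    # Each receiver evaluates the same G_s at its own e_ri and gets only its reading.
    return all(recover(g_s, e) == m for e, m in readings.items())


if __name__ == "__main__":
    print("every receiver recovers its own reading:", demo())
```

Note that a party holding G_s but not one of the e_{r_i} values can only evaluate f at a point of its own choosing, which yields a value unrelated to any receiver's message; the confidentiality of the report therefore rests on the secrecy of E_{r_i}, not of G_s.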

V. SECURITY
Security proof and analysis of the existing MMSC schemes [43]-[49] and the proposed certificate-based MMSC scheme are conducted in this section.

A. SECURITY PROOF
Lemma 1: The proposed certificate-based MMSC scheme is IND-CCA-I secure in ROM under the DDH assumption.
Proof: Assuming that A I wins Game 1 with probability ε in time t, we can build an algorithm B that breaks the DDH assumption with probability ε′ in time t′. Given an instance (P, aP, bP, Z) of the DDH assumption, B's goal is to decide whether Z = abP holds.
Initialization: A I selects the challenging identities ID * r = {ID * r 1 , ID * r 2 , · · ·, ID * r n } as the receivers, and sends them to B.
Setup: B sets P pub = aP, and returns params to A I . In order to maintain quick response and consistency, B keeps the following lists:
Phase 1: A I adaptively issues the following polynomially bounded numbers of queries.
H 0 query: A I issues a query on (id i , ξ i ); B checks the list L H 0 and performs as follows:
• If L H 0 does not contain (id i , ξ i , τ i ), B randomly selects τ i ∈ Z * q , adds (id i , ξ i , τ i ) into L H 0 and returns τ i to A I .
H 1 query: A I issues a query on (ID i , X i , R i , P pub ); B checks the list L H 1 and performs as follows: Otherwise, B performs as follows: If c i already appears in L H 1 , B randomly selects another cert i ∈ Z * q and tries again. Then, B adds the new entry into L H 1 .
Private key query: A I issues a query on ID i ; B checks the list L U i and performs as follows: B performs the create user query on ID i and returns x i to A I .
Certificate query: A I issues a certificate query on ID i ; B performs as follows:
• If ID i ∈ ID * r , B aborts the game.
• If ID i ∉ ID * r , B checks the list L U i and performs as follows: B performs the create user query on ID i and returns cert i to A I .
Public key replacement query: A I issues a query on ID i with {X i , R i }; B checks the list L U i and performs as follows: B performs the create user query on ID i , and sets

Signcryption query:
A I issues a query on the messages {m r 1 , m r 2 , · · ·, m r n } under the sender ID s and the receivers {ID r 1 , ID r 2 , · · ·, ID r n }. B performs as follows:
• If ID s ∈ ID * r , B aborts the game.
• If ID s ∉ ID * r , B performs the private key query on ID s to obtain x s , the certificate query on ID s to obtain cert s , and the create user query on ID r i to obtain {X r i , R r i } (i = 1, 2, · · ·, n). Finally, B generates the ciphertext C s = {L s , G s , σ s } according to the proposed certificate-based MMSC scheme, and returns C s to A I .
Unsigncryption query: A I issues an unsigncryption query on C s = {L s , G s , σ s } under ID s and ID r i . B performs as follows:
• If ID r i ∈ ID * r , B aborts the game.
• If ID r i ∉ ID * r , B performs the private key query on ID r i to obtain x r i and the certificate query on ID r i to obtain cert r i . Then, B unsigncrypts C s according to the proposed certificate-based MMSC scheme, and returns the message m r i to A I .
Challenge: A I randomly selects two messages m * 0 = {m * 0,r 1 , m * 0,r 2 , · · ·, m * 0,r n } and m * 1 = {m * 1,r 1 , m * 1,r 2 , · · ·, m * 1,r n } of equal length, and then sends them to B. B randomly selects β ∈ {0, 1} and generates the ciphertext C * s on m * β = {m * β,r 1 , m * β,r 2 , · · ·, m * β,r n } under ID * s and ID * r as follows: B performs the H 1 query on (ID * r i , X * r i , R * r i , P pub ) to obtain c * r i , the private key query on ID * s to obtain x * s , and the certificate query on ID * s to obtain cert * s . Then, B computes $L^*_s = bP$ and $E^*_{r_i} = x^*_{r_i}\, bP + r^*_{r_i}\, bP + c^*_{r_i}\, Z$, and performs the H 2 query on E * r i to obtain e * r i , where i = 1, 2, · · ·, n. Finally, B generates G * s and σ * s according to the proposed certificate-based MMSC scheme, and returns the ciphertext C * s = {L * s , G * s , σ * s } to A I .
Phase 2: A I adaptively issues the queries of Phase 1, except that it cannot issue the certificate query on ID * r i (i = 1, 2, · · ·, n), the signcryption query on m * β under ID * s and ID * r , or the unsigncryption query on C * s under ID * s and ID * r .
Guess: A I outputs β′ ∈ {0, 1} as its guess. If β′ = β holds, B outputs 1, indicating that Z = abP. Otherwise, B outputs 0.
Probability analysis: Suppose A I can issue at most q H i hash H i (i = 0, 1, 2, 3, 4) queries, q c create user queries, q pri private key queries, q cert certificate queries, q pub public key replacement queries, q s signcryption queries and q u unsigncryption queries. The following two events are defined:
• E 1 : B does not abort in the create user query, certificate query, public key replacement query, signcryption query or unsigncryption query.
In accordance with the above simulation, we obtain $\Pr[E_1] \ge \left(1 - \frac{1}{q_{H_1}}\right)^{q_{cert}+q_{pub}+q_s+q_u}$ and $\Pr[E_2 \mid E_1] \ge \varepsilon$, so the success probability of B is $\varepsilon' \ge \left(1 - \frac{1}{q_{H_1}}\right)^{q_{cert}+q_{pub}+q_s+q_u} \varepsilon$. By the above analysis, we conclude that B solves the DDH problem with non-negligible advantage $\varepsilon' \ge \left(1 - \frac{1}{q_{H_1}}\right)^{q_{cert}+q_{pub}+q_s+q_u} \varepsilon$ in time $t' \le t + (3q_c + (2n+1)q_s + 5q_u)\, t_{sm}$, where t sm is the runtime of one scalar multiplication on ECC. This contradicts the DDH assumption; therefore, the proposed certificate-based MMSC scheme meets confidentiality.

Lemma 2: The proposed certificate-based MMSC scheme is IND-CCA-II secure in ROM under DDH assumption.
Proof: Assuming that A II wins Game 2 with probability ε in time t, we can build an algorithm B that breaks the DDH assumption with probability ε′ in time t′. Given an instance (P, aP, bP, Z) of the DDH assumption, B's goal is to decide whether Z = abP holds.
Initialization: A II selects the challenging identities ID * r = {ID * r 1 , ID * r 2 , · · ·, ID * r n } as the receivers, and sends them to B.
Setup: B randomly selects s ∈ Z * q as the master key and calculates P pub = sP. Then, B returns s and params = {q, p, P, G, P pub , · · ·} to A II .
Phase 1: A II adaptively issues the following polynomially bounded numbers of queries.
H i (i = 0, 1, 2, 3, 4) query: It is the same as in Lemma 1.
Create user query: A II issues a create user query on ID i . Otherwise, B performs as follows:
Private key query: A II issues a query on ID i ; B performs as follows:
• If ID i ∈ ID * r , B aborts the game.
• If ID i ∉ ID * r , B checks the list L U i and performs as follows: B performs the create user query on ID i and returns x i to A II .
Signcryption query: A II issues a query on the messages {m r 1 , m r 2 , · · ·, m r n } under the sender ID s and the receivers {ID r 1 , ID r 2 , · · ·, ID r n }. B performs as follows:
• If ID s ∈ ID * r , B aborts the game.
• If ID s ∉ ID * r , B performs the private key query on ID s to obtain x s and the create user query on ID r i to obtain {X r i , R r i } (i = 1, 2, · · ·, n). Finally, B generates the ciphertext C s = {L s , G s , σ s } according to the proposed certificate-based MMSC scheme, and returns C s to A II .
Unsigncryption query: A II issues an unsigncryption query on C s = {L s , G s , σ s } under ID s and ID r i . B performs as follows:
• If ID r i ∈ ID * r , B aborts the game.
• If ID r i ∉ ID * r , B performs the private key query on ID r i to obtain x r i . Then, B unsigncrypts C s according to the proposed certificate-based MMSC scheme, and returns m r i to A II .
Challenge: A II randomly selects two messages m * 0 = {m * 0,r 1 , m * 0,r 2 , · · ·, m * 0,r n } and m * 1 = {m * 1,r 1 , m * 1,r 2 , · · ·, m * 1,r n } of equal length, and then sends them to B. B randomly selects β ∈ {0, 1} and computes the ciphertext C * s on m * β = {m * β,r 1 , m * β,r 2 , · · ·, m * β,r n } under ID * s and ID * r as follows: B performs the H 1 query to obtain c * r i , and the private key query on ID * s to obtain x * s . Then, B computes $L^*_s = bP$ and $E^*_{r_i} = x^*_{r_i}\, Z + r^*_{r_i}\, bP + c^*_{r_i}\, s\, bP$, and performs the H 2 query on E * r i to obtain e * r i , where i = 1, 2, · · ·, n.
Finally, B produces G * s and σ * s according to the proposed certificate-based MMSC scheme, and returns the ciphertext C * s = {L * s , G * s , σ * s } to A II .
Phase 2: A II adaptively issues the queries of Phase 1, except that it cannot issue the private key query on ID * r i (i = 1, 2, · · ·, n), the signcryption query on m * β under ID * s and ID * r , or the unsigncryption query on C * s under ID * s and ID * r .
Guess: A II outputs β′ ∈ {0, 1} as its guess. If β′ = β holds, B outputs 1, indicating that Z = abP. Otherwise, B outputs 0.
Probability analysis: Suppose A II can issue at most q H i hash H i (i = 0, 1, 2, 3, 4) queries, q c create user queries, q pri private key queries, q s signcryption queries and q u unsigncryption queries. The following two events are defined:
• E 1 : B does not abort in the private key query, signcryption query or unsigncryption query.
In accordance with the above simulation, we obtain $\Pr[E_1] \ge \left(1 - \frac{1}{q_{H_1}}\right)^{q_{pri}+q_s+q_u}$ and $\Pr[E_2 \mid E_1] \ge \varepsilon$, so the success probability of B is $\varepsilon' \ge \left(1 - \frac{1}{q_{H_1}}\right)^{q_{pri}+q_s+q_u} \varepsilon$.
By the above analysis, we conclude that B solves the DDH problem with non-negligible advantage $\varepsilon' \ge \left(1 - \frac{1}{q_{H_1}}\right)^{q_{pri}+q_s+q_u} \varepsilon$ in time $t' \le t + (2q_c + (2n+1)q_s + 5q_u)\, t_{sm}$. This contradicts the DDH assumption; therefore, the proposed certificate-based MMSC scheme meets confidentiality.
Theorem 2: The proposed certificate-based MMSC scheme is EUF-CMA secure in ROM under the ECDL assumption.
Proof: Theorem 2 follows from Lemma 3 and Lemma 4.

Lemma 3: The proposed certificate-based MMSC scheme is EUF-CMA-I secure in ROM under ECDL assumption.
Proof: Assuming that A I wins Game 3 with probability ε in time t, we can build an algorithm B that breaks the ECDL assumption with probability ε′ in time t′. Given an instance (P, aP) of the ECDL assumption, B's goal is to compute a.
Initialization: A I selects the challenging identity ID * s as the sender, and sends it to B.
Setup: B sets P pub = aP, and returns params to A I . Otherwise, B performs as follows: If c i already appears in L H 1 , B randomly selects another cert i ∈ Z * q and tries again. Then, B adds the new entry into L H 1 .
Private key query: It is the same as in Lemma 1.
Certificate query: A I issues a certificate query on ID i ; B performs as follows:
• If ID i = ID * s , B aborts the game.
• If ID i ≠ ID * s , B checks the list L U i and performs as follows: B performs the create user query on ID i and returns cert i to A I .
Public key replacement query: A I issues a query on ID i with {X i ′, R i ′}; B checks the list L U i and performs as follows: B performs the create user query on ID i , sets X i = X i ′, R i = R i ′, x i = ⊥, r i = ⊥, cert i = ⊥, and adds (ID i , ⊥, X i ′, ⊥, R i ′, ⊥) into L U i .
Signcryption query: A I issues a query on the messages {m r 1 , m r 2 , · · ·, m r n } under the sender ID s and the receivers {ID r 1 , ID r 2 , · · ·, ID r n }; B performs as follows:
• If ID s = ID * s , B performs the create user query on ID s to obtain {X s , R s }, and the H 1 query on (ID s , X s , R s , P pub ) to obtain c s . Then, B randomly selects f s , h s , σ s ∈ Z * q and computes $L_s = h_s^{-1}(\sigma_s P - f_s X_s - R_s - c_s\, aP)$. If h s already appears in L H 4 , B randomly selects another σ s ∈ Z * q and tries again. B adds (ID s , X s , R s , G s , f s ) and (ID s , X s , R s , L s , h s ) into L H 3 and L H 4 , respectively. Finally, B produces G s according to the proposed certificate-based MMSC scheme, and returns the ciphertext C s = {L s , G s , σ s } to A I .
• If ID s ≠ ID * s , B performs the private key query on ID s to obtain x s , the certificate query on ID s to obtain cert s , and the create user query on ID r i to obtain {X r i , R r i } (i = 1, 2, · · ·, n). Then, B produces the ciphertext C s = {L s , G s , σ s } according to the proposed certificate-based MMSC scheme, and returns C s to A I .
Unsigncryption query: A I issues an unsigncryption query on C s = {L s , G s , σ s } under ID s and ID r i . B performs the private key query on ID r i to obtain x r i , and the certificate query on ID r i to obtain cert r i . Then, B unsigncrypts C s according to the proposed certificate-based MMSC scheme, and returns m r i to A I .
Forgery: A I outputs a forged ciphertext C * s = {L * s , G * s , σ * s } on the messages {m * r 1 , m * r 2 , · · ·, m * r n } under the sender ID * s and the receivers {ID * r 1 , ID * r 2 , · · ·, ID * r n }. By the forking lemma [60], B obtains another valid ciphertext C * s ′ = {L * s , G * s , σ * s ′} on the same messages by choosing a different H 1 output. Since both ciphertexts are valid, the following two equations are obtained: Combining them, B derives a as a solution to the given ECDL problem.
Probability analysis: Supposing A I can issue at most q H i hash H i (i = 0, 1, 2, 3, 4) queries, q c create user queries, q pri private key queries, q cert certificate queries, q pub public key replacement queries, q s signcryption queries and q u unsigncryption queries. The following three events are defined: • E 1 : B never aborts the create user query, certificate query and signcryption query.
• E 2 : B outputs a valid ciphertext. • E 3 : ID i = ID * s . In accordance with the above simulation, we are able to get , so the probability that B solves the ECDL problem is displayed as: By the above analysis, we get conclusion that B breaks the ECDL problem with non-negligible advantage ε ≥ This conflicts with the ECDL assumption, therefore, the proposed certificate-based MMSC scheme meets the unforgeability.

Lemma 4: The proposed certificate-based MMSC scheme is EUF-CMA-II secure in the ROM under the ECDL assumption.
Proof: Assuming that $A_{II}$ wins Game 4 with probability $\varepsilon$ in time $t$, we can build an algorithm $B$ that breaks the ECDL assumption with probability $\varepsilon'$ in time $t'$. Given an instance $(P, aP)$ of the ECDL problem, $B$'s goal is to compute $a$.
Initialization: $A_{II}$ selects the challenge identity $ID_s^*$ as the sender and sends it to $B$.
Setup: $B$ randomly selects $s \in Z_q^*$ as the master key and calculates $P_{pub} = sP$. Then, $B$ returns $s$ and params $= \{q, p, P, G, P_{pub}, H_0, H_1, H_2, H_3, H_4\}$ to $A_{II}$.
Query: $A_{II}$ adaptively issues the following queries a polynomially bounded number of times.
$H_i$ ($i = 0, 1, 2, 3, 4$) query: It is the same as in Lemma 1.
Create user query: $A_{II}$ issues a create user query on
Otherwise, $B$ performs as follows:
Private key query: $A_{II}$ issues a query on $ID_i$, and $B$ performs as follows: s, $B$ checks $L_{U_i}$ and performs as follows: $B$ performs the create user query on $ID_i$ and returns $x_i$ to $A_{II}$.
Signcryption query: $A_{II}$ issues a query on the messages $\{m_{r_1}, m_{r_2}, \cdots, m_{r_n}\}$ under the sender $ID_s$ and the receivers $\{ID_{r_1}, ID_{r_2}, \cdots, ID_{r_n}\}$, and $B$ performs as follows:
• If $ID_s = ID_s^*$, $B$ performs the create user query on $ID_s$ to obtain $\{X_s, R_s\}$, and the $H_1$ query on $(ID_s, X_s, R_s, P_{pub})$ to obtain $c_s$. Then, $B$ randomly selects $f_s, h_s, \sigma_s \in Z_q^*$ and computes $L_s = (h_s)^{-1}(\sigma_s P - f_s aP - R_s - c_s P_{pub})$. If $h_s$ already appears in $L_{H_4}$, $B$ randomly selects another $\sigma_s \in Z_q^*$ and tries again. $B$ adds $(ID_s, X_s, R_s, G_s, f_s)$ and $(ID_s, X_s, R_s, L_s, h_s)$ into $L_{H_3}$ and $L_{H_4}$, respectively. Finally, $B$ produces $G_s$ according to the proposed certificate-based MMSC scheme, and returns the ciphertext $C_s = \{L_s, G_s, \sigma_s\}$ to $A_{II}$.
• If $ID_s \neq ID_s^*$, $B$ performs the private key query on $ID_s$ to obtain $x_s$, and the create user query on $ID_{r_i}$ to obtain $\{X_{r_i}, R_{r_i}\}$ ($i = 1, 2, \cdots, n$). Then, $B$ produces the ciphertext $C_s = \{L_s, G_s, \sigma_s\}$ according to the proposed certificate-based MMSC scheme, and returns $C_s$ to $A_{II}$.
Unsigncryption query: $A_{II}$ issues an unsigncryption query on $C_s = \{L_s, G_s, \sigma_s\}$ under $ID_s$ and $\{ID_{r_1}, ID_{r_2}, \cdots, ID_{r_n}\}$. $B$ performs the private key query on $ID_{r_i}$ to obtain $x_{r_i}$. Then, $B$ unsigncrypts $C_s$ according to the proposed certificate-based MMSC scheme, and returns $m_{r_i}$ to $A_{II}$.
Forgery: $A_{II}$ outputs a forged ciphertext $C_s^* = \{L_s^*, G_s^*, \sigma_s^*\}$ on the messages $\{m_{r_1}^*, m_{r_2}^*, \cdots, m_{r_n}^*\}$ under the sender $ID_s^*$ and the receivers $\{ID_{r_1}^*, ID_{r_2}^*, \cdots, ID_{r_n}^*\}$. Based on the forking lemma [60], $B$ produces another valid ciphertext $C_s^{*\prime} = \{L_s^*, G_s^*, \sigma_s^{*\prime}\}$ by choosing a different $H_3$. Since both ciphertexts are valid, the following two equations can be obtained:
We can obtain the equation:
as a solution to the given ECDL problem.
Probability analysis: Suppose $A_{II}$ issues at most $q_{H_i}$ $H_i$ ($i = 0, 1, 2, 3, 4$) queries, $q_c$ create user queries, $q_{pri}$ private key queries, $q_s$ signcryption queries and $q_u$ unsigncryption queries. The following three events are defined:
• $E_1$: $B$ never aborts in the private key query and signcryption query.
• $E_2$: $B$ outputs a valid ciphertext.
• $E_3$: $ID_i = ID_s^*$.
In accordance with the above simulation, we are able to get $\Pr[$ , so the probability that $B$ solves the ECDL problem is:
By the above analysis, we conclude that $B$ breaks the ECDL problem with non-negligible advantage $\varepsilon' \geq$
This conflicts with the ECDL assumption; therefore, the proposed certificate-based MMSC scheme meets unforgeability.

certificate-based MMSC scheme, and returns the ciphertext $C_s^* = \{L_s^*, G_s^*, \sigma_s^*\}$ to $A_{II}$.
Phase 2: $A_{II}$ adaptively issues the queries of Phase 1, except that it is unable to issue the private key query on $ID_{r_\beta}^*$, the signcryption query on $\{m_{r_1}^*, m_{r_2}^*, \cdots, m_{r_n}^*\}$ under $ID_s^*$ and $\{ID_{r_\beta}^*, ID_{r_2}^*, \cdots, ID_{r_n}^*\}$, and the unsigncryption query on $C_s^*$ under $ID_s^*$ and $\{ID_{r_\beta}^*, ID_{r_2}^*, \cdots, ID_{r_n}^*\}$.
Guess: $A_{II}$ outputs $\beta' \in \{0, 1\}$ as its guess. If $\beta' = \beta$ holds, $B$ outputs 1, indicating that $Z = abP$. Otherwise, $B$ outputs 0.
Probability analysis: It is the same as in Lemma 2. We conclude that $B$ breaks the ANON-IND-CCA-II security with non-negligible advantage $\varepsilon'$
This conflicts with the DDH assumption; therefore, the proposed certificate-based MMSC scheme meets receiver anonymity.
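The extraction step that Lemmas 3 and 4 leave to the forking lemma can be made concrete. The simulator's choice $L_s = (h_s)^{-1}(\sigma_s P - f_s X_s - R_s - c_s P_{pub})$ means a ciphertext is consistent with the verifier exactly when $\sigma_s P = h_s L_s + f_s X_s + R_s + c_s P_{pub}$; with $L_s = lP$, $X_s = xP$, $R_s = rP$, $P_{pub} = aP$ this is the scalar relation $\sigma_s = h_s l + f_s x + r + c_s a \pmod q$, so two forks that differ only in the rewound hash value reveal the scalar it multiplies. The code below is an added illustration, not the paper's code: it models the elliptic-curve group by the order-$q$ subgroup of $Z_p^*$ with constructed toy parameters, and the function names, the scalar form of the signature and the sample values are assumptions made here.

```python
"""Forking-lemma extraction behind Lemmas 3 and 4 (added example, not the paper's code).

Consistent ciphertext:  sigma_s P = h_s L_s + f_s X_s + R_s + c_s P_pub, i.e. in scalars
    sigma_s = h_s*l + f_s*x + r + c_s*a   (mod q)   with L_s=lP, X_s=xP, R_s=rP, P_pub=aP.
A fork on H_1 (different c_s, Lemma 3) leaks a; a fork on H_3 (different f_s, Lemma 4)
leaks x. Assumption: the curve group is replaced by the order-q subgroup of Z_p^*
(constructed toy parameters), so 'kP' is pow(P, k, p) and point addition is
multiplication mod p."""
import random

P_MOD = 2039   # constructed toy prime p = 2q + 1
Q = 1019       # constructed toy group order q (prime)
G = 4          # generator of the order-q subgroup (quadratic residue != 1); plays P

def smul(k, point):
    """Scalar multiplication k*point in the toy group."""
    return pow(point, k % Q, P_MOD)

def padd(*points):
    """Point addition in the toy group."""
    acc = 1
    for pt in points:
        acc = acc * pt % P_MOD
    return acc

def sign_scalar(l, x, r, a, h, f, c):
    """sigma = h*l + f*x + r + c*a (mod q): the scalar behind a consistent ciphertext."""
    return (h * l + f * x + r + c * a) % Q

def verify(sigma, h, L, f, X, R, c, Ppub):
    """sigma*P == h*L + f*X + R + c*Ppub, the relation implied by the simulator's L_s."""
    return smul(sigma, G) == padd(smul(h, L), smul(f, X), R, smul(c, Ppub))

def extract_from_fork(sigma1, sigma2, v1, v2):
    """Two forks that differ only in one hash value v (v1 != v2) reveal the scalar that
    v multiplies: (sigma1 - sigma2) / (v1 - v2) mod q."""
    if (v1 - v2) % Q == 0:
        raise ValueError("the rewound hash values must differ")
    return (sigma1 - sigma2) * pow((v1 - v2) % Q, -1, Q) % Q

def lemma3_demo(seed=7):
    """Fork on H_1 (different c_s, same l, x, r, h, f): recovers the master key a."""
    rng = random.Random(seed)                 # deterministic constructed randomness
    a, x, r, l, h, f = (rng.randrange(1, Q) for _ in range(6))
    Ppub, X, R, L = smul(a, G), smul(x, G), smul(r, G), smul(l, G)
    c1, c2 = 101, 202                         # two H_1 replies produced by rewinding
    s1 = sign_scalar(l, x, r, a, h, f, c1)
    s2 = sign_scalar(l, x, r, a, h, f, c2)
    assert verify(s1, h, L, f, X, R, c1, Ppub) and verify(s2, h, L, f, X, R, c2, Ppub)
    return extract_from_fork(s1, s2, c1, c2) == a
```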

B. SECURITY ANALYSIS
1) CONFIDENTIALITY
In accordance with Theorem 1, no PPT adversary is able to compute the patient's health data, owing to the DDH assumption; therefore, confidentiality is achieved in the proposed certificate-based MMSC scheme.

2) UNFORGEABILITY
According to Theorem 2, no PPT adversary can forge a valid data report, owing to the difficulty of the ECDL problem; hence unforgeability is provided in the proposed certificate-based MMSC scheme.

3) RECEIVER ANONYMITY
Based on Theorem 3, for any data report, a healthcare professional cannot determine whether others are receivers of that data report, and hence receiver anonymity is achieved in the proposed certificate-based MMSC scheme.

4) SENDER ANONYMITY
In the proposed MMSC scheme, the patient's real identity $id_s$ is contained only in the random pseudo identity $ID_s = H_0(id_s, \xi_s)$. Owing to the collision resistance of the hash function $H_0$, it is impossible for any PPT adversary to extract the patient's real identity $id_s$ from the pseudo identity $ID_s$, and thus sender anonymity is met in the proposed certificate-based MMSC scheme.

5) DECRYPTION FAIRNESS
From the equation $f(e_{r_i}) = g_{n-1} e_{r_i}^{n-1} + \cdots + g_1 e_{r_i} + g_0 = m_{r_i}$, every authorized healthcare professional has the same ability to obtain his/her own corresponding health data $m_{r_i}$ by using $e_{r_i}$; thus decryption fairness is provided in the proposed certificate-based MMSC scheme.
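Decryption fairness rests on the sender encoding all $n$ messages into one polynomial $f$ over $Z_q$ with $f(e_{r_i}) = m_{r_i}$, so that each receiver recovers exactly its own message by evaluating $f$ at its own $e_{r_i}$. The example below is added here and is not the paper's code: it builds the coefficients $g_0, \ldots, g_{n-1}$ by Lagrange interpolation mod $q$ and evaluates $f$; the prime, the function names and the $(e_{r_i}, m_{r_i})$ pairs are constructed toy values (the scheme uses a 160-bit $q$).

```python
"""Decryption-fairness polynomial f(e) = g_{n-1} e^{n-1} + ... + g_1 e + g_0 over Z_q
with f(e_{r_i}) = m_{r_i} for every receiver i (added example, not the paper's code).
Coefficient lists are stored low degree first: [g_0, g_1, ..., g_{n-1}]."""

Q = 2**61 - 1  # constructed toy prime; the scheme itself uses a 160-bit prime q

def poly_mul(a, b):
    """Multiply two coefficient lists mod Q."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % Q
    return out

def poly_add(a, b):
    """Add two coefficient lists mod Q, padding the shorter one."""
    n = max(len(a), len(b))
    a = a + [0] * (n - len(a))
    b = b + [0] * (n - len(b))
    return [(u + v) % Q for u, v in zip(a, b)]

def interpolate(points):
    """Return [g_0, ..., g_{n-1}] such that f(e_i) = m_i for every (e_i, m_i) in points.

    The receiver values e_{r_i} must be distinct, otherwise no single polynomial of
    degree n-1 can give each receiver its own message."""
    es = [e % Q for e, _ in points]
    if len(set(es)) != len(es):
        raise ValueError("receiver values e_{r_i} must be distinct")
    coeffs = [0]
    for i, (e_i, m_i) in enumerate(points):
        basis = [1]      # Lagrange basis l_i(e) = prod_{j != i} (e - e_j) / (e_i - e_j)
        denom = 1
        for j, (e_j, _) in enumerate(points):
            if j != i:
                basis = poly_mul(basis, [(-e_j) % Q, 1])   # multiply by (e - e_j)
                denom = denom * (e_i - e_j) % Q
        scale = m_i * pow(denom, -1, Q) % Q               # m_i / prod (e_i - e_j)
        coeffs = poly_add(coeffs, [c * scale % Q for c in basis])
    return coeffs

def evaluate(coeffs, e):
    """Horner evaluation of f at e mod Q: what receiver i does with its own e_{r_i}."""
    acc = 0
    for g in reversed(coeffs):
        acc = (acc * e + g) % Q
    return acc
```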
In accordance with  [44] are not able to provide unforgeability, sender anonymity and decryption fairness. Furthermore, they have the certificate management problem and need a secure channel as a result of using PKI-based cryptography. Qiu et al.'s scheme [45] is not able to satisfy sender anonymity and decryption fairness. Moreover, it suffers from the key escrow issue and needs a secure channel because it uses ID-based cryptography. Niu et al.'s scheme [46] is unable to achieve decryption fairness. In addition, it has the key escrow issue and needs a secure channel because it uses ID-based cryptography and CL-based cryptography. Qiu et al.'s scheme [47] is not able to satisfy sender anonymity and decryption fairness. Pang et al.'s scheme [48] is unable to meet confidentiality, unforgeability and sender anonymity. Peng et al.'s scheme [49] cannot achieve sender anonymity and decryption fairness. Besides, the existing MMSC schemes [48], [49] require a secure channel owing to their use of CL-based cryptography. By contrast, the proposed certificate-based MMSC scheme is able to provide all of the security requirements.

VI. PERFORMANCE EVALUATION
A. COMPUTATION COST
This subsection analyzes and compares the computation costs of the MMSC schemes [43]–[49] and the proposed certificate-based MMSC scheme.
To realize a fair comparison, the MMSC schemes [43]–[49] and the proposed certificate-based MMSC scheme are compared at the 80-bit security level. For the pairing-based MMSC schemes [43]–[46], we select the bilinear pairing $e : G_1 \times G_1 \to G_2$, where $G_1$ is the additive group formed by the supersingular elliptic curve $E : y^2 = x^3 + x \bmod p$, $p$ is a 512-bit random prime number, $q$ is a 160-bit random Solinas prime number and $q \cdot 12 \cdot r = p + 1$. For the MMSC schemes [47]–[49] and the proposed certificate-based MMSC scheme, we choose the additive group $G$ formed by the elliptic curve $E : y^2 = x^3 + ax + b \bmod p$, where $p$ is a 160-bit random prime number, $a = -3$ and $b$ is a 160-bit prime number.
The runtimes of the cryptographic operations are obtained by means of the MIRACL Crypto SDK [61]. The tests are run on a 64-bit Windows 7 system with an i7 CPU (1.8 GHz to 4.9 GHz) and 8 GB of memory. The average runtimes of the cryptographic operations over 10000 runs are listed in Table 3. The computation costs of the proposed certificate-based MMSC scheme and the existing MMSC schemes [43]–[49] are compared in Table 4.
For the computation cost of signcryption, Seo et al.'s scheme [43] requires $n + 1$ scalar exponentiation operations in $G_1$ and $n$ symmetric encryptions, so the total time is $1.4226n + 1.4202$ ms. Han et al.'s scheme [44] requires $3n + 1$ scalar exponentiation operations in $G_1$ and $n$ map-to-point hash operations, so the total time is $7.8425n + 1.4202$ ms. Qiu et al.'s scheme [45] requires one scalar exponentiation operation in $G_1$, $n + 1$ map-to-point hash operations and $n$ bilinear pairing operations, so the total time is $13.8911n + 5.0021$ ms. Niu et al.'s scheme [46] requires $2n + 2$ scalar exponentiation operations in $G_1$, $2n$ pairing-based exponentiation operations and one symmetric encryption, so the total time is $3.8810n + 2.8428$ ms. Qiu et al.'s scheme [47] requires $2n + 2$ scalar multiplication operations in ECC and one symmetric encryption, so the total time is $0.7702n + 0.7726$ ms. Pang et al.'s scheme [48] requires $2n + 1$ scalar multiplication operations in ECC and one symmetric encryption, so the total time is $0.7702n + 0.7726$ ms. Peng et al.'s scheme [49] requires $2n + 1$ scalar multiplication operations in ECC and $n$ symmetric encryptions, so the total time is $0.7726n + 0.3851$ ms. In the single-receiver signcryption scheme, sending a message to one receiver requires three scalar multiplication operations in ECC, so sending $n$ messages to $n$ receivers requires $3n$ scalar multiplication operations in ECC and the total time is $1.1553n$ ms. The proposed certificate-based MMSC scheme requires $2n + 1$ scalar multiplication operations in ECC, so the total time is $0.7702n + 0.3851$ ms.
For the computation cost of unsigncryption, Seo et al.'s scheme [43] requires three exponentiation operations in $G_1$ and one symmetric decryption, so the total time is 4.2634 ms. Han et al.'s scheme [44] requires one scalar exponentiation operation in $G_1$, one map-to-point hash and two bilinear pairing operations, so the total time is 25.6205 ms. Qiu et al.'s scheme [45] requires two scalar exponentiation operations in $G_1$, one map-to-point hash and one bilinear pairing operation, so the total time is 16.7315 ms. Niu et al.'s scheme [46] requires one scalar exponentiation operation in $G_1$, four bilinear pairing operations and one symmetric decryption, so the total time is 42.6598 ms. Qiu et al.'s scheme [47] requires five scalar multiplication operations in ECC and one symmetric encryption, so the total time is 1.9283 ms. Pang et al.'s scheme [48] requires four scalar multiplication operations in ECC and one symmetric encryption, so the total time is 1.5432 ms. Peng et al.'s scheme [49] requires four scalar multiplication operations in ECC and one symmetric encryption, so the total time is 1.5432 ms. The single-receiver signcryption scheme requires five scalar multiplication operations in ECC, so the total time is 1.9255 ms. The proposed certificate-based MMSC scheme requires five scalar multiplication operations in ECC, so the total time is 1.9255 ms. From Figure 3, we can see that the computation cost of signcryption increases linearly with the number of healthcare professionals, and that the proposed certificate-based MMSC scheme has the lowest slope and the smallest computation cost compared with the MMSC schemes [43]–[49] and the single-receiver signcryption scheme.
As displayed in Figure 4, the computation cost of unsigncryption in the proposed certificate-based MMSC scheme is smaller than that of the MMSC schemes [43]–[47]: the computation cost of unsigncryption is 1.9255 ms in the proposed certificate-based MMSC scheme, which is reduced by 54.8%, 92.5%, 88.5%, 95.5% and 0.2% compared with the MMSC schemes [43]–[47], respectively. The computation cost of unsigncryption in the MMSC schemes [48], [49] is smaller than that of the proposed certificate-based MMSC scheme, but Peng et al. [49] showed that Pang et al.'s scheme [48] fails to satisfy unforgeability and confidentiality. Besides, Peng et al.'s scheme [49] is unable to satisfy sender anonymity and decryption fairness. The computation cost of unsigncryption in the single-receiver signcryption scheme is the same as that of the proposed certificate-based MMSC scheme.

VII. CONCLUSION
In this paper, an efficient anonymous certificate-based MMSC scheme for healthcare IoT is presented for the first time by utilizing certificate-based cryptography and ECC; it avoids the problems of certificate management, key escrow and key distribution. Furthermore, the security analysis shows that it satisfies confidentiality, unforgeability, receiver anonymity, sender anonymity and decryption fairness, and the performance evaluation indicates that it is more efficient in terms of computation and communication cost.