Provable secure identity-based online/offline encryption scheme with continual leakage resilience for wireless sensor network

As a potential technology, the identity-based online/offline encryption (IBOOE) scheme splits encryption into two phases (an offline phase and an online phase), which makes it especially suitable for sensor nodes with limited computation resources, since most of the work can be executed offline. However, a challenging issue is that the well-known identity-based online/offline encryption schemes are unable to resist continual leakage attacks on the secret keys. To address this security challenge, we put forth the first continual leakage-resilient identity-based online/offline encryption scheme, which is suitable for ensuring secure communications in wireless sensor networks. More specifically, our formal security proofs indicate that the proposed scheme guarantees security even if partial information about the secret key is continually leaked through side-channel attacks or fault injection attacks. Above all, compared to the existing identity-based online/offline encryption schemes, an identity-based online/offline encryption scheme with continual leakage resilience provides wireless sensor networks with strong security.


Introduction
Wireless sensor networks (WSNs) are a major technique and an academic hotspot, and they possess the advantages needed to build the Internet of things (IoT). Thanks to their ability to sense, gather, and monitor data, individual users and enterprises can achieve better management control and decision-making. For example, individual users equipped with tiny sensor nodes continuously monitor sensitive data such as health records, which must be encrypted before being transmitted to the base stations (BSs). However, security and efficiency challenges arise when designing access control systems in WSNs. For one thing, the sensor nodes have limited capabilities. For ... were proposed in a weak security model. To solve the above problems, researchers directly utilized typical identity-based encryption (IBE) schemes to design access control systems. IBE 1-4 is one of the powerful cryptographic mechanisms that realize the above functionality. The encryption procedure of IBE simply employs the user's identity, which is an arbitrary string. However, an IBE system always requires the user to execute expensive computations, such as pairings over points on an elliptic curve and exponentiations in groups, which is not desirable for weak users with limited computation resources. Especially in WSNs, the nodes have very limited computation resources, memory, and storage capabilities, which make many cryptographic primitives impractical. A good solution for reducing the computational overhead of the encryption procedure is identity-based online/offline encryption (IBOOE), which splits the encryption process into two phases: the offline phase and the online phase. In the offline phase, the vast majority of the work is done, and it requires neither the message to be encrypted nor the receiver's identity. This division of computational tasks allows most of the work to be executed offline.
However, security and efficiency challenges appear when traditional IBOOE schemes are directly utilized in the WSN environment. Such schemes usually assume that the adversary cannot obtain any information about the internal secret state. In contrast, this assumption no longer holds in WSNs, since a malicious adversary can obtain partial information through side-channel attacks, 5 which leads to the leakage of important sensitive information. A natural question then arises: can we design a provably secure IBOOE scheme resilient to continual leakage of the secret keys? A plausible solution to this problem is dual system encryption, which has the potential to address the problem of continual key leakage for traditional IBOOE schemes.

Related work
In this subsection, we summarize leakage-resilient IBE (lr-IBE) cryptography and the online/offline encryption cryptography.
Leakage resilience was first studied in the public key setting by Akavia et al. 6 It is a powerful tool for keeping data confidential against side-channel attacks. Naor and Segev 5 extended leakage resilience to public key encryption. More broadly, Alwen et al. 7 first introduced leakage-resilient security to the identity-based setting and constructed lr-IBE schemes using the identity-based hash proof system (IB-HPS). Unfortunately, only their third scheme, based on Gentry's IBE system, 3 was proved secure in the standard model. So far, two main models have been proposed: the bounded leakage model (BLM) and the continual leakage model (CLM). The first line of work constructs lr-IBE schemes that are proven secure in the BLM. In CCS, Chow et al. 8 proposed three lr-IBE schemes assuming that each secret-key holder has two sources of randomness that are applied to the secret keys and the master secret keys. The first two lr-IBE schemes are based on BB-IBE 1 and Waters-IBE, 2 respectively, and achieve selective security; the third scheme is fully secure with short public parameters, using Lewko and Waters's dual system encryption. 4 Namely, they showed how to go from an IB-HPS to an lr-IBE scheme. Li et al. 9 investigated how to achieve chosen ciphertext attack (CCA) security for an lr-IBE scheme by applying a hash proof technique to Gentry's IBE scheme. 3 However, the lr-IBE schemes presented in Alwen et al., 7 Chow et al., 8 and Li et al. 9 cannot resist continual key leakage attacks. The other line of work is the so-called CLM. It divides the lifetime of the cryptosystem into periods and updates the secret keys at the end of each period. Lewko et al. 10 first proposed an IBE scheme with continual leakage resilience, which allows continual leakage of both the user's key and the master key. Subsequently, Li et al. 11 developed the first identity-based broadcast encryption scheme under continual leakage of the secret keys of any identity. To improve the security level, Zhou et al. 12-14 gave exciting new continual leakage-resilient constructions for IBE from the decisional bilinear Diffie-Hellman (DBDH) and truncated augmented bilinear Diffie-Hellman exponent (q-TABDHE) assumptions, and from a new primitive called the updatable identity-based hash proof system (U-IB-HPS). Recently, many BLMs and CLMs were surveyed in Zhang et al. 15 and Yael et al. 16
Online/offline encryption technology has been widely accepted as an effective method for protecting data security and privacy in online/offline scenarios, and it has become a useful tool for efficient encryption such that only authorized users can access the data. Online/offline encryption mainly focuses on efficient encryption, as opposed to efficient decryption. 17 Guo et al. 18 first introduced encryption schemes that split the encryption procedure into two phases: the offline phase and the online phase. The offline phase, which takes neither the plaintext nor the user's identity as input, outputs the offline ciphertext. Then, the online phase efficiently generates the online ciphertext from the plaintext and the identity of the user. Subsequently, Liu et al. 19 presented a more efficient IBOOE scheme in the random oracle model, which is especially suitable for embedded devices with limited computation power such as smart cards or wireless sensors. Later, Chu et al. 20 proposed a practical IBOOE scheme in the selective-ID model that removes the elements of the group $G_T$ from the offline storage and is thus suitable for WSNs. The notion of an ID-based online/offline key encapsulation mechanism (IBOOKEM) was introduced by Chow et al., 21 together with a generic construction of an IBOOE scheme achieving CCA security in the ROM. However, that scheme has the following property: its security, storage, and computation rely on a symmetric encryption mechanism. By utilizing a novel notion, an efficient semi-generic transformation from an IBOOKEM scheme to an IBOOE scheme in the standard model was obtained. 22
Recently, to address the problem of large ciphertexts, efficient IBOOE and signcryption schemes with short ciphertexts were proposed by Lai et al. 23 Nevertheless, as side-channel attack technology advances and new attack methods appear, conventional IBOOE schemes are threatened; the schemes mentioned above can be broken by key leakage attacks. As an attractive technique that naturally leads to leakage resilience, dual system encryption admits very strong security proofs based on three static assumptions. In this article, our goal is to propose an IBOOE scheme in the continual key leakage security model.

Motivation and our contribution
The primary challenge for IBOOE schemes is to achieve leakage resilience. In this article, we consider continual leakage resilience in IBOOE schemes. Motivated by the aforementioned application to leakage tolerance in WSNs, we study IBOOE resilient to a stronger form of leakage. Specifically, the contributions of this work are as follows. We first introduce the notion of continual leakage-resilient IBOOE (clr-IBOOE) and formalize its framework. In clr-IBOOE, the encryption procedure is split into two phases, that is, an offline phase and an online phase. To support continual leakage, we expand the secret key and the ciphertext to $(n+2)$- and $(n+5)$-dimensional vectors, respectively; the parameter $n$ ($n \geq 3$) determines the leakage tolerance. We utilize semi-functional structures and a hybrid argument, and the security proof proceeds through a sequence of games. The main difficulty in constructing our scheme is to implement nominally semi-functional secret keys that can decrypt semi-functional ciphertexts without the adversary being aware of it. Nominality permits the simulator to produce nominally semi-functional keys that successfully decrypt the associated challenge ciphertext while the adversary remains unaware of this. We provide provable security for clr-IBOOE, including indistinguishability of normal and semi-functional secret keys, indistinguishability of normal and semi-functional ciphertexts, and continual leakage of secret keys. In addition, we conduct a comprehensive performance evaluation against the existing IBOOE schemes: our scheme not only enjoys continual leakage resilience but also avoids additional online computation. In particular, clr-IBOOE realizes the strongest form of continual leakage, because the secret key is updated over time by the update process.
The rest of the article is organized as follows. In section ''Preliminaries,'' we describe the notation used in this article, composite order bilinear groups, and the complexity assumptions. In section ''System architecture and security model,'' we present the system architecture, a formal definition of clr-IBOOE, and the continual leakage-resilient security model. In section ''Provable secure IBOOE with continual leakage resilience in WSNs,'' we propose a clr-IBOOE scheme based on three assumptions, in which encryption can be afforded by mobile devices with limited computation power. In section ''Security proof and efficiency comparisons,'' we give the formal security proof in the standard model under the new security model, together with the efficiency and security of the new scheme compared with the existing IBOOE schemes. Finally, we conclude the article in section ''Conclusion.''

Preliminaries
In this section, we introduce the preliminary knowledge on some cryptographic background used throughout this article.

Notations
We assume that all algorithms take as input the security parameter represented in unary, that is, $1^\lambda$. Let $N$ be a positive integer. For a set $R$, $|R|$ denotes its cardinality, and $s \xleftarrow{\$} R$ means that the variable $s$ is chosen uniformly at random from $R$. The symbols $\cdot$ and $\ast$ denote the dot product of two vectors and the component-wise product of two elements, respectively. In addition, the notation used for the IBOOE scheme is listed in Table 1. These notations are employed throughout this article.

Composite order bilinear groups
Three assumptions based on the pairing over composite order groups 4,10 are as follows. Let $N = p_1 p_2 p_3$, where $p_1, p_2, p_3$ are three distinct primes. The group generator algorithm $\mathcal{I}$ takes as input a security parameter $1^\lambda$ and outputs the description of a bilinear group $(N = p_1 p_2 p_3, G, G_T, e)$. In the group description, $G$ and $G_T$ are cyclic groups of order $N$, and $e: G \times G \to G_T$ is a bilinear map. We assume that the generator algorithm outputs the values of $p_1, p_2, p_3$, and that $g_i$ is a generator of the subgroup $G_i$ of $G$ of order $p_i$.

Complexity assumptions

Assumption 1. Given $D_1 = (N, G, G_T, e, g_1, g_3)$, it is hard for an adversary to distinguish $T_0 = g_1^z$ from $T_1 = g_1^z g_2^v$.

Assumption 2. Given $D_2 = (N, G, G_T, e, g_1, g_3, g_1^z g_2^v, g_2^u g_3^v)$, it is hard for an adversary to distinguish $T_0 = g_1^w g_3^s$ from $T_1 = g_1^w g_2^k g_3^s$.

Assumption 3. Given $D_3 = (N, G, G_T, e, g_1, g_2, g_3, g_1^\alpha g_2^v, g_1^z g_2^u)$, it is hard for an adversary to distinguish $T_0 = e(g_1, g_1)^{\alpha z}$ from a random $T_1 \in G_T$.

Assumptions 2 and 3 are stated here with the instances $D_2$, $D_3$ and challenge terms $T$ used in the proofs of Lemmas 3 and 4.

Security theorem
In the context of Lewko and Waters, 10 the semi-functional space is expanded to $(n+2)$-dimensional vectors, where $n \geq 3$. Notice that the leakage bound depends only on the size of the $G_2$ subgroup, and not on the size of $p_1$ or $p_3$. They give Lemma 1 as follows.
Lemma 1. ... where $c > 0$ is a fixed positive constant, our dual system IBE scheme is $(\ell_{MK}, \ell_{SK})$-master-leakage secure.

System architecture and security model
Before giving the formalized security model, we first lay out the system architecture and the specification of an IBOOE scheme with a key update algorithm, which is the underlying technique of the proposed secure identity-based online/offline encryption scheme with continual leakage resilience for WSNs.

Network model
In WSNs, we focus on a single-SP (service provider), multi-user sensor network. An overview of the network model is shown in Figure 1. There are four entities in the system: the SP, the sensor nodes, the gateway, and the network users.
SP: an authority that deploys a sensor network composed of multiple sensors and handles tasks such as the registration of sensor nodes and users. The SP is a trusted third party. Sensor nodes: they are battery powered, which is a big challenge for network designers. Note that sensor nodes can be offline. Gateway: compared with sensor nodes, it has much higher storage and processing capability. Users: a user joins the WSN by registering with the SP.
It is assumed that all entities except the SP are ''honest-but-curious.'' Sensor nodes generate offline ciphertexts, encrypt a file, and outsource the final ciphertext to the SP. When a user wants to use the encrypted data, he downloads a ciphertext from the SP and then decrypts it with his secret key if the ciphertext is legitimate.

Specification of clr-IBOOE
A clr-IBOOE scheme consists of six algorithms: Setup, Ext, UpdateSK, Enc$_{off}$, Enc$_{on}$, and Dec. Compared with a standard IBOOE scheme, the continual leakage setting requires the additional algorithm UpdateSK, which updates the secret keys of users; we call the resulting notion a continual leakage-resilient IBOOE scheme, clr-IBOOE in short. Note that the public key remains unchanged. The definition below summarizes the above.

Definition 1 (clr-IBOOE).
IBOOE schemes are defined by a tuple of algorithms and protocols $P = (\mathrm{Setup}, \mathrm{Ext}, \mathrm{UpdateSK}, \mathrm{Enc}_{off}, \mathrm{Enc}_{on}, \mathrm{Dec})$, where:
$\mathrm{Setup}(1^\lambda)$ takes the security parameter $\lambda$ and returns the master public key $mpk$ and the master secret key $msk$.
$\mathrm{Ext}(mpk, I, msk)$ takes as input the master public key $mpk$, the master secret key $msk$, and an identity $I \in \mathcal{I}$, and returns a secret key $sk_I$ for $I$.
$\mathrm{UpdateSK}(sk_I, I, mpk)$ takes a secret key $sk_I$ and outputs a re-randomized key $sk'_I$ such that the distribution of $sk'_I$ is indistinguishable from the distribution of $sk_I$.
$\mathrm{Enc}_{off}(mpk)$ takes $mpk$ and returns an offline ciphertext $c_{off}$.
$\mathrm{Enc}_{on}(m, mpk, I, c_{off})$ takes as input a message $m$, the master public key $mpk$, an identity $I \in \mathcal{I}$, and an offline ciphertext $c_{off}$, and returns the ciphertext $c$.
$\mathrm{Dec}(mpk, sk_I, c)$ takes a secret key $sk_I$ and a ciphertext $c$ and returns a message $m$ or a special reject symbol $\perp$ indicating that $c$ is invalid.

Table 1. Notations.
$\mathrm{negl}(\lambda)$: a negligible function of the security parameter $\lambda$.
$s \leftarrow S(\cdot)$: run a randomized algorithm $S(\cdot)$ and output $s$.
$x \xleftarrow{\$} \mathbb{Z}_N$: the operation of choosing an element $x$ of $\mathbb{Z}_N$ uniformly at random.
$(\ldots)$: parentheses denote collections of elements of different types.

Security model
In our setting, there are two kinds of adversaries: an external intruder, or a registered network user who intends to obtain other users' data without authorization, following previous work. 24 Based on the adversary's abilities and the specification of the IBOOE scheme, we formalize the security model by specifying the abilities of the adversary. To define continual leakage security, we extend the CLM of Li and Zhang 11 to the online/offline identity-based setting. The security model is defined through a game played by a probabilistic polynomial-time (PPT) adversary $\mathcal{A}$ and a challenger (also called the simulator). We require that $\mathcal{A}$ cannot win the following security game cLeak with probability greater than $1/2 + \mathrm{negl}(\lambda)$. All queries in the game may be made adaptively, that is, each may depend on the previous ones.
Setup: The simulator $\mathcal{B}$ runs $\mathrm{Setup}(1^\lambda)$ and obtains the master public key $mpk$ and the master secret key $msk$. The master secret key is kept secret, and $mpk$ is given to the adversary $\mathcal{A}$. $\mathcal{B}$ creates a set $L = \emptyset$ to keep track of Ext queries and key leakage queries, and another set $K = N$ for Reveal queries. $L$ is a set of tuples of a handle, an identity, a secret key, and a counter, that is, $(h, I, SK, \mathrm{Cntr}) \in \mathcal{H} \times \mathcal{I} \times \mathcal{SK} \times \mathbb{N}$. The handle counter $h$ is initially set to $0$.
Phase 2: The same as Phase 1, except that $I^*$ may not be submitted to any of the oracles of Phase 1.
Guess: Finally, $\mathcal{A}$ outputs a guess bit $b' \in \{0, 1\}$. If $b' = b$, $\mathcal{A}$ wins the game. The advantage of an adversary $\mathcal{A}$ in attacking the IBOOE scheme $P$ with security parameter $\lambda$ is defined as $\mathrm{Adv}^{cLeak}_{\mathcal{A}, P}(\lambda, \ell) = |\Pr[b' = b] - 1/2|$.

Definition 2.
If for all PPT adversaries $\mathcal{A}$ the advantage $\mathrm{Adv}^{cLeak}_{\mathcal{A}, P}(\lambda, \ell)$ in the above game cLeak is negligible, that is, $\mathrm{Adv}^{cLeak}_{\mathcal{A}, P}(\lambda, \ell) \leq \mathrm{negl}(\lambda)$, we say that the clr-IBOOE scheme $P = (\mathrm{Setup}, \mathrm{Ext}, \mathrm{UpdateSK}, \mathrm{Enc}_{off}, \mathrm{Enc}_{on}, \mathrm{Dec})$ is fully secure against $\ell$-continual leakage attacks; the total amount of leakage on each secret key of a user has to be bounded by $\ell$. Note that in all definitions and lemmas we omit the dependence of Adv on $(\lambda, \ell)$ for ease of notation.
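To show what the challenger of the cLeak game has to track, here is an added example (not code from the paper) of the bookkeeping behind the set $L$ of $(h, I, SK, \mathrm{Cntr})$ tuples: each key version may leak at most $\ell$ bits through Leak queries, UpdateSK registers a re-randomized key under a fresh handle with its counter reset to zero, and Reveal disqualifies the identity from being the challenge identity. The secret key is a constructed stand-in, two additive shares of a secret modulo a toy $q$, re-randomized by shifting a random offset between the shares; the class and function names, the modulus $q = 1019$ and the bound $\ell = 8$ bits are the example's own assumptions.

```python
# Added example (not from the paper): the bookkeeping of the cLeak game's
# challenger, i.e. the set L of (handle, identity, key, counter) tuples and
# the per-key leakage bound ell that UpdateSK resets.  The "secret key" is a
# constructed stand-in: two additive shares of a secret modulo q, re-randomized
# by moving a random offset between the shares, so an update changes every
# component of the key while the key still reconstructs the same secret.
import secrets

Q = 1019          # constructed toy modulus standing in for Z_N
ELL = 8           # leakage bound ell in bits per key version (constructed)


class LeakageGame:
    """Challenger-side state for Ext / Leak / UpdateSK / Reveal queries."""

    def __init__(self, ell=ELL, rng=secrets.randbelow):
        self.ell = ell
        self.rng = rng
        self.L = {}            # handle -> (identity, key, Cntr)
        self.next_handle = 0
        self.revealed = set()  # identities whose key was handed over (Reveal)

    def ext(self, identity, secret):
        """Ext query: derive a key for identity and register it with Cntr = 0."""
        a = self.rng(Q)
        key = (a, (secret - a) % Q)      # additive sharing of the secret
        h = self.next_handle
        self.next_handle += 1
        self.L[h] = (identity, key, 0)
        return h

    def leak(self, h, f, out_bits):
        """Leak query: return out_bits bits of f(key) for handle h, but only
        while the total leaked from this key version stays within ell."""
        identity, key, cntr = self.L[h]
        if cntr + out_bits > self.ell:
            return None                  # refused: bound for this version exhausted
        self.L[h] = (identity, key, cntr + out_bits)
        return f(key) & ((1 << out_bits) - 1)

    def update(self, h):
        """UpdateSK query: re-randomize the key under a new handle with Cntr = 0.
        This is what makes the leakage 'continual': every version is bounded
        by ell, while the lifetime total is not."""
        identity, (a, b), _ = self.L[h]
        delta = self.rng(Q)
        new_key = ((a + delta) % Q, (b - delta) % Q)
        h2 = self.next_handle
        self.next_handle += 1
        self.L[h2] = (identity, new_key, 0)
        return h2

    def reveal(self, h):
        """Reveal query: hand over the whole key; the identity can then no
        longer serve as the challenge identity I*."""
        identity, key, _ = self.L[h]
        self.revealed.add(identity)
        return key

    def is_valid_challenge(self, identity):
        return identity not in self.revealed

    @staticmethod
    def reconstruct(key):
        """Decryption-side use of the key: the shares still sum to the secret."""
        return (key[0] + key[1]) % Q


def run_scenario(rng=secrets.randbelow):
    """Drive the game through leak -> refuse -> update -> leak again.

    Returns (first leak accepted, second refused, leak after update accepted,
    updated key reconstructs the same secret, challenge identity still valid).
    """
    game = LeakageGame(rng=rng)
    secret = 777                          # constructed secret
    h = game.ext("sensor-01", secret)
    first_share = lambda k: k[0]          # a leakage function on the share vector
    first = game.leak(h, first_share, ELL) is not None
    second = game.leak(h, first_share, 1) is None        # ELL + 1 > ell: refused
    h2 = game.update(h)
    third = game.leak(h2, first_share, ELL) is not None  # fresh counter
    same_secret = game.reconstruct(game.L[h2][1]) == secret
    return first, second, third, same_secret, game.is_valid_challenge("sensor-01")


if __name__ == "__main__":
    print(run_scenario())
```

The counter is the whole point of Definition 2: an adversary who exhausts $\ell$ bits on one version gets nothing more until the key is updated, and an update does not carry the old counter forward. A real clr-IBOOE challenger stores the paper's $(n+2)$-dimensional $G_1 G_3$ keys here instead of the toy shares, but the handle and counter logic is the same.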

Provable secure IBOOE with continual leakage resilience in WSNs
In this section, we first present the proposed IBOOE with continual leakage resilience in WSNs and then show its correctness. Our clr-IBOOE scheme P comprises six algorithms detailed as follows.

Details of the proposed IBOOE scheme
Our construction of the clr-IBOOE scheme employs composite order bilinear groups $\mathcal{I} = (N = p_1 p_2 p_3, G, G_T, e)$, where $p_1, p_2, p_3$ are three $\lambda$-bit primes, $G$ and $G_T$ are cyclic groups of order $N = p_1 p_2 p_3$, and $e: G \times G \to G_T$ is a bilinear map. Assume that each identity is an element of $\mathbb{Z}_N$ and every message is an element of the group $G_T$. In our scheme, the secret key is randomized by the subgroup $G_3$. Elements of the subgroup $G_2$ are not used in the real scheme, but they supply the semi-functional property.

Setup($1^\lambda$): The setup algorithm picks $\langle \alpha, x_1, \ldots, x_n \rangle \xleftarrow{\$} \mathbb{Z}_N^{n+1}$ and $u_1, g_1, h_1 \in G_1$ at random. It computes $R_1 = e(g_1, g_1)^\alpha$. Finally, it outputs the master secret key $msk = \alpha$ and the master public key $mpk = (u_1, g_1, h_1, R_1, g_1^{x_1}, \ldots, g_1^{x_n})$.
Ext($I, msk, mpk$): On input the master public key $mpk$, the master secret key $msk$, and an identity $I \in \mathcal{I}$, the algorithm picks $n+1$ random exponents $\langle r, y_1, \ldots, y_n \rangle \xleftarrow{\$} \mathbb{Z}_N^{n+1}$ and returns the secret key $sk_I$.
Enc$_{off}$($mpk$): On input the master public key $mpk$, the algorithm chooses $x, s, w \in \mathbb{Z}_N$ and computes the offline ciphertext $c_{off} = (\vec{c}_1, c_2, c_3, c_4, c_5, w) = \big(((g_1^{x_1})^s, \ldots, (g_1^{x_n})^s),\ g_1^s,\ (u_1^x h_1)^s,\ u_1^{sw},\ R_1^s,\ w\big)$. The offline storage is $c_{off} = (\vec{c}_1, c_2, c_3, c_4, c_5, w)$.
Enc$_{on}$($m, mpk, I, c_{off}$): On input a message $m$, the master public key $mpk$, an identity $I \in \mathcal{I}$, and the offline ciphertext $c_{off}$, the algorithm picks $x \in \mathbb{Z}_N$ and encrypts the message by computing $c_0 = m \cdot c_5$ and $w_1 = w^{-1}(I - x) \bmod N$. Finally, it outputs the final ciphertext $c = (c_0, \vec{c}_1, c_2, c_3, c_4, w_1)$.
Dec($sk_I, c, mpk$): Parse the ciphertext $c$ as $(c_0, \vec{c}_1, c_2, c_3, c_4, w_1)$. The decryption algorithm computes the blinding factor $e(g_1, g_1)^{\alpha s}$ from $\vec{c}_1, c_2, c_3, c_4, w_1$ using the secret key $sk_I$ (the pairing computation is given in section ''Procedure of decryption''). Finally, the message is recovered as $m = c_0 / e(g_1, g_1)^{\alpha s}$, which proves the correctness of the decryption procedure.
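To make the online/offline split concrete, here is an added example (not code from the paper) that models only the identity-dependent terms $c_3$, $c_4$, $w$ and $w_1$ of Enc$_{off}$, Enc$_{on}$ and Dec, over a prime-order subgroup of $\mathbb{Z}_p^*$ instead of the paper's composite-order pairing group; the pairing-based blinding factor $e(g_1, g_1)^{\alpha s}$ and the vector $\vec{c}_1$ are left out. The toy parameters $p = 2039$, $q = 1019$, $g = 4$ and all function names are the example's own assumptions. The example keeps $x$ in the offline state, because the online step $w_1 = w^{-1}(I - x)$ has to use the same $x$ that went into $c_3 = (u_1^x h_1)^s$. The receiver's recombination $c_3 \cdot c_4^{w_1} = (u_1^I h_1)^s$ is exactly the step the paper's decryption performs inside the pairing $e(k_3, c_3 \cdot c_4^{w_1})$.

```python
# Added example (not from the paper): the online/offline split of the
# identity-dependent ciphertext term, over a prime-order subgroup of Z_p^*
# so that it runs without a pairing library.  Only c_3, c_4, w and w_1 of
# the paper's Enc_off / Enc_on / Dec are modelled.
import secrets

# Constructed toy parameters: p = 2q + 1 is a safe prime, so g = 4 (a square)
# generates the subgroup of Z_p^* of prime order q.  A real deployment uses
# the composite-order pairing group of the paper, not this group.
P = 2039
Q = 1019
G = 4


def _is_prime(n):
    """Trial-division primality check, adequate for the toy parameters."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


assert _is_prime(P) and _is_prime(Q) and P == 2 * Q + 1
assert pow(G, Q, P) == 1 and G != 1      # G has order exactly Q


def setup(rng=secrets.randbelow):
    """Public parameters (u, h) standing in for u_1, h_1 in the paper's mpk."""
    u = pow(G, 1 + rng(Q - 1), P)
    h = pow(G, 1 + rng(Q - 1), P)
    return {"u": u, "h": h}


def enc_off(mpk, rng=secrets.randbelow):
    """Offline phase: everything that needs neither the identity nor the message.

    Computes c_3 = (u^x h)^s and c_4 = u^{s w} for a random placeholder
    identity x and random s, w (exponents live in Z_q here).  x and s are
    kept in the offline state: the online phase needs x, and s is returned
    only so the correctness check below can compute the direct term.
    """
    x = rng(Q)
    s = 1 + rng(Q - 1)
    w = 1 + rng(Q - 1)                   # w must be invertible mod q
    c3 = pow(pow(mpk["u"], x, P) * mpk["h"] % P, s, P)
    c4 = pow(mpk["u"], s * w % Q, P)
    return {"c3": c3, "c4": c4, "w": w, "x": x, "s": s}


def enc_on(c_off, identity):
    """Online phase: one modular inversion and one multiplication in Z_q.

    w_1 = w^{-1} (I - x) mod q is the paper's w_1 with N replaced by q.
    No group exponentiation happens online.
    """
    w_inv = pow(c_off["w"], -1, Q)
    w1 = w_inv * ((identity - c_off["x"]) % Q) % Q
    return {"c3": c_off["c3"], "c4": c_off["c4"], "w1": w1}


def recombine(c):
    """Receiver side: c_3 * c_4^{w_1} = (u^x h)^s * u^{s(I - x)} = (u^I h)^s."""
    return c["c3"] * pow(c["c4"], c["w1"], P) % P


def direct_term(mpk, identity, s):
    """What an encryptor without the online/offline split computes: (u^I h)^s."""
    return pow(pow(mpk["u"], identity % Q, P) * mpk["h"] % P, s, P)


def check_correctness(mpk, identity, rng=secrets.randbelow):
    """True iff the online/offline recombination equals the direct term."""
    c_off = enc_off(mpk, rng)
    c = enc_on(c_off, identity)
    return recombine(c) == direct_term(mpk, identity, c_off["s"])


if __name__ == "__main__":
    params = setup()
    print(all(check_correctness(params, ident) for ident in (0, 1, 42, Q - 1)))
```

All group exponentiations sit in enc_off; the online step is the single $m_c(\mathbb{Z}_N)$-type operation that the performance comparison later counts for Enc$_{on}$. Because $x$ and $w$ are fixed by $c_{off}$, each offline ciphertext is consumed by exactly one online encryption.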

Continual leakage
To implement re-randomization, we give here the update algorithm for the secret keys.
UpdateSK($sk_I, I, mpk$): The update algorithm picks $n+1$ exponents $\langle r', z_1, \ldots, z_n \rangle \xleftarrow{\$} \mathbb{Z}_N^{n+1}$ and a random vector $\vec{r}' \xleftarrow{\$} \mathbb{Z}_N^{n+2}$. It outputs the new secret key $sk'_I$ as follows

Semi-functionality
All secret keys and ciphertexts generated by the above algorithms are normal, that is, they have no $G_2$ components. To obtain semi-functional keys and ciphertexts, we add a $G_2$ factor to the normal key and the normal ciphertext as follows.
KeygenSF($I, msk$): Let $sk_I$ be a normal secret key of user $I$ generated by the key extraction algorithm $\mathrm{Ext}(I, msk, mpk)$, and let $g_2$ be a generator of the group $G_2$. The algorithm picks random $\vec{u} \xleftarrow{\$} \mathbb{Z}_N^n$ and $u_{n+1}, u_{n+2} \in \mathbb{Z}_N$ and calculates the semi-functional secret key $sk_{semi}$.
EncryptSF($sk_I, I, mpk$): It first calls the online encryption algorithm $\mathrm{Enc}_{on}(m, mpk, I, \mathrm{Enc}_{off}(mpk))$ to obtain a normal ciphertext $c = (c_0, \vec{c}_1, c_2, c_3, c_4, w_1)$. Then it picks random $\vec{d} \xleftarrow{\$} \mathbb{Z}_N^n$ and $d_{n+1}, d'_{n+2}, d' \in \mathbb{Z}_N$ and calculates the semi-functional ciphertext $c_{semi} = (c_0, \vec{c}_1 \ast g_2^{\vec{d}}, \ldots)$. Here, we contract the $(n+2)$-th semi-functional coefficient as $d_{n+2} = d'_{n+2} + d'$.

Procedure of decryption
First, we contract the semi-functional parameters of the secret key and of the ciphertext into the two vectors $\vec{u}$ and $\vec{d}$, respectively. The algorithm $\mathrm{Dec}(sk_I, c, mpk)$ shows in detail how a normal ciphertext is decrypted with a normal secret key: it recovers $e(g_1, g_1)^{\alpha s}$ by computing $e(\vec{k}_1, \vec{c}_1) \cdot e(k_2, c_2) \cdot e(k_3, c_3 \cdot c_4^{w_1})$. Second, we elaborate on the derivation of the decryption procedure for the two types of secret keys and ciphertexts.
1. The normal secret key decrypts the semi-functional ciphertext as follows
2. The semi-functional secret key decrypts the normal ciphertext as follows
3. The semi-functional secret key decrypts the semi-functional ciphertext as follows
Here, we write $e(g_2, g_2)^{\vec{u} \cdot \vec{d}} \cdot e(g_2, g_2)^{u_{n+1} d_{n+1}} \cdot e(g_2, g_2)^{u_{n+2}(d'_{n+2} + d' w_1)} = e(g_2, g_2)^{\vec{u}_{n+2} \cdot \vec{d}_{n+2}}$, which implicitly uses $d_{n+2} = d'_{n+2} + d' w_1$. Through the above analysis, the pairing yields an additional factor $e(g_2, g_2)^{\vec{u}_{n+2} \cdot \vec{d}_{n+2}}$. That is, a semi-functional secret key for identity $I_k$ with parameter $\vec{u}$ is nominal relative to a semi-functional ciphertext for identity $I_c$ with parameter $\vec{d}$ if and only if $\vec{u} \cdot \vec{d} = 0 \bmod p_2$ for $I_k = I_c$.

Security proof and efficiency comparisons
Security proof
Theorem 1. If Assumptions 1, 2, and 3 hold in $G, G_T$, then the above proposal $P$ is $\ell_{SK}$-fully secure against key leakage attacks.
Proof. Each secret key $sk_I$ is an $(n+2)$-dimensional vector, where $n \geq 3$ is the parameter determining the leakage tolerance. Based on Lemma 1 in section ''Security theorem,'' we have the leakage parameter $\ell_{SK} = (n - 1 - 2c)\lambda$. To prove the theorem, we build a PPT simulator $\mathcal{B}$ that breaks Assumption 1, 2, or 3 with the help of a PPT adversary $\mathcal{A}$ that breaks the adaptive security of our proposal $P$. First, we consider the following sequence of hybrid games.
cLeak: This game is the original game as defined in section ''Security model.''
Leak$_i$: This game differs from cLeak as follows. First, the simulator returns a semi-functional ciphertext as the challenge ciphertext. Second, the first $i$ keys generated by Ext queries are semi-functional, for $i = 0, \ldots, q$. Note that in game Leak$_0$ the simulator returns normal secret keys for all key extraction queries and a semi-functional challenge ciphertext in the challenge phase, and in game Leak$_q$ the simulator returns semi-functional secret keys for all key queries.
Leak$_F$: The same as Leak$_q$, except that the simulator encrypts a random message to produce the challenge ciphertext.
By the following lemmas, we prove these games are indistinguishable.
Lemma 2. Suppose there exists a PPT algorithm $\mathcal{A}$ such that $\mathrm{Adv}^{cLeak}_{\mathcal{A}, P} - \mathrm{Adv}^{Leak_0}_{\mathcal{A}, P} \geq \epsilon$. Then we can build a PPT algorithm $\mathcal{B}$ with advantage at least $\epsilon/2$ in breaking Assumption 1.
Proof. The algorithm $\mathcal{B}$ fully simulates the encryption scheme $P$ as follows. $\mathcal{B}$ receives $D_1 = (N, G, G_T, e, g_1, g_3)$ and $T$, where $T = g_1^z$ or $T = g_1^z g_2^v$. Then $\mathcal{B}$ randomly chooses $\langle \alpha, b, a, x_1, \ldots, x_n \rangle \xleftarrow{\$} \mathbb{Z}_N^{n+3}$ and calculates $u_1 = g_1^a$, $h_1 = g_1^b$, $g_1^{x_1}, \ldots, g_1^{x_n}$, and $R_1 = e(g_1, g_1)^\alpha$ using the group element $g_1$ from Assumption 1. $\mathcal{B}$ sets $msk = \alpha$ as the master secret key and is able to provide both types of secret keys for all identities, so it can answer all key extraction queries and key leakage queries. Moreover, $\mathcal{B}$ can produce a normal ciphertext as well as a semi-functional one for any message in the challenge phase.
In both games, $\mathcal{B}$ always calculates normal secret keys for all identities as follows. $\mathcal{B}$ randomly chooses $\langle r, y_1, \ldots, y_n \rangle \xleftarrow{\$} \mathbb{Z}_N^{n+1}$ and a random vector $\vec{r} \xleftarrow{\$} \mathbb{Z}_N^{n+2}$, and creates the secret key of identity $I$ as $sk_I = (g_1^{y_1}, \ldots, g_1^{y_n}, g \ldots$
In the challenge phase, $\mathcal{B}$ gets two messages $m_0, m_1$ and the challenge identity $I^*$ from $\mathcal{A}$. Then it randomly chooses $b \in \{0, 1\}$ and $x, w \in \mathbb{Z}_N$ and creates the following challenge ciphertext using the challenge term $T$ from Assumption 1.
Phase 2: $\mathcal{B}$ works in the same way as in Phase 1.
If $T = g_1^z$, then $c^* = (m_b \cdot e(g_1, g_1)^{\alpha z}, (g_1^z)^{x_1}, \ldots, (g_1^z)^{x_n}, g_1^z, (g_1^z)^{ax+b}, (g_1^z)^{aw}, w_1^*)$, which has no $G_2$ components. Hence it is a normal ciphertext; in other words, $\mathcal{B}$ has properly simulated game cLeak. Because it set $u_1 = g_1^a$ and $h_1 = g_1^b$ at the beginning, it has $(g_1^z)^{ax+b} = (u_1^x h_1)^z$. If $T = g_1^z g_2^v$, the challenge ciphertext is generated as follows.
This implicitly sets $s = z$, and according to the decryption procedure we get the semi-functional parameter $\vec{d} = v\langle x_1, \ldots, x_n, (ax + b + aw) \rangle$; in this case $\mathcal{A}$ plays game Leak$_0$. Hence, if $\mathcal{B}$ answers $b = 0$ when $\mathcal{A}$ succeeds, it has an advantage in breaking Assumption 1. Thus, if Assumption 1 holds, the two successive games cLeak and Leak$_0$ are indistinguishable.
Lemma 3. Suppose there exists a PPT algorithm $\mathcal{A}$ such that $\mathrm{Adv}^{Leak_{i-1}}_{\mathcal{A}, P} - \mathrm{Adv}^{Leak_i}_{\mathcal{A}, P} \geq \epsilon$ for some $i \in \{1, \ldots, q\}$. Then we can build a PPT algorithm $\mathcal{B}$ with advantage at least $\epsilon/2$ in breaking Assumption 2.
Proof. $\mathcal{B}$ fully simulates the encryption scheme $P$ as follows. $\mathcal{B}$ receives $D_2 = (N, G, G_T, e, g_1, g_3, g_1^z g_2^v, g_2^u g_3^v)$ and $T$, where $T = g_1^w g_3^s$ or $T = g_1^w g_2^k g_3^s$. Then $\mathcal{B}$ constructs the public parameters and the secret parameters as in the proof of Lemma 2. At some point, the adversary $\mathcal{A}$ sends an identity $I$ to the simulator $\mathcal{B}$ as its $k$-th key query, and $\mathcal{B}$ simulates the secret key as follows.
If $k < i$, $\mathcal{B}$ generates a semi-functional secret key for identity $I$ as follows
If $k = i$, $\mathcal{B}$ simulates the challenge secret key for identity $I$ as $sk_I = (T^{y_1}, \ldots, T^{y_n}, g^{a} \ldots$
If $k > i$, $\mathcal{B}$ creates the secret key of identity $I$ as in the proof of Lemma 2.
In the challenge phase, $\mathcal{B}$ selects two distinct random messages $m_0, m_1$ of equal length and the challenge identity $I^*$, and sends the messages to $\mathcal{A}$. Then it randomly chooses $b \in \{0, 1\}$ and $x, w \in \mathbb{Z}_N$ and returns the challenge ciphertext as follows.
Here $w_1^* = w^{-1}(I^* - x) \bmod N$. This implicitly sets $s = z$ and $\vec{d} = v(x_1, \ldots, x_n, 1, aI^* + b)$. Hence, if $\mathcal{B}$ answers $b = 0$ when $\mathcal{A}$ succeeds, it has an advantage in breaking Assumption 2. Thus, if Assumption 2 holds, the successive games Leak$_{i-1}$ and Leak$_i$ are indistinguishable.
Lemma 4. Suppose there exists a PPT algorithm $\mathcal{A}$ such that $\mathrm{Adv}^{Leak_q}_{\mathcal{A}, P} - \mathrm{Adv}^{Leak_F}_{\mathcal{A}, P} \geq \epsilon$. Then we can build a PPT algorithm $\mathcal{B}$ with advantage at least $\epsilon/2$ in breaking Assumption 3.
Proof. $\mathcal{B}$ fully simulates the encryption scheme $P$ as follows. $\mathcal{B}$ receives $D_3 = (N, G, G_T, e, g_1, g_2, g_3, g_1^\alpha g_2^v, g_1^z g_2^u)$ and $T$, where $T = e(g_1, g_1)^{\alpha z}$ or $T \in G_T$ is random. The master public key $mpk$ and the master secret key $msk$ are set up as in the proof of Lemma 2. When $\mathcal{B}$ receives secret key queries, it constructs the semi-functional secret key as follows.
In the challenge phase, the challenge ciphertext is generated as follows.
Here the coefficient is $w_1^* = w^{-1}(I^* - x) \bmod N$. If $T = e(g_1, g_1)^{\alpha z}$, then this is a semi-functional ciphertext of the message $m_b$, because the semi-functional parameters are $s = z$ and $\vec{d} = \langle u x_1, \ldots, u x_n, u, u(aI^* + b) \rangle$, with implicitly $d_{n+2} = d'_{n+2} + d_{n+3} w_1$. It is easy to verify that the vector $\vec{d}$ is properly distributed, since all the terms $\langle x_1, \ldots, x_n, 1, (aI^* + b) \rangle$ are random modulo $p_2$.
Finally, in game Leak$_F$ the value of $b$ is information-theoretically hidden from the adversary $\mathcal{A}$, so $\mathcal{A}$ has no advantage in winning Leak$_F$. Hence, cLeak is indistinguishable from Leak$_F$ if Assumptions 1, 2, and 3 hold, and the adversary has negligible advantage in winning game cLeak. Lemmas 2, 3, and 4 together conclude the proof of Theorem 1.
Theorem 2. If Assumptions 1, 2, and 3 hold in $G, G_T$, our proposed scheme $P$ has continual leakage resilience in the standard model.
Proof. Continual leakage resilience follows from the algorithm UpdateSK given in section ''Continual leakage.'' UpdateSK takes as input the secret key $sk_I$, the identity $I$, and the master public key $mpk$ and outputs a new secret key $sk'_I$. The update algorithm picks $n+1$ values from $\mathbb{Z}_N$ and multiplies fresh $G_1$ and $G_3$ components into each of the $n+2$ components of the secret key $sk_I$ in turn. Hence, the generated secret key has the same distribution as the old one. As a result, we achieve continual leakage resilience by calling UpdateSK periodically.

Leakage resilience and performance analysis
In this section, we compare the proposed scheme with the existing IBOOE schemes in Table 2. The computation efficiency and the offline-storage cost are determined by the computation costs of the encryption algorithm, which consists of the two subroutines $\mathrm{Enc}_{off}(mpk)$ and $\mathrm{Enc}_{on}(m, mpk, I, c_{off})$. When evaluating computation efficiency, we omit minor factors such as hash functions and count only the dominant operations: exponentiations in $G_i$ or $G_T$, denoted E, and multi-exponentiations in $G_i$ or $G_T$, denoted ME. Modular computations in $\mathbb{Z}_p$ and $\mathbb{Z}_N$ are denoted by $m_c(\mathbb{Z}_p)$ and $m_c(\mathbb{Z}_N)$. Without loss of generality, we assume that one multi-exponentiation costs the same as two exponentiations in the group $G_i$ or $G_T$. Moreover, the sizes of elements of the groups $G_i$ and $G_T$ are denoted by $|G_i|$ and $|G_T|$, and the size of an element of $\mathbb{Z}_N$ is denoted by $n$. Furthermore, to avoid a large number of calculations in the online encryption phase, we move them to the offline encryption phase. In Table 2, LR and CLR denote the security notions of leakage resilience and continual leakage resilience, respectively. From Table 2, our proposal has the minimum computation in the $\mathrm{Enc}_{on}(\cdot, \cdot, \cdot, \cdot)$ algorithm and achieves leakage resilience, which suits WSNs, consisting of interconnected sensor nodes that communicate wirelessly to collect data about their surroundings. Even though its offline storage is larger than that of the other two traditional IBOOE schemes, Table 2 makes clear that our scheme resolves the problem of continual leakage resilience, which is obtained naturally using the techniques of dual system encryption.

Conclusion
In this article, we propose the first clr-IBOOE scheme, which is suitable for WSNs. Sensor nodes in a WSN have limited computation ability, and this also brings security challenges. To avoid continual key leakage attacks on the existing IBOOE schemes, we formalize the notion and the security model of clr-IBOOE. Furthermore, we propose the first clr-secure IBOOE scheme based on three static assumptions in composite order groups. To the best of our knowledge, this is the first IBOOE scheme resilient to continual key leakage. It achieves full security and continual leakage resilience against chosen plaintext attacks in the standard model. Compared with the schemes of Liu et al. 19 and Chu et al., 20 the performance analysis shows that the proposed scheme has low computation overhead in the online encryption phase, which suits WSNs with resource-limited sensor nodes. As a direction of future work, designing a secure IBOOE scheme resilient to master secret key leakage would be interesting.

Author note
The author Xingbing Fu is now affiliated to Guangxi Key Laboratory of Cryptography and Information Security.