A Lightweight and Provable Secured Certiﬁcateless Signcryption Approach for Crowdsourced IIoT Applications

: Industrial Internet of Things (IIoT) is a new type of Internet of Things (IoT), which enables sensors to merge with several smart devices to monitor machine status, environment


Introduction
Nowadays, the Internet of Things (IoT) is a growing technology, which not only enables conventional devices to communicate with each other, but also includes modern devices, e.g., sensors, mobile phones, smart camera, etc. Similarly, the merger of IoT with wireless sensor networks has increased the usage in our daily lives, for example, it is used in industrial automation, smart cities, smart transportation, smart homes, and health monitoring [1]. Among these, the Industrial Internet of Things (IIoT) is an emerging type of IoT, which provides smart factory systems for business and Symmetry 2019, 11, 1386 3 of 18 efficiency of the scheme based on 160-bit small keys, as compared to Bilinear pairing and RSA [23]. Still, the 160-bit key is not suitable and affordable for resource hungry IoT devices. A new type, the generalization of elliptic curve called hyper elliptic curve was proposed [24]. The hyper elliptic curve provides the same level security of elliptic curve, bilinear pairing, and RSA, using 80-bit key, identity and certificate size [25,26]. The hyper elliptic curve assumed to be a better choice for low power IoT devices.

Motivation and Contributions
Nowadays, IIoT is using the concept of crowdsourcing, which has become the hotest research topic in all over the world. On the other hand, cloud technology is most suitable for storing the huge data of the crowdsourced IIoT environment. Further, collecting data from IIoT devices through open channel needs secrecy and accessing data from cloud required authentication. Recently Karati et al. [8] proposed identity-based signcryption scheme for the crowdsourced IIoT applications. The proposed scheme efficiency and security is realized on a bilinear pairing. We investigate the following points in this paper.

•
The scheme is using the concept of identity-based cryptosystem which suffers from the key escrow problem; • Also, they used the mathematical concepts of bilinear pairing for the proposed scheme which needs huge computational power; • Because of bilinear pairing, the scheme needs high bandwidth; • The scheme does not fulfill the security property of resisting against a replay attack and forward secrecy; • They did not validate the security requirement of their proposed scheme by utilizing the formal security validation tools like AVISPA, Scyther, etc.
Also, Karati et al. [27], proposed another scheme by using the concept of certificateless signature for the applications of crowdsourced IIoT. We found the following limitations in this scheme.

•
The scheme has just provided the authentication of IIoT crowdsourced data; • Also, they used the mathematical concepts of bilinear pairing for the proposed scheme which needs high computational power; • Because of bilinear pairing, the scheme needs high bandwidth.

•
The scheme does not fulfill the security property of resisting against replay attack, confidentiality, and forward secrecy; • The authentication of the scheme is not validated through the formal security validation tools like AVISPA, Scyther, etc.
Moreover, we studied all the existing certificateless signcryption schemes. We found that these schemes are based on hard problems like elliptic curve, RSA, and bilinear pairing. Because of the heavy parameters and key sizes of these hard problems (elliptic curve, RSA, and bilinear pairing), the existing schemes are suffering from high computational cost and communication overhead. Also, all the existing certificatelesssigncryption schemes are not resisting against the replay attack and nor validated through the formal security validation tools like AVISPA, Scyther, etc. As we already discussed in the introduction section, the hyper elliptic curve is the new version of the elliptic curve which provides the same security level of elliptic curves, RSA, and bilinear pairing with low key size. So keeping in view the above discussion, to remove all the above limitations, we present a new scheme, called a lightweight and provable secured certificateless signcryption scheme for crowdsourced IIoT applications. We explain our contributions in the following steps.

•
We design certificatelesssigncryption for crowdsourced IIoT based on the hyper elliptic curve; • We remove the key escrow problem; • We will showthe results for proving the efficiency in term of computational cost and communication overhead; • Our scheme will provide security services such as confidentiality, anti-replay attack, integrity, authentication, sender authentication, message authentication, and unforgeability, respectively; • We will validate our scheme security services through a well-known simulation tool AVISPA with the help of HLPSL language.

Outlines of Paper
The paper is organized such that Section 1 provides the introduction; Section 2 presents a comprehensive literature review; Section 3 provides the basic preliminaries of the hyper elliptic curve, and the basic notations used in the scheme; Section 4 shows the detail about the proposed model; Section 5 elaborates the generic model for certificatelesssigncryption; Section 6 provides the practical construction of the proposed scheme; Section 7 exhibits the correctness of the new scheme; Section 8 includes the detail discussion about the security properties of the new scheme; Section 9 discusses the computational cost; Section 10 illustrates the communication overhead details; Section 11 provides the final conclusion; and at the end, AVISPA code and simulation results are provided in the Appendix A.

Related Work
In modern communication systems, information security plays a vital role to secure critical data/information because people communicate through the public network. To secure critical data/information required to be hidden from illegal access (confidentiality), knowing about the message originator (authentication), protection from modification (integrity), and availability for a legal user when he/she requires [28]. Therefore, confidentiality can be ensured through encryption procedures, while the integrity and authenticity can be assured by using digital signature methods. In the old days before sending documents, the sender had to first sign the document and then encrypt it which is called the signature then encryption mechanism. But this method has some limitations such as it requires more machine cycles and more energy which affect the efficiency of the system.
To improve such deficiencies, Zheng [9] tossed a new scheme called signcryption that fulfills the task of signature and encryption in one step. The scheme is based on the public key infrastructure (PKI) and suffered from the deficiencies, for example, certificate distribution, storage, and manufacturing difficulties. Hence, to remove such deficiencies, Malone Lee [15] coined a new topic, by combining the capabilities of the identity-based signature and identity-based encryption into a single step, called identity-based signcryption. After the first identity-based signcryption scheme, a number of identity-based signcryption schemes were introduced in [29][30][31][32][33][34][35]. Hence, identity-based signcryption schemes are suffering from the key escrow problem.
Then, to avoid the escrow problem of the key, a certificateless signcryption was tossed by Barbosa and Farshim [17], which simultaneously fulfills the property of certificateless encryption and signature in a single step. After this scheme, another certificateless signcryption scheme [36] was contributed, but this scheme was based on the random oracle model. Hence, the random oracle model was not supposed to be used in a practical manner, therefore, to remove this shortcoming, the pioneer standard model-based certificateless signcryption was proposed by Liu et al. [37] in 2010. The limitation of this scheme is that Selvi etal. [38] show in their paper, this scheme cannot resist against a public key replacement attack. In the same year, by using the one-time Schnorr-based signature to the user's public key, Jin et al. [39] give the improved version of the scheme proposed in [38]. After a year, in the Liu et al. scheme [40], Weng et al. [41] point out that the two malicious-but-passive KGCs attack. These attacks were managed in the improved scheme [40]. Also, in 2013, Miao et al. [42] pointed out the scheme [39] suffered from two types of public key replacement attacks. The attack one is same as [38] attack, the other one is a new kind of attack. After some time, there are two standard model-based certificateless signcryption schemes proposed by Xiong [43] and Cheng et al. [44], and up till now there are no flaws reported in these two schemes. In 2016, Abdul Wahida and Masahiro Mamb [45] contributed an elliptic curve-based certificateless signcryption and gave the implementations in Javascript. They gave comparisons with respect to computational and communication costs of the proposed and some existing schemes. They claimed from their comparisons that the newly presented scheme is better than existing schemes. A new standard model-based certificateless signcryption scheme was projected by Caixue et al [46]. They proved their scheme security requirements using the hard problem; a modified decisional bilinear Diffie-Hellman problem and unforgeability security requirement by assuming through a square computational Diffie-Hellman problem. Parvin Rastegari and Mehdi Berenjkoub [47] proposed another scheme called efficient certificatelesssigncryption based on the standard model. Their analysis shows that the presented scheme is more secure and efficient as compared to all the random oracle model-based certificatelesssigncryption schemes existing in the literature. In 2017, Yu And Yang [48] designed and analyzed a new certificateless signcryption scheme without bilinear pairing. The scheme security requirements are proven through the random oracle model. In addition, they claimed, the newly presented algorithm is more attractive for applications like an email system, online auction, and private contractual signature. Xi-Jun et al. [49] present the cryptanalysis of a pairing-free certificateless signcryption scheme [48]. They pointed out that their scheme could be totally broken since confidentiality and unforgeability are not captured. Zhou [50] proposed a new certificateless signcryption approach without using the concept of the random oracle model. The scheme security hardiness is based on bilinear pairing and security proofs realized on the standard model. Liling and Wancheng [51] proposed a new certificateless signcryption based on the efficiency and the hardiness of the elliptic curve cryptosystem. They claimed that the newly designed scheme is secured and needs a low computational cost due to elliptic curve low parameter and key size. Luo and Ma [52], proposed a certificatelesshybrid signcryption for to provide the best solutions forcloud storage.

Preliminary
The concept of the hyper elliptic curve was first introduced by N. Koblitz [53], which is the generalized form of elliptic curve [54]. Unlike the elliptic curve point, the points of the hyper elliptic curvecannot be derived from a group, it computes the additive Abelian group which is derived from the divisor. In contrast with elliptic curves, the hyper elliptic curve has acceptable constancy with a small base field size. According to the lower size of parameters, with the same security level of elliptic curves and RSA, the hyper elliptic curve is attractive in fewer hardware resource devices [55]. Let f be the ultimate field and suppose f * is to be the algebraic closure of ultimate field f. Then the hyper elliptic curve H E of genus G where G > 1 over the ultimate field f which can be defined as H E : is a polynomial and the degree of this is at most G and F(α) ∈ f (α)is the monic polynomial and have degree is 2G + 1. The divisor of the hyper elliptic curve is the pair of polynomials and can be represented by using the Mumford [56]. The most important factor of every cryptographic system is the discrete logarithm problem in some Abelian group. Suppose there is a randomly selected number from the Abelian group and computing .D = D + D + D + . . . . . . . . . + D is scalar multiplication of divisors. And it is said to be a hyper elliptic curve discrete logarithm problem because finding the random number from .D = D + D + D + . . . . . . . . . + D is infeasible. Also, the Table 1 shows the symbols/notations used in the algorithm.

Proposed Model
Here, in Figure 1, we present our proposed model consisting of four entities calledthe network manager (NMR), crowdsourced IIoT, cloud server, and receiver, respectively. Note that, the NMR acts like a key generation center in the certificateless public key cryptosystem. When the process began, the crowdsourced IIoT and receiver gave their identities to the NMR and the NMR generates the partial private keys for both on the behalf of their identities. Further, the NMR is responsible for generating all the public parameters, the master secret, and public key and publishing the public parameters and master public key publicly. The crowdsourced IIoT is responsible for generating the certificateless signcryptionin IIoT plaintext, by using his private key and shared secret key and then sending this signcrypted text to the cloud. A cloud server is responsible for storing and processing of IIoT data for the users if required. If the receiver required the crowedsourced IIoT data, then it is obligatory for him to request first to the cloud for the signcrypted text. Then, the cloud gives this signcrypted text to the receiver, and the receiver performs the unsigncryption process by using his private key and the shared secret key. Means signcryption tuple

Proposed Model
Here, in Figure1, we present our proposed model consisting of four entities calledthe network manager (NMR), crowdsourced IIoT, cloud server, and receiver, respectively. Note that, the NMR acts like a key generation center in the certificateless public key cryptosystem. When the process began, the crowdsourced IIoT and receiver gave their identities to the NMR and the NMR generates the partial private keys for both on the behalf of their identities. Further, the NMR is responsible for generating all the public parameters, the master secret, and public key and publishing the public parameters and master public key publicly. The crowdsourced IIoT is responsible for generating the certificateless signcryptionin IIoT plaintext, by using his private key and shared secret key and then sending this signcrypted text to the cloud. A cloud server is responsible for storing and processing of IIoT data for the users if required. If the receiver required the crowedsourced IIoT data, then it is obligatory for him to request first to the cloud for the signcrypted text. Then, the cloud gives this signcrypted text to the receiver, and the receiver performs the unsigncryption process by using his private key and the shared secret key.

Setup (STP)
This algorithm is executed by the network manager (NMR) which plays the role of key generation center, further, the NMR selects all the public parameters param (f *, f, HE, , α, β), master secret key mβ and master public key mσ. After selecting and generating the public parameters and keys, NMR will publish the master public key mσ and public parameters param (f *, f, HE, , α, β) publicly and keep secret the master secret key mβ.

User Key Generation (UKG)
This algorithm is run by each user with identity ID for selecting the secret value X and computing a public key Y .

Set Partial Private Key (SPPK)
The NMR executed this algorithm, by taking each user's identity ID to produce a partial private key for every participant (Lu, δu). Later on, by using the safe channel NMR sends the partial private key = (Lu, δu) to each user.

Set Private Key (SPK)
This algorithm is executed by each user by taking input the received partial private key (Lu, δu) and identity ID of each user to produce the private key (X , δu) for each participant.

CertificatelessSigncryption (CLSN)
This algorithm is usually run by the IIoT data owner. It takes the private key pair Ps = (Xs, δs) of Cl-Signrypter (CLSR)/ data owner, the identity IDs of CLSR and identity IDr of Cl-Un-Signcrypter (CLUR)/ data consumer, a plain text m, and the public key of CLUR Yr to produce the signcryption tuple Ω = (C, S, H, Z).

CL-Unsigncryption (CLUS)
This algorithm is executed by the data consumer after getting the signcryption tuple Ω = (C, S, H) from the data owner side. It takes input the signcryption tuple Ω = (C, S, H, Z), the private key pair Pr = (Xr, δr) and public key Yr of CLUR, the identity of CLUR IDr and IDs CLSR, and the public key Ys of CLSR for verification of signature and decryption of encrypted text

Proposed CertificatelessSigncryption
In this phase, we practically construct the certificateless signcryption for crowdsourced IIoT. The following steps explain the construction of our new scheme.

SPK
In this phase, each user with identity IDu, after getting the partial private key from the NMR produces the private key P = (X , δu).

CLSN
In this phase, the CLSR takes his own private key pair Ps = (Xs, δs), its own identity IDs, massage m, and the public key Yr and identity IDr of CLUR is an input and computes the signcryption tuple Ω = (C, S, H, Z), after then, transmits it to the CL-Un-Signcrypter by using the insecure channel.

Correctness
The CLUR can recover the secret key easily if the following computations are successfully holding.

Security Analysis
This phase presents the security analysis of our designed approach. Our design scheme ensures the security requirements such as confidentiality, the resistance against replay attack, integrity, authenticity, and unforgeability.

Confidentiality
Our method ensures the requirements of confidentiality. In our method, if the intruder wants to steal the original contents of a message, then he must know about the secret key K. Thus, for knowing the secret key intruder must perform the following steps: Step 1: Intruder easily gets the secret key K, if an intruder computes the Equation (1). For this, Intruder must need the secret random number Y from the Equation (2). Hence, getting V from the Equation (2), it is infeasible for the intruder and an equivalent is like solving the hyper elliptic curve discrete logarithm problem.
Step 2: Intruder also gets easily the secret key K by computing Equation (3). Hence, computing Equation (3) intruder requires the private keys < xr, δr > of CLSR from the Equations (4), (5) and (6). For this intruder must solve two hyper elliptic curve discrete logarithm problems which are infeasible.

Replay Attack
Our method resists against the security service of reply attack. In our scheme, if intruder wants to send the past messages to the CLUR, intruder generates and sends a tuple like Ω = (C, S, H,) with fresh Nc to CLUR. Therefore, later the CLUR checks the validity of nonce Nc, if the nonce is fresh then the message is from the original sender otherwise not.

Integrity
Our designed mechanism enables the CLUR to verify that the ciphertext was modified or not at the time communication by using the Equation (7). If the intruder changes the ciphertext C to C/, then the received plain text must be changed from to /. Thus, our designed method meets the security service of integrity because the generated digital signature of is not the same as the digital signature of /.

Authentication
In this section, we discuss two types of authentication, the first one is sender authentication and the second one is the message authentication.
(1) Sender Authentication Our designed method meets the sender authentication security requirement. In our mechanism, the CLUR used the public key pair (Ls, Ys) and identity IDs of CLSR for verifying the originator of the message. The CLSR generates the digital signature by using their private key pair (Xs, δs). Thus, our designed method granted the security requirement of sender authentication.
(2) Message Authentication In our scheme, before the delivery of the message to the CLUR, the CLSR generates a digital signature on it like S = Xs + H.(Y + δs); by using the private key pair (Xs, δs) of CLSR. The CLUR can verify the message by using the received signature S, if the Equation (7) is held; it means that the message is coming from authentic CLSR.

Unforgeability
In our proposed mechanism, if the intruder tries to generate a valid signature, then he/she should first compute the Equation (8). For this, the intruder needs the private key pair (Xs, δs) of the CLSR. Therefore, to know about the private keys; an intruder should first compute the Equation (9) and (10). For Equation (9) Intruder has to solve the hyper elliptic curve discrete problem which is infeasible, while for (10) intruder needs the random rs from the Equation (11) which also leads to infeasibility. Hence our designed technique ensures the security service of unforgeability.

Computational Cost
In this section we compare our approach with recently contributed certificateless signature for IIoT AIK [27], an identity-based signcryption scheme for IIoT ASGMPM [8], and the certificatelesssigncryption schemes such as PM [47], HB [48], ZC [50], LW [51], and LM [52] with respect to computational cost. We consider the major operations, for example, bilinear pairing operation (BP), exponential (EX), elliptic curve point multiplication (EM), and hyper elliptic curve divisor multiplication (HDM) in proposed scheme and those of ASGMPM [8], AIK [27], PM [47], HB [48], ZC [50], LW [51], and LM [52] for computational cost comparisons. Table 2 shows the consuming major operations of the proposed scheme and the existing schemes. We also provide comparisons of computational cost with respect to milliseconds (ms). For this purpose, we use the results of schemes [21,26] which shows the computational time in milliseconds of different cryptographic operations such as single BP consumes 14.31 ms, EX consumes 1.25 ms, EM consumes 0.97 ms, and HDM consumes 0.48 ms, respectively. For this experiment, the authors of the schemes [21,26], used the hardware resources, for example, 8 GB RAM, Intel Core i74510UCPU, and 2.0GHz processor. The software resources like window 7 and C++ with Multi-Precision Integer and Rational Arithmetic C Library (MIRACL). Further, Table 3 shows more clear comparisons shown in milliseconds (ms). Additionally, we use the reduction formula [57], for the reduction of the computational cost of the proposed and those of ASGMPM [8], AIK [27], PM [47], HB [48], ZC [50], LW [51], and LM [52], respectively. So for the reduction, we use the values of Table 3 and the following steps represent the clear reduction:

Communication Overhead
Communication overhead means that how many extra bits will be sent along with the actual message. Bandwidth is an important part of the data communication channels. If the scheme needs fewer bits along with the message at the time of sending, it means the channel required low bandwidth. Here, we compare our proposed scheme with those ASGMPM [8], AIK [27], PM [47], HB [48], ZC [50], LW [51], and LM [52], with respect to communication overheads and shows that our scheme needs very little communication overhead. Our results based on [57,58], in which |G1| respectively. So for the reduction, we use the values of

Communication Overhead
Communication overhead means that how many extra bits will be sent along with message. Bandwidth is an important part of the data communication channels. If the sch fewer bits along with the message at the time of sending, it means the channel req bandwidth. Here, we compare our proposed scheme with those ASGMPM [8], AIK [27], P [48], ZC [50], LW [51], and LM [52], with respect to communication overheads and show scheme needs very little communication overhead. Our results based on [57,58], in whi |G2| ≌ |G| ≌ 1024bits for bilinear pairing, |P| ≌ 1024 bits for the discrete logarithm prob |G2| respectively. So for the reduction, we use the values of

Communication Overhead
Communication overhead means that how many extra bits will be sent alon message. Bandwidth is an important part of the data communication channels. If fewer bits along with the message at the time of sending, it means the chan bandwidth. Here, we compare our proposed scheme with those ASGMPM [8], AIK [48], ZC [50], LW [51], and LM [52], with respect to communication overheads an scheme needs very little communication overhead. Our results based on [57,58], |G2| ≌ |G| ≌ 1024bits for bilinear pairing, |P| ≌ 1024 bits for the discrete logarith |G| respectively. So for the reduction, we use the values of

Communication Overhead
Communication overhead means that how many extra bits will be sen message. Bandwidth is an important part of the data communication chann fewer bits along with the message at the time of sending, it means the bandwidth. Here, we compare our proposed scheme with those ASGMPM [8 [48], ZC [50], LW [51], and LM [52], with respect to communication overhea scheme needs very little communication overhead. Our results based on [5 |G2| ≌ |G| ≌ 1024bits for bilinear pairing, |P| ≌ 1024 bits for the discrete lo 1024 bits for bilinear pairing, |P| d and those of ASGMPM [8], AIK [27], PM [47], HB [48], ZC [50], LW [51], and LM [52], vely. So for the reduction, we use the values of Table 3    munication Overhead mmunication overhead means that how many extra bits will be sent along with the actual e. Bandwidth is an important part of the data communication channels. If the scheme needs its along with the message at the time of sending, it means the channel required low dth. Here, we compare our proposed scheme with those ASGMPM [8], AIK [27], PM [47], HB [50], LW [51], and LM [52], with respect to communication overheads and shows that our needs very little communication overhead. Our results based on [57,58], in which |G1| ≌ |G| ≌ 1024bits for bilinear pairing, |P| ≌ 1024 bits for the discrete logarithm problem, |q|≌ 1024 bits for the discrete logarithm problem, |q| proposed and those of ASGMPM [8], AIK [27], PM [47], HB [48], ZC [50], LW [51], and L respectively. So for the reduction, we use the values of Table 3 and the following steps repre clear reduction: •

Communication Overhead
Communication overhead means that how many extra bits will be sent along with th message. Bandwidth is an important part of the data communication channels. If the schem fewer bits along with the message at the time of sending, it means the channel requir bandwidth. Here, we compare our proposed scheme with those ASGMPM [8], AIK [27], PM [ [48], ZC [50], LW [51], and LM [52], with respect to communication overheads and shows t scheme needs very little communication overhead. Our results based on [57,58], in which |G2| ≌ |G| ≌ 1024bits for bilinear pairing, |P| ≌ 1024 bits for the discrete logarithm problem 160 bits for elliptic curve, |n| MPM [8], AIK [27], PM [47], HB [48], ZC [50], LW [51], and LM [52], ction, we use the values of

Conclusions
This paper contributes, a lightweight and provable secured certificatelesssigncryption approach for the crowdsourced IIoT applications. The efficiency and security hardiness of the proposed approach is based on the hyper elliptic curve cryptography. The security requirements of the proposed approach are validated through the most famous tool, automated validation of Internet security protocols and applications (AVISPA). The proposed approach ensures the security services of resistance against replay attack, confidentiality, integrity, authentication (of sender and message), non-repudiation and unforgeability. Furthermore, our designed approach has reduced in computational cost from 71.13% to 97% and in communication overhead from 5.95% to 82.36%, compared to the existing approaches. Due to the cost efficiency and enhanced security, our approach is more attractive for low power devices of IIoT.

Future Work
In the future, we are planning to conduct a practical test to measure performance.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A Implementation and Validation
Here, in this phase, we are going to implement and validate the security requirement of our approach practically by using the most popular simulation tool AVISPA [59]. So, the AVISPA is a well-known automatic tool, which works under two validation state, namely, SAFE if the cryptographic scheme resists against man-in-the-middle attack and UNSAFE if the scheme cannot resist against man-in-the-middle attack. Here, in Figure A1, we show the basic structure of AVISPA tool. For specifying the cryptographic scheme, AVISPA used a well-known role oriented language, named HLPSL (high-level protocol specification language). To provide an interface to the user, AVISPA merged with SPAN. Therefore, to check whether the cryptographic scheme is either SAFE or UNSAFE, the user first converts the pseudo-code of the proposed algorithm to the HLPSL source code. After, that HLPSL2IF translator, translate the HLPSL code into the intermediate format (IF). The HLPSL2IF translator checks the scheme security under the four backend checkers named, On-the-fly-Model-Checker (OF-MC), CL-based Attack Searcher (CL-AtSe), SAT-based Model-Checker (SATMC), and Tree-Automata-based Protocol Analyzer (TA4SP), respectively. According to the user requirements, each backend has its own functionality as discussed in [60,61]. According to [57], HLPSL2IF check the protocol security keeping in view the initial knowledge under these backends.
So, we provide the HLPSL code for our proposed scheme, including three main roles named, CLSN, CLUS, the session, the environment, and goals, respectively. We did this experiment by using the hardware resources, for example, Haier Win8.1 PC, Inter (R) Core (TM) i3-4010U CPU @ 1.70 GHz, supporting 64-bit operating system, x64-based processor. Also, the software resources such as Oracle VM Virtual Box (version: 5.2.0.118431) and SPAN (version: SPAN-Ubuntu-10.10-light_1). In Table A1, we provide the HLPSL code for CLSN, in which the role_Clsn represents CLSR, Ys:public_key means the public key Ys of CLSR, Yr:public_key represents the public key  Table A2, we illustrate the HLPSL code for CLUS. In this code, {Nc'}_Yr means encryption of nonce through the public key Yr of CLUR and RCV(Clsn.{En(M')}_K'.{H'.Y'}_inv(Ys)) means the received signcrypted tuple Ω = (C, S, H, Z). In Tables A3 and A4, we show the code for a session and environment role. For the intruder, the AVISPA used a special identifier (i).We test the Code of our approach under the functionality of two backends of AVISPA tool, called ASTE and OFMC.       In Figure A2, we provide the simulation result of our proposed scheme under the functionality of the OFMC back-end of the AVISPA tool, which is safe. The OFMC accomplishes schemes misrepresentation and restricted authorization by investigating the change framework portrayed by an IF detail in an interest-driven manner. OFMC actualizes various right and complete representative methods. It strengthens the detail of mathematical properties of cryptographic properties and composed and un-typed scheme models. Also in Figure A3, we offer the simulation result of our proposed scheme under the functionality of the ATSE back-end of AVISPA tool, which is safe. CL-AtSe works in a measured manner and is available to augmentations for taking care of the mathematical properties of cryptographic operators. It supports type-imperfection discovery and handles associativity of message concatenation. Also in Figure A3, we offer the simulation result of our proposed scheme under the functionality of the ATSE back-end of AVISPA tool, which is safe. CL-AtSe works in a measured manner and is available to augmentations for taking care of the mathematical properties of cryptographic operators. It supports type-imperfection discovery and handles associativity of message concatenation. Also in Figure A3, we offer the simulation result of our proposed scheme under the functionality of the ATSE back-end of AVISPA tool, which is safe. CL-AtSe works in a measured manner and is available to augmentations for taking care of the mathematical properties of cryptographic operators. It supports type-imperfection discovery and handles associativity of message concatenation.