A Conditional Privacy Preserving Generalized Ring Signcryption Scheme for Micro Aerial Vehicles

Abstract

Micro Aerial Vehicles (MAVs) are a type of UAV that are both small and fully autonomous, making them ideal for both civilian and military applications. Modern MAVs can hover and navigate while carrying several sensors, operate over long distances, and send data to a portable base station. Despite their many benefits, MAVs often encounter obstacles due to limitations in the embedded system (such as memory, processing power, energy, etc.). Due to these obstacles and the use of open wireless communication channels, MAVs are vulnerable to a variety of cyber-physical attacks. Consequently, MAVs cannot execute complex cryptographic algorithms due to their limited computing power. In light of these considerations, this article proposes a conditional privacy-preserving generalized ring signcryption scheme for MAVs using an identity-based cryptosystem. Elliptic Curve Cryptography (ECC), with a key size of 160 bits, is used in the proposed scheme. The proposed scheme’s security robustness has been analyzed using the Random Oracle Model (ROM), a formal security evaluation method. The proposed scheme is also compared in terms of computation cost, communication cost and memory overhead against relevant existing schemes. The total computation cost of the proposed scheme is 7.76 ms, which is 8.14%, 5.20%, and 11.40% schemes. The results show that the proposed scheme is both efficient and secure, proving its viability.

1. Introduction

Micro Aerial Vehicles (MAVs) are getting a lot of attention from research organizations and businesses around the world [1]. These flying machines have proven their worth in situations where humans cannot reach or work efficiently, such as last-minute package delivery during rush hours or base searches in inaccessible areas of the battlefield. Compared to conventional methods, MAVs can significantly lower the risk to human life, increase the system’s efficiency, and shorten the time of operations. The broad capabilities of MAVs range from surveillance MAVs with fixed wings to advanced MAVs capable of hovering, navigation, carrying several sensors, and carrying out their missions up to several kilometers in range [2]. MAVs can transmit data to a portable base station and can exchange data with one another. A general architecture of MAVs network is depicted in Figure 1. Despite these benefits, MAVs are not suitable for real-time or processor-intensive applications because to their limited memory and processing power [3].

Apart from the aforementioned constraints, the security measures to fight against cyber-attacks are rarely considered during the design of MAVs [4]. The security and privacy of the network could be severely compromised due to this vulnerability, which would have a devastating effect on data transmission and storage. There are a variety of ways a malicious attacker can compromise the MAVs system. The malicious attacker can, for instance, send several reservation requests, eavesdrop on control messages, or fake data. Wi-Fi-connected MAVs are more vulnerable to cyber-attacks than cellular-connected ones because of their less-reliable connections and weaker security measures [5]. Tracking MAV locations, tampering with onboard hardware, illegal data access, message modification, and fabrication are examples of common privacy and security concerns across the MAV system [6,7]. A major security concern that compromises the privacy of MAVs is a Global Positioning System (GPS) spoofing attack [8,9,10], in which an attacker exploits GPS signals. In this method, an adversary sends an MAV slightly stronger GPS signals in order to deviate it from its original mission. Therefore, given their extensive usage in current military and commercial applications, there is an urgent need for enhanced security measures for MAVs.

Authentication and confidentiality are two of the most important aspects of any security protocol design for ensuring secure communication, and the same is applicable for MAVs security. Encryption and digital signatures provide solutions for confidentiality and authenticity respectively. When both attributes are required simultaneously and in a single logical step for devices with limited resources, such as MAVs, signcryption [11] is preferred. In addition, generalized signcryption is an extension of the signcryption scheme that not only offers encryption and digital signature simultaneously, but also has the option to offer both independently, if desired. Such a characteristic is useful if one of the two essential characteristics, confidentiality or authenticity, is desired [12]. Generalized signcryption can be used in ring configurations, known as ring signcryption, which offers advantageous characteristics such as anonymity, spontaneity, flexibility, and equal membership [13]. A conditional privacy preserving property can be implemented in addition to generalized ring signcryption to guarantee recipient and sender identify anonymity. In this approach, each entity encrypts their real identity using a common secret key between entity and PKG in the key generation process rather than using the real identities of sender and receiver. PKG must first locate the secret key and real identity after obtaining the encrypted identity. The encrypted identities of each user for signcryption and unsigncryption are then published by PKG.

Zhou et al. [14] proposed a concrete scheme for generalized ring signcryption in an identity-based framework. The proposed technique is based on bilinear pairing, and a random oracle model (ROM) is used for the security analysis. Due to the fact that the scheme [14] is based on bilinear pairing, which involves computationally expensive cryptographic operations, it is not suited for resource-constrained devices with low processing capabilities, such as MAVs, to conduct such operations. In addition, the proposed scheme lacks conditional privacy-preserving characteristics. Caixue Zhou [15] proposed a certificate-based generalized ring signcryption method and a concrete methodology employing bilinear pairings for certificate-based cryptosystems. Using the ROM, the security hardness of the proposed system is evaluated. Again, this scheme [15] is not suitable for MAVs due to the high computation cost of bilinear pairing and the absence of conditional privacy-preserving attribute.

M. Luo and Y. Zhou [16] introduced an efficient conditional privacy-preserving authentication protocol based on generalized ring signcryption scheme. Generalized ring signcryption is proposed in this protocol to provide ring signature mode and ring signcryption mode inside a single algorithm in order to meet the diverse security needs of complicated application scenarios. A practical public verification technique is meant to make tracking results verifiable and more trustworthy. In addition, the protocol accomplishes secrecy, immutability, and Known Session-Specific Temporary Information Security (KSSTIS). However, the proposed protocol involves bilinear pairing-based multiplication, modular exponentials, and bilinear pairing in the combined ring signature and signcryption method, which is incompatible for MAVs. Khan et al. [17] presented an identity-based generalized signcryption with multi-access edge computing option to protect Flying Ad hoc Networks (FANETs). However, neither conditional privacy preservation nor ring signcryption are supported by the proposed scheme. Consequently, this scheme [17] does not ensure anonymity. Din et al. [18] presented an improved identity-based generalized signcryption scheme for secure multi-access edge computing-enabled FANETs. The proposed scheme supports neither conditional privacy preservation nor ring signcryption. Therefore, this approach [18] does not guarantee anonymity.

With the aforementioned facts and favorable features in mind, we provide a conditional privacy-preserving generalized ring signcryption scheme for MAVs in this work. Moreover, the proposed scheme is based on an Identity-based public key cryptosystem, which uses the user’s name, IP address, etc. as his/her public key, hence eliminating the requirement for a public key certificate. Then, a trusted third party known as the PKG produces all users’ private keys, which introduces a new issue known as the private key escrow problem. However, it is still quite beneficial in situations when the PKG is completely trusted. The following are the main contributions of the proposed scheme that distinguish it from existing schemes.

• We propose a conditional privacy-preserving generalized ring signcryption scheme for MAVs using the ECC operation.
• The proposed scheme is conditional privacy-preserving, meaning each entity encrypts its real identity using a common secret key between entity and PKG in the key generation process.
• The proposed scheme enables encryption and digital signature simultaneously as well as independently using generalized signcryption. In ring configurations mode, this scheme guarantees anonymity, spontaneity, flexibility, and equal membership.
• We conducted a formal security study using the Random Oracle Model (ROM) and found that the proposed scheme is secure against a wide range of cyber-attacks.
• Finally, the proposed scheme’s efficiency is compared to its counterparts, validating its low computation cost, communication cost and memory overhead.

The structure of the article is as follows: Section 2 provides preliminary information, the network model, and the syntax of the proposed scheme. In contrast, Section 3 includes a security analysis of the proposed scheme. In Section 4, performance analysis is discussed. The conclusion is contained in Section 5.

2. Preliminaries, Network Model and Syntax of the Proposed Scheme

This section includes preliminaries (elliptic curve cryptography, the elliptic curve decisional Diffie–Hellman problem, the elliptic curve discrete logarithm problem), syntax of the proposed scheme, network model and notations for the proposed scheme as shown in

Table 1. Notation table.

S. No	Notation	Descriptions
1	GCN	Ground core network
2	PKG	Private key generator
3	$\mathrm{Ж}$	Public parameter param
4	${\mathrm{Ц}}_1$,${\mathrm{Ц}}_2,{\mathrm{Ц}}_3$	Irreversible and collision resistant hash functions
5	${\delta }_{GCN}$	Master secret key of ground core network
6	${\delta }_{GCN}$	Master public key of ground core network
7	$\xi$	Generator of group $G_{ECC}$
8	$G_{ECC}$	Finite cyclic group on the elliptic curve $E_{ECC}$
9	$E_{ECC}$	The elliptic curve defined on $V^2=U^3+sU+t$
10	$EI{d}_{MAV}$	Encrypted identity of $MAV$
11	$MAV$	It represents a Micro Aerial Vehicle ($MAV$)
12	$EI{d}_X$	Encrypted identity of everything ($X$)
13	$I{d}_{MAV}$	Real identity of $MAV$
14	$I{d}_X$	Real identity of everything ($X$)
15	$f_q$	Finite field on the elliptic curve $E_{ECC}$ of order $q$
16	${\Phi }_{MAV}$	Private key of $MAV$
17	${\Phi }_X$	Private key of everything ($X$)
18	${\lambda }_X$	Public key of everything ($X$)
19	${\lambda }_{MAV}$	Public key of $MAV$
20	$\mathsf{\Delta }$	Identities of ring group $\{EI{d}_{MAV 1}$, $EI{d}_{\mathit{MAV} 2},EI{d}_{\mathit{MAV} 3},\dots \dots ,EI{d}_{\mathit{MAV}n}\}$
21	${\gamma }_{MAV}$	Encryption and decryption key for real identity of $MAV$
22	${\gamma }_X$	Encryption and decryption key for real identity of everything ($X$)
23	$\Psi$	Encryption and decryption key for message $MAV$ and everything ($X$)
24	$\oplus$	Used for Encryption and decryption

.

2.1. Preliminaries

2.1.1. Elliptic Curve Cryptography (ECC)

Suppose ${\mathrm{G}}_{ECC}$ is a finite cyclic group on the elliptic curve ($E_{ECC}$), $f_q$ is the finite field of $E_{ECC}$ with prime order $q$, let $q>3$, and $\xi$ is the generator of group ${\mathrm{G}}_{ECC}$; the elliptic can be defined as follows: $V^2=U^3+sU+t$ on $f_q$. Suppose $\left(U,V\right)\in f_q$ × $f_q$ based on the point, which is called infinity point on elliptic curve $\left(\mathrm{Ô}\right)$ and congruence $V^2$ ≡ $U^3+sU+tmod q$, where the values $\left(s,t\right)\in f_q$ satisfying $4s^3+27t^{2}mod q$.

2.1.2. Elliptic Curve Decisional Diffie-Hellman Problem (ECDDHP)

Assume $\xi$ is the generator of group ${\mathrm{G}}_{ECC}$ with prime order $q$, and given ($\Omega ·\xi , \theta · \xi ,\xi ,K \in {\mathrm{G}}_{ECC}$), extracting $\theta$ and $\Omega$ from $K=\Omega ·\theta ·\xi$ is called ECDDHP.

2.1.3. Elliptic Curve Discrete Logarithm Problem (ECDLP)

Assume ξ is the generator of group G_ECC with prime order q, and given (θ.ξ,ξ,K ∈ G_ECC), extracting θ from K = θ. ξ is called ECDLP.

2.2. Syntax

The syntax of the proposed scheme consists of the five sub-algorithms listed below.

• Initialization: The ground core network (GCN) can play the role private key generator (PKG), in which he/she can sets ${\mathrm{ß}}_{GCN}$ as his/her secret key, ${\mathrm{\delta }}_{GCN}$ as his/her public key, and generates a public parameter set $\mathrm{Ж}$.
• Key Generation: The device that participates in a network as a legal user will send ($EI{d}_i, {\Omega }_i$) to GCN by using open channel. Based on ($EI{d}_i, {\Omega }_i$), GCN first compute ${\gamma }_i$ and recover the real identity $I{d}_i$. Then, GCN computes ${\lambda }_i,$ ${\Phi }_i$ and send (${\Phi }_i, {\lambda }_i$) to the legitimate user by using secure channel.
• Generalized Ring Signcryption: This algorithm will run by Micro Aerial Vehicle (MAV), in which the MAV take input that are (${\mathit{EId}}_{\mathit{MAV}},m,{\lambda }_X,{\pounds }_X,{\delta }_{GCN}$) and produce the tuple ($\kappa ,\mathrm{Л},\Gamma$).
• Generalized Ring Signcryption Verifications: Given the tuple ($EI{d}_X,{\lambda }_{MAV},{\pounds }_{MAV},{\delta }_{GCN},\kappa ,\mathrm{Л},\Gamma ,{\Phi }_X.$), a user can verify ($\kappa ,\mathrm{Л},\Gamma$).

2.3. Network Model

Figure 2 depicts the network model of the proposed scheme, which includes entities such as MAVs and Base Station (BS) deployed to provide monitoring of a certain region. The proposed network model relies heavily on MAVs, which are outfitted with a camera, IMU, sensors, and GPS devices capable of handling a wide range of use cases. It allows for interaction between many MAVs and also between MAVs and fixed facilities. To establish a connection with the BS, the MAV makes use of 5G and Wi-Fi wireless technologies. The MAVs are able to talk to one another over Wi-Fi. The primary goal of a hybridised approach is to capitalise on the strengths of both technologies.

3. Proposed Scheme Construction

The construction of the proposed scheme includes the following steps.

Initialization: In this sub algorithm, a ground core network (GCN) can play the role private key generator (PKG) that can first choose his own secret key ${\mathrm{ß}}_{GCN}\in f_q$ and compute a master public key as ${\delta }_{GCN}={\mathrm{ß}}_{GCN}·\xi$. then, GCN chooses three hash functions (${\mathrm{Ц}}_1$, ${\mathrm{Ц}}_2,{\mathrm{Ц}}_3$) that are irreversible and collision resistant. At the end, GCN produces a public param $\mathrm{Ж}=(f_q,{\delta }_{GCN},\xi , {Ц}_1$, ${Ц}_2,{Ц}_3$).

Key Generation: In this sub algorithm, a device which participated in a network as a legal user will send his encrypted real identity $EI{d}_i={\gamma }_i\oplus I{d}_i$, and ${\Omega }_i={\alpha }_i·\xi ,$ to GCN by using open channel, where ${\gamma }_i={\alpha }_i·{\delta }_{GCN}$ and ${\alpha }_i\in f_q$. Based on ($EI{d}_i, {\Omega }_i$), GCN firs compute ${\gamma }_i={\mathrm{ß}}_{GCN}·{\Omega }_i$ and recover the real identity $I{d}_i$ as $I{d}_i=EI{d}_i\oplus {\gamma }_i$. Then, GCN choose ${\eta }_i\in f_q$, compute ${\lambda }_i={\eta }_i·\xi$, ${\pounds }_i={\mathrm{Ц}}_1\left(I{d}_i,{\lambda }_i\right)$, calculate ${\Phi }_i={\eta }_i+{\pounds }_i·{\mathrm{ß}}_{GCN}$, and send (${\Phi }_i, {\lambda }_i$) to the legitimate user by using secure channel.

Generalized Ring Signcryption: This algorithm will run by MAV, in which the MAV first select his identity (${\mathrm{EId}}_{\mathit{MAV} }$) from $\mathsf{\Delta }=\{EI{d}_{\mathit{MAV} 1}$, $EI{d}_{\mathit{MAV} 2},EI{d}_{\mathit{MAV} 3},\dots \dots ,EI{d}_{\mathit{MAV}n}\}$ and perform the following steps.

• MDN choose ${\chi }_{\mathit{MAV} }\in f_q$ and compute $\mathrm{Л}={\chi }_{\mathit{MAV} }·\xi$.
• Compute $\Psi ={\chi }_{\mathit{MAV} }\left({\lambda }_X+{\pounds }_X·{\delta }_{GCN}\right)$ and $\Gamma ={\mathrm{Ц}}_2\left(\Psi \right)\oplus \left(m,EI{d}_{MAV }\right).$
• Compute $\omega ={\mathrm{Ц}}_3\left(EI{d}_{MAV },{\lambda }_{MAV},{\lambda }_X,\mathrm{Л},\Gamma \right)$ and $\kappa ={\chi }_{\mathit{MAV} }+\omega ·{\Phi }_{MAV}$.
• MAV send ($\omega ,\mathrm{Л},\Gamma$) to everything (X).

Generalized Ring Signcryption Verifications: With the encrypted identity ($EI{d}_X$), a user upon reception of ($\omega ,\mathrm{Л},\Gamma$) can perform the following steps.

• Compare if $\kappa ·\xi =\mathrm{Л}+\omega ·\left({\lambda }_{MAV}+{\pounds }_{MAV}·{\delta }_{GCN}\right)$ is holds, where $\omega ={\mathrm{Ц}}_3\left(EI{d}_{MAV},{\lambda }_{MAV},{\lambda }_X,\mathrm{Л},\Gamma \right)$.
• Compute $\Psi ={\Phi }_X·\mathrm{Л}$ and $\left(m,EI{d}_{MAV}\right)=\Gamma \oplus {\mathrm{Ц}}_2\left(\Psi \right)$.

Correctness Analysis

The device at receiving end (X) can verify the signature as follows.

$$\begin{array}{c}\kappa ·\xi =\mathrm{Л}+\omega ·\left({\lambda }_{MAV}+{\pounds }_{MAV}·{\delta }_{GCN}\right)=\left({\chi }_{MAV}+\omega ·{\Phi }_{MAV}\right)·\xi =({\chi }_{MAV}·\xi +\\ \omega ·{\Phi }_{MAV}·\xi )=\left({\chi }_{MAV}·\xi +\omega ·\left({\eta }_{MAV}+{\pounds }_{MAV}·{\mathrm{ß}}_{GCN}\right)·\xi \right)=({\chi }_{MAV}·\xi +\\ \omega ·\left({\eta }_{MAV}·\xi +{\pounds }_{MAV}·{\mathrm{ß}}_{GCN}·\xi \right))=\left(\mathrm{Л}+\omega ·\left({\lambda }_{MAV}+{\pounds }_{MAV}·{\delta }_{GCN}\right)\right)\end{array}$$

(1)

hence proved.

Furthermore, a device at receiving end (X) can made the decryption key as follows.

$$\begin{array}{c}\Psi ={\Phi }_X·\mathrm{Л}=\left({\eta }_X+{\pounds }_X·{\mathrm{ß}}_{GCN}\right)·{\chi }_{MAV}·\xi =\left({\eta }_X·\xi +{\pounds }_X·{\mathrm{ß}}_{GCN}·\xi \right)·{\chi }_{MAV}=\\ \left({\lambda }_X+{\pounds }_X·{\delta }_{GCN}\right)·{\chi }_{MAV}={\chi }_{MAV}\left({\lambda }_X+{\pounds }_X·{\delta }_{GCN}\right)\end{array}$$

(2)

hence proved.

4. Security Analysis

In this section, we first show that the proposed scheme is secure against breaches of confidentiality and forgeability under the Random Oracle Model (ROM). Then, using an informal security analysis, we show that the proposed scheme is secure against an adversary attempting to violate sender and recipient anonymity. The subsequent theorems demonstrate that the proposed scheme provides security properties such as confidentiality, unforgeability, sender anonymity, and recipient anonymity, respectively.

Theorem 1. 

Confidentiality: The proposed generalized ring signcryption is indistinguishable against intruder INT under the ROM, if ECDDHP is hard.

Proof. 

Suppose the instances of elliptic curve $(\Omega ·\xi , \theta · \xi ,\xi ,K \in {\mathrm{G}}_{ECC})$ is given to $C_{\mathit{ECDDHP}}$. To find $\theta$ and $\Omega$ from $K=\Omega ·\theta ·\xi$, $C_{\mathit{ECDDHP}}$ will play the following Game with $INT$.

Initialization: $C_{\mathit{ECDDHP}}$ can first choose the secret key ${\mathrm{ß}}_{GCN}\in f_q$, public key ${\delta }_{GCN}$, public parameter set $\mathrm{Ж}$. Then, $C_{\mathit{ECDDHP}}$ sends $\mathrm{Ж}$ to $INT$.

Phase 1: Here, $INT$ can made the following queries with $C_{ECDDHP}.$

${\mathrm{Ц}}_1$

Query: $INT$ send a request for ${\mathrm{Ц}}_1$ Query with identity $(I{d}_i) C_{ECDDHP}$ check for a tuple $\left(I{d}_i,{\lambda }_i,{\pounds }_i\right)$ in the list $L_{{\mathrm{Ц}}_1}$, if $\left(I{d}_i,{\lambda }_i,{\pounds }_i\right)$ is found, $C_{ECDDHP}$ returns ${\pounds }_i$ to $INT$. Otherwise, $C_{ECDDHP}$ choose the value for ${\pounds }_i$ randomly and returns it to $INT$.

${\mathrm{Ц}}_2$

Query: $INT$ send a request for ${\mathrm{Ц}}_2$ Query with identity $(I{d}_i) C_{ECDDHP}$ check for a tuple $\left({\Psi }_i,{\pounds }_{1i}\right)$ in the list $L_{{\mathrm{Ц}}_2}$, if $\left({\Psi }_i,{\pounds }_{1i}\right)$ is found, $C_{ECDDHP}$ returns ${\pounds }_{1i}$ to $INT$. Otherwise, $C_{ECDDHP}$ choose the value for ${\pounds }_{1\mathrm{i}}$ randomly and returns it to $INT$.

${\mathrm{Ц}}_3$

Query: $INT$ send a request for ${\mathrm{Ц}}_3$ Query with identity $(I{d}_i) C_{ECDDHP}$ check for a tuple $\left(EI{d}_i,{\lambda }_i,{\Gamma }_i,{\mathrm{Л}}_i,{\omega }_i\right)$ in the list $L_{{\mathrm{Ц}}_3}$, if $\left(EI{d}_i,{\lambda }_i,{\Gamma }_i,{\mathrm{Л}}_i,{\omega }_i\right)$ is found, $C_{ECDDHP}$ returns ${\omega }_i$ to $INT$. Otherwise, ${\mathrm{C}}_{\mathit{ECDDHP}}$ choose the value for ${\omega }_i$ randomly and returns it to $INT$.

User Public Key Query: $INT$ send a request for User Public Key Query with $(I{d}_i,{\lambda }_i), C_{ECDDHP}$ check for a tuple $\left(I{d}_i,{\lambda }_i\right)$ in the list $L_{UPK}$, if $\left(I{d}_i,{\lambda }_i\right)$ is found, $C_{ECDDHP}$ returns ${\lambda }_i$ to $INT$. Otherwise, $C_{ECDDHP}$ perform the following two steps.

• At $jth$ query, if $i=j$, $C_{ECDDHP}$ set ${\lambda }_i=\Omega ·\xi$.
• Else, compute ${\lambda }_i={\eta }_i·\xi$, where it selects ${\eta }_i$ randomly.
• At the end, $C_{ECDDHP}$ returns ${\lambda }_i$ to $INT.$

User Private Key Query: $INT$ send a request for User Private Key Query with $(I{d}_i,{\lambda }_i,{\Phi }_i), C_{ECDDHP}$ check for a tuple $\left(I{d}_i,{\lambda }_i,{\Phi }_i\right)$ in the list $L_{UPRK}$, if $I{d}_i=Id,$ $C_{ECDDHP}$ stop further processing, otherwise he found the tuple $\left(I{d}_i,{\lambda }_i,{\Phi }_i\right)$ and returns ${\Phi }_i$ to $INT$.

Generalized Ring Signcryption Query: $INT$ send a request for Generalized Ring Signcryption with $m,$ $EI{d}_{MAV}$ and $EI{d}_X$, where $EI{d}_{MAV} \in \mathsf{\Delta }=\{EI{d}_{\mathit{MAV} 1}$, $EI{d}_{\mathit{MAV} 2}, EI{d}_{\mathit{MAV} 3},\dots \dots ,EI{d}_{\mathit{MAV}n}\}$ and $C_{ECDDHP}$ perform the following steps.

• If $EI{d}_{MAV} !=Id$, It choose ${\chi }_{MAV}\in f_q$ and compute $\mathrm{Л}={\chi }_{MAV}·\xi -\omega \left({\lambda }_{MAV}+{\pounds }_{MAV}·{\delta }_{GCN}\right)$.
• Compute $\Psi ={\chi }_{MAV}\left({\lambda }_X+{\pounds }_X·{\delta }_{GCN}\right)$ and $\Gamma ={\mathrm{Ц}}_2\left(\Psi \right)\oplus \left(m,EI{d}_{MAV}\right).$
• Compute $\omega ={\mathrm{Ц}}_3\left(EI{d}_{MAV},{\lambda }_{MAV},{\lambda }_X,\mathrm{Л},\Gamma \right)$ and $\kappa ={\chi }_{MAV}+y$, where$y$ is randomly selected now here.
• $C_{ECDDHP}$ send ($\kappa ,\mathrm{Л},\Gamma$) to $INT$.

Generalized Ring Signcryption Verification Query: If $EI{d}_X=Id$, $C_{ECDDHP}$ shows the tuple ($\kappa ,\mathrm{Л},\Gamma$) is invalid. Otherwise, it normally Generalized Ring Signcryption Verification algorithm.

Challenge: $INT$ send the tuple ($m_{101}$, $m_{102},EI{d}_{MAV},EI{d}_X$) to $C_{ECDDHP}$, where $m_{101}$, $m_{102}$ are the two plaintexts with same size but contains different contents. If $EI{d}_X=Id$, $C_{ECDDHP}$ pick $\mathsf{\iota }\in \left\{0, 1\right\}$ and perform the following computations.

• It computes $\mathrm{Л}=\Omega ·\xi$.
• Compute $\Psi =K+{\pounds }_X·{\delta }_{GCN}$ and $\Gamma ={\mathrm{Ц}}_2\left(\Psi \right)\oplus \left(m,EI{d}_{MAV}\right).$
• Compute $\omega ={\mathrm{Ц}}_3\left(EI{d}_{MAV},{\lambda }_{MAV},{\lambda }_X,\mathrm{Л},\Gamma \right)$ and $\kappa =\omega ·{\Phi }_{MAV}+y+\Omega$, where$y$ is randomly selected now here.
• $C_{ECDDHP}$ returns ($\kappa ,\mathrm{Л},\Gamma$).

Phase 2: In this phase, INT executes ${\mathrm{Ц}}_1$ Query, ${\mathrm{Ц}}_2$ Query, ${\mathrm{Ц}}_3$ Query, User Public Key Query, Generalized Ring Signcryption Query, and Generalized Ring Signcryption Verification Query, respectively. Note that at this stage INT should not perform User Private Key Query on encrypted identity $EI{d}_X$ and requested message corresponding to the Generalized ring signcrypted text.

Guess: INT return ${\mathsf{\iota }}^{/}\in \left\{0, 1\right\}$, if $\mathsf{\iota }={\mathsf{\iota }}^{/}$, $C_{ECDDHP}$ outputs 1. Otherwise, $C_{ECDDHP}$ outputs 0.

Probability Analysis: Suppose $Q{\mathrm{Ц}}_1,Q{\mathrm{Ц}}_1,Q{\mathrm{Ц}}_1,Q_{UPK}$, and $Q_{UPRK}$ represent ${\mathrm{Ц}}_1$ Query, ${\mathrm{Ц}}_2$ Query, ${\mathrm{Ц}}_3$ Query, User Public Key Query, and User Private Key Query, respectively. So, we express the following events.

1.

${\Theta }_1:$ $C_{ECDDHP}$ succeeded in User Private Key Query.

2.

${\Theta }_2:$ ${\mathrm{C}}_{\mathit{ECDDHP}}$ succeeded in Generalized Ring Signcryption Verification Query.

3.

${\Theta }_2:$ ${\mathrm{C}}_{\mathit{ECDDHP}}$ succeeded in in challenge phase.

After denoting the above events, we can easily receive the following outcomes.

$\mathrm{Pr}\left({\Theta }_1\right)=1-\frac{Q_{UPRK}}{Q_{UPK}}, \mathrm{Pr}\left({\Theta }_2\right)=1-\frac{1}{2^j},$ and $\mathrm{Pr}\left({\Theta }_3\right)=\frac{1}{Q_{UPK}-Q_{UPRK}}$, then $\mathrm{Pr}\left(C_{ECDDHP} sucess\right)=\mathrm{Pr}\left({\Theta }_1\wedge {\Theta }_2\wedge {\Theta }_3\right)=\mathrm{Pr}\left({\Theta }_1\right)·\mathrm{Pr}\left({\Theta }_2\right)·\mathrm{Pr}\left({\Theta }_3\right)=\left(1-\frac{Q_{UPRK}}{Q_{UPK}}\right)\left(1-\frac{1}{2^j}\right)\left(\frac{1}{Q_{UPK}-Q_{UPRK}}\right)$≈ $(\frac{1}{Q_{UPK}})$≈ $\frac{€}{Q_{UPK}}$, where $€$ represent the advantage of INT. □

Theorem 2. 

Unforgeability. Our proposed generalized ring signcryption is indistinguishable against intruder INT under the random oracle model, if ECDLP is hard.

Proof. 

Suppose the instance of elliptic curve ($\Omega ·\xi , \xi ,K \in {\mathrm{G}}_{ECC}$) is given to $C_{\mathrm{ECDLP}}$ so, to find $\Omega$ from $K=\Omega ·\xi$, $C_{\mathrm{ECDLP}}$ will play the following Game with $INT$.

Initialization: $C_{\mathrm{ECDLP}}$ can first choose the secret key ${\mathrm{ß}}_{GCN}\in f_q$, public key ${\delta }_{GCN}$, public parameter set $\mathrm{Ж}$. Then, $C_{\mathit{ECDDHP}}$ send $\mathrm{Ж}$ to $INT$.

Queries: All the queries are processed is same as executed in Theorem 1-Confidentiality.

Forgery: $INT$ wants to generate and verify combined ring signature and signcryption, in which he needs the private key of MAV and X (${\Phi }_{MAV},{\Phi }_X$). $INT$ can generate the forge signature as follows.

• $INT$ choose ${\chi }_{INT}\in f_q$ and compute $\mathrm{Л}={\chi }_{INT}·\xi$.
• Compute $\Psi ={\chi }_{INT}\left({\lambda }_X+{\pounds }_X·{\delta }_{GCN}\right)$ and $\Gamma ={\mathrm{Ц}}_2\left(\Psi \right)\oplus \left(m,EI{d}_{MAV}\right).$
• Compute $\omega ={\mathrm{Ц}}_3\left(EI{d}_{MAV},{\lambda }_{INT},{\lambda }_X,\mathrm{Л},\Gamma \right)$ and $\kappa ={\chi }_{INT}+\omega ·{\Phi }_{INT}$.
• Returns ($\omega ,\mathrm{Л},\Gamma$).

In the above process for forging a signature, INT can solve two-time ECDLP such as finding the values (${\chi }_{MAV},{\Phi }_{MAV}$).

Probability Analysis: Suppose $Q{\mathrm{Ц}}_1, Q{\mathrm{Ц}}_1, Q{\mathrm{Ц}}_1,Q_{UPK}$, and $Q_{UPRK}$ represent ${\mathrm{Ц}}_1$ Query, ${\mathrm{Ц}}_2$ Query, ${\mathrm{Ц}}_3$ Query, User Public Key Query, and User Private Key Query, respectively. So, we express the following events.

4.

${\Theta }_1:$ $C_{ECDDHP}$ succeeded in User Private Key Query.

5.

${\Theta }_2:$ $C_{ECDDHP}$ succeeded in Generalized Ring Signcryption Verification Query.

6.

${\Theta }_2:$ $C_{ECDDHP}$ succeeded in in challenge phase.

After denoting the above events, we can easily receive the following outcomes.

$\mathrm{Pr}\left({\Theta }_1\right)=1-\frac{Q_{UPRK}}{Q_{UPK}}, \mathrm{Pr}\left({\Theta }_2\right)=1-\frac{1}{2^j},$ and $\mathrm{Pr}\left({\Theta }_3\right)=\frac{1}{Q_{UPK}-Q_{UPRK}}$, then $\mathrm{Pr}\left(C_{ECDDHP} sucess\right)=\mathrm{Pr}\left({\Theta }_1\wedge {\Theta }_2\wedge {\Theta }_3\right)=\mathrm{Pr}\left({\Theta }_1\right)·\mathrm{Pr}\left({\Theta }_2\right)·\mathrm{Pr}\left({\Theta }_3\right)=\left(1-\frac{Q_{UPRK}}{Q_{UPK}}\right)\left(1-\frac{1}{2^j}\right)\left(\frac{1}{Q_{UPK}-Q_{UPRK}}\right)$≈ $(\frac{1}{Q_{UPK}})$≈ $\frac{€}{Q_{UPK}}$, where $€$ represents the advantage of INT. □

Theorem 3. 

Sender Anonymity. In the key generation phase, the sender device called MAV will send his encrypted real identity$EI{d}_{MAV}={\gamma }_{MAV}\oplus I{d}_{MAV}$, and${\Omega }_{MAV}={\alpha }_{MAV}·\xi ,$to GCN by using open channel, where${\gamma }_{MAV}={\alpha }_{MAV}·{\delta }_{GCN}$ and${\alpha }_{MAV}\in f_q$. Based on ($EI{d}_{MAV}, {\Omega }_{MAV}$), GCN firs compute${\gamma }_{MAV}={\mathrm{ß}}_{GCN}·{\Omega }_{MAV}$ and recover the real identity$I{d}_{MAV}$as$I{d}_{MAV}=EI{d}_i\oplus {\gamma }_{MAV}$. Here, if INT wants the real identity$I{d}_{MAV}$of MAV, he will pass the following two cases.

• INT first struggle to access ${\alpha }_{MAV}$ from ${\Omega }_{MAV}={\alpha }_{MAV}·\xi$ to made ${\gamma }_{MAV}={\alpha }_{MAV}·{\delta }_{GCN}$.
• Secondly INT can access ${\mathrm{ß}}_{GCN}$ from ${\delta }_{GCN}={\mathrm{ß}}_{GCN}·\xi$ to made ${\gamma }_{MAV}={\mathrm{ß}}_{GCN}·{\Omega }_{MAV}$.

In both the above cases, INT can solve ECDLP which will be infeasible for him/her.

Theorem 4.

Receiver Anonymity. In the key generation phase, the receiver device called$X$ will send his encrypted real identity$EI{d}_X={\gamma }_X\oplus I{d}_X$, and${\Omega }_X={\alpha }_X·\xi ,$to GCN by using open channel, where${\gamma }_X={\alpha }_X·{\delta }_{GCN}$ and${\alpha }_X\in f_q$. Based on ($EI{d}_X, {\Omega }_X$), GCN firs compute${\gamma }_X={\mathrm{ß}}_{GCN}·{\Omega }_X$and recover the real identity$I{d}_X$as$I{d}_X=EI{d}_X\oplus {\gamma }_X$. Here, if INT wants the real identity$I{d}_X$ of$X$, he will pass the following two cases.

• INT first struggle to access ${\alpha }_X$ from ${\Omega }_X={\alpha }_X·\xi$ to made ${\gamma }_X={\alpha }_X·{\delta }_{GCN}$.
• Secondly INT can access ${\mathrm{ß}}_{GCN}$ from ${\delta }_{GCN}={\mathrm{ß}}_{GCN}·\xi$ to made ${\gamma }_X={\mathrm{ß}}_{GCN}·{\Omega }_X$.

In both the above cases, INT can solve ECDLP, which will be infeasible for him/her.

5. Performance Comparison

This section compares the performance of the proposed scheme with the relevant existing counterparts proposed by Zhou et al. [14], Zhou et al. [15], and Luo and Zhou [16].

5.1. Computation Cost

The computation cost represents the operational expenses spent by each user during the proposed generalized ring signcryption process and existing comparable schemes proposed by Zhou et al. [14], Zhou et al. [15], and Luo and Zhou [16]. In

Table 2. Comparison of computation cost with major operations.

Schemes	Sender	Receiver	Total
Zhou et al. [14]	$7B{P}_{BM}+1M{D}_{EXP}+1B{P}_{OP}$	$1B{P}_{BM}+3B{P}_{OP}$	$8B{P}_{BM}+1M{D}_{EXP}+4B{P}_{OP}$
Zhou et al. [15]	$10B{P}_{BM}+3M{D}_{EXP}+2B{P}_{OP}$	$3B{P}_{BM}+4B{P}_{OP}$	$13B{P}_{BM}+3M{D}_{EXP}+6B{P}_{OP}$
Luo and Zhou [16]	$7B{P}_{BM}+2M{D}_{EXP}$	$1B{P}_{BM}+1M{D}_{EXP}+2B{P}_{OP}$	$8B{P}_{BM}+3M{D}_{EXP}+2B{P}_{OP}$
Proposed Scheme	$4EC{C}_{PM}$	$4EC{C}_{PM}$	$8EC{C}_{PM}$

, we list the key operations of the proposed scheme, including Elliptic Curve Point Multiplication ($EC{C}_{PM}$), Bilinear Pairing Based Multiplication ($B{P}_{BM}$), Modular Exponentials ($M{D}_{EXP}$), and Bilinear Pairing ($B{P}_{OP}$).

Table 3. Comparison of computation cost (in ms).

Schemes	Sender	Receiver	Total
Zhou et al. [14]	$7\times 4.31+1\times 1.25+1\times 14.9=46.32$	$1\times 4.31+3\times 14.90=49.01$	$8\times 4.31+1\times 1.25+4\times 14.90=95.33$
Zhou et al. [15]	$10\times 4.31+3\times 1.25+2\times 14.90=76.65$	$3\times 4.31+4\times 14.90=72.53$	$13\times 4.31+3\times 1.25+6\times 14.90=149.18$
Luo and Zhou [16]	$7\times 4.31+2\times 1.25=32.67$	$1\times 4.31+1\times 1.25+2\times 14.90=35.36$	$8\times 4.31+3\times 1.25+2\times 14.90=68.03$
Proposed Scheme	$4\times 0.97=3.88$	$4\times 0.97=3.88$	$8\times 0.97=7.76$

contains the operating expenses, measured in milliseconds (ms), for the proposed scheme, as well as those of Zhou et al. [14], Zhou et al. [15], and Luo and Zhou [16]. The time requires for a single $EC{C}_{PM}$ takes 0.97 ms, $B{P}_{BM} , 4.31 \mathrm{ms},M{D}_{EXP} , 1.25 \mathrm{ms}$ and $B{P}_{OP} \mathrm{takes} 14.90$ [19]. The Multi-Precision Integer and Rational Arithmetic C Library (MIRACL) [20] is used to assess the performance of the proposed scheme by testing the runtime of the core cryptographic operations up to 1000 times. Observations are made on a workstation with the following specifications: 8 GB RAM and the Windows 7 Home Basic 64-bit operating system [21]. As seen in Figure 3, the proposed scheme has a lower computation cost than the schemes proposed by Zhou et al. [14], Zhou et al. [15], and Luo and Zhou [16].

5.2. Communication Cost

In this subsection, the proposed scheme is compared to existing schemes, namely those proposed by Zhou et al. [14], Zhou et al. [15], and Luo and Zhou [16], in terms of communication cost. We list the communication cost incurred based on the Elliptic Curve Parameter Size (|ECC q|), Bilinear Pairing Parameter Size (|BP G|), and a message size (|m|) for the proposed and those of Zhou et al. [14], Zhou et al. [15], and Luo and Zhou [16]. We have selected the bit values 160, 1024, and 1024 bits for (|ECC q|), (|m|), and (|BP G|) from [19]. In addition, the communication cost analysis between Zhou et al. [14], Zhou et al. [15], and Luo and Zhou [16] and the proposed scheme are provided in

Table 4. Comparison of communication cost (in bits).

Schemes	Communication Cost	Communication Cost in Bits
Zhou et al. [14]	$\left|m\right|+3\left|B{P}_G\right|$	$\left|1024\right|+3\times \left|1024\right|=4096$
Zhou et al. [15]	$\left|m\right|+3\left|B{P}_G\right|$	$\left|1024\right|+3\times \left|1024\right|=4096$
Luo and Zhou [16]	$\left|m\right|+5\left|B{P}_G\right|$	$\left|1024\right|+5\times \left|1024\right|=6144$
Proposed Scheme	$\left|m\right|+2\left|EC{C}_q\right|$	$\left|1024\right|+2\times \left|160\right|=1344$

. As seen in Figure 4, the proposed scheme has a lower communication cost than the schemes proposed by Zhou et al. [14], Zhou et al. [15], and Luo and Zhou [16].

5.3. Memory Overhead

The proposed scheme is compared in terms of memory overhead to existing schemes proposed by by Zhou et al. [14], Zhou et al. [15], and Luo and Zhou [16].

Table 5. Memory Overhead Analysis.

Schemes	Sender	Receiver	Total
Zhou et al. [14]	9|$B{P}_G|+3\left|H\right|$+ $\left|m\right|$	3|$B{P}_G|+2\left|H\right|$+ $\left|m\right|$	12|$B{P}_G|+5\left|H\right|$+ $2\left|m\right|$
Zhou et al. [15]	11|$B{P}_G|+4\left|H\right|$+ $\left|m\right|$	4|$B{P}_G|+4\left|H\right|$+ $\left|m\right|$	15|$B{P}_G|+8\left|H\right|$+ $2\left|m\right|$
Luo and Zhou [16]	11|$B{P}_G|+4\left|H\right|$+ $\left|m\right|$	5|$B{P}_G|+2\left|H\right|$+ $\left|m\right|$	16|$B{P}_G|+6\left|H\right|$+ $2\left|m\right|$
Proposed Scheme	10|$EC{C}_q|+1\left|H\right|$+ $\left|m\right|$	8|$EC{C}_q|+1\left|H\right|$+ $\left|m\right|$	18|$EC{C}_q|+2\left|H\right|$+ $2\left|m\right|$

Note: |$EC{C}_q|=160,\left|H\right|=256,$|$B{P}_G|=1024$, and $\left|m\right|=1024$.

describes the primary operations, and

Table 6. Memory Overhead Analysis in Bits.

Schemes	Sender	Receiver	Total
Zhou et al. [14]	9$\left|1024\left|+3\right|256\right|$+ $\left|1024\right|=10996$	3|$1024\left|+2\right|256|$+ $\left|1024\right|=4608$	12|$1024\left|+5\right|256|$+ $2\left|1024\right|=15604$
Zhou et al. [15]	11|$1024\left|+4\right|256|$+ $\left|1024\right|=13312$	4|$1024\left|+4\right|256|$+ $\left|1024\right|=6144$	15|$1024\left|+8\right|256|$+ $2\left|1024\right|=19456$
Luo and Zhou [16]	11|$1024\left|+4\right|256|$+ $\left|1024\right|=13312$	5|$1024\left|+2\right|256|$+ $\left|1024\right|=6656$	16|$1024\left|+6\right|256|$+ $2\left|1024\right|=19968$
Proposed Scheme	10|$160\left|+1\right|256|$+ $\left|1024\right|=2880$	8|$160\left|+1\right|256|$+ $\left|1024\right|=2560$	18|$160\left|+2\right|256|$+ $2\left|1024\right|=5440$

compares the memory overhead in bits of the proposed scheme to that of relevant existing schemes. A significant reduction in memory space is achieved, as shown in Figure 5.

6. Conclusions

In this article, we proposed a conditional privacy-preserving generalized ring signcryption scheme for MAVs using an identity-based cryptosystem. The proposed scheme is developed using the Elliptic Curve Cryptography concept (ECC). A comprehensive security analysis of ROM indicates that the proposed method is robust to a number of attacks. Comparing the proposed scheme to similar schemes presented by Zhou et al. [14], Zhou et al. [15], and Luo and Zhou [16] with regard to commutation and communication costs. The results reveal that the proposed scheme is more cost-effective in terms of computation and communication costs than its current alternatives. In addition, the results demonstrate that the proposed method is suitable for MAV systems due to the algorithm’s functionality and reduced computation cost, communication cost and memory overhead.