INTERNATIONAL JOURNALS OF ACADEMICS & RESEARCH (IJARKE Science & Technology Journal)
Secure and Efficient Certificateless Signcryption Protocol for Wireless Body Area Networks (WBANs)
King’ang’i Misheck Murimi, Tharaka University, Kenya
Kirima Daniel Mukathe, Tharaka University, Kenya
Makembo John Majira, Tharaka University, Kenya
Abstract
In WBANs, security and efficiency are critical concerns. Devices communicate via an insecure short-range communication standard, exposing patients’ sensitive data to security breaches. Additionally, WBAN entities are resource-constrained devices that demand lightweight computations. Researchers have designed numerous schemes to combat the abovementioned problems. Nevertheless, several schemes rely on bilinear pairing and certificate management, which are heavy cryptographic operations, and thus suffer computational inefficiencies. To resolve these security and efficiency issues, we design and validate a secure and efficient certificateless signcryption scheme using elliptic curve cryptography and general hash functions to signcrypt and unsigncrypt messages. Besides, we conduct a formal security proof in the Random Oracle Model (ROM) to demonstrate Indistinguishability under Chosen Ciphertext Attack (IND-CCA) and Existential Unforgeability under Chosen Message Attack (EUF-CMA). From the formal security proof, the proposed scheme is IND-CCA and EUF-CMA secure against adversaries of Type I and Type II. Finally, we evaluate efficiency in terms of computation and communication costs. In the performance evaluation, we analyzed the computational and communication costs and compared them with state-of-the-art works; the proposed scheme shows improvements in both computation and communication efficiency over the other schemes. Compared to existing schemes, the scheme from this study performs better in terms of computation and communication cost, supporting its applicability in WBAN environments.
Key words: Certificateless, Signcryption, Confidentiality, Unforgeability
1. Introduction
The remarkable progress of the Internet of Things (IoT) in recent years has given rise to the wireless body area networks (WBANs), a cutting-edge healthcare system that enables the monitoring of patients’ health conditions without the need for constant physician supervision and aids in the diagnosis of diseases. WBAN refers to a wireless network involving the human body, biosensors, application provider, and network manager (as depicted in Figure 1), (Mandal, 2023).
The human body avails physiological data (i.e., body temperature, blood pressure, heart rate, blood sugar level, and Electrocardiogram (ECG)) to biosensors implanted inside or outside the human body. Upon receiving physiological data, the biosensors transmit the data to the application provider for immediate diagnosis and treatment. In addition, WBAN contains an aggregator, such as a mobile device, which is responsible for collecting and aggregating data from multiple biosensors and transmitting it to the application provider (Almuhaideb, 2022).
The network manager acts as a trusted authority mandated for the entire network management, including registration and revocation of entities. The biosensors connect with the aggregator in a star or multi-hop topology, and their communication occurs via the short-range communication standard called IEEE 802.15.6 (Cornet et al., 2022).
WBAN provides numerous benefits to patients and medical service providers, such as real-time and remote health monitoring of patients’ conditions for early detection of abnormalities. For instance, WBANs ensure automated health care for people with diabetes by detecting the glucose level and stimulating the insulin pump to release insulin, thus providing automatic dosing in diabetics (Jahan et al., 2023). As a result, the patients and medical service providers save time and resources. Despite the numerous benefits provided by WBANs, the network is coupled with several challenges, some of which are life-threatening.
Figure 1: The Proposed System Model
1.1 Motivation and Contribution
Firstly, in WBANs, data is transmitted through insecure public channels exposing sensitive data to security risks such as message injection, eavesdropping, message replay, spoofing, and compromise to the integrity of the message (Sama et al., 2022). For instance, data may be altered, leading to wrong diagnosis, posing a risk to patient’s safety, and potentially leading to catastrophic consequences. Secondly, the confidentiality of patients’ data is required to protect against unauthorized access, which could result in ill purposes such as cybercrimes. Finally, biosensors in WBANs are resource-constrained due to their tiny-size nature, thus limiting their ability to handle highly complex computations while providing efficiency, which is a critical requirement (Mandal, 2022).
Several schemes have been presented to achieve secure communication over an insecure channel. However, many schemes experience security issues coupled with performance overheads. To achieve security, for instance, several authors have used heavy cryptographic operations such as those involving bilinear pairing and certificate management, exposing resource-constrained WBAN devices to complex computations and thus compromising efficiency. On the other hand, several schemes presented to achieve WBAN efficiency lack confidentiality of patients’ data and identity privacy. Motivated by the above-mentioned challenges, this paper therefore proposes a secure and efficient protocol to signcrypt and unsigncrypt health-related messages for WBANs.
Below is a summary of the major challenges facing existing WBAN schemes:
- Certificate management problems
- Bilinear pairing complexities
- Confidentiality issues
- Forgeability problem
- Key escrow problems
- Lack of forward secrecy
- Lack of anonymity
- Vulnerability to common attacks
2. Related Work
Researchers have made significant progress in addressing security issues in WBANs by utilizing public key cryptography (PKC) to design various authentication schemes, which may fall under public key infrastructure (PKI), identity-based cryptography (IBC), and certificateless cryptography (CLC). Zhou (2019) proposed a protocol for mobile health systems based on certificateless signcryption as an improvement to Zhang et al.'s scheme. The author applied certificateless elliptic curve cryptography to achieve confidentiality and unforgeability, as well as a small improvement in computation and communication costs compared to the original scheme. However, the scheme is relatively expensive in terms of computation and lacks a conditional anonymity security feature. Liu et al. (2020) designed a streamlined data access control scheme by leveraging the signcryption technique for improved efficiency.
A pairing-free RSA cryptosystem is applied to make the scheme more applicable in the industry in terms of efficiency. Formal analysis proves the scheme resilient to typical security attacks. The scheme, however, lacks anonymity. Ullah et al. (2021) designed a signcryption scheme for the internet of health things based on hyper-elliptic curve certificateless cryptography to achieve anonymity and forward secrecy at the same time. The scheme further proves to achieve confidentiality and unforgeability through formal security analysis in the ROM. Nonetheless, the scheme lacks sender authentication and is a little more expensive computationally.
Xiong et al. (2022) presented a signcryption scheme for a flexible heterogeneous WBAN environment. The security of the scheme is achieved by enabling body sensors to encrypt sensitive data using the PKI management system’s public key and then uploading it to a server in the cloud, which conducts an equivalence test on the ciphertext. Despite the security achievements of the above-discussed schemes, they suffer from one common problem, i.e., certificate management complexity, which makes them unsuitable for WBANs.
Ramadan et al. (2023) presented an identity-based signcryption protocol for telemedicine systems with an equality test feature. The scheme achieves confidentiality and unforgeability in the ROM. Nevertheless, the scheme suffers from the key escrow problem, high computation and communication costs due to bilinear pairing operations, and a lack of sender authentication. Zhang et al. (2024) proposed a certificateless signcryption scheme for internet of medical things (IoMT) safe data communication based on zero knowledge proof. Their scheme achieves confidentiality and unforgeability, as well as improved communication efficiency compared to other relevant schemes. However, Zhang et al.'s scheme lacks a sender authentication security feature and is expensive in terms of communication and computation.
In summary, the schemes proposed by various authors suffer from the certificate management problem, the key escrow problem, and reduced efficiency. To be precise, the major gaps identified in the existing literature include: complex computations due to bilinear pairing and certificate management, lack of conditional anonymity, the key escrow problem, lack of sender authentication, lack of forward secrecy, and lack of unforgeability. Table 1 summarizes the identified gaps in the literature:
Table 1: Summary of Strengths and Weaknesses of Related Schemes
Scheme | Approach | Strength | Weakness |
---|---|---|---|
Xiong et al. 2022 | PKI-IBC, bilinear pairing | Achieves message authentication, confidentiality, unforgeability, and forward secrecy. | Lacks sender authentication, conditional anonymity, and incurs high computational and communication cost due to bilinear pairing. Has key-escrow problem. |
Zhou 2019 | CLC, ECC | Achieves both sender and message authentication, confidentiality, and unforgeability | High computation cost, lacks conditional anonymity. |
Liu et al. 2020 | CLC, bilinear pairing | Achieves message authentication, confidentiality, and solves key escrow issue | Lacks unforgeability, sender authentication, forward secrecy, and conditional anonymity. Incurs high computation cost due to bilinear pairing operation. |
Ullah et al. 2021 | CLC, ECC | Achieves message authentication, confidentiality, unforgeability, and solves key-escrow problem. | Lacks sender authentication, relatively high computation cost |
Ramadan et al. 2023 | IBC, bilinear pairing | Achieves message authentication, confidentiality, unforgeability, and forward secrecy. | Lacks sender authentication, Key-escrow resistance, and conditional anonymity. High computation and communication cost due to bilinear pairing approach. |
Zhang et al. 2024 | CLC, ECC | Achieves both sender and message authentication, confidentiality, unforgeability, forward secrecy, and solves key-escrow problem. | Lacks conditional anonymity, relatively high computational cost. |
2.1 Mathematical Preliminaries
The fundamental mathematical concepts used in the proposed scheme are discussed below:
2.1.1 Elliptic Curve Group
An elliptic curve $E$ over a prime finite field $F_p$ is defined by an equation $y^2 = x^3 + ax + b$, where $a, b \in F_p$ and $4a^3 + 27b^2 \neq 0$. Then $G = \{(x, y) : x, y \in F_p, E(x, y) = 0\} \cup \{O\}$ is the additive elliptic curve group, where $O$ is the point at infinity (Mandal, 2022). Figure 2 shows an elliptic curve.
Figure 2: Elliptic Curve
Source: (Kasyoka, 2022)
2.1.2 Point Addition
Taking $P, Q$ as two points on the curve such that $P + Q = R$, where $-R$ is the third point at which the line joining $P$ and $Q$ intersects the curve, the point $R$ is the reflection of $-R$ about the $x$-axis (Mandal, 2022).
2.1.3 Scalar Multiplication
If point $P$ is a generator of the cyclic additive group $G$, then $kP = P + P + \cdots + P$ ($k$ times), where $k \in \mathbb{Z}_q^*$ (Ali et al., 2021).
2.1.4 Computationally Hard Problems
The security of ECC relies on the computational difficulty of the discrete logarithm problem, which entails determining the scalar when given a base point and the resulting point on the curve, and of the computational Diffie-Hellman problem (CDHP), which involves computing a third point from two given points, as defined below:
i. Elliptic Curve Discrete Logarithm Problem (ECDLP)
Given points $P, Q \in G$, find an integer $x \in \mathbb{Z}_q^*$ such that $Q = xP$. It is hard to compute $x$ from $P$ and $Q$ by any polynomial-time algorithm (Yang et al., 2022).
ii. Computational Diffie-Hellman Problem (CDHP)
Given an elliptic curve $E$ defined over a finite field $GF(p)$, a point $P \in E$ of order $n$, $A = aP$ and $B = bP$, it is computationally hard to find the point $C = abP$ (Zhang et al., 2021). Both problems are believed to be computationally infeasible to solve efficiently.
3. The Proposed Signcryption Scheme
In this section, the proposed ECC-based secure and efficient certificateless signcryption protocol for a wireless body area network is presented. The protocol entails four major algorithms, i.e., setup, registration and key generation, message signcryption, and message unsigncryption. Table 2 provides a description of the notations used in the proposed scheme.
Table 2: Notations used in the Proposed Scheme
NOTATION | DESCRIPTION |
---|---|
$p$ and $q$ | Large prime numbers |
$G$ | Group of elliptic curve points |
$E$ | Non-singular elliptic curve |
$\{s_{NM}, PK_{NM}\}$ | NM’s master and public keys |
$\{H_0(\cdot), H_1(\cdot), H_2(\cdot), H_3(\cdot)\}$ | General one-way hash functions |
$PD_i$ | Patient’s device |
$\{RID_{PD_i}, PID_{PD_i}\}$ | $PD_i$’s real identity and pseudo identity |
$\{\omega_i, \theta_i\}$ | Secret keys for $PD_i$ and $AP$ |
$\{T_i, t_i\}$ | Valid time periods |
$\oplus$ | XOR operation |
$\{d_{PD_i}, d_{AP}\}$ | NM’s secret keys for $PD_i$ and $AP$ $PPK$ generation |
$\{PPK_{PD_i}, PPK_{AP}\}$ | Partial private keys for $PD_i$ and $AP$ |
$\{x_{PD_i}, x_{AP}\}$ | $PD_i$ and $AP$ secret keys for private key generation |
$r_{PD_i}$ | $PD_i$’s secret key for message signcryption |
$\{SK_{PD_i}, PK_{PD_i}\}$ | Private and public keys for $PD_i$ |
$\{SK_{AP}, PK_{AP}\}$ | Private and public keys for $AP$ |
$\varrho$ | Signcryption |
$\perp$ | Error |
$\{m_{PD_i}, m_{AP}\}$ | $PD_i$ and $AP$ messages |
3.1 Setup
The Network Manager (NM)(N M) solely initializes the system by performing the following.
i. Inputs $\lambda \in \mathbb{Z}^+$ as the security parameter, randomly picks two large prime numbers $p$ and $q$, and a non-singular elliptic curve $E$ defined by the equation $y^2 = x^3 + ax + b$, where $a, b \in F_p$ and $4a^3 + 27b^2 \neq 0$.
ii. Selects a generator $P$ for the group $G$, where $G$ is the group of elliptic curve points with prime order $q$. $p$ and $q$ are supposed to be large primes to enhance security.
iii. Randomly picks $s_{NM} \in \mathbb{Z}_q^*$ as its master secret key, and computes its public key as $PK_{NM} = s_{NM} P$.
iv. Randomly picks four one-way hash functions: $H_0 : \{0,1\}^* \to \mathbb{Z}_q^*$, $H_1 : G \times G \times G \to \mathbb{Z}_q^*$, $H_2 : G \to \mathbb{Z}_q^*$, $H_3 : G \times \{0,1\}^* \times G \times G \times G \to \mathbb{Z}_q^*$.
v. Finally, the NM publishes the system parameters $params = \{p, q, G, P, PK_{NM}, H_0, H_1, H_2, H_3\}$.
3.2 Registration and Key Generation
3.2.1 PD Registration
The guide for PD registration is outlined below.
i. The PD randomly chooses $\omega_i \in \mathbb{Z}_q^*$ and computes $PID_{i1} = \omega_i P$.
ii. The PD picks its real identity $RID_{PD_i}$ and sends the tuple $\{PID_{i1}, RID_{PD_i}\}$ to the NM.
iii. Upon successfully scrutinizing $RID_{PD_i}$, the NM computes $PID_{i2} = RID_{PD_i} \oplus H_0(s_{NM} PID_{i1})$ and submits the pseudo identity $PID_i = \{PID_{i1}, PID_{i2}, T_i\}$ to the PD. Meanwhile, the NM records the tuple $\{PID_i, RID_{PD_i}\}$ in a secure database.
After $PID_i$ generation, the NM continues to compute a partial private key for the PD using the steps below.
iv. The NM randomly chooses $d_{PD_i} \in \mathbb{Z}_q^*$ and computes $D_{PD_i} = d_{PD_i} P$.
v. The NM computes $\beta_{PD_i} = H_1(PID_i, D_{PD_i}, PK_{NM})$.
vi. The NM computes $k_{PD_i} = (d_{PD_i} + \beta_{PD_i} \cdot s_{NM}) \bmod q$.
vii. The NM sends $PPK_{PD_i} = \{k_{PD_i}, D_{PD_i}\}$ to the PD as its partial private key.
viii. Upon receiving $PPK_{PD_i}$, the PD checks its authenticity by verifying the equation $k_{PD_i} P = D_{PD_i} + \beta_{PD_i} PK_{NM}$.
Proof of Correctness
$$\begin{aligned} k_{PD_i} P &= (d_{PD_i} + \beta_{PD_i} \cdot s_{NM}) P \\ &= d_{PD_i} P + \beta_{PD_i} \cdot s_{NM} P \\ &= D_{PD_i} + \beta_{PD_i} PK_{NM} \end{aligned}$$
After successful verification of $PPK_{PD_i}$, the PD generates its secret and public key pair using the steps below.
ix. The PD randomly chooses $x_{PD_i} \in \mathbb{Z}_q^*$ and sets its secret key as $SK_{PD_i} = \{x_{PD_i}, k_{PD_i}\}$.
x. The PD computes $X_{PD_i} = x_{PD_i} PK_{NM}$ and $Y_{PD_i} = k_{PD_i} PK_{NM}$.
xi. Finally, the PD sets its full public key as $PK_{PD_i} = (X_{PD_i}, Y_{PD_i})$.
3.2.2 AP Registration
The steps for AP registration are outlined below.
i. The AP randomly chooses $\theta_i \in \mathbb{Z}_q^*$ and computes its public key $PK_{AP} = \theta_i P$.
ii. The AP sends the tuple $\{RID_{AP}, PK_{AP}\}$ to the NM, where $RID_{AP}$ is the real identity of the AP.
iii. Upon successfully scrutinizing $RID_{AP}$, the NM randomly chooses $d_{AP} \in \mathbb{Z}_q^*$ and computes $D_{AP} = d_{AP} P$.
iv. The NM computes $\beta_{AP} = H_1(D_{AP}, PK_{AP}, PK_{NM})$.
v. Next, the NM computes $k_{AP} = (d_{AP} + \beta_{AP} \cdot s_{NM}) \bmod q$ and sends the partial private key $PPK_{AP} = \{k_{AP}, D_{AP}\}$ to the AP.
vi. Upon receiving $PPK_{AP}$, the AP checks its authenticity by verifying the equation $k_{AP} P = D_{AP} + \beta_{AP} PK_{NM}$.
Proof of Correctness
$$\begin{aligned} k_{AP} P &= (d_{AP} + \beta_{AP} \cdot s_{NM}) P \\ &= d_{AP} P + \beta_{AP} \cdot s_{NM} P \\ &= D_{AP} + \beta_{AP} PK_{NM} \end{aligned}$$
After successful verification of $PPK_{AP}$, the AP generates its secret and public key pair using the steps below.
vii. The AP randomly chooses $x_{AP} \in \mathbb{Z}_q^*$ and sets its secret key as $SK_{AP} = (x_{AP}, k_{AP})$.
viii. Next, the AP computes $X_{AP} = x_{AP} PK_{NM}$ and $Y_{AP} = k_{AP} PK_{NM}$, and sets its full public key as $PK_{AP} = (X_{AP} + Y_{AP})$.
3.3 Message Signcryption
Every health-related message should be signcrypted before transmission to enhance authenticity.
3.3.1 PD to AP Signcryption
On input of a health-related message $m_{PD_i} \in \{0,1\}^*$, the system parameters $params$, the pseudo identity $PID_{PD_i}$, the private key $SK_{PD_i}$, and the AP’s public key $PK_{AP}$, the PD outputs a signcrypted message $\varrho_i$. The steps for signcryption are outlined as follows.
i. The PD selects a random value $r_{PD_i} \in \mathbb{Z}_q^*$ and computes $R_{PD_i} = r_{PD_i} PK_{AP}$.
ii. The PD computes $b = H_2(R_{PD_i})$, $c = b \oplus m_{PD_i}$ and $e = H_3(PID_{PD_i}, m_{PD_i}, R_{PD_i}, PK_{PD_i}, PK_{AP}, t_i)$.
iii. Next, the PD computes $s = r_{PD_i}^{-1}(e + SK_{PD_i})$. If $s = 0$, return to step (i). Otherwise, output the signcrypted message $\varrho_i = (c, e, s)$ and send it to the AP.
3.3.2 AP to PD Signcryption
When the AP needs to send a diagnostic message $m_{AP} \in \{0,1\}^*$ to the PD, the AP uses its secret key $SK_{AP}$ and the PD’s public key $PK_{PD_i}$ to signcrypt the message $m_{AP}$ in the same manner as PD to AP signcryption.
3.4. Message Unsigncryption
Before acting on the signcrypted message, the receiver must run an unsigncryption algorithm to ensure the sender’s and message’s integrity.
3.4.1 PD to AP Unsigncryption
Upon receiving the signcrypted message $\varrho_i = (c, e, s)$ from the PD, the AP extracts the pseudo identity’s validity period $T_i$ and the timestamp $t_i$ and checks their expiry. If the message is fresh, the AP runs the unsigncryption algorithm, taking the system parameters $params$, its private key $SK_{AP}$ and the PD’s public key $PK_{PD_i}$ as inputs, and outputs the original message $m_{PD_i}$. The steps for unsigncryption are outlined as follows.
i. The AP takes the message $\varrho_i = (c, e, s)$ and computes $\gamma = s^{-1}$.
ii. The AP computes $V_{AP} = e\gamma PK_{AP} + \gamma PK_{PD_i} SK_{AP}$.
iii. The AP computes $b' = H_2(V_{AP})$.
iv. The AP computes $m_{PD_i} = b' \oplus c$.
v. Finally, the AP computes $e' = H_3(m_{PD_i}, V_{AP}, PK_{PD_i}, PK_{AP}, PID_{PD_i}, t_i)$.
vi. If $e' = e$, the AP returns the original message $m_{PD_i}$; otherwise it returns the error symbol $\perp$.
3.4.2 AP to PD Unsigncryption
The PD performs the unsigncryption process in the same manner as PD to AP unsigncryption.
Proof of Correctness
Given $s = r_{PD_i}^{-1}(e + SK_{PD_i})$, we have $s^{-1} = r_{PD_i}(e + SK_{PD_i})^{-1}$.
Therefore, the following correctness holds:
$$\begin{aligned} V_{AP} &= e\gamma PK_{AP} + \gamma PK_{PD_i} SK_{AP} \\ &= e s^{-1} PK_{AP} + s^{-1} PK_{PD_i} SK_{AP} \\ &= e s^{-1} SK_{AP} P + s^{-1} SK_{PD_i} SK_{AP} P \\ &= (e + SK_{PD_i}) s^{-1} SK_{AP} P \\ &= (e + SK_{PD_i}) r_{PD_i} (e + SK_{PD_i})^{-1} SK_{AP} P \\ &= r_{PD_i} SK_{AP} P \\ &= r_{PD_i} PK_{AP} \\ &= R_{PD_i} \end{aligned}$$
Thus $b' = b$, so the receiving device recovers the original message $m_{PD_i}$ from the sender through the decryption process. Additionally, $e' = e$, which means the receiving device can validate the correctness of the sender’s signature. Consequently, the proposed signcryption protocol is correct.
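The partial-private-key extraction of Section 3.2 and the PD to AP signcryption and unsigncryption of Sections 3.3 and 3.4, together with the point arithmetic of Section 2.1, as an added worked example in Python that is not the authors' code. It runs over secp256k1 and assumes SHA-256 in place of the random-oracle hashes, a single-hash XOR pad for $H_2$ (so messages are at most 32 bytes), and scalar signcryption keys with $pk = sk \cdot P$, which is what the correctness proof above uses; the pseudo identity, timestamp and message are constructed.

```python
import hashlib, secrets

# secp256k1 domain parameters (standard public constants); the paper's q is N here
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # the point at infinity O

def ec_add(p1, p2):  # point addition on y^2 = x^3 + 7 over F_p (Section 2.1.2)
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # p2 is -p1
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD  # a = 0 on secp256k1
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):  # scalar multiplication kP by double-and-add (Section 2.1.3)
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def enc(*parts):
    """Canonical encoding for hashing: points as 64 bytes, byte strings length-prefixed."""
    out = b""
    for part in parts:
        if isinstance(part, tuple):
            out += part[0].to_bytes(32, "big") + part[1].to_bytes(32, "big")
        else:
            out += len(part).to_bytes(4, "big") + part
    return out

def h_zq(tag, *parts):
    """Random-oracle stand-in for H1/H3: domain-tagged SHA-256 reduced into Z_q^*."""
    return int.from_bytes(hashlib.sha256(tag + enc(*parts)).digest(), "big") % (N - 1) + 1

def h2_xor(point, data):
    """c = H2(R) xor m with H2 = SHA-256 (assumption); covers messages up to 32 bytes."""
    assert len(data) <= 32, "one-hash XOR pad covers at most 32 bytes"
    pad = hashlib.sha256(b"H2" + enc(point)).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def nm_extract_ppk(s_nm, pk_nm, pid):
    """NM side of Section 3.2.1, steps iv-vii: returns PPK = (k, D)."""
    d = secrets.randbelow(N - 1) + 1
    big_d = ec_mul(d, GEN)                                  # D = dP
    beta = h_zq(b"H1", pid, big_d, pk_nm)                   # beta = H1(PID, D, PK_NM)
    return (d + beta * s_nm) % N, big_d                     # k = (d + beta*s_NM) mod q

def verify_ppk(k, big_d, pk_nm, pid):
    """Device-side authenticity check kP == D + beta*PK_NM (step viii)."""
    beta = h_zq(b"H1", pid, big_d, pk_nm)
    return ec_mul(k, GEN) == ec_add(big_d, ec_mul(beta, pk_nm))

def signcrypt(msg, pid, sk_pd, pk_pd, pk_ap, t):
    """Section 3.3.1: returns the signcrypted message (c, e, s)."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        big_r = ec_mul(r, pk_ap)                            # R = r*PK_AP
        c = h2_xor(big_r, msg)                              # c = H2(R) xor m
        e = h_zq(b"H3", pid, msg, big_r, pk_pd, pk_ap, t)   # e = H3(PID, m, R, PK_PD, PK_AP, t)
        s = pow(r, -1, N) * (e + sk_pd) % N                 # s = r^-1 (e + SK_PD)
        if s != 0:                                          # step iii: retry when s = 0
            return c, e, s

def unsigncrypt(cipher, pid, sk_ap, pk_ap, pk_pd, t):
    """Section 3.4.1: returns m, or None (the paper's error symbol) when e' != e."""
    c, e, s = cipher
    gamma = pow(s, -1, N)                                   # gamma = s^-1
    v = ec_add(ec_mul(e * gamma % N, pk_ap),                # V = e*gamma*PK_AP
               ec_mul(gamma * sk_ap % N, pk_pd))            #   + gamma*SK_AP*PK_PD  (= R)
    msg = h2_xor(v, c)                                      # m = H2(V) xor c
    # e' must hash the same inputs in the same order as signcrypt, or it never matches e
    if h_zq(b"H3", pid, msg, v, pk_pd, pk_ap, t) != e:
        return None
    return msg

def demo():  # one PD -> AP exchange plus a tampered copy: (recovered message, tampered result)
    s_nm = secrets.randbelow(N - 1) + 1                     # NM master key, PK_NM = s_NM*P
    pk_nm = ec_mul(s_nm, GEN)
    pid, t = b"PID-constructed-0001", b"1700000000"         # constructed pseudo identity, timestamp
    k_pd, d_pd = nm_extract_ppk(s_nm, pk_nm, pid)
    assert verify_ppk(k_pd, d_pd, pk_nm, pid)
    # Assumption: signcryption keys are scalars with pk = sk*P, as the correctness proof needs
    sk_pd, sk_ap = k_pd, secrets.randbelow(N - 1) + 1
    pk_pd, pk_ap = ec_mul(sk_pd, GEN), ec_mul(sk_ap, GEN)
    cipher = signcrypt(b"HR=72 SpO2=98", pid, sk_pd, pk_pd, pk_ap, t)
    tampered = (cipher[0][:1] + bytes([cipher[0][1] ^ 1]) + cipher[0][2:],) + cipher[1:]
    return (unsigncrypt(cipher, pid, sk_ap, pk_ap, pk_pd, t),
            unsigncrypt(tampered, pid, sk_ap, pk_ap, pk_pd, t))
```

Running `demo()` returns the recovered plaintext for the genuine message and `None` for the copy with one flipped ciphertext bit, which is the $e' \neq e$ rejection path of step vi.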
4. Security Analysis
4.1 Security Model
We consider two adversary types, Type-1 and Type-2, which model the typical WBAN attackers in real-life scenarios. A Type-1 adversary is an outsider attacker or a regular user who can replace a node’s public key with a value of its choice but has no access to the NM’s master secret key. This type of adversary can perform eavesdropping and impersonation attacks in WBANs. A Type-2 adversary, on the other hand, is an insider attacker, specifically a trusted-but-curious NM that possesses the master secret key. The NM is expected to be honest and should not replace a node’s public key with a value of its choice. A Type-2 adversary can tamper with data and perform session hijacking.
4.2 Security Proof
The security proof is conducted using Game-1 and Game-2. The players of Game-1 are the Type-1 adversary $Adv_1$ and the challenger $\mathcal{C}$; $Adv_1$ asks $\mathcal{C}$ a number of queries and $\mathcal{C}$ answers them correctly. The target of $Adv_1$ is to compromise the proposed scheme using the answers given by $\mathcal{C}$.
Definition 1: If the advantage of $Adv_1$ in winning Game-1 is negligible, the study argues that the proposed scheme is secure against $Adv_1$.
The players of Game-2 are the Type-2 adversary $Adv_2$ and the challenger $\mathcal{C}$; $Adv_2$ asks $\mathcal{C}$ a number of queries and $\mathcal{C}$ answers them correctly. The target of $Adv_2$ is to compromise the proposed scheme using the answers given by $\mathcal{C}$.
Definition 2: If the advantage of $Adv_2$ in winning Game-2 is negligible, the study argues that the proposed scheme is secure against $Adv_2$.
Theorem 1: Assume that adversary $Adv_1$ can win Game-1 with a non-negligible advantage $\varepsilon' \geq \frac{c}{q_{H_0} + q_{H_1} + q_{H_2} + q_{H_3} + q_{Sig} + q_{Unsig}}$ in the ROM after $q_{H_i}$ ($i = 0, \ldots, 3$) hash queries, $q_{Sig}$ signcryption queries and $q_{Unsig}$ unsigncryption queries. Then there exists a challenger $\mathcal{C}$ who can solve the CDH problem with a minimum advantage $\varepsilon'$ as defined at the end of the proof.
Proof: Suppose $(P, aP, bP)$ is an instance of the CDH problem, where $a, b \in \mathbb{Z}_q$. We show how the challenger $\mathcal{C}$ in Game-1 interacts with adversary $Adv_1$ to compute $C = abP$.
Setup: The challenger $\mathcal{C}$ executes the setup algorithm to generate the system parameters $params = \{p, q, G, P, PK_{NM}, H_0, H_1, H_2, H_3\}$ and a master secret key $s_{NM}$. Note that $\mathcal{C}$ shares $params$ with $Adv_1$ but keeps $s_{NM}$ secret. To ensure consistency of the queries and responses in the ROM, $\mathcal{C}$ maintains lists $L_{H_i}$ ($i = 0, \ldots, 3$) for hash queries, and lists $L_{PPK}, L_{SK}, L_{PK}, L_{Sig}$ and $L_{Unsig}$ for partial private key, secret key, public key, signcryption and unsigncryption queries, respectively. All lists are initially empty.
i. Phase-I
The challenger $\mathcal{C}$ randomly chooses $PID^{+}$ as the target pseudo identity to be challenged. At this point, the study adopts the irreflexivity assumption (Li, 2018), i.e., given two pseudo identities $PID_1$ and $PID_2$, if $PID_1 = PID^{+}$ then $PID_2 \neq PID^{+}$, and vice versa.
a. $H_0$ query: Adversary $Adv_1$ submits a query on $(\alpha_i, T_i)$ to the challenger $\mathcal{C}$. $\mathcal{C}$ searches for the tuple $(\alpha_i, T_i, h_0)$ in the list $L_{H_0}$ and returns $h_0$ if the tuple exists. Otherwise, $\mathcal{C}$ chooses a hash value $h_0 \in \mathbb{Z}_q^*$ at random and returns $h_0$ to $Adv_1$. Then, $\mathcal{C}$ updates $L_{H_0}$ with the tuple $(\alpha_i, T_i, h_0)$.
b. $H_1$ query: Adversary $Adv_1$ submits a query on $(PID_i, D_{PD_i}, PK_{NM})$ to the challenger $\mathcal{C}$. $\mathcal{C}$ searches for the tuple $(PID_i, D_{PD_i}, PK_{NM}, \beta_{PD_i})$ in the list $L_{H_1}$ and returns $\beta_{PD_i}$ if the tuple exists. Otherwise, $\mathcal{C}$ chooses a hash value $\beta_{PD_i} \in \mathbb{Z}_q^*$ at random and returns $\beta_{PD_i}$ to $Adv_1$. Then, $\mathcal{C}$ updates $L_{H_1}$ with the tuple $(PID_i, D_{PD_i}, PK_{NM}, \beta_{PD_i})$.
c. $H_2$ query: Adversary $Adv_1$ submits a query on $(R_{PD_i})$ to the challenger $\mathcal{C}$. $\mathcal{C}$ searches for the tuple $(R_{PD_i}, b)$ in the list $L_{H_2}$ and returns $b$ if the tuple exists. Otherwise, $\mathcal{C}$ chooses a hash value $b \in \mathbb{Z}_q^*$ at random and returns $b$ to $Adv_1$. Then, $\mathcal{C}$ updates $L_{H_2}$ with the tuple $(R_{PD_i}, b)$.
d. $H_3$ query: Adversary $Adv_1$ submits a query on $(PID_{PD_i}, m_{PD_i}, R_{PD_i}, PK_{PD_i}, PK_{AP}, t_i)$ to the challenger $\mathcal{C}$. $\mathcal{C}$ searches for the tuple $(PID_{PD_i}, m_{PD_i}, R_{PD_i}, PK_{PD_i}, PK_{AP}, t_i, e)$ in the list $L_{H_3}$ and returns $e$ if the tuple exists. Otherwise, $\mathcal{C}$ chooses a hash value $e \in \mathbb{Z}_q^*$ at random and returns $e$ to $Adv_1$. Then, $\mathcal{C}$ updates $L_{H_3}$ with the tuple $(PID_{PD_i}, m_{PD_i}, R_{PD_i}, PK_{PD_i}, PK_{AP}, t_i, e)$.
e. Partial private key query: Adversary Adv1A d v_{1} submits partial private key query for PIDPD1P I D_{P D_{1}} to the challenger C\mathcal{C}. If PID1=PID1+P I D_{1}=\mathrm{PID}_{1}^{+}, challenger C\mathcal{C} terminates the algorithm. Otherwise, if PID1≠PID1+P I D_{1} \neq \mathrm{PID}_{1}^{+}, challenger C\mathcal{C} performs the following: selects ηi,ϕi∈Zq∗\eta_{i}, \phi_{i} \in \mathbb{Z}_{q}^{*} \quad at random and computes DPD1=ηiP−ϕiPD_{P D_{1}}=\eta_{i} P-\phi_{i} P. Next, challenger C\mathcal{C} sets kPD1=ηik_{P D_{1}}=\eta_{i}, H1(PID1,DPD1,PKNM)=βPD1=ϕiH_{1}\left(P I D_{1}, D_{P D_{1}}, P K_{N M}\right)=\beta_{P D_{1}}=\phi_{i} and PPKPD1=(kPD1,kPD1)P P K_{P D_{1}}=\left(k_{P D_{1}}, k_{P D_{1}}\right). Finally, Challenger C\mathcal{C} returns PPKPD1P P K_{P D_{1}} to adversary Adv1A d v_{1} as partial private key and updates list LPPKL_{P P K} with the tuple (PID1,DPD1,βPD1,kPD1)\left(P I D_{1}, D_{P D_{1}}, \beta_{P D_{1}}, k_{P D_{1}}\right).
f. Public key query: Adversary Adv1A d v_{1} submits a public key query for PID1P I D_{1} to the challenger C.C\mathcal{C} . \mathcal{C} searches for PID1P I D_{1} query in the list LPKL_{P K} and returns PKPD1P K_{P D_{1}} if the query exists. Otherwise, C\mathcal{C} recovers tuple (PID1,DPD1,βPD1,kPD1)\left(P I D_{1}, D_{P D_{1}}, \beta_{P D_{1}}, k_{P D_{1}}\right) from LPPKL_{P P K}. Next, C\mathcal{C} chooses xPD1∈Zq∗x_{P D_{1}} \in \mathbb{Z}_{q}^{*} at random and computes XPD1=xPD1PKNMX_{P D_{1}}=x_{P D_{1}} P K_{N M} and YPD1=kPD1PKNMY_{P D_{1}}=k_{P D_{1}} P K_{N M}. Finally, C\mathcal{C} returns PKPD1=(XPD1+YPD1)P K_{P D_{1}}=\left(X_{P D_{1}}+Y_{P D_{1}}\right) to Adv1A d v_{1} as public key and updates list LPKL_{P K} with the tuple (PID1,kPD1,xPD1,PKPD1)\left(P I D_{1}, k_{P D_{1}}, x_{P D_{1}}, P K_{P D_{1}}\right).
g. Private key query: Adversary $Adv_{1}$ submits a private key query for $PID_{1}$ to the challenger $\mathcal{C}$. If $PID_{1}=PID_{1}^{+}$, $\mathcal{C}$ terminates the algorithm. Otherwise, if $PID_{1} \neq PID_{1}^{+}$, challenger $\mathcal{C}$ performs the following: searches for the $PID_{1}$ query in the list $L_{PK}$ and returns $SK_{PD_{1}}$ to $Adv_{1}$ if the query exists. Otherwise, $\mathcal{C}$ runs the partial private key and public key queries to output the tuple $(PID_{1}, k_{PD_{1}}, x_{PD_{1}}, X_{PD_{1}}, Y_{PD_{1}})$. Finally, $\mathcal{C}$ returns $SK_{PD_{1}}=(k_{PD_{1}}, x_{PD_{1}})$ to $Adv_{1}$ as the private key.
h. Public key replace query: Adversary $Adv_{1}$ submits a public key replace query with input $(PID_{1}, PK_{PD_{1}}^{i})$ to the challenger $\mathcal{C}$, where $PK_{PD_{1}}^{i}=X'_{PD_{1}}+Y'_{PD_{1}}$, $X'_{PD_{1}}=x'_{PD_{1}}PK_{NM}$ and $Y'_{PD_{1}}=k'_{PD_{1}}PK_{NM}$. Next, $\mathcal{C}$ sets $X_{PD_{1}}=X'_{PD_{1}}$, $Y_{PD_{1}}=Y'_{PD_{1}}$, $k_{PD_{1}}=k'_{PD_{1}}$ and $x_{PD_{1}}=x'_{PD_{1}}$. Finally, $\mathcal{C}$ updates list $L_{PK}$ with the tuple $(PID_{1}, k'_{PD_{1}}, x'_{PD_{1}}, PK'_{PD_{1}})$.
i. Signcryption query: Adversary $Adv_{1}$ submits a signcryption query with input $(PK_{PD_{1}}, PK_{AP}, m_{PD_{1}})$ to the challenger $\mathcal{C}$. $\mathcal{C}$ then chooses $r_{PD_{1}} \in \mathbb{Z}_{q}^{*}$ and computes $R_{PD_{1}}=r_{PD_{1}}PK_{AP}$. Next, $\mathcal{C}$ computes $b=H_{2}(R_{PD_{1}})$, where $H_{2}(R_{PD_{1}})$ can be retrieved from list $L_{H_{2}}$. Additionally, $\mathcal{C}$ computes $c=b \oplus m_{PD_{1}}$ and $e=H_{3}(PID_{PD_{1}}, m_{PD_{1}}, R_{PD_{1}}, PK_{PD_{1}}, PK_{AP}, t_{i})$, where the $H_{3}$ value can be retrieved from list $L_{H_{3}}$. Finally, $\mathcal{C}$ computes $s=r_{PD_{1}}^{-1}(e+SK_{PD_{1}})$, returns $\varrho_{i}=(c, e, s)$ to adversary $Adv_{1}$ and updates list $L_{Sig}$ with the tuple $(c, e, s, \varrho_{i})$.
j. Unsigncryption query: Adversary $Adv_{1}$ submits an unsigncryption query with input $(PK_{PD_{1}}, PK_{AP}, \varrho_{i})$ to the challenger $\mathcal{C}$. $\mathcal{C}$ computes $y=s^{-1}$ and $V_{AP}=eyPK_{AP}+yPK_{PD_{1}}SK_{AP}$. If $V_{AP} \notin L_{H_{3}}$, an error message is returned. Otherwise, $\mathcal{C}$ computes $b'=H_{2}(V_{AP})$, then $m_{PD_{1}}=b' \oplus c$. If $(m_{PD_{1}}, V_{AP}, PK_{PD_{1}}, PK_{AP}, PID_{PD_{1}}, t_{i}) \notin L_{H_{3}}$, an error message is returned. Otherwise, $\mathcal{C}$ computes $e'=H_{3}(m_{PD_{1}}, V_{AP}, PK_{PD_{1}}, PK_{AP}, PID_{PD_{1}}, t_{i})$. If $e' \neq e$, an error message is returned. Otherwise, $\mathcal{C}$ returns $m_{PD_{1}}$ to $Adv_{1}$ and updates list $L_{Unsig}$ with $(m_{PD_{1}})$.
k. Challenge: Adversary $Adv_{1}$ gives two challenge plaintexts $\{m_{PD_{0}}, m_{PD_{1}}\}$ and a target pseudo-identity $PID_{1}^{+}$ to challenger $\mathcal{C}$. Next, $\mathcal{C}$ chooses $i \in \{0,1\}$ at random, $b^{+} \in \{0,1\}^{i}$, and $e^{+}, s^{+} \in \mathbb{Z}_{q}^{*}$. $\mathcal{C}$ computes $c^{+}=b^{+} \oplus m_{PD_{1}}$ and $y^{+}=(s^{+})^{-1}$. $\mathcal{C}$ queries the values $\alpha_{i}$ and $\beta_{PD_{1}}$ from lists $L_{H_{0}}$ and $L_{H_{1}}$, respectively. When $Adv_{1}$ submits an $H_{2}$ query with input $R_{PD_{1}}^{+}=(e^{+}y^{+}+y^{+}SK_{PD_{1}})PK_{AP}$, $\mathcal{C}$ returns $b^{+}$. When $Adv_{1}$ submits an $H_{3}$ query with input $(m_{PD_{1}}, R_{PD_{1}}^{+}=(e^{+}y^{+}+y^{+}SK_{PD_{1}})PK_{AP}, PK_{PD_{1}}, PK_{AP})$, $\mathcal{C}$ returns $e^{+}$. Finally, $\mathcal{C}$ returns the ciphertext $\varrho_{i}^{+}=(c^{+}, e^{+}, s^{+})$ to $Adv_{1}$.
ii. Phase-II
Adversary $Adv_{1}$ can execute all queries of Phase-I except the unsigncryption query on $\varrho_{i}^{+}$ to extract the plaintext $m_{PD_{1}}$.
Guess: Lastly, $Adv_{1}$ makes a guess $i' \in \{0,1\}$ for $i$. If $i'=i$ holds, adversary $Adv_{1}$ returns $r_{PD_{i}}=ey+ySK_{PD_{i}}$ as the solution to the CDH problem. Otherwise, $Adv_{1}$ fails to solve CDH. Similar steps are followed during Game 2. This theorem proves the scheme's Indistinguishability under Chosen Ciphertext Attack (IND-CCA). Since our scheme is IND-CCA secure, no attacker can read the contents of the messages sent in this network, by the hardness assumption of the Computational Diffie-Hellman problem. Therefore, Theorem 1 confirms that our scheme has the confidentiality security property.
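The signcryption and unsigncryption queries above spell out the scheme's message-level operations: the sender picks $r$, derives $R=rPK_{AP}$, masks the message with $H_{2}(R)$, binds everything with $e=H_{3}(\cdot)$ and closes with $s=r^{-1}(e+SK)$; the receiver inverts $s$ and rebuilds $R$ as $V=eyPK_{AP}+ySK_{AP}PK_{PD}$. The following Python is an added illustration written for this page, not the paper's reference code. It assumes things the page does not fix: the curve is secp256k1, every public key is $SK \cdot P$ for the same generator $P$ (so $ySK_{AP}PK_{PD}=ySK_{PD}PK_{AP}$ and $V$ collapses to $r\,PK_{AP}$), $H_{2}$ is SHA-256 expanded to the message length, and $H_{3}$ is SHA-256 reduced into $\mathbb{Z}_{q}^{*}$; the identity string, timestamp and reading are constructed sample values.

```python
"""Pairing-free signcrypt / unsigncrypt as described in the proof's query
simulation.  Added example for this page; assumptions are marked below."""
import hashlib
import secrets

# secp256k1 domain parameters (assumption: the page does not name a curve).
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A_COEF = 0
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of P
G = (GX, GY)   # the generator P of the paper
INF = None     # point at infinity


def ec_add(p1, p2):
    """Affine point addition / doubling on y^2 = x^3 + 7 over GF(P_MOD)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def point_bytes(point):
    return point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")


def keygen():
    """Assumption: PK = SK * P for both the personal device and the access point."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, ec_mul(sk, G)


def h2(point, length):
    """H2: expand SHA-256 of R into a length-byte mask (assumed instantiation)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(point_bytes(point) + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def h3(pid, m, point, pk_s, pk_r, t):
    """H3(PID, m, R, PK_PD, PK_AP, t) reduced into Z_q^* (assumed instantiation)."""
    data = pid + m + point_bytes(point) + point_bytes(pk_s) + point_bytes(pk_r) + t.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def signcrypt(pid, m, sk_s, pk_s, pk_r, t):
    """Sender: R = r*PK_AP, c = H2(R) xor m, e = H3(...), s = r^-1 (e + SK_PD)."""
    while True:
        r = secrets.randbelow(Q - 1) + 1
        R = ec_mul(r, pk_r)
        c = bytes(x ^ y for x, y in zip(h2(R, len(m)), m))
        e = h3(pid, m, R, pk_s, pk_r, t)
        if (e + sk_s) % Q:                      # retry in the negligible case e + SK = 0 mod q
            return (c, e, pow(r, -1, Q) * (e + sk_s) % Q)


def unsigncrypt(pid, ct, pk_s, sk_r, pk_r, t):
    """Receiver: y = s^-1, V = e*y*PK_AP + y*SK_AP*PK_PD, recover m, recheck e."""
    c, e, s = ct
    if not (0 < s < Q and 0 < e < Q):
        return None
    y = pow(s, -1, Q)
    V = ec_add(ec_mul(e * y % Q, pk_r), ec_mul(y * sk_r % Q, pk_s))
    if V is INF:
        return None
    m = bytes(x ^ mask for x, mask in zip(h2(V, len(c)), c))
    return m if h3(pid, m, V, pk_s, pk_r, t) == e else None   # e' != e -> reject


def demo():
    """Round-trip a constructed WBAN reading and reject a tampered ciphertext."""
    sk_pd, pk_pd = keygen()                     # personal device (sender)
    sk_ap, pk_ap = keygen()                     # access point (receiver)
    pid, t, m = b"PID-PD-1", 1700000000, b"heart rate 72 bpm"   # constructed sample values
    ct = signcrypt(pid, m, sk_pd, pk_pd, pk_ap, t)
    c, e, s = ct
    tampered = (bytes([c[0] ^ 1]) + c[1:], e, s)
    return unsigncrypt(pid, ct, pk_pd, sk_ap, pk_ap, t) == m and \
        unsigncrypt(pid, tampered, pk_pd, sk_ap, pk_ap, t) is None


if __name__ == "__main__":
    print("round trip and tamper check:", demo())
```

Because $e$ commits to the recovered message, $V$, both public keys, the pseudo-identity and the timestamp, a flipped ciphertext byte, a replayed timestamp or a different receiver key all fail the final $e'=e$ check rather than yielding a plausible plaintext, which is the behaviour the unsigncryption query's error branches describe.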
Theorem 2: Assume that adversary $Adv_{1}$ can win Game 3 with a non-negligible advantage $\varepsilon' \geq \frac{c}{q_{H_{0}}+q_{H_{1}}+q_{H_{2}}+q_{H_{3}}+q_{Sig}+q_{Unsig}}$ in the ROM after $q_{H_{i}}$ ($i=0,\ldots,3$) hash queries, $q_{Sig}$ signcryption queries and $q_{Unsig}$ unsigncryption queries. Then there exists a challenger $\mathcal{C}$ who can solve the ECDL problem with a minimum advantage $\varepsilon'$ as defined at the end of the proof.
Proof: Suppose $(Q=aP)$ is an instance of the ECDL problem, where $a \in \mathbb{Z}_{q}^{+}$. We show how challenger $\mathcal{C}$ in Game 3 interacts with adversary $Adv_{1}$ to compute $a$ from $Q$ and $P$.
Setup: The challenger $\mathcal{C}$ executes the setup algorithm to generate the system parameters $params = \{p, q, G, P, PK_{NM}, H_{0}, H_{1}, H_{2}, H_{3}\}$ and a master secret key $s_{NM}$. Note that the challenger $\mathcal{C}$ shares $params$ with $Adv_{1}$ but keeps $s_{NM}$ secret. To ensure consistency of the queries and responses in the ROM, the challenger $\mathcal{C}$ maintains lists $L_{H_{i}}$ ($i=0,\ldots,3$) for hash queries, and lists $L_{PPK}, L_{SK}, L_{PK}, L_{Sig}$ and $L_{Unsig}$ for the partial private key query, secret key query, public key query, signcryption query, and unsigncryption query, respectively. All lists are initially empty.
Phase-I
The challenger $\mathcal{C}$ randomly chooses $PID_{i}^{+}$ as the target pseudo-identity to be challenged. At this point, we adopt the irreflexivity assumption (Li, 2018), i.e., given two pseudo-identities $PID_{1}$ and $PID_{2}$, if $PID_{1}=PID_{i}^{+}$ then $PID_{2} \neq PID_{i}^{+}$, and vice versa.
Adversary $Adv_{1}$ adaptively submits hash queries, including the $H_{0}$ query, $H_{1}$ query, $H_{2}$ query and $H_{3}$ query, together with the partial private key query, private key query, and public key query, to the challenger $\mathcal{C}$, who responds in a similar manner as in Theorem 1 and 2.
Signcryption query: Adversary $Adv_{1}$ submits a signcryption query with input $(PK_{PD_{1}}, PK_{AP}, m_{PD_{1}})$ to the challenger $\mathcal{C}$. $\mathcal{C}$ then chooses $r_{PD_{1}} \in \mathbb{Z}_{q}^{+}$ and computes $R_{PD_{1}}=r_{PD_{1}}PK_{AP}$. Next, $\mathcal{C}$ computes $b=H_{2}(R_{PD_{1}})$, where $H_{2}(R_{PD_{1}})$ can be retrieved from list $L_{H_{2}}$. Additionally, $\mathcal{C}$ computes $c=b \oplus m_{PD_{1}}$ and $e=H_{3}(PID_{PD_{1}}, m_{PD_{1}}, R_{PD_{1}}, PK_{PD_{1}}, PK_{AP}, t_{i})$, where the $H_{3}$ value can be retrieved from list $L_{H_{3}}$. Finally, $\mathcal{C}$ computes $s=r_{PD_{1}}^{-1}(e+SK_{PD_{1}})$, returns $\varrho_{i}=(c, e, s)$ to adversary $Adv_{1}$ and updates list $L_{Sig}$ with the tuple $(c, e, s, \varrho_{i})$.
Forgery: After all the queries have been made, adversary $Adv_{1}$ furnishes the challenge pseudo-identity $PID_{i}^{+}$, i.e., the sender's identity, a message $m_{PD}^{+}$, and a challenge signcryption $\varrho_{i}^{+}=(c^{+}, e^{+}, s^{+})$. Note that the adversary is forbidden from making an unsigncryption query for $\varrho_{i}^{+}$ using the target identity's private key, as this will result in game termination. Otherwise, the challenger $\mathcal{C}$ outputs a message $m$ as the result of unsigncryption with input $(PK_{PD_{1}}, PK_{AP}, \varrho_{i})$. If $m=m_{PD}^{+}$, and $Adv_{1}$ did not query the private key of $PID_{i}^{+}$, did not submit a public key replace query for $PID_{i}^{+}$, and did not issue an extract partial private key query for $PID_{i}^{+}$ at any point, the adversary $Adv_{1}$ wins the game.
Similar steps are followed during Game 2. This theorem proves the scheme's Existential Unforgeability under Chosen Message Attacks (EUF-CMA). Since our scheme is EUF-CMA secure, no attacker can generate valid signatures without access to the NM's secret key, a value that is randomly generated and infeasible to compute due to the hardness of the Elliptic Curve Discrete Logarithm problem. Therefore, Theorem 2 confirms that our scheme has the unforgeability security property.
5. Performance Evaluation
This section evaluates the performance of the proposed scheme in terms of security features, computation cost, and communication cost, and compares it with state-of-the-art schemes.
5.1 Security Features
Table 3 presents a summary of the security features achieved by the study's scheme and a comparison with other related schemes. The security features considered include: sender authentication, message authentication, confidentiality, unforgeability, non-repudiation, key-escrow resistance, availability, forward secrecy, and conditional anonymity. The study uses the symbol ✓ to denote that a scheme meets the security property. On the contrary, the symbol × denotes that a scheme fails to meet the security property. Notably, the study's scheme meets all the security properties listed above, whereas the other six schemes lack various security features, as shown in Table 3.
Table 3: Comparison of Security Features of the Proposed Scheme with Related Schemes
Security Feature | Xiong et al. 2022 | Zhou 2019 | Liu et al. 2020 | Ullah et al. 2021 | Ramadan et al. 2023 | Zhang et al. 2024 | Proposed |
---|---|---|---|---|---|---|---|
Sender authentication | × | ✓ | × | × | × | ✓ | ✓ |
Message authentication | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Confidentiality | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Unforgeability | ✓ | ✓ | × | ✓ | ✓ | ✓ | ✓ |
Non-repudiation | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Key-escrow resistance | × | ✓ | ✓ | ✓ | × | ✓ | ✓ |
Availability | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Forward secrecy | ✓ | ✓ | × | ✓ | ✓ | ✓ | ✓ |
Conditional anonymity | × | × | × | ✓ | × | × | ✓ |
Approach | PKI-IBC | CLC | CLC | CLC | IBC | CLC | CLC |
5.2 Computation Cost
Here, we evaluate the signcryption and unsigncryption costs for both ECC and bilinear pairing-based cryptographic operations. Table 4 shows the running times for the various cryptographic operations considered in this scheme. We generated the running times from a simulation experiment. The experiment employed the Multi-precision Integer and Rational Arithmetic Cryptographic Library for C/C++ (MIRACL), a widely recognized cryptographic toolkit used for conducting various cryptographic operations across different environments. The results were obtained from a set-up with the following specifications: an Intel i7 processor, Windows 10 operating system, 8 GB RAM, and a 3.40 GHz CPU.
Table 4: Cryptographic Operations Running Times
Notation | Cryptographic Operation | Run time (ms) |
---|---|---|
$T_{SM\_ecc}$ | Elliptic Curve Scalar Multiplication | 0.442 |
$T_{SM\_bp}$ | Bilinear Pairing Scalar Multiplication | 1.709 |
$T_{PA\_ecc}$ | Elliptic Curve Point Addition | 0.0018 |
$T_{PA\_bp}$ | Bilinear Pairing Point Addition | 0.071 |
$T_{IN}$ | Inverse | 0.174 |
$T_{h}$ | General Hash Function | 0.0001 |
$T_{Bp}$ | Bilinear Pairing | 4.211 |
$T_{exp}$ | Exponentiation | 3.886 |
Table 5 presents a summary of the computation costs of the proposed scheme and other related schemes for the signcryption and unsigncryption algorithms. From the summary, the computation costs of the signcryption and unsigncryption algorithms of the proposed scheme are $T_{SM\_ecc}+T_{PA\_ecc}+T_{IN}+2T_{h}=0.618$ ms and $2T_{SM\_ecc}+T_{PA\_ecc}+T_{IN}+2T_{h}=1.06$ ms, respectively, and the overall computation cost is 1.678 ms. We note that the proposed scheme outperforms the other six related schemes in terms of computational efficiency for both the signcryption and unsigncryption algorithms, as well as overall efficiency.
Table 5: Total Computation Cost for both Signcryption and Unsigncryption
Scheme | Signcryption cost (ms) | Unsigncryption cost (ms) | Total cost (ms) |
---|---|---|---|
(Xiong et al., 2022) | $4T_{SM\_bp}+4T_{h}+2T_{exp}=14.6084$ | $3T_{Bp}+T_{PA\_bp}+5T_{h}+T_{IN}+T_{exp}=16.7645$ | 31.3729 |
(Zhou, 2019) | $5T_{SM\_ecc}+4T_{PA\_ecc}+5T_{h}=2.2177$ | $7T_{SM\_ecc}+4T_{PA\_ecc}+5T_{h}=3.1017$ | 5.3194 |
(Liu et al., 2020) | $T_{SM\_bp}+5T_{h}+3T_{IN}+6T_{exp}=25.5295$ | $T_{SM\_bp}+3T_{h}+T_{IN}+6T_{exp}=25.1993$ | 50.7288 |
(Ullah et al., 2021) | $4T_{SM\_ecc}+3T_{h}=1.7683$ | $4T_{SM\_ecc}+3T_{h}=1.7683$ | 3.5366 |
(Ramadan et al., 2023) | $2T_{SM\_bp}+T_{PA\_bp}+4T_{h}+2T_{exp}=11.4944$ | $4T_{Bp}+T_{h}=16.4401$ | 27.9345 |
(Zhang et al., 2024) | $3T_{SM\_ecc}+4T_{PA\_ecc}+6T_{h}=1.3338$ | $4T_{SM\_ecc}+4T_{PA\_ecc}+2T_{h}=1.7754$ | 3.1092 |
Proposed | $T_{SM\_ecc}+T_{PA\_ecc}+T_{IN}+2T_{h}=0.618$ | $2T_{SM\_ecc}+T_{PA\_ecc}+T_{IN}+2T_{h}=1.06$ | 1.678 |
Figure 3: Total Computation Cost for both Signcryption and Unsigncryption
5.3 Communication cost
To evaluate communication cost, we consider the storage cost of transmitting the ciphertext, the sender's public key, the receiver's public key, and the timestamp, measured in bytes. For the analysis of bilinear pairing-based schemes, the study adopts a curve $\hat{E}: y^{2}=x^{3}+x \pmod{\hat{p}}$, where $\hat{p}$ is a prime number of size 64 bytes. Curve $\hat{E}$ contains points generated by $\hat{P}$, which form an additive group $\mathbb{G}_{1}$ of order $q$, a 20-byte prime number. A bilinear pairing operation is thus defined as $\mathbb{G}_{1} \times \mathbb{G}_{1} \rightarrow \mathbb{G}_{2}$, with $\mathbb{G}_{1}$ and $\mathbb{G}_{2}$ being the additive and multiplicative groups, respectively. Therefore, the length of $\mathbb{G}_{1}$ is taken as 128 bytes and that of $\mathbb{Z}_{q}^{*}$ as 20 bytes. For the analysis of elliptic curve-based schemes, the study adopts a curve $E: y^{2}=x^{3}+ax+b \pmod{p}$, where $p \in \mathbb{Z}_{q}^{*}$ is a prime number of size 20 bytes. Curve $E$ contains points generated by $P$, which form a cyclic additive group $\mathbb{G}$ of order $q$, where $q \in \mathbb{Z}_{q}^{*}$ is a 20-byte prime number. Therefore, the length of $\lvert \mathbb{G}_{1} \rvert$ is taken as 40 bytes and that of $\lvert \mathbb{Z}_{q}^{*} \rvert$ as 20 bytes. The lengths of the plaintext message $\lvert m \rvert$ and the timestamp $\lvert t \rvert$ are assumed to be 20 bytes and 4 bytes, respectively, for both bilinear pairing and elliptic curve-based schemes. From the summary in Table 6, the total communication cost of the proposed scheme is $4\lvert \mathbb{G}_{1} \rvert+3\lvert \mathbb{Z}_{q}^{*} \rvert+\lvert t \rvert=4 \times 40+3 \times 20+4=224$ bytes. The total communication costs of the other related schemes used for comparison are provided in Table 6.
Table 6: Total communication cost for single message
Scheme | Total communication cost for single message (bytes) |
---|---|
(Xiong et al., 2022) | $7\lvert \mathbb{G}_{1} \rvert+2\lvert \mathbb{Z}_{q}^{*} \rvert+\lvert t \rvert=944$ |
(Zhou, 2019) | $4\lvert \mathbb{G}_{1} \rvert+\lvert \mathbb{Z}_{q}^{*} \rvert+\lvert t \rvert=184$ |
(Liu et al., 2020) | $6\lvert \mathbb{Z}_{q}^{*} \rvert+\lvert m \rvert+\lvert t \rvert=792$ |
(Ullah et al., 2021) | $2\lvert \mathbb{G}_{1} \rvert+2\lvert \mathbb{Z}_{q}^{*} \rvert+\lvert m \rvert+\lvert t \rvert=144$ |
(Ramadan et al., 2023) | $4\lvert \mathbb{G}_{1} \rvert+2\lvert m \rvert+\lvert t \rvert=556$ |
(Zhang et al., 2024) | $5\lvert \mathbb{G}_{1} \rvert+\lvert \mathbb{Z}_{q}^{*} \rvert+\lvert m \rvert+\lvert t \rvert=244$ |
Proposed | $4\lvert \mathbb{G}_{1} \rvert+3\lvert \mathbb{Z}_{q}^{*} \rvert+\lvert t \rvert=224$ |
Figure 4: Total communication cost for single message
Table 7 provides a comparison of the total computation and communication costs of the proposed scheme and the other related schemes.
Table 7: Comparison of the Total Computation and Communication Costs of the Proposed Scheme with Existing Schemes
Scheme | Total computation cost (in milliseconds) | Total communication cost for single message (in bytes) |
---|---|---|
(Xiong et al., 2022) | 31.3729 | 944 |
(Zhou, 2019) | 5.31940 | 184 |
(Liu et al., 2020) | 50.7288 | 792 |
(Ullah et al., 2021) | 3.53660 | 144 |
(Ramadan et al., 2023) | 27.9345 | 556 |
(Zhang et al., 2024) | 3.10920 | 244 |
Proposed | 1.67800 | 224 |
6. Conclusion and Future Work
This study has achieved its objective of analyzing, designing and validating a secure and efficient certificateless signcryption scheme for wireless body area networks using elliptic curve cryptography (ECC). The design achieves a significant performance improvement by reducing both the computation cost of the algorithms and the communication cost, making it suitable for resource-constrained WBAN devices.
Through a comprehensive performance evaluation, the results show that the scheme outperforms the state-of-the-art schemes across the key metrics, i.e., security, computation cost, and communication cost. This validation confirms that the proposed scheme is not only secure but also efficient in its resource usage, thereby enhancing WBAN reliability and usability for healthcare applications. In future, this study intends to improve the proposed scheme by exploring and developing a hybrid cryptographic framework that combines the strengths of ECC with the security features of quantum key distribution (QKD), to create a robust, future-proof cryptographic system that can withstand the capabilities of quantum computers while maintaining the practical benefits of ECC.
References
- Ali, I., Chen, Y., Ullah, N., Kumar, R., & He, W. (2021). An Efficient and Provably Secure ECC-Based Conditional Privacy-Preserving Authentication for Vehicle-to-Vehicle Communication in VANETs. IEEE Transactions on Vehicular Technology, 70(2), 1278-1291. https://doi.org/10.1109/TVT.2021.3050399
- Almuhaideb, A. M. (2022). Secure and Efficient WBAN Authentication Protocols for Intra-BAN Tier. J. Sens. Actuator Netw, 11(44). https://doi.org/10.3390/jsan11030044
- Cornet, B., Fang, H., Ngo, H., Boyer, E. W., & Wang, H. (2022). An Overview of Wireless Body Area Networks for Mobile Health Applications. IEEE Network, 36(1), 76-82. https://doi.org/10.1109/MNET.103.2000761
- Jahan, M., Zohra, F. T., Parvez, M. K., Kabir, U., Al Radi, A. M., & Kabir, S. (2023). An end-to-end authentication mechanism for Wireless Body Area Networks. Smart Health, 29, 100413. https://doi.org/10.1016/j.smhl.2023.100413
- Kasyoka, P. N. (2022). Certificateless Signcryption for Wireless Sensor Networks.
- Li, A. A. O. (2018). Provably Secure Heterogeneous Access Control Scheme for Wireless Body Area Network. J Med Syst, 42(108), 190-198. https://doi.org/10.1007/s10916-018-0964-z
- Liu, X., Wang, Z., Ye, Y., & Li, F. (2020). An efficient and practical certificateless signcryption scheme for wireless body area networks. Computer Communications, 162(February), 169-178. https://doi.org/10.1016/j.comcom.2020.08.014
- Mandal, S. (2022). Provably secure certificateless protocol for wireless body area network. Wireless Networks, 4. https://doi.org/10.1007/s11276-022-03205-4
- Mandal, S. (2023). Provably secure certificateless protocol for wireless body area network. Wireless Networks, 29(3), 1421-1438. https://doi.org/10.1007/s11276-022-03205-4
- Qu, Y., Zheng, G., Ma, H., Wang, X., Ji, B., & Wu, H. (2019). A survey of routing protocols in WBAN for healthcare applications. Sensors (Switzerland), 19(7). https://doi.org/10.3390/s19071638
- Ramadan, M., Raza, S., & Member, S. (2023). Identity-Based Signcryption for Telemedicine Systems. IEEE Internet of Things Journal, 10(18), 16594-16604. https://doi.org/10.1109/JIOT.2023.3269222
- Sama, N. U., Zen, K., Humayun, M., Jhanjhi, N. Z., & Rahman, A. U. (2022). Security in Wireless Body Sensor Network: A Multivocal Literature Study. Applied System Innovation, 5(4). https://doi.org/10.3390/asi5040079
- Ullah, I., Alkhalifah, A., Rehman, S. U., Kumar, N., & Khan, M. A. (2021). An Anonymous Certificateless Signcryption Scheme for Internet of Health Things. IEEE Access, 9, 101207-101216. https://doi.org/10.1109/ACCESS.2021.3097403
- Xiong, H., Hou, Y., Huang, X., Zhao, Y., & Chen, C. M. (2022). Heterogeneous Signcryption Scheme from IBC to PKI with Equality Test for WBANs. IEEE Systems Journal, 16(2), 2391-2400. https://doi.org/10.1109/JSYST.2020.3048972
- Yang, X., Yi, X., Khalil, I., Huang, X., & Shen, J. (2022). Efficient and Anonymous Authentication for Healthcare Service with Cloud Based WBANs. IEEE Transactions on Services Computing, 15(5), 2728-2741.
- Zhang, J., Dong, C., & Liu, Y. (2024). Efficient Pairing-Free Certificateless Signcryption Scheme for Secure Data Transmission in IoMT. IEEE Internet of Things Journal, 11(3), 4348-4361. https://doi.org/10.1109/JIOT.2023.3298840
- Zhang, J., Zhang, Q., Li, Z., Lu, X., & Gan, Y. (2021). A Lightweight and Secure Anonymous User Authentication Protocol for Wireless Body Area Networks. Security and Communication Networks, 2021. https://doi.org/10.1155/2021/4939589
- Zhou, C. (2019). An improved lightweight certificateless generalized signcryption scheme for mobile health system. International Journal of Distributed Sensor Networks, 15(1), 1550147718824465.