An Anonymous Certificateless Signcryption Scheme for Secure and Efficient Deployment of Internet of Vehicles

Abstract

Internet of Vehicles (IoV) is a specialized breed of Vehicular Ad-hoc Networks (VANETs) in which each entity of the system can be connected to the internet. In the provision of potentially vital services, IoV transmits a large amount of confidential data through networks, posing various security and privacy concerns. Moreover, the possibility of cyber-attacks is comparatively higher when data transmission takes place more frequently through various nodes of IoV systems. It is a serious concern for vehicle users, which can sometimes lead to life-threatening situations. The primary security issue in the provision of secure communication services for vehicles is to ensure the credibility of the transmitted message on an open wireless channel. Then, receiver anonymity is another important issue, i.e., only the sender knows the identities of the receivers. To guarantee these security requirements, in this research work, we propose an anonymous certificateless signcryption scheme for IoV on the basis of the Hyperelliptic Curve (HEC). The proposed scheme guarantees formal security analysis under the Random Oracle Model (ROM) for confidentiality, unforgeability, and receiver anonymity. The findings show that the proposed scheme promises better security and reduces the costs of computation and communication.

1. Introduction

Over the past few decades, academic and industry researchers have worked harder to push the technology of Mobile Ad hoc Networks (MANETs) to a new extreme [1]. Mobile devices may now establish a network with flying, self-organizing, and dynamic connections to one another without the need for any fixed communication infrastructure [2]. MANETs evolved over time too, and one of the most advanced forms, Vehicular Ad hoc Networks (VANETs), was introduced, in which peer vehicles exchange information [3]. Vehicles, in collaboration with transportation infrastructure, engage in vehicle-to-everything (V2X) communication, which includes vehicle-to-vehicle (V2V), vehicle-to-sensor (V2S), vehicle-to-pedestrian (V2P), and vehicle-to-infrastructure (V2I) interactions [4]. The Internet of Vehicles (IoV), a hybrid of VANETs and the Internet of Things, sometimes known as IoT on wheels, relies heavily on V2X communication. In both non-safety and safety-critical automotive applications, IoV is truly a breakthrough technology.

IoV is a dynamic mobile connectivity infrastructure that provides a low-cost networking solution for connecting vehicles to the public network in order to improve transportation system safety and performance [5]. Therefore, a strong, but versatile, communication, networking, and computing technology foundation is needed for this complex ecosystem. Fifth-generation (5G) technology would be a safer option in such a setting to offer ultra-low latency, ultra-fast reliability, high data rate, and everywhere access. Because 5G networks enable vehicles to accommodate different types of IoV message deliveries to support intelligent transportation systems, where all vehicles and infrastructure systems are interconnected. A 5G-enabled IoV system is very important for the automotive industry because of its infrastructure and large capacity to support communication services. As a result, connected vehicles represent the next IoV frontier, while ongoing 5G innovation is necessary to enable high-reliability and low-latency radio access for essential communications, even in high-density IoV systems [6].

Since IoV has widespread interconnected networks with numerous users, there is an increased risk of security and privacy concerns [7]. The possibility of cyber-attacks is comparatively higher when data transmission takes place more frequently through various nodes of IoV systems. For instance, if a self-governing vehicle needs to execute a certain task, it gets, among other things, the simple safety warning containing appropriate task-specific information such as time, speed, and destination, etc. However, the environments of IoV could be dangerous in the absence of security protections. It gives an enormous opportunity to malicious attackers to modify, intercept, delete, or even insert false information during the on-going transmission.

Most of the existing cybersecurity mechanisms deal with critical system components and provide a solution to the well-known security threats. Some of the well-known common security and privacy issues across the IoV environment include tracking vehicle locations, hardware tampering, unauthorized data access, message modification, and fabrication [8]. The intruders can even introduce an ambiguity across the network and steal the confidential data with the inevitable loss of data integrity and privacy features. Once the identity of the user is compromised, it will put his or her property and safety at risk, and a malicious attacker, such as a stalker, could use the targeted identity to track down a specific driver and/or initiate a malicious attack. Thus, advanced security measures for IoV systems have become the most essential requirement [9].

The primary security concerns in providing secure connectivity in an IoV network is to ensure the authenticity of the transmitted messages on an open wireless channel. Then, receiver anonymity is another important issue, i.e., only the sender knows the identities of the receivers. Providentially, such obstruction can be fulfilled by utilizing a compound scheme, named anonymous signcryption [10]. The scheme is anonymous and can avoid malicious user attack while performing encryption and authentication in one go. To avoid the key escrow problem in the proposed compound scheme, a certificateless cryptosystem is usually preferred [11].

The Key Generation Center (KGC) has no previous knowledge of the secret value of the participant in a certificateless cryptosystem; the key escrow dilemma can, therefore, be avoided. Rivest-Shamir-Adleman (RSA), bilinear pairing, and elliptic curve cryptography, which are typically based on computationally challenging problems, are typically used to achieve security and efficiency in the security scheme [12]. For example, the RSA cryptography uses a large factorization of having key-size stretches as much as 1024-bits. Bilinear pairing is weaker compared to RSA, due to immense pairing and map-to-point function computation. Similarly, the elliptic curve was implemented to resolve the inconsistencies associated with RSA and bilinear pairing, which is a modern cryptography technique. The elliptic curve cryptography is used to provide the security and efficiency with a key-size up to 160 bits. Nevertheless, to provide the same level of security as elliptic curve, an advanced version, called hyperelliptic curve (HEC), was introduced [13]. The HEC uses 80-bit key size, and, at the same time, promises the security features characteristic of elliptic curve, bilinear pairing, and RSA. Therefore, the hyper elliptic curve is alleged as a much better choice for IoV. In short, to adapt an anonymous certificateless signcryption scheme in the IoV environment, the proposed scheme must satisfy the following attributes:

• Confidentiality, unforgeability, and anonymity.
• Immune to key escrow problem.
• Secure in open wireless channels.
• Efficient in terms of computational and communication costs.
• Provably secure using ROM model.

1.1. Motivation and Contributions

This paper is motivated from the aforementioned discussion and solves the problem, to ensure the credibility of the transmitted message and receiver anonymity, by proposing a new scheme, which is certificateless and based on the concept of a hyper-elliptic curve. The main contributions of the undertaken research work are distinguished by the following outstanding attributes:

• An efficient and secure scheme, namely an anonymous certificateless signcryption scheme, has been proposed for an IoV environment.
• The proposed scheme avoids the key escrow problem by employing the certificateless cryptography mechanism.
• Moreover, the proposed scheme makes use of hyperelliptic curve cryptography for encryption and signature verification.
• The proposed scheme guarantees confidentiality, unforgeability, and receiver anonymity on open wireless links under the Random Oracle Model (ROM) analysis.
• Finally, it is revealed that the proposed scheme is superior, particularly in terms of computational and communication costs, while doing a comparative study with relevant state-of-art schemes.

1.2. Organization of the Paper

The article is structured as follows. Related work is discussed in Section 2. Preliminaries are explained in Section 3. System models are given in Section 4. The proposed scheme can be seen in Section 5. Formal security analysis, using ROM, is carried out in Section 6. Section 7 presents performance comparison with existing schemes. Finally, Section 8 contains the concluding thoughts.

2. Related Work

In recent years, IoV has been recognized in a range of applications, ranging from smart transportation to health care and itinerary planning. Vehicles aggregate mission-critical data from the deployed area within IoV systems and disseminate it using their OBUs with other vehicles, RSUs, and cloud servers. IoV data can be analyzed locally or on a cloud server, and actions are taken according to the type of request.

Since IoV has widespread interconnected networks with numerous users, it is obvious that there is an increased risk of security and privacy measures. The use of encryption and digital signature cryptographic tools will overcome these concerns. In addition, if both the tools, i.e., encryption and digital signature, are needed at the same time, an amalgamated form, called signcryption, is used. To remove the key escrow problem associated with signcryption, a certificateless approach is generally taken into account [14].

In 2008, certificateless signcryption (CLSC) scheme was first introduced by Barbosa and Farshim [15]. One year later, in 2009, Xie et al. [16] proposed a certificateless signcyption scheme based on the standard model. Liu et al. [17], in 2010, presented a standard model-based certificateless signcryption. These schemes, on the other hand, have a high computational cost, take a long time to execute, and are not very secure.

In the same year, in 2010, Selvi et al. [18], overcome the security weaknesses of Xie et al. [16] and Liu et al. [17] signcryption schemes.

In 2014, Shi et al. [19] suggested an improvement in the CLSC scheme in terms of security under random oracle model and without bilinear pairings. In 2016, Abdul Wahid and Masahiro Mamb [20] suggested a certificateless signature scheme based on the elliptic curve theorem. In JavaScript, the implementation of the proposed scheme was accomplished. The authors believed that, after cost analysis, their scheme was better than the relevant existing schemes. A standard model-based certificateless signcryption scheme was proposed by Caixue et al. [21] and Parvin Rastegari and Mehdi Berenjkoub [22]. Their analysis shows that, compared to all random oracle model-based certificateless sign encryption systems, the presented schemes were much more reliable and efficient.

In 2017, certificateless signcryption schemes, without bilinear pairing, were proposed [23,24]. The security specifications of the schemes presented in [23,24] were shown to be secured via the ROM. Later, in 2018, Zhou [25] suggested a new bilinear pairing certificateless signcryption approach, and security verification on the standard model was carried out. In the same year, pairing-free certificateless signcryption based on elliptic curve cryptography was proposed by Cao and Ge [26]. One year later, in 2019, Luo and Ma [27] proposed an efficient and secure certificateless hybrid signcryption for cloud storage.

In order to overcome the significant error in the construction of Luo and Ma [27] schemes, Rastegari et al. [28] revisited the proposed scheme in 2019. However, the schemes presented in [26,27,28] are based on the concept of elliptic curve cryptography, which incur high computational costs. Additionally, the schemes do not meet security requirements such as anonymity. Finally, Karati et al. [29] implemented a successful pairing-free certificateless signcryption scheme without a secure channel. The findings show that, in terms of communication overhead, the scheme is better than the relevant existing schemes and could be a better option for the Internet of Things (IoT) following the implementation of a proper revocation mechanism.

The IoV system is vulnerable to a variety of security and privacy risks. As a result, a lightweight security system is necessary to protect against a variety of known and unknown threats. Since all of the above schemes rely on complex cryptographic methods such as elliptic curves and bilinear pairing, they all have high computing and communication costs and are not compatible with the IoV system.

3. Preliminaries

This section introduces some of the fundamental concepts and materials that are used in our proposed model.

Hyperelliptic Curve

The 𝕙𝔼𝕔 is the compressed form of 𝔼𝕔, which contains fewer key and parameters size [30,31]. Equation (1) represents the 𝕙𝔼𝕔 of genus $𝒢$ ≥ 2 over a finite field $𝒰$_p, where $𝒢$ is the non-intersecting curves that is not touching each other when it is drawn on surface.

𝕙𝔼𝕔: Q²+H(V)Q= F(V) mod p

(1)

where $H\left(V\right)$ and $F\left(V\right)$ are polynomials with coefficients in $𝒰$_p. So, the degree of H(V) at most $𝒢$ and the degree of F(V) is equal to 2$𝒢$ + 1. In a sense of non-singularity, there must not exist a point on 𝕙𝔼𝕔 that satisfy the equation: $2Q+H\left(V\right)=0$ and $H^{/}-F^{-}\left(\mathrm{V}\right)=0$.

• HEDHPProblem: Suppose 𝜘.α.$𝒟$ is the assumed occurrence of 𝕙𝔼𝕔 computational defi-helman problem (HEDHP). Finding the two unknown variables that are 𝜘 and α which belongs to {1, 2, 3, p − 1} is called HEDHP. The symbols used in the scheme are illustrated in

  Table 1. Notations used in proposed scheme.

  S. No	Symbol	Descriptions
  1	σ	The predefined security parameter
  2	$𝒢$ ≥ 2	Genus of hyper elliptic curve with not less than 2
  3	$𝒰$p	finite field of order $p$ and $p$ $\ge 2^{80}$
  4	${𝒽}_v,{𝒽}_w,{𝒽}_x,{𝒽}_y$	Irreversible hash functions
  5	η and γ	The private key and public key of KGC respectively
  6	$E_{ℐ}$$\mathrm{and} D_{ℐ}$	An encryption and decryption algorithm
  7	$𝒟$	Devisor on hyper elliptic curve
  8	ξ	The global parameter set
  9	$I{D}_s$$\mathrm{and} I{D}_r$	Identity of sender and receiver
  10	${\mathcal{O}}_s$$\mathrm{and} {\mathcal{O}}_r$	Secret value of sender and receiver
  11	$P{B}_s$$\mathrm{and} P{B}_r$	Public key of sender and receiver
  12	$P_s$$\mathrm{and} P_r$	Private key of sender and receiver
  13	$\mathcal{X},m$	Ciphertext and plaintext
  14	$\stackrel{?}{=}$	The equality is hold or not
  15	${\beta }_s$$\mathrm{and} {\beta }_r$	The partial private key of sender and receiver
  16	$\Psi$	The signcrypted text generated by sender
  17	⊥	Used for null

  .

4. System Models

4.1. Network Model

In this subsection, we propose a network model consisting of cars, Onboard Units (OBUs), Regional Transportation Authority (RTA), and the Roadside Units (RSUs) that make an edge cluster and the vehicles that provide event-driven messages collected through their sensors, as shown in Figure 1, to create the operation and applicability of the proposed scheme in the IoV setting. As a primary component of the proposed network architecture, vehicles are considered. Each vehicle is fitted with OBU, which consists of a camera, IMU, sensors, and a GPS device that can handle various application scenarios. It offers connectivity from vehicle-to-vehicle and vehicle-to-infrastructures. In the proposed framework, RTA acts as a trusted agency that offers registrations facility for the vehicles and edge nodes. RSUs with fixed communication infrastructure are located on the roadside. The key function of RSUs is to collect and validate the event-driven messages provided by the vehicles. RSUs often function as a gateway node in order to access the backbone network. It accomplishes connectivity between these entities using 5G mobile networks. The proposed network model also guarantees flow isolation by individually tunneling data traffic to the app-server from the MEC-node.

4.2. Threat Model

In this section, we briefly discuss three kinds of threats that will happen with the proposed scheme [32]. The first one will be in the form of an indistinguishable scramble text attack (IN-ACLS-CA) against the opponent of ${\mathcal{O}}_1$ and ${\mathcal{O}}_2$, where ${\mathcal{O}}_1$ is the Type 1 opponent, which has the capability to replace the public key of a user and struggle with getting access to the plaintext of a transmitted scramble text. Further, ${\mathcal{O}}_2$ is the Type 2 opponent, which has the capability to access the private key of KGC and struggle with getting access to the plaintext from the transmitted encrypted-text. The second will be in the form of an existentially unforgeable against adaptive chosen plaintext attack (EF-ACLS-PA) against the opponent of ${\mathcal{O}}_1$ and ${\mathcal{O}}_2$. The third will be an indistinguishability of scramble text/identity attack (ANO-ACLS-CA) against the opponent of ${\mathcal{O}}_1$ and ${\mathcal{O}}_2$. The basic introduction about IN-ACLS-CA, against the opponent of ${\mathcal{O}}_1$ and ${\mathcal{O}}_2,$ is presented in the following Game 1 and Game 2. Further, EF-ACLS-PA and ANO-ACLS-CA, are explained in Game 3, Game 4, Game 5, and Game 6.

• Game 1: Let ${\mathcal{O}}_1$ be the Type 1 opponent in the IN-ACLS-CA, and φ can act as challenger and its task to interact with ${\mathcal{O}}_1$ during setup and queries of this Game. The task of φ is to solve HEDHP for ${\mathcal{O}}_1$.

• Setup:φ compute γ, ξ, and give γ and ξ to ${\mathcal{O}}_1$.

• ${𝒽}_i$ Query (${𝓆}_i$): ${\mathcal{O}}_1$ ask for these queries, φ searches whether the requested value subsists in list $L_i$. If it is subsisting, φ can send this exist value to ${\mathcal{O}}_1$. Otherwise, φ pick a random value and send it to ${\mathcal{O}}_1$, and update $L_i$ accordingly.

• CSV Query (${𝓆}_{csv}$): ${\mathcal{O}}_1$ needs φ to accomplish CSV Query. After reception, a φ search whether the requested value subsists in list $L_k$. If it is subsisting, φ send the secret value to ${\mathcal{O}}_1$. Otherwise, φ calls construct secret value algorithm and generates the secret value, send it to ${\mathcal{O}}_1$ and update $L_k$ accordingly.

• CPPK Query (${𝓆}_{cppk}$): ${\mathcal{O}}_1$ needs φ to accomplish CPPK Query. After reception, a φ search whether the requested value subsists in list $L_k$. If it is subsisting, φ send the partial private key to ${\mathcal{O}}_1$. Otherwise, φ calls construct partial private key algorithm and generates the partial private key, send it to ${\mathcal{O}}_1$, and update $L_k$ accordingly.

• CPBPK Query (${𝓆}_{cpbpk}$): ${\mathcal{O}}_1$ needs φ to accomplish CPBPK Query. After reception, a φ search whether the requested value subsists in list $L_k$. If it is subsisting, φ send the public and private key to ${\mathcal{O}}_1$. Otherwise, φ calls construct public and private key algorithm and generates the public and private key, send it to ${\mathcal{O}}_1$, and update $L_k$ accordingly.

• PBKR Query (${𝓆}_{pbkr}$): Upon the request of ${\mathcal{O}}_1$, φ convert the user public into his own selected public key.

• Signcryption Query (${𝓆}_s$): ${\mathcal{O}}_1$ needs φ to make Signcryption Query, φ check if $I{D}_s\ne I{D}_d$ then it calls CPBPK Query, produce $\Psi$ and send it to ${\mathcal{O}}_1$.

• Un-Signcryption Query (${𝓆}_{us}$): ${\mathcal{O}}_1$ needs φ to make Un-Signcryption Query, φ produce $m$ and send it to ${\mathcal{O}}_1$.

• Challenge: Here, $m_1$ and $m_2$ are the two identical sizes but dissimilar type of messages that are selected by ${\mathcal{O}}_1$ for φ. Further, φ chooses a bit 𝜗 ∈ {0, 1} at unsystematic way and uses $m_{\vartheta }$ to develop ${\Psi }^{*}$. Then, it returns ${\Psi }^{*}$ to ${\mathcal{O}}_1$.

• Note that ${\mathcal{O}}_1$ can carry with all the above queries except Un-Signcryption Query (${𝓆}_{us}$) against ${\Psi }^{*}$, further the private key part of CPBPK Query (${𝓆}_{cpbpk}$) and CPPK Query (${𝓆}_{cppk}$) of a device, whose public key is replaced.

• Guess: ${\mathcal{O}}_1$ provides ${\vartheta }^{*}$, if ${\vartheta }^{*}$ = 𝜗, then ${\mathcal{O}}_1$ succeeded and φ gives the solution of HEDHP. Otherwise, φ returns ⊥.

• Game 2: Let ${\mathcal{O}}_2$ be the Type 2 opponent in the IN-ACLS-CA and φ can act as challenger and its task to interact with ${\mathcal{O}}_2$ during setup and queries of this Game. The task of φ is to solve HEDHP for ${\mathcal{O}}_2$.

• Setup:φ give γ, η, and ξ to ${\mathcal{O}}_2$.

• Queries: The queries execution is same as Game 1 except PBKR Query (${𝓆}_{pbkr}$).

• Challenge: Here, $m_1$ and $m_2$ are the two identical sizes but dissimilar type of messages that are selected by ${\mathcal{O}}_2$ for φ. Further, φ chooses a bit 𝜗 ∈ {0, 1} at unsystematic way and uses $m_{\vartheta }$ to develop ${\Psi }^{*}$. Then, it returns ${\Psi }^{*}$ to ${\mathcal{O}}_2$.

• Note that ${\mathcal{O}}_2$ can carry with all the above queries except Un-Signcryption Query (${𝓆}_{us}$) against ${\Psi }^{*}$, further CSV Query (${𝓆}_{csv}$) for target identity.

• Guess: ${\mathcal{O}}_2$ provides ${\vartheta }^{*}$, if ${\vartheta }^{*}$ = 𝜗, then ${\mathcal{O}}_2$ succeeded and φ gives the solution of HEDHP. Otherwise, φ returns ⊥.

• Game 3: Let ${\mathcal{O}}_1$ be the Type 1 opponent in the EF-ACLS-PA and φ can act as challenger and its task to interact with ${\mathcal{O}}_1$ during setup and queries of this Game. The task of φ is to solve HEDHP for ${\mathcal{O}}_1$.

• Setup:φ give γ and ξ to ${\mathcal{O}}_1$.

• The execution of ${𝒽}_i$ Query (${𝓆}_i$), Device Key Query (${𝓆}_{dk}$), CSV Query (${𝓆}_{csv}$), CPPK Query (${𝓆}_{cppk}$), CPBPK Query (${𝓆}_{cpbpk}$), PBKR Query (${𝓆}_{pbkr}$), Signcryption Query (${𝓆}_s$), and Un-Signcryption Query (${𝓆}_{us}$) is same as Theorem 1.

• Forgery: ${\mathcal{O}}_1$ uses $m$ and identity to forge ${\Psi }^{*}$, if ${\Psi }^{*}$ is falsified efficaciously, then it gets the solution of HEDHP. Otherwise, it returns ⊥.

• Note that ${\mathcal{O}}_1$ can carry with all the above queries except Un-Signcryption Query (${𝓆}_{us}$) against ${\Psi }^{*}$.

• Game 4: Let ${\mathcal{O}}_2$ be the Type 2 opponent in the EF-ACLS-PA and φ can act as challenger and its task to interact with ${\mathcal{O}}_2$ during setup and queries of this Game. The task of φ is to solve HEDHP for ${\mathcal{O}}_2$.

• Setup:φ give γ, η, and ξ to ${\mathcal{O}}_2$.

• The execution of ${𝒽}_i$ Query (${𝓆}_i$), Device Key Query (${𝓆}_{dk}$), CSV Query (${𝓆}_{csv}$), CPPK Query (${𝓆}_{cppk}$), CPBPK Query (${𝓆}_{cpbpk}$), Signcryption Query (${𝓆}_s$), and Un-Signcryption Query (${𝓆}_{us}$) is same as Theorem 1.

• Forgery: ${\mathcal{O}}_2$ uses $m$ and identity to forge ${\Psi }^{*}$, if ${\Psi }^{*}$ is falsified efficaciously, then it gets the solution of HEDHP. Otherwise, it returns ⊥. In this execution, the Signcryption Query cannot acquire ${\Psi }^{*}$.

• Game 5: Let ${\mathcal{O}}_1$ be the Type 1 opponent in the ANO-ACLS-CA and φ can act as challenger and its task to interact with ${\mathcal{O}}_1$ during setup and queries of this Game. The task of φ is to solve HEDHP for ${\mathcal{O}}_1$.

• Setup:φ give γ and ξ to ${\mathcal{O}}_1$.

• The execution of ${𝒽}_i$ Query (${𝓆}_i$), Device Key Query (${𝓆}_{dk}$), CSV Query (${𝓆}_{csv}$), CPPK Query (${𝓆}_{cppk}$), CPBPK Query (${𝓆}_{cpbpk}$), PBKR Query (${𝓆}_{pbkr}$), Signcryption Query (${𝓆}_s$), and Un-Signcryption Query (${𝓆}_{us}$) is same as Theorem 1.

• Challenge: Here, $I{D}_1$ and $I{D}_2$ are the two identities that are selected by ${\mathcal{O}}_1$ for φ. Further, φ chooses a bit $e$∈ {0, 1} at unsystematic way to develop ${\Psi }^{*}$. Then, it returns ${\Psi }^{*}$ to ${\mathcal{O}}_1$.

• Guess: ${\mathcal{O}}_1$ provides $e^{*}$, if $e^{*}=e$, then ${\mathcal{O}}_1$ succeeded and φ gives the solution of HEDHP. Otherwise, φ returns ⊥.

• Game 6: Let ${\mathcal{O}}_2$ be the Type 2 opponent in the ANO-ACLS-CA and φ can act as challenger and its task to interact with ${\mathcal{O}}_2$ during setup and queries of this Game. The task of φ is to solve HEDHP for ${\mathcal{O}}_2$.

• Setup:φ give γ, η, and ξ to ${\mathcal{O}}_2$.

• The execution of ${𝒽}_i$ Query (${𝓆}_i$), Device Key Query (${𝓆}_{dk}$), CSV Query (${𝓆}_{csv}$), CPPK Query (${𝓆}_{cppk}$), CPBPK Query (${𝓆}_{cpbpk}$), PBKR Query (${𝓆}_{pbkr}$), Signcryption Query (${𝓆}_s$), and Un-Signcryption Query (${𝓆}_{us}$) is same as Theorem 1.

• Challenge: Here, $I{D}_1$ and $I{D}_2$ are the two identities that are selected by ${\mathcal{O}}_2$ for φ. Further, φ chooses a bit $e$∈ {0, 1} at unsystematic way to develop ${\Psi }^{*}$. Then, it returns ${\Psi }^{*}$ to ${\mathcal{O}}_2$.

• Guess: ${\mathcal{O}}_2$ provides $e^{*}$, if $e^{*}=e$, then ${\mathcal{O}}_2$ succeeded and φ gives the solution of HEDHP. Otherwise, φ returns ⊥.

5. Proposed Scheme

5.1. Syntax of the Proposed Scheme

i.

Setup: KGC makes η as his private key and γ as his public key and also generates ξ as a global parameter set.

ii.

Keys Generation: It contains Construct Secrete Value, Construct Partial Private Key, and Construct Public and Private Key, which are as follow:

• Construct Secrete Value (CSV): The device selects ${\mathcal{Q}}_d$ and computes ${\mathcal{O}}_d$, then sends its identity $\left(I{D}_d\right)$ and ${\mathcal{O}}_d$ to KGC using a secure channel.
• Construct Partial Private Key (CPPK): KGC selects ${\delta }_d,$ computes ${\zeta }_d$, calculates ${\mu }_d,$ makes ${{\rm Y}}_d$, and calculates ${\beta }_d$. Finally, KGC sends ${\zeta }_d$ and ${\beta }_d$ to the device with $I{D}_d$ through a secure link.
• Construct Public and Private Key (CPBPK): The device with identity $\left(I{D}_d\right)$, computes ${{\rm Y}}_d$ and $Z_d$. Then, set $P{B}_d$ as a public key and $P_d$ as a private key.

iii.

Signcryption: Considering the input parameters such as ξ as his private key and identities $(P_s$,$I{D}_s)$, message m, and identity of receiver $I{D}_r$, the sending device generates and send $\Psi =\left(\mathcal{X},𝓀,\Omega \right)$ to receiver.

iv.

Un-Signcryption: On the other hand, the receiving device executes the algorithm by considering the received parameter $\Psi$, and verifies its authenticity.

5.2. Proposed Algorithm

In this phase, we explain the proposed scheme construction steps [27], which are as follows:

i.

Setup: Considering a security input σ, the KGC performs the following operations:

• Define 𝕙𝔼𝕔 of genus $𝒢$ ≥ 2 over a finite field $𝒰$_p, where $𝒢$ represents the non-intersecting curves.
• KGC selects ${𝒽}_v, {𝒽}_w, {𝒽}_x,and {𝒽}_y,$ as irreversible hash functions.
• KGC also selects η where 0 ≤ η ≤ p and computes γ = η. $𝒟$.
• KGC set η as his private key and γ as his public key.
• KGC selects $E_{ℐ}$ and $D_{ℐ}$ as encryption and decryption algorithms.
• KGC sets ξ = {$𝒢$ ≥ 2, $𝒰$_p, 𝕙𝔼𝕔, $𝒟$, p,${𝒽}_v, {𝒽}_w, {𝒽}_x, {𝒽}_y,\gamma , E_{ℐ}$,$D_{ℐ}$} as a global parameter set.

ii.

Keys Generation: It contains Construct Secrete Value, Construct Partial Private Key, and Construct Public and Private Key, which are calculated as follows:

• Construct Secrete Value (CSV): The device sends its identity $\left(I{D}_d\right)$ and ${\mathcal{O}}_d$ to KGC using a secure channel, where ${\mathcal{O}}_d$ = ${\mathcal{Q}}_d$.$𝒟$ and 0 ≤ ${\mathcal{Q}}_d$ ≤ p.
• Construct Partial Private Key (CPPK): KGC selects ${\delta }_d$ where 0 ≤ ${\delta }_d$ ≤ p and then, by considering the receptions values that are $I{D}_d$ and ${\mathcal{O}}_d$, it computes ${\zeta }_d={\delta }_d$.$𝒟$, calculates ${\mu }_d={𝒽}_v\left(I{D}_d,{\mathcal{O}}_d,{\zeta }_d\right)$, makes ${{\rm Y}}_d={\delta }_d+{\mu }_d.\eta$, and calculates ${\beta }_d={{\rm Y}}_d+{𝒽}_w\left(I{D}_d,\eta .{\mathcal{O}}_d\right)$. Finally, KGC sends ${\zeta }_d$ and ${\beta }_d$ to the device with $I{D}_d$ through secure link.
• Construct Public and Private Key (CPBPK): The device with identity $\left(I{D}_d\right)$ considers the reception values that are ${\zeta }_d$ and ${\beta }_d$, computes ${{\rm Y}}_d={\beta }_d-{𝒽}_w\left(I{D}_d,\gamma .{\mathcal{Q}}_d\right)$ and $Z_d={{\rm Y}}_d$.$𝒟$. Then, it checks ${{\rm Y}}_d.\mathcal{D}\stackrel{?}{=}{\zeta }_d$ +${\mu }_d.\gamma$. After successful execution, the device then with identity $\left(I{D}_d\right)$ accepts the values of ${\zeta }_d$ and ${\beta }_d$, and sets $P{B}_d$ =(${\mathcal{O}}_d,Z_d$) as a public key and $P_d$ = (${\mathcal{Q}}_d,{{\rm Y}}_d$) as a private key respectively.

iii.

Signcryption: Considering the input parameters such as ξ as his private key and identities $(P_s$,$I{D}_s)$, message m, and identity of receiver $I{D}_r$, the sending device selects $\ell$ where $0\le \ell \le p$ and computes $𝓀=\ell .\mathcal{D}$, $ℐ={𝒽}_x\left(\ell .{\mathcal{O}}_j\right)$ and $\mathcal{X}=E_{ℐ}\left(m\right),\mathcal{V}={𝒽}_y\left(m,I{D}_r,P{B}_s\right),$ Ω = ${\mathcal{Q}}_s+{{\rm Y}}_s+{\mu }_s.\ell$, respectively, and then sends $\Psi =\left(\mathcal{X},𝓀,\Omega \right)$ to receiver.

iv.

Un-Signcryption: Finally, the receiving device executes the algorithm by considering the received parameter $\Psi$, and verifies its authenticity as follows:

• Compute $ℐ$ = ${𝒽}_x\left({\mathcal{Q}}_r.𝓀\right)$ and m = $D_{ℐ}$($𝒳$)
• Compute ${\mathcal{V}}^{/}$ = ${𝒽}_y\left(m,I{D}_r,P{B}_s\right)$ and check $\Omega .\mathcal{D}\stackrel{?}{=}{\mathcal{O}}_s+Z_s$ +${\mu }_s.𝓀$, if it is successfully processed then receiver accept $\Psi .$

5.3. Correctness

• The device with identity $\left(I{D}_d\right)$, checks the validity of ${\zeta }_d$ and ${\beta }_d$ as follows:
  ${{\rm Y}}_d.\mathcal{D}\stackrel{?}{=}{\zeta }_d$ + ${\mu }_d.\gamma$
  $={{\rm Y}}_d.\mathcal{D}=({\delta }_d+{\mu }_d.\eta ).\mathcal{D}=({\delta }_d.\mathcal{D}+{\mu }_d.\eta .\mathcal{D})$
  $=({\zeta }_d+{\mu }_d.\gamma )$ where ${\zeta }_d={\delta }_d.\mathcal{D}$ and $\gamma =\eta .\mathcal{D}$
  ${{\rm Y}}_d.\mathcal{D}=({\zeta }_d+{\mu }_d.\gamma )$, hence proved.

• The receiver makes the decryption key as follows:
  $ℐ$ = ${𝒽}_x\left({\mathcal{Q}}_r.𝓀\right)$
  = ${𝒽}_x\left({\mathcal{Q}}_r.\ell .\mathcal{D}\right)$ = ${𝒽}_x\left(\ell .{\mathcal{O}}_r\right)$ where ${\mathcal{O}}_r={\mathcal{Q}}_r.\mathcal{D}$
  = ${𝒽}_x\left(\ell .{\mathcal{O}}_r\right)$ = $ℐ$ hence proved.

• The receiver checks the validity of $\Psi =\left(\mathcal{X},𝓀,\Omega \right)$ as followed
  $\Omega .\mathcal{D}\stackrel{?}{=}{\mathcal{O}}_s+Z_s$ + ${\mu }_s.𝓀$
  =$\Omega .\mathcal{D}=({\mathcal{Q}}_s+{{\rm Y}}_s+{\mu }_s.\ell ).\mathcal{D}$ where Ω = ${\mathcal{Q}}_s+{{\rm Y}}_s+{\mu }_s.\ell$
  $=({\mathcal{Q}}_s.\mathcal{D}+{{\rm Y}}_s.\mathcal{D}+{\mu }_s.\ell .\mathcal{D})$
  = ${\mathcal{O}}_s+Z_s$ + ${\mu }_s.𝓀$ where ${\mathcal{O}}_s={\mathcal{Q}}_s.\mathcal{D}$, $Z_s={{\rm Y}}_s.\mathcal{D}$, and $𝓀=\ell .\mathcal{D}$
  $\Omega .\mathcal{D}={\mathcal{O}}_s+Z_s+{\mu }_s.𝓀$ hence proved.

6. Security Analysis

In this section, we provide the security proofs for our scheme on the basis of random oracle model.

It includes the six games, which are explained in the following theorems.

Theorem 1.

Let${\mathcal{O}}_1$be the Type 1 opponent in the IN-ACLS-CA and its winning advantage isω which cannot be ignored during a time𝓉. Theφ can act as challenger and its task to give an access when${\mathcal{O}}_1$ask for the queries such as Device Key Query (${𝓆}_{dk}$), CSV Query (${𝓆}_{csv}$), CPPK Query (${𝓆}_{cppk}$), CPBPK Query (${𝓆}_{cpbpk}$), Public Key Replacement (PBKR) Query (${𝓆}_{pbkr}$), Signcryption Query (${𝓆}_s$), Un-Signcryption Query (${𝓆}_{us}$), and${𝒽}_i$Query (${𝓆}_i$) where$\left(i=v,w,x,y\right).$Further, within the time𝓉 it can help to recuperate the solution of HEDHP for${\mathcal{O}}_1$. Here, the advantage of${\mathcal{O}}_1$will be as$\omega \succcurlyeq 2\left(\omega -\raisebox{1ex}{${𝓆}_{us}{𝓆}_y$}\!\left/ \!\raisebox{-1ex}{$2^{\sigma }$}\right.\right)/n{𝓆}_x$.

Proof of Theorem 1:

Suppose 𝜘.α.$𝒟$ is the assumed occurrence of HEDHP and the task of φ with ${\mathcal{O}}_1$ is to find the two unknown variables that are 𝜘 and α. For this task, ${\mathcal{O}}_1$ with by using the following sub-steps. □

• Setup.φ select a random number η, compute γ = η.$𝒟$, make ξ, and give γ and ξ to ${\mathcal{O}}_1$.

• ${\mathbf{𝒽}}_{\mathit{v}}$Query (${\mathbf{𝓆}}_{\mathit{v}}$): The triple $\left(I{D}_j,{\mathcal{O}}_j,{\zeta }_j\right)$ is reserved as input, and ${\mathcal{O}}_1$ needs φ to accomplish ${𝒽}_v$ Query. After reception, φ searches whether triple $\left(I{D}_j,{\mathcal{O}}_j,{\zeta }_j\right)$ subsists in list $L_v$. If it is subsisting, ${\mu }_j$ can send by φ to ${\mathcal{O}}_1$. Otherwise, φ pick ${\mu }_j$ in a random manner, send ${\mu }_j$ to ${\mathcal{O}}_1$, and update $L_v$ using $\left(I{D}_j,{\mathcal{O}}_j,{\zeta }_j,{\mu }_j \right)$.

• ${\mathbf{𝒽}}_{\mathit{w}}$Query (${\mathbf{𝓆}}_{\mathit{w}}$): The pair $\left(I{D}_j,\eta .{\mathcal{O}}_j\right)$ and $(I{D}_j,\gamma .{\mathcal{Q}}_j)$ is reserved as input, and ${\mathcal{O}}_1$ needs φ to accomplish ${𝒽}_w$ Query. After reception, φ searches whether pair $\left(I{D}_j,\eta .{\mathcal{O}}_j\right)$ and $(I{D}_j,\gamma .{\mathcal{Q}}_j)$ is subsists in list $L_w$. If it is subsisting, ${\epsilon }_j$ and ${\partial }_j$ can send by φ to ${\mathcal{O}}_1$. Otherwise, φ pick ${\epsilon }_j$ and ${\partial }_j$ in a random manner, send ${\epsilon }_j$ and ${\partial }_j$ to ${\mathcal{O}}_1$, and update $L_w$ using $\left(I{D}_j,\eta .{\mathcal{O}}_j,{\epsilon }_j\right)$ and $(I{D}_j,\gamma .{\mathcal{Q}}_j,{\partial }_j)$.

• ${\mathbf{𝒽}}_x$Query (${\mathbf{𝓆}}_x$): The pair $\left(\ell .{\mathcal{O}}_j\right)$ is reserved as input, and ${\mathcal{O}}_1$ needs φ to accomplish ${𝒽}_x$ Query. After reception, a φ search whether pair $\left(\ell .{\mathcal{O}}_j\right)$ is subsists in list $L_x$. If it is subsisting, ${ℐ}_j$ can send by φ to ${\mathcal{O}}_1$. Otherwise, φ pick ${ℐ}_j$ in a random manner, send ${ℐ}_j$ to ${\mathcal{O}}_1$, and update $L_x$ using $\left(\ell .{\mathcal{O}}_j,{ℐ}_j\right)$.

• ${\mathbf{𝒽}}_{\mathit{y}}$Query (${\mathbf{𝓆}}_{\mathit{y}}$): The triple $\left(m,I{D}_j,P{B}_j\right)$ is reserved as input, and ${\mathcal{O}}_1$ needs φ to accomplish ${𝒽}_y$ Query. After reception, a φ search whether pair $\left(m,I{D}_j,P{B}_j\right)$ is subsists in list $L_y$. If it is subsisting, ${\mathcal{V}}_j$ can send by φ to ${\mathcal{O}}_1$. Otherwise, φ pick ${\mathcal{V}}_j$ in a random manner, send ${\mathcal{V}}_j$ to ${\mathcal{O}}_1$, and update $L_y$ using $\left(m,I{D}_j,P{B}_j,{\mathcal{V}}_j\right)$.

• Device Key Query(${\mathbf{𝓆}}_{\mathit{d}\mathit{k}}$): The tuple $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ is reserved as input, and ${\mathcal{O}}_1$ needs φ to accomplish Device Key Query. After reception, a φ search whether pair $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ is subsists in list $L_k$. If it is subsisting, φ reserves the tuple $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$. Otherwise, φ do the following steps.
  • If $I{D}_j\ne I{D}_d$, φ pick ${\mathcal{Q}}_j,{\beta }_j$ in a random manner, set ${\mathcal{O}}_j={\mathcal{Q}}_j.\mathcal{D}$, ${{\rm Y}}_j={\beta }_j-{𝒽}_w\left(I{D}_j,\gamma .{\mathcal{Q}}_j\right)$, $Z_j={{\rm Y}}_j$.$𝒟$,$P{B}_j$ = (${\mathcal{O}}_j,Z_j$), $P_j$ = (${\mathcal{Q}}_j,{{\rm Y}}_j$), and then update $L_k$ using $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ and $L_v$ using $\left(I{D}_j,{\mathcal{O}}_j,{\zeta }_j,{\mu }_j\right)$.
  • If $I{D}_j=I{D}_d$, φ pick ${\mathcal{Q}}_j,{\delta }_j$ in a random manner, set ${\mathcal{O}}_j={\mathcal{Q}}_j.\mathcal{D}$, $P_j⇽\perp ,{\zeta }_j={\delta }_j$.$𝒟$, ${{\rm Y}}_j={\delta }_j+{𝒽}_v\left(I{D}_j,{\mathcal{O}}_j,{\zeta }_j\right).\eta ,Z_j={{\rm Y}}_j$.$𝒟$,$P{B}_j$ = (${\mathcal{O}}_j,Z_j$), and then update $L_k$ using $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ and $L_v$ using $\left(I{D}_j,{\mathcal{O}}_j,{\zeta }_j,{\mu }_j\right)$.

• CSV Query (${\mathbf{𝓆}}_{\mathit{c}\mathit{s}\mathit{v}}$): The tuple $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ is reserved as input, and ${\mathcal{O}}_1$ needs φ to accomplish CSV Query. After reception, a φ search whether tuple $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ is subsists in list $L_k$. If it is subsisting, φ sends ${\mathcal{Q}}_j$ to ${\mathcal{O}}_1$. Otherwise, φ calls Device Key Query and generates the tuple $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ and sends ${\mathcal{Q}}_j$ to ${\mathcal{O}}_1$. Then, it updates $L_k$ using $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$.

• CPPK Query (${\mathbf{𝓆}}_{\mathit{c}\mathit{p}\mathit{p}\mathit{k}}$): The tuple $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ is reserved as input, and ${\mathcal{O}}_1$ needs φ to accomplish CPPK Query. After reception, φ does the following steps.
  • If $I{D}_j=I{D}_d$, φ returns ⊥.
  • If $I{D}_j\ne I{D}_d$, φ calls Device Key Query, generates the tuple $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ and send ${\beta }_j$ to ${\mathcal{O}}_1$. Then, update $L_k$ using $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$.

• CPBPK Query (${\mathbf{𝓆}}_{\mathit{c}\mathit{p}\mathit{b}\mathit{p}\mathit{k}}$): Upon the request of ${\mathcal{O}}_1$, φ first of all give the response for public key that are, a φ search whether tuple $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ subsists in list $L_k$. If it is subsisting, φ send $P{B}_j$ to ${\mathcal{O}}_1$. Otherwise, φ calls Device Key Query and generates the tuple $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ and send $P{B}_j$ to ${\mathcal{O}}_1$.

• Secondly, φ first of all give the response for private key that are followed.
  • If $I{D}_j=I{D}_d$, φ returns ⊥.
  • If $I{D}_j\ne I{D}_d$, φ calls Device Key Query, generates the tuple $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ and send $P_j$ to ${\mathcal{O}}_1$. Then, update $L_k$ using $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$.

• PBKR Query (${\mathbf{𝓆}}_{\mathit{p}\mathit{b}\mathit{k}\mathit{r}}$): Upon the request of ${\mathcal{O}}_1$, φ convert $P{B}_j$ into $P{B}_j{ }^{/}$ and update $L_k$ using $\left(I{D}_j, P{B}_j{ }^{/}, P_j,{\mathcal{Q}}_j, {\beta }_j\right)$.

• Signcryption Query (${\mathbf{𝓆}}_{\mathit{s}}$):${\mathcal{O}}_1$ needs φ to make Signcryption Query, φ check if $I{D}_s\ne I{D}_d$ then it calls CPBPK Query and performs the following computations.
  • Select $\ell$ where $0\le \ell \le p$ and compute $𝓀=\ell .\mathcal{D}$
  • Compute $ℐ={𝒽}_x\left(\ell .{\mathcal{O}}_j\right)$ and $\mathcal{X}=E_{ℐ}\left(m\right)$
  • Compute $\mathcal{V}={𝒽}_y\left(m,I{D}_j,P{B}_j\right)$
  • Compute Ω = ${\mathcal{Q}}_j+{{\rm Y}}_j+{\mu }_j.\ell$ and send $\Psi =\left(\mathcal{X},𝓀,\Omega \right)$ to ${\mathcal{O}}_1$

• Un-Signcryption Query(${\mathbf{𝓆}}_{\mathit{u}\mathit{s}}$): ${\mathcal{O}}_1$ needs φ to make Un-Signcryption Query, φ check if $I{D}_j=I{D}_d$, φ returns ⊥. Otherwise, it performs the following computations.
  • Search for a tuple $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ in list $L_k$ and compute $ℐ$ = ${𝒽}_x\left({\mathcal{Q}}_j.𝓀\right)$ and m = $D_{ℐ}$($𝒳$)
  • Check $\Omega .\mathcal{D}\stackrel{?}{=}{\mathcal{O}}_s+Z_s$ + ${\mu }_s.𝓀$, if it is successfully processed then φ send m to ${\mathcal{O}}_1$. Otherwise, φ returns ⊥.

• Challenge: $m_1$ and $m_2$ are the two identical sizes but dissimilar type of messages that are selected by ${\mathcal{O}}_1$ for φ. Further, φ chooses a bit 𝜗 ∈ {0, 1} at an unsystematic way and uses $m_{\vartheta }$ to develop ${\Psi }^{*}$. The detail steps are followed.
  • Set $𝓀=\alpha .P{B}_d$, $\ell .{\mathcal{O}}_d= \alpha \left(\gamma +P{B}_d\right)$, and $ℐ={𝒽}_x\left(\ell .{\mathcal{O}}_d\right)$
  • Set ${\mathcal{X}}^{*}=E_{ℐ}\left(m\right)$ and select Ω randomly
  • Return ${\Psi }^{*}=\left( {\mathcal{X}}^{*},\Omega ,𝓀\right)$ to ${\mathcal{O}}_1$

• Note that ${\mathcal{O}}_1$ can carry with all the above queries, except Un-Signcryption Query (${𝓆}_{us}$), against ${\Psi }^{*}$.

• Guess: ${\mathcal{O}}_1$ provides ${\vartheta }^{*}$, if ${\vartheta }^{*}$ = 𝜗, then ${\mathcal{O}}_1$ succeeded and φ gives the solution of 𝜘.α.$𝒟$ = $\ell .{\mathcal{O}}_d-𝓀$. Otherwise, φ returns ⊥. We can observe the following probability events from the aforementioned explanations.
  • ${𝒽}_y$ hash offers a valid scramble text during ${𝓆}_{us}$ and its probability as $\raisebox{1ex}{${𝓆}_y$}\!\left/ \!\raisebox{-1ex}{$2^{\mathsf{\sigma }}$}\right.$
  • ${\mathcal{O}}_1$ needs φ to perform Un-Signcryption Query (${𝓆}_{us}$) during the attack process, the decryption success probability of φ as ${\omega }_{us}=\omega -\raisebox{1ex}{${𝓆}_{us}{𝓆}_y$}\!\left/ \!\raisebox{-1ex}{$2^{\mathsf{\sigma }}$}\right.$
  • During the guess phase the probability for 𝜘.α.$𝒟$ as $\raisebox{1ex}{$2$}\!\left/ \!\raisebox{-1ex}{$n$}\right.{𝓆}_x$

• So, ${\mathcal{O}}_1$ the advantage of ${\mathcal{O}}_1$ will be as $\omega \succcurlyeq 2\left(\omega -\raisebox{1ex}{${𝓆}_{us}{𝓆}_y$}\!\left/ \!\raisebox{-1ex}{$2^{\mathsf{\sigma }}$}\right.\right)/n{𝓆}_x$, for the solution of HEDHP.

Theorem 2.

Suppose${\mathcal{O}}_2$is the Type 2 opponent in the IN-ACLS-CA and its winning advantage isωwhich cannot be ignored during a time𝓉. Theφcan act as challenger and its task to give an access when${\mathcal{O}}_2$ask for the queries as performed in Theorem 1 except PBKR Query (${𝓆}_{pbkr}$). Further, within the time𝓉it can help to recuperate the solution of HEDHP for${\mathcal{O}}_2$. Here, the advantage of${\mathcal{O}}_2$will be as$\omega \succcurlyeq 2\left(\omega -\raisebox{1ex}{${𝓆}_{us}{𝓆}_y$}\!\left/ \!\raisebox{-1ex}{$2^{\sigma }$}\right.\right)/n{𝓆}_x$.

Proof of Theorem 2:

Assume 𝜘.α.$𝒟$ is the expected manifestation of HEDHP and the job of φ with ${\mathcal{O}}_2$ is to discover the two unknown variables that are 𝜘 and α. For this mission, ${\mathcal{O}}_2$ with by using the following sub-steps. □

• Setup:φ choose a random number η, calculate γ = η.$𝒟$, make ξ, and give γ, η, and ξ to ${\mathcal{O}}_2$. Then, set $K=\varkappa .\mathcal{D}$.

• ${\mathbf{𝒽}}_{\mathit{i}}$Query (${\mathbf{𝓆}}_{\mathit{i}}$): The process for this query is same as Theorem 1.

• Device Key Query(${\mathbf{𝓆}}_{\mathit{d}\mathit{k}}$): The tuple $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ is reserved as input, and ${\mathcal{O}}_2$ needs φ to accomplish Device Key Query. After reception, a φ search whether pair $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ is subsists in list $L_k$. If it is subsisting, φ reserves the tuple $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$. Otherwise, φ do the following steps.
  • If $I{D}_j=I{D}_d$, φ pick ${\mathcal{Q}}_j,{\delta }_j$ in a random manner, compute ${\zeta }_j={\delta }_j$.$𝒟$, ${{\rm Y}}_j={\delta }_j+{𝒽}_v\left(I{D}_j,{\mathcal{O}}_j,{\zeta }_j\right).\eta ,Z_j={{\rm Y}}_j$.$𝒟$,$P{B}_j$ = (${\mathcal{O}}_j,Z_j$), and then update $L_k$ using $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ and $L_v$ using $\left(I{D}_j,{\mathcal{O}}_j,{\zeta }_j,{\mu }_j\right)$, where ${\mathcal{O}}_j={\mathcal{Q}}_j.\mathcal{D}$, $P_j⇽\perp$.
  • If $I{D}_j\ne I{D}_d$, φ pick ${\mathcal{Q}}_j,{\beta }_j$ in a random manner, set ${\mathcal{O}}_j={\mathcal{Q}}_j.\mathcal{D}$, ${{\rm Y}}_j={\beta }_j-{𝒽}_w\left(I{D}_j,\gamma .{\mathcal{Q}}_j\right)$, $Z_j={{\rm Y}}_j$.$𝒟$,$P{B}_j$ = (${\mathcal{O}}_j,Z_j$), $P_j$ =(${\mathcal{Q}}_j,{{\rm Y}}_j$), and then update $L_k$ using $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ and $L_v$ using $\left(I{D}_j,{\mathcal{O}}_j,{\zeta }_j,{\mu }_j\right)$.

• CSV Query (${\mathbf{𝓆}}_{\mathit{c}\mathit{s}\mathit{v}}$): ${\mathcal{O}}_2$ needs φ to accomplish CSV Query. After reception, a φ does the following executions.
  • If $I{D}_j=I{D}_d$, φ returns ⊥.
  • If $I{D}_j\ne I{D}_d$, φ calls Device Key Query, generates the tuple $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ and send ${\mathcal{Q}}_j$ to ${\mathcal{O}}_2$. Then, update $L_k$ using $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$.

• CPPK Query (${\mathbf{𝓆}}_{\mathit{c}\mathit{p}\mathit{p}\mathit{k}}$): The tuple $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ is reserved as input, and ${\mathcal{O}}_2$ needs φ to accomplish CPPK Query. After reception, a φ searches whether tuple $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ subsists in list $L_k$. If it is subsisting, φ send ${\beta }_j$ to ${\mathcal{O}}_2$. Otherwise, φ calls Device Key Query and generates the tuple $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ and send ${\beta }_j$ to ${\mathcal{O}}_2$. Then, update $L_k$ using $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$.

• CPBPK Query (${\mathbf{𝓆}}_{\mathit{c}\mathit{p}\mathit{b}\mathit{p}\mathit{k}}$): Upon the request of ${\mathcal{O}}_2$, φ first of all gives the response for public key that are, a φ searches whether tuple $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ subsists in list $L_k$. If it is subsisting, φ sends $P{B}_j$ to ${\mathcal{O}}_2$. Otherwise, φ calls Device Key Query and generates the tuple $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ and send $P{B}_j$ to ${\mathcal{O}}_2$.

• Secondly, φ first of all gives the response for private key that are followed.
  • If $I{D}_j=I{D}_d$, φ returns ⊥.
  • If $I{D}_j\ne I{D}_d$, φ calls Device Key Query, generates the tuple $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$ and send $P_j$ to ${\mathcal{O}}_2$. Then, update $L_k$ using $\left(I{D}_j,P_j,P{B}_j,{\mathcal{Q}}_j,{\beta }_j\right)$.

• Signcryption Query (${\mathbf{𝓆}}_{\mathit{s}}$): The process for this query is same as Theorem 1.

• Un-Signcryption Query(${\mathbf{𝓆}}_{\mathit{u}\mathit{s}}$): The process for this query is same as Theorem 1.

• Challenge:$m_1$ and $m_2$ are the two identical sizes but dissimilar type of messages that are selected by ${\mathcal{O}}_2$ for φ. Further, φ chooses a bit 𝜗 ∈ {0, 1} at unsystematic way and uses $m_{\vartheta }$ to develop ${\Psi }^{*}$. The detail steps are followed.
  • Set $𝓀=\alpha .(P{B}_d+T)$, where $T=\gamma +K,\ell .{\mathcal{O}}_d= \alpha \left(\gamma +P{B}_d\right)$, and $ℐ={𝒽}_x\left(\ell .{\mathcal{O}}_d\right)$
  • Set ${\mathcal{X}}^{*}=E_{ℐ}\left(m\right)$ and select Ω randomly
  • Return ${\Psi }^{*}=\left( {\mathcal{X}}^{*},\Omega ,𝓀\right)$ to ${\mathcal{O}}_2$

• Note that ${\mathcal{O}}_2$ can carry with all the above queries, except Un-Signcryption Query (${\mathbf{𝓆}}_{\mathit{u}\mathit{s}}$), against ${\Psi }^{*}$.

• Guess: ${\mathcal{O}}_2$ provides ${\vartheta }^{*}$, if ${\vartheta }^{*}$ = 𝜗, then ${\mathcal{O}}_2$ succeeded and φ gives the solution of 𝜘.α.$𝒟$ = $\ell .{\mathcal{O}}_d-𝓀$. Otherwise, φ returns ⊥.

• So, we can observe the following probability events from the aforementioned explanations.
  • ${𝒽}_y$ hash offers a valid scramble text during ${𝓆}_{us}$ and its probability as $\raisebox{1ex}{${𝓆}_y$}\!\left/ \!\raisebox{-1ex}{$2^{\mathsf{\sigma }}$}\right.$
  • ${\mathcal{O}}_2$ needs φ to perform Un-Signcryption Query (${𝓆}_{us}$) during the attack process, the decryption success probability of φ as ${\omega }_{us}=\omega -\raisebox{1ex}{${𝓆}_{us}{𝓆}_y$}\!\left/ \!\raisebox{-1ex}{$2^{\mathsf{\sigma }}$}\right.$
  • During the guess phase the probability for 𝜘.α.$𝒟$ as $\raisebox{1ex}{$2$}\!\left/ \!\raisebox{-1ex}{$n$}\right.{𝓆}_x$

• For ${\mathcal{O}}_2$ the advantage of ${\mathcal{O}}_2$ will be as $\omega \succcurlyeq 2\left(\omega -\raisebox{1ex}{${𝓆}_{us}{𝓆}_y$}\!\left/ \!\raisebox{-1ex}{$2^{\mathsf{\sigma }}$}\right.\right)/n{𝓆}_x$, for the solution of HEDHP.

Theorem 3.

Suppose${\mathcal{O}}_1$is the Type 1 opponent in the EF-ACLS-PA and its winning advantage isωwhich cannot be ignored during a time𝓉. Theφcan act as challenger and its task to give an access when${\mathcal{O}}_1$ask for the queries as performed in Theorem 1. Further, within the time𝓉it can help to recuperate the solution of HEDHP for${\mathcal{O}}_1$. Here, the advantage of${\mathcal{O}}_1$will be as$\omega \succcurlyeq \left(\omega -\raisebox{1ex}{${𝓆}_s$}\!\left/ \!\raisebox{-1ex}{$2^{\sigma }$}\right.\right)/2$.

Proof of Theorem3:

Assume 𝜘.α.$𝒟$ is the expected manifestation of HEDHP and the job of φ with ${\mathcal{O}}_1$ is to discover the two unknown variables that are 𝜘 and α. For this mission, ${\mathcal{O}}_1$ with by using the following sub-steps. □

• Setup.φ chooses a random number η, calculates γ = η.$𝒟$, make ξ, and gives γ and ξ to ${\mathcal{O}}_1$.

• The execution of ${𝒽}_i$ Query (${𝓆}_i$), Device Key Query (${𝓆}_{dk}$), CSV Query (${𝓆}_{csv}$), CPPK Query (${𝓆}_{cppk}$), CPBPK Query (${𝓆}_{cpbpk}$), PBKR Query (${𝓆}_{pbkr}$), Signcryption Query (${𝓆}_s$), and Un-Signcryption Query (${𝓆}_{us}$) are same as Theorem 1.

• Forgery:${\mathcal{O}}_1$ forges ${\Psi }^{*}$ and $m$, if $\Omega .\mathcal{D}\stackrel{?}{=}{\mathcal{O}}_s+Z_s$ +${\mu }_s.𝓀$, is successfully processed, ${\Psi }^{*}$ falsified efficaciously, describing ${\mathcal{O}}_d$=$\raisebox{1ex}{${\mathcal{O}}_d$}\!\left/ \!\raisebox{-1ex}{$\alpha $}\right.$ and $\ell .{\mathcal{O}}_d= \alpha \left(\gamma +P{B}_d\right)$, φ computes $\ell .{\mathcal{O}}_d$ = ${\mathcal{O}}_d$+ 𝜘.α.$𝒟$, returns $\ell .{\mathcal{O}}_d-{\mathcal{O}}_d=$ 𝜘.α.$𝒟$, and 𝜘.α.$𝒟$ is the solution of HEDHP. Otherwise, it returns ⊥.

• Hence, we can observe the following probability events from the aforementioned explanations.
  • The success probability of Signcryption Query (${𝓆}_s$) φ as $\omega -\raisebox{1ex}{${𝓆}_s$}\!\left/ \!\raisebox{-1ex}{$2^{\mathsf{\sigma }}$}\right.$
  • During the forgery phase, the success probability of solving 𝜘. $𝒟$ as $\raisebox{1ex}{$1$}\!\left/ \!\raisebox{-1ex}{$2$}\right.$

• So, ${\mathcal{O}}_1$ the advantage of ${\mathcal{O}}_1$ will be as $\omega \succcurlyeq \left(\omega -\raisebox{1ex}{${𝓆}_s$}\!\left/ \!\raisebox{-1ex}{$2^{\mathsf{\sigma }}$}\right.\right)/2$, for the solution of HEDHP.

Theorem 4.

Suppose${\mathcal{O}}_2$is the Type 2 opponent in the EF-ACLS-PA and its winning advantage isωwhich cannot be ignored during a time𝓉. Theφcan act as challenger and its task to give an access when${\mathcal{O}}_2$ask for the queries as performed in Theorem 1 except PBKR Query (${𝓆}_{pbkr}$). Further, within the time𝓉it can help to recuperate the solution of HEDHP for${\mathcal{O}}_2$. Here, the advantage of${\mathcal{O}}_2$will be as$\omega \succcurlyeq \left(\omega -\raisebox{1ex}{${𝓆}_s$}\!\left/ \!\raisebox{-1ex}{$2^{\sigma }$}\right.\right)/2$.

Proof of Theorem 4:

Assume 𝜘.α.$𝒟$ is the expected manifestation of HEDHP and the job of φ with ${\mathcal{O}}_2$ is to discover the two unknown variables that are 𝜘 and α. For this mission, ${\mathcal{O}}_2$ will by using the following sub-steps. □

• Setup. The execution of this phase is same as Theorem 2.

• The execution of ${𝒽}_i$ Query (${𝓆}_i$), Device Key Query (${𝓆}_{dk}$), CSV Query (${𝓆}_{csv}$), CPPK Query (${𝓆}_{cppk}$), CPBPK Query (${𝓆}_{cpbpk}$), Signcryption Query (${𝓆}_s$), and Un-Signcryption Query (${𝓆}_{us}$) are same as Theorem 1.

• Forgery:${\mathcal{O}}_2$ forges ${\Psi }^{*}$ and $m$, if $\Omega .\mathcal{D}\stackrel{?}{=}{\mathcal{O}}_s+Z_s$ + ${\mu }_s.𝓀$, is successfully processed, ${\Psi }^{*}$ falsified efficaciously, describing ${\mathcal{O}}_d$ = $\raisebox{1ex}{${\mathcal{O}}_d$}\!\left/ \!\raisebox{-1ex}{$\alpha $}\right.$ and $\ell .{\mathcal{O}}_d = \alpha \left(\gamma +P{B}_d\right)$, φ compute $\ell .{\mathcal{O}}_d$ = ${\mathcal{O}}_d$ + 𝜘.α.$𝒟$, returns $\ell .{\mathcal{O}}_d-{\mathcal{O}}_d=$ 𝜘.α.$𝒟$, and 𝜘.α.$𝒟$ is the solution of HEDHP. Otherwise, it returns ⊥.

• Therefore, we can observe the following probability events from the aforementioned explanations.
  • The success probability of Signcryption Query (${𝓆}_s$) φ as $\omega -\raisebox{1ex}{${𝓆}_s$}\!\left/ \!\raisebox{-1ex}{$2^{\mathsf{\sigma }}$}\right.$
  • During the forgery phase the success probability of solving 𝜘. $𝒟$ as $\raisebox{1ex}{$1$}\!\left/ \!\raisebox{-1ex}{$2$}\right.$

• For ${\mathcal{O}}_2$ the advantage of ${\mathcal{O}}_2$ will be as $\omega \succcurlyeq \left(\omega -\raisebox{1ex}{${𝓆}_s$}\!\left/ \!\raisebox{-1ex}{$2^{\mathsf{\sigma }}$}\right.\right)/2$, for the solution of HEDHP.

Theorem 5.

Let${\mathcal{O}}_1$be the Type 1 opponent in the ANO-ACLS-CA and its winning advantage isωwhich cannot be ignored during a time𝓉. Theφcan act as challenger and its task to give access when${\mathcal{O}}_1$ask for the queries same as Theorem 1$.$Further, within the time𝓉it can help to recuperate the solution of HEDHP for${\mathcal{O}}_1$. Here, the advantage of${\mathcal{O}}_1$will be as$\omega \succcurlyeq 2\left(\omega -\raisebox{1ex}{${𝓆}_{us}{𝓆}_y$}\!\left/ \!\raisebox{-1ex}{$2^{\sigma }$}\right.\right)/n{𝓆}_x$.

Proof of Theorem 5:

Suppose 𝜘.α.$𝒟$ is the assumed occurrence of HEDHP and the task of φ with ${\mathcal{O}}_1$ is to find the two unknown variables that are 𝜘 and α. For this task, ${\mathcal{O}}_1$ will by using the following sub-steps. □

• The execution of ${𝒽}_i$ Query (${𝓆}_i$), Device Key Query (${𝓆}_{dk}$), CSV Query (${𝓆}_{csv}$), CPPK Query (${𝓆}_{cppk}$), CPBPK Query (${𝓆}_{cpbpk}$), PBKR Query (${𝓆}_{pbkr}$), Signcryption Query (${𝓆}_s$), and Un-Signcryption Query (${𝓆}_{us}$) are same as Theorem 1.

• Challenge: Here, $I{D}_1$ and $I{D}_2$ are the two identities that are selected by ${\mathcal{O}}_1$ for φ. Further, φ chooses a bit $e$∈ {0, 1} at unsystematic way to develop ${\Psi }^{*}$. The detail steps are followed.
  • Set $𝓀=\alpha .P{B}_d$, $\ell .{\mathcal{O}}_d= \alpha \left(\gamma +P{B}_d\right)$, and $ℐ={𝒽}_x\left(\ell .{\mathcal{O}}_d\right)$
  • Set ${\mathcal{X}}^{*}=E_{ℐ}\left(m\right)$ and select Ω randomly
  • Return ${\Psi }^{*}=\left( {\mathcal{X}}^{*},\Omega ,𝓀\right)$ to ${\mathcal{O}}_1$

• Note that ${\mathcal{O}}_1$ can carry with all the above queries except Un-Signcryption Query (${𝓆}_{us}$) against ${\Psi }^{*}$.

• Guess:${\mathcal{O}}_1$ provides $e^{*}$, if $e^{*}=e$, then ${\mathcal{O}}_1$ succeeded and φ gives the solution of 𝜘.α.$𝒟$ = $\ell .{\mathcal{O}}_d-𝓀$. Otherwise, φ returns ⊥.

• Hence, we can observe the following probability events from the aforementioned explanations.
  • ${𝒽}_y$ hash offers a valid scramble text during ${𝓆}_{us}$ and its probability as $\raisebox{1ex}{${𝓆}_y$}\!\left/ \!\raisebox{-1ex}{$2^{\mathsf{\sigma }}$}\right.$
  • ${\mathcal{O}}_1$ needs φ to perform Un-Signcryption Query (${𝓆}_{us}$) during the attack process, the decryption success probability of φ as ${\omega }_{us}=\omega -\raisebox{1ex}{${𝓆}_{us}{𝓆}_y$}\!\left/ \!\raisebox{-1ex}{$2^{\mathsf{\sigma }}$}\right.$
  • During the guess phase, the probability for 𝜘.α.$𝒟$ as $\raisebox{1ex}{$2$}\!\left/ \!\raisebox{-1ex}{$n$}\right.{𝓆}_x$

• So, ${\mathcal{O}}_1$ the advantage of ${\mathcal{O}}_1$ will be as $\omega \succcurlyeq 2\left(\omega -\raisebox{1ex}{${𝓆}_{us}{𝓆}_y$}\!\left/ \!\raisebox{-1ex}{$2^{\mathsf{\sigma }}$}\right.\right)/n{𝓆}_x$, for the solution of HEDHP.

Theorem 6.

Let${\mathcal{O}}_2$be the Type 2 opponent in the ANO-ACLS-CA and its winning advantage isωwhich cannot be ignored during a time𝓉. Theφcan act as challenger and its task to give an access when${\mathcal{O}}_1$ask for the queries same as Theorem 1 except PBKR Query (${𝓆}_{pbkr}$). Further, within the time𝓉it can help to recuperate the solution of HEDHP for${\mathcal{O}}_2$. Here, the advantage of${\mathcal{O}}_2$will be as$\omega \succcurlyeq 2\left(\omega -\raisebox{1ex}{${𝓆}_{us}{𝓆}_y$}\!\left/ \!\raisebox{-1ex}{$2^{\sigma }$}\right.\right)/n{𝓆}_x$.

Proof of Theorem 6:

Suppose 𝜘.α.$𝒟$ is the assumed occurrence of HEDHP and the task of φ with ${\mathcal{O}}_2$ is to find the two unknown variables that are 𝜘 and α. For this task, ${\mathcal{O}}_2$ will by using the following sub-steps. □

• Setup: The execution of this phase as Theorem 2.

• The execution of ${𝒽}_i$ Query (${𝓆}_i$), Device Key Query (${𝓆}_{dk}$), CSV Query (${𝓆}_{csv}$), CPPK Query (${𝓆}_{cppk}$), CPBPK Query (${𝓆}_{cpbpk}$), Signcryption Query (${𝓆}_s$), and Un-Signcryption Query (${𝓆}_{us}$) are same as Theorem 1.

• Challenge: Here, $I{D}_1$ and $I{D}_2$ are the two identities sizes that are selected by ${\mathcal{O}}_2$ for φ. Further, φ chooses a bit $e$ ∈ {0, 1} at unsystematic way to develop ${\Psi }^{*}$. The detail steps are followed.
  • Set $𝓆=\alpha .(P{B}_d+T)$, where $T=\gamma +K,\ell .{\mathcal{O}}_d= \alpha \left(\gamma +P{B}_d\right)$, and $ℐ={𝒽}_x\left(\ell .{\mathcal{O}}_d\right)$
  • Set ${\mathcal{X}}^{*}=E_{ℐ}\left(m\right)$ and select Ω randomly
  • Return ${\Psi }^{*}=\left( {\mathcal{X}}^{*},\Omega ,𝓀\right)$ to ${\mathcal{O}}_2$

• Note that ${\mathcal{O}}_2$ can carry with all the above queries, except Un-Signcryption Query (${𝓆}_{us}$), against ${\Psi }^{*}$.

• Guess:${\mathcal{O}}_2$ provides $e^{*}$, if $e^{*}=e$, then ${\mathcal{O}}_2$ succeeded and φ gives the solution of 𝜘.α.$𝒟$=$\ell .{\mathcal{O}}_d-𝓀$. Otherwise, φ returns ⊥.

• Therefore, we can observe the following probability events from the aforementioned explanations.
  • ${𝒽}_y$ hash offers a valid scramble text during ${𝓆}_{us}$ and its probability as $\raisebox{1ex}{${𝓆}_y$}\!\left/ \!\raisebox{-1ex}{$2^{\mathsf{\sigma }}$}\right.$
  • ${\mathcal{O}}_2$ needs φ to perform Un-Signcryption Query (${𝓆}_{us}$) during the attack process, the decryption success probability of φ as ${\omega }_{us}=\omega -\raisebox{1ex}{${𝓆}_{us}{𝓆}_y$}\!\left/ \!\raisebox{-1ex}{$2^{\mathsf{\sigma }}$}\right.$
  • During the guess phase the probability for 𝜘.α.$𝒟$ as $\raisebox{1ex}{$2$}\!\left/ \!\raisebox{-1ex}{$n$}\right.{𝓆}_x$

• So, ${\mathcal{O}}_2$ the advantage of ${\mathcal{O}}_2$ will be as $\omega \succcurlyeq 2\left(\omega -\raisebox{1ex}{${𝓆}_{us}{𝓆}_y$}\!\left/ \!\raisebox{-1ex}{$2^{\mathsf{\sigma }}$}\right.\right)/n{𝓆}_x$, for the solution of HEDHP.

7. Cost Analysis

7.1. Computational Cost

The proposed scheme is compared, in terms of computational cost, with the relevant existing schemes proposed by Zhou [25], Cao and Ge [26], Luo and Ma [27], Rastegari et al. [28], and Karati et al. [29], as shown in

Table 2. Computational cost regarding major operations and milliseconds (MS).

Schemes	Signcryption	Unsigncryption	Total	Total (ms)
Caixue Zhou [25]	$𝒫$ + 7𝓔	4$𝒫$ + 5𝓔	5$𝒫$ + 12𝓔	11.1 + 22.09 = 33.19
Cao and Ge [26]	7𝓔℘	5 𝓔℘	12𝓔℘	11.64
Luo and Ma [27]	6𝓔℘	5𝓔℘	11𝓔℘	10.67
Rastegari et al. [28]	2$𝒫$ + 4𝓔	8$𝒫$ + 2𝓔	10$𝒫$ + 6𝓔	50.60
Karati et al. [29]	3𝓔℘	4𝓔℘	7𝓔℘	6.79
Proposed scheme	3$\mathscr{H}$℘	3$\mathscr{H}$℘	6$\mathscr{H}$℘	2.88

Note: 𝓔 = single exponential operation, $𝒫$ = pairing based point multiplication, $\mathscr{H}$℘ = hyperelliptic curve divisor multiplication, and 𝓔℘ = elliptic curve point multiplication.

. The existing schemes utilize exponential operations, pairing, and elliptic curve point multiplication, which are costlier options. Comparatively, our scheme is based on the hyperelliptic divisor multiplication. The time required for processing a single Elliptic Curve Point Multiplication (ECPM) is 0.97 ms; bilinear pairing is 14.90 ms; pairing-based point multiplications is 4.31 ms; modular exponentiation is 1.25 ms [33]. The Hyperelliptic Curve Divisor Multiplication (HCDM) is assumed to be 0.48 milliseconds [34,35,36,37,38]. Multi-precision Integer and Rational Arithmetic C Library (MIRACL) [39] is used to measure the computational performance. The simulation results are obtained with a machine equipped with the specifications as follows: Intel Core i7-4510U CPU @ 2.0 GHz, 8 GB RAM, and Windows 7 Home Basic 64-bit Operating System [33]. It is evident that our scheme is efficient, in terms of computational cost, from the findings illustrated in Table 2 and Figure 2.

7.2. Communication Cost

In this subsection, the proposed approach is compared, in terms of communication cost, with the schemes presented by Zhou [25], Cao and Ge [26], Luo and Ma [27], Rastegari et al. [28], and Karati et al. [29]. In

Table 3. Communication cost comparisons.

Schemes	Communication Cost	Total (in Bits)
Caixue Zhou [25]	|m|+ 5|$𝒢$|	6144
Cao and Ge [26]	|m|+ 2|q|	1344
Luo and Ma [27]	|m|+ 2|q|	1344
Rastegari et al. [28]	|m|+ 4|$𝒢$|	5120
Karati et al. [29]	|m|+ 2|q|	1344
Proposed scheme	|m|+ 2|n|	1184

, the comparative analysis is provided for communication cost, which is also illustrated in Figure 3. The variables where, m = plaintext, $𝒢$ = bilinear pairing bits, q = elliptic curve bits, and n = hyperelliptic curve bits used, along with the respective values shown in

Table 4. Variables used for communication cost comparison.

Variable	Value
|m|	1024 bits
|q|	160 bits
|n|	80 bits
|$𝒢$|	1024 s

, are given as follows.

7.3. Security Functionalities

The comparisons, with respect to security functionalities, with the existing schemes are listed in

Table 5. Comparison with relevant existing schemes. Symbol: √ satisfy the security functionality, ⍻: does not satisfy the security functionality.

Schemes	Unforgeability	Confidentiality	Anonymity
Caixue Zhou [25]	√	√	⍻
Cao and Ge [26]	√	√	⍻
Luo and Ma [27]	√	√	⍻
Rastegari et al. [28]	√	√	⍻
Karati et al. [29]	√	√	⍻
Proposed scheme	√	√	√

. The outcomes of these comparisons are based on the security parameters as follows: unforgeability, confidentiality, and anonymity. From the Table 5, it can be witnessed that none of the schemes proposed by Zhou [25], Cao and Ge [26], Luo and Ma [27], Rastegari et al. [28], and Karati et al. [29] offer anonymity.

8. Conclusions

Internet of Vehicles (IoV) is the set of Internet of Things (IoT) with Intelligent Transport Systems (ITS) to provide information for common services, which builds the foundation of a next generation of traffic management systems. However, the environments of IoV could be dangerous in the absence of security protections. It gives an enormous opportunity to malicious attackers to modify, intercept, delete, or even insert false information during the on-going transmission. In this paper, using the HEC concept, we introduced an anonymous certificateless signcryption scheme for the IoV environment to resolve such deficiencies. The HEC approach is efficient at producing small keys and is therefore appropriate for a highly dynamic IoV environment. Moreover, because of the certificateless cryptography mechanism, the proposed scheme avoids the key escrow problem. The scheme also ensures receiver anonymity in open wireless channels. The formal security analysis demonstrates the ability of the proposed scheme to thwart different cyber-attacks, and it is competitive with its current counterparts in terms of computational and communication costs. In the future, we intend to implement the same scheme by including the ability to distribute partial private keys over an open channel; this ensures that the KGC would no longer need a secure channel to share partial private keys with vehicles in the IoV system.