A Multi-Message Multi-Receiver Signcryption Scheme with Edge Computing for Secure and Reliable Wireless Internet of Medical Things Communications

Abstract

Thanks to recent advancements in biomedical sensors, wireless networking technologies, and information networks, traditional healthcare methods are evolving into a new healthcare infrastructure known as the Internet of Medical Things (IoMT). It enables patients in remote areas to obtain preventative or proactive healthcare services at a cheaper cost through the ease of time-independent interaction. Despite the many benefits of IoMT, the ubiquitously linked devices offer significant security and privacy concerns for patient data. In the literature, several multi-message and multi-receiver signcryption schemes have been proposed that use traditional public-key cryptography, identity-based cryptography, or certificateless cryptography methods to securely transfer patient health-related data from a variety of biomedical sensors to healthcare professionals. However, certificate management, key escrow, and key distribution are all complications with these methods. Furthermore, in terms of IoMT performance and privacy requirements, they are impractical. This article aims to include edge computing into an IoMT with secure deployment employing a multi-message and multi-receiver signcryption scheme to address these issues. In the proposed method, certificate-based signcryption and hyperelliptic curve cryptography (HECC) have been coupled for excellent performance and security. The cost study confirms that the proposed scheme is better than the existing schemes in terms of computational and communication costs.

1. Introduction

The Internet of Medical Things (IoMT) is an emerging paradigm in the IoT sub-marketplace that can group all medical devices and applications over the Internet to collect, examine, and exchange physiological data of patients [1]. Figure 1 depicts the general architecture of the IoMT system, which includes a number of biomedical sensors, special embedded devices and wireless technologies. The biomedical sensors are used in IoMT settings to collect patient data such as breathing rate, blood pressure, chest noise, body temperature, breathing rate, electrocardiogram (ECG), and patient location, etc. Likewise, patient data can then be examined through special embedded devices such as computers, smartphones, and smartwatches, etc. [2]. Short-range wireless technologies such as Bluetooth Low Energy (BLE), Wi-Fi, and Zigbee, among others, can be used to communicate collected and examined data. The special embedded devices (controllers) can be further linked to cloud servers using the Fifth Generation (5G) wireless connection for high storage and intense data processing. The collected data from the patient monitoring sensors are usually too large to be handled by the local server. It requires a high level of storage and computational capabilities. Fortunately, the emerging 5G mobile networking architecture includes a Multiaccess Edge Computing (MEC) facility. When MEC is used in an IoMT system, it provides high storage and intense processing capabilities. The healthcare professionals can access the cloud server to review the health information and provide the patient with the appropriate assistance. In addition, when any medical indicators of the patient appear irregular, healthcare professionals will immediately contact the patient to provide guidance and medical examinations [3,4,5,6]. Furthermore, patient data can be stored in the health information system as electronic health records, which are accessible to medical practitioners when patients visit the hospital.

On the one hand, the IoMT system provides several benefits, but on the other hand, the widespread use of linked devices over an open wireless channel raises significant security and privacy concerns [7,8,9,10]. In addition, most biomedical devices have limited computational resources and, as a result, fail to perform conventional cryptographic operations. To address these flaws, an integrated scheme known as "signcryption" can be employed [11,12,13]. Signcryption is a public key cryptographic scheme that performs both encryption and digital signature operations at the same time. It is much more efficient and cost-effective than any of the alternates, i.e., performing the encryption and digital signature individually. In addition, the Multi-message and Multi-receiver Signcryption (MMSC) method is an extension of the signcryption scheme in which multiple messages are transmitted in one ciphertext to multiple receivers [14]. The use of the multicast channel will speed up the communication process; however, the basic security features such as confidentiality, unforgeability and anonymity should be maintained.

To find the solution for the aforementioned security attributes, several Multi-message and Multi-receiver Signcryption (MMSC) schemes [15,16,17,18,19,20,21] have been proposed by using the Public Key Infrastructure (PKI)-based cryptography [22], Identity (ID)-based cryptography [23] or Certificateless (CL)-based cryptography [24]. However, the conventional PKI-based MMSC schemes suggested in [15,16] suffer from a heavy burden of certificate management. In addition, the ID-based MMSC scheme introduced in [17] imposes the key escrow issue, while the heterogeneous ID-based and CL-based MMSC schemes implemented in [18,19] pose the key distribution problem. The CL-based MMSC schemes introduced in [20,21] bring about the key distribution problem. The schemes proposed in [15,16,17,18,19,20,21] either have poor performance in terms of computation cost or failure to meet the security requirements. In general, the proposed schemes are based on mathematical models that employ bilinear pairing or Elliptic Curve Cryptography (ECC), both of which have been proven to impose significant computational and communication burdens. In contrast to these two methods, Hyper Elliptic Curve Cryptography (HECC) is a lightweight cryptosystem, which provides the same level of security as opposed to ECC and bilinear pairing with a lower key size. In HECC, the key size is 80 bits, whereas ECC requires a key size of 160 bits.

1.1. Contributions

This article proposes a Multi-message Multi-receiver Signcyption (MMSC) scheme in a certificate-based setting. The proposed scheme is based on the concept of HECC, which is an enhanced version of the ECC that provides the same level of security as ECC and bilinear pairing with a smaller key size. Some of the key features that distinguish the contributions of our research in this work are as follows:

• Firstly, for an IoMT system, a multi-message and multi-receiver signcryption scheme has been proposed. In multicast channels under the Random Oracle Model (ROM), the proposed scheme guarantees confidentiality, unforgeability, and receiver anonymity.
• Secondly, for encryption and signature authentication, the proposed scheme makes use of hyperelliptic curve cryptography.
• Thirdly, we introduce a 5G architecture for IoMT with an edge computing facility.
• Finally, a thorough comparative analysis is performed to assess the performance of the proposed scheme. The findings show that the proposed scheme is efficient in terms of computation and communication costs from its counterpart schemes.

1.2. Organization of the Paper

The article is structured as follows. The related work is discussed in Section 2. The preliminaries are clarified in Section 3. The network model, threat model and syntax are provided in Section 4. The proposed scheme is provided in Section 5. Security analysis is carried out in Section 6. In Section 7, a performance comparison is carried out. Finally, the concluding ideas are included in Section 8.

2. Related Work

In this section, we examine and evaluate current MMSC schemes in terms of their research aims, security requirements, and computational and communication overheads.

In 2017, a heterogeneous MMSC scheme for ad hoc networks was proposed by Wang et al. [25]. In heterogeneous forms, the suggested scheme achieves a two-way signcryption that can move between PKI cryptography and IBC. Wang et al.’s [25] scheme uses PKI and IBC and thus creates an unavoidable key escrow issue as well as PKI certificate management burdens. Additionally, bilinear pairing is inefficient in terms of computation and communication costs due to the costly pairing operations. Niu et al. [18] implemented a heterogeneous MMSC signature later in the same year that can move from IBC under the ROM to certificateless cryptography. Unfortunately, Niu et al.’s scheme suffers from the problems such as private key distribution and key escrow. Furthermore, the scheme efficiency is based on bilinear pairing, which is not suitable for IoMT systems due to the high computation cost.

Gao et al. [20] proposed an efficient and practical certificateless signcryption scheme for wireless body area networks. The scheme is based exclusively on the widely used RSA cryptosystem and does not involve bilinear pairing. RSA is not suitable for IoMT because, like bilinear pairing, it is computationally costly. Pang et al. [26] constructed an anonymous MMSC scheme under the ROM. The proposed scheme aimed to remove the issue encountered during the distribution of the partial private key. However, the efficiency of the given scheme is again based on ECC, which is comparatively inefficient in terms of computation cost as opposed to HECC.

In 2019, Pang et al. [27] proposed an anonymous and efficient certificateless MMSC scheme. The authors aimed to eliminate the key escrow problem, which is commonly linked with IBC, as well as the certificate management problem, which is associated with PKI-based cryptography. However, the given scheme needs a secure channel for the distribution of partial private keys and therefore suffers from partial private key distribution problems. In 2019, Peng et al. [21] suggested a certificateless MMSC scheme using ECC. However, for the delivery of partial private keys, the scheme needs a secure channel. Finally, in 2020, Ming et al. [28] proposed an efficient anonymous certificate-based MMSC scheme for healthcare Internet of Things. The proposed method is based on ECC and employs certificate-based cryptography. It eliminates certificate management, key escrow, and key distribution issues, but, owing to ECC, it incurs high computational cost.

All of the schemes discussed above are based on computationally complex problems of ECC and bilinear pairing. In this paper, we propose a lightweight and secure security scheme termed MMSC in a certificate-based setting using HECC. The HECC approach is suitable for the IoMT system since it facilitates small keys.

3. Preliminaries

This section includes some explanations about HEC and formal definitions as well as the notions used in the proposed scheme, which are illustrated in

Table 1. Notations used in the proposed scheme.

S. No	Symbol	Explanation
1	$CA$	Certificate authority
2	$𝒯$	global parameter
3	$\delta$	$\sec \mathrm{ret} \mathrm{key} \mathrm{of} CA$
4	${\rm Y}$	$\mathrm{public} \mathrm{key} \mathrm{of} CA$
5	Hξ	hyper elliptic curve
6	${\mathcal{H}}_1,{\mathcal{H}}_{2.}{\mathcal{H}}_{3.}$	one way hash functions
7	$D$	divisor of Hξ
8	$I{D}_s$$, I{D}_i$	identity of sender and multi receiver respectively
9	${\alpha }_s,{\alpha }_i$	private key of sender and receivers
10	${\beta }_s,{\beta }_i$	public key of sender and receivers
11	$C{R}_s,C{R}_i$	certificate of sender and receivers
12	${\mathcal{C}}_i,m_i$	multi-cipher text and multi-plaintext
13	$E_{{\vartheta }_i}$$, D_{{\vartheta }_i}$	encryption and decryption
14	${\vartheta }_i$	multi-encryption and multi-decryption key

.

• Hyper Elliptic Curve

Suppose $f$ represents a non-finite field and $f^{*}$ is an algebraic closure of $f$. The following equation represents hyper elliptic curve ($H\epsilon$) over$f$ considering its solutions $\left(\varsigma ,\iota \right)$ belong to $f\times f$, while $g⩾1$ is the genus. $H\epsilon$: ${\iota }^2+h\left(\varsigma \right)\iota =F\left(\varsigma \right)$.

Therefore, $h\left(\varsigma \right):$ a polynomial and belongs to $f\left(\varsigma \right)$ having degree at most $g$. $F\left(\varsigma \right):$ represents a monic polynomial having degree is equal to$2g+1$. The points on $H\epsilon$ further form a set called Jacobian, which is the quotient group $\mathcal{J}={\mathcal{D}}^o/\mathcal{P}$, where ${\mathcal{D}}^o$ represents zero-degree devisors and $\mathcal{P}$ rational function-oriented devisors. Furthermore, each element of the Jacobian is represented as ${\mathcal{J}}_{H\epsilon }\left(f\right)$ and can be denoted individually through a divisor$\mathcal{D}$ = Ʃ${\mathfrak{m}}_i{\mathcal{P}}_i$, and ${\mathfrak{m}}_i$ represents a formal sum of points of $f^{*}$.

• Hyper Elliptic Curve Discrete Logarithm Problem (HECDLP)

Suppose given two devisors D₁ and D₂ belonging to J_Hε (f), finding integer ρ, such that D₂ = ρ. D₁ is called HECDLP.

• Hyper Elliptic Curve Deffi–Helman Problem (HECDHP)

Suppose given two devisors $D_1$ and $D_2$ belonging to ${\mathcal{J}}_{H\epsilon }\left(f\right)$, finding integer ρ and $\omega$ such that $D_2$ = $\omega$.ρ. $D_1$ is called HECDHP.

4. Network Model, Threat Model and Syntax

In this section, we will define the network model, threat model and syntax of the proposed scheme.

4.1. Network Model

The network model of the proposed certificate-based MMSC scheme consists of biomedical sensors, special embedded devices, ambulance, medical personal, medical server, cloud computing/MEC server and wireless technologies (BLE, Wi-Fi and 5G), as shown in Figure 1. Biomedical sensors can monitor and extract patient physiological data, which can further analyze with special embedded devices, such as smartphones, smartwatches or even a special embedded unit. Each of the biomedical sensors and the special embedded devices is wirelessly linked through short range communication technology known as BLE.

Special embedded devices can be further linked to the cloud computing/MEC server via Wi-Fi and 5G mobile communication to provide access. In addition, the medical server claims to be a local computer-attached administrator, where hospital professionals can view electronic health records (HERs) of patients. For future consultations, the HER is kept safely on the storage server.

4.2. Threat Model

The threat model includes three games, which will be played among a malicious agent/forger ($ℳ\mathcal{A}$/$ℳℱ$) and a challenger $\mathsf{\zeta }$ [29]. The first game is played for confidentiality regarding indistinguishability in contradiction of adaptive chosen multi-ciphertext attacks (IND-CBMMS-CCA). In this game, $ℳ\mathcal{A}$ with non-ignorable advantages$ϵ$, wants to break IND-CBMMS-CCA of a proposed CBMMS. $\mathsf{\zeta }$ selects a random number δ and $\mathsf{{\rm Y}}$, then makes $\mathcal{T}$ available to $ℳ\mathcal{A}$. Furthermore, $ℳ\mathcal{A}$ selects ${\mathrm{ID}}_{\mathrm{s}}{}^{*}$ as a sender identity, ${\mathrm{ID}}_{\mathrm{i}}{}^{*}$ as receivers group identities, and two different natures but the same length set of messages (${\mathrm{m}}^{\mathrm{x}}{}_{\mathrm{i}},{\mathrm{m}}^{\mathrm{y}}{}_{\mathrm{i}}$). Further, $\mathsf{\zeta }$ chooses$\varrho ϵ\left\{0,1\right\}$, to investigate which set of messages will be multi-signcryption. For this game $ℳ\mathcal{A}$ asks the queries such as ${\mathcal{H}}_{\mathrm{j} }$(${\mathrm{m}}_{\mathrm{j}}$), Create Entity (${\mathrm{ID}}_{\mathrm{e}}$), Corrupt Entity (${\mathrm{ID}}_{\mathrm{e}}$), and multi-message multi-receiver signcryption, respectively.

The second game is played for unforgeability regarding existential forgeability against adaptive chosen multi-message attacks (EUF- CBMMS-CMA). In this game $ℳℱ$ with$ϵ$ can solve HECDLP with the help of $\mathsf{\zeta }$. $\mathsf{\zeta }$ selects a random number δ and $\mathsf{{\rm Y}}$, then makes $\mathcal{T}$ available to $ℳℱ$. Furthermore, $ℳℱ$ selects ${\mathrm{ID}}_{\mathrm{s}}{}^{*}$ as a sender identity, ${\mathrm{ID}}_{\mathrm{i}}{}^{*}$ as receivers group identities. For this game, $ℳℱ$ asks the queries such as ${\mathcal{H}}_{\mathrm{j} }$(${\mathrm{m}}_{\mathrm{j}}$), Create Entity (${\mathrm{ID}}_{\mathrm{e}}$), Corrupt Entity (${\mathrm{ID}}_{\mathrm{e}}$), Multi-Message Multi-receiver Signcryption, and Multi-Message-Multi-receiver Un-signcryption, respectively. $ℳℱ$ can win this game if it is making the solution for HECDLP.

The third game is about anonymity property, e.g., anonymous indistinguishability beneath the taken multi-ciphertext attack (ANON-CBMMS-CCA). In this game, $ℳ\mathcal{A}$ with non-ignorable advantages$ϵ$ wants to break ANON-CBMMS-CCA of a proposed CBMMS. $\mathsf{\zeta }$ selects a random number δ and $\mathsf{{\rm Y}}$, then makes $\mathcal{T}$ available to $ℳ\mathcal{A}$. Furthermore, $ℳ\mathcal{A}$ selects a target identity set TGL and two different natures but with the same set length of messages (${\mathrm{m}}^{\mathrm{x}}{}_{\mathrm{i}},{\mathrm{m}}^{\mathrm{y}}{}_{\mathrm{i}}$). Further, $\mathsf{\zeta }$ chooses$\varrho ϵ\left\{0,1\right\}$ to investigate which set of messages will be multi signcryption. For this game $ℳ\mathcal{A}$ ask the queries such as ${\mathcal{H}}_{j }$($m_j$), Create Entity ($I{D}_e$), Corrupt Entity ($I{D}_e$), and multi-message multi-receiver signcryption, respectively.

Note that the queries, such as ${\mathcal{H}}_{j }$($m_j$), Create Entity ($I{D}_e$), Corrupt Entity ($I{D}_e$), multi-message multi-receiver signcryption, and multi-message multi-receiver Un-signcryption, are defined clearly in Theorem1, Theorem 2, and Theorem 3 of the security analysis section.

4.3. Syntax

The following six steps the comprise syntax for the proposed CBMMS [24]:

• Setup: A global parameter set $𝒯$ is created by CA, then, CA selects δ and computes Υ, and sets Υ and δ is a public and private key.
• Set-Public-Variant: An entity with identity ID_e chooses a random number ν_e, computes φ_e, and sends a tuple (φ_e,ID_e) to CA.
• Set-Certificate: For an entity with identity ID_e, CA selects a random number χ_e, calculates γ_e, computes a certificate CR_e, calculates W_e and sends a tuple (W_e,CR_e) to CA.
• Set-Public-and-Private-Key: An entity with identity ID_e computes α_e as a private key and computes his/her public key as βe.
• Multi-message-Multi-receiver Signcryption: A sender with identity (ID_S) can take (ID_S,CR_S,β_s,m_i) as an in input and make a Multi-Message-Multi-receiver signcryption tuple ψ.
• Multi-message-Multi-receiver Un-signcryption: Each recipient with identity (ID_i) can take the tuple ψ for verification of a multi-signature and for recovering multi-encryption data.

5. Proposed Scheme

The proposed scheme is described in detail in this section, which is made from the following six computational steps:

• Setup: A global parameter set $𝒯$= {Hξ$,\mathit{D},{\mathcal{H}}_1,{\mathcal{H}}_{2.}{\mathcal{H}}_{3.}$} is created by CA, where ${\mathcal{H}}_1,{\mathcal{H}}_{2.}{\mathcal{H}}_{3.}$ are the one-way hash functions, Hξ is a hyper elliptic curve, and $\mathit{D}$ is the devisor. Then, CA computes$\mathit{{\rm Y}}=\mathit{\delta }.\mathit{D}$, where$\mathit{\delta }\mathit{ϵ} \left\{\mathbf{1},\mathbf{2},\mathbf{3},\mathbf{4},\dots \dots , \mathit{n}-\mathbf{1}\right\}$, and set$\mathit{{\rm Y}} \mathit{a}\mathit{n}\mathit{d} \mathit{\delta }$ is a public and private key.
• Set-Public-Variant: An entity with identity $\mathit{I}{\mathit{D}}_{\mathit{e}}$ chooses ${\mathcal{V}}_{\mathit{e}}\mathit{ϵ} \left\{\mathbf{1},\mathbf{2},\mathbf{3},\mathbf{4},\dots \dots , \mathit{n}-\mathbf{1}\right\}$, computes ${\mathit{\phi }}_{\mathit{e}}={\mathcal{V}}_{\mathit{e}}.\mathit{D}$, and sends a tuple (${\mathit{\phi }}_{\mathit{e}},\mathit{I}{\mathit{D}}_{\mathit{e}}$) to $\mathit{C}\mathit{A}$.
• Set-Certificate: For an entity with identity$\mathit{I}{\mathit{D}}_{\mathit{e}}$, $\mathit{C}\mathit{A}$ selects ${\mathcal{X}}_{\mathit{e}}\mathit{ϵ} \left\{\mathbf{1},\mathbf{2},\mathbf{3},\mathbf{4},\dots \dots , \mathit{n}-\mathbf{1}\right\},$ calculates${\mathit{\gamma }}_{\mathit{e}}={\mathcal{X}}_{\mathit{e}}.\mathit{D}$, computes $\mathit{C}{\mathit{R}}_{\mathit{e}}={\mathit{\gamma }}_{\mathit{e}}+{\mathit{\phi }}_{\mathit{e}}$, calculates ${\mathcal{W}}_{\mathit{e}}={\mathcal{H}}_{\mathbf{1}}\left(\mathit{C}{\mathit{R}}_{\mathit{e}},\mathit{I}{\mathit{D}}_{\mathit{e}}\right).{\mathcal{X}}_{\mathit{e}}+\mathit{\delta }$and sends a tuple (${\mathcal{W}}_{\mathit{e}},\mathit{C}{\mathit{R}}_{\mathit{e}}$) to $\mathit{C}\mathit{A}$.
• Set-Public-and-Private-Key: An entity with identity $\mathit{I}{\mathit{D}}_{\mathit{e}}$ computes ${\mathit{\alpha }}_{\mathit{e}}={\mathcal{H}}_{\mathbf{1} }\left(\mathit{C}{\mathit{R}}_{\mathit{e}},\mathit{I}{\mathit{D}}_{\mathit{e}}\right).{\mathcal{V}}_{\mathit{e}}+{\mathcal{W}}_{\mathit{e}}$as a private key and computes his/her public key as ${\mathit{\beta }}_{\mathit{e}}={\mathit{\alpha }}_{\mathit{e}}.\mathit{D}$.
• Multi-message-Multi-receiver Signcryption: A sender with identity ($I{D}_s$) can perform the following steps for generation of Multi-Message-Multi-receiver signcryption data.
  • Choose${\mathit{\varphi }}_{\mathit{i}}\mathit{ϵ} \left\{\mathbf{1},\mathbf{2},\mathbf{3},\mathbf{4},\dots .,., \mathit{n}-\mathbf{1}\right\}$ and multiply with divisor as: ${\mathit{\mu }}_{\mathit{i}}={\mathit{\varphi }}_{\mathit{i}}.\mathit{D}$.
  • Compute ${\mathit{\vartheta }}_{\mathit{i}}={\mathcal{H}}_{\mathbf{2} }({\mathit{\varphi }}_{\mathit{i}}.{\mathit{\beta }}_{\mathit{i}}$), where $\mathit{i}=\left\{\mathbf{1},\mathbf{2},\mathbf{3},\dots .\mathit{n}\right\}$
  • Make a Ciphertext as ${\mathcal{C}}_{\mathit{i}}$ = ${\mathit{E}}_{{\mathit{\vartheta }}_{\mathit{i}}}\mathit{C}{\mathit{R}}_{\mathit{s}},{\mathit{\beta }}_{\mathit{s}},{\mathit{m}}_{\mathit{i}})$ and make a non-reversible hash value ${\mathcal{J}}_{\mathit{i}}={\mathcal{H}}_{\mathbf{3} }\left(\mathit{I}{\mathit{D}}_{\mathit{s}},\mathit{C}{\mathit{R}}_{\mathit{s}},{\mathit{\beta }}_{\mathit{s}},{\mathit{m}}_{\mathit{i}}\right)$
  • Compute a multi signature as ${\mathcal{G}}_{\mathit{i}}={\mathit{\varphi }}_{\mathit{i}}-{\mathcal{J}}_{\mathit{i}}.{\mathit{\alpha }}_{\mathit{s}}$ and send Multi-message-Multi-receiver signcryption $\mathit{\psi }=\left({\mathcal{C}}_{\mathit{i}},{\mathcal{J}}_{\mathit{i}},{\mathcal{G}}_{\mathit{i}}\right)$ to the recipient group.
• Multi-message-Multi-receiver Un-signcryption: each recipient with identity ($\mathit{I}{\mathit{D}}_{\mathit{i}}$) can perform the following steps for verification of multi-signature and recovering multi-encryption data.
  • Calculate${\mathit{\mu }}_{\mathit{i}}={\mathcal{G}}_{\mathit{i}}.\mathit{D}+{\mathcal{J}}_{\mathit{i}}.{\mathit{\beta }}_{\mathit{s}}$and${\mathit{\vartheta }}_{\mathit{i}}={\mathcal{H}}_{\mathbf{2} }({\mathit{\mu }}_{\mathit{i}}.{\mathit{\alpha }}_{\mathit{i}}$)
  • Compute$\left(\mathit{I}{\mathit{D}}_{\mathit{s}},\mathit{C}{\mathit{R}}_{\mathit{s}},{\mathit{\beta }}_{\mathit{s}},{\mathit{m}}_{\mathit{i}}\right)$=${\mathit{D}}_{{\mathit{\vartheta }}_{\mathit{i}}}\left({\mathcal{C}}_{\mathit{i}}\right)$.

Correctness Analysis

The recipient with identity ($I{D}_i$) computes

$$\begin{array}{c}{\mu }_i={\mathcal{G}}_i.D+{\mathcal{J}}_i.{\beta }_s\\ \hspace{1em}\hspace{1em}={\mathcal{G}}_i.D+{\mathcal{J}}_i.{\beta }_s=\left({\varphi }_i-{\mathcal{J}}_i.{\alpha }_s\right).D+{\mathcal{J}}_i.{\alpha }_s.D \mathrm{where} {\mathcal{G}}_i={\varphi }_i-{\mathcal{J}}_i.{\alpha }_s \mathrm{and} {\beta }_s={\alpha }_s.D\\ =D\left({\varphi }_i-{\mathcal{J}}_i.{\alpha }_s+{\mathcal{J}}_i.{\alpha }_s\right)=D\left({\varphi }_i\right)={\varphi }_i.D={\mu }_i\end{array}$$

(1)

Then it calculates

$$\begin{gathered} {\vartheta }_i={\mathcal{H}}_{3 }({\mu }_i.{\alpha }_i) \\ {\vartheta }_i={\mathcal{H}}_{3 }\left({\mu }_i.{\alpha }_i\right)=\left({\mathcal{G}}_i.D+{\mathcal{J}}_i.{\beta }_s\right).{\alpha }_i=\left(\left({\varphi }_i-{\mathcal{J}}_i.{\alpha }_s\right).D+{\mathcal{J}}_i.{\beta }_s\right).{\alpha }_i \\ =\left(\left({\varphi }_i.D-{\mathcal{J}}_i.{\alpha }_s.D\right)+{\mathcal{J}}_i.{\beta }_s\right).{\alpha }_i \\ =\left(\left({\varphi }_i.D-{\mathcal{J}}_i.{\beta }_s\right)+{\mathcal{J}}_i.{\beta }_s\right).{\alpha }_i=\left({\varphi }_i.D\right).{\alpha }_i=\left({\mu }_i\right).{\alpha }_i \end{gathered}$$

(2)

6. Security Analysis

This section contains the following three theorems for proving the three games, which are discussed in the threat model.

Theorem 1. 

Suppose a malicious agent($ℳ\mathcal{A}$)with non-ignorable advantages$ϵ$, wants to break IND-CBMMS-CCA of a proposed CBMMS. Further, the challenger ζ serves is a subroutine for finding the solution of a hyper elliptic curve Deffi–Helman problem (HECDHP) for $ℳ\mathcal{A}$. Assume ς = ρ.$D$, σ = $\omega .D$ where ρ, $\omega$ $ϵ \left\{1,2,3,4,\dots \dots , n-1\right\}$ then we must say the HECDHP instance will be ς and σ. Therefore, $\zeta$ computes${\rm Y}=\delta .D$, where$\delta ϵ \left\{1,2,3,4,\dots \dots , n-1\right\}$, and sends${\rm Y} and \mathcal{T}=\left\{H\mathsf{\xi },D,{\mathcal{H}}_1,{\mathcal{H}}_{2.}{\mathcal{H}}_{3.}\right\}$to $ℳ\mathcal{A}$. Furthermore, $ℳ\mathcal{A}$ selects $I{D}_s{}^{*}$ as a sender identity, $I{D}_i{}^{*}$ as receivers group identities, and two different natures but the same set length of messages ($m^x{}_i,m^y{}_i$). Further, $\zeta$ chooses$\varrho ϵ\left\{0,1\right\}$ to investigate which set of messages will be multi-signcryption and, in the user list $L_{usr}$, divorces the identity data associated with $I{D}_s{}^{*}$. It fixed ς = ${\beta }_i{}^{*}$. Therefore, for the determination of multi-cipher text, it set ${\mu }_i$ = δ. Then, $\zeta$ generates some value for ${\mathcal{J}}_i$ and chooses ${\mathcal{C}}_i,{\mathcal{G}}_i$ from $\left\{1,2,3,4,\dots \dots ., n-1\right\}$. Further, its stores the corresponding values in the user list that are $L_{{\mathcal{H}}_{3.}}$ and $L_{{\mathcal{H}}_{4.}}$. Finally, $\zeta$ sends a triple (${\mathcal{J}}_i$,${\mathcal{C}}_i,{\mathcal{G}}_i$) to $ℳ\mathcal{A}$. Consequently, the $ℳ\mathcal{A}$ can ensue with the following queries, which are answered through$\zeta$.

• ${\mathcal{H}}_{\mathit{j} }$(${\mathit{m}}_{\mathit{j}}$): $\zeta$ maintains a list $L_{{\mathcal{H}}_{j }}$and initially stores $m_j$ and ${\mathcal{J}}_j$. Note that, for the hash of $m_j$, the result is obtained as ${\mathcal{J}}_j$ where (j = 1,2,3). If the requested value is not existing in $L_{{\mathcal{H}}_j},$ then $\zeta$ generates a new hash value for $ℳ\mathcal{A}$. The $ℳ\mathcal{A}$ has access to $L_{{\mathcal{H}}_i}$.
• Create Entity ($\mathit{I}{\mathit{D}}_{\mathit{e}}$): if $\mathit{I}{\mathit{D}}_{\mathit{e}}=I{D}_i{}^{*}$, then ς = ${\beta }_i{}^{*}$ and chooses a random number for $C{R}_i{}^{*}$. Further, it adds ($C{R}_i{}^{*},⫝,I{D}_i{}^{*},{\beta }_i{}^{*}$) into $L_{usr}$ and ($C{R}_i{}^{*},⫝,I{D}_i{}^{*}$) into $L_{{\mathcal{H}}_1}$. If $I{D}_e$ is not previously added in $L_{usr}$,$\zeta$ computes $C{R}_e=\ell .D$, where ℓ belongs to $\left\{1,2,3,4,\dots \dots ., n-1\right\}$, then selects ${\alpha }_e$ from $\left\{1,2,3,4,\dots \dots ., n-1\right\}$, calculates ${\mathcal{W}}_e=\left({\alpha }_e+\delta \right)/\ell$, sets ${\beta }_e={\alpha }_e.D$, and includes ${\mathcal{W}}_e$ into $L_{{\mathcal{H}}_1}$. Furthermore, the values such as $I{D}_e$,$C{R}_e$,${\beta }_e$, and ${\alpha }_e$ are included to $L_{usr}$.
• Corrupt Entity ($\mathit{I}{\mathit{D}}_{\mathit{e}}$): If the requested value for $I{D}_e$ does not belong to $L_{usr}$, $\zeta$ calls the Create Entity ($I{D}_e$) query for generating ${\mathsf{\alpha }}_{\mathrm{e}}$ and dispatches it to $ℳ\mathcal{A}$.
• Multi-message-Multi-receiver Signcryption:Multi-Message-Multi-receiver Signcryption:$\zeta$ will stop further processing, if $I{D}_e=I{D}_i{}^{*}$ or $I{D}_e=I{D}_s{}^{*}$, otherwise $\zeta$ search in $L_{usr}$, if the entry exists for $I{D}_i$ and $I{D}_s$. If such entry is not existing in $L_{usr}$, then it calls Create Entity ($I{D}_e$) and generates (${\mathcal{J}}_i$,${\mathcal{C}}_i,{\mathcal{G}}_i$).

When the above query is finished successfully, then $ℳ\mathcal{A}$ is decided upon$\varrho$. When $\zeta$ is able to find the solution for a hyper elliptic curve discrete logarithm problem and determines $E_{{\vartheta }_i}\left(I{D}_s,C{R}_s,{\beta }_s,m_i\right)$ from $L_{{\mathcal{H}}_2}$, then$ℳ\mathcal{A}$ will able with $ϵ$ to win this game. Therefore, the $ℳ\mathcal{A}$ can solve HECDHP with the following probability and events:

• $E_1: ℳ\mathcal{A}$ wins in creating an entity query ($Q_{CE}$), and its probability is $\frac{ϵ}{Q_{CE}}$.
• $E_2: ℳ\mathcal{A}$ wins in the Multi-message-Multi-receiver Signcryption query ($Q_{MMS}$), and its probability is $\frac{Q_{MMS}}{2^k}$.
• $E_3: ℳ\mathcal{A}$ processes the ${\mathcal{H}}_{\mathbf{2}}$ query ($Q_{{\mathcal{H}}_2}$) without any hurdles and its probability is $\frac{1}{Q_{{\mathcal{H}}_2}}$.

Therefore, the breaching probability will be ${ϵ}^{/}\ge \left(\frac{ϵ}{Q_{CE}}.\frac{Q_{MMS}}{2^k}.\frac{1}{Q_{{\mathcal{H}}_2}}\right)$, which means that our proposed scheme provides IND- CBMMS-CCA security regarding confidentiality.

Theorem 2. 

Assume a malicious forger ($ℳℱ$) with non-ignorable advantages$ϵ$wants to break EUF-CBMMS-CMA of a proposed CBMMS. Further, the challenger ζ serves as a subroutine for finding the solution of the hyper elliptic curve discrete logarithm problem (HECDLP) for$ℳℱ$. Assume ς = ρ.$D$whereρ$ϵ \left\{1,2,3,4,\dots \dots , n-1\right\}$then we must say the HECDLP instance will be ρ. Therefore, $\zeta$computes${\rm Y}=\delta .D$, where$\delta ϵ \left\{1,2,3,4,\dots \dots , n-1\right\}$and sends${\rm Y} and \mathcal{T}=\left\{H\mathsf{\xi },D,{\mathcal{H}}_1,{\mathcal{H}}_{2.}{\mathcal{H}}_{3.}\right\}$to$ℳ\mathcal{A}$. Furthermore, $ℳ\mathcal{A}$selects$I{D}_s{}^{*}$as a sender identity and$I{D}_i{}^{*}$as receiver group identities. Consequently, the$ℳ\mathcal{A}$can ensue with the following queries, which are answered through$\zeta$.

• ${\mathcal{H}}_{\mathit{j} }$(${\mathit{m}}_{\mathit{j}}$): $\zeta$ maintains a list $L_{{\mathcal{H}}_{j }}$and initially stored $m_j$ and ${\mathcal{J}}_j$. Note that, for the hash of $m_j$, the result is obtained as ${\mathcal{J}}_j$ where (j = 1,2,3). If the requested value is not existing in $L_{{\mathcal{H}}_j},$ then $\zeta$ generates a new hash value for $ℳℱ$. The $ℳℱ$ has access to $L_{{\mathcal{H}}_i}$.
• Create Entity ($\mathit{I}{\mathit{D}}_{\mathit{e}}$): If $I{D}_e$ is not previously added in $L_{usr}$, then we define two conditions, which are: the first condition is if $I{D}_e=I{D}_i{}^{*}$, then ς = ${\beta }_i{}^{*}$ and chooses a random number for $C{R}_i{}^{*}$. Further, it adds ($C{R}_i{}^{*},⫝,I{D}_i{}^{*},{\beta }_i{}^{*}$) into $L_{usr}$ and ($C{R}_i{}^{*},⫝,I{D}_i{}^{*}$) into $L_{{\mathcal{H}}_1}$. The second condition is if $I{D}_e$ is not equal to $I{D}_i{}^{*}$, then$\zeta$ computes $C{R}_e=\ell .D$, where ℓ belongs to $\left\{1,2,3,4,\dots \dots ., n-1\right\}$, then selects ${\alpha }_e$ from $\left\{1,2,3,4,\dots \dots ., n-1\right\}$, calculates ${\mathcal{W}}_e=\left({\alpha }_e+\delta \right)/\ell$, sets ${\beta }_e={\alpha }_e.D$, and includes ${\mathcal{W}}_e$ into $L_{{\mathcal{H}}_1}$. Furthermore, the values such as $I{D}_e$,$C{R}_e$,${\beta }_e$, and ${\alpha }_e$ are included to $L_{usr}$.
• Corrupt Entity ($\mathit{I}{\mathit{D}}_{\mathit{e}}$): If the requested value for $I{D}_e$ does not belongs to $L_{usr}$, $\zeta$ calls the Create Entity ($I{D}_e$) query to generate ${\mathsf{\alpha }}_{\mathrm{e}}$ and dispatches it to $ℳℱ$.
• Multi-message-Multi-receiver Signcryption:$\zeta$ will stop further processing, if $I{D}_e=I{D}_i{}^{*}$ or $I{D}_e=I{D}_s{}^{*}$, otherwise $\zeta$ searches in $L_{usr}$, if the entry exists for $I{D}_i$ and $I{D}_s$. If such entry does not exist in $L_{usr}$, then it calls Create Entity ($I{D}_e$) and generates (${\mathcal{J}}_i$,${\mathcal{C}}_i,{\mathcal{G}}_i$).
• Multi-message-Multi-receiver Un-signcryption:$\zeta$ can check the validity of multi-ciphertext, which is basically generated by $I{D}_s$ for $I{D}_i$ and then it recovers the multi-plaintext.

When the above query is finished successfully, then $ℳℱ$ and $\zeta$ will create their respective Multi-message-Multi-receiver Signcryption triples, which are (${\mathcal{J}}_i$,${\mathcal{C}}_i,{\mathcal{G}}_i$) and (${\mathcal{J}}_i{}^{*},{\mathcal{G}}_i{}^{*}$,${\mathcal{C}}_i$). Therefore, we can obtain the following results [24]:

$$\begin{gathered} {\mathcal{G}}_i.D+{\mathcal{J}}_i.{\beta }_i={\mathcal{G}}_i{}^{*}.D+{\mathcal{J}}_i{}^{*}.{\beta }_i \\ ={\mathcal{G}}_i.D-{\mathcal{G}}_i{}^{*}.D={\mathcal{J}}_i{}^{*}.{\beta }_i-{\mathcal{J}}_i.{\beta }_i=({\mathcal{G}}_i-{\mathcal{G}}_i{}^{*}).D=({\mathcal{J}}_i{}^{*}-{\mathcal{J}}_i).{\beta }_i \\ =({\mathcal{G}}_i-{\mathcal{G}}_i{}^{*}).D=({\mathcal{J}}_i{}^{*}-{\mathcal{J}}_i).\mathsf{\rho }.D \\ =({\mathcal{G}}_i-{\mathcal{G}}_i{}^{*})=({\mathcal{J}}_i{}^{*}-{\mathcal{J}}_i).\mathsf{\rho } \end{gathered}$$

(3)

$({\mathcal{G}}_i-{\mathcal{G}}_i{}^{*})/({\mathcal{J}}_i{}^{*}-{\mathcal{J}}_i)=\mathsf{\rho }$will be the solution of HECDLP.

The $ℳℱ$ can solve HECDLP with the probability of $\frac{ϵ}{Q{\mathcal{H}}_3},$and this means that our proposed scheme provides EUF-CBMMS-CMA security regarding unforgeability.

Theorem 3. 

Here, the malicious agent ($ℳ\mathcal{A}$),having advantage$ϵ$, wants to break ANON-CBMMS-CCA of a proposed CBMMS. Further, the challenger ζ serves is a subroutine for finding the solution of HECDHP for$ℳ\mathcal{A}$. Adopt ς = ρ.$D$, σ = $\omega .D$ where ρ, $\omega$ $ϵ \left\{1,2,3,4,\dots \dots , n-1\right\},$ then we must say the HECDHP instance will be ς and σ. Therefore, $\zeta$ computes${\rm Y}=\delta .D$, where$\delta ϵ \left\{1,2,3,4,\dots \dots , n-1\right\}$, and sends${\rm Y} and \mathcal{T}=\left\{H\mathsf{\xi },D,{\mathcal{H}}_1,{\mathcal{H}}_{2.}{\mathcal{H}}_{3.}\right\}$to $ℳ\mathcal{A}$. Furthermore, $ℳ\mathcal{A}$ selects a target identity set TGL = $\left\{I{D}_1{}^{*},I{D}_2{}^{*},\dots .I{D}_n{}^{*}\right\}$ and two different natures but with the same set length of messages ($m^x{}_i,m^y{}_i$). Further, $\zeta$ chooses$\varrho ϵ\left\{0,1\right\}$ to investigate which set of messages will be multi-signcryption, and in the user list, $L_{usr}$ divorces the identity associated data with $I{D}_s{}^{*}$. It fixed ς = ${\beta }_i{}^{*}$. Therefore, for the determination of multi-cipher text, it sets ${\mu }_i$ = δ. Then, $\zeta$ generate some value for ${\mathcal{J}}_i$ and chooses ${\mathcal{C}}_i,{\mathcal{G}}_i$ from $\left\{1,2,3,4,\dots \dots ., n-1\right\}$. Further, it stores the corresponding values in the user list, which are $L_{{\mathcal{H}}_{3.}}$ and $L_{{\mathcal{H}}_{4.}}$. Finally, $\zeta$ sends a triple (${\mathcal{J}}_i$,${\mathcal{C}}_i,{\mathcal{G}}_i$) to $ℳ\mathcal{A}$. Consequently, the $ℳ\mathcal{A}$ can ensue with the following queries, which are answered through$\zeta$.

• ${\mathcal{H}}_{\mathit{j}}$(${\mathit{m}}_{\mathit{j}}$): $\zeta$ maintains a list $L_{{\mathcal{H}}_{j }}$and initially stores $m_j$ and ${\mathcal{J}}_j$. Note that for the hash of $m_j$, the result obtained as ${\mathcal{J}}_j$ where (j = 1,2,3). If the requested value does not exist in $L_{{\mathcal{H}}_j},$ then $\zeta$ generates a new hash value for $ℳ\mathcal{A}$. The $ℳ\mathcal{A}$ has access to $L_{{\mathcal{H}}_i}$.
• Create Entity ($\mathit{I}{\mathit{D}}_{\mathit{e}}$): If $I{D}_e=I{D}_i{}^{*}$, then ς = ${\beta }_i{}^{*}$ and chooses a random number for $C{R}_i{}^{*}$. Further, it adds ($C{R}_i{}^{*},⫝,I{D}_i{}^{*},{\beta }_i{}^{*}$) into $L_{usr}$ and ($C{R}_i{}^{*},⫝,I{D}_i{}^{*}$) into $L_{{\mathcal{H}}_1}$. If $I{D}_e$ is not previously added in $L_{usr}$,$\zeta$ computes $C{R}_e=\ell .D$, where ℓ belongs to $\left\{1,2,3,4,\dots \dots ., n-1\right\}$, then selects ${\alpha }_e$ from $\left\{1,2,3,4,\dots \dots ., n-1\right\}$, calculates ${\mathcal{W}}_e=\left({\alpha }_e+\delta \right)/\ell$, sets ${\beta }_e={\alpha }_e.D$, and includes ${\mathcal{W}}_e$ into $L_{{\mathcal{H}}_1}$. Furthermore, the values such as $I{D}_e$,$C{R}_e$,${\beta }_e$, and ${\alpha }_e$ are included to $L_{usr}$.
• Corrupt Entity ($\mathit{I}{\mathit{D}}_{\mathit{e}}$): If the requested value for $I{D}_e$ does not belong to $L_{usr}$, $\zeta$ calls the Create Entity ($I{D}_e$) query to generate ${\mathsf{\alpha }}_{\mathrm{e}}$ and dispatches it to $ℳ\mathcal{A}$.
• Multi-message-Multi-receiver Signcryption:$\zeta$ will stop further processing if $I{D}_e=I{D}_i{}^{*}$ or $I{D}_e=I{D}_s{}^{*}$; otherwise, $\zeta$ searches in $L_{usr}$, if the entry exists for $I{D}_i$ and $I{D}_s$. If such entry does not exist in $L_{usr}$, then it calls Create Entity ($I{D}_e$) and generates (${\mathcal{J}}_i$,${\mathcal{C}}_i,{\mathcal{G}}_i$).

When the above query is finished successfully, then $ℳ\mathcal{A}$ is decided upon$\varrho$. When $\zeta$ is able to find the solution for the hyper elliptic curve discrete logarithm problem and determines $E_{{\vartheta }_i}\left(I{D}_s,C{R}_s,{\beta }_s,m_i\right)$ from $L_{{\mathcal{H}}_2}$, then$ℳ\mathcal{A}$ will able with $ϵ$ to win this game. Therefore, the $ℳ\mathcal{A}$ can solve HECDHP with the probability of $\frac{ϵ}{Q{\mathcal{H}}_2}$ and this means that our proposed scheme provides IND-CBMMS-CCA security regarding confidentiality.

7. Performance Comparison

In this section, we compare our scheme’s communication and computation costs with the corresponding current three existing schemes, i.e., Pang et al. [20], Peng et al. [21] and Ming et al. [28], on the basis of expensive mathematical operations used such as Scalar Elliptic curve point Multiplication (SEM) and Scalar HyperElliptic curve divisor Multiplication (SHEM) to show the efficiency, security and superiority. While the operation, such as addition, division, subtraction, hashing, encryption and decryption, is neglected because of its minimum numerical length. We consider the following kinds of operations for our comparative study.

Scalar Elliptic curve point Multiplication (SEM): The number of total point multiplication required on an elliptic curve.

Scalar HyperElliptic curve divisor Multiplication (SHEM): The total number of divisor points required on a hyperelliptic curve.

q = 160 bits

Number of messages = mi

Number of receivers= П

Size of single message (ṃ) = 1024 bits

The SEM and SHEM values are shown in

Table 2. Computational time of major operations in milliseconds.

Name of Operation	SEM	SHEM
Time in milliseconds (ms)	0.97 ms	0.48 ms

. To calculate the efficiency of the proposed solution, the Multi-precision Integer and Rational Arithmetic C Library (MIRACL) [30] is used to test the runtime of simple cryptographic operations up to 1000 times.

The following specs are observed on a workstation: Intel Core i7- 4510U Processor^@ 2.0 GHz, 8 GB RAM and Windows 7 Home Standard 64-bit Operating System [31]. We compared our scheme with Pang et al. [20], Peng et al. [21] and Ming et al. [28] by considering the same settings, and the findings are shown in

Table 3. Computation and communication cost comparison for single node and single message.

Schemes	Signcryption	Unsigncryption	Length of Ciphertext
Pang et al. [20]	(П + 1) SEM = (1 + 1) × 0.97 = 1.94	3 SEM = 3 × (0.97) = 2.91	|mi| + П|2q| = |1024| + 1|2(160)| = 1344
Peng et al. [21]	(2 П + 1) SEM = (2 × 1 + 1) × 0.97 = 2.91	3 SEM = 3 × (0.97) = 2.91	|mi| + П|4q| = |1024| + 1|4(160)| = 1664
Ming et al. [28]	(4 П + 1) SEM = (4 × 1 + 1) × 0.97 = 4.85	5 SEM = 5 × (0.97) = 4.85	|mi| + П|2q| = |1024| + 1|2(160)| = 1344
Proposed	(2 П + 1) SHEM = (2 × 1 + 1) × 0.48 = 1.44	3 SHEM = 3 × (0.48) = 1.44	|mi| + П|2n| = |1024| + 1|2(80)| = 1184

,

Table 4. Computation and communication cost comparison for twenty-five nodes and ten messages.

Schemes	Signcryption	Unsigncryption	Length of Ciphertext
Pang et al. [20]	(П + 1) SEM = (25 + 1) × 0.97 = 25.22	3 SEM = 3 × (0.97) = 2.91	|mi| + П|2q| = 10|1024| + 25|2(160)| = 18,240
Peng et al. [21]	(2 П + 1) SEM = (2 × 25 + 1) × 0.97 = 49.47	3 SEM = 3 × (0.97) = 2.91	|mi| + П|4q| = 10|1024| + 25|4(160)| = 26,240
Ming et al. [28]	(4 П + 1) SEM = (4 × 25 + 1) × 0.97 = 97	5 SEM = 5 × (0.97) = 4.85	|mi| + П|2q| = 10|1024| + 25|2(160)| = 18,240
Proposed	(2 П + 1) SHEM = (2 × 25 + 1) × 0.48 = 24.48	3 SHEM = 3 × (0.48) = 1.44	|mi| + П|2n| = 10|1024| + 25|2(80)| = 14,240

and

Table 5. Computation and communication cost comparison for fifty nodes and fifteen messages.

Schemes	Signcryption	Unsigncryption	Length of Ciphertext
Pang et al. [20]	(П + 1) SEM = (50 + 1) × 0.97 = 49.47	3 SEM = 3 × (0.97) = 2.91	|mi| + П|2q| = 15|1024| + 50|2(160)| = 31,360
Peng et al. [21]	(2 П + 1) SEM = (2 × 50 + 1) × 0.97 = 97.97	3 SEM = 3 × (0.97) = 2.91	|mi| + П|4q| = 5|1024| + 50|4(160)| = 47,360
Ming et al. [28]	(4 П + 1) SEM = (4 × 50 + 1) × 0.97 = 194.97	5 SEM = 5 × (0.97) = 4.85	|mi| + П|2q| = 15|1024| + 50|2(160)| = 31,360
Proposed	(2 П + 1) SHEM = (2 × 50 + 1) × 0.48 = 48.48	3 SHEM = 3 × (0.48) = 1.44	|mi| + П|2n| = 15|1024| + 50|2(80)| = 23,360

. The time required for SHEM is 0.48 ms [32,33].

Moreover, the results of a comparative study with current equivalents suggest that, as seen in Figure 2 and Figure 3, the new scheme is defined by the lowest cost of computation. In comparison, from the related existing schemes, as shown in Figure 4, the ciphertext size is comparatively less in our proposed scheme.

8. Conclusions

In the remote sharing of patient data, such as monitoring, treatment progression, diagnosis and consultation, the Internet of Medical Things (IoMT) plays a major role. Multiple biomedical sensors are ubiquitously linked with the Internet in IoMT, thereby offering seamless communication with effective usage of resources. However, because of the resource-constrained biomedical devices, traditional cryptographic approaches are not practical for the majority of IoMT implementations. Fortunately, the envisioned 5G mobile communication architecture includes an edge computing facility that can provide on-demand processing, computation, and storage. In this paper, we proposed a lightweight security scheme, using the hyperelliptic curve (HEC) principle together with a certificate-based cryptography called a Multi-message and Multi-receiver Signcryption. The HEC solution is a reliable technique due to the small key size and therefore has huge potential for future IoMT applications. The formal security analysis using ROM confirms confidentiality, unforgeability, and receiver anonymity by the proposed scheme. Furthermore, after a comparative comparison with the key existing schemes, the proposed scheme proved to be effective in terms of both the cost of computation and communication.