A Privacy Protection Scheme of Certificateless Aggregate Ring Signcryption Based on SM2 Algorithm in Smart Grid

Abstract

With the rapid increase in smart grid users and the increasing cost of user data transmission, proposing an encryption method that does not increase the construction cost while increasing the user ceiling has become the focus of many scholars. At the same time, the increase in users will also lead to more security problems, and it is also necessary to solve the privacy protection for users during information transmission. In order to solve the above problems, this paper proposes an aggregated ring encryption scheme based on the SM2 algorithm with special features, referred to as SM2-CLARSC, based on the certificateless ring signcryption mechanism and combining with the aggregate signcryption. SM2-CLARSC is designed to satisfy the basic needs of the smart grid, and it can be resistant to replay attacks, forward security and backward security, etc. It has better security and higher efficiency than existing solutions. Comparing SM2-CLARSC with existing typical solutions through simulation, the result proves that this solution has more comprehensive functions, higher security, and significant computational efficiency improvement.

1. Introduction

Intelligence is the theme of the development of all walks of life in the future. After combining the traditional grid and the Internet, the smart grid (SG) was developed because the traditional grid can no longer meet the development needs of today’s society. In the SG, users interact with the power control center (CC) through smart meters. Users send their own electricity consumption information to CC in real-time, and CC can also feed back information such as billing and predictive pricing to users in SG, allowing users to plan electricity consumption based on feedback, thereby reducing electricity costs. The goal of SG is to provide electricity to users in a more reliable and efficient manner, which has attracted the attention of researchers [1].

However, there are still unresolved issues within the SG. One of the significant challenges pertains to concealing the user’s identity within the SG, while also ensuring efficient and rapid completion of signcryption and unsigncryption. At present, many scholars have proposed solutions to this problem, but it can still be improved. The user’s private data are easily leaked or damaged during the transmission and storage process with the service node, which has a large security risk. For example, attackers can invade service nodes, which is much less difficult than attacking users or CC [2]. After hijacking edge service nodes, they can reasonably obtain information sent by both users and CC. This is a huge problem that was previously ignored.

At present, the mainstream encryption methods except for regular encryption in SG are ring signcryption [3,4], homomorphic encryption [5,6], etc. These methods cannot prevent service nodes from being hijacked and still protect user privacy and security, as well as data confidentiality. Although attackers cannot break through the algorithm, the data can still be obtained successfully. At the same time, the rapid increase in the number of users in SG will also bring problems such as response delay, service quality degradation, and increased computing pressure on control center resources. Ensuring the confidentiality and unforgeability of user privacy data, while simultaneously addressing response delays due to escalating user numbers poses a significant challenge in Smart Grid (SG) applications. This challenge becomes particularly pronounced when facilitating bidirectional information exchange between users and service nodes.

In response to the above problems, we propose to deploy edge computing nodes (ECN) in the SG in combination with edge computing [7]. ECN simply recalculates the data sent by users. In this process, although ECN receives the ciphertext, it cannot perform complete decryption. ECN can not only perform a simple verification of the ciphertext but also aggregate the ciphertext, so as to improve the computing efficiency of CC and reduce communication costs.

At present, the main methods to address user identity privacy protection issues include ring signature, pseudonym system, and group signature. Among them, adding a pseudonym has higher requirements for the storage cost of SG. The fairness of the group signature mainly depends on the group manager, but this is very subjective. If the system hides the identity of the user completely, it is very likely that malicious users will send malicious information through SG and cannot be found.

After comprehensively studying the existing related schemes, we propose a conditional privacy-preserving ring signcryption scheme based on the SM2 algorithm in a smart grid to address the shortcomings of the existing schemes. In order to effectively solve the user identity privacy protection problem and the problem of computational surge in the control center. The scheme not only outperforms existing related schemes in terms of efficiency but also has the functions of tracking malicious users, aggregating signatures and resisting replay attacks.

1.1. Our Contribution

In general, we propose a new solution. In order to more effectively address the above issues, our research content is as follows:

• Using the framework of edge computing, it is proposed to alleviate the communication delay problem that may be caused by the surge of users in the SG. ECN partially decrypts and aggregates the ciphertext, and then sends the processed ciphertext to the control center. On the one hand, it can simply verify the ciphertext once, and on the other hand, it can reduce communication costs and improve efficiency.
• We propose a certificateless aggregate ring signcryption scheme (CLARSC) with conditional privacy protection. This scheme enables the tracking of malicious users while safeguarding the privacy of user identities.
• Introducing the update key algorithm, which periodically updates the key to prevent greater damage due to the loss of user keys.
• We compared the scheme proposed in this paper with the existing similar schemes. The results show that the scheme in this paper has more comprehensive functions and significantly improved computational efficiency. By introducing the edge computing structure, the communication pressure of CC is relieved, and the communication cost of the smart grid is reduced.

1.2. Organization

The subsequent sections of this paper are organized as follows: Section 2 offers a review of relevant literature associated with our proposed approach. Section 3 outlines the foundational knowledge. The SM2 signature algorithm is reviewed in Section 4. The certificateless aggregate ring signcryption scheme is introduced in Section 5. Section 6 offers an assessment of the scheme’s correctness and security. Performance analysis is detailed in Section 7. Conclusively, Section 8 provides a summary of the key points discussed in this paper.

2. Related Work

The smart grid, as a combination of a traditional power grid and the Internet, began to take shape in the early 2000s. In the beginning, researchers mainly focused on the automation and communication aspects of power systems and paid less attention to privacy issues [8]. The main focus at that time was to enable remote monitoring, control and optimization of power systems [9]. With the introduction of smart meter technology [10], the collection and transmission of user electricity data have become more detailed and frequent. This raises concerns about user privacy [9], especially sensitive information about personal electricity usage behaviors and habits. User privacy issues in smart grids have begun to emerge [11]. Power usage data can reveal users’ life patterns and behaviors. Users have expressed concerns that their power usage data and identity information may be abused or leaked. After 2010, many countries and regions began to formulate privacy regulations and policies, requiring power companies to adopt privacy protection measures to ensure the security and privacy of user data. However, there are still criminals who use various methods to obtain users’ privacy for illegal profits.

After 2010, researchers mainly used differential privacy algorithms to protect user privacy [12]. In [13], Tian et al. proposed using differential privacy to aggregate multi-data to protect users’ data privacy. In [14], Zheng et al. proposed averaging differential privacy to improve the privacy protection performance of the algorithm. Although differential privacy has the characteristics of strong privacy protection, wide applicability, and good standardization, its performance is relatively poor, parameter selection is complicated, and most importantly, it is not suitable for all situations. Moreover, the noise introduced by differential privacy may have a certain impact on the accuracy of data analysis, especially when privacy intensity is high.

In response to the problems of differential privacy, relevant researchers have proposed using ring signatures to protect user identity privacy while improving user experience. The concept of a ring signature, introduced by Rivest et al. in 2001, originated as a simplified form of group signature [15]. The main purpose of ring signatures is to solve the problem of hiding the identity of the real signer during the message transmission process. In [16], Han et al. summarise the issues and problems that have been solved and present approaches that may be able to solve the problems that need to be solved. In their work [17], Wang et al. presented a traceable ring signature scheme designed for batch processing within the SG context. In [18], Tang et al. proposed multi-authority traceable ring signatures for distributed settings in smart grids. Liu et al. proposed an efficient multi-layer linkable ring signature scheme with logarithmic size to address the issue of excessively large signatures, as discussed in [19].

Ring signcryption is proposed as one of the main development directions of ring signatures. In the SG, ring signcryption has attracted much attention because it can encrypt messages while performing ring signatures. Liu et al. presented a trackable ring signature encryption scheme in [20], utilizing the SM2 algorithm. However, this scheme is not suitable for aggregation within smart grid applications. Zhang et al. introduced a ring signcryption scheme in [21], specifically designed to safeguard the privacy of smart meters. In [3], a privacy protection solution for smart meters in decentralized smart homes based on the alliance blockchain is proposed. In [22], Wang et al. proposed a lightweight certificateless aggregation ring signcryption scheme. In [23], Zhang et al. proposed a microgrid point-to-point e-bidding users based on ring signcryption.

The SM2 algorithm is a national cryptography standard [24] proposed by China’s National Cryptography Administration (NSA) in 2010 to protect the confidentiality and integrity of information. SM2 is used in various fields because of its high efficiency. In [25], Teng et al. proposed a simple smart grid privacy protection traceability ring signature scheme based on SM2. However, this solution requires signcryption of the message again, and this solution cannot aggregate or batch process signatures, which results in very low efficiency.

Existing ring signcryption schemes in smart grids all have network congestion problems, or cannot simultaneously solve problems such as low efficiency, replay attacks, and attacks on the middler. Therefore, we propose an SM2-based ring signcryption scheme for this aspect, which can solve the above problems at the same time.

3. Preliminary

3.1. Hardness Assumption

• Elliptic Curve Computational Diffie–Hellman Problem (ECCDHP): It pertains to the challenge of efficiently computing the point $abP$, where G is a known base point on a finite field comprising elliptic curves $E(a,b)$, and $aP$ and $bP$ are given values. This computation cannot be efficiently performed in polynomial time.
• Elliptic Curve Discrete Logarithm Problem (ECDLP): It involves determining the value of x in the equation $Q=xP$, where P and Q are any two points on an additive group $(G,+)$ of order q consisting of points on an elliptic curve $E(a,b)$. This computation cannot be efficiently performed in polynomial time.

3.2. Formal Definition

The scheme comprises eight algorithms, each executed by the following four entities: the Key Generation Center (KGC), Trusted Authority (TRA), as well as $I{D}_s$, $I{D}_r$, and $I{D}_v$.

• Setup$(1^k)\to (params,msk,mpk,mtk)$: TRA and KGC cooperate in the performance of this algorithm. The algorithm takes the security parameter k as input and returns the following outputs: the system parameters $params$, the master tracking key $mtk$, and the master public key $mpk$.
• Set-SV$(I{D}_i)\to (u_i,U_i)$: The user inputs his identity $I{D}_i$ and obtains the corresponding secret value $u_i$ and public value $U_i$.
• Extract-PSK $(params,U_i)\to (d_i,V_i)$: KGC executes the algorithm. Entering the system parameters $params$ and $U_i$, KGC produces the partial private key $d_i$ and the relevant authentication key $V_i$ for the user with the identity $I{D}_i$.
• Generate-PK$(I{D}_i)\to (s{k}_i,P{K}_i)$: Upon verifying $d_i$, the user identified as $I{D}_i$ generates a public-private key pair using $d_i$ and $u_i$ where the private key $s{k}_i$ and their public key $P{K}_i$.
• Update-Key pairs $(t,I{D}_i,s{k}_i^{t-1},P{K}_i^{t-1})\to (s{k}_i^t,P{K}_i^t)$: In the tth cycle, the user with identity $I{D}_i$ calculates a new key pair using their public-private key pair from the $(t-1)$th cycle. The updated private key is $s{k}_i^t$, and the corresponding public key is $P{K}_i^t$.
• Ring Signcryption $(params,s{k}_s^t,P{K}_r^t,P_v^t,L,M)\to (\sigma )$: The user with identity $I{D}_s$ executes the signcryption algorithm. They use $params,s{k}_s^t,P{K}_v^t,L$, to signcrypt the message M. The output is the signcryption $\sigma$.
• Single Verification $(params,\sigma ,L,s{k}_r^t)\to (\{0,1\})$: The verifier completes the verification algorithm by inputting $params,\sigma ,L$. Additionally, the verifier possesses the private key $s{k}_r^t$. Output whether the ciphertext is valid or not
• Batch Verification $(params,{\sigma }_{j=1,2,\dots ,m},s{k}_r^t)\to (\{0,1\})$: Enter m signcryptions and $s{k}_r^t$ of the authenticator $I{D}_r$, and prove the correctness of these signcryptions.
• Aggregated Signcryption $({\sigma }_{j=1,2,\dots ,m},s{k}_r^t)\to (\widehat{\sigma })$: The ECN $I{D}_r$ combines m ciphertexts and transmits the aggregated ciphertexts to the control center $I{D}_v$.
• Unsigncryption $(params,\widehat{\sigma },L,s{k}_v^t)\to (M_{j=1,2,\dots ,m})$: If the verification result is 1, the verifier uses L and $s{k}_r$ to unsigncryption $\widehat{\sigma }$ and obtain the messages $M_{j=1,2,\dots ,m}$.
• Tracking $(params,\sigma ,\widehat{\sigma })\to (I{D}_s)$: When there is a need to track the identity of a malicious signer $I{D}_s$. TRA can use the signcryption $\sigma$ or $\widehat{\sigma }$ and the ring list L to ascertain the real signer $I{D}_s$.

3.3. System Model

As shown in Figure 1, the scheme consists of five main entities: the KGC, the TRA, the Edge Computing Node (ECN), the Control Centre (CC) and the user.

• KGC: It is responsible for generating partial keys for users, ECNs, and CC.
• TRA: It is tasked with monitoring the entire power network. In the event of detecting a malicious user, the chase algorithm can be employed to trace the real identity of the signer.
• ECN: ECN acts as an aggregator in the scheme. It is an edge computing server deployed in the SG which is responsible for processing the ring-encrypted power request information sent by users in a timely manner. The ciphertexts after returning the ring signing encryption are processed and then aggregated to reduce the computation of CC.
• CC: It is tasked with receiving and verifying the aggregated ciphertext upon receipt, processing the ciphertext to obtain the plaintext, and controlling the power allocation in the SG in real-time in response to the received information.
• User: The signer in the scheme. Each user $use{r}_i$ sends power usage data to the control center via ECN.

3.4. Threat Model

The scheme in this paper deals with two types of attacks. The first type of attacker denoted as $A_I$ is one of the ring members. $A_I$ can tamper with any user’s public key when generating signature encryption but does not know the system master private key. The second type of attacker is noted as $A_{II}$ is a malicious KGC. $A_{II}$ cannot transform any user’s public key but knows the system’s master private key. We set up seven Oracle machines for $A_I$ and $A_{II}$ to query as below:

• Query-$H_i$: Upon inputting the query value, it can produce the corresponding hash value as output.
• Query-$PSK$: Upon entering the $I{D}_i$, it can output the corresponding $ps{k}_i$.
• Query-$SK$: If the public key $P{K}_i$ of the input $I{D}_i$ is not replaced, the algorithm provides the corresponding private key $s{k}_i$.
• Query-$PK$: After entering the $I{D}_i$, this algorithm outputs the corresponding public key $P{K}_i$.
• Replace-$PK$: The challenger C inputs the tuple $(I{D}_i,U^{\prime })$, and substitutes $U_i$ with $U_i^{\prime }$.
• Query-$ARSC$: After entering the tuple $(I{D}_s,I{D}_r,I{D}_v,M_j)$ for $j=1,\dots ,m$, the challenger C obtains the corresponding ciphertext $\widehat{\sigma }=\{\left\{c_j\right\},\left\{\widehat{s_i}\right\},\left\{X_j\right\},L,\left\{I_j\right\},\widehat{W},\widehat{TS}\}$.
• Query-$USC$: By inputting the tuple $(\widehat{\sigma },I{D}_v)$, the challenger C obtains the decrypted ciphertext $M_{j=1,\dots ,m}$.

Definition 1. 

Assuming that the winning advantage of the adversary is negligible in polynomial time in Game 1 and Game 2, the security of the scheme proposed in this paper is for IND-CLRSC-CCA2.

Proof. 

$\mathbf{Game}\mathbf{1}$: Opponent $A_I$ and Challenger C participate in the following several phases:

$\mathbf{Setting}$: Challenger C executes the setting algorithm to obtain $params$ and then provides them to $A_I$.

$\mathbf{Query}$: $A_I$ can be queried to the oracle machines and must fulfil the below requirements:

• $A_I$ cannot perform Query-$SK$ as $I{D}_r$, $I{D}_v$.
• $A_I$ cannot perform Query-$PSK$ as $I{D}_r$, $I{D}_v$, if its public key is replaced.
• $A_I$ cannot couple the tuple $(\widehat{\sigma },I{D}_s,I{D}_r,I{D}_v)$ to perform the query-$USC$.

$\mathbf{Challenge}$: $A_I$ outputs two equal length but unique messages $M_{j0}$ and $M_{j1}$, signer $I{D}_s$, ECN $I{D}_r$ and verifier $I{D}_v$, and then forwards them. Challenger C randomly selects $b\in \{0,1\}$ and the tuple $(M_{jb},I{D}_s,I{D}_r,I{D}_v)$ performs a signed encryption algorithm. Then, C sent $\widehat{\sigma }$ to $A_I$.

$\mathbf{Guess}$: After the adaptive execution of the query phase, $A_I$ guesses $b^{\prime }$. If $b^{\prime }=b$, $A_I$ wins this game.

The advantages of $A_I$ are as defined below:

$$Ad{v}_{A_I}^{IND-CLRSC-CCA2}=Pr\left[A_{I}wins\right].$$

$\mathbf{Game}\mathbf{2}$: Opponent $A_{II}$ and Challenger C participate in the following several phases:

$\mathbf{Setting}$: C executes the setting algorithm to obtain $params$ and then provides them to $A_{II}$.

$\mathbf{Query}$: $A_{II}$ can be queried to the oracle machines and must fulfil the below requirements:

• $A_{II}$ cannot perform the Query-$SK$ as $I{D}_r,I{D}_v$.
• $A_{II}$ cannot perform Query-$USC$ for the tuple $(\widehat{\sigma },I{D}_s,I{D}_r,I{D}_v)$.

$\mathbf{Challenge}$: $A_{II}$ outputs two equal-length but unique messages $M_{j0}$ and $M_{j1}$ with, sender $I{D}_s$, ECN $I{D}_r$ and verifier $I{D}_v$, and forwards them. C randomly selects $b\in \{0,1\}$ and uses the tuple $(M_{jb},I{D}_s,I{D}_r,I{D}_v)$ to execute the signcryption algorithm. Subsequently, C sends $\widehat{\sigma }$ back to $A_{II}$.

$\mathbf{Guess}$: After allowing the query to be executed adaptively in the query stage, $A_{II}$ guesses $b^{\prime }$. If $b^{\prime }=b$, $A_{II}$ wins Game 2.

The advantage of $A_{II}$ is defined as follows:

$$Ad{v}_{A_{II}}^{IND-CLRSC-CCA2}=Pr\left[A_{II}wins\right].$$

□

Definition 2. 

Assuming that the winning advantage of the adversary is negligible in polynomial time in Game 3 and Game 4, the security of the scheme proposed in this paper is for EUF-CLRSC-CMA2.

Proof. 

$\mathbf{Game}\mathbf{3}$: Opponent $A_I$ and Challenger C participate in the following several phases:

$\mathbf{Setting}$: Same as Game 1.

$\mathbf{Query}$: $A_I$ can be queried to the Oracle machines and must fulfill the below requirements:

• During the Query-$ARSC$ process, it was unable for $A_I$ to obtain the tuple $(\widehat{\sigma },M_j)$.
• $A_I$ cannot perform Query-$SK$ as $I{D}_s$.
• If the public key of $I{D}_s$ has been swapped, $A_I$ could not query Query-$PSK$.

$\mathbf{Forgery}$: $A_I$ forwards a new tuple $(\widehat{\sigma },M_j,I{D}_r,I{D}_v)$. The challenger C uses the tuple $(\widehat{\sigma },M_j,I{D}_r,I{D}_v)$ to run the unsigncryption algorithm. If the output of the algorithm is absent, then $A_I$ wins Game 3.

The advantage of $A_I$ is defined as follows:

$$Ad{v}_{A_I}^{EUF-CLRSC-CMA2}=Pr\left[A_{I}wins\right].$$

$\mathbf{Game}\mathbf{4}$: Opponent $A_{II}$ and Challenger C participate in the following several phases:

$\mathbf{Setting}$: Same as Game 2.

$\mathbf{Query}$: $A_{II}$ can be queried to the Oracle machines and must fulfill the below requirements:

• $A_{II}$ cannot perform Query-$ARSC$ on tuple $(\widehat{\sigma },M_j)$.
• $A_{II}$ cannot perform Query-$SK$ for $I{D}_s$.

$\mathbf{Forgery}$: $A_{II}$ inputs a new tuple $(\widehat{\sigma },M_j,I{D}_r,I{D}_v)$. The challenger C uses the tuple $(\widehat{\sigma },M_j,I{D}_r,I{D}_v)$ to run the unsigncryption algorithm. If the output of the algorithm is absent, then $A_{II}$ wins Game 4.

The advantage of $A_{II}$ is defined as follows:

$$Ad{v}_{A_{II}}^{EUF-CLRSC-CMA2}=Pr\left[A_{II}wins\right].$$

□

3.5. Security Performance

For better application in SG, this program also has the following properties.

• Message Validation: The message validator examines the integrity and accuracy of the received data to ensure its integrity and legitimacy as a valid signcryption.
• Traceability: In the event of malevolent activities within the smart grid, the Traceability mechanism can identify the origin of malicious messages, thereby attributing them to their respective senders.
• Un-linkability: With the exception of the Traceability mechanism, no entity possesses the ability to discern whether two distinct ciphertexts originate from the same sender.
• Confidentiality: In order to ensure that unauthorized entities do not have access to the plaintext, it is stipulated that only designated persons can successfully decrypt and access the plaintext.
• Anonymity: Except for TRA, the sender cannot be traced through analysis of the transmitted message.
• Replay attack resistance: If an attacker intercepts the ciphertext in the middle of the process, the receiver will consider it to be under attack for as long as the specified time has elapsed.
• Anti-malicious gateway: By introducing edge computing and aggregate signcryption in ECN, even if malicious nodes want to obtain information, they cannot obtain it.
• Conditional anonymity: Although ECN and CC can receive the ciphertext, if it is not a malicious user, they cannot know who the specific signcryptor is.
• User identity privacy protection: During the message-sending process, the user utilizes the ring signcryption algorithm to conceal their identity. This ensures that neither ECN nor CC can determine the source of the information.
• Forward security: By periodically updating the key, even in the event of accidental private key loss by the user, the security of previously sent messages remains intact and unaffected.

4. Review SM2 Signature Algorithm

This section briefly introduces the general flow of the SM2 digital signature algorithm.

• System parameter generation: the algorithm inputs security parameter k, and outputs system public parameter $params=\{p,F_p,a,b,P,G,q,H\}$. Where p is a large number, $F_p$ is a finite field. G is the additive cyclic group formed by the points on $E(F_p):y^2=x^3+ax+bmodp$, its order is q, and P is the base point. $H:{\{0,1\}}^{*}\to Z_q^{*}$ is a secure hash function.
• Key generation: User A generates their own $d_A\in Z_q^{*}$, and calculates $P_A=d_A·P$ as the public key.
• Signature: A uses $d_A$ to generate a signature for a message m. First, calculates the message digest $e=H(m)$; second, randomly select $k\in Z_q^{*}$, and computes $(x_1,y_1)=kP$, $r=(e+x_1)modq$, $s=[{(1+d_A)}^{-1}·(k-r·d_A)]$. Finally output the signature $(r,s)$.
• Verification: After receiving the message $m^{\prime }$ and the signature $(r^{\prime },s^{\prime })$, the verifier first checks whether $r^{\prime },s^{\prime }\in Z_q^{*}$ is true. If true, the verification calculates $e^{\prime }=H(m^{\prime })$, $t=(r^{\prime }+s^{\prime })$. Then they can use $s^{\prime }$ and t to compute $(x_1^{\prime },y_1^{\prime })=s^{\prime }P+t{P}_A$, and calculate $R=(e^{\prime }+x_1^{\prime })modq$. Then, verify whether the equation $R=r^{\prime }$ is true, if false, $(r,s)$ is an invalid signature about m, otherwise the signature is valid.

5. SM2-Based Certificateless Aggregate Ring Signcryption Scheme

In this section, we present the detailed design for the SG and provide the corresponding symbols, which are listed in

Table 1. Symbols and their Meanings.

Notations	Meanings
k	Security parameter
P	The generator of G
G	Additive group
$H_1,H_2,H_3,H_4,H_5$	Hash function
$T_{pub}$	Public key of TRA
$I{D}_i$	The identity of $use{r}_i$
$d_i$	The partial private key of user $I{D}_i$
$s{k}_i$	The private key of $I{D}_i$
$P{K}_i$	The public key of $I{D}_i$
M	Awaiting Signcrypted Messages
L	Public key collection
I	Tracking mark
$TS$	Timestamp
$\sigma$	Signcrypted ciphertext

for reference. The operation process of certificateless aggregate ring signcryption is shown in Figure 2. The specific operation process is as follows:

Below delineates the implementation process of our proposed program:

• $\mathbf{Setup}$: To execute the following steps, input the security parameter k, KGC, and TRA:

  (a)

  KGC chooses two large prime numbers p and q such that $p,q>2^k$ and a finite field $F_p$. The equation of an elliptic curve $E:y^2=x^3+ax+bmodp$ defined on $F_p$. Points satisfying this equation form an abelian group G of order q with base point P.

  (b)

  The KGC randomly selects $x\in Z_q^{*}$ as the master private key $msk$ and computes $P_{pub}=xP$ as the master public key $mpk$.

  (c)

  The KGC sets up security hash functions $H_1$, $H_2$, $H_3$, and $H_4$ as follows: $H_1:{\{0,1\}}^{*}\times G\to Z_q^{*}$, $H_2:{\{0,1\}}^{*}\to {\{0,1\}}^l$, $H_3:{\{0,1\}}^{*}\to Z_q^{*}$, $H_4:{\{0,1\}}^{*}\times {\{0,1\}}^l\to {\{0,1\}}^l$, $H_5:{\{0,1\}}^{*}\times G\to Z_q^{*}$. The length of the message is l.

  (d)

  TRA randomly chooses $t\in Z_q^{*}$ and calculates $T_{pub}=tP$.

  (e)

  KGC and TRA publishes params: $params=\{p,q,G,P,P_{pub},T_{pub},H_1,H_2,H_3,H_4,H_5\}$.

• $\mathbf{Set}-\mathbf{SV}$: The user $I{D}_i$ randomly selects $u_i\in Z_q^{*}$ and computes $U_i=u_{i}P$. Subsequently, $U_i$ is sent to the key generation center (KGC).
• $\mathbf{Extract}-\mathbf{PSK}$: Upon receiving $U_i$, the KGC randomly selects $v_i\in Z_q^{*}$ and calculates $V_i=v_{i}P$. Then, it calculates $e_i=H_1(I{D}_i,U_i,V_i,P_{pub})$ and $d_i=v_i+e_{i}x$, where the partial private key is denoted by $d_i$. KGC exposes $V_i$ and sends $D_i=(d_i,V_i)$ to $I{D}_i$.
• $\mathbf{Generate}-\mathbf{PK}$: The user $I{D}_i$ acquires $D_i$ and tests the validity of $d_i$ using the formula: $d_{i}P=V_i+H_1(I{D}_i,U_i,V_i,P_{pub})P_{pub}$.
  If it is not, the user will recalculate the key. If the equation holds, $I{D}_i$ will be given a partial privy $d_i$ and the current period’s privy will be calculated $s{k}_i^1=u_i+d_{i}modq$. Consequently, the corresponding public key is set as $P{K}_i^1=s{k}_i^{1}P$.
• $\mathbf{Update}-\mathbf{Key}\mathbf{Pairs}$: During the t-th cycle, the user $I{D}_i$ randomly generates a number $u_i^t\in Z_q^{*}$. The updated private key is calculated as $s{k}_i^t=s{k}_i^{t-1}+u_i^t$, and the corresponding public key is computed as $P{K}_i^t=s{k}_i^{t}P$. The updated public key $P{K}_i^t$ is then delivered.
• $\mathbf{Ring}\mathbf{Signcryption}$: $I{D}_s$ encrypts the message M using the ring public key $L=\{I{D}_1,I{D}_2,\dots ,I{D}_n\}$ and $P{K}_r$ of the ECN $I{D}_r$, $P{K}_v$ of CC $I{D}_v$, and finish the steps below.

  (a)

  $I{D}_s$ randomly selects $d\in Z_q^{*}$, and computes $X=(x_1,y_1)=d·P$, $Y=(x_2,y_2)=d·P{K}_r^t$, $Z=(x_3,y_3)=d·P{K}_v^t$.

  (b)

  $I{D}_s$ performs the following calculations, where M is the message to be signed, I is the tracking tag and ⊕ is the XOR operator:

  $$c=H_2(x_3\left|\right|y_3)\oplus M$$

  (1)

  $$C=H_3(x_2\left|\right|y_2)\oplus c$$

  (2)

  $$\beta =H_4(x_1\left|\right|c\left|\right|y_1)$$

  (3)

  $$I=(s{k}_s^t·\beta )T_{pub}$$

  (4)

  $$r_i=H_5(L,c,X,I)(i=1,2,\dots ,n)$$

  (5)

  (c)

  Randomly select numbers $k,s_i\in Z_q^{*}(i=1,\dots ,s-1,s+1,\dots ,n)$. Calculates: $Q=({\sum }_{i=1,i\ne s}^n{s}_i)P+{\sum }_{i=1,i\ne s}^n\left[(r_i+s_i)P{K}_i^t\right]$, $W=kP+Q$.

  (d)

  $I{D}_s$ computes $s_s=\left[{(1+s{k}_s^t)}^{-1}(k-r_{s}s{k}_s^t)\right]modq$.

  (e)

  Add a timestamp $TS$ to $\sigma$. Then, send $\sigma$ to $I{D}_r$: $\sigma =\{C,\left\{s_i\right\},X,L,I,W,TS\}$.

• $\mathbf{Single}\mathbf{Verification}$: We denote the received ciphertext by $\sigma =\{C,\left\{s_i\right\},X,L,I,W,TS\}$. Upon receiving the ciphertext $\sigma$, the receiver $I{D}_r$ performs the following calculation to verify its validity.

  (a)

  The receiver $I{D}_r$ verifies the validity of TS using the formula $|TS-T{S}_{cur}|\le △TS$, where $△TS$ denotes the maximum acceptable time interval and $T{S}_{cur}$ represents the current timestamp.

  (b)

  $I{D}_r$ checks whether $s_i\in Z_q^{*}$ for $i=1,2,\dots ,n$. If any of the $s_i$ values are not in $Z_q^{*}$, $I{D}_r$ discards the message.

  (c)

  The receiver $I{D}_r$ computes $Y^{\prime }=(x_2^{\prime },y_2^{\prime })=s{k}_r^t·X$, $c^{\prime }=H_3(x_2^{\prime }\left|\right|y_2^{\prime })\oplus C$, and $r_i^{\prime }=H_5(L,c^{\prime },X,I),(i=1,2,\dots ,n)$.

  (d)

  $I{D}_r$ checks whether $W^{\prime }=({\sum }_{i=1}^n{s}_i)P+{\sum }_{i=1}^n\left[(r_i^{\prime }+s_i)P{K}_i^t\right]$. If the equation holds true, $I{D}_r$ is assured that the ciphertext $\sigma$ is real and proceeds to receive the message. If the equation does not hold, $I{D}_r$ reports to TRA and discards it.

• $\mathbf{Batch}\mathbf{Verification}$: Perform batch verification on messages

  $$\begin{array}{cc}\hfill {\sigma }_j& =\{C_j,{\left\{s_i\right\}}_j,X,L,I_j,W_j,T{S}_j\}(j=1,2,\dots ,m).\hfill \end{array}$$

  (a)

  Check whether $s_{ij}\in Z_q^{*}$ for $(1\le i\le n,1\le j\le m)$.

  (b)

  The receiver $I{D}_r$ computes the following values:

  $$Y^{\prime }=(x_2^{\prime },y_2^{\prime })=s{k}_r^t·X$$

  (6)

  $$c_j^{\prime }=H_3(x_2^{\prime }\left|\right|y_2^{\prime })\oplus C_j$$

  (7)

  $$r_{ij}^{\prime }=H_5(L,c_j^{\prime },X,I_j)for(1\le i\le n,1\le j\le m)$$

  (8)

  $$W^{″}=(\sum _{i=1}^n\sum _{j=1}^m{s}_{ij})P+\sum _{i=1}^n\left[\sum _{j=1}^m(r_{ij}^{\prime }+s_{ij})P{K}_i^t\right]$$

  (9)

  $I{D}_r$ needs to check if $W^{″}={\sum }_{j=1}^m{W}_j$. If they are equal, $I{D}_r$ can be certain that the ciphertexts ${\sigma }_1,{\sigma }_2,\dots ,{\sigma }_m$ are correct and can receive them.
• $\mathbf{Aggregated}\mathbf{Signcryption}$: $I{D}_r$ aggregates m signcryptions, where the encrypted information is: $M_j(1\le j\le m)$.

  (a)

  The receiver $I{D}_r$ performs the following computations: $Y^{\prime }=(x_2^{\prime },y_2^{\prime })=s{k}_r^t·X$, $c_j^{\prime }=H_3(x_2^{\prime }\left|\right|y_2^{\prime })\oplus C_j$,

  (b)

  Compute $\widehat{s_i}={\sum }_{j=1}^m{s}_{ij}$, $\widehat{W}={\sum }_{j=1}^m{W}_j$,

  (c)

  Generate a new timestamp $\widehat{TS}$

  (d)

  Perform the aggregated signcryption as follows

  $$\widehat{\sigma }=\{\left\{c_j^{\prime }\right\},\left\{\widehat{s_i}\right\},X,L,\left\{I_j\right\},\widehat{W},\widehat{TS}\}.$$

• $\mathbf{Aggregated}\mathbf{Verification}$: $I{D}_r$ aggregates m signcryptions, where the encrypted information is: $M_j(1\le j\le m)$.

  (a)

  $I{D}_v$ checks $|\widehat{TS}-T{S}_{cur}|\le △TS$.

  (b)

  $I{D}_v$ needs to verify $\widehat{s_i}\in Z_q^{*}(1\le i\le n)$.

  (c)

  The receiver $I{D}_v$ computes $r_{ij}^{″}=H_5(L,c_j^{\prime },X,I_j)$ for $j=1,\dots ,m$,

  ${\widehat{W}}^{\prime }=({\sum }_{i=1}^n\widehat{s_i})P+{\sum }_{i=1}^n\left[({\sum }_{j=1}^m{r}_{ij}^{″}+\widehat{s_i})P{K}_i^t\right]$.

  (d)

  $I{D}_v$ needs to check ${\widehat{W}}^{\prime }=\widehat{W}$.

  (e)

  $I{D}_v$ then restores the encrypted message through the following calculation: $Z^{\prime }=(x_3^{\prime },y_3^{\prime })=s{k}_v^t·X$, $M_j^{\prime }=H_2(x_3^{\prime }\left|\right|y_3^{\prime })\oplus c_j$.

• $\mathbf{Tracking}$: In instances where the message fails the verification process, $I{D}_v$ has the discretion to escalate the matter to TRA. Additionally, TRA monitors for malicious activity in the SG. When a malicious ciphertext is found TRA can utilize the equation for $k^{-1}I=H_4(x_1\left|\right|c\left|\right|y_1)·P{K}_j^t$ to ascertain the malicious user $I{D}_j$ from the ring set $L=\{I{D}_1,I{D}_2,\dots ,I{D}_n\}$.

6. Safety Analysis

6.1. Proof of Correctness

In this section, we present a comprehensive analysis of the security of the aforementioned scheme.

For $i=1,2,\dots ,n,$

$$r_i^{\prime }=H_5(L,c^{\prime },X,I)$$

(10)

$$\begin{array}{cc}\hfill W^{\prime }& =(\sum _{i=1}^n{s}_i)P+\sum _{i=1}^n\left[(r_i^{\prime }+s_i)P{K}_i^t\right]\hfill \\ \hfill & =s_{s}P+(r_s^{\prime }+s_s)P{K}_i^t+(\sum _{i=1,i\ne s}^n{s}_i)P+\sum _{i=1,i\ne s}^n\left[(r_i+s_i)P{K}_i^t\right]\hfill \\ \hfill & =s_{s}P+(r_s^{\prime }+s_s)P{K}_i^t+Q\hfill \\ \hfill & =s_s(P+P{K}_i^t)+r_s^{\prime }P{K}_i^t+Q\hfill \\ \hfill & ={(1+s{k}_s^t)}^{-1}(k_s-r_{s}s{k}_s^t)(P+P{K}_i^t)+r_s^{\prime }P{K}_i^t+Q\hfill \\ \hfill & ={(1+s{k}_s^t)}^{-1}(k_s-r_{s}s{k}_s^t)(1+s{k}_s^t)P+r_s^{\prime }P{K}_i^t+Q\hfill \\ \hfill & =(k-r_{s}s{k}_s^t)P+r_s^{\prime }P{K}_i^t+Q\hfill \\ \hfill & =kP+Q\hfill \\ \hfill & =W\hfill \end{array}$$

(11)

Aggregated verification:

$$\begin{array}{cc}\hfill {\widehat{W}}^{\prime }& =(\sum _{i=1}^n\widehat{s_i})P+\sum _{i=1}^n\left[(\sum _{j=1}^m{r}_{ij}^{″}+\widehat{s_i})P{K}_i^t\right]\hfill \\ \hfill & =(\sum _{i=1}^n\sum _{j=1}^m{s}_{ij})P+\sum _{i=1}^n\left[(\sum _{j=1}^m{r}_{ij}^{″}+\sum _{j=1}^m{s}_{ij})P{K}_i^t\right]\hfill \\ \hfill & =\sum _{j=1}^m(\sum _{i=1}^n{s}_{ij})P+\sum _{i=1}^n\left[(r_i^{\prime \prime \prime }+s_{ij})P{K}_i^t\right]\hfill \\ \hfill & =\sum _{j=1}^m{W}_j\hfill \\ \hfill & =\widehat{W}\hfill \end{array}$$

(12)

Unsigncryption:

For message $M_j$ and its encrypted ciphertexts is

$${\sigma }_j=\{C_j,s_{ij},X_j,L,I_j,W_j,T{S}_j\}$$

(13)

$$\widehat{\sigma }=\{\left\{c_j^{\prime }\right\},\left\{\widehat{s_i}\right\},X,L,\left\{I_j\right\},\widehat{W},\widehat{TS}\}$$

(14)

$$Y^{\prime }=(x_2^{\prime },y_2^{\prime })=s{k}_r^t·X$$

(15)

$$Z^{\prime }=(x_3^{\prime },y_3^{\prime })=s{k}_r^t·X$$

(16)

$$\begin{array}{cc}\hfill M_j^{\prime }& =H_2(x_3^{\prime }\left|\right|y_3^{\prime })\oplus c_j^{\prime }\hfill \\ \hfill & =H_2(x_3^{\prime }\left|\right|y_3^{\prime })\oplus H_3(x_2^{\prime }\left|\right|y_2^{\prime })\oplus C_j\hfill \\ \hfill & =H_2(x_3^{\prime }\left|\right|y_3^{\prime })\oplus H_3(x_2^{\prime }\left|\right|y_2^{\prime })\oplus H_3(x_2\left|\right|y_2)\oplus c_j\hfill \\ \hfill & =H_2(x_3^{\prime }\left|\right|y_3^{\prime })\oplus H_3(x_2^{\prime }\left|\right|y_2^{\prime })\oplus H_3(x_2\left|\right|y_2)\oplus H_2(x_3\left|\right|y_3)\oplus M_j\hfill \\ \hfill & =M_j\hfill \end{array}$$

(17)

Tracking:

$$k^{-1}I=H_4(x_1\left|\right|c\left|\right|y_1)P{K}_j^t$$

(18)

$$k^{-1}(s{k}_j^t·\beta )T_{pub}=\beta P{K}_j^t$$

(19)

$$(s{k}_j·\beta )P=\beta ·P{K}_j^t$$

(20)

Based on the above verification, we can conclude that the scheme proposed in this paper is both correct and reasonable. In the following sections of this chapter, we will provide proof to establish the security, and functionality of this scheme.

6.2. Confidentiality

Theorem 1. 

If a Type I adversary $A_I$ manages to achieve a non-negligible advantage ε in Game 1, successfully compromising IND-CLRSC-CCCA2, after executing $q_{H_i}$ queries to Query-$H_i$ (for $i=1,2,3,4,5$), $q_{PSK}$ queries to Query-$PSK$, $q_{SK}$ queries to Query-$SK$, $q_{PK}$ queries to Query-$PK$, $q_{RPK}$ queries to Replace-$PK$, $q_{ARSC}$ queries to Query-$ARSC$, and $q_{USC}$ queries to Query-$USC$, then the Elliptic Curve Computational Diffie–Hellman Problem (ECCDHP) can be resolved with a probability ${\epsilon }^{\prime }\ge \epsilon (1-q_{USC}/2^l)/\left[e(q_{PSK}+q_{SK}+q_{RPK})\right]$, where l is the length of the signcryption message, and e denotes the base of the natural logarithm.

Proof. 

Assume the challenger C is given the tuple $(P,aP,bP)\in G^3$ and is tasked with computing the value of $abP$. In Game 1, C acts as the simulator while $A_I$ acts as the adversary. We set $Pr(I{D}_i=I{D}^{*})=\delta$, where $I{D}^{*}$ represents the target identity.

Setup: C performs the setup, obtaining $params$ and $P_{pub}=aP$. Then, C transmits $params$ to $A_I$.

Query: C simulates the oracles as follows for $A_I$ and maintains the lists: $L_1$, $L_2$, $L_3$, $L_4$, $L_5$, $L_U$, $L_{PK}$, $L_{PSK}$, $L_{SK}$ and those lists are empty initially.

$Query-H_1$: When $A_I$ provides the tuples $(I{D}_i,T_i,R_i,P_{pub})$, C checks the list $L_1$ for related tuples.

• If $(I{D}_i,U_i,R_i,P_{pub},e_i)\in L_1$, C obtains $e_i$ from $L_1$ and feedback $e_i$ to $A_I$.
• If $(I{D}_i,U_i,R_i,P_{pub},e_i)\notin L_1$, C random chooses a number $e_i\in Z_q^{*}$ and return $e_i$ to the enemy $A_I$ and C stores $(I{D}_i,U_i,R_i,P_{pub},e_i)$ into the list $L_2$.

$Query-H_2$: When $A_I$ receives the tuple $(x_3,y_3)$, component C searches the list $L_3$ for a tuple that is related to it.

• If $(x_3,y_3,h_2)\in L_2$, C gains $h_2$ from $L_2$ and feedback $h_2$ to $A_I$.
• If $(x_3,y_3,h_2)\notin L_2$, C random chooses a number $h_2\in Z_q^{*}$, feedbacks $h_2$ to $A_I$ and stores $(x_3,y_3,h_2)$ into the list $L_2$.

$Query-H_3$: When $A_I$ provides the tuple $(x_2,y_2)$, C Examine list $L_3$ for related tuples.

• If $(x_2,y_2,h_3)\in L_3$, C obtains $h_3$ from $L_3$ and sets $h_3$ as a reply to $A_I$.
• If $(x_2,y_2,h_3)\notin L_3$, C chooses $h_3\in Z_q^{*}$ randomly, sends out $h_3$ to $A_I$ and stores $(x_2,y_2,h_3)$ into the list $L_3$.

$Query-H_4$: When $A_I$ provides the tuple $(x_1|\left|c\right||y_1)$, C Examine list $L_4$ for related tuples.

• If $(x_1\left|\right|c\left|\right|y_1,\beta )\in L_4$, C derive $\beta$ from $L_4$, responses $\beta$ to $A_I$.
• If $(x_1\left|\right|c\left|\right|y_1,\beta )\notin L_4$, C randomly chooses $\beta \in Z_q^{*}$, responses $\beta$ to $A_I$ and stores $(x_1|\left|c\right||y_1,\beta )$ into the list $L_4$.

$Query-H_5$: When $A_I$ supplies the tuples $(L,c_j,X,I_j)$, C Examine list $L_5$ for related tuples.

• If $(L,c_j,X,I_j,r_i)\in L_5$, C derive $r_i$ from $L_5$, responses $r_i$ to $A_I$.
• If $(L,c_j,X,I_j,r_i)\notin L_5$, C randomly chooses $r_i\in Z_q^{*}$, responses $r_i$ to $A_I$ and stores $(L,c_j,X,I_j,r_i)$ into the list $L_5$.

$Query-PSK$: When $A_I$ requests the partial private key for identity $I{D}_i$, C checks the list $L_{PSK}$.

• If $(I{D}_i,d_i)\in L_{PSK}$, C sends $d_i$ to $A_I$.
• If $(I{D}_i,d_i)\notin L_{PSK}$, and $I{D}_i\ne I{D}^{*}$, C randomly selects $d_i\in Z_q^{*}$ and returns it to $A_I$. C then adds the tuple $(I{D}_i,d_i)$ to $L_{PSK}$. If $I{D}_i=I{D}^{*}$, C fails.

$Query-SK$: When $A_I$ requests the private key for identity $I{D}_i$, C checks the list $L_{SK}$.

• If $(I{D}_i,s{k}_i)\in L_{SK}$, C returns $s{k}_i$ to $A_I$.
• If $(I{D}_i,s{k}_i)\notin L_{SK}$, and $I{D}_i\ne I{D}^{*}$, C searches for the relative tuples $(I{D}_i,u_i)$ and $(I{D}_i,d_i)$ from the lists $L_U$ and $L_{PSK}$ to obtain $u_i$, $d_i$. C then computes $s{k}_i=d_i+u_i$ and returns it to $A_I$. Additionally, C adds the tuple $(I{D}_i,s{k}_i)$ to $L_{SK}$. If $I{D}_i=I{D}^{*}$, C fails.

$Query-PK$: When $A_I$ requests the public key for identity $I{D}_i$, C checks the list $L_{PK}$.

• If $(I{D}_i,P{K}_i)\in L_{PK}$, C searches for $(I{D}_i,P{K}_i)$ in $L_{PK}$ and returns $P{K}_i$ to $A_I$.
• If $(I{D}_i,P{K}_i)\notin L_{PK}$, and $I{D}_i=I{D}^{*}$, C randomly selects numbers $v_i,u_i\in Z_q^{*}$, and computes $e_i=H_1(I{D}_i,U_i,V_i,P_{pub})$. C then sets $P{K}^{*}=P{K}_i=(u_i+v_i+e_{i}a)P$ as a response to $A_I$. Afterward, C stores $(I{D}_i,u_i)$, $(I{D}_i,U_i,R_i,P_{pub},e_i)$ into the lists $L_U$ and $L_1$, respectively. If $I{D}_i\ne I{D}^{*}$, C randomly selects numbers $v_i,d_i\in Z_q^{*}$, computes $P{K}_i=(u_i+d_i)P$, and returns $P{K}_i$ to $A_I$. Subsequently, C adds the tuple $(I{D}_i,P{K}_i)$ into the list $L_{PK}$.

$Replace-PK$: When $A_I$ relays the tuple $(I{D}_i,P{K}_i^{t^{\prime }})$, C updates the tuple $(I{D}_i,P{K}_i^{t^{\prime }})$ with $(I{D}_i,P{K}_i^t)$ in the $L_{PK}$.

$Query-ARSC$: Assuming it is the t-th cycle, and $A_I$ relays the tuple $(I{D}_s,I{D}_r,I{D}_v,M_{j=1,\dots ,m})$, for any message $M_j$ in this tuple, C performs the following operations.

• If $I{D}_s=I{D}^{*}$ and $I{D}_r\ne I{D}^{*}$:

  (a)

  C randomly selects a point $I_j\in G$, queries Query-$PK$ for $I{D}_r$ and $I{D}_v$, respectively, and obtains $P{K}_r^t$ and $P{K}_v^t$.

  (b)

  C randomly selects a value $d_j\in Z_q^{*}$, and computes $X=(x_1,y_1)=d·P$, $Y=(x_2,y_2)=d·P{K}_r^t$, $Z=(x_3,y_3)=d·P{K}_v^t$.

  (c)

  C computes $c_j=H_2(x_3,y_3)\oplus M_j$, $C_j=H_2(x_2\left|\right|y_2)\oplus c_j$, and $r_{ij}=H_4(L,c_j,X,I_j)$ for $i=1,2,\dots ,n$.

  (d)

  C randomly selects figures $s_{ij}\in Z_q^{*}(i=1,\dots ,s-1,s+1,\dots ,n)$, maths $W^{\prime }=({\sum }_{i=1}^n{s}_i)P+{\sum }_{i=1}^n\left[(r_{ij}+s_{ij})P{K}_i^t\right]$, $\widehat{s_i}={\sum }_{i=1}^n{s}_i$.

  (e)

  C applies the Aggregated Signcryption algorithm and obtains a new timestamp $\widehat{TS}$.

  (f)

  C sends the ciphertext

  $\widehat{\sigma }=\{\left\{c_j\right\},\left\{\widehat{s_i}\right\},X,L,\left\{I_j\right\},\widehat{W},\widehat{TS}\}$

  to $A_I$, and stores the tuples $(x_2||y_2,h_2)$ and $(x_3||y_3,h_3)$ into the list $L_3$ and $L_2$, and stores the tuples $(L,c_j,X,I_j,r_{ij})$ into the list $L_5$.

• If $I{D}_r=I{D}^{*}$ and $I{D}_s\ne I{D}^{*}$:

  (a)

  C applies the Ring Signcryption algorithm.

  (b)

  For all message ciphers ${\sigma }_j(j=1,\dots ,n)$, C computes $Y=(x_2,y_2)=d_j·P{K}_r^t$, $c_j=H_2(x_2\left|\right|y_2)\oplus C_j$, $\widehat{s_i}={\sum }_{j=1}^m{s}_{ij}$, and $\widehat{W}={\sum }_{j=1}^{m}W$.

  (c)

  C sends the ciphertext

  $\widehat{\sigma }=\{\left\{c_j\right\},\left\{\widehat{s_i}\right\},X,L,\left\{I_j\right\},\widehat{W},\widehat{TS}\}$ to $A_I$.

• If $I{D}_s\ne I{D}^{*}$ and $I{D}_r\ne I{D}^{*}$: C apply both the Ring Signcryption Algorithm and the Aggregated Signcryption Algorithm.

$Query-USC$: $A_I$ relays $\widehat{\sigma }=\{\left\{c_j\right\},\left\{\widehat{s_i}\right\},X,L,\left\{I_j\right\},\widehat{W},\widehat{TS}\}$ and an identity $I{D}_v$:

• If $I{D}_v=I{D}^{*}$, C searches the relative tuples $(x_3||y_3,h_2)$ and $(x_2||y_2,h_3)$ from the list $L_2$,$L_3$. Finds the tuples $(L,c_j,X,I_j,r_{ij})$ from the list $L_4$. If these tuples are absent, C rejects $\sigma$. Otherwise, C runs the Verification algorithm and calculates $M_j=h_{3j}\oplus c_j$. C then returns $M_j$ to $A_I$ for $j=1,\dots ,m$.
• If $I{D}_v\ne I{D}^{*}$, C runs the Unsigncryption method.

Challenge: $A_I$ selects two distinct messages, denoted as $M_0$ and $M_1$, which are of equal length. Additionally, $A_I$ chooses a sender as $I{D}_s$, the ECN as $I{D}_r$, and an acceptor as $I{D}_v$. These messages, along with $I{D}_s$, $I{D}_r$, and $I{D}_v$, are forwarded to C along with the identities of the ring members as $L=\{I{D}_1,I{D}_2,\dots ,I{D}_n\}$.

• If $I{D}_v=I{D}^{*}$, C randomly selects a bit $b\in \{0,1\}$ and performs the following process:

  (a)

  C sets $X=b·P$, $Y=b·P{K}_r^t$, $Z=b·P{K}_v^t$.

  (b)

  C computes $c_j=H_2(x_3\left|\right|y_3)\oplus M_j$, $C_j=H_3(x_2\left|\right|y_2)\oplus c_j$, $\beta =H_3(x_1\left|\right|c_j\left|\right|y_1)$, $I_j=(s{k}_s^t·\beta )T_{pub}$ and $r_i=H_5(L,c_j,X,I_j)$ for $j=1,\dots ,m$.

  (c)

  C randomly selects figures $\widehat{s_i}\in Z_q^{*}$ for $i=1,2,\dots ,n$, and computes $\widehat{W}=({\sum }_{i=1}^n\widehat{s_i})P+{\sum }_{i=1}^n\left[({\sum }_{j=1}^m{r}_{ij}+\widehat{s_i})P{K}_i^t\right]$.

  (d)

  C increases the timestamp TS to ciphertext $\widehat{\sigma }$ and returns $\widehat{\sigma }$ to $A_I$.

  $$\begin{array}{cc}\hfill \widehat{\sigma }& =\{\left\{c_j\right\},\left\{\widehat{s_i}\right\},X,L,\left\{I_j\right\},\widehat{W},\widehat{TS}\}\hfill \end{array}$$

• If $I{D}_v\ne I{D}^{*}$, C fails.

Guess: $A_I$ executes adaptive querying, and guesses $b^{\prime }$. If $A_I$ relays the tuples $(x_3,y_3,h_2)$ to Query-$H_2$, it would know that $\widehat{\sigma }$ is a flawed ciphertext. Then, C can solve the ECCDHP that $abP=e_v^{-1}[Z-(u_v+v_v)X]$.

We define the following two cases:

${\pi }_1$: C passing the query stage.

${\pi }_2$: C passing the challenge stage.

We can deduce that:

$$\begin{array}{cc}\hfill Pr\left[{\pi }_1\right]& ={(1-\delta )}^{q_{PSK}+q_{SK}+q_{RPK}}(1-\frac{q_{USC}}{2^l}),\hfill \\ \hfill Pr\left[{\pi }_2\right|{\pi }_1]& =\delta ,\hfill \\ \hfill Pr\left[Csuccess\right]& =Pr[{\pi }_1\wedge {\pi }_2]\hfill \\ \hfill & =Pr\left[{\pi }_1\right]Pr\left[{\pi }_2\right|{\pi }_1]\hfill \\ \hfill & ={(1-\delta )}^{q_{PSK}+q_{SK}+q_{RPK}}·\delta (1-\frac{q_{USC}}{2^l})\hfill \\ \hfill & \ge \frac{1-\frac{q_{USC}}{2^l}}{e(q_{PSK}+q_{SK}+q_{RPK})}\hfill \end{array}$$

(21)

where $\delta =\frac{1}{q_{PSK}+q_{SK}+q_{RPK}+1}$.

Thus, C can be used with probability ${\epsilon }^{\prime }\ge \epsilon (1-q_{USC}/2^l)/\left[e(q_{PSK}+q_{SK}+q_{RPK})\right]$ to solve the ECCDHP, if $A_I$’s advantage of success is $\epsilon$. □

Theorem 2. 

If a Type II opponent $A_{II}$ can achieve successfully attack IND-CLRSC-CCA2 for a non-negligible advantage ε in Game 2, algorithm C with a probability ${\epsilon }^{\prime }\ge \epsilon (1-q_{USC}/2^l)/(e{q}_{SK})$ can be solved the ECCDHP.

Proof. 

Let us assume that the simulator C obtains the tuple $(P,aP,bP)\in G^3$ and its task is to compute the value of $abP$. The simulator is C and the adversary is $A_{II}$ in Game II. Set $Pr(I{D}_i=I{D}^{*})=\delta$.

Setup: C executes the Setup in Section 3 and generates the system parameters $params=\{p,q,G,P,P_{pub},T_{pub},H_1,H_2,H_3,H_4,H_5\}$. C then computes $P_{pub}=xP$ and sends the $params$ to the adversary $A_{II}$.

Query: C and upholds the initially empty lists $L_1$, $L_2$, $L_3$, $L_4$, $L_5$, $L_U$, $L_{PK}$, $L_{PSK}$ and $L_{SK}$, which are initially empty.

$Query-PSK$: When $A_{II}$ relays an identity $I{D}_i$:

• If $(I{D}_i,d_i)\in L_{PSK}$, C sends $d_i$ to $A_{II}$.
• If $(I{D}_i,d_i)\notin L_{PSK}$, and $I{D}_i\ne I{D}^{*}$, C randomly selects a number $v_i\in Z_q^{*}$, searches for $e_i$ from the tuples $(I{D}_i,U_i,V_i,P_{pub},e_i)$ in the list $L_1$, and computes $d_i=v_i+e_{i}x$. C then sends $d_i$ to $A_{II}$. If $I{D}_i=I{D}^{*}$, C fails.

$Query-PK$: At the i-th query, C sets a challenger identity $I{D}_i=I{D}^{*}$. When $A_{II}$ submits an identity $I{D}_i$:

• If $(I{D}_i,P{K}_i)\in L_{PK}$, C searches $(I{D}_i,P{K}_i)$ in $L_{PK}$ and returns $P{K}_i$ to $A_{II}$.
• If $(I{D}_i,P{K}_i)\notin L_{PK}$, and $I{D}_i=I{D}^{*}$, C randomly selects a number $d_i\in Z_q^{*}$, and sets $P{K}^{*}=P{K}_i=(d_i+a)P$ as a response to $A_{II}$. If $I{D}_i\ne I{D}^{*}$, C randomly selects numbers $d_i,v_i\in Z_q^{*}$, sets $P{K}^{*}=P{K}_i=(u_i+d_i)P$, and responds with $P{K}_i$ to $A_{II}$. Then, C buffers the tuples $(I{D}_i,P{K}_i)$ and $(I{D}_i,u_i)$ into the list $L_{PK}$ and $L_U$, respectively.

Other query types remain the same as described in Theorem 1.

Challenge: Same as in Theorem 1.

Guess: $A_{II}$ executes adaptive querying, and guesses $b^{\prime }$. If $A_{II}$ relays the tuples $(x_3,y_3,h_2)$ to Query-$H_2$, it would know that $\widehat{\sigma }$ is a flawed ciphertext. Then, C can output $abP=Z-d_{v}X$ as a program to solve the ECCDHP.

We define the following two cases:

${\pi }_1$: C passing the query stage.

${\pi }_2$: C passing the challenge stage.

We can deduce that:

$$\begin{array}{cc}\hfill Pr\left[{\pi }_1\right]& ={(1-\delta )}^{q_{SK}}(1-q_{USC}/2^l),\hfill \\ \hfill Pr\left[{\pi }_2\right|{\pi }_1]& =\delta ,\hfill \\ \hfill Pr\left[Csuccess\right]& =Pr[{\pi }_1\wedge {\pi }_2]\hfill \\ \hfill & =Pr\left[{\pi }_1\right]Pr\left[{\pi }_2\right|{\pi }_1]\hfill \\ \hfill & ={(1-\delta )}^{q_{SK}}·\delta (1-\frac{q_{USC}}{2^l})\hfill \\ \hfill & \ge \frac{(1-\frac{q_{USC}}{2^l})}{e{q}_{SK}}\hfill \end{array}$$

(22)

where $\delta =\frac{1}{q_{SK}+1}$.

Thus, C can be used with probability ${\epsilon }^{\prime }\ge \frac{(1-q_{USC}/2^l)}{e{q}_{SK}}$ to solve the ECCDHP if $A_{II}$’s advantage of success is $\epsilon$. □

6.3. Unforgeability

Theorem 3. 

If a Type I opponent $A_I$ can successfully attack EUF-CLRSC-CMA2 for a non-negligible advantage ε in Game 3, then simulator C can solve the ECDLP with a probability ${\epsilon }^{\prime }\ge \epsilon /\left[e(q_{SK}+q_{PSK}+q_{RPK})\right]$.

Proof. 

Assume The simulator C receipts the tuple $(P,aP)\in G^2$. It computes the value of a in Game 3. Set $Pr(I{D}_i=I{D}^{*})=\delta$.

Setup: The setup is the same as described in Theorem 1.

Query: The same rules as presented in Theorem 1.

Forgery: $A_I$ returns a ciphertext $\sigma =\{C,\left\{s_i\right\},X,L,I,W,TS\}$ that meets the requirements of Game 3. To forge another ciphertext ${\sigma }^{*}$, $A_I$ replays queries Query-$H_4$ and Query-$H_5$ to gain another signcryption ${\sigma }^{*}=\{C^{*},\left\{s_i^{*}\right\},X^{*},L,I^{*},W^{*},TS\}$. The intermediate values of the two signcryption are $(k,r_1,r_2,\dots ,r_n,e_1,e_2,\dots ,e_n)$ and $(k^{*},r_1^{*},r_2^{*},\dots ,r_n^{*},e_1^{*},e_2^{*},\dots ,e_n^{*})$ in the correct order. Hence, when $i\in \{1,2,\dots ,n\}$, the conditions $s_i\ne s_i^{*}$, $r_i\ne r_i^{*}$, and $e_i\ne e_i^{*}$ are established, so with the following calculation

$$s_s=\left[{(1+s{k}_s)}^{-1}(k-r_{s}s{k}_s)\right]$$

(23)

$$s_s^{*}=\left[{(1+s{k}_s)}^{-1}(k^{*}-r_s^{*}s{k}_s)\right]$$

(24)

$$s{k}_s=d_s+a$$

(25)

$$d_s=v_s+e_{s}x$$

(26)

Then, C computes $a=\frac{k^{*}-k-(s_s^{*}-s_s)}{s_s^{*}-s_s+r_s^{*}-r_s}-x{e}_s-v_s$.

We define three events as follows:

${\pi }_1$: C adopts the Query stage.

${\pi }_2$: $I{D}^{*}\in L$.

${\pi }_3$: $I{D}^{*}$ is the real signatory.

We can know that:

$$\begin{array}{cc}\hfill Pr\left[{\pi }_1\right]& ={(1-\delta )}^{q_{SK}+q_{PSK}+q_{RPK}}\hfill \\ \hfill Pr\left[{\pi }_2\right|{\pi }_1]& =\frac{n}{\delta }\hfill \\ \hfill Pr\left[{\pi }_3\right|{\pi }_2\wedge {\pi }_1]& =\frac{1}{n}\hfill \\ \hfill Pr\left[Csuccess\right]& =Pr[{\pi }_1\wedge {\pi }_2\wedge {\pi }_3]\hfill \\ \hfill & =Pr\left[{\pi }_1\right]·Pr\left[{\pi }_2\right|{\pi }_1]·Pr\left[{\pi }_3\right|{\pi }_2\wedge {\pi }_1]\hfill \\ \hfill & ={(1-\delta )}^{q_{SK}+q_{PSK}+q_{RPK}}·\frac{n}{\delta }·\frac{1}{n}\hfill \\ \hfill & \ge \frac{1}{e(q_{SK}+q_{PSK}+q_{RPK})}\hfill \end{array}$$

(27)

where $\delta =1/(q_{SK}+q_{PSK}+q_{RPK}+1)$.

We can deduce that $Pr\left[Csuccess\right]\ge 1/\left[e(q_{SK}+q_{PSK}+q_{RPK})\right]$. □

Based on the forking lemma for ring signatures [26], C can solve the ECDLP for the probability of ${\epsilon }^{\prime }\ge \epsilon /\left[e(q_{SK}+q_{PSK}+q_{RPK})\right]$, if the advantage $A_{II}$ succeeds is $\epsilon$.

Theorem 4. 

If a Type II adversary $A_{II}$ gains a notable advantage ε in Game 3, successfully compromising EUF-CLRSC-CMA2, it implies that a simulator C could potentially solve the Elliptic Curve Discrete Logarithm Problem (ECDLP) with a probability ${\epsilon }^{\prime }\ge \epsilon /(e{q}_{SK})$.

Proof. 

Suppose the simulator C is provided with the tuple $(P,aP)\in G^2$. Its objective is to determine the value of a within Game 3. To achieve this, simulator C engages with the adversary $A_I$. Let us assume that $I{D}^{*}$ represents the target identity, with $Pr(I{D}_i=I{D}^{*})=\delta$ being the assigned probability.

Setup: The setup is the same as described in Theorem 2.

Query: The query phase follows the same rules as presented in Theorem 2.

Forgery: $A_{II}$ returns a ciphertext $\sigma =\{C,\left\{s_i\right\},X,L,I,W,TS\}$ that meets the requirements of Game 3. To forge another ciphertext ${\sigma }^{*}$, $A_I$ replays queries Query-$H_4$ and Query-$H_5$ to gain another signcryption ${\sigma }^{*}=\{C^{*},\left\{s_i^{*}\right\},X^{*},L,I^{*},W^{*},TS\}$. The intermediate values of the two signcryption are $(k,r_1,r_2,\dots ,r_n,e_1,e_2,\dots ,e_n)$ and $(k^{*},r_1^{*},r_2^{*},\dots ,r_n^{*},e_1^{*},e_2^{*},\dots ,e_n^{*})$ in the correct order. Hence, when $i\in \{1,2,\dots ,n\}$, the conditions $s_i\ne s_i^{*}$, $r_i\ne r_i^{*}$, and $e_i\ne e_i^{*}$ are established, so with the following calculation

$$s_s=\left[{(1+s{k}_s)}^{-1}(k-r_{s}s{k}_s)\right]$$

(28)

$$s_s^{*}=\left[{(1+s{k}_s)}^{-1}(k^{*}-r_s^{*}s{k}_s)\right]$$

(29)

$$s{k}_s=d_s+u_s$$

(30)

$$d_s=v_s+e_{s}a$$

(31)

thus $a=\frac{k^{*}-k-(s_s^{*}-s_s)}{e_s[(s_s^{*}-s_s+r_s^{*}-r_s)-u_s-v_s]}$.

We define three events as follows:

${\pi }_1$: C adopts the Query stage.

${\pi }_2$: $I{D}^{*}\in L$.

${\pi }_3$: $I{D}^{*}$ is the real signatory.

We can know that:

$$\begin{array}{cc}\hfill Pr\left[{\pi }_1\right]& ={(1-\delta )}^{q_{SK}}\hfill \\ \hfill Pr\left[{\pi }_2\right|{\pi }_1]& =\frac{n}{\delta }\hfill \\ \hfill Pr\left[{\pi }_3\right|{\pi }_2\wedge {\pi }_1]& =\frac{1}{n}\hfill \\ \hfill Pr\left[Csuccess\right]& =Pr[{\pi }_1\wedge {\pi }_2\wedge {\pi }_3]\hfill \\ \hfill & =Pr\left[{\pi }_1\right]·Pr\left[{\pi }_2\right|{\pi }_1]·Pr\left[{\pi }_3\right|{\pi }_2\wedge {\pi }_1]\hfill \\ \hfill & ={(1-\delta )}^{q_{SK}}·\frac{n}{\delta }·\frac{1}{n}\hfill \\ \hfill & \ge \frac{1}{e{q}_{SK}}\hfill \end{array}$$

(32)

where $\delta =1/q_{SK}$. □

Drawing from the forking lemma to ring signatures (Ref. [26]), C has the ability to solve the Elliptic Curve Discrete Logarithm Problem (ECDLP) with a probability ${\epsilon }^{\prime }\ge \epsilon /(e{q}_{SK})$, given that the success rate of the advantage $A_{II}$ is $\epsilon$.

6.4. Anonymity

The collection L encompasses the public keys belonging to the legitimate senders within the ring. When validating the signcryption, the verifier applies a consistent formula using all public keys from $L″$. Owing to the cryptographic attributes inherent in signcryption, the verifier cannot differentiate the true identity of the sender, thus preserving the anonymity of the original sender.

6.5. Traceability

When suspicious information is detected and there is a need to identify the true signer, TRA assesses the identity of the genuine signer using the I value within the suspicious signcrypt. Upon receiving the I value, TRA examines the ring public key set L to verify the identity $I{D}_i$ of the true signer by validating the equation $k^{-1}I=P{K}_i+H_3(C,A)T_i$. The $k^{-1}$ value in the equation is exclusively known to TRA, thus ensuring that conditional anonymity is preserved in the proposed CLRSC scheme.

6.6. Unlinkability

In the signcryption process, when generating the identifier I, the signer incorporates a variable $\beta$ dependent on the message content ensuring that each message yields a unique I. Consequently, for different messages, the same signer calculates I differently. In the verification phase aimed at uncovering the true signer, the equation $k^{-1}I=P{K}_i+H_3(C,A)T_i$ is employed, with only TRA possessing the knowledge of the value $k^{-1}$. This ensures that only TRA has the capability to discern the identity of the actual signer.

6.7. Replay Attack Resistance

To prevent such situations, we incorporate timestamps into the encryption process, indicating the time of ciphertext transmission. If a ciphertext cannot be validated, indicating a potential replay attack, the insecure ciphertext will be discarded, and the sender will be notified to resend the ciphertext. Upon receiving a ciphertext, the verifier first examines whether the timestamp $TS$ contained within the ciphertext satisfies the condition $|TS-T{S}_{cur}|\le △TS$, where $T{S}_{cur}$ denotes the current timestamp, and $△TS$ represents the maximum permissible time interval. If this condition is not met, $I{D}_r$ rejects the ciphertext $\sigma$, thereby ensuring that intercepted and subsequently returned messages cannot pass the verification conducted by $I{D}_r$.

6.8. Anti-Malicious Gateway

As an edge computing node, ECN is likely to be a target for attackers. Being a semi-trusted gateway, ECN cannot guarantee that it will not be successfully attacked. Therefore, in our solution, ECN is designed not to have access to plaintext data, ensuring that information remains encrypted throughout the transmission process, thus reducing the risk of information leakage. In order to protect the message, after receiving it, ECN only partially decrypts it. ECN can only obtain Y through calculation, without CC’s private key $s{k}_v$. As a result, it cannot obtain the message M, eliminating the possibility of message leaks.

6.9. Forward Security

When the system is compromised, measures are taken to prevent further escalation of losses. We designed the algorithm of Update-KeyPairs to regularly update the key. If a user accidentally loses the key, the security of the message before this cycle will not be questioned. Every time the user passes the previous cycle The private key and the random value $u_i^t$ of this period are used to calculate the public-private key pair of this period. The key for each cycle is irregular, which prevents further damage due to key loss.

7. Performance Analysis

In this chapter, a comprehensive analysis of the scheme versus the existing alternatives is presented. The main tasks are as follows:

• Functional analysis: the functionality of this paper is compared with classical papers, which are similar to existing schemes. The number of users in SGs is increasing rapidly and the complexity of the environment requires more functionality. Cryptographic parties with more functionalities are more in line with the developing SGs.
• Computational efficiency analysis: in order to specifically analyze this scheme, a comparative analysis will be performed on ring signcryption with existing papers [3,23,27,28] and existing literature on aggregated signcryption papers [29,30,31,32], respectively. Suppose a ring has n members and m messages.
• Communication cost analysis: In the comparison process, the communication cost is mainly reflected in two places: the communication cost of ECN and the communication cost of CC. A phase-by-phase comparison is made to show how the program can effectively solve a wider range of problems at a lower cost.

To ensure a fair comparison, we acquire the execution time of the most time-intensive operations by employing well-established encryption libraries such as pairing-based cryptography (PBC) and Miracl. We conduct simulations on a Lenovo Thinkpad laptop in China, featuring is Intel Core i5-9300H CPU and 16 GB RAM.

Comparing the scenarios at the same security level of 80 bits, for the scheme using the bilinear pairing $e:G_1\times G_1\to G_2$, define the generating element of the additive group $G_1$ to be $\ddot{P}$ and the order to be $\ddot{q}$, and set the elliptic curve $\ddot{E}:y^2=x^3+xmod\ddot{p}$, $\ddot{p}$ and $\ddot{q}$ are numbers of size 64 bytes and 20 bytes. For the ECC-based scheme, we define the additive group G of order $\dot{q}$ on $\dot{E}:y^2=x^3+ax+bmod\dot{p}$, where $\dot{p}$ and $\dot{q}$ are two of size 20 bytes and $a,b\in Z_{\dot{p}}^{*}$.

7.1. Compare Algorithm Functions

In this section, we will select typical excellent papers [3,23,27,28,29,30,31,32] that are currently available and compare them. The main focus of attention is on the functionality of the programs and the problems they solve. The analyzed results are represented in

Table 2. Comparison of Program Functions.

References	[3]	[23]	[27]	[28]	[29]	[30]	[31]	[32]	Ours
Traceability	✕	✕	✓	✓	✕	✓	✕	✕	✓
Confidentiality	✓	✓	✓	✓	✓	✓	✓	✓	✓
Anonymity	✓	✓	✓	✓	✓	✓	✓	✓	✓
Replay attack resistance	✓	✓	✓	✓	✕	✕	✕	✕	✓
Edge computing	✕	✕	✕	✕	✕	✕	✕	✕	✓
Reventing unsafe ECN	✕	✕	✕	✕	✕	✕	✕	✕	✓
User identity privacy protection	✓	✓	✓	✓	✕	✕	✕	✕	✓
Data privacy protection	✓	✕	✕	✕	✓	✓	✓	✓	✓
Update key	✕	✕	✕	✕	✕	✕	✕	✕	✓

.

From Table 2, we can clearly see that the scheme in this paper has more comprehensive functions and solves more problems at the same time. The primary distinction lies in this paper’s utilization of edge computing to address the challenge of user surges in SG. In combination with edge computing At the same time, it also prevents the problem of malicious ECN. This is not available in the existing scheme. At the same time, we also added the function of updating the key to prevent the security of the previously sent information after someone’s key is lost.

Through Table 2, it can be seen that the proposed scheme is more secure than the existing schemes. Literature [3,23,29,31,32] lack the tracking feature for malicious users, and literature [23,27,28] cannot perform data privacy protection. Except for this scheme, none of the existing typical schemes have forward and backward security.

The edge computing introduced in this scheme not only solves the problem of user proliferation but also resists attacks from malicious ECNs, which is a feature not available in existing schemes. In addition, this scheme adds a key update feature that protects the security of previously sent messages in case of key loss.

7.2. Computational Efficiency Analysis

In this experiment, we only focus on the more consuming operations, and operations that take less time are ignored, which does not affect the objectivity and fairness of our experiments. The notations corresponding to various computational operations are defined, and the corresponding elapsed times are listed in

Table 3. Execution time of encryption operation.

Operation	Operation	Executing Time (ms)
$T_h$	hash-to-point operation	4.874
$T_p$	bilinear pairing operation	5.239
$T_e$	exponential operation	2.637
$T_{Gm}$	scale multiplication operation in $G_1$	2.896
$T_m$	point multiplication operation in G	1.156
$T_a$	point addition operation in G	0.023

.

In terms of computational cost, since the literature we compare are all certificateless schemes, the computational cost of this scheme in the key generation phase is not much different from the schemes we compare and is mostly $5T_m+T_a$. The computational costs in the ring signcryption phase, batch verification phase, aggregate signcryption phase, aggregate signcryption verification phase and tracking phase of this paper are $(n+5)T_m+n{T}_a$, $(n+2)T_m+n{T}_a$, $(n+2)T_m+n{T}_a$, $T_m+(m-1)T_a$, $(n+2)T_m+n{T}_a$ and $2T_m$, respectively.

In order to satisfy the fairness and reasonableness of the analysis, we analyze the computational efficiencies of schemes [3,23,27,28] and scheme [3,29,30,31,32] at different stages, respectively, and the analysis results are shown in

Table 4. Comparison of the computational efficiency of the ring signcryption part.

References	Ring Signcryption	Ring Verification	Batch Verification	Tracking
[3]	$(3n+2)T_m+(2n-1)T_a$	-	-	-
[27]	$(4n+3)T_m+(5n-3)T_a$	$(4n+2)T_m+(5n-1)T_a$	$(4n+2)m{T}_m+5n{T}_a$	$3T_m+3T_a$
[23]	$(2n+3)T_m$	$(n+2)T_m+n{T}_a$	-	-
[28]	$(n+3)T_{Gm}+T_p+(2n-2)T_a$	$n{T}_{Gm}+4T_p$	-	$2T_{Gm}+2T_p$
Ours	$(n+5)T_m+n{T}_a$	$(n+2)T_m+n{T}_a$	$(n+2)T_m+n{T}_a$	$2T_m$

and

Table 5. Comparison of the computational efficiency of the aggregate signcryption part.

References	Aggregate Signcryption	Aggregate Verification
[3]	$(m-1)T_a$	$(m+1)T_m+(m-1)T_a$
[29]	$(m-1)T_a$	$2m{T}_{Gm}+T_p$
[30]	$(2m+2)T_m+(2m+2)T_a$	$(m+3)T_m$
[31]	$(m-1)T_a$	$3m{T}_{Gm}+m{T}_p+3m{T}_a$
[32]	$(m-1)T_a$	$(2m+1)T_m+(3m-1)T_a$
Ours	$T_m+(m-1)T_a$	$(n+2)T_m+n{T}_a$

.

It can be seen from Table 4 that our scheme has a significant improvement compared with the existing schemes in the ring signcryption stage. From Table 5, we can see that the scheme in this paper adds a multiplication operation $T_m$ to the existing advanced schemes in the aggregation process, but it has a huge advantage in the verification process.

In order to more realistically simulate the application scenarios of the smart grid, we assume that $n=10$, $m=100$, simulate the computational efficiency of each scheme and show the experimental results in

Table 6. Comparison of the computational efficiency of the ring signcryption part.

References	Ring Signcryption (bytes)	Ring Verification (bytes)	Batch Verification (bytes)	Tracking (bytes)
[3]	$37.429$	-	-	-
[27]	$50.789$	$49.679$	$4856.35$	$3.537$
[23]	$26.588$	$14.102$	-	-
[28]	$43.301$	$49.916$	-	$24.405$
Ours	$17.57$	$14.102$	$14.102$	$2.312$

and

Table 7. Comparison of the computational efficiency of the aggregate signcryption part.

References	Aggregate Signcryption (bytes)	Aggregate Verification (bytes)
[3]	$2.277$	$119.033$
[29]	$2.277$	150
[30]	150	$119.068$
[31]	$2.277$	150
[32]	$2.277$	150
Ours	$2.433$	$14.102$

. In order to show the difference between the various schemes more clearly, we also draw Figure 3 and Figure 4 based on Table 6 and Table 7.

In Figure 3, the batch verification part of paper [27] is too inefficient. In order to make the results in Figure 3 more obvious, we reduced this value from 4856.35 to 100, and the real data are larger than those shown in Figure 3. Similarly, in Figure 4, the aggregated signcryption part of the paper [30] and the aggregate verification part of the papers [29,31,32] are too large. In order to make the picture show the difference between each scheme, we uniformly reduce these data to 150.

We divide the comparison process into two parts: the ring signcryption part and the aggregation signcryption part. Table 4 and Table 6 and Figure 3 show the ring signcryption part, and Table 5 and Table 7 and Figure 4 show the aggregation signcryption part. The analysis shows that in terms of computational efficiency, this solution is more efficient than existing schemes in both ring signcryption and aggregation signcryption.

In the ring signcryption phase, ref. [3] does not verify the signcryption, resulting in lower efficiency, and lacks verification, batch verification, and ciphertext tracing algorithms. Ref. [27], while having a complete algorithm, suffers from lower efficiency, taking twice the time compared to our approach. Ref. [23] shows slightly lower efficiency and lacks a batch verification algorithm, making it unsuitable for practical scenarios. Ref. [28] exhibits not only lower efficiency but also a longer time for the tracing algorithm, and lacks a batch verification algorithm. Therefore, in the ring signcryption phase, our approach demonstrates significantly higher efficiency compared to existing works, with a complete algorithm.

In the aggregate signcryption phase, although the signcryption part of our approach is slightly increased compared to [3,29,31,32], the overall efficiency is better than existing works. There is a noticeable improvement in the efficiency of aggregate ciphertext verification. It is evident that our approach demonstrates better efficiency in the aggregate signcryption phase compared to existing works overall.

The analysis shows that in terms of computational efficiency, this solution is more efficient than existing schemes in both ring signcryption and aggregation signcryption.

7.3. Communication Cost Analysis

In the model of this paper, the ciphertext is transmitted in two main places. User $I{D}_s$ transmits the ciphertext to $I{D}_r$ after signcryption of the message. $I{D}_r$ performs aggregation and sends the aggregated ciphertext to $I{D}_v$. We compare the two phases separately in

Table 8. Comparison of the communication cost analysis of the ring signcryption part.

References	Ring Signcryption Communication Cost (bytes)
[3]	$(n+3)\left|G\right|+|Z_{\dot{q}}^{*}|+|M|+|TS|+|L|=708$
[27]	$3\left|G\right|+(n+1)|Z_{\dot{q}}^{*}|+|M|+|TS|+|L|=772$
[28]	$(n+2)|G_1|+|M|+|TS|+|L|=1704$
[23]	$(n+1)\left|G\right|+3|Z_{\dot{q}}^{*}|+|M|+|TS|+|L|=608$
Ours	$3\left|G\right|+(n+1)|Z_{\dot{q}}^{*}|+|M|+|TS|+|L|=772$

and

Table 9. Comparison of the communication cost analysis of the aggregate signcryption part.

References	Aggregate Signcryption Communication Cost (bytes)
[3]	$(n+3)\left|G\right|+|Z_{\dot{q}}^{*}|+m|M|+|TS|+|L|=16,548$
[29]	$(m+1)|G_1|+|Z_{\dot{q}}^{*}|+m|M|=28,948$
[30]	$(m+1)|G_1|+4m|M|=68,040$
[31]	$(m+1)\left|G\right|+m\left|M\right|=28,800$
[32]	$m\left|G\right|+m\left|M\right|=28,820$
Ours	$(m+2)\left|G\right|+n|Z_{\dot{q}}^{*}|+m|M|+|TS|+|L|=29,084$

.

According to the experimental parameters we wrote at the beginning of this chapter, we can obtain $|Z_{\dot{q}}^{*}|=|Z_{\ddot{q}}^{*}|=20$ bytes and set $n=10$, $m=100$ similar to the above section. By simple calculation, we can obtain that the length of message $\left|M\right|=l=160$ bytes, the length of the timestamp is $\left|TS\right|=4$ bytes and the public key set $\left|L\right|=4$ bytes, the elements in G, $G_1$ and $G_2$ are 40 bytes and 128 bytes, and are signified as $\left|G\right|$ and $|G_1|$, respectively.

To make a clearer comparison of the communication costs, we set the number of ring members at 5 to better show the differences between the schemes. Based on Table 5, we can calculate the following. The costs of the four ring signcryption schemes and the scheme in this paper are 708, 772, 1704, 608 and 772, respectively. In this link, this paper is obviously better than the existing similar schemes. Combined with Table 8, we know that although our cost is not the lowest, it is not much different from the cost of the current excellent solutions.

After analysis, in terms of communication cost, the present scheme is lower than the literature [28] in the ring signing secret phase, and the same as the literature [27], which is not the lowest but still the lowest cost among the existing typical schemes. In the aggregate signcryption phase, the communication cost of the present scheme is lower than that of the literature [23], and not much different from that of the literature [29,31,32]. Taken together, this scheme is not the best in terms of communication cost, but the increase is less compared to typical schemes. It is worthwhile to sacrifice a small amount of communication cost to add more security and higher efficiency.

8. Conclusions

Protecting user privacy in SG is critical to its development. However, none of the existing solutions are suitable for SG, or cannot better solve the existing problems. This is very unfavorable for the development of SG. In this paper, we propose a certificateless aggregated ring signcryption scheme with conditional privacy in SG. By incorporating aggregate signcryption to improve computational efficiency, utilizing timestamps to counter replay attacks, and employing multi-layer encryption to resist malicious gateways, security has been enhanced. Through security analysis, it is proved that the scheme can resist external attacks and internal malicious KGC threats and has more comprehensive functions. Through the efficiency analysis experiment, it can be seen that compared with the existing schemes with the same function, our scheme does not require bilinear pairing and is faster. Ring signcryption and aggregate signcryption are performed under the same structure, improving computational efficiency and communication costs, which have obvious advantages over existing schemes.