An Improved Identity-Based Generalized Signcryption Scheme for Secure Multi-Access Edge Computing Empowered Flying Ad Hoc Networks

Emerging Unmanned Aerial Vehicles (UAVs) have applications in traffic monitoring, public safety, surveillance, agriculture and health services. Collaborative UAVs can form flying ad hoc networks (FANETs), but such networks are especially exposed to attack because of the open wireless medium and the limited power of their nodes. Very recently, Khan et al. presented an identity-based generalized signcryption scheme with multi-access edge computing to secure FANETs. First, this paper presents a cryptanalysis of the Khan et al. scheme and shows that it provides neither message confidentiality nor authenticity and integrity. Second, it presents an improved scheme. A comparison of the improved scheme with state-of-the-art schemes in terms of security and cost shows that it is efficient, provably secure against the considered attacks, and suitable for multi-access edge computing empowered FANETs.


I. INTRODUCTION
Unmanned aerial vehicles (UAVs) are emerging and have extensive and diverse technology-based applications. Some of the application domains are national security [1], disaster relief operations [2], surveillance [3], border control [4], traffic monitoring [5], farming and goods transportation [1], wildfire management [6] and wind estimation [7]. Recently, Amazon introduced Amazon Prime Air [8] for quick and safe customer parcel delivery. FANETs consist of multiple small UAVs that collect and exchange data with each other and with ground stations. Due to their unique structure, FANETs face numerous challenges such as dynamic topology, mobility management, latency, frequent link disconnection, flight formation, collision avoidance, external disturbances, and scalability [9]. FANETs have limited resources and face security threats such as GPS spoofing, black hole attacks, denial of service attacks, spam, traffic, Sybil, and man-in-the-middle attacks [10]. Therefore, smart and secure solutions for efficient and secure information exchange are in demand.

The associate editor coordinating the review of this manuscript and approving it for publication was Sedat Akleylek.
Formally designed data and network security solutions can significantly reduce the threat of data and node compromise in FANETs. He et al. [11] proposed a hierarchical broadcast identity-based encryption scheme to remove the burden of certificate verification. Won et al. [12] proposed a certificateless multi-receiver encryption scheme for one-to-one, one-to-many, and many-to-one secure communication.
Asghar et al. [13] proposed a certificateless blind signature scheme for sender anonymous authenticated communication in FANETs.
Signcryption combines the functionality of public-key signature and encryption at a significantly reduced cost. Lal et al. [14] first introduced the notion of ID-based generalized signcryption schemes (ID-GSCS). Wei et al. [15] proposed an ID-GSCS proven secure in the random oracle model; however, Waheed et al. [16] showed that the scheme of Wei et al. is insecure in its own model. Shen et al. [17] first proposed an ID-GSCS in the standard model. Zhou et al. [18] proposed an ID-based combined public-key scheme for signcryption, encryption and signature that provides sufficient security functionality. To meet the efficiency and security requirements of FANETs, Khan et al. [19] proposed an ID-based generalized signcryption scheme for secure multi-access edge computing empowered FANETs. This paper analyzes the Khan et al. solution and shows that it does not provide message confidentiality, authenticity or integrity. This paper also presents an improved scheme that provides the security features necessary for secure multi-access edge computing empowered FANETs.

A. PAPER ORGANIZATION
The rest of this paper is organized as follows. Section II presents the literature review, and Section III defines the preliminaries. Section IV reviews Khan et al.'s scheme and Section V presents its cryptanalysis. Section VI presents the improved scheme with its correctness analysis and deployment. Section VII presents the security and cost analysis of the improved scheme. Section VIII concludes the paper.

II. RELATED WORK
This section reviews some relevant literature. Zhang et al. [20] proposed a Chinese remainder theorem-based privacy-preserving authentication scheme using fingerprints for securing communications in VANETs. The scheme is efficient and secure under the random oracle model; future work is to extend it to enhanced user privacy in emerging dynamic environments comprising 5G base stations, drivers' handheld devices, etc. Due to advances in communication technologies, the concept of the Internet of Battle Things (IoBT) has emerged, which empowers armed forces in battle to face the challenges of command and control (C2) scenarios. Leal et al. [21] proposed an architecture for software-defined and information-centric network nodes that meets the high-level operational requirements of ''C2 agility'' and provides more efficient data distribution.
Reddy et al. [22] proposed a pairing-free key-insulated signature scheme in the identity-based setting with computational and communication efficiency. Xiong et al. [23] also proposed a provably secure pairing-free Certificateless Parallel Key-Insulated Signature (CL-PKIS) scheme for the Industrial Internet of Things (IIoT). Both approaches are based on elliptic curves and still incur a high computational cost. Khan et al. [24] proposed a certificateless key-encapsulated signcryption scheme based on the hyperelliptic curve cryptosystem (HECC) for FANETs; HECC uses a shorter key size and is more efficient than elliptic curve cryptography at the same security level. Khan et al. [25] proposed an HECC-based access control and key agreement scheme together with its security and cost analysis.
Next, we introduce a common security attack on FANETs, the Sybil attack. Here an attacker pretends to be many participants communicating at the same time while hiding his or her real identity from the users of the network. This causes connectivity problems, mainly in peer-to-peer communication, because the attacker creates multiple identities that look like regular network users, so that behind the scenes a single attacker manipulates and controls the whole network. By contrast, in an eclipse attack the attacker targets a few nodes in the network and eclipses them, i.e., prevents them from communicating with the other nodes. Fig 1 shows a Sybil attack in which the blue Sybil nodes, by creating multiple fake identities, prevent the honest nodes from connecting to the other network nodes and block the information transmission paths among them. A Sybil attack can be prevented when the cost of an identity is so high that an attacker cannot afford to compute a large number of fake identities; at the same time, the cost of identification must not be so high that it burdens legitimate users, who should be able to communicate without difficulty. This is achievable with an HECC-based digital signature, which has minimal cost at the same level of security.

III. PRELIMINARY OF HYPERELLIPTIC CURVE CRYPTOSYSTEM
Definition 1: Let F_q be a finite field of order q and F̄_q its algebraic closure. A hyperelliptic curve hEc of genus g over F_q is the set of solutions (x, y) ∈ F̄_q × F̄_q of the curve equation, Eq. (1), where h(x) ∈ F_q[x] is a polynomial of degree at most g and f(x) ∈ F_q[x] is a monic polynomial of degree 2g + 1, such that no point (x, y) ∈ F̄_q × F̄_q simultaneously satisfies Eq. (1) and its partial derivatives (the curve is non-singular) [26]. A divisor D is a finite formal sum of points of the curve. The Jacobian J(F_q) is a finite abelian group under addition, and each element of J(F_q) is an equivalence class represented by a reduced divisor. The order of J(F_q) is bounded above and below by the Hasse-Weil inequality in q and g. Koblitz [27] first introduced the hyperelliptic curve cryptosystem over the Jacobian J(F_q), whose security rests on the presumed intractability of the discrete logarithm problem in J(F_q) (HECDLP). HECDLP-based cryptosystems are preferred over other public-key cryptosystems because of their high efficiency and shorter key size. The notation used in this paper is shown in Table 1.

IV. REVIEW OF KHAN ET AL. SCHEME
1) Setup: PKGC performs the following steps:
a) Selects a hyperelliptic curve (HEC) over a finite field F_q of order q.
b) Selects a divisor D in the Jacobian J(F_q) of the HEC.
c) Selects uniformly at random δ ∈ {1, 2, ..., q − 1} as the PKGC private key.
d) Computes its public key as δ · D.
e) Selects two one-way hash functions h_a and h_b.
2) Key extraction:
a) Each node sends its identity (ID_pc) to the PKGC.
b) PKGC computes the private key of the sender (ID_cs) as A_cs = δ · h_a(ID_cs) mod q and its public key as B_cs = A_cs · D.
c) PKGC computes the private key of the receiver (ID_cr) as A_cr = δ · h_a(ID_cr) mod q and its public key as B_cr = A_cr · D.
d) Transmits the private/public key pair securely to the node with identity ID_cr.

4) Generalized Unsigncryption:
a) The receiver, given the generalized signcrypted text ψ = (∂, σ, η, ·), where the fourth component is the sender's ephemeral divisor, and the keys (A_cr, B_cs, B_cr, ...),

V. CRYPTANALYSIS OF KHAN ET AL. SCHEME
Breaking a cryptographic scheme without knowing the key is known as cryptanalysis, as shown in Fig 3. The Khan et al. scheme works in three different modes: encryption only, signature only, and signcryption. The scheme is analyzed in each of these modes below.

A. ATTACK ON ENCRYPTION ONLY MODE
If ID_cs = null and ID_cr ≠ null, GSC proceeds in encryption-only mode. With ID_cs = null, the last step of the generalized signcryption algorithm computes the component ∂ = ID_cr · ϕ, a plain integer product, because the term involving the sender's private key vanishes. The receiver's identity ID_cr is public, so an attacker who observes ∂ computes ϕ = ∂ / ID_cr in polynomial time (a single integer division) and then computes the session key β = ϕ · B_cr · ID_cr from the public key B_cr. With β the attacker decrypts η. Therefore, the scheme does not provide message confidentiality in encryption-only mode.

B. ATTACK ON SIGNATURE ONLY MODE
If ID_cr = null and ID_cs ≠ null, generalized signcryption proceeds in signature-only mode. In this mode the tag σ = h_b(m||ID_cs||ID_cr||n_cs) depends only on public values, so an attacker can choose an arbitrary fraudulent message m' and compute σ' = h_b(m'||ID_cs||ID_cr||n_cs) without any private key. The receiver then computes σ* = h_b(m'||ID_cs||ID_cr||n_cs), compares σ* = σ', finds that the equality holds, and authenticates the fraudulent message. Therefore, the scheme provides neither message authentication nor integrity in signature-only mode.

C. ATTACK ON SIGNCRYPTION MODE
In signcryption mode the sender computes ∂ = ID_cr · ϕ − σ · A_cs · ID_cs · (the ephemeral divisor), a single expression that mixes two kinds of objects. Let A = ID_cr · ϕ; this is an ordinary arithmetic multiplication that yields an integer, since both ID_cr and ϕ are integer-like numbers. Let B = σ · A_cs · ID_cs · (the ephemeral divisor); this is repeated addition of a divisor and yields a divisor in the abelian group J(F_q). The sender can only write ∂ = A − B and cannot simplify further, because the integer A cannot be subtracted from the divisor B ∈ J(F_q): the two are of different nature. Consequently ∂ still exposes the integer ID_cr · ϕ, and the attacker recovers ϕ from it exactly as in encryption-only mode and breaks message confidentiality in signcryption mode as well.

VOLUME 9, 2021

VI. IMPROVED SCHEME

A. CORRECTNESS ANALYSIS
This section presents the proposed scheme's consistency proofs in signature-only mode, encryption-only mode, signcryption mode, and judge verification.

Theorem 1: In encryption-only mode, encryption/decryption of the improved ID-based generalized signcryption is correct if the sender's and receiver's computations satisfy the equation ID_cr · A_cr · (ϕ · D) = ID_cr · ϕ · B_cr.
Proof: Since B_cr = A_cr · D, we have ID_cr · A_cr · (ϕ · D) = ID_cr · ϕ · (A_cr · D) = ID_cr · ϕ · B_cr, so the receiver's session key β = ID_cr · A_cr · (ϕ · D) equals the sender's β = ϕ · ID_cr · B_cr. Clearly, the equation ID_cr · A_cr · (ϕ · D) = ID_cr · ϕ · B_cr is established.
Theorem 2: In signature-only mode, signature/verification of the improved ID-based generalized signcryption is valid if the sender and each receiver satisfy the equation ∂(B_cs + σ · D) = ID_cs · (ϕ · D).
Proof: Let ∂ = (ϕ / (σ + A_cs)) · ID_cs mod q and B_cs = A_cs · D. Then ∂(B_cs + σ · D) = ∂ · (A_cs + σ) · D = (ϕ / (σ + A_cs)) · ID_cs · (A_cs + σ) · D = ID_cs · ϕ · D. Clearly, the equation ∂(B_cs + σ · D) = ID_cs · (ϕ · D) is established.

Theorem 3: In signcryption mode, signcryption/unsigncryption of the improved ID-based generalized signcryption is valid if the sender and receiver satisfy both equations ID_cr · A_cr · (ϕ · D) = ID_cr · ϕ · B_cr and ∂(B_cs + σ · D) = ID_cs · (ϕ · D).
Proof: Both equations hold, as proved in Theorems 1 and 2.

B. PROPOSED SCHEME DEPLOYMENT
This section presents the deployment of the proposed scheme in UAV networks monitoring different fields. The deployment comprises three phases: system initialization, registration, and data transmission and verification.

1) SYSTEM INITIALIZATION
The PKG starts by running the setup algorithm. It chooses the security parameter k, a hyperelliptic curve HEC of a given genus, a divisor D, a parameter q of length 80 bits, two one-way hash functions (h_a and h_b), and a key space from which it picks a private key δ ∈ {1, 2, ..., q − 1} uniformly at random; the associated public key is computed as δ · D. The tuple E = {k, h_a, h_b, q, D, HEC, δ · D} is published for use in the various communication processes. This phase also introduces the identities of the nodes participating in secure communication: ID_mec, the identity of the MEC-UAV; ID_mbs, the identity used for

2) REGISTRATION PHASE
This phase runs the extraction algorithm: the nodes/participants share their IDs with the PKG, as shown in Fig 5, and the PKG generates and transmits a private key to each node for the ID concerned. For the identity ID_pc, the PKG generates the private key A_pc = δ · h_a(ID_pc) mod q, and the associated public key is computed as B_pc = A_pc · D. The same process yields the key pairs of the other nodes, (A_mec, B_mec), (A_mbs, B_mbs), and (A_m-uav, B_m-uav). The PKG delivers the respective key pair to each node over a private channel.

3) DATA TRANSMISSION AND VERIFICATION PHASE
In this phase the sender applies the generalized signcryption operation to the data and forwards the result; the receiver unsigncrypts the received text and verifies its contents, as shown in Fig 6. The MEC-UAV, acting as sender (ID_cs = ID_mec, with the MBS/SBS as receiver ID_cr = ID_mbs), executes the following steps. First it chooses a random number ϕ ∈ {1, 2, ..., q − 1} and computes the ephemeral divisor ϕ · D. Next it computes the session key β = ϕ · ID_cr · B_cr, the ciphertext η = e_β(m||ID_cs||ID_cr||n_cs) and the tag σ = h_b(m||ID_cs||ID_cr||n_cs). Finally it computes ∂ = (ϕ / (σ + A_cs)) · ID_cs mod q and sends the generalized signcrypted text ψ = (∂, σ, η, ϕ · D). If ID_mec = null and ID_mbs ≠ null, the MEC-UAV runs in the encryption-only mode of generalized signcryption; if ID_mbs = null and ID_mec ≠ null, it runs in signature-only mode; and if both ID_mec ≠ null and ID_mbs ≠ null, it runs in signcryption mode. On receiving the tuple ψ = (∂, σ, η, ϕ · D), the MBS/SBS performs the unsigncryption process: first it computes β = ID_cr · A_cr · (ϕ · D), then (m||ID_cs||ID_cr||n_cs) = d_β(η), and checks σ = h_b(m||ID_cs||ID_cr||n_cs); it then checks ID_cs · (ϕ · D) = ∂(B_cs + σ · D). If both checks hold it accepts ψ; otherwise it outputs the error symbol ⊥.
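The sender and receiver steps above, together with the Section V attacks on the Khan et al. scheme, as an added worked example in Python (not code from the paper or its authors). It is a toy model with several stated assumptions: the Jacobian J(F_q) is replaced by the prime-order-q subgroup of Z_p^* for a 62-bit safe prime p = 2q + 1 found deterministically at import time, so the paper's divisor scalar multiplication k · X becomes pow(X, k, p) and divisor addition X + Y becomes X · Y mod p; the symmetric cipher e_β/d_β is a SHA-256 keystream XOR keyed by β; h_a and h_b are SHA-256 reduced to [1, q − 1]; an identity string is mapped to its integer value, with the null identity represented by the empty string (value 0); ∂ is taken as (ϕ / (σ + A_cs)) · ID_cs mod q, the form under which Theorem 2 holds, since the extracted text leaves it ambiguous; and the receiver keeps a set of consumed nonces for the replay check, which the paper does not spell out. All function names (smul, dadd, extract, derived_pub, khan_*, signcrypt, unsigncrypt) and the identities, nonces and messages used with them are hypothetical. The Khan et al. functions reproduce only the parts Section V relies on: the integer product ∂ = ID_cr · ϕ in encryption-only mode and the keyless tag σ in signature-only mode. Requires Python 3.8+ for pow(x, -1, q).

```python
"""Constructed toy model (not the paper's code) of the Section V attacks on Khan et al.'s scheme
and of the Section VI improved signcrypt/unsigncrypt flow.  The Jacobian J(F_q) is replaced by the
order-q subgroup of Z_p^*, p = 2q + 1: the paper's k . X becomes pow(X, k, p) and X + Y becomes
X * Y mod p.  Parameters are derived deterministically at import time (toy 62-bit size)."""
import hashlib

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # Miller-Rabin bases, deterministic for n < 2**64

def is_prime(n):
    if n < 2:
        return False
    if any(n % b == 0 for b in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(start=1 << 62):  # smallest q >= start with q and 2q + 1 both prime
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return q

Q = safe_prime()  # group order q
P = 2 * Q + 1     # field modulus
D = 4             # 2^2 != 1 is a square, so its order divides the prime Q: it generates the subgroup

def smul(k, X): return pow(X, k % Q, P)  # k . X, scalar multiple of a divisor
def dadd(X, Y): return X * Y % P         # X + Y, divisor addition
def H(tag, s):                           # hash to [1, q - 1]
    return int.from_bytes(hashlib.sha256(tag + s.encode()).digest(), "big") % (Q - 1) + 1
def h_a(s): return H(b"a|", s)
def h_b(s): return H(b"b|", s)
def id_int(ident): return int.from_bytes(ident.encode(), "big")  # public integer form; null ("") -> 0

def sym(beta, data):  # e_beta / d_beta: SHA-256 keystream XOR keyed by the session key beta
    ks = b"".join(hashlib.sha256(f"{beta}|{i}".encode()).digest() for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def extract(delta, ident):  # PKG key extraction: A = delta * h_a(ID) mod q, B = A . D
    A = delta * h_a(ident) % Q
    return A, smul(A, D)

def derived_pub(pkg_pub, ident):  # B_ID = A . D = h_a(ID) . (delta . D): computable from the ID alone
    return smul(h_a(ident), pkg_pub)

# -- Section V: Khan et al., encryption-only mode (sender side) and signature-only mode --
def khan_encrypt_only(id_cr, B_cr, payload, phi):
    beta = smul(phi * id_int(id_cr), B_cr)  # beta = phi . B_cr . ID_cr
    partial = id_int(id_cr) * phi           # d = ID_cr . phi: a plain integer product
    return partial, sym(beta, payload), smul(phi, D), beta

def khan_recover_key(partial, id_cr, B_cr):  # the attack: ID_cr and B_cr are public values
    phi = partial // id_int(id_cr)
    return smul(phi * id_int(id_cr), B_cr)

def khan_sigma(m, id_cs, id_cr, n_cs):  # sigma = h_b(m||ID_cs||ID_cr||n_cs): no key involved
    return h_b(f"{m}||{id_cs}||{id_cr}||{n_cs}")

def khan_verify_sig_only(m, id_cs, id_cr, n_cs, sigma):  # the receiver's only check in that mode
    return sigma == khan_sigma(m, id_cs, id_cr, n_cs)

# -- Section VI: improved scheme; id_cs == "" selects encryption-only, id_cr == "" signature-only --
def signcrypt(A_cs, id_cs, id_cr, B_cr, m, n_cs, phi):
    payload = f"{m}||{id_cs}||{id_cr}||{n_cs}".encode()
    sigma = h_b(payload.decode())
    eta = sym(smul(phi * id_int(id_cr), B_cr), payload) if id_cr else payload  # beta = phi.ID_cr.B_cr
    # d = (phi / (sigma + A_cs)) . ID_cs mod q  (assumption: the form under which Theorem 2 holds)
    partial = phi * pow(sigma + A_cs, -1, Q) * id_int(id_cs) % Q if id_cs else 0
    return partial, sigma, eta, smul(phi, D)

def unsigncrypt(A_cr, id_cr, pkg_pub, psi, seen_nonces):  # returns m, or None for the error symbol
    partial, sigma, eta, Gamma = psi
    payload = sym(smul(id_int(id_cr) * A_cr, Gamma), eta) if id_cr else eta  # beta = ID_cr.A_cr.Gamma
    try:
        m, id_cs, rid, n_cs = payload.decode().rsplit("||", 3)
    except (UnicodeDecodeError, ValueError):
        return None
    if rid != id_cr or sigma != h_b(payload.decode()):
        return None  # integrity check failed
    if id_cs and smul(partial, dadd(derived_pub(pkg_pub, id_cs), smul(sigma, D))) != smul(id_int(id_cs), Gamma):
        return None  # d(B_cs + sigma . D) != ID_cs . Gamma: authenticity / unforgeability check failed
    if n_cs in seen_nonces:
        return None  # replay: nonce n_cs already consumed
    seen_nonces.add(n_cs)
    return m
```

Importing the block builds the parameters; a practitioner can then confirm that khan_recover_key returns the sender's β from the public ψ and B_cr alone, that khan_verify_sig_only accepts any message whose σ was produced by khan_sigma, and that unsigncrypt returns None for a tampered η, a repeated nonce, or an unregistered identity signing with a made-up key, while all three modes of the improved scheme round-trip. derived_pub shows the property behind the Sybil argument of Section VII: B_ID follows from the identity and the PKG public key, so a fabricated identity has no matching private key. The 62-bit group makes the Section V attacks structural rather than a statement about DLP hardness.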

VII. IMPROVED SCHEME ANALYSIS
The improved scheme is analyzed with respect to security and computational cost in the following subsections.

A. SECURITY ANALYSIS
The improved ID-based generalized signcryption provides the basic security properties of message confidentiality, message integrity, sender authenticity and unforgeability, and it resists replay and Sybil attacks.

1) CONFIDENTIALITY
The improved ID-based generalized signcryption ensures confidentiality. To recover the contents of a message, an attacker must obtain the private key of the sender or receiver (A_cs or A_cr) or the ephemeral secret ϕ from which the session key is derived: 1) Computing A_cs from B_cs = A_cs · D, or A_cr from B_cr = A_cr · D, is equivalent to solving the HECDLP, which is intractable. 2) Computing ϕ from ∂ = (ϕ / (σ + A_cs)) · ID_cs mod q means solving one equation in two unknowns (ϕ and A_cs), which is infeasible; unlike the Khan et al. scheme, no component of ψ is a plain product of ϕ with a public value.

2) INTEGRITY
To generate the generalized signcrypted text ψ = (∂, σ, η, ϕ · D), the sender computes σ = h_b(m||ID_cs||ID_cr||n_cs) with a strongly collision-resistant hash function and ∂ = (ϕ / (σ + A_cs)) · ID_cs mod q with its private key. The receiver verifies ψ by checking σ = h_b(m||ID_cs||ID_cr||n_cs) and ID_cs · (ϕ · D) = ∂(B_cs + σ · D). If an attacker changes the message, the strong collision resistance of h_b lets the receiver detect whether the message is the original one or a fabricated one.

3) AUTHENTICITY
The improved scheme provides sender authenticity. The sender computes the generalized signcrypted text ψ = (∂, σ, η, ϕ · D) using its private key A_cs, as σ = h_b(m||ID_cs||ID_cr||n_cs) and ∂ = (ϕ / (σ + A_cs)) · ID_cs mod q. The receiver verifies the message using the sender's public key through ID_cs · (ϕ · D) = ∂(B_cs + σ · D), which confirms that the message was signcrypted by the legitimate sender.

4) UNFORGEABILITY
The proposed improved scheme provides unforgeability. The component ∂ = (ϕ / (σ + A_cs)) · ID_cs mod q of ψ = (∂, σ, η, ϕ · D) is computed with the sender's private key A_cs, and only a ∂ formed with that key satisfies the receiver's check ID_cs · (ϕ · D) = ∂(B_cs + σ · D). To forge a message an attacker must therefore hold the sender's private key, and computing it from the public key B_cs is equivalent to solving the intractable hyperelliptic curve discrete logarithm problem.

5) REPLAY ATTACK
The sender generates the generalized signcrypted text with a one-time nonce n_cs bound into the hash σ = h_b(m||ID_cs||ID_cr||n_cs), so a replayed text carries a nonce the receiver has already seen; provided the receiver records the nonces it has accepted and rejects a repeated one, it is infeasible for an intruder to launch a replay attack. A comparison with existing schemes, including Zhou et al. [18] and Khan et al. [19], is shown in Table 2.

6) SYBIL ATTACK
In this type of attack, a node in a peer-to-peer network actively operates under multiple identities at the same time to gain influence in reputation systems. In the proposed scheme, every identity's public key is bound to the identity through the PKG (B = δ · h_a(ID) · D), so the multi-access edge computing node verifies each node's identity with the corresponding public key, and fabricated identities without PKG-issued keys fail verification; this prevents Sybil attacks.

B. COST ANALYSIS
FANETs have low battery and computation power resources. Therefore, computational cost and communication overhead efficiency are of prime importance in FANETs.

1) COMPUTATION COST
Computation power is required for the security operations. The proposed improved scheme consumes fewer computational resources for the required security properties. It is compared with the state-of-the-art schemes of Yu et al. [28], Kushwah et al. [29], Wei et al. [15], Shen et al. [17], Zhou et al. [18], and Khan et al. [19]. In all the mentioned schemes, the major and most expensive operations are ECPM (elliptic curve point multiplication), BP (bilinear pairing), BPM, Mexp (modular exponentiation) and HECDM (hyperelliptic curve divisor multiplication). Based on the results presented in [18], [19], [30], obtained on a workstation (Intel Core i7-4510U CPU @ 2.0 GHz, 8 …), the time comparison of the proposed and existing schemes is presented in Tables 3 and 4, and the percent computation cost reduction in Table 5.

2) COMMUNICATION OVERHEAD
Communication overhead is the number of extra bits appended to an encrypted message for security and is one of the vital performance indicators. The improved scheme is compared with the existing schemes of Yu et al. [28], Kushwah et al. [29], Wei et al. [15], Shen et al. [17], Zhou et al. [18], and Khan et al. [19]. The comparison is based on the NIST standard parameters (values in bits): |S| = 1024, |Z_q| = 160, |Z_n| = 80, |H| = 512, |W| = 1024. The results are presented in Tables 3 and 6, and the percent communication cost reduction in Table 7 (Tables 4 and 5 give the corresponding computation-side comparison and percent cost reduction of the proposed scheme over the existing schemes).

VIII. CONCLUSION
This paper presented a cryptanalysis of the Khan et al. scheme and showed that it is insecure: it provides neither message confidentiality nor authenticity and integrity. This paper also presented an improved ID-based generalized signcryption scheme that is provably secure against the mentioned attacks. The comparison with other state-of-the-art schemes shows that the improved scheme is efficient and attractive for multi-access edge computing empowered FANETs. In the future, this concept may be extended to heterogeneous generalized signcryption for multi-access edge computing empowered FANETs.

FAISAL ALANAZI received the B.Sc. degree in electrical engineering (electronics and communication) from KSU and the M.Sc. and Ph.D. degrees in electrical and computer engineering from The Ohio State University, in 2013 and 2018, respectively. He is currently an Assistant Professor at PSAU. His research interests include cryptography, vehicular ad hoc networks, and delay-tolerant networks. He is a member of the IEEE Communications Society.