An Efficient and Provably Secure Certificateless Key-Encapsulated Signcryption Scheme for Flying Ad-hoc Network

A Flying Ad-hoc Network (FANET) consists of Unmanned Aerial Vehicles (UAVs) tasked to handle communication in a multi-hop ad-hoc fashion. Unlike its predecessors, i.e. Mobile Ad-hoc Networks (MANETs) and Vehicular Ad-hoc Networks (VANETs), a FANET promises uninterrupted connectivity, especially during temporary events that draw a massive audience. However, the participating UAVs in a FANET environment are usually resource-constrained and are, therefore, prone to cyber-attacks. In order to resolve this issue and to enable secure communication between the UAVs and the Base Station (BS), we propose a Certificateless Key-Encapsulated Signcryption (CL-KESC) scheme. The scheme is based on the concept of Certificateless Public Key Cryptography (CL-PKC). Since CL-PKC is immune to the key escrow problem, one of the major drawbacks of Identity-based Public Key Cryptography (ID-PKC) is addressed. Unfortunately, the existing construction models of CL-KESC rely on elliptic curve-based operations, which are computationally expensive for small UAVs. To counter this issue, in this paper, we present a new construction model of CL-KESC based on Hyperelliptic Curve Cryptography (HECC). HECC is an advanced version of the elliptic curve and is characterized by smaller parameter and key sizes. The key size stretches to a maximum of 80 bits, as opposed to the elliptic curve that demands a 160-bit key size. The proposed scheme proves to be superior, chiefly in terms of security and performance, as demonstrated by the results obtained from the security verification and by a comparative analysis with the existing counterparts.


I. INTRODUCTION
A Flying Ad-hoc Network (FANET) is an emerging paradigm that helps realize a rapidly deployable, self-configurable and flexible communication network for data transmission between Unmanned Aerial Vehicles (UAVs) and the Base Station (BS). Such a network is primarily composed of UAVs acting as communicating entities connected in a multi-hop ad-hoc networking fashion [1].
The associate editor coordinating the review of this manuscript and approving it for publication was Muhammad Khandaker.
This feature eliminates the need to deploy complex hardware in each of the UAVs. Furthermore, in case one of the UAV communication links breaks down, there is no disconnection from the BS since an ad-hoc network is already deployed between the UAVs [2]. Compared to its predecessors, i.e. Mobile Ad-hoc Networks (MANETs) and Vehicular Ad-hoc Networks (VANETs), the FANET can be used to ensure ubiquitous connectivity, particularly during mission-critical disaster-rescue operations [3]. However, most of the applications involved in a FANET system are based on real-time scenarios. That is, the users are usually interested in retrieving real-time information from the UAVs connected to a specific region. This is possible only if the users are permitted to access real-time information directly from the UAVs inside a FANET environment rather than through the BS. This results in a security breach, which might deteriorate the effectiveness of an implemented solution in the FANET system.
Two major aspects of a security system, confidentiality and authentication, need to be addressed. In general, the answer to confidentiality and authentication lies in encryption and digital signatures respectively. When both are required simultaneously, the sign-then-encrypt approach is mostly used. However, the stringent constraints associated with small UAVs, such as limited on-board energy and restricted computational capability, do not permit complex cryptographic operations [4]. Moreover, performing computationally intensive tasks on a UAV may result in a slow response time which can, in turn, shorten the battery's lifetime and hence compromise the mission's success. Fortunately, such an impediment can be mitigated by employing an amalgamated scheme, named 'signcryption', that is aimed at offloading the demanding computational tasks from UAVs [5]. It is a public-key cryptosystem which performs the functions of digital signature and encryption simultaneously in a single logical step. Signcryption is also far more efficient and cost-effective than encryption and digital signature performed separately. Owing to its lower cost than the alternatives involving a signature followed by encryption, signcryption is appropriate for resource-constrained environments such as Flying Ad-hoc Networks (FANETs). However, when a signcryption scheme is applied directly to messages carrying large chunks of data, its performance drops significantly. Inspired by the concept of hybrid encryption, Dent [6] proposed the Signcryption Key Encapsulation Mechanism (SC-KEM) in order to improve the practical use of signcryption. The SC-KEM construction is applied step-wise as follows:
1) A random session key is encapsulated by a signcryption key encapsulation algorithm.
2) The data is encrypted under that session key using a symmetric encryption algorithm.
3) Finally, both the encapsulated session key and the ciphertext are transmitted over the insecure channel.
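The three SC-KEM steps above, carried end to end as an added example (this is not the paper's code, nor Dent's, and it does not reproduce the HECC construction). The stand-ins are assumptions: the group is Z_p^* with the toy prime p = 2^127 - 1 and generator G = 3; the signcryption KEM is ephemeral Diffie-Hellman key material plus a Schnorr signature by the sender over the ephemeral value, so the receiver can authenticate who encapsulated the key; the symmetric algorithm is a SHA-256 counter keystream with an HMAC-SHA256 tag (encrypt-then-MAC). All function names and parameters are invented for the illustration, and the parameters are far too small for real use.

```python
"""Added example: the SC-KEM flow (encapsulate, symmetric-encrypt, transmit)
with standard-library stand-ins for the KEM and the symmetric cipher."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # constructed toy modulus (a Mersenne prime)
G = 3                # constructed toy generator
N = P - 1            # exponent modulus: g^N = 1 for every g in Z_p^*


def rand_scalar() -> int:
    return secrets.randbelow(N - 1) + 1


def i2b(v: int) -> bytes:
    """Fixed 16-byte encoding of a group element (all elements are < 2^127)."""
    return v.to_bytes(16, "big")


def h_int(*parts: bytes) -> int:
    """Hash-to-scalar used as the Fiat-Shamir challenge of the signature."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % N


def kdf(material: bytes, label: bytes) -> bytes:
    """Single-step key derivation: SHA-256(material || label)."""
    return hashlib.sha256(material + label).digest()


def keygen():
    """Long-term key pair (x, G^x) for a sender or a recipient."""
    x = rand_scalar()
    return x, pow(G, x, P)


def sc_encapsulate(sk_sender: int, pk_recipient: int):
    """Step 1: fresh session key K plus an encapsulation signed by the sender."""
    r = rand_scalar()
    R = pow(G, r, P)                                    # ephemeral value sent to the receiver
    K = kdf(i2b(pow(pk_recipient, r, P)), b"session")   # only the recipient can recompute this
    k = rand_scalar()                                   # Schnorr signature over R: e = H(R, A), s = k + e*sk
    A = pow(G, k, P)
    e = h_int(i2b(R), i2b(A))
    s = (k + e * sk_sender) % N
    return K, (R, e, s)


def sc_decapsulate(sk_recipient: int, pk_sender: int, encap):
    """Receiver side of step 1: verify the sender's signature, then recover K."""
    R, e, s = encap
    A = pow(G, s, P) * pow(pk_sender, N - e, P) % P      # G^s * pk_sender^(-e)
    if h_int(i2b(R), i2b(A)) != e:
        return None                                     # not from the claimed sender: reject
    return kdf(i2b(pow(R, sk_recipient, P)), b"session")


def _keystream(k_enc: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(k_enc + i.to_bytes(4, "big")).digest() for i in range(blocks))[:length]


def dem_encrypt(K: bytes, aad: bytes, plaintext: bytes):
    """Step 2: symmetric encryption under K; aad binds the encapsulation to the ciphertext."""
    k_enc, k_mac = kdf(K, b"enc"), kdf(K, b"mac")
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, len(plaintext))))
    tag = hmac.new(k_mac, aad + ct, hashlib.sha256).digest()
    return ct, tag


def dem_decrypt(K: bytes, aad: bytes, ct: bytes, tag: bytes):
    k_enc, k_mac = kdf(K, b"enc"), kdf(K, b"mac")
    expected = hmac.new(k_mac, aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                                     # modified in transit: reject
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, len(ct))))


def signcrypt(sk_sender: int, pk_recipient: int, message: bytes):
    """Steps 1-3 on the sender; the returned tuple is what crosses the insecure channel."""
    K, encap = sc_encapsulate(sk_sender, pk_recipient)
    ct, tag = dem_encrypt(K, i2b(encap[0]), message)
    return encap, ct, tag


def unsigncrypt(sk_recipient: int, pk_sender: int, bundle):
    """Receiver: decapsulate (authenticating the sender), then verify the tag and decrypt."""
    encap, ct, tag = bundle
    K = sc_decapsulate(sk_recipient, pk_sender, encap)
    if K is None:
        return None
    return dem_decrypt(K, i2b(encap[0]), ct, tag)
```

The receiver checks two things before releasing any plaintext: the signature over the encapsulation (which sender produced it) and the tag over the ciphertext (whether the bulk data was altered). A bundle that fails either check yields None, so a modified ciphertext, a forged encapsulation, or a bundle decrypted with the wrong keys never produces partial plaintext.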
In public key cryptosystems, two basic approaches, Public Key Infrastructure (PKI) and Identity-Based Cryptography (IBC), are used to authenticate public keys. In the PKI environment, maintaining a trustworthy, unforgeable link between the identity of a participant and its public key is an essential prerequisite [7]. This further stipulates the need for a Certificate Authority (CA) that assigns the link a unique signature [8]. The CA binds the public key to the identity of a participant with a certificate. Some of the shortcomings typical of the PKI approach are certificate distribution, storage and manufacturing difficulties [9]. On the other hand, an identity-based cryptosystem [10] is used to reduce the cost of public key management; however, it suffers from the private key escrow problem [11], [12] because the trusted third-party Private Key Generator (PKG) has firsthand knowledge of the participants' private keys. In 2003, Al-Riyami and Paterson [13] proposed the certificateless cryptosystem to address the key escrow problem. In a certificateless cryptosystem a participant's private key is composed of two parts: the partial private key and a secret value. The partial private key is generated by the trusted third-party Key Generation Center (KGC), while the secret value is selected by the participant. Similarly, a participant's public key is also based on two parts, i.e. the participant's identity information and the public key corresponding to the secret value. Since the public key does not require a certificate, the cost of public key management is significantly reduced. Furthermore, the KGC does not have any firsthand knowledge of the participant's secret value; therefore, the scheme does not suffer from the key escrow problem.
The first certificateless signcryption scheme was proposed by Barbosa and Farshim [14]. The scheme incorporates the salient features of certificateless encryption as well as digital signature in a simultaneous manner. Lippold et al. [15] proposed a direct construction for Certificateless Key Encapsulation (CL-KEM) that makes use of a certificateless public key encryption scheme in a pattern similar to that of a KEM. Li et al. [16] proposed the Certificateless Signcryption Tag-KEM (CLSC-TKEM) scheme, which combines the ideas of SC-TKEM and CL-PKC. The primary advantage of CLSC-TKEM is the elimination of the costs incurred by certificate management and the key escrow problem. CLSC-TKEM also upholds the benefits offered by SC-TKEM. In CLSC-TKEM, the cryptographic operations, such as key encapsulation based on CL-PKC, can be performed only when an authentic user possesses the partial private key and the secret value. Moreover, the special structure of CL-PKC allows a user to perform the key decapsulation operation of CLSC-TKEM without verifying the sender's public key via a public key certificate. CLSC-TKEM is, thus, an efficient scheme since the key encapsulation and digital signature functions are supported without the need for a certificate management infrastructure.
Normally, the security and efficiency of the aforementioned signcryption schemes are based on computationally hard problems, e.g., Rivest-Shamir-Adleman (RSA) cryptography, bilinear pairing and elliptic curve cryptosystems. RSA cryptography [17], [18] is based on the large-integer factorization problem and utilizes a 1024-bit long key, parameter, certificate and identity [19]. This is not suitable for resource-constrained networks, or FANET in this case, due to the lack of on-board processing resources on small UAVs. Furthermore, bilinear pairing is 14.31 times worse than RSA [20] due to its huge pairing and map-to-point function computations. In order to counter the deficiencies of RSA and bilinear pairing, a new type of cryptography called elliptic curve cryptography was introduced [21]. In elliptic curve cryptography, the prominent characteristics such as parameter, public key, private key, identity and certificate are of smaller size.
Moreover, the security hardness and efficiency of the scheme are based on small 160-bit keys, as opposed to bilinear pairing and RSA [22]. Even so, a 160-bit key is not suitable or affordable for resource-constrained devices. Thus, a new type, the generalization of the elliptic curve called the hyperelliptic curve, was proposed [23]. The hyperelliptic curve offers the same security as the elliptic curve, bilinear pairing and RSA while using an 80-bit key, identity and certificate size [24], [25]. The hyperelliptic curve is therefore deemed a better choice for energy-constrained devices.

A. AUTHOR'S MOTIVATIONS AND CONTRIBUTIONS
A comprehensive literature review of the existing key-encapsulated certificateless signcryption schemes was carried out. The schemes incur high computational and communication costs since they are based on hard problems such as those of the elliptic curve; therefore, small devices that have limited computational power cannot handle them. Secondly, such schemes are not tested using AVISPA, Scyther or other security validation tools. This restriction, for effective resolution, demands a solution that is characterized by low computational cost. The state-of-the-art key-encapsulated certificateless schemes need to be harnessed to come forth with cryptographic solutions that pose no threat to the battery lifetimes of resource-constrained UAVs.
Motivated by these observations, a new scheme, named the Certificateless Key-Encapsulated Signcryption (CL-KESC) scheme, is proposed for FANET. The scheme utilizes the concept of the hyperelliptic curve and is characterized by a smaller key size. Moreover, it offers, without compromise, the security features promised by the elliptic curve model.
The research work undertaken is distinguished by the following attributes:
• A secure and efficient scheme, namely the Certificateless Key-Encapsulated Signcryption (CL-KESC) scheme, is proposed for a FANET environment.
• The CL-KESC scheme makes use of the hyperelliptic curve and addresses the limitations posed by resource-constrained elements.
• The proposed scheme is shown to be resistant against various attacks through informal security analysis as well as through formal security verification using the AVISPA tool [43].
• The proposed scheme is also compared with major existing counterparts and it is shown that our approach provides better efficiency in terms of computational cost as well as communication cost.

B. STRUCTURE OF THE PAPER
The rest of the paper is organized as follows. Section II discusses the related work. An overview of the underlying concepts and related definitions is provided in section III. The provable security model for the proposed Certificateless Key-Encapsulated Signcryption (CL-KESC) scheme is presented in section IV, and the proposed CL-KESC scheme itself in section V. Formal, provable and informal security analyses are carried out in section VI. Section VII compares the work with existing solutions and presents a comparative analysis. In section VIII, we provide an application scenario for the proposed scheme. Finally, section IX contains a critical reflection and the concluding thoughts.

II. RELATED WORK
The topic of security and privacy issues related to FANET has not, so far, received ample attention in the scientific literature. Therefore, the issues need to be investigated thoroughly. The primary security mechanisms for FANET emphasize the authenticity, confidentiality and integrity of the data by following the principles of cryptography. A well-designed data protection mechanism can significantly reduce the probability of the data getting compromised, irrespective of the malicious technique involved. In the literature, we have come across some studies dedicated to investigating data protection issues for UAV networks. A certificate-based encryption communication scheme for an MBN-UAV network is proposed by Kong et al. [26]. The scheme uses a negotiated session key in order to support and authenticate the identity of end devices. Only then is the message, encrypted with a symmetric key, transmitted. However, as a drawback, since the scheme only supports secure end-to-end communication, it fails to support the broadcast of encrypted messages. Therefore, in order to establish multiple individual session keys, the involved devices are required to dedicate ample computational resources.
In the secure communication scheme proposed by He et al. [27], the requirement of an online centralized authority is waived. The UAVs themselves manage the area, and authorized devices can obtain a broadcast key. The scheme employs hierarchical identity-based broadcast encryption and a pseudonym mechanism in which the devices can anonymously broadcast encrypted messages and decrypt legitimate ciphertexts. The authors argue that the scheme satisfactorily addresses four important security concerns: confidentiality, authentication, partial privacy-preservation and resistance to Denial of Service (DoS) attacks. However, it inherits a limitation in the registration phase. That is, the concern of finding a hash value's preimage still persists.
Won et al. [28], [29] proposed a suite of cryptographic protocols for drones and smart objects. The protocols deal with three communication scenarios, viz., one-to-one, one-to-many and many-to-one. In the first scenario, i.e. 'one-to-one', an efficient certificateless signcryption tag key encapsulation mechanism supports authenticated key agreement in addition to providing non-repudiation and user revocation. The 'one-to-many' scenario involves a certificateless multi-recipient encryption scheme, which allows a UAV to transmit privacy-sensitive data to multiple smart objects. Lastly, UAVs are able to collect data from multiple smart objects in the 'many-to-one' communication scenario. The protocol, however, finds it difficult to transmit a multitude of encrypted messages while, at the same time, assuring the privacy of end devices. Such novel cryptographic mechanisms are efficient and secure. However, they are supposed to be used in group communication where nodes have equal computational capability.
Semal et al. [30] proposed a Certificateless Group Authenticated Key Agreement (CL-GAKA) scheme to address the topic of secure communication between untrusting parties. The scheme is claimed to provide data integrity, confidentiality and authenticity for an environment in which UAVs communicate with each other. The solution is, however, limited to cases where the number of UAVs remains unchanged and there is little probability of new entrants or leavers. Besides, the work also fails to address the problem of misbehavior by authenticated elements.
A novel approach to mitigate the broadcast storm problem during the dissemination of interest packets is proposed by Barka et al. [31]. The approach is based on a trust-aware monitoring communication architecture for flying named data networking. It makes use of inter-UAV communication trust for checking data authenticity on a particular UAV without disturbing the desired level of security. However, data privacy and caching policies are not taken into consideration in the proposed scheme.
To resist the physical capture of drones with minimum exposure of confidential data, Bae and Kim [32] proposed a saveless-based key management and delegation system for a multi-drone system. Nevertheless, the proposed scheme is not compatible with devices having limited on-board energy, such as UAVs, because the process of key renewal suffers significantly from the scarce available energy.
Seo et al. [33] proposed a pairing-free approach for the drone-based surveillance applications. The approach suffers from the problem of user revocation when a physical attack occurs. Therefore, the intruder(s) can access the current as well as the future information of the drones.
In order to overcome the problem of forward secrecy in drones, Liu et al. [34] proposed two construction schemes. The schemes are shown to achieve better performance. However, this approach is based on the elliptic curve and, therefore, suffers from high computational costs. Moreover, the proposed scheme is not validated through formal security analysis.
Zhou et al. [20] proposed a certificateless key-insulated generalized signcryption scheme without bilinear pairings to resolve the issue of private key exposure. The simulation results report the efficiency of the proposed scheme, which, being based on cloud systems, is considered more suitable for user communication. However, this scheme is also based on the concept of the elliptic curve, which is computationally very expensive for small UAVs. Besides, the scheme is not validated through AVISPA, Scyther or any other formal security verification tool.
In 2018, Reddy et al. [35], with the aim of improving computational performance and communication efficiency, presented a pairing-free key-insulated signature scheme in an identity-based setting. Later, in 2019, Xiong et al. [36] also proposed a pairing-free, provably secure Certificateless Parallel Key-Insulated Signature (CL-PKIS) scheme for securing communication in an Industrial Internet of Things (IIoT) environment. However, these approaches are also based on the concept of the elliptic curve and, therefore, suffer from high computational cost. Moreover, the proposed schemes are not validated through formal security analysis.

III. PRELIMINARIES
In this section, a brief introduction to some major basic foundational concepts, along with the formal definitions, is presented.

A. HYPER ELLIPTIC CURVE CRYPTOSYSTEMS (HECC)
Hyperelliptic curves are a special class of algebraic curves that can be viewed as generalizations of Elliptic Curve Cryptosystems (ECC) [37]. A hyperelliptic curve [38] is a curve whose genus is greater than 1, as shown in Fig. 1. A curve with genus 1 is commonly known as an elliptic curve. The variable g is the genus of the curve over F_q, the finite field of order q. For a group of order about 2^160, a genus-one curve needs a field F_q with |F_q|^g ≈ 2^160, i.e. g · log_2 q ≈ 160; for a curve with genus two, a field F_q with |F_q| ≈ 2^80 suffices. Similarly, for curves with genus three, 54-bit long operands are needed [39]. Let F be a finite field, and let F̄ be the algebraic closure of F. A hyperelliptic curve C of genus g > 1 over F is the set of solutions (x, y) ∈ F × F to the equation of the curve C. Such a curve is said to be non-singular if there is no pair (x, y) ∈ F̄ × F̄ that simultaneously satisfies the equation of the curve C and the following partial differential equations: 2y + h(x) = 0 and h'(x)y − f'(x) = 0. The polynomial h(x) ∈ F[u] is of degree g and f(x) ∈ F[u] is a monic polynomial of degree 2g + 1. For odd characteristic it suffices to let h(x) = 0 and to take f(x) square-free.
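The non-singularity condition stated above can be checked mechanically in the odd-characteristic case. The added example below (not the paper's code) assumes the usual form y^2 + h(x)y = f(x), whose partial derivatives are exactly the two equations given in the text; with h = 0 and p odd those reduce to 2y = 0 and f'(x) = 0, so a singular point is precisely a repeated root of f in the algebraic closure, which is detected by a non-constant gcd(f, f') over F_p. It also encodes the field-size rule of thumb quoted above (|F_q|^g ≈ 2^160). Polynomials are coefficient lists over F_p, lowest degree first; the field p = 11 and the sample polynomials are constructed for the illustration, not parameters of the paper.

```python
"""Added example: square-freeness of f(x) over F_p via polynomial gcd, the genus
of a non-singular curve y^2 = f(x) with f monic of degree 2g+1, and the
operand size that gives a ~2^160 Jacobian for a given genus."""
from math import ceil


def trim(a):
    """Drop leading zero coefficients (highest degree is the last entry)."""
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a


def poly_mod(a, b, p):
    """Remainder of a divided by b in F_p[x]; b must be non-zero, p prime."""
    a, b = trim(a), trim(b)
    inv_lead = pow(b[-1], p - 2, p)          # inverse of b's leading coefficient (Fermat)
    while len(a) >= len(b):
        coef = a[-1] * inv_lead % p
        shift = len(a) - len(b)
        for i, bc in enumerate(b):
            a[shift + i] = (a[shift + i] - coef * bc) % p
        a = trim(a)
    return a


def poly_gcd(a, b, p):
    """Monic gcd via the Euclidean algorithm in F_p[x]."""
    a, b = trim(a), trim(b)
    while b:
        a, b = b, poly_mod(a, b, p)
    inv = pow(a[-1], p - 2, p)
    return [c * inv % p for c in a]


def poly_derivative(f, p):
    return trim([(i * c) % p for i, c in enumerate(f)][1:])


def is_square_free(f, p):
    """True iff f has no repeated factor over the algebraic closure of F_p."""
    return len(poly_gcd(f, poly_derivative(f, p), p)) == 1


def genus_if_nonsingular(f, p):
    """Genus g of y^2 = f(x) over F_p (p odd, f monic of degree 2g+1); None if singular."""
    f = trim(f)
    deg = len(f) - 1
    if p % 2 == 0 or deg % 2 == 0 or f[-1] != 1:
        raise ValueError("need odd p and a monic f of odd degree")
    if not is_square_free(f, p):
        return None                           # a repeated root makes the curve singular
    return (deg - 1) // 2


def field_bits_for(genus, group_bits=160):
    """Operand size so that |F_q|^g is about 2^group_bits (the text's 160/80/54-bit figures)."""
    return ceil(group_bits / genus)


if __name__ == "__main__":
    # constructed toy inputs over F_11
    print(genus_if_nonsingular([1, 3, 0, 0, 0, 1], 11))   # x^5 + 3x + 1: genus 2
    print(genus_if_nonsingular([1, 9, 1, 1, 9, 1], 11))   # (x-1)^2 (x^3+1): singular
```

The Euclidean gcd works in F_p[x] rather than by searching for roots, so it also catches a repeated irreducible factor of higher degree, which has no F_p-rational root but still makes the curve singular over the closure.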

B. COMPLEXITY ASSUMPTIONS
While conducting the analysis, we have made the following assumptions:
• F_q is a finite field of order q, where q ≈ 2^80.
• D is a divisor of the hyperelliptic curve (HEC), which is a finite sum of points as:

1) SETUP
The Key Generation Center (KGC) runs this algorithm. It takes a security parameter d as input and generates a master secret key w, a master public key u and a set of public parameters (D, H_a, H_b, H_c, |F_q| ≈ 2^80, F, F̄, C, g). The master secret key w is kept secret; whereas the set of public parameters and the master public key u are made publicly available by the KGC.

2) CONTESTANT SECRET VALUE GENERATION (CSVG)
This algorithm is run by each contestant. It takes the public parameters (D, H_a, H_b, |F_q| ≈ 2^80, F, F̄, C, g) and the contestant's identity ID_C as inputs in order to select the secret value α_C.

3) PARTIAL PRIVATE KEY GENERATION (PPKG)
The KGC generates a partial private key pair (β_C, γ_C) for each contestant from the following inputs: the identity ID_C of the contestant and the set of public parameters. The partial private key pair is then transmitted to the contestant over an unsafe network.

4) CONTESTANT FULL KEY GENERATION (CFKG)
This algorithm is also run by each contestant. It takes a partial private key pair (β_C, γ_C), the secret value α_C, the set of public parameters and the identity ID_C of the contestant. Then, the CFKG algorithm produces the full private key pair (Υ_C, α_C) and public key pair (β_C, δ_C).

5) SYMMETRIC KEY GENERATION
This algorithm is run by the sender to obtain a symmetric key K and internal state information that is not known to the receiver. It takes a de-encapsulation identity ID_rp, the set of public parameters and a de-encapsulation public key δ_dn as inputs.

6) CERTIFICATELESS ENCAPSULATION (CLEN)
This algorithm is executed by the sender and takes the following information as inputs: the sender and recipient identities (ID_en, ID_dn); the set of public parameters; the recipient public key δ_dn; a fresh nonce Non; an arbitrary tag t; the sender private key pair (Υ_en, α_en); and the secret key K. As an outcome, it produces the encapsulated tuple ψ = (C, r, S, ) for the recipient.

7) CERTIFICATELESS DE-ENCAPSULATION (CLDEN)
This algorithm is executed by the receiver and takes the following information as inputs: the encapsulated tuple ψ = (C, r, S, ); the sender and recipient identities (ID_en, ID_dn); the set of public parameters; the encapsulation public key δ_en; a fresh nonce Non; the de-encapsulation private key pair (Υ_dn, α_dn) and public key δ_dn. Then, it performs the de-encapsulation and verification process.

IV. PROVABLE SECURITY MODEL FOR CL-KESC SCHEME
The two types of adversaries are classified as Type 1, represented as TA_1, and Type 2, represented as TA_2. The adversary TA_1 can maliciously replace the public key of a contestant. However, it has no access to the master secret key. TA_2 can act otherwise: it can access the master key and generate the partial private key, but it cannot replace the public key. The adversary's queries and the subsequent responses are classified into the following seven oracles:

A. CREATE-CONTESTENT-ORACLE
This oracle takes the contestant ID as input. The input is then checked in the list. If it is already available in the list, the PK_C of the corresponding ID is retrieved. In case of its unavailability, the corresponding values are assigned as follows: public key PK_C = (β_C, δ_C); private key PR_C = (Υ_C, α_C). Further, the set (PK_C, PR_C) is appended to the list and the value of PK_C is returned.

B. REVEAL-CONTESTENT-PARTIAL-PRIVATE-KEY-ORACLE
In this case, the user ID is searched in the list. If the ID is available, the value of γ_C is retrieved. Else, the null symbol ⊥ is returned.

C. REVEAL-CONTESTENT-SECRETE-VALUE-ORACLE
Here, the user ID is searched in the list. If it is available, the variable α_C is retrieved. Else, the null symbol ⊥ is returned.

D. REPLACE-PUBLIC-KEY-ORACLE
This oracle selects a random number instead of the contestant public key. After receiving the target ID, it replaces the contestant's public key in the list with such a randomly selected number.

E. SYMMETRIC-KEY-GENERATION AND ENCAPSULATION-ORACLE
This oracle is used to obtain the following information:
a.) Symmetric key K, ψ
b.) Internal state information that is not known to the receiver
c.) Sender and recipient identities (ID_en, ID_dn)
d.) A set of public parameters
e.) Recipient public key δ_dn
f.) A fresh nonce Non
g.) Arbitrary tag t
h.) Sender private key PR_en
i.) Secret key K
As an outcome, it produces the encapsulated text K and ψ.

F. CERTIFICATELESS DE-ENCAPSULATION-ORACLE
This oracle takes the following information as inputs: the encapsulated tuple ψ; the sender and recipient identities (ID_en, ID_dn); the set of public parameters; the encapsulation public key δ_en; a fresh nonce Non; the de-encapsulation private key PR_dn; and the public key δ_dn. Then, it performs the de-encapsulation and verification process.

1) SECURITY NOTIONS
This subsection discusses two main security requirements: confidentiality and unforgeability.
Game 1: This game is played for the purpose of upholding confidentiality and is based on ciphertext indistinguishability under adaptive chosen-ciphertext attack (against TA_1).
Initialization: Given the security parameter k, the setup step is run by the challenger to produce the master secret key, the master public key and the set of public parameters. The master secret key is kept secret; whereas the set that includes the public parameters and the master public key is made publicly available.
Phase I: TA_1 can query the aforementioned seven oracles adaptively.
Challenge: In this phase, TA_1 submits the sender and recipient identities (ID_en, ID_dn), along with two different messages M_0 and M_1 of the same size. Then, the challenger picks a random bit ∂ ∈ {0, 1} and applies the Certificateless Key Encapsulation algorithm to M_∂ to produce a Certificateless Key Encapsulation text ψ* for TA_1.
Phase II: Just as in Phase I, TA_1 queries the same oracles adaptively, except the Reveal-Contestent-Partial-Private-Key-Oracle and the Reveal-Contestent-Secrete-Value-Oracle. It is further barred from querying the Certificateless De-encapsulation-Oracle with (ψ*, ID_en, ID_dn) unless the public key of ID_en or ID_dn has been altered.
Output: Finally, TA_1 outputs M_∂′ as its answer for the Certificateless Key Encapsulation text ψ*. If ∂′ = ∂ then TA_1 wins game 1.
Game 2: This game is played for the purpose of maintaining confidentiality and is based on ciphertext indistinguishability under adaptive chosen-ciphertext attack against TA_2.
Initialization: Given the security parameter k, the setup step is run to produce the master secret key, the master public key and the set of public parameters. The master secret key is kept secret; whereas the set that contains the public parameters and the master public key is made publicly available.
Phase I: TA_2 can query the aforementioned seven oracles adaptively.
Challenge: In this phase, TA_2 transmits the sender and recipient identities (ID_en, ID_dn), along with two different messages M_0 and M_1 of the same size. Then, the challenger picks a random bit ∂ ∈ {0, 1} and applies the Certificateless Key Encapsulation algorithm to M_∂ to produce a Certificateless Key Encapsulation text ψ* for TA_2.
Phase II: Just as in Phase I, TA_2 queries the same oracles adaptively, excluding the Certificateless De-encapsulation-Oracle as in the earlier case.
Output: Finally, TA_2 outputs M_∂′ as its answer for the Certificateless Key Encapsulation text ψ*. If ∂′ = ∂ then TA_2 wins game 2.

2) UNFORGEABILITY
Definition 2: A Certificateless Key Encapsulation scheme is secure under EUF-CMA (existential unforgeability under chosen-message attack) if no intruder can win games 3 and 4 in polynomial time.
Game 3: This game is played for testing the property of unforgeability and is based on EUF-CMA.
Initialization: Given the security parameter k, the setup step is run to produce the master secret key, the master public key and the set of public parameters. The master secret key is kept secret; whereas the set of public parameters and the master public key are made publicly available.
Forgery: At the end, TF_1 computes ψ* for m, ID*_en, ID*_dn utilizing the Certificateless Encapsulation-Oracle. If ψ* is genuine then TF_1 succeeds in game 3. However, TF_1 is restricted from issuing the Reveal-Contestent-Partial-Private-Key-Oracle and Reveal-Contestent-Secrete-Value-Oracle queries.
Game 4: This game is played for demonstrating the unforgeability property and is based on EUF-CMA.
Initialization: Given the security parameter k, the setup step is run to produce the master secret key, the master public key and the set of public parameters. The challenger sends TF_2 the public parameters and the master public key, along with the master secret key.

Forgery: In the end, TF_2 computes ψ* for m, ID*_en and ID*_dn utilizing the Certificateless Encapsulation-Oracle. If ψ* is genuine then TF_2 wins game 4. However, here, TF_2 must not have queried the Reveal-Contestent-Secrete-Value-Oracle throughout game 4.

V. PROPOSED CERTIFICATELESS KEY-ENCAPSULATION SIGNCRYPTION SCHEME
A. NETWORK MODEL
An attempt to deploy the proposed scheme must be preceded by due consideration of the following assumptions:
1) Each of the UAVs and the GS are connected via Wi-Fi-based ad-hoc networks.
2) The GS assumes the role of administrator and commands the course of the UAVs.
3) The UAVs adopt the flight path while flying and execute the command(s) issued by the GS.
4) The UAVs are located in the proximity of the GS before the flight; therefore, the initial key generation and distribution are secure.
Depending on the application, a FANET can be deployed in different settings. The UAVs can then be equipped with all the necessary gadgets such as cameras, IMU, sensors, GPS unit and data storage devices, including on-board processing units, a flight controller and short-range radio transceivers (i.e. Wi-Fi). The backbone UAV is mounted with dual-band Wi-Fi, i.e. 802.11b and 802.11n, operating on the 2.4 GHz and 5 GHz frequencies respectively. There are cogent reasons for choosing these technology standards. For instance, they operate in the unlicensed spectrum and they offer a reasonable data rate and coverage along with no strict LOS requirement. In addition, they can be easily integrated with small-sized UAVs. Furthermore, 802.11n is best suited for the air-to-air link, whereas 802.11b is suitable for the air-to-ground link [3]. The GS is connected with the backbone UAV via IEEE 802.11b (Wi-Fi), whereas the member UAVs are connected with each other and with the backbone UAV through 802.11n, thus paving the way for an ad-hoc network architecture [41] as shown in Fig. 2.
As depicted in Fig. 3, our main system components are the UAV, the KGC and the GS. UAVs are the main communicating entities in the FANET system. To identify a target, multiple small UAVs are integrated as a team to collect sensing data using specialized on-board sensors. The Key Generation Center (KGC) is responsible for generating all the public parameters, the partial private keys and the master secret key, and for public key authentication. The users are likely required to share the data collected by multiple UAVs to obtain the information required to locate and contain the source. In the scheme, access control can only be exercised by the KGC (i.e., acting as a trusted party). The GS is the administrator that issues various commands and sets the course of the UAVs.

B. THREAT MODEL
The widely recognized Dolev-Yao (DY) threat model [42] is used in the proposed scheme. According to the DY model, an insecure public channel (open channel) is used for communication between any two parties; and the end-point entities have an untrustworthy nature. Therefore, the system is prone to eavesdropping of exchanged messages and deletion/modification attempts by the attacker. Besides, since the UAVs may roam around in unattended hostile areas, there does exist the probability of them getting physically captured. This may lead to leakage of precious data from the UAV's memory. The KGC, on the other hand, is a fully trusted entity.

C. CONSTRUCTION OF CERTIFICATELESS KEY-ENCAPSULATION SIGNCRYPTION SCHEME
Eight algorithms are considered for constructing the proposed scheme [55]. Each of them is explained as follows:
Step 2: The KGC calculates a master public key u using the relation u = w · D and selects the set of public parameters (D, H_a, H_b, |F_q| ≈ 2^80, F, F, C, g).
Step 3: The KGC keeps the master secret key w and publishes the set of public parameters (D, H_a, H_b, H_c, |F_q| ≈ 2^80, F, F, C, g) and the master public key u.

3) CONTESTANT PARTIAL PRIVATE KEY GENERATION (CPPKG)
Given each contestant's identity ID_C and the set of public parameters (D, H_a, H_b, |F_q| ≈ 2^80, F, F, C, g), the KGC proceeds as follows:
a. It selects a random number Υ_C from the set {1, 2, 3, ..., q−1}.
b. It computes β_C and γ_C using the following equations:
c. It finally transmits the pair (β_C, γ_C) to each contestant with identity ID_C through a secure channel.
d. Each contestant with identity ID_C accepts the pair (β_C, γ_C) on the condition that γ_C · D = β_C + H_a(ID_C β_C δ_C) · u.

4) CONTESTANT FULL PRIVATE KEY GENERATION (CFPKG)
The CFPKG algorithm is also run by each of the contestants. It takes a contestant's partial private key pair (β_C, γ_C), secret value α_C and identity ID_C. As an outcome, the private key pair PR_C = (γ_C, α_C) is produced.

5) CONTESTANT FULL PUBLIC KEY GENERATION (CFPBKG)
The CFPBKG algorithm is also run by each of the contestants. It takes a contestant's partial private key pair (β_C, γ_C), public value δ_C, and identity ID_C. As an outcome, the full public key PK_C = (β_C, δ_C) is produced.
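The certificateless key flow in steps 3) to 5) above (KGC issues a partial private key, the contestant checks it against the master public key, then forms PR_C and PK_C) can be exercised end to end in a toy group. The following is an added example, not code from the paper; it replaces hyperelliptic divisor arithmetic with a small prime-order subgroup of Z_P^* (so "x · D" is modular exponentiation and "+" is modular multiplication), and, since the equations for β_C and γ_C are not shown at step b above, it uses the shape that the paper's own security proof assigns them (β = x · D, γ = x + w · H_a(ID β δ)). The group parameters, identities and hash encoding are constructed assumptions with no security value; they only make the acceptance condition γ_C · D = β_C + H_a(ID_C β_C δ_C) · u checkable.

```python
import hashlib
import secrets

# Constructed toy group (assumption, not the paper's HECC parameters):
# the order-Q subgroup of Z_P^* with P = 2Q + 1. Divisor multiplication
# "x . D" becomes pow(D, x, P); divisor addition "A + B" becomes (A * B) % P.
Q = 1019            # prime order of the subgroup (plays the role of q)
P = 2 * Q + 1       # 2039, also prime
D = 4               # generator of the order-Q subgroup (plays the role of D)


def smul(x, point):
    """Scalar multiplication x . point in the toy group."""
    return pow(point, x % Q, P)


def gadd(a, b):
    """Group addition a + b in the toy group."""
    return (a * b) % P


def h_a(id_c, beta, delta):
    """Hash H_a over (ID_C beta_C delta_C), reduced into Z_q (encoding is an assumption)."""
    data = f"{id_c}|{beta}|{delta}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def kgc_setup(w=None):
    """Setup at the KGC: master secret key w, master public key u = w . D."""
    w = secrets.randbelow(Q - 1) + 1 if w is None else w
    return w, smul(w, D)


def contestant_secret(alpha=None):
    """Contestant's secret value alpha_C and public value delta_C = alpha_C . D."""
    alpha = secrets.randbelow(Q - 1) + 1 if alpha is None else alpha
    return alpha, smul(alpha, D)


def cppkg(w, id_c, delta, upsilon=None):
    """CPPKG at the KGC: partial private key pair (beta_C, gamma_C) with
    beta_C = Upsilon_C . D and gamma_C = Upsilon_C + H_a(ID_C beta_C delta_C) . w,
    the form the paper's proof uses (beta = x . D, gamma = x + w . e)."""
    upsilon = secrets.randbelow(Q - 1) + 1 if upsilon is None else upsilon
    beta = smul(upsilon, D)
    gamma = (upsilon + h_a(id_c, beta, delta) * w) % Q
    return beta, gamma


def verify_partial_key(u, id_c, delta, beta, gamma):
    """Contestant-side acceptance check of step d:
    gamma_C . D == beta_C + H_a(ID_C beta_C delta_C) . u."""
    lhs = smul(gamma, D)
    rhs = gadd(beta, smul(h_a(id_c, beta, delta), u))
    return lhs == rhs


def full_keys(beta, gamma, alpha, delta):
    """CFPKG and CFPBKG: PR_C = (gamma_C, alpha_C), PK_C = (beta_C, delta_C).
    The KGC never learns alpha_C, which is what removes key escrow."""
    return (gamma, alpha), (beta, delta)


if __name__ == "__main__":
    w, u = kgc_setup()
    alpha, delta = contestant_secret()
    beta, gamma = cppkg(w, "UAV-01", delta)          # constructed identity
    print("partial key accepted:", verify_partial_key(u, "UAV-01", delta, beta, gamma))
    print("tampered key accepted:", verify_partial_key(u, "UAV-01", delta, beta, gamma + 1))
    print("PR_C, PK_C =", full_keys(beta, gamma, alpha, delta))
```

The check in verify_partial_key is the only place the contestant relies on the KGC's honesty, and it rejects any (β_C, γ_C) that was not formed under the published u; because δ_C is bound into the hash, the partial key is also tied to the contestant's own public value.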
Given the de-encapsulation identity ID_dn, public key δ_dn, the set of public parameters (D, H_a, H_b, |F_q| ≈ 2^80, F, F, C, g) and the master public key u, the sender proceeds as follows:
a. It picks a random number µ, where µ ∈ {1, 2, 3, ..., q−1}.
b. It calculates the value of using the relation: = µ · D
c. It computes R as follows: R = (µ · H_a(β_dn ID_dn δ_dn) · u + β_dn + δ_dn)
d. It computes F using the relation:
The algorithm considers the following information:
• Encapsulation and de-encapsulation identities (ID_en, ID_dn)
• The set of public parameters (D, H_a, H_b, H_c, |F_q| ≈ 2^80, F, F, C, g)
• De-encapsulation public key δ_dn
• A fresh nonce Non
• An arbitrary tag t
• Encapsulation private key pair (γ_en, α_en)
• The variables , R, and F
Then, as a next step, the algorithm proceeds as follows:
• It selects a shared secret key Sk for use with the Advanced Encryption Standard (AES)
• It sets m as m = (Sk m t Non ID_en)
• It computes C using the equation:
• Finally, it produces the encapsulated tuple ψ = (C, S, ) for the recipient.

8) CERTIFICATELESS DE-ENCAPSULATION (CLDEN)
The CLDEN algorithm takes the encapsulated tuple ψ = (C, S, ). Before accepting the tuple ψ = (C, S, ), it takes the following parameters as input in order to verify the signature and proceed with decrypting the cipher text:
• The set of public parameters (D, H_a, H_b, |F_q| ≈ 2^80, F, F, C, g)
• Encapsulation and de-encapsulation identities (ID_en, ID_dn)
• Encapsulation public key δ_en
• De-encapsulation private key pair (Υ_dn, α_dn)
• Public key δ_dn
Then, the algorithm performs the following tasks:
• It computes λ = α_dn ·
The de-encapsulator can recover the cipher text as:
Also, it can verify the signature as follows:

VI. SECURITY ANALYSIS
This section aims to justify the effectiveness of the proposed scheme in resisting well-known attacks.

A. FORMAL SECURITY ANALYSIS USING AVISPA
In this subsection, results produced from the simulation work using the AVISPA tool are presented [43]. This is primarily done to ascertain the potency of the proposed scheme against replay and man-in-the-middle attacks. AVISPA is a push-button tool for providing an expressive and modular The IF code works under two validation states: Safe, if the cryptographic scheme can resist the man-in-the-middle attack; and Unsafe, in case the IF code does not provide resistance against the man-in-the-middle attack. Formal security verification with this tool has been used in numerous studies to demonstrate the security of various authentication protocols against replay and man-in-the-middle attacks [48]-[53]. The basic architecture of the AVISPA tool is shown in Fig. 4. The proposed scheme has been implemented for CLEN and CLDEN in HLPSL, as illustrated in Tables 2 and 3. As with any security protocol to be analyzed in AVISPA, the roles for session, goal and environment have been implemented as shown in Tables 4 and 5. In order to gauge the probability of attacks on the proposed scheme, the widely-used OFMC and CL-AtSe backends are selected for the execution test. Since the other backends, SATMC and TA4SP, are not compatible with bitwise XOR operations, their simulation results are not included in our research work. It is essential to know whether the legitimate agents can execute the specified protocol or not; the back-ends perform check operations to ascertain that. Then, the information about a few normal sessions between legitimate agents is provided to the intruder. Secondly, the susceptibility of the system to the man-in-the-middle attack is also estimated by the back-ends. This is done to verify the Dolev-Yao (DY) model. The scheme is also simulated under the SPAN (Security Protocol Animator for AVISPA) web-tool, and the results are shown in Fig. 5 and Fig. 6 for OFMC and CL-AtSe respectively.
It is evident that the proposed scheme is far more secure against replay and man-in-the-middle attack.

B. PROVABLE SECURITY ANALYSIS
This section highlights the contributions of the proposed scheme [55] in upholding security, which include resistance to replay attack, confidentiality, forward secrecy, integrity and unforgeability. Each of these characteristics is briefly analyzed in the following subsections.

1) CONFIDENTIALITY
Theorem 1: The proposed CL-KESC scheme for FANET is secure against adaptively chosen ciphertext attacks if Lemmas A and B are proven true.
Lemma A: Suppose the type 1 adversary TA_1 has advantage ξ against the IND-CL-KESC-CCA2-I security of the proposed CL-KESC scheme for a Flying Ad-hoc Network (FANET), making Q_Hj queries to the oracles H_j (j = a, b, c), Q_CPPK contestant partial private key extraction queries, and Q_CFPKG contestant full private key generation queries.
Further, B also answers the H_j (a ≤ j ≤ c) queries asked by TA_1.
H_a queries: When TA_1 asks H_a for (ID_j β_j δ_j) for some j ∈ [a, Q_a], B checks for its availability in L_a. If it is already available in the tuple (ID_j β_j δ_j −υ_j), B returns −υ_j to TA_1; otherwise it randomly picks υ_j ∈ {1, 2, 3, ..., q−1} and returns −υ_j to TA_1. After this step, B includes (ID_j β_j δ_j −υ_j) in L_a.
H_b queries: Once TA_1 asks H_b for ( j R_j χ_j ID_j) for j ∈ [b, Q_b], B sets the tuple ( j R_j d · D) as input to the HECCDH oracle. If the answer of the HECCDH oracle is true, then B outputs R_j as the solution of d · p · D and stops. Otherwise B searches L_b; if ( j * χ_j ID_j η_j) is already available, it replaces R_j with the * symbol and returns η_j. Otherwise, B randomly picks η_j ∈ {0, 1}^q, sends it back to TA_1, and includes ( j R_j χ_j ID_j η_j) in L_b.

H c queries:
Upon receiving an H_c query for ( j R_j m_j ID_j δ_j/β_j) from TA_1 for some j ∈ [c, Q_c], B checks for the availability of ( j R_j m_j ID_j δ_j/β_j H_j) in L_c. If it is already available in L_c, B returns H_j. Otherwise, B randomly picks H_j from the set {1, 2, 3, ..., q−1} and sends it to TA_1. Additionally, B can answer the following queries requested by TA_1.

Phase I:
A. Create-Contestant-Oracle: Upon the request of TA_1, the secret value of the contestant with identity ID_j is requested. B returns α_j from L_κ. Here, the public key of contestant ID_j has not been replaced.
B. Reveal-Contestant-Partial-Private-Key-Oracle: When TA_1 asks for the partial private key of a contestant with identity ID_j, B checks for the answer. If ID_j = ID_σ, then the processing is aborted. Otherwise, B searches L_κ.
If (ID_j β_j δ_j α_j γ_j) exists, B outputs the partial private key γ_j to TA_1. Else, it computes γ_j by calling the Contestant Partial Private Key Generation algorithm, sends γ_j to TA_1 and includes (ID_j β_j δ_j α_j γ_j) in L_κ.
C. Reveal-Contestant-Private-Key-Oracle: When TA_1 asks for the private key of a contestant with identity ID_j, B checks whether ID_j = ID_σ. If so, the processing is aborted. Otherwise, B searches L_κ. If (ID_j β_j δ_j α_j γ_j) exists, B outputs the private key pair (α_j, γ_j) to TA_1. Otherwise, B picks υ_j, α_j, p_j ∈ {1, 2, 3, ..., q−1} and sets the variables as follows: These fulfil the equation γ_j · D = β_j + H_a(ID_j β_j δ_j) · u. At the end of this process, B sends the pair (α_j, γ_j) to TA_1. Moreover, it includes (ID_j β_j δ_j −υ_j) and (ID_j β_j δ_j α_j γ_j) in L_b and L_κ respectively.
D. Set-Contestant-Public-Key-Oracle: When TA_1 asks for the public key of a contestant with identity ID_j, B checks whether ID_j = ID_σ. If so, it aborts further processing. Otherwise, B searches L_κ. If (ID_j β_j δ_j α_j γ_j) exists, B outputs the public key pair (β_j, δ_j) to TA_1. Otherwise, B picks υ_j, α_j, p_j ∈ {1, 2, 3, ..., q−1} and sets the variables as follows: These fulfil the equation γ_j · D = β_j + H_a(ID_j β_j δ_j) · u. At the end of this process, B sends (β_j, δ_j) to TA_1 and includes (ID_j β_j δ_j −υ_j) and (ID_j β_j δ_j α_j γ_j) in L_b and L_κ respectively.
E. Public-Key-Replacement-Oracle: When TA_1 asks to replace the public key (β_j, δ_j) with (ID_j, β′_j, δ′_j), B prepares a tuple of the following form accordingly: (ID_j,

F. Symmetric-Key-Generation And Encapsulation-Oracle:
When TA_1 asks for ψ with the tuple (ID_en β_en δ_en, ID_dn β_dn δ_dn m), B checks whether ID_en ≠ ID_σ. If so, it calls the Contestant Full Private Key Generation algorithm to compute PR_en of ID_en; it then computes ψ by calling the Symmetric Key Generation algorithm and the Certificateless Encapsulation algorithm and sends ψ to TA_1. If ID_en = ID_σ and ID_dn = ID_σ, then B obtains PR_dn by calling Contestant Full Private Key Generation and performs the following computations:
G. De-Encapsulation-Oracle: When TA_1 submits (ID_en, ID_dn, ψ) to B, and ID_dn ≠ ID_σ, then B gets the private key of ID_dn and sends the result of the De-encapsulation algorithm to TA_1. Obviously, if the public key of ID_dn has been replaced, it is not possible for B to obtain the secret value of ID_dn; in this situation, B obtains the secret value of ID_dn from TA_1. Otherwise, B looks for ( R m ID_j δ_j/β_j || H_j) and ( R m ID_j δ_j/β_j || H′_j) in L_c. If both entries are available and the equation S · D = β_en + H_a(β_en ID_en δ_en) · u + δ_en · H_j + · H′_j holds, then it retrieves R. Further, if B finds a tuple ( R χ ID_dn η) in L_b and the HECCDH oracle returns a positive result, i.e. 1, on the query (d · D, , R), then the plaintext (message) is C ⊕ η.
Challenge: In this phase, TA_1 submits the sender and recipient identities (ID_en, ID_dn), along with two different messages M_0 and M_1 of the same length. However, in Phase I, TA_1 is restricted from calling Reveal-Contestant-Secret-Value-Oracle on ID*_dn; also, it cannot extract the partial private key of ID*_dn, and the public key has not been replaced. Here, if ID_dn ≠ ID_σ, then B stops the execution of the game. Otherwise, B produces the challenge signcrypted text through the following steps.
Analysis: Let Ξ_a, Ξ_b, and Ξ_c be the three events in which B stops the execution of the game.
a) Ξ_a is the event that TA_1 asks for the partial private key of ID_σ; the probability of Ξ_a is Q_CPPK / Q_Ha.
b) Ξ_b is the event that TA_1 asks for the private key of ID_σ; the probability of Ξ_b is Q_CFPKG / Q_Ha.
c) Ξ_c is the event that ID_σ has not been selected as the de-encapsulator by TA_1; the probability of Ξ_c is 1 − 1/(Q_Ha − Q_CPPK − Q_CFPKG).
Hence, the probability that B does not stop this game is ). B may pick the solution of the HECDLP problem from L_b with probability 1/Q_Hb. Thus, the advantage ξ of B is ADV_HECCDH
Lemma B: Suppose the type 2 adversary TA_2 has advantage ξ against the IND-CL-KESC-CCA2-II security of the proposed CL-KESC scheme for a flying ad-hoc network, making Q_Hj queries to the oracles H_j (j = a, b, c), Q_Csv contestant secret value extraction queries, and Q_CFPKG contestant full private key generation queries. Then there exists a probabilistic-time algorithm which solves the hyperelliptic curve discrete logarithm problem (HECDLP) with winning probability ξ. Then, it calculates a master public key u using the relation u = w · D and selects the set of public parameters. B sends the set of public parameters, the master public key u and the secret key w to TA_2.
B also maintains lists L_j (a ≤ j ≤ c) to keep the responses to the hash queries asked by TA_2 consistent, and a list L_κ of issued keys that is initially empty. B chooses σ such that 1 ≤ σ ≤ Q_Ha and takes the target identity as ID_σ. B randomly picks e_σ, x_σ ∈ {1, 2, 3, ..., q−1}, sets e_σ = H_a(ID_σ β_σ δ_σ), β_σ = x_σ · D, γ_σ = x_σ + w · e_σ, and δ_σ = d · D. Also, B includes (ID_σ β_σ δ_σ e_σ) in L_a and (ID_σ β_σ δ_σ ⊥ γ_σ) in L_κ.
Further, B answers the following H_j (a ≤ j ≤ c) queries of TA_2.
H_a queries: Once TA_2 asks an H_a query for (ID_j β_j δ_j) for some j ∈ [a, Q_a], B checks L_a; if (ID_j β_j δ_j e_j) is already available, then B returns e_j to TA_2, otherwise it randomly picks e_j ∈ {1, 2, 3, ..., q−1} and returns e_j to TA_2. After this, B includes (ID_j β_j δ_j e_j) in L_a.
H_b queries: If TA_2 submits an H_b query for ( j R_j χ_j ID_j) for some j ∈ [b, Q_b], B sets the tuple ( j R_j d · D) as input to the HECCDH oracle. If the answer of the HECCDH oracle is true, then B outputs χ_j as the solution of d · p · D and stops; otherwise B searches L_b, and if ( j * R_j ID_j e_j) is already available, it replaces χ_j with the * symbol and returns e_j. Otherwise, B randomly picks e_j ∈ {0, 1}^q, sends e_j back to TA_2, and includes ( j R_j χ_j ID_j e_j) in L_b.
H_c queries: When TA_2 submits an H_c query for ( j R_j m_j ID_j δ_j/β_j) for some j ∈ [c, Q_c], B checks L_c; if ( j R_j m_j ID_j δ_j/β_j H_j) is already present in L_c, B returns H_j. Otherwise, B randomly picks H_j ∈ {1, 2, 3, ..., q−1} and sends it to TA_2.
Additionally, B can answer the following queries requested by TA_2.
A. Create-Contestant-Key-Oracle: When TA_2 asks for the secret value of the contestant with identity ID_j, B first checks whether ID_j = ID_σ; if so, it aborts further processing. If ID_j ≠ ID_σ, B searches L_κ; if (ID_j β_j δ_j α_j γ_j) exists, B outputs α_j to TA_2. Otherwise, B uniformly selects e_j, x_j, and α_j ∈ {1, 2, 3, ..., q−1}, sets e_j = H_a(ID_j β_j δ_j), β_j = x_j · D, γ_j = x_j + w · e_j, and δ_j = α_j · D, sends α_j to TA_2 and includes (ID_j β_j δ_j α_j γ_j) in L_κ.
B. Reveal-Contestant-Private-Key-Oracle: When TA_2 asks for the private key of the contestant with identity ID_j, B first checks whether ID_j = ID_σ; if so, it aborts further processing. If ID_j ≠ ID_σ, B searches L_κ; if (ID_j β_j δ_j α_j γ_j) exists, B outputs (α_j, γ_j) to TA_2. Otherwise, B uniformly selects e_j, x_j, and α_j ∈ {1, 2, 3, ..., q−1}, sets e_j = H_a(ID_j β_j δ_j), β_j = x_j · D, γ_j = x_j + w · e_j, and δ_j = α_j · D, sends (α_j, γ_j) to TA_2 and includes (ID_j β_j δ_j α_j γ_j) in L_κ.
C. Set-Contestant-Public-Key-Oracle: When TA_2 asks for the public key of a contestant with identity ID_j, B checks whether ID_j = ID_σ; if so, it aborts further processing. Otherwise, B searches L_κ; if (ID_j β_j δ_j α_j γ_j) exists, B outputs the public key pair (β_j, δ_j) to TA_2. Otherwise, B uniformly selects e_j, x_j, and α_j ∈ {1, 2, 3, ..., q−1}, sets e_j = H_a(ID_j β_j δ_j), β_j = x_j · D, γ_j = x_j + w · e_j, and δ_j = α_j · D. At the end of this process, B sends (β_j, δ_j) to TA_2, includes (ID_j β_j δ_j e_j) in L_a, and includes (ID_j β_j δ_j α_j γ_j) in L_κ.
D. Symmetric-Key-Generation And Encapsulation-Oracle: When TA_2 asks for ψ with the tuple (ID_en β_en δ_en, ID_dn β_dn δ_dn m), B first checks whether ID_en ≠ ID_σ; if so, it calls the Contestant Full Private Key Generation algorithm to compute PR_en of ID_en. It then computes ψ by calling the Symmetric Key Generation algorithm and the Certificateless Encapsulation algorithm and sends ψ to TA_2. If ID_en = ID_σ and ID_dn = ID_σ, then
E. De-Encapsulation-Oracle: When TA_2 submits (ID_en, ID_dn, ψ) to B, and ID_dn ≠ ID_σ, then B gets the private key of ID_dn and sends the result of the De-encapsulation algorithm to TA_2. Otherwise, B looks for ( R m ID_j δ_j/β_j H_j) and ( R m ID_j δ_j/β_j H′_j) in L_c. If both entries are available and the equation S · D = β_en + H_a(β_en ID_en δ_en) · u + δ_en · H_j + · H′_j holds, then it retrieves R. Further, if B finds a tuple ( R χ ID_dn η) in L_b and the HECCDH oracle returns a positive result, i.e. 1, on the query (d · D, , R), then the plaintext (message) is C ⊕ η.
Challenge: In this phase, TA_2 submits the sender and recipient identities (ID*_en, ID*_dn), along with two different messages M_0 and M_1 of the same length. However, in Phase I, TA_2 is restricted from calling Reveal-Contestant-Private-Key-Oracle on ID*_dn. Here, if ID_dn ≠ ID_σ, then B stops the execution of the game. Otherwise, B produces the challenge signcrypted text through the following steps.
Analysis: Let Ξ_a, Ξ_b, and Ξ_c be the three events in which B stops the execution of the game.
a) Ξ_a is the event that TA_2 asks for the secret value of ID_σ; the probability of Ξ_a is Q_Csv / Q_Ha.
b) Ξ_b is the event that TA_2 asks for the full private key of ID_σ; the probability of Ξ_b is Q_CFPKG / Q_Ha.
c) Ξ_c is the event that ID_σ has not been selected as the de-encapsulator by TA_2; the probability of
Analysis: Let Ξ_a, Ξ_b, and Ξ_c be the three events in which B stops the execution of the game.
a) Ξ_a is the event that the forger TF_1 asks for the partial private key of ID_σ; the probability of Ξ_a is Q_CPPK / Q_Ha.
b) Ξ_b is the event that the forger TF_1 asks for the private key of ID_σ; the probability of Ξ_b is Q_CFPKG / Q_Ha.
c) Ξ_c is the event that ID_σ has not been selected as the de-encapsulator by the forger TF_1; the probability of
Then, it calculates a master public key u using the relation u = w · D and selects the set of public parameters. B sends the set of public parameters, the master public key u and the secret key w to TF_2. B also maintains lists L_j (a ≤ j ≤ c) to keep the responses to the hash queries asked by TF_2 consistent, and a list L_κ of issued keys that is initially empty.
Training Phase: TF_2 can issue the same series of oracle queries as in the IND-CL-KESC-CCA2-II game of Lemma B.
Forgery: Finally, TF_1 produces a valid signcrypted text from the encapsulator ID_en to the de-encapsulator ID_dn. If ID_en ≠ ID_σ, then B stops the execution of the game. Consequently, by the forking lemma [56], if there exists an efficient forger TF_2 in the above interaction, then there exists another polynomial-time Turing machine TF^T_2 that produces two signcrypted text triples ( *, C*, S) and ( *, C*, S*) on the same plaintext m. Then we obtain two outputs: S · D = β_en + e_σ · u + δ_en · H′_σ + · H_σ and S* · D = β_en + e_σ · u + δ_en · H′_σ + · H*_σ. Suppose = p · D; then we get
a) Ξ_a is the event that TF_2 asks for the secret value of ID_σ; the probability of Ξ_a is Q_Csv / Q_Ha.
b) Ξ_b is the event that TF_2 asks for the full private key of ID_σ; the probability of Ξ_b is Q_CFPKG / Q_Ha.
c) Ξ_c is the event that ID_σ has not been selected as the de-encapsulator by TF_2; the probability of Ξ_c is 1 − ). B may pick the solution of the HECDLP problem from L_b with probability 1/Q_Hb. Thus, the advantage ξ of B is ADV_HECCDH

C. INFORMAL SECURITY ANALYSIS
1) REPLAY ATTACK
In the proposed scheme, the attacker cannot obtain a response by resending old messages. The scheme provides replay attack resistance by renewing the key and the nonce (Non) in each session, i.e. C = H_b( R F ID_dn) ⊕ m where m = (Sk m t Non ID_en).
If an attacker intercepts the message of one session, he/she cannot infiltrate the messages of other sessions with the same key, because the session key and the nonce are renewed. The nonce (Non) is refreshed for every message. The receiver is required to perform an up-to-dateness check on every message; if the message is found to be outdated, it is discarded.

2) INTEGRITY
The sender takes the ''hash value'' of the key before sending the message, i.e. H_c( R m ID_en δ_en) or H_c( R m ID_en β_en). When an attacker wants to change C to C′, he must also convert m to m′ and H_c to H′_c. The 'hash' is an irreversible function. First, the sender computes the 'hash' of the key and the arbitrary tag 't', which decides the validity of the encapsulation; the receiver recomputes it to check the integrity. The attacker cannot generate a valid hash.
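The two receiver-side checks described in 1) and 2), the up-to-dateness check on the nonce Non and the recomputation of the integrity value over (m, t, Non, ID_en), can be shown in isolation from the encapsulation itself. The following is an added example, not code from the paper; it uses an HMAC under the per-session key Sk as a stand-in for the paper's H_c (the paper's hash input and the encryption step are not reproduced), and the message field names, identities and payloads are constructed assumptions. It shows a fresh message being accepted, the same message being rejected on replay, a tampered copy failing the integrity check, and a message from an earlier session failing once the session key has been renewed.

```python
import hashlib
import hmac
import os


def integrity_tag(sk, m, t, nonce, id_en):
    """Constructed stand-in for the paper's H_c value: an HMAC keyed with the
    per-session key Sk over (m, t, Non, ID_en). Without Sk an attacker cannot
    produce a valid tag for a modified m, t or nonce."""
    return hmac.new(sk, b"|".join([m, t, nonce, id_en]), hashlib.sha256).digest()


def new_session_key():
    """Fresh symmetric key Sk for every session (the paper's key renewal)."""
    return os.urandom(32)


def build_message(sk, id_en, m, t):
    """Sender side: attach a fresh nonce Non and the integrity tag.
    The field names are assumptions made for this example."""
    nonce = os.urandom(16)
    return {
        "id_en": id_en,
        "m": m,
        "t": t,
        "nonce": nonce,
        "tag": integrity_tag(sk, m, t, nonce, id_en),
    }


class Receiver:
    """Receiver side: integrity check followed by the up-to-dateness check.
    Nonces accepted during the current session are remembered per sender."""

    def __init__(self, sk):
        self.sk = sk
        self.seen = {}   # id_en -> set of nonces accepted in this session

    def accept(self, msg):
        """Return (accepted, reason). Integrity is verified first so that a
        forged message cannot be used to pollute the seen-nonce set."""
        expected = integrity_tag(self.sk, msg["m"], msg["t"], msg["nonce"], msg["id_en"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "integrity check failed"
        seen = self.seen.setdefault(msg["id_en"], set())
        if msg["nonce"] in seen:
            return False, "replay detected: nonce already used"
        seen.add(msg["nonce"])
        return True, "accepted"


def demo():
    """Constructed run: a fresh message, its replay, a tampered copy, and the
    original message presented again after the session key was renewed."""
    sk = new_session_key()
    rx = Receiver(sk)
    msg = build_message(sk, b"UAV-01", b"crop-image-0042", b"tag-1")
    results = [rx.accept(msg)[0], rx.accept(msg)[0]]   # fresh, then replayed
    forged = dict(msg, m=b"crop-image-9999")           # payload altered, tag unchanged
    results.append(rx.accept(forged)[0])
    rx_next = Receiver(new_session_key())              # key renewed for a new session
    results.append(rx_next.accept(msg)[0])             # old-session message is stale
    return results                                     # [True, False, False, False]


if __name__ == "__main__":
    print(demo())
```

Because the seen-nonce set only has to cover the current session, renewing Sk at session start lets the receiver discard it, which keeps memory bounded on a small UAV; any message carrying an older session's key fails the integrity check before the nonce is even consulted.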

3) FORWARD SECRECY
The proposed scheme offers forward secrecy. The completion of every session is followed by the renewal of the sender's secret key. Hence, an adversary who later obtains a key is not able to read the signcrypted messages of earlier sessions, and those session messages cannot be recovered. Above all, the secret key is regenerated in each session.

VII. PERFORMANCE COMPARISON
This section compares the performance of the proposed scheme with the schemes proposed by Seo et al. [33], Liu et al. [34], Zhou et al. [20], Reddy et al. [35], Xiong et al. [36] and Won et al. [28].

A. COMPUTATIONAL COST
In Table 6, the proposed scheme is compared, in terms of computational cost, with the existing ones, i.e. Seo et al. [33], Liu et al. [34], Zhou et al. [20], Reddy et al. [35], Xiong et al. [36] and Won et al. [28]. We consider hyperelliptic divisor multiplication, as elliptic curve scalar multiplication has been found to be the most expensive operation in the related existing schemes. From the computational costs observed in Table 7, it is clearly evident that our scheme outperforms the schemes presented by Seo et al. [33], Liu et al. [34], Zhou et al. [20], Reddy et al. [35], Xiong et al. [36], and Won et al. [28]. In Table 6, the variables km and em denote hyperelliptic curve divisor multiplication and elliptic curve scalar multiplication respectively. It has been observed that a single scalar multiplication takes 0.97 milliseconds for Elliptic Curve Point Multiplication (ECPM). In order to estimate the performance of the proposed approach, the Multiprecision Integer and Rational Arithmetic C Library (MIRACL) [57] is used to test the runtime of the basic cryptographic operations up to 1000 times. The measurements are made on a workstation with the following specifications: Intel Core i7-4510U CPU @ 2.0 GHz, 8 GB RAM and Windows 7 Home Basic 64-bit Operating System [33]. Similarly, the Hyperelliptic Curve Divisor Multiplication (HCDM) is assumed to take 0.48 milliseconds due to the smaller key size, i.e. 80 bits, as opposed to the elliptic curve key size of 160 bits [58].
Our proposed scheme proves to be quicker than the schemes presented by Seo et al. [   Reddy et al. [35], Xiong et al. [36] and Won et al. [28]. The variables involved have the following assumed values: |q| ≈ 160 bits for the elliptic curve; |n| ≈ 80 bits for the hyperelliptic curve; and |m| = 1024 bits for the message. The communication cost incurred by the existing schemes, i.e. Seo et al. [33], Liu et al. [34], Zhou et al. [20], Reddy et al. [35], Xiong et al. [36] and Won et al. [28], is 1504 bits (3|q| + |m| = 1504), as all six schemes use the elliptic curve. On the other hand, the communication cost of the proposed scheme, which uses the hyperelliptic curve, is 1264 bits (|m| + 3|n| = 1264). Moreover, it has been concluded that, as compared to the existing schemes, the proposed scheme improves the speed of response by 15.95%. Table 9 presents a brief comparison between the proposed scheme and the major existing schemes in terms of security functionality. It is worth noting, from Table 9, that the related schemes are not validated through formal security validation tools, such as AVISPA, and none of them guarantees Forward Secrecy (FS) or resistance to Replay Attack (RA).

VIII. APPLICATION SCENARIO
A. PRECISION AGRICULTURE
The proposed scheme is evaluated for an application scenario, i.e. precision agriculture, that involves monitoring the health of crops in a cultivated field as illustrated in Fig. 2. High-resolution images of the crops are obtained with the help of air-borne platforms (i.e. UAVs). The images are then processed to extract information that can be used to support future decisions. Therefore, in the proposed system, crop health is monitored using the data collected from the Normalized Difference Vegetation Index (NDVI) mapping of spectral images. The images are captured by a multi-spectral camera mounted on the M-UAVs. The NDVIs are computed to differentiate healthy plants from unhealthy ones. This is done by measuring the chlorophyll content in the crops. The information is further used to localize the area under stress precisely. The M-UAVs capture and transmit the images to the linked B-UAV. Upon receiving the images, the on-board microcontroller on the B-UAV generates the tasks. The Decision Support Engine (DSE), or the local microcomputer, then processes the tasks. Here, it is pertinent to mention that the M-UAVs can be equipped with relevant accessories, such as cameras, IMU, sensors and a GPS unit, to cater to a wide range of customized tasks.

IX. CONCLUSION
Flying Ad-hoc Network (FANET) is an emerging technology for uniting small UAVs. It involves analyzing the continuously evolving data from heterogeneous sources to create a new era of real-life applications. However, the participating UAVs in a FANET are usually resource-constrained, which makes them attractive targets for cyber-attacks. To address this challenge, in this paper, we propose a Certificateless Key-Encapsulated Signcryption (CL-KESC) scheme. Unfortunately, the existing construction models of CL-KESC rely on the use of elliptic curve-based operations, which are computationally expensive for small UAVs. Therefore, in this paper, we presented a new construction of CL-KESC based on the hyperelliptic curve, an advanced version of the elliptic curve characterized by a small parameter and key size (80 bits) as compared to the elliptic curve, whose key size is 160 bits. A security analysis, including formal security verification, is performed using the widely-recognized AVISPA tool and, in the findings, our proposed scheme proves to offer significant immunity against adversarial attacks. In addition, the presented scheme is far more computationally efficient.
IJAZ MANSOOR QURESHI received the bachelor's degree in avionic engineering from the NED University of Engineering and Technology, Karachi, Pakistan, the master's degree in electrical engineering from the Middle East Technical University, Ankara, Turkey, and the Ph.D. degree in high energy physics from the University of Toronto, ON, Canada. He has to his credit post-Ph.D. experience stretching 27 years in various Pakistani higher education institutes of repute. He is currently with the Electrical Engineering Department, Air University, as a Professor. He has supervised about 37 Ph.D. theses so far. His research interests include digital/wireless communications, digital signal processing, information security, soft computing, and evolutionary computing.
FAHIM ULLAH KHANZADA received the bachelor's degree in electronic engineering from the Balochistan University of Information Technology, Engineering and Management Sciences (BUITEMS), Quetta, and the master's degree in electrical engineering from the University of Nottingham, Nottingham, U.K. He is currently associated with Descon Engineering Limited, Lahore, Pakistan. His experience encompasses academia, industry, and standardization.
NOOR UL AMIN received the master's degree in computer science from the University of Peshawar, Pakistan, in 1996, and the Ph.D. degree in computer science from the Department of Information Technology, Hazara University, Pakistan, where he has been the Head of the Department of Information Technology and the Director IT for 11 years. He is currently the Chair of the Department of Telecommunication, Hazara University. He has recently completed a Research and Development project sponsored by the Ministry of Science and Technology, Pakistan, and established 07 hi-tech research and development labs. His research interests are in the areas of information security, mobile ad-hoc networks (MANETs), wireless sensor networks (WSNs), and information-centric networking (ICN).