A Lightweight Secure Scheme for Underwater Wireless Acoustic Network

Abstract

Due to the open underwater channels and untransparent network deployment environments, underwater acoustic networks (UANs) are more vulnerable to hostile environments. Security research is also being conducted in cryptography, including authentication based on asymmetric algorithms and key distribution based on symmetric algorithms. In recent years, the advancement of quantum computing has made anti-quantum attacks an important issue in the field of security. Algorithms such as lattice and SPHINCS+ have become a research topic of interest in the field of security. However, within the past five years, few papers have discussed security algorithms for UANs to resist quantum attacks, especially through classical algorithms. Some existing classical asymmetric and symmetric algorithms are considered to have no prospects. From the perspective of easy deployment in engineering and anti-quantum attacks, our research focuses on a comprehensive lightweight security framework for data protection, authentication, and malicious node detection through the Elliptic Curve and Hash algorithms. Our mechanism is suitable for ad hoc scenarios with limited underwater resources. Meanwhile, we have designed a multi-party bit commitment to build a security framework for the system. A management scheme is designed by combining self-certifying with the threshold sharing algorithm. All schemes are designed based on certificate-less and ad hoc features. The proposed scheme ensures that the confidentiality, integrity, and authentication of the system are well considered. Moreover, the scheme is proven to be of unconditional security and immune to channel eavesdropping. The resource and delay issues are also taken into consideration. The simulations considered multiple variables like number of nodes, attackers, and message length to calculate proper values that can increase the efficiency of this scheme. The results in terms of delay, delivery ratio, and consumption demonstrate the suitability of the proposal in terms of security, especially for malicious node detection. Meanwhile, the computational cost has also been controlled at the millisecond level.

1. Introduction

In recent years, the security issues of underwater acoustic networks (UANs) have gradually received attention from researchers. Underwater nodes are usually placed in an open underwater acoustic channel to gather information with limited resources. Therefore, UANs face many issues like greater propagation delay, limited computational power, and random node mobility, etc., which determines that research has to focus on lightweight solutions [1,2,3,4]. In addition, the CIA elements (confidentiality, integrity, availability) also require strict implementation as the core and foundation of network security prevention. Therefore, the motivation of our paper is to improve security issues by designing a lightweight secure scheme for UANs. A few key topics are clearly stated in this paper by comparing with existing works. First of all, the clear definition of application scenarios is given. Research on underwater acoustic communication has been undertaken for decades, and the most common research background is based on underwater sensor networks (UWSNs). But in fact, this background is ambiguous. The transmission methods of UWSNs do not necessarily rely solely on acoustic means. In short-distance underwater communication, both electromagnetic and optical means can serve as communication media. These two types of networks are not restricted by greater propagation delay and low bandwidth, which is a significant difference from the design of UAN schemes. Moreover, the network is self-organized, P2P, and homogeneous. A hierarchical or heterogeneous network structure should clearly consider the differences in device capabilities and propose a matching method in the algorithm statement. To the best of our knowledge, there few studies clearly explain the above topic.

Secondly, and most importantly, the anti-attack ability of the security schemes should be rigorously verified and discussed. Quantum attacks are a topic that must be addressed in the current post-quantum era. Significant progress has been made in cryptography against quantum attacks in 2022, and many underwater security studies have also been explored. As a result, there has been increasing interest in computational problems that are not known to be solved efficiently by quantum computers, which is called “quantum-safe cryptography”. Lattice cryptography has become a focus and highlight for researchers. But does traditional cryptography stand no chance entirely? The Shor algorithm [5] is the most famous algorithm in quantum attacks. Due to its emergence, the two major systems in existing cryptography, RSA and ECC algorithms, have been severely impacted. The most relevant feature of the Shor algorithm is that it can solve the problem of factoring large numbers into prime factors in polynomial time, but there is no equivalent proof that quantum attacks have the same ability to crack modular addition or hybrid operations. In addition, hash algorithms in traditional cryptography are also considered to have a certain resistance to quantum attacks. Meanwhile, there has been a large body of knowledge, experience, and hardware technology developed over the last 20 years in support of elliptic curve crypto, and so it is natural to try to continue using elliptic curves if possible. From the perspective of engineering deployment, it can also achieve the faster manufacturing of underwater devices and compatible chips. Meanwhile, the Supersingular Elliptic Curve Isogeny Cryptosystem [6], an efficient substituted technique to elliptic curve crypto, allows algorithms such as ECC or Diffie–Hellman to undergo a gradual progress in the post-quantum era. By combining other technologies such as bit commitment and multi-party computation, traditional cryptographic algorithms can be endowed with usability in the quantum age. It is worth mentioning that, even though the protocol constructed in this paper is an elliptic curve problem in a classical assumption, it does not make any restrictive assumptions about the computing power of participants and can resist quantum attacks.

Finally, guidance to engineering practicality should also be provided, such as which type of nodes to deploy and the difficulty of application on hardware chips or devices. Feasibility and availability are also important aspects of algorithm research significance.

In summary, our contributions in this paper are dedicated to clearly describe the four topics mentioned above while designing a lightweight secure scheme for UANs. Our scheme takes the self-organized and constrained resource characteristics of UANs into account, tailoring the security protection for the entire network. The main contributions of this paper are as follows:

• A certificate-less authentication scheme is designed for UANs. We propose a novel scheme based on self-certifying for node authentication, which ensures the reliability of network nodes. Dynamic crypto puzzles and Chameleon hash for nodeID generation provide an effective approach for malicious attacks;
• To identify adversaries in distributed underwater networking, a threshold-based detection scheme of malevolent nodes is introduced to realize the prevention of attacks in the process of underwater routing, which ensures that malicious nodes will not mix into the ad hoc UAN during underwater communication;
• For lightweight secure data collection in UANs, a bit commitment key framework is designed to provide comprehensive protection. We give the one-time key distribution schemes of point-to-point key to ensure data protection for UANs;
• All algorithms have been proven to be resistant to quantum attacks. Experimental simulations tested the performance of each cryptographic algorithm, which verified the rationality and low cost of our proposal. The completeness and suitability of the scheme for UANs have been well proved.

The structure of this paper is organized as follows. In Section 2, we briefly introduce the related work of our scheme. Section 3 illustrates the preliminaries and system architectural model of our proposal. The design protocol for the lightweight secure scheme is detailed in Section 4, including its working process and the related algorithms. Section 5 provides an analysis of the security of the whole scheme. The simulation results are presented and analyzed in Section 6. Finally, Section 7 offers our conclusion.

2. Related Work

Underwater security has long been a neglected research topic. With the development of other underwater communication technologies, security issues are currently gaining momentum. Meanwhile, in the past year, cryptography has made rapid progress in the field of quantum attacks, with many high-quality papers being published in explosive amounts in 2022–2024. Research on anti-quantum attacks has also begun in the field of underwater security. In general, security schemes are roughly divided into two types, detailed below.

The first type is merely based on the acoustic communication channel features, such as the number of channel taps, the relative delay spread, and the received power level. These features vary mildly over time and space, slowly enough that their distribution can be approximated as constant during the authentication process, which makes such features amenable for authentication purposes. Machine learning techniques are also widely used in this scheme to generate consistent symmetric keys for both the sender and receiver. Amedeo et al. [7] resort to physical layer key generation schemes, where the keys are generated by each user from the channel itself, by exploiting the environment as a source of randomness. They propose an adversarial auto encoder (AAE) model for advantage distillation. Similarly, [8] proposes an algorithm based on the Double Deep Q Network (D2QN) to jointly optimize the USV’s trajectory and transmit power, effectively resisting malicious underwater jamming attacks and maximizing the achievable end-to-end throughput of the system. The study in [9] proposes to learn the advantage distillation process by using a dataset of observed channels from the legitimate parties and the attacker, respectively. The proposed protocol in [10] extracts common acoustic channel features between receiving and sending nodes. Then, each party uses these features to generate his/her own secret bits via a random sequence generator. The study in [11] reverses the common digital signature solution and merely bases itself on the acoustic communication channel features. The distribution of the evaluated channel’s characteristics is leveraged by systematical measurement. The study in [12] generates secret keys dynamically based on the channel frequency response (CFR) in orthogonal frequency-division multiplexing systems, which optimizes the traditional symmetric encryption algorithm, provides higher security, and lower computational overhead. Unfortunately, the present solutions have some irreversible challenges. For the schemes of feature technology detection, the feasibility of the scheme depends on the strict time synchronization of the network nodes and the correctness of the evaluated channel’s characteristics. Machine learning cannot guarantee a 100% accurate generation of keys. It is inevitable that error eigenvalue detection will occur.

The second type applies the Cryptography Algorithm to accomplish lightweight authentication. Lattice-based public key cryptography has become a research hotspot for many cryptographers. Xu and Li et al. [13] proposed an NTRU certificate-less aggregate signature scheme for underwater acoustic communication. The pseudo-identity is generated by the polynomial fitting formula of the underwater acoustic channel, and the complete private key of the node privacy is formed with the secret value. Furthermore, [14] proposed a sky–underwater quantum key distribution scheme based on phase-matching protocol, which resulted in an asymmetric phase-matching protocol model to improve the classical phase-matching protocol.

There are also many published Elliptic Curve or Hash algorithms plans to ensure underwater security by the reduced computation sophistication, trusted encryption schemes, and resource conservation. Gupta et al. [15] introduced a lightweight certificateless signcryption system based on Hyper-elliptic Curve Cryptography (HCC). The system significantly reduces computing and communication costs, making it ideal for resource-constrained environments. But this scheme is only a measure for authentication and cannot provide comprehensive protection for the network. Krivokapic et al. [16] proposes the utilization of implicit certificates and the Hashed One-pass Menezes-QuVanstone (HOMQV) key-exchange protocol as an alternative. Goyal et al. [17] propose a reliable and secure approach by using trusted encryption schemes like HMAC and AES. Ullah et al. [18] considered an online/offline signature with a lightweight hyper-elliptic curve cryptosystem to reduce the communicational complexities for UAN communications. Du et al. [19] realized a two-way authentication between the node pair of source and destination by PKG (public key generate). However, the Shor algorithm has indicated that they would no longer be secure in the quantum era.

We provide a table to summarize the above analysis (

Table 1. The limitations of the existing literature.

Quantum Cryptography [13,14]	Combining Physical Properties [7,8,9,10,11,12]	Classical Algorithms (ECC/RSA/AES…) [15,16,17,18,19]
Large computational load Difficult to deploy	Extended calculation time and instability	Not resistant to quantum attacks

). In summary, existing research cannot balance the ease of application and the completeness of theory. Therefore, in the proposed approach, we considered a lightweight secure scheme to support the security protection of the entire network, which ensures that the system cost and security is improved. Moreover, we have also provided an analysis and proof for the three questions (quantum attacks, system model, engineering) given in the previous section.

3. Preliminaries and System Model

In this section, we introduce several important concepts of our system and present the design ideas of the scheme. We first describe the preliminaries and give the system model applicable to the algorithm. A concrete mathematical discussion will be presented in the following section.

3.1. Preliminaries

• Shamir secret sharing scheme

The Shamir’s Secret Sharing Scheme (SSSS) for cryptography was introduced by Adi Shamir [20]. In the SSSS, the shares of a unique secret are distributed among users. In this secret sharing, a secret is shared between n users in a way that users combine their shares to obtain the secret. No combination of users less than t (t is termed the threshold) can decipher the secret. Therefore, not all the shares of the secret are required to recover the actual secret. This scheme is implemented with the help of a one-dimensional t-degree uniquely determined using any t points on the polynomial. A user u_i’s share is given by (x_i, f(x_i)), where x_i is a point on the X-axis and f(x_i) = p_t(x). In Shamir’s secret sharing scheme, generally the secret is the term a₀ in the polynomial. The SSSS has information–theoretic security, which means that an attacker cannot break the cryptosystem. The attacker cannot obtain sufficient information to threaten the security even if it has unlimited computational power [21]. A Lagrange’s polynomial of degree n taking on the values f(x₀), f(x₁), …, f(x_n) for the points x₀, …, x_n is given by

$$\begin{array}{l}{L}_{\mathrm{n}}(x)=f(x_0)\frac{(x-x_1)(x-x_2)\cdots (x-x_n)}{(x_0-x_1)(x_0-x_2)\cdots (x_0-x_n)}+\\ f(x_1)\frac{(x-x_0)(x-x_2)\cdots (x-x_n)}{(x_1-x_0)(x_1-x_2)\cdots (x_1-x_n)}+\cdots +\\ f(x_n)\frac{(x-x_0)(x-x_1)\cdots (x-x_{n-1})}{(x_n-x_1)(x_n-x_2)\cdots (x_n-x_{n-1})}.\end{array}$$

(1)

Note that the secret a₀ in Shamir’s secret sharing scheme can be obtained as a₀ = Ln(0). The i_th Lagrangian coefficient [22] is Ln(0), resulting in a₀ = Ln(0) = f(x₀)λ₀ + f(x₁)λ₁ + … + f(x_n)λ_n.

• ECDLP

The security of the elliptic curve public key cryptosystem is equivalent to the solution difficulty of ECDLP (the Elliptic Curve Discrete Logarithm Problem) [23,24,25], which is the foundation of security of all elliptic curve schemes.

Definition of ECDLP: GF(q) is the finite field with q elements and E is an elliptic curve defined over GF(q). E(GF(q)) denote the group of Fq-rational points of E. Given two points P, Q in E(GF(q)) with P,Q ∈ E(GF(q)), the discrete logarithm problem is to find an integer ℓ satisfying Q = ℓP. Such an integer ℓ is unique up to module n, where n denotes the order of P in E(Fq). In particular, such an integer ℓ with 0 ≤ ℓ< n is denoted by logP(Q) (n is a huge prime). ℓ is called the P-based discrete logarithm of Q. It is easy to find point Q when ℓ and P are known.

• Chameleon hash

Definition: Anyone can perform chameleon hashing with a given public key PK, and users with sk can broadly find hash collisions, making $\mathrm{C}\mathrm{h}\_\mathrm{H}\mathrm{a}\mathrm{s}\mathrm{h}\left(m^{\prime }\right)$ = Ch_Hash(m). The chameleon hash function has four main algorithms [26]:

• Key generation algorithm: Given a security constant λ, the public key PK and private key sk (trapdoor) are output as the key of chameleon hash;
• Hash generation algorithm $\mathrm{C}\mathrm{h}\_\mathrm{H}\mathrm{a}\mathrm{s}\mathrm{h}(PK,m,r)$: Input the public key PK, random number r, and message m to generate a chameleon hash value h and a random number p:

$$\mathrm{C}\mathrm{h}\_\mathrm{H}\mathrm{a}\mathrm{s}\mathrm{h}(PK,m,r)=\left(h,p\right)$$

(2)

3.

Hash verification algorithm $\mathrm{C}\mathrm{h}\_\mathrm{V}\mathrm{e}\mathrm{r}(PK,m,\left(h,p\right)$ Input the public key PK, message m, hash value h, and a random number p. If (h, p) is the correct hash value, output 1; otherwise, output 0:

$$\mathrm{C}\mathrm{h}\_\mathrm{V}\mathrm{e}\mathrm{r}(PK,m,(h,p\left)\right)\underset{=}{?}1$$

(3)

4.

Hash collision algorithm $\mathrm{C}\mathrm{h}\_\mathrm{C}\mathrm{l}\mathrm{d}(sk,m,m^{\prime },\left(h,p\right)$): Input the private key sk (trapdoor), message m, new message m′, hash value h, and a random number p, and output the new random number r′, resulting in

$$\mathrm{C}\mathrm{h}\_\mathrm{V}\mathrm{e}\mathrm{r}\left(PK,m,(h,p),r\right) =\mathrm{C}\mathrm{h}\_\mathrm{V}\mathrm{e}\mathrm{r}(PK,m,\left(h,p\right),r^{\prime })=1$$

(4)

• Bit commitment

Bit commitment (BC) is an important basic protocol in cryptography, and its concept was first proposed by the 1995 Turing Award winner Blum [27]. The commitment scheme can be used to build zero-knowledge proof, verifiable secret sharing, coin throwing, and other protocols, and at the same time, form the basis of security computing, which is a research topic of interest in the field of cybersecurity [28]. A bit commitment scheme must possess the following properties:

Correctness: If both promisors honestly execute the protocol, then verifiers will correctly obtain the bit string promised during the disclosure phase.

Confidentiality: Verifiers cannot obtain bit string information before the disclosure stage.

Binding: After the commitment phase ends, promisors cannot reverse the bit string, as if they are “bound” to the bit string.

If a bit commitment protocol satisfies correctness, confidentiality, and binding, and does not make any restrictive assumptions about the attacker’s computing power, then the bit commitment protocol is unconditionally secure. Mayers, Lo, and Chau have demonstrated that bit commitment protocols under the standard model cannot be unconditionally secure, whether in classical or quantum computing environments. Their conclusion is called the Mayers–Lo–Chau (MLC) no-go theorem [29,30]. However, even if the theorem is completely correct, it does not rule out the possibility of the existence of an unconditional secure bit commitment protocol under the non-standard model. In fact, as long as the bit commitment of the constructed non-standard model does not fall into the proof framework of the MLC (such as multi-party commitments), the unconditional security bit commitment scheme is completely feasible.

3.2. System Model

As shown in Figure 1, our model is mainly composed of the following parts: Offshore data centers, Relay command ships, Buoy, and UAN nodes. The network topology type is random topology. The offshore data center is mainly responsible for the scheduling and calculation of data collected from the sensor nodes. Meanwhile, it is also the generation center of the algorithm parameters as a trusted third party. The relay command ships and buoys are in charge of preprocessing data and forwarding them toward the offshore data center, which will not be explained as the main role in the later algorithm description. They are both surface sinks. In order to improve the resistance to attack, there can be several offshore data centers and command ships. Nodes are the hardware support of the underwater acoustics networks, responsible for underwater data communication, such as mobile surveillance, marine explorations, military activity, etc. They are usually defined as an ad hoc mobile network consisting of unmanned underwater vehicles (UUVs) deployed in a three-dimensional ocean environment. This system model means that all network nodes are mobile and have a certain amount of computing power. In addition, the satellites are responsible for the positing system and wireless information transmission. The randomly moving UAN nodes need to communicate with each other, either to forward each other’s data or exchange information. The nodes may also need to send the data to offshore data centers.

3.3. Adversary Model

UANs are deployed in unattended and possible hostile underwater environments. Threats may originate from factors such as authentication errors or data thefts. Meanwhile, the UAN nodes are fully self-organized for a certain period and do not contact the ODC node frequently after deployment. All preload processes occur before the UAN nodes are placed in the underwater channel. In this section, we mainly considered several malicious adversary models with respect to the confidentiality, integrity, credibility, authentication, non-repudiation, and availability of our system.

• An adversary can passively disguise themself and eavesdrop on the communications, hardly being perceived by UAN nodes. Data theft is inevitable. Therefore, the confidentiality of underwater communications should be taken into consideration.
• Offshore data centers and command ships are tamper-resistant and no computational issues need to be considered. No adversary can impersonate an offshore data center or command ship. Meanwhile, they will not reveal the private data as a trusted third party. The algorithm can run in a trusted environment and resist various attacks [31,32].
• Nodes are half-tamper-proof. They will not reveal the private data preload in their hardware, even if captured. However, they cannot prevent the adversaries pretending to be them. Thus, a strict detection and authentication mechanism of malicious nodes is required.
• Adversaries in our model cannot capture the underwater nodes and obtain the secret from inside through hardware. It can be assumed that the hardware is equipped with a physical self-destructive protection system, and there are no adversaries other than us who can view the hardware content.

4. Lightweight Security Protocol for UAN

Our security protocols are mainly divided into the following parts: self-certified authentication scheme, threshold-based detection scheme of malevolent nodes, and a bit commitment encryption scheme.

Table 2. Notation table.

Notation	Meaning
G	The generator of the elliptic curve parameters
(dc,PKc)	Offshore data center’s private and public keys
(fi(IDj), Yij)	Underwater node j’s private and public keys
Nj	Underwater nodes’ independent number
IDjs	Underwater nodes’ static ID
IDjd	Underwater nodes’ dynamic ID, generated according to the self-certifying rules
P(0,i) and P(1,j)	The mapping value of bit commitment to a point on an elliptic curve
αn	Master commitment of underwater nodes
λnk	Interaction commitments of underwater nodes
l and m	The length of master commitment and interaction commitments
n	Number of nodes
t	Degree of polynomial
Zp*	Multiplicative group of invertible integers module p
GF(q)	A finite field with a prime number q
H (·)	A hash function: {0, 1} * → G, G⊂ Zp*
{Q1, Q2, …,Qk}	commitment parameters
Sij	Detection parameters/threshold keys
C1	Encryption parameters
r(i)AC	One-time symmetric key

shows the list of notations used in the formulation of our model. Without loss of generality, we describe some preconditions before presenting the improved schemes as follows:

• Each node can be a source node, a destination node, or an intermediate routing node;
• All nodes have the same initial limited energy, computing power, and other resource support. The offshore data centers are assumed to have an unlimited power supply, so the consumption of energy and computing power is not measured during the parameter preloading process;
• Before each node is deployed, security parameters will be preloaded in their cryptographic hardware, and the stored parameters will not be intentionally disclosed by nodes;
• This model is designed to resist cyber attacks, such as eavesdropping, replay, forgery, etc. The physical attacks are not considered. Parameter preloads in the underwater nodes for algorithms are assumed to be absolutely secure.

4.1. Initialization

Offshore data centers (ODCs) generate the algorithm parameters as a trusted third party. Let E(GF(q)) denote an elliptic curve over prime field GF(q) whose order is a big prime q. The base point of the elliptic curve E(GF(q)) is G.

Z_p* is a multiplicative group of invertible integers modulo p. The ODC randomly generates an integer d_c ∈ Z_p* as its private key and computes its own public key PK_c = (d_c)G. Then ODC sets up the polynomial f_i (x) of degree (t − 1) with f_iz as the coefficient: f_i(x) = d_c + f_i1*x + … + f_iz*x^z + …+ f_i(t−1)*x^t−1, where f_iz∈Z_p*, z = 1, 2, …, (t − 1). i is the sequence parameter of the polynomial. The ODC assigns nodes with the independent number N_j used for generating static ID_j, as seen in Section 4.2, and security parameters Y_ij of the nodes as (5) and (6). (f_i(ID_j), Y_ij) are node j’s private and public keys. It is especially worth noting that both the public and private keys here are not disclosed to the public. The private key is only stored in the node’s own hardware, while the public key is stored in the neighboring nodes communicating with it directly. During the forwarding process, there will be no plain-text public and private key information directly displayed.

$$f_i\left({ID}_j\right)=d_c+f_{il}\ast {ID}_j+\cdots f_{i\left(t-1\right)}\ast {{ID}_j}^{t-1}$$

(5)

$$Y_{ij}=f_i\left({ID}_j\right)G$$

(6)

Meanwhile, the parameters of multi-party bit commitments are set as follows. The random numbers r in commitments can be regarded as bit strings of {0,1} uniform distribution. Then, two random points on the curve can be used to represent bits 0 and 1, respectively (denoted as P₀ and P₁). In order to increase eavesdropping resistance, the points corresponding to bits 0 and 1 are not limited to two random points P₀ and P₁, but extended to 2R(R is a sufficiently large positive integer), with multiple different random points selected from the elliptical curve. {P_(0,1), P_(0,2), …,P_(0,R)} are denoted as bits 0 and {P_(1,1+R), P_(1,2+R), …, P_(1,2R)} are denoted as bits 1. In particular, P_(0,i) and P_(1,j) are transcoded as another complex encoding. ${\mathrm{H}}^{\prime }${} is the generating function. This setting makes it possible to enable cryptographic calculation and verification during communication:

$$r\in {\mathrm{Z}}_{\mathrm{p}}\mathrm{*}\to \left\{\mathrm{0,1}\right\}\to \left\{{\mathrm{P}}_{\left(0,\mathrm{i}\right)},{\mathrm{P}}_{\left(1,\mathrm{j}\right)}\right\}\to \left\{{\mathrm{H}}^{\prime }\left\{{\mathrm{P}}_{\left(0,\mathrm{i}\right)},{\mathrm{P}}_{\left(1,\mathrm{j}\right)}\right\}\in {\mathrm{Z}}_{\mathrm{p}}\mathrm{*}\right\}$$

(7)

In our model, multi-party bit commitments represent the interactions between nodes. There are three roles in the commitments: promisor, verifier, and variable number third party certifiers. Each node randomly generates a bit string α_n with a long l as its master commitment and k short bit strings λ_nk of length m as its interaction commitments. Among them, the master commitments α_n are stored in the node’s own security hardware and ODC, serving two purposes. The first is to serve as the data encryption key for communication with ODCs, used for instruction issuance or security parameter replacement. The second is used as an authentication parameter for detecting malicious nodes. If a node is suspected of rebelling, it verifies that third-party certifiers form a verification group, and the reliability of the node is confirmed through the verification of master commitment parameters, which are generated by the nodes. Nodes divide their master commitment into k sub-bit strings sc_z according to prescribed rules, and each bit string serves as a sub-commitment for authentication. Then, it generates proof f_n(sc_z) with k certifiers by the polynomial f_n(x) of degree (k−1) with f_nz as the coefficient. The rules are as follows:

$$f_n\left({sc}_z\right)={\alpha }_n+f_{n1}\ast {sc}_z+\cdots {+f}_{n1}\ast {{sc}_z}^{z-1},\mathrm{z}\in \left(0,\mathrm{k}\right)$$

(8)

The interaction commitments of short bit strings λ_nk are used for point-to-point authentication and encryption during communication. The k sub-commitments generated by each node are distributed to k neighboring nodes, and each node defaults to storing the initial authentication commitments of neighboring nodes that it can directly interact with before deployment underwater. The sub-commitments can be changed during node interaction.

Among them, OCDs also generate the detection parameters S_ij and detection parameters C₁ for nodes as in Equations (9) and (10), where r_s and r_pk are random numbers generated by OCDs, r_s, r_pk∈Z_p*. The specific functions of the parameters are discussed in Section 4.3 and Section 4.4.

$$S_{ij}=r_s{f}_i\left({ID}_j\right)G$$

(9)

$$C_1=\left(x_1,y_1\right)=r_{pk}{PK}_c$$

(10)

All of the above parameters are generated before the nodes are deployed underwater and are preloaded as initial security parameters in the node’s reliable hardware. Our system algorithms are described below.

4.2. Generate Authentication ID

Due to the high propagation delay characteristics of the underwater acoustic networks, it is not suitable for nodes to authenticate with PKI or DPKI during data transmission. This will greatly increase the delay and consume unnecessary energy. Therefore, we design a self-certified identity authentication protocol to impede the Eclipse, Sybil attack, and Impersonation attack which may be initiated by adversaries. Self-certification is an effective approach for nodeID generation by using crypto puzzles. The crypto puzzles ensure that the node’s ID cannot be chosen freely, generated in large quantities, and forged [33]. The S/Kademlia [34] algorithm first mentioned this theory, and we applied and extended it, redesigning appropriate crypto puzzles based on underwater scenarios. The generation rules are as follows:

• Generate static ID: Let G_c denote a cyclic group, G_c ⊂ Z_p*. A hash function H: {0, 1}* → G_c is chosen. Node static ID_js is generated from the cryptographic hash of the node’s public key, which is given by Equation (6). ⊕ is the XOR operation.

$${ID}_{js}=H\left(Y_{ij}\oplus N_j\right)$$

(11)

2.

Generate dynamic ID: In the S/Kademlia algorithm, puzzles are calculated by adding random numbers and setting difficulty. It searches for the hash value with special value 0 in the preceding k bits. The long preceding bits will increase the attack resistance effect. In our model, puzzles are irregular parameters obtained through negotiation. Furthermore, to prevent replay and impersonation attacks, we set the hash function of the dynamic ID to a Chameleon Hash. Nodes use their own private keys to form trapdoors, which can dynamically prove their identity by finding hash collisions in a generalized way to change the verification information. The initial verification value is the random r(i)_AC calculated by the receiving node according to Equation (14). Node dynamic ID_jd is generated by Equation (12), H_C: {0, 1}*→G_c is a Chameleon Hash.

$$H_c\left({ID}_{js}{\oplus r\left(i\right)}_{AC}\right)=\left\{{ID}_{jd},r_d\right\}$$

(12)

3.

Verification scheme: During identity verification, the verification node needs to export {Q₁, Q₂, …,Q_k} and calculate r(i)′_AC according to Section B. Then, it verifies the {ID_js,ID_jd} as in Equation (18).

4.3. The Process of Node Security Interaction

• A initiates communication with its neighboring C: A generates its own mapping based on its own sub-commitment string λ_nA with C, corresponding to the set {P₁, P₂, …, P_k}, and calculates commitment parameters {Q₁, Q₂, …,Q_k}:

$$\left\{\begin{array}{c}\genfrac{}{}{0pt}{}{Q_1=P_1+d_A\times Y_{iC}}{Q_2=P_2+d_A\times Y_{iC}}\\ \genfrac{}{}{0pt}{}{⋮}{Q_k=P_k+d_A\times Y_{iC}}\end{array}\right.$$

(13)

$${\mathrm{H}}^{\prime }\left\{P_1,P_2,\dots ,P_k\right\} ={r\left(i\right)}_{\mathit{AC}}$$

(14)

The randomness is composed by encoding H’{P₁, P₂, …,P_k} is r(i)_AC with the length l_r. Assuming that the encoding of each elliptic curve point is v bits, then l_r = vk. Node A calculates its hash value H(r(i)_AC). Therefore, the initial verification information sent by node A to node C is {{Q₁, Q₂, …, Q_k}, H(r(i)_AC), [H(ID_static), H_C(ID_dynamic)]}.

2.

After receiving the message from A, C first verifies whether static ID of A is correct. Then, it calculates the set {P₁′, P₂′, …, P_k′} using the following formula, and then calculates the random number r(i)′_AC based on the encoding mapping relationship of the {0,1} → {P_(0,i), P_(1,j)} set saved by itself, and compares its hash with the H(r(i)_AC). r_d is the random output of Chameleon Hash as in Equation (12).

$${{ID}_{static}}_{=}^{?}H(Y_{iA}\oplus {\mathrm{N}}_{\mathrm{A}})$$

(15)

$$\left\{\begin{array}{c}\genfrac{}{}{0pt}{}{{P_1}^{\prime }=Q_1-d_C\times Y_{iA}}{{P_2}^{\prime }=Q_2-d_C\times Y_{iA}}\\ \genfrac{}{}{0pt}{}{⋮}{{P_k}^{\prime }=Q_k-d_C\times Y_{iA}}\end{array}\right.$$

(16)

$${\mathrm{H}}^{\prime }\left\{P_1,P_2,\dots ,P_k\right\}={{r\left(i\right)}^{\prime }}_{\mathit{AC}}$$

(17)

$${{\mathrm{H}({\mathrm{Y}}_{\mathrm{i}\mathrm{j}}\oplus {\mathrm{N}}_{\mathrm{j}})}_{=}^{?}{\mathrm{I}\mathrm{D}}_{\mathrm{j}\mathrm{s}},{\mathrm{H}}_{\mathrm{C}}({\mathrm{I}\mathrm{D}}_{\mathrm{j}\mathrm{d}},{{r\left(i\right)}^{\prime }}_{\mathit{AC}},r_d)}_{=}^{?}1$$

(18)

If all the above verifications are correct, r(i)_AC will be used as the symmetric key S_k for further encrypted communication. The ciphertext C_sk delivers the data packet to the receiving node. The node takes the key S_k and ciphertext C_sk as input, yielding the plaintext M as output, and then the data encryption is described as follows:

$$M=Dec\left(S_k,C_{sk}\right)$$

(19)

It should be noted that we also set hash fingerprints CID for the transmitted content during transmission to verify the integrity of the content M as in Equation (16):

$$CID=H\left(M\right)$$

(20)

4.4. Detection Malevolent Nodes

In long-distance communication, malicious nodes may mix into the self-organizing UAN during certain processes. Thus, we propose a threshold-based detection scheme to detect and prevent malevolent nodes.

The detection parameters S_ij and C₁ generated by ODCs are preset in the nodes before deployment. According to the rules of the Shamir algorithm, since all the nodes participating in the networking have the threshold keys S_ij, the Lagrange interpolation polynomial is calculated during packet transmission:

$$\left(x_1,y_1\right)=\sum _{j=1}^t{S}_{i_j}\prod _{1\le k\le t,k\ne j}\frac{-{ID}_{i_k}}{{ID}_{i_j}-{ID}_{i_k}}$$

(21)

It should be noted that the Lagrange polynomial parameters are calculated by each node on the routing path when the data packet arrives, and the calculated parameters are put into the data packet for continuous transmission. The detection key S_ij is not transmitted, which can also avoid leakage. It is clear that, if there are malicious nodes in the transmission process of the routing path, the calculation of the final polynomial cannot be recovered due to the insufficient number of threshold keys. Therefore, it is necessary to choose a reasonable setting for the degree t of polynomial f_i(x), so that most transmission can be calculated for malicious node detection. Meanwhile, the degree cannot be too small, which may reduce the efficiency of node detection.

If A is suspected to be an attacker, the UAN system can require A to cooperate with authentication. In the authentication stage, k certifiers send their sub-proof f_n(sp_z) to the verifier. The verifier calculates the master commitment based on the sub-proofs of k certifiers as in Equation (22). Meanwhile, the verifier requires the promisor to encrypt a message using its master commitment as the key and decrypt. If a valid plaintext can be obtained, it proves that the promisor node is not a malicious node; otherwise, it may be a forgery attacker.

$${\alpha }_{n }=\sum _{z=1}^k{f}_n\left({sp}_z\right)\prod _{1\le z\le k,z\ne h}\frac{{-sc}_{j_k}}{{sc}_{j_h }-{sc}_{j_k}}$$

(22)

5. Correctness and Security Proof

5.1. Correctness

Correctness analysis aims to review and verify the logical and mathematic correctness of the algorithms to ensure that they can correctly and validly perform their expected security functions. The analysis is mainly from the following perspectives:

• Bit commitment: The correctness of multi-party bit commitment is provided below:

$$\begin{array}{ll}{P_i}^{\prime }& =Q_i-d_C\times Y_{iA}\\ & =Q_i-d_C\times d_A\times G\\ & =Q_i-d_A\times Y_{iC}\\ & =P_i\end{array}$$

(23)

2.

Chameleon Hash: We applied the scheme from [35]. The chameleon hash function is constructed based on the ECDLP. The construction process and proof are briefly described below. A detailed analysis can be found in the references.

Two secure hash functions H₁: {0, 1}* × G ∈ Z_p* and H₂: {0, 1}* × G ∈ Z_p* are used in the construction of a one-time chameleon hash function. We choose two random numbers k and y, k ∈Z_p*, y ∈ Z_p*, compute Y = yG, K = kG, and derive two public keys hk = (K, Y) and a trapdoor private key tk = (k, y), where the parameter in our scheme is (f_i(ID_j), Y_ij). Given the label μ, message m (${ID}_{jd}$), random number r ∈ Z_p*(r(i)_AC), X₀ ← H₂(μ), we then calculate ChHash(hk, m) = X₀H₁(m, K)G+ rY (modq).

Trapdoor collision: In the case of m≠m’, the input trapdoor tk = (k, y) outputs a value r in polynomial time such that ChHash(m, r) = ChHash(m′, r′). The process is expressed as r′ = r + y⁻¹(X₀H₁(m, K) − X₀H₁(m′, K)(modq).

5.2. Security Analysis

Security analysis refers to the process of evaluating and verifying the security of a system. It aims to review the security mechanism of the system, analyze the strategies of the algorithms, and ensure that they respond appropriately to various threats and risks. The analysis is mainly from the following perspectives:

Theorem 1. 

The above protocols are unconditionally bound and confidential, which makes them able to resist quantum attacks.

Proof. 

Firstly, the above protocol does not make any restrictive assumptions on the computing power of the nodes. According to Theorem 1, the probability of a successful attack can be infinitesimal even for quantum computers with infinite computing power. Therefore, it is unconditionally bound.

For the adversaries, to invade the UAN, they must calculate the r(i)_AC value through the {Q₁, Q₂, …, Q_k} value or derive it through Hash at the initial communication since plaintext only transmits at this stage. The two well-known algorithms Shor [5] and Grover [36] are the key technologies for quantum attacks. The biggest feature of the Shor algorithm is that it can solve the problem of factoring large numbers into prime factors in polynomial time, but there is no equivalent proof that quantum attacks have the same ability to crack modular addition or mixed prime factor operations. Due to our inclusion of {d_n,PK_n} value into the commitment Q_i value, it is not possible to determine the unknown variables P_i, d_A, and $Y_{iC}$ simultaneously by Equation (13) alone, even if adversaries have the quantum computing of a super polynomial Turing machine.

On the other hand, most implementations of the Hash algorithm can resist the attacks from Shor. The most effective universal quantum attack on hash functions is a search technique based on Grover, which reduces the effective security of hash functions. However, the reduction is far less severe than that of the Shor algorithm, with a range between square and cubic roots. Therefore, security can be maintained by increasing message capacity and output size, and hash functions such as SHA3 have been developed.

In fact, adversaries can only obtain information about r(i)_AC through random guessing, so the probability of its success is unbiased for (1/2)^s. s is the length of r(i)_AC and not less than 128, which can be regarded as infinitesimal. □

Theorem 2. 

Identification protocols made secure against replay attacks by two identity verifications and by generating one-time session keys.

Proof. 

Due to clock drift issues in UANs, it is difficult to implement the timestamp mechanism commonly used in replay attacks. Our scheme involves two dynamic authentications during the initial interaction. The sending node can take advantage of chameleon hash in dynamic ID design based on the private key trapdoors to construct new information and encrypt it to the receiving node during the second communication after the first communication is initiated. This way, the verified hash value is the same, but the content is different. Meanwhile, because only the owner of the trapdoor private key can construct the chameleon hash, replay attackers cannot complete this authentication, meaning that our scheme can be very comprehensive.

Moreover, our schemes realize encrypted transmission through preload security parameters at the first authentication, which ensures that malicious nodes in the system cannot determine the purpose of the packet. The parameters preload by the nodes and the asymmetric key algorithm constitute a challenge response mechanism to resist replay attacks. r(i)_AC is a one-time session key. Even if the authenticated packet is replayed, because the malicious node does not have a symmetric key for communication, it cannot continue the next communication process and its malicious behavior. □

Impersonation attacks: Impersonation attacks typically show as routing attacks and message manipulation attacks. Routing attacks usually generate useless messages on legitimate nodes by forging identities during the routing process, thus increasing network transmission overhead and consuming node energy. Moreover, adversaries launch message manipulation attacks through interception and tampering to disrupt the entire UAN in the process of packet transmission. Strict node authentication guarantees that malicious nodes cannot impersonate legitimate nodes and replay the effective authentication message. Meanwhile, the encrypted packets prevent the interception and tampering of adversaries. According to Theorem 1, it is difficult to solve crypto puzzles when the security parameters are secret. Impersonation attacks are almost impossible in our model.

Sybil attacks: The static ID of the nodes ensures that nodeID cannot be chosen freely and a dynamic cryptopuzzle makes sure that it is complex to generate a large amount of nodeIDs. Thus, our scheme is effective against Sybil attacks.

Compromise attacks and Collusion attacks: Unlike the server nodes in the traditional network, UAN nodes are only unintelligent computing nodes. Therefore, the compromise and collusion attack here can only capture and replace the legitimate nodes, rather than instigating the node through bribery attacks. Therefore, according to the preconditions in Section IV, adversaries in our model cannot capture the underwater nodes and obtain the secret from inside through hardware. Our scheme is also effective against compromise attacks and collusion attacks.

6. Experiments and Performance

We tested the performance of each cryptographic algorithm with CentOS 7. The signature algorithm uses the SM2 algorithm, and the hash algorithm uses the SM3 algorithm. The modular exponentiation and modular multiplication algorithms used in our experiments are the same as elliptic curve scalar multiplication and point addition algorithms, respectively. The threshold algorithm is implemented based on the OpenSSL cryptographic algorithm library.

Table 3. The performance parameters of basic cryptographic algorithms.

Operation	Performance Time (µs)
modular addition	151.43
modular multiply	1054.17
modular inverse	460.27
symmetric encryption	876.003
SM3	231.07

shows the performance parameters of basic cryptographic algorithms, which are the average results of running 1000 times.

The network simulations are built based on the OMNET++ [37] simulation platform to evaluate the performance of our model. By modeling and networking simulation, the effectiveness of the above algorithms is validated. Simulation modeling mainly includes network model, auxiliary model, channel model, and protocol model. The routing algorithm adopts the AODV (Ad Hoc On-Demand Distance Vector) routing strategy. The simulation parameters used in the proposed scheme are presented in

Table 4. Parameters used.

Name of Parameter	Value of Parameter
Number of nodes	50
The size of region	2000 × 2000 × 2000
Transmission speed	1500 m/s
Transmission radius	1000 m
Background noise	−110 dBm
Carrier frequency	20 kHz
Simulation span taken	1000 s
Transmission power	2 w
Receiving power	0.75 w

.

The experimental results of the algorithm performance are shown below. Firstly, we computed the computation costs of preload parameter generation at the initial stage, as shown in Figure 2.

Then, the time costs of authentication are graphically compared, as seen below in Figure 3. We calculated the time it took for two nodes to fully establish secure communication and provided the time for node A to generate verification parameters and for node C to verify the parameters, respectively. This includes the costs of self-certifying security verification, including identification, bit commitment reveal, and puzzle calculation, as shown in Equations (13)–(18). Here, the Y-axis is for the entire generation or verification time, without separating each parameter as Q_k or r(i)_AC. Due to the fact that all these parameter calculations are on the same time scale, it is not very pertinent to count them separately. It should be noted that the time required to establish a connection here only refers to the time spent on security verification, and it does not include the delay of underwater communication. As can be seen, our plan verification time is at the millisecond level, which is longer than the microsecond-level time of the lattice cipher method proposed in reference [13]. However, in underwater environments, compared to the minute-level communication delay between two nodes, it is already very negligible.

Referring to [35], 30 samples are selected as input, and the length range of the samples is between 128 byte and 1024 byte. A total of 30 experiments of the hash generation algorithm and 30 experiments of the hash collision algorithm are conducted for the CH-ECDLP algorithm as the message length increases. In order to ensure the accuracy of the experiments, ten experiments are conducted with the same input, and finally the average of the computing time of the ten experiments is taken as the final computing time of this input. The experimental results of the hash operation time of the two schemes are shown in Figure 4 to display the time cost for generating the second verification.

Figure 5, Figure 6 and Figure 7 show the performance metrics considered for comparison: average end-to-end delay, average data delivery ratio, average energy consumption. The main attacks tested are those wherein malicious nodes disguise themselves and interfere with normal routing forwarding, increasing latency. The system uses the above algorithm to identify and eliminate the average latency change in malicious nodes completing routing. We increase the number of attackers from 1 to 10 to test the basic parameters of our system for illustrating the effectiveness of the algorithm, which shows the efficiency of the system in detecting attackers and rebuilding secure and stable communication. Meanwhile, the settings about the degree t of polynomial f_i(x) are also considered as variable parameters to calculate proper values of node detection.

Average end-to-end delay refers to the average time consumed by data packets from source to the destination, which includes the packet routing process and the calculation time of the cryptographic algorithm. Average data delivery ratio represents the ratio of data packages successfully received. As can be seen from Figure 5, the average latency increases with the number of attackers. The proposed scheme ensures that, once a malicious node is detected, the data transmission will be interrupted and re-transmitted immediately, and the source node and destination node will be required to find the routing path again through the ADOV routing algorithm. This process will greatly increase the data transmission delay.

Meanwhile, due to the fact that the threshold t decides the detection probabilities for malicious nodes, the retransmission times are unspecific. Small thresholds (t < k, k is the average routing hops) only detect the first few hop routing nodes, and the probability of detecting malicious nodes is low, so the number of retransmissions is small. At this time, although the delay is relatively small, the robustness and data transmission rate are relatively poor.

Average energy consumption is defined as the total amount of energy consumed by all the nodes during data packets transmission in the communication when attackers exist. Figure 7 shows the energy consumption for the proposed techniques.

7. Conclusions

The security problem of UANs has become increasingly prominent. This paper designs and optimizes a lightweight security scheme according to the characteristics of UANs. Our proposal focuses on solutions for authentication, data protection, and malicious node inspection, which support the security protection in the entire network. Finally, we compared our approach with the current state of the art in the existing research, and

Table 5. Comparison with existing solutions.

	Lattice Cryptography [13,14]	Combining Physical Properties [7,8,9,10,11,12]	Classical Algorithms (ECC/RSA/AES…) [15,16,17,18,19]	Our Scheme
Operation time	μs	s	ms	ms
Application scenarios	Signature	Symmetric encryption	Authentication and encryption	All
Anti-quantum attack	Yes	Yes	No	Yes
Engineering difficulty	Difficulty	Uncertain	Easy	Easy

shows the comparison results. It can be seen that our scheme has a delay that is a magnitude larger than lattice cryptography, but it is not affected in high-latency underwater environments. Meanwhile, although our scheme is entirely based on classical computing environments, it does not require any restrictive assumptions on the computing power of protocol participants, which makes it able to resist quantum attacks and have unconditional security. In engineering practice and application scenarios, our solution also has significant advantages. The simulation results also prove the robustness and effectiveness of the scheme.