An Efficient and Conditional Privacy-Preserving Heterogeneous Signcryption Scheme for the Internet of Drones

The Internet of Drones (IoD) is a network for drones that utilizes the existing Internet of Things (IoT) infrastructure to facilitate mission fulfilment through real-time data transfer and navigation services. IoD deployments, on the other hand, are often conducted in public wireless settings, which raises serious security and privacy concerns. A key source of these security and privacy concerns is the fact that drones often connect with one another through an unprotected wireless channel. Second, limits on the central processing unit (CPU), sensor, storage, and battery capacity make the execution of complicated cryptographic methods onboard a drone impossible. Signcryption is a promising method for overcoming these computational and security limitations. Additionally, in an IoD setting, drones and the ground station (GS) may employ various cryptosystems in a particular region. In this article, we offer a heterogeneous signcryption scheme with a conditional privacy-preservation option. In the proposed scheme, identity-based cryptography (IBC) was used by drones, while the public key infrastructure (PKI) belonged to the GS. The proposed scheme was constructed by using the hyperelliptic curve cryptosystem (HECC), and its security robustness was evaluated using the random oracle model (ROM). In addition, the proposed scheme was compared to the relevant existing schemes in terms of computation and communication costs. The results indicated that the proposed scheme was both efficient and secure, thereby proving its feasibility.


Introduction
The term "Internet of Drones" (IoD) refers to a network for interconnected drones and a ground station (GS) that allows the drones to enter low-altitude controlled airspace in a coordinated fashion. Drones in IoD networks typically have their sensors, software, and the technologies that connect them configured so that they may interact over the Internet using the same standard IoT protocols as other connected devices [1]. Historically, drones have been exploited for a large number of military applications and activities. However, due to substantial improvements in the design and manufacturing of inexpensive, highly reliable, and small-sized drones, drones are now being employed in a large array of civil and commercial applications. Moreover, the unique attributes of drones such as their ease of use, fast deployment to remote locations, high mobility, maneuverability, and capability to hover make them a suitable choice for commercial applications [2]. Despite their various benefits, there are still obstacles to overcome before IoD networks can be deployed successfully. Drones in IoD networks, for example, communicate through an unencrypted wireless channel; hence, it is essential to employ a cryptographic method with the highest level of security to enable their safe deployment in mission-critical situations [3]. Drones have limited onboard components such as CPUs, sensors, storage, and batteries [4]. Due to their small size, drones can only carry a limited number of supplies. Drones were designed for aerial surveillance with the primary goal of collecting data for transmission to the GS. Since drones often have small amounts of onboard storage and processing power, it can be difficult for them to perform complex computations. These restrictions may have a major impact on the privacy and security aspects of the IoD networks, which could lead to a catastrophic failure of the network's information-exchange capacity [5].
In the absence of countermeasures against cyber-physical threats to preserve data security and privacy in IoD networks, it is possible for intruders to penetrate the network and disclose sensitive data. Examples of common privacy and security threats in the IoD ecosystem include drone position tracking, device tampering, unauthorized data access, message manipulation, and falsification. Global Positioning System (GPS) spoofing attacks [6][7][8] generally exploit GPS signals and pose a significant threat to the privacy of IoDs. By sending significantly more powerful fake GPS signals to a drone, an attacker can trick it into flying in the wrong direction during a GPS spoofing attack. Data integrity and confidentiality can be jeopardized when malicious actors introduce chaos into a network and steal sensitive information. To maximize the use of drones, it is vital to protect IoD networks with stronger security measures and a cryptographic algorithm that requires less computation.
Authenticity and confidentiality are of the utmost importance in the IoD. Digital signature and encryption methods address these security attributes, respectively. When the need arises for both encryption and digital signatures, signcryption [9] can be employed. Due to the growing variety and density of drones, a given zone may contain drones and GSs that belong to different cryptosystems. Furthermore, drones have limited computational capacity and storage space. Consequently, an efficient and secure heterogeneous signcryption scheme in which the sender and recipient have independent security domains is a better option [10,11]. Identity-based cryptography (IBC) [12] and public key infrastructure (PKI) are the two main cryptosystems that can be implemented in the IoD system. In addition to a heterogeneous signcryption scheme, a conditional privacy-preservation feature can be introduced to ensure receiver and sender identity anonymity [13]. To prevent their real identity from being revealed to the sender and the receiver, each entity in the proposed scheme encrypts its identity using a secret key known only to the entity and the PKG throughout the key-generation process. To decipher the identity after the PKG has received it, the PKG must first find the secret key and the real identity. The PKG then makes available the encrypted identities of all entities via signcryption and unsigncryption processing.
Typically, Rivest-Shamir-Adleman (RSA), bilinear pairing (BP), and elliptic curve cryptography (ECC) are employed to increase the security and efficiency of any security solution. RSA is based on a massive factorization problem and employs 1024-bit keys, parameters, certificates, and identities. RSA is inappropriate for resource-constrained networks such as IoD due to the lack of onboard processing capability on small drones. In addition, BP is inferior to RSA due to its extensive pairing and map-to-point function processing. ECC was developed to address the shortcomings of RSA and bilinear pairing. ECC typically uses 160-bit keys, which are again not suitable for IoD networks. Hyperelliptic curve cryptography (HECC), which is an improved variant of ECC, was developed to compete with ECC's efficiency [14]. HECC offers the same amount of security as ECC, BP, and RSA with 80-bit keys. Therefore, HECC is the best choice for IoD systems, so we used it to construct the proposed scheme with the following main contributions.

• We proposed a heterogeneous signcryption scheme in which the drone side utilized IBC and the GS side used PKI. The real identity of each entity was encrypted using a secret key that only the entity and the PKG knew during the key-generation process. This made the proposed scheme conditionally privacy-preserving.

• In the proposed scheme, we introduced a new concept in IBC in which the PKGC sent the private key to drones in an encrypted format that did not require a secure channel. Moreover, the proposed scheme was constructed using the concept of the HECC and assessed using a random oracle model (ROM). The results verified that the proposed scheme was robust against cyberattacks.

• Finally, we conducted a comparison study to evaluate the efficiency of the proposed scheme in terms of computation and communication costs. Comparing the proposed scheme to similar existing ones revealed that it had reduced computation and communication costs.
This manuscript is structured in a manner that includes the following sections: the related work on conditional privacy-preserving heterogeneous signcryption schemes is covered in Section 2, and the preliminary material is discussed in Section 3. In Section 4, we cover the construction of the proposed scheme. Security models are discussed in Section 5, and Section 6 provides a security analysis of the proposed scheme. We cover the performance analysis in Section 7, and the conclusions are contained in Section 8.

Related Work
Recent advancements in 5G technology have allowed the development of B5G cellular networks, which enable autonomous drone services. However, issues regarding the security and privacy of drones have increased rapidly [15]. The IoD's wireless communications can be attacked in a number of ways using cryptographic techniques [16]. Therefore, an efficient and highly secure cryptographic scheme is required for the successful deployment of IoD networks. Sign-then-encrypt approaches meet network security standards; however, this strategy raises computation costs on both ends. One way to address this issue is signcryption, a sophisticated method that combines a digital signature and encryption in an operation that conducts them simultaneously. This method, which is both effective and well suited for devices with limited resources, is in contrast to the more standard practice of employing separate procedures for encryption and digital signatures [17]. Most existing signcryption solutions rely on PKI and IDC cryptosystems. However, these cryptosystems can only be functional in networks in which both the senders and receivers employ the same cryptographic mechanism for exchanging data. Heterogeneous signcryption is preferable due to the dynamic nature of IoD systems [18].
The first heterogeneous signcryption scheme between PKI and IBC was introduced by Sun and Li [19]. Huang et al. [20] highlighted the security shortcomings of [19] and offered a more robust security approach that was termed "insider security" before proposing a new scheme between PKI and IBC. Their schemes, however, did not enable batch unsigncryption. Ali et al. [21] developed a conditional privacy-preserving hybrid signcryption scheme that combined BP with heterogeneous communication. The protocol ensured that a message sent via the IBC method was delivered via a PKI method. Unfortunately, in this design, any entity was able to produce a pseudo-identity and a public key, whilst the recipient had no method to check its authenticity. In addition, their scheme failed to ensure inner unforgeability because a hostile receiver could easily intercept a valid ciphertext, produce a new random number, and forge a new valid ciphertext. Furthermore, the proposed method employed bilinear pairing, which is a costly process for drones to execute. Elkhalil et al. [22] developed an efficient signcryption of a heterogeneous system to offer high-level security properties such as confidentiality, key revocation, integrity, authentication, and nonrepudiation. The proposed scheme was based on ECC, a procedure that is slightly more expensive than HECC.
Jin et al. [23] presented a signcryption scheme that was provably secure and heterogenous for a smart grid system in which meters in the IBC environment communicated data to utilities in the PKI environment. The signcryption and unsigncryption algorithms in their method were computationally and communicatively inefficient due to the BP operations. In addition, the scheme did not support the decryption of numerous ciphertexts in bulk. Ting et al. [24] proposed an efficient online/offline heterogeneous signcryption scheme that met the security objectives of confidentiality, integrity, authentication, and nonrepudiation in a single logical step. In particular, its structure enabled a sensor node in an IBC configuration to send a message to an Internet host in a PKI, thereby reducing the rigorous verification demands on low-power devices. However, the proposed method was computationally expensive due to the ECC operation, which is difficult for a drone to execute. Ali et al. [25] introduced a hybrid signcryption technique that satisfied the security requirements for heterogeneous vehicle-to-infrastructure (V2I) communications in a single logical step. The scheme permitted the secure communication of safety messages from a vehicle to a roadside device using PKI. The basis of the proposed solution was ECC, which incurred lower communication and computation costs. Pan et al. [26] presented a heterogeneous signcryption system that enabled drones to communicate with a GS without a bilinear pairing operation. In the scheme proposed by Pan et al. [26], the drones belonged to IBC and the GS to PKI. The proposed scheme safeguarded the identity of drones and enabled the GS to verify batches. Due to its limited processing capabilities, bilinear pairing is computationally costly for drones to complete. 
In order to overcome these restrictions, we proposed a conditional privacy-preserving heterogeneous signcryption scheme for IoD that leveraged HECC operation, an improved version of ECC with short keys. The proposed method offered the same level of security as existing systems while incurring minimal computational and communication costs.

Preliminaries
This section provides the preliminaries, which include the network model, elliptic curve cryptography, the basics of the hyperelliptic curve (HEC) as well as the associated difficult problems (i.e., the hyperelliptic curve Diffie-Hellman problem (HECDHP) and the hyperelliptic curve discrete logarithm problem (HECDLP)), and the syntax of the proposed scheme. Table 1 illustrates the notations used in the construction of the proposed scheme.
Figure 1 depicts the network model for the proposed scheme, which consisted of three clusters: Drones, the PKGC, and Everything. The Drones were equipped with cameras, inertial measurement units (IMUs), sensors, and a Global Positioning System (GPS) that could be used in a variety of scenarios. When the Drones wanted to communicate with a device in Everything's cluster, they sent a request to the PKGC along with their encrypted identity and public and private keys. Further, upon the request of a Drone's device, the PKGC would generate the private and public keys and send them to the Drone's device in an encrypted format. By using the received private and public messages, a Drone's device would generate signcryption on some messages and send the signcrypted text to a device belonging to the Everything cluster. After receiving the signed encrypted text, the device joined the cluster and generated its public and private keys before sending a request for certification to the PKGC. When the PKGC received a request, it generated a certificate and sent it to the device that was shared by all devices in the Everything cluster. By using its private key and the Drone's public key, a device belonging to the Everything cluster could verify a signature and recover a message. Note that all possible nodes such as GSs, APs, mobile phones, and vehicles on the ground could be included in the Everything cluster. Nonetheless, we only took the GSs into consideration in the proposed network model. The GSs could provide Internet access to the Drones.
The Drones used 5G and Wi-Fi wireless technology to connect to the GSs. The drones could communicate with the GSs through 5G and with each other via Wi-Fi. Utilizing the best features of both technologies was important to the hybridization process.

Table 1 (rows 18 to 20):
18: The secret key that was used to encrypt and decrypt the messages between the Drone and the EVTG
19: The encryption function, which was used to encrypt the message of the Drone
20: The decryption function, which was used to recover the message of the Drone

Hyperelliptic Curve (HEC) and Difficult Mathematics Problems
In this subsection, we will cover the basics of the hyperelliptic curve (HEC) as well as the difficult problems; i.e., the hyperelliptic curve Diffie-Hellman problem (HECDHP) and the hyperelliptic curve discrete logarithm problem (HECDLP).

• Hyperelliptic Curve (HEC): This is a special form of ECC with genus $g \geq 2$ that employs 80-bit keys and parameters to generate ciphertext and signatures with the same level of security as ECC. A standard equation for HEC over a finite field $f_n$ is as follows: $w^2 + h(a)\,w = f(a) \bmod n$, where $h(a) \in F(a)$ represents a polynomial with degree $\deg h(a) \leq g$ and $f(a) \in F(a)$ represents a monic polynomial with degree $\deg f(a) \leq 2g + 1$. Here, the central idea is to construct a Jacobian group and pick its generator, known as the divisor.
• Hyperelliptic Curve Diffie-Hellman Problem (HECDHP): Assuming the primary parameters for the HECDHP are $(\propto, \nu, (Z = \propto \cdot \nu \cdot P))$, the attacker's goal, with the help of the challenger, is to extract $\propto$ and $\nu$ from $Z$.
• Hyperelliptic Curve Discrete Logarithm Problem (HECDLP): Assuming $(\propto, (Z = \propto \cdot P))$ are the main parameters for the HECDLP, the attacker's goal, with the help of the challenger, is to extract $\propto$ from $Z$.

Syntax
The syntax of the proposed scheme consisted of the five algorithms listed below:

Construction of the Proposed Scheme
The construction of the proposed scheme included the following steps.

1. Setup: When the PKGC receives Ø as a security parameter, it performs the following steps:
• Selects $\mu_{PKGC}$ randomly, where $\mu_{PKGC} \in f_n$, and sets it as its private key;
• Computes $Y_{PKGC} = \mu_{PKGC} \cdot P$ and sets it as its public key, where $P$ is the divisor on HECC;
• Chooses hash functions $H_{a1}$, $H_{a2}$, and $H_{a3}$, with a 256-bit size;
• Sets $\xi_{PKGC} = \{H_{a1}, H_{a2}, H_{a3}, Y_{PKGC}, P, f_n, HEC\}$ as a param for further processing of the proposed scheme, and the PKGC shares it openly.

3. PKI Key Generation for Everything (EVTG): A device that belongs to the EVTG plays the role of receiver, selects $\lambda_{EVTG} \in f_n$, and computes $\sigma_{EVTG} = \lambda_{EVTG} \cdot P$.

5. Heterogeneous Unsigncryption (HUS): A device that belongs to the EVTG plays the role of receiver and can generate HUS using the following steps:

Security Models
In this section, we define the roles of two adversaries, an outsider adversary ($OUT_{ADV}$) and a forger ($OUT_{FRGR}$), that could break security aspects of the proposed scheme such as confidentiality and unforgeability. The following two games define the basic preliminaries for confidentiality against $OUT_{ADV}$ and unforgeability against $OUT_{FRGR}$.
Setup: By using Ø as a security parameter, $C_{HS}$ sets the secret key $\mu_{PKGC}$ and the param $\xi_{PKGC}$, and $\xi_{PKGC}$ is sent to $OUT_{ADV}$.
Phase 1: $OUT_{ADV}$ can make the following queries with $C_{HS}$:
$QRY_{H_{ai}}$ Query: $C_{HS}$ sets the lists ($L_{H_{ai}}$) with some initial values. Upon the query request from $OUT_{ADV}$, $C_{HS}$ checks the corresponding value in $L_{H_{ai}}$; if it exists, then $C_{HS}$ sends the requested value to $OUT_{ADV}$. Otherwise, $C_{HS}$ picks the requested value randomly, updates $L_{H_{ai}}$, and sends it to $OUT_{ADV}$.
Public Key Query ($QRY_{PBK}$): Here, we consider two cases for user key generation when $OUT_{ADV}$ sends a request for a public key.
Case 1: Upon request of $OUT_{ADV}$ for the keys, which belong to identity-based cryptography, $C_{HS}$ transmits $\beta_i$ to $OUT_{ADV}$.
Case 2: Upon request of $OUT_{ADV}$ for the keys, which belong to public key infrastructure-based cryptography, $C_{HS}$ transmits $\sigma_i$ to $OUT_{ADV}$.
Private Key Query ($QRY_{PRK}$): Here, we consider two cases for private key generation when $OUT_{ADV}$ requests a private key.
Case 1: Upon request of $OUT_{ADV}$ for the private key, which belongs to identity-based cryptography, $C_{HS}$ transmits $PK_i$ to $OUT_{ADV}$.
Case 2: Upon request of $OUT_{ADV}$ for the private key, which belongs to public key infrastructure-based cryptography, $C_{HS}$ transmits $\lambda_i$ to $OUT_{ADV}$.
Heterogeneous Signcryption Query ($QRY_{HS}$): Upon request of $OUT_{ADV}$ for the heterogeneous signcryption oracle, $C_{HS}$ transmits $(S_i, \chi_i, C_i)$ to $OUT_{ADV}$.
Heterogeneous Unsigncryption Query ($QRY_{HUS}$): Upon request of $OUT_{ADV}$ for the heterogeneous unsigncryption oracle, $C_{HS}$ either returns the plaintext or confirms that $(S_i, \chi_i, C_i)$ is invalid.
Challenge: $OUT_{ADV}$ sends the triple $(m_1, m_1, Drone_{RID}, ID_{EVTG})$ to $C_{HS}$, which will respond with $(S_i^*, \chi_i^*, C_i^*)$ to $OUT_{ADV}$.
Phase 2: $OUT_{ADV}$ makes the same kind of queries as in Phase 1 except for using $QRY_{PRK}$ for $MUAV_{RID}$. In addition, $OUT_{ADV}$ will not generate a request for plaintext that is related to $(S_i^*, \chi_i^*, C_i^*)$.
Guess: $OUT_{ADV}$ produces $\tau'$. If $\tau = \tau'$, $C_{HS}$ returns a true result; otherwise it returns a false result.
Setup: By using Ø as a security parameter, $C_{HS}$ sets the secret key $\mu_{PKGC}$ and the param $\xi_{PKGC}$, and $\xi_{PKGC}$ is sent to $OUT_{FRGR}$.
Phase 1: $OUT_{FRGR}$ can make the following queries with $C_{HS}$:
$QRY_{H_{ai}}$ Query: $C_{HS}$ sets the lists ($L_{H_{ai}}$) with some initial values. Upon the query request from $OUT_{FRGR}$, $C_{HS}$ checks the corresponding value in $L_{H_{ai}}$; if it exists, then $C_{HS}$ sends the requested value to $OUT_{FRGR}$. Otherwise, $C_{HS}$ picks the requested value randomly, updates $L_{H_{ai}}$, and sends it to $OUT_{FRGR}$.
Public Key Query ($QRY_{PBK}$): Here, we consider two cases for user key generation when $OUT_{FRGR}$ sends a request for a public key.
Case 1: Upon request of $OUT_{FRGR}$ for the keys, which belong to identity-based cryptography, $C_{HS}$ transmits $\beta_i$ to $OUT_{FRGR}$.
Case 2: Upon request of $OUT_{FRGR}$ for the keys that belong to public key infrastructure-based cryptography, $C_{HS}$ transmits $\sigma_i$ to $OUT_{FRGR}$.
Private Key Query ($QRY_{PRK}$): Here, we consider two cases for private key generation when $OUT_{FRGR}$ requests a private key.
Case 1: Upon request of $OUT_{FRGR}$ for the private key, which belongs to identity-based cryptography, $C_{HS}$ transmits $PK_i$ to $OUT_{FRGR}$.
Case 2: Upon request of $OUT_{FRGR}$ for the private key, which belongs to public key infrastructure-based cryptography, $C_{HS}$ transmits $\lambda_i$ to $OUT_{FRGR}$.
Heterogeneous Signcryption Query ($QRY_{HS}$): Upon request of $OUT_{FRGR}$ for the heterogeneous signcryption oracle, $C_{HS}$ transmits $(S_i, \chi_i, C_i)$ to $OUT_{FRGR}$.
Forgery: $OUT_{FRGR}$ can generate a forged signcryption $(S_i^*, \chi_i^*, C_i^*)$ if the following steps are successfully completed:
Step 1: $QRY_{PRK}$ $C_{HS}$ succeeds.
Step 3: All the queries are successful in target identity.

Security Analysis
In this part, we demonstrate that the proposed scheme was secure against confidentiality and unforgeability breaches under the random oracle model (ROM).

Theorem 1. Confidentiality (IND-CCATK-IBC-PKI-HS).
The proposed IBC-PKI-HS scheme achieves Indistinguishability Against Adaptive Chosen Ciphertext Attacks (IND-CCATK-IBC-PKI-HS) under the HECDHP: if an outsider adversary ($OUT_{ADV}$) with advantage $\partial$ exists, a challenger $C_{HS}$ can solve the HECDHP by using it as a subroutine. The following is the success advantage of $C_{HS}$ in which it can solve the HECDHP for $OUT_{ADV}$: where $QRY_{PBK}$ is the public key query and $QRY_{PRK}$ is the private key query.
Sensors 2023, 23, 1063
Proof: Suppose $(\propto, \nu, (Z = \propto \cdot \nu \cdot P))$ is the HECDHP: the task of $OUT_{ADV}$ with the help of $C_{HS}$ is to extract $\propto$ and $\nu$ from $Z$ by using the following steps:
Setup: By using Ø as a security parameter, $C_{HS}$ sets the secret key as $\mu_{PKGC}$, the public key as $Y_{PKGC}$, and the param $\xi_{PKGC}$, and sends $Y_{PKGC}$ and $\xi_{PKGC}$ to $OUT_{ADV}$.
Phase 1: $OUT_{ADV}$ can make the following queries with $C_{HS}$.
$QRY_{H_{a1}}$ Query: $C_{HS}$ sets a list ($L_{H_{a1}}$) with tuple $(\beta_i, Drone_{RIDi}, \pi_{1i})$. Upon the query request from $OUT_{ADV}$, $C_{HS}$ checks the value $\pi_{1i}$ in $L_{H_{a1}}$; if $\pi_{1i}$ exists, then $C_{HS}$ sends $\pi_{1i}$ to $OUT_{ADV}$. Otherwise, $C_{HS}$ picks the value $\pi_{1i}$ randomly, updates $L_{H_{a1}}$, and sends $\pi_{1i}$ to $OUT_{ADV}$.
$QRY_{H_{a2}}$ Query: $C_{HS}$ sets a list ($L_{H_{a2}}$) with tuple $(K_i, \chi_i, k_i)$. Upon the query request from $OUT_{ADV}$, $C_{HS}$ checks the value $k_i$ in $L_{H_{a2}}$; if $k_i$ exists, then $C_{HS}$ sends $k_i$ to $OUT_{ADV}$. Otherwise, $C_{HS}$ picks the value $k_i$ randomly, updates $L_{H_{a2}}$, and sends $k_i$ to $OUT_{ADV}$.
$QRY_{H_{a3}}$ Query: $C_{HS}$ sets a list ($L_{H_{a3}}$) with tuple $(m_i, \chi_i, Drone_{EIDi})$. Upon the query request from $OUT_{ADV}$, $C_{HS}$ checks the value $\pi_{2i}$ in $L_{H_{a3}}$; if $\pi_{2i}$ exists, then $C_{HS}$ sends $\pi_{2i}$ to $OUT_{ADV}$. Otherwise, $C_{HS}$ picks the value $\pi_{2i}$ randomly, updates $L_{H_{a3}}$, and sends $\pi_{2i}$ to $OUT_{ADV}$.
Public Key Query ($QRY_{PBK}$): Here, we consider two cases for user key generation when $OUT_{ADV}$ asks for this query.
Case 1: Upon request of $OUT_{ADV}$ for the keys that belong to identity-based cryptography, $C_{HS}$ checks the tuple $(\beta_i, Drone_{RIDi})$ in list $L_{pbk}$; if it is found, $C_{HS}$ transmits $\beta_i$ to $OUT_{ADV}$. Otherwise, at the $j$th query, $C_{HS}$ computes $\beta_i = \propto \cdot P$. Further, $C_{HS}$ checks if $i = j$, then computes $\beta_i = \eta_i \cdot P$, where $\eta_i$ is a randomly selected number. Then, $C_{HS}$ updates the list $L_{pbk}$ and sends $\beta_i$ to $OUT_{ADV}$.
Case 2: Upon request of $OUT_{ADV}$ for the keys that belong to public key infrastructure-based cryptography, $C_{HS}$ checks the tuple $(\sigma_i, ID_i)$ in list $L_{cuk}$; if it is found, $C_{HS}$ transmits $\sigma_i$ to $OUT_{ADV}$. Otherwise, $C_{HS}$ computes $\sigma_i = \propto \cdot P$, updates the list $L_{cuk}$, and sends $\sigma_i$ to $OUT_{ADV}$.
Private Key Query ($QRY_{PRK}$): Here, we consider two cases for private key generation when $OUT_{ADV}$ asks for this query.
Case 1: Upon request of $OUT_{ADV}$ for the private key that belongs to identity-based cryptography, $C_{HS}$ checks if $Drone_{RIDi} = Drone_{target}$, then aborts this game. Otherwise, it finds the tuple $(\beta_i, Drone_{RIDi}, PK_i)$ in list $L_{prk}$ and transmits $PK_i$ to $OUT_{ADV}$.
Case 2: Upon request of $OUT_{ADV}$ for the private key that belongs to public key infrastructure-based cryptography, $C_{HS}$ checks if $ID_i = ID_{target}$, then aborts this game. Otherwise, it finds the tuple $(\sigma_i, ID_i, \lambda_i)$ in the list $L_{prk}$, and transmits $\lambda_i$ to $OUT_{ADV}$.
Heterogeneous Signcryption Query ($QRY_{HS}$): $OUT_{ADV}$ requests the heterogeneous signcryption oracle with tuple $(Drone_{RID}, m, ID_{EVTG})$, where RID is the identity of the Drone, $m$ is the plaintext, and $ID_{EVTG}$ is the identity of the EVTG. Then, $C_{HS}$ performs the following steps when $Drone_{RIDi} = ID_{target}$:
• Selects $\rho_i, \pi_{2i} \in f_n$ at random and computes $\chi_i = \rho_i \cdot P$;
• Computes $K = \rho_i \cdot \sigma_i$ and extracts $k_i$ from $L_{H_{a2}}$;
Heterogeneous Unsigncryption Query ($QRY_{HUS}$): Upon request of $OUT_{ADV}$ for the heterogeneous unsigncryption oracle, $C_{HS}$ checks if $ID_{EVTG} = ID_{target}$ and performs the following steps:
Otherwise, $C_{HS}$ confirms that $(S_i, \chi_i, C_i)$ is invalid.
Challenge: $OUT_{ADV}$ sends the triple $(m_1, m_1, Drone_{RID}, ID_{EVTG})$ to $C_{HS}$, where $(m_1, m_1)$ are the two messages with equal lengths but different contents, and $(Drone_{RID}, ID_{EVTG})$ are the identities of the Drone and the EVTG. After this, $C_{HS}$ checks whether $ID_{EVTG} = ID_{target}$ and performs the following steps:
• Selects $\tau \in \{0, 1\}$ and chooses $\rho_i, \nu, k \in f_n$;
• Computes $\chi_i = \nu \cdot P$ and $K = \rho_i + Z$;
Phase 2: $OUT_{ADV}$ makes the same kind of queries as in Phase 1 except using $QRY_{PRK}$ for $Drone_{RID}$. In addition, $OUT_{ADV}$ will not generate a request for plaintext that is related to $(S_i^*, \chi_i^*, C_i^*)$.
Guess: $OUT_{ADV}$ produces $\tau'$. If $\tau = \tau'$, $C_{HS}$ returns a true result; otherwise it returns a false result. If $Z = \propto \cdot \nu \cdot P$, then $(S_i^*, \chi_i^*, C_i^*)$ is not valid.
Probability Analysis: The following are some events in which $C_{HS}$ will not fail:

Theorem 2. Unforgeability (UU-ACMA-IBC-PKI-HS).
The proposed IBC-PKI-HS scheme is Unforgeable Under Adaptive Chosen Message Attacks (UU-ACMA-IBC-PKI-HS) under the HECDLP: if a forger ($OUT_{FRGR}$) with advantage $\partial$ exists, a challenger $C_{HS}$ can solve the HECDLP by using it as a subroutine. The following is the success advantage of $C_{HS}$ in which it could solve the HECDLP for $OUT_{FRGR}$: where $QRY_{PBK}$ is the public key query and $QRY_{PRK}$ is the private key query.
Proof: Suppose $(\propto, (Z = \propto \cdot P))$ is the HECDLP: the task of $OUT_{FRGR}$ with the help of $C_{HS}$ is to extract $\propto$ from $Z$ by using the following steps.
Setup: By using Ø as a security parameter, $C_{HS}$ sets the secret key as $\mu_{PKGC}$, the public key as $Y_{PKGC}$, and the param $\xi_{PKGC}$, and sends $Y_{PKGC}$ and $\xi_{PKGC}$ to $OUT_{FRGR}$.
Queries: $OUT_{FRGR}$ can make the same queries with $C_{HS}$ as used in the confidentiality game.
Forgery: $OUT_{FRGR}$ can generate a forged signcryption $(S_i^*, \chi_i^*, C_i^*)$ if the following computations are successfully done:

• $C_{HS}$ must have the original value for $\rho_{MUAV}$; this is only possible if it obtains the solution for $Z = \propto \cdot P$.
• In addition, $C_{HS}$ must have the original value for $PK_{MUAV}$; this is only possible if it obtains the solution for $Z = \propto \cdot P$ during the public key query ($QRY_{PBK}$) and the private key query ($QRY_{PRK}$), or it can access the exact value from list $L_{prk}$.
• It can also extract the exact value as used in the heterogeneous signcryption algorithm for $\pi_2$ from a list ($L_{H_{a3}}$).
• It can extract the exact value as used in the heterogeneous signcryption algorithm for $k$ from a list ($L_{H_{a2}}$).
Probability Analysis: The following are some events in which $C_{HS}$ will not fail: QRY PBK −QRY PRK ∂ So, the following results can be obtained:
The proposed IBC-PKI-HS resists against the disclosure of the sender's identity under the hardness of the HECDLP.
Proof: In the proposed scheme, the Drone device selects $Drone_{RID}$ as its real identity, selects $\zeta_{Drone} \in f_n$, computes $\delta_{Drone} = \zeta_{Drone} \cdot P$ and $SK_{sec} = \zeta_{Drone} \cdot Y_{PKGC}$, encrypts $Drone_{RID}$ as $Drone_{EID} = E_{SK_{sec}}(Drone_{RID})$, and sends $(Drone_{EID}, \delta_{Drone})$ to the PKGC through an insecure channel. When the PKGC receives $(Drone_{EID}, \delta_{Drone})$, it computes the secret key $SK_{sec}$ as $SK_{sec} = \delta_{Drone} \cdot \mu_{PKGC}$, recovers $Drone_{RID}$ as $Drone_{RID} = D_{SK_{sec}}(Drone_{EID})$, selects $\eta_{Drone} \in f_n$, and computes $\beta_{Drone} = \eta_{Drone} \cdot P$ and $\pi_1 = H_{a1}(\beta_{Drone}, Drone_{RID})$. Here, the Drone device acts as a sender, and if $OUT_{ADV}$ wants the real identity $Drone_{RID}$ of a Drone, then it must reveal the secret key $SK_{sec} = \zeta_{Drone} \cdot Y_{PKGC}$. To do so, it needs the value $\zeta_{Drone}$ from $\delta_{Drone} = \zeta_{Drone} \cdot P$, which is equivalent to solving the HECDLP and is infeasible for $OUT_{ADV}$.
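The registration exchange used in this proof, written out as an added example (it is not code from the paper or its authors). Assumptions: the secp256k1 elliptic-curve group stands in for the HEC Jacobian with its generator G playing the divisor P, and `kdf`, the HMAC-based `E`/`D`, and the byte encoding inside `H_a1` are stand-ins because the page does not specify them.

```python
import hashlib
import hmac
import secrets

# Assumption: secp256k1 replaces the HEC Jacobian group; G plays the divisor P.
P_MOD = 2**256 - 2**32 - 977
B = 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition; None is the identity element."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def on_curve(pt):
    return pt is not None and (pt[1] ** 2 - pt[0] ** 3 - B) % P_MOD == 0

def kdf(shared):
    """Assumed KDF: turn the shared group element into SK_sec bytes."""
    return hashlib.sha256(b"SK_sec" + shared[0].to_bytes(32, "big")).digest()

def keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        block = b"enc" + nonce + ctr.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def E(key, plaintext):
    """Stand-in for E_{SK_sec}: HMAC-SHA256 keystream plus an HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def D(key, blob):
    """Stand-in for D_{SK_sec}: verify the tag, then remove the keystream."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("identity ciphertext rejected: wrong SK_sec or tampering")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

def H_a1(beta, rid):
    """pi_1 = H_a1(beta_Drone, Drone_RID); the byte encoding is an assumption."""
    data = beta[0].to_bytes(32, "big") + beta[1].to_bytes(32, "big") + rid
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def pkgc_setup():
    """Setup: private key mu_PKGC and public key Y_PKGC = mu_PKGC * P."""
    mu = secrets.randbelow(N - 1) + 1
    return mu, mul(mu, G)

def drone_request(rid, y_pkgc):
    """Drone: delta = zeta*P, SK_sec = zeta*Y_PKGC, Drone_EID = E(SK_sec, RID)."""
    zeta = secrets.randbelow(N - 1) + 1
    delta = mul(zeta, G)
    sk_sec = kdf(mul(zeta, y_pkgc))
    return zeta, (E(sk_sec, rid), delta)   # zeta never leaves the drone

def pkgc_recover(mu, request):
    """PKGC: SK_sec = delta*mu_PKGC, recover RID, then beta = eta*P and pi_1."""
    eid, delta = request
    if not on_curve(delta):                # reject invalid group elements first
        raise ValueError("delta is not a valid group element")
    rid = D(kdf(mul(mu, delta)), eid)
    eta = secrets.randbelow(N - 1) + 1
    beta = mul(eta, G)
    return rid, beta, H_a1(beta, rid)

if __name__ == "__main__":
    mu, y = pkgc_setup()
    _, req = drone_request(b"DRONE-RID-0042", y)   # constructed sample identity
    print(pkgc_recover(mu, req)[0])
```

Only the pair (Drone_EID, δ_Drone) crosses the insecure channel; a party holding neither ζ_Drone nor µ_PKGC derives a different key, so `D` rejects the ciphertext instead of returning the identity.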

Theorem 4. Receiver Anonymity.
The proposed IBC-PKI-HS resists against the disclosure of the receiver's identity.
Proof: We did not use the receiver identity in any communication process, so our proposed scheme provided receiver anonymity.

Performance Comparison
This section compares the performance of the proposed scheme with the relevant existing counterparts proposed by Ali et al. [21], Jin et al. [23], Ting et al. [24], Ali et al. [25], and Pan et al. [26] based on the security properties, computation cost, and communication cost.

Security Properties Comparison
In this section, we compare the security properties of the proposed scheme with those of Ali et al. [21], Jin et al. [23], Ting et al. [24], Ali et al. [25], and Pan et al. [26]. The comparison was made using Table 2, in which we included security properties such as confidentiality, unforgeability, sender's anonymity, receiver's anonymity, and the need for a secure channel. Further, if a scheme obeyed the security properties, we indicated "Yes" or vice versa. Moreover, if the security analysis section of a scheme did not include an explanation of a security property, we indicated "Not Mentioned." The proposed scheme provided all the security requirements that are used in Table 1, while the schemes of Ali et al. [21], Jin et al. [23], Ting et al. [24], Ali et al. [25], and Pan et al. [26] did not provide a secure-channel-free environment for the distribution of a private key between a user and the PKGC. In addition, the schemes of Ali et al. [21], Jin et al. [23], Ting et al. [24], Ali et al. [25], and Pan et al. [26] did not explain the security requirements for sender and receiver anonymity.

Table 4 contains the operating expenses as measured in milliseconds (ms) for the proposed scheme as well as those of Ali et al. [21], Jin et al. [23], Ting et al. [24], Ali et al. [25], and Pan et al. [26]. The time requirements for a single BPM were 4.31 ms; EX, 1.25 ms; EM, 0.97 ms; HEM, 0.48 ms; and PR, 14.90. The Multi-Precision Integer and Rational Arithmetic C Library (MIRACL) [27] was used to assess the performance of the proposed scheme by testing the runtime of the core cryptographic operations up to 1000 times. Observations were made on a workstation with the following specifications: 8 GB RAM and the Windows 7 Home Basic 64-bit operating system [28]. As seen in Figure 2, the proposed scheme had a lower computation cost than the schemes proposed by Ali et al. [21], Jin et al. [23], Ting et al. [24], Ali et al. [25], and Pan et al. [26].

Communication Costs
In this subsection, the proposed scheme is compared to the existing schemes; namely, those proposed by Ali et al. [21], Jin et al. [23], Ting et al. [24], Ali et al. [25], and Pan et al. [26] in terms of the communication costs. We listed the communication costs incurred based on the elliptic curve parameter size (|ECC q|), bilinear pairing parameter size (|BP G|), and a message size (|m|) for the proposed scheme and those of Ali et al. [
In addition, the communication cost analysis of the schemes of Ali et al. [21], Jin et al. [23], Ting et al. [24], Ali et al. [25], and Pan et al. [26] and the proposed scheme is provided in Table 5. As seen in Figure 3, the proposed scheme had a lower communication cost than the schemes proposed by Ali et al. [21], Jin et al. [23], Ting et al. [24], Ali et al. [25], and Pan et al. [26].

Conclusions
In this article, we proposed a heterogeneous signcryption scheme with an option for conditional privacy. In the proposed scheme, drones employed identity-based cryptography (IBC) while the ground station (GS) used the public key infrastructure (PKI). The proposed scheme was built on the hyperelliptic curve cryptosystem (HECC), and its security robustness was assessed using the random oracle model (ROM). In addition, we introduced a new idea in IBC for the proposed method in which the PKGC communicated the private key to drones in an encrypted format that did not require a secure channel. A complete security analysis under the ROM revealed that the proposed scheme was resistant to a variety of threats. When comparing the proposed scheme to the comparable schemes described by Ali et al. [21], Jin et al. [23], Ting et al. [24], Ali et al. [25], and Pan et al. [26], the results indicated that the proposed scheme was more cost-effective than the existing options in terms of the computation and communication costs. In addition, the findings indicated that the proposed scheme was suitable for IoD systems due to the algorithm's functionality and decreased computation and communication costs.
In future work, we intend to improve the proposed scheme so that it provides digital signatures and encryption not only simultaneously but also independently, based on application needs. In addition, we want to use the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool to double-check the security toughness of the proposed scheme.