Efficient Threshold Attribute-Based Signature Scheme for Unmanned Aerial Vehicle (UAV) Networks

Abstract

Unmanned aerial vehicles (UAVs) are highly versatile and cost-effective, making them an attractive option for various applications. In UAV networks, it is essential to implement a digital signature scheme to ensure the integrity and authentication of commands sent to UAVs. Moreover, this digital signature scheme not only maintains the real-time performance of UAVs while executing commands but also protects the identity privacy of the signer. To meet these needs, we propose an efficient threshold attribute-based proxy signature (t-ABPS) scheme that integrates a threshold predicate specifically designed for UAV networks. The formal security proof for the t-ABPS scheme demonstrates its existential unforgeability under selective-attribute and chosen-message attacks (EUF-sA-CMA) in the random oracle model. This scheme also ensures the identity privacy of the signer. Furthermore, we evaluate the computational costs and communication costs associated with the proposed scheme. Our analysis indicates that the t-ABPS scheme is more computationally efficient than other existing attribute-based proxy signature schemes, but it has higher communication costs.

1. Introduction

In the field of aviation technology, an unmanned aerial vehicle (UAV) is generally defined as an aircraft without a human pilot on board. When equipped with specialized equipment, such a vehicle can perform a wide range of tasks. The successful execution of these functions often relies on collaboration with additional computational devices and communication infrastructure. These components, along with the UAVs, can form a UAV network, which typically centers around the UAVs. As shown in Figure 1, a UAV network may include various components, such as UAVs, a command center, ground control stations (GCSs), satellites, mobile command vehicles, airships, etc. UAV networks exhibit several characteristics, including high mobility, dynamic topological structure, intermittent connectivity, and varying link quality [1,2].

With the rapid development of artificial intelligence (AI) and UAV technology, many UAVs now have autonomous capabilities that allow them to operate without real-time human control. These UAVs can independently plan routes and execute missions without any human intervention. Consequently, it is essential to protect the commands sent to these UAVs. Digital signature schemes are typically employed to ensure the integrity and authenticity of these commands.

1.1. Problem Statement

In a UAV network, it is crucial for every UAV to be connected to a command center, which holds the highest authority over the UAV. The command center sends commands to UAVs to instruct them to perform various tasks. Since UAVs have limited computation and communication resources and are often in airspace where conditions are unknown, links between UAVs and the command center or other communication facilities are usually considered insecure. The command center and other communication facilities have sufficient computation and communication resources, so links between them are usually considered secure. In order to protect the integrity and authentication of the commands sent from the command center to UAVs, it is necessary to implement a digital signature scheme.

The command center generates a digital signature for each command and sends both the command and its signature to the UAV. The UAV then conducts a signature verification process. If the signature is valid, the UAV will carry out the command; otherwise, it will consider the command counterfeit and will refuse to execute it.

There is a delay in transmitting commands from a command center to a UAV. Minimizing this delay is crucial, as it significantly impacts the UAV’s real-time operational effectiveness. One effective method to reduce this delay is to shorten the distance between the command center and the UAV. Therefore, the command center should be located as close to the UAV as possible.

However, a UAV is often deployed to a remote location far from the command center. In these situations, intermittent connections and varying link quality within UAV networks can hinder the timely reception of commands and signatures. To address this challenge, the command center may temporarily delegate command authority to a local agent near the UAV, such as a ground control station. This local agent is responsible for issuing commands and computing signatures on behalf of the command center. Once the commands and corresponding signatures are generated, the agent transmits them to the UAV. The UAV then verifies the signatures to determine whether to execute the commands. This requirement can be efficiently addressed through the implementation of a proxy signature scheme.

Some users want to issue commands to a UAV anonymously. A traditional digital signature scheme typically requires a user’s digital certificate or identification, which significantly increases the risk of revealing the user’s identity. A feasible solution is to allow command issuance based on attributes rather than identity. Each user possesses a set of attributes, and only those users whose attributes meet the specified requirements can issue commands to the UAV. In this case, the UAV only needs to confirm that the command was issued by a user with the required attributes without needing to identify the user, thus protecting the user’s identity privacy. This can be achieved through the implementation of an attribute-based signature (ABS) scheme.

In conclusion, we find that an attribute-based proxy signature (ABPS) scheme is more suitable for UAV networks. An ABPS scheme not only improves the real-time reception of commands by UAVs but also protects the privacy of the signer’s identity. However, many ABPS schemes tend to have high computational costs. It is necessary to reduce the computational costs in an ABPS scheme. To address this issue, we propose an efficient threshold ABPS (t-ABPS) scheme for UAV networks.

1.2. Our Contributions

In addressing the challenge of high computational overheads associated with attribute-based signature schemes, we present an efficient threshold attribute-based proxy signature (t-ABPS) scheme. The motivation behind this work stems from the growing need to enhance the performance and practicality of attribute-based cryptographic systems, especially in resource-constrained environments, such as UAV networks. By introducing a proxy signature scheme, we aim to make it possible for the original signer to send messages and signatures to the verifier in a timely manner.

To demonstrate the security of the proposed scheme, we prove its existential unforgeability. This property ensures that the scheme is resistant to potential attacks.

Furthermore, we perform a comprehensive analysis of the scheme’s efficiency, evaluating both the computation and communication costs. The results show that the proposed scheme significantly reduces the computational costs, making it more suitable for practical deployment in scenarios where computational resources are limited. The communication costs of the proposed scheme are larger than those of existing schemes.

The primary contribution of this paper lies in providing an efficient solution to the computational inefficiencies inherent in attribute-based signature schemes. By streamlining the attributes of the signers and verifier, we achieve a balance between security and efficiency, offering a promising signature scheme for applications in the UAV networks.

1.3. Organization of the Remainder of the Paper

The structure of this paper is organized as follows. Section 2 presents a comprehensive review of related work. Section 3 introduces the necessary preliminaries essential for understanding the subsequent discussion. In Section 4, we formally define the model and security framework of the proposed t-ABPS scheme. A detailed description of our t-ABPS scheme is provided in Section 5, with a thorough analysis of its properties and performance discussed in Section 6. Finally, Section 7 concludes the paper.

2. Related Work

2.1. Security Solutions for UAV Networks

Zhi et al. analyzed threats in a UAV system and considered that unsafe links between UAV and ground control stations are susceptible to attacks [3]. Samanth et al. considered it necessary to propose more suitable digital signature schemes for UAV networks [4]. Khan et al. proposed an identity-based generalized signcryption scheme for flying ad hoc networks [5]. Din et al. analyzed this scheme [5] and showed that it is not secure. They proposed an improved signcryption scheme [6]. Wang et al. proposed a data aggregate authentication scheme based on the ID-based encryption for UAV cluster networks [7]. Jan and Khan proposed two security frameworks for UAV networks [8]. One is based on identity and the other is an authentication scheme based on an aggregate signature scheme. He et al. proposed a certificateless designated verifier proxy signature (CLDVPS) scheme [9] for UAV networks. Xu et al. considered that a CLDVPS scheme [9] cannot resist user impersonation attacks and proposed an efficient CLDVPS scheme [10]. Abdel-Malek et al. proposed a lightweight authentication mechanism based on proxy signature for a swarm of UAVs [11]. Qu and Zeng proposed a certificateless proxy signcryption scheme for a UAV network [12]. Liu et al. proposed a lightweight trustworthy message exchange scheme for UAV networks by aggregating the cryptography and trust management technologies [13]. We compare some security solutions in

Table 1. Comparison of security solutions.

Security Solutions	Integrity	Authentication	Protection of Signer’s Identity
Din et al. [6]	√	√	×
Xu et al. [10]	√	√	×
Qu et al. [12]	√	√	×

. The symbol “√” indicates that the scheme meets the corresponding security, while the symbol “×” indicates that the scheme does not meet the corresponding security.

2.2. Attribute-Based Signature Schemes

In 2008, Maji et al. formally defined the security requirements of an ABS scheme and proposed a concrete ABS scheme [14]. They proved the security of this scheme in the generic group model. Furthermore, they discussed the possible applications of the ABS scheme. Su et al. proposed a revocable attribute-based signature scheme [15]. Zhang et al. proposed a reusable ABS scheme where the signer generated the signature associated with its attributes [16]. They defined this scheme and its security model and proposed a concrete construction. Blazy et al. proposed an anonymous attribute-based designated verifier signature scheme [17]. In this scheme, only users obtaining the attributes that satisfy the predicate can verify the signature. Liu et al. proposed a revocable and comparable ABS scheme from lattices [18]. This scheme implements user revocation and resists quantum attacks.

ABS schemes with a single attribute authority have some disadvantages. For example, a single attribute authority is a single point of failure and is not conducive to attribute segmentation. Therefore, Li et al. proposed an ABS with multiple attribute authorities [19]. There is a central attribute authority and some distributed attribute authorities in this ABS scheme. However, more ABS schemes with multiple attribute authorities do not need a central attribute authority, which are distributed ABS schemes. Li et al. proposed a flexible and distributed ABS scheme that supports various access structures [20]. Su et al. proposed a distributed ABS scheme for electricity trading in the smart grid [21].

One of the disadvantages of ABS schemes is higher computational costs for the user in computing and verifying the signature. In order to reduce the computational costs of the signer, Chen et al. proposed two outsourced ABS schemes [22]. In these schemes, the computational costs of the signer is outsourced to a signing cloud service provider. Tao et al. [23] proposed an outsourced distributed ABS scheme with multiple attribute authorities. Xiong et al. [24] proposed a server-aided ABS scheme. This scheme reduces the computational costs of the signer and verifier. Huang and Lin analyzed this scheme and considered that it cannot provide anonymity and is forgeable. Therefore, Huang and Lin proposed an improved scheme [25]. Li et al. proposed a distributed server-aided ABS scheme with multiple attribute authorities [26].

Liu et al. defined an ABPS scheme and constructed a concrete ABPS scheme [27]. He et al. proposed an ABPS scheme for UAV networks and proved its security [28]. He et al. also proposed an ABPS scheme that supports a flexible threshold predicate for UAV networks [29].

3. Preliminaries

3.1. Complexity Assumption

Definition 1 (Computational Diffie–Hellman (CDH) Problem). 

The variables $x,y\in {\mathbb{Z}}_q^{*}$ are unknown. Given $g,g^x,g^y\in \mathbb{G}$, compute $g^{xy}$.

3.2. Lagrange Interpolation

Let $t(·)$ be a $(d-1)$-degree polynomial over ${\mathbb{Z}}_q$ and S be a d-element set over ${\mathbb{Z}}_q$. The polynomial $t(·)$ can be constructed as $t\left(i\right)={\sum }_{j=1}^{d}t\left(j\right){\Delta }_{j,S}\left(i\right)$ where ${\Delta }_{j,S}\left(i\right)={\prod }_{\eta \in S,\eta \ne j}{\displaystyle \frac{i-\eta }{j-\eta }}$.

4. Formal Model and Security Model of a t-ABPS Scheme

In this section, we use the following notations in

Table 2. Notations and descriptions.

Notations	Description
$params$	public parameters
$MSK$	master secret key
${\omega }_{OS}$, ${\omega }_{PS}$, ${\omega }_{Ver}$	attribute sets of OS, PS, and Ver, respectively
$s{k}_{OS}$, $s{k}_{PS}$	private keys of OS, PS, respectively
$p{k}_{OS}$, $p{k}_{PS}$	public keys of OS, PS, respectively
w	warrant generated by OS
$del$	delegation computed by OS
m	message
$\sigma$	signature computed by PS

.

4.1. Formal Model of a t-ABPS Scheme

A t-ABPS scheme typically involves four principal entities, an attribute authority (AA), an original signer (OS), a proxy signer (PS), and a verifier (Ver). The AA is responsible for initializing the system and generating private keys required by the OS and PS. The OS generates a warrant and computes a delegation for the PS, who then computes a signature based on the received delegation and its private key. The verifier verifies the signature. The ABPS scheme is fundamentally structured around the algorithms Setup, Extract, DelG, DelV, Sign, and Verify. The inputs and outputs of these algorithms are similar to those of ABPS-HL1 [28] scheme and ABPS-HL2 [29] scheme.

4.2. Security Model of a t-ABPS Scheme

Unforgeability

According to the security models in [30], we also divide adversaries into three categories, ${\mathcal{A}}_{\mathcal{I}}$, ${\mathcal{A}}_{\mathcal{II}}$, and ${\mathcal{A}}_{\mathcal{III}}$. We mainly consider ${\mathcal{A}}_{\mathcal{II}}$ and ${\mathcal{A}}_{\mathcal{III}}$ in the security model. We introduce the concept of existential unforgeability under selective-attribute and chosen-message attacks (EUF-sA-CMA).

1. EUF-sA-CMA against ${\mathcal{A}}_{\mathcal{II}}$

The EUF-sA-CMA against ${\mathcal{A}}_{\mathcal{II}}$ is formally defined through the following game.

(1) Initialization: ${\mathcal{A}}_{\mathcal{II}}$ selects the challenge attribute set ${\omega }^{*}$ and the challenge message $m^{*}$.

(2) Setup: The challenger $\mathcal{C}$ selects a security parameter and executes the Setup algorithm to generate $params$ and $MSK$. Subsequently, $\mathcal{C}$ executes the Extract algorithm to generate $s{k}_{OS}$ and $p{k}_{OS}$ for an OS. Similarly, $\mathcal{C}$ generates $s{k}_{PS}$ and $p{k}_{PS}$ for a PS. $\mathcal{C}$ retains the $MSK$ and $s{k}_{OS}$ confidentially while transmitting $params$ along with the tuple $(p{k}_{OS},s{k}_{PS},p{k}_{PS})$ to the adversary ${\mathcal{A}}_{\mathcal{II}}$.

(3) Queries: ${\mathcal{A}}_{\mathcal{II}}$ is permitted to issue a polynomially bounded number of queries to three distinct oracles: the private key extraction oracle ($\mathbb{PKEO}$), the delegation generation oracle ($\mathbb{DGO}$), and the signing oracle ($\mathbb{SO}$). The inputs and outputs of these oracles are listed in the

Table 3. Inputs and outputs of different oracles.

Oracles	Inputs	Outputs
$\mathbb{PKEO}$	$\omega$	the corresponding private key
$\mathbb{DGO}$	w, $\omega$	$del$
$\mathbb{SO}$	w, $\omega$, m	$\sigma$

.

(4) Forgery: ${\mathcal{A}}_{\mathcal{II}}$ outputs a signature ${\sigma }^{*}$ on $w^{*}$, $m^{*}$, and ${\omega }^{*}$.

${\mathcal{A}}_{\mathcal{II}}$ wins the game if the forgery meets the following conditions:

• ${\mathcal{A}}_{\mathcal{II}}$ has not previously submitted any $\omega$ to $\mathbb{PKEO}$ such that $|\omega \cap {\omega }^{*}|\ge d$.
• ${\mathcal{A}}_{\mathcal{II}}$ has not previously submitted the pair ($w^{*}$, ${\omega }^{*}$) to $\mathbb{DGO}$.
• ${\mathcal{A}}_{\mathcal{II}}$ has not previously submitted the tuple ($m^{*}$, $w^{*}$, ${\omega }^{*}$) to $\mathbb{SO}$.
• The signature ${\sigma }^{*}$ is valid.

Definition 2 (EUF-sA-CMA against ${\mathcal{A}}_{\mathcal{II}}$). 

A t-ABPS scheme possesses EUF-sA-CMA against ${\mathcal{A}}_{\mathcal{II}}$ if the success probability of any polynomially bounded adversary ${\mathcal{A}}_{\mathcal{II}}$ in the aforementioned game is negligible. It is expressed as $Pr{o}_{ABPS,{\mathcal{A}}_{\mathcal{II}}}^{EUF-sA-CMA}\le \epsilon$, where ε represents a negligible value.

2. EUF-sA-CMA against ${\mathcal{A}}_{\mathcal{III}}$

The EUF-sA-CMA against ${\mathcal{A}}_{\mathcal{III}}$ is defined through a similar game. Its Initialization and Setup phases are similar to these phases in the game of EUF-sA-CMA against ${\mathcal{A}}_{\mathcal{II}}$. The difference is that $\mathcal{C}$ retains $s{k}_{PS}$ confidentially and transmits $(p{k}_{OS},s{k}_{OS},p{k}_{PS})$ to ${\mathcal{A}}_{\mathcal{III}}$. In the Queries phase, ${\mathcal{A}}_{\mathcal{II}}$ is permitted to issue a polynomially bounded number of queries to $\mathbb{PKEO}$ and $\mathbb{SO}$. Finally, ${\mathcal{A}}_{\mathcal{III}}$ outputs a signature ${\sigma }^{*}$ on $w^{*}$, $m^{*}$, and ${\omega }^{*}$.

${\mathcal{A}}_{\mathcal{III}}$ wins the game if the forgery meets the following conditions:

• ${\mathcal{A}}_{\mathcal{III}}$ has not previously submitted any $\omega$ to $\mathbb{PKEO}$ such that $|\omega \cap {\omega }^{*}|\ge d$.
• ${\mathcal{A}}_{\mathcal{III}}$ has not previously submitted the triplet ($m^{*}$, $w^{*}$, ${\omega }^{*}$) to $\mathbb{SO}$.
• The signature ${\sigma }^{*}$ is valid.

Definition 3 (EUF-sA-CMA against ${\mathcal{A}}_{\mathcal{III}}$). 

A t-ABPS scheme possesses EUF-sA-CMA against ${\mathcal{A}}_{\mathcal{III}}$ if the success probability of any polynomially bounded adversary ${\mathcal{A}}_{\mathcal{III}}$ in the aforementioned game is negligible. It is expressed as $Pr{o}_{ABPS,{\mathcal{A}}_{\mathcal{III}}}^{EUF-sA-CMA}\le \epsilon$, where ε represents a negligible value.

Definition 4 (EUF-sA-CMA). 

A t-ABPS scheme has EUF-sA-CMA if it has EUF-sA-CMA against ${\mathcal{A}}_{\mathcal{II}}$ and ${\mathcal{A}}_{\mathcal{III}}$.

5. t-ABPS Scheme for UAV Networks

5.1. Overview of a t-ABPS Scheme

In the t-ABPS scheme, there are four primary participants: an AA, an OS, a PS, and a Ver. In the context of a UAV network, we assume the presence of an AA, a command center, a ground control station, and a UAV. The command center serves as the OS and possesses the attribute set ${\omega }_o$ and private key $s{k}_o$. The ground control station acts as the PS, holding the attribute set ${\omega }_p$ and private key $s{k}_p$, while the UAV functions as the verifier and has the attribute set ${\omega }_v$. For the sake of clarity and simplicity in both research and presentation, we assume that both the OS and the PS share the same threshold within the proposed t-ABPS scheme. Our t-ABPS scheme mainly includes the following steps, which are illustrated in Figure 2.

(1) An AA generates private key for a command center, a ground control station, and a UAV, respectively.

(2) The command center plays the role of the trusted original signer. It generates a warrant, computes a delegation, and sends them to the ground control station over a secure link.

(3) The ground control station plays the role of the trusted proxy signer. It verifies the delegation.

(4) The ground control station computes the signature of a command. It sends them to the UAV over an insecure link.

(5) The UAV plays the role of the verifier. It verifies the signature.

5.2. t-ABPS Scheme

The proposed t-ABPS scheme is composed of the following key algorithms.

5.2.1. Setup

We use $\mathbb{G}$ and ${\mathbb{G}}_T$ to denote two cyclic multiplicative groups with prime order q. Let $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$ be a bilinear map. We define three hash functions $H_1,H_2,H_3:{\{0,1\}}^{*}\to \mathbb{G}$ and the attributes as elements in ${\mathbb{Z}}_q$. The AA initializes the system as follows.

(i)

It randomly selects the generator $g\in \mathbb{G}$, $\alpha \in {\mathbb{Z}}_q^{*}$, and $g_2\in \mathbb{G}$.

(ii)

It computes $g_1=g^{\alpha }$ and $Z=e(g_2,g_1)$.

(iii)

It outputs the public parameters $params=(g,g_1,g_2,Z,d,H_1,H_2,H_3)$ and sets $\alpha$ as the master key.

5.2.2. Extract

The AA generates private keys for the command center (OS), ground control station (PS), and UAV (Ver). It is supposed that ${\omega }_o$, ${\omega }_p$, and ${\omega }_v$ are the attribute sets of the command center, ground control station, and UAV, respectively, and $\left|{\omega }_o\right|=|{\omega }_p|=\left|{\omega }_v\right|=n$. The AA selects a $(d-1)$ degree polynomial $t(·)$ such that $t\left(0\right)=\alpha$. It generates private keys for the command center as follows.

(i)

It randomly selects $r_{i_o}\in {\mathbb{Z}}_q$.

(ii)

It computes the private key for command center as $D_{i_o}=(d_{i_{o}0},d_{i_{o}1})=(g_2^{t\left(i_o\right)}{H}_1{\left(i_o\right)}^{r_{i_o}},g^{r_{i_o}})$ for every $i_o\in {\omega }_o$.

The AA generates private keys for the ground control station as follows.

(i)

It randomly selects $r_{i_p}\in {\mathbb{Z}}_q$.

(ii)

It computes the private key for the ground control station as $D_{i_p}=(d_{i_{p}0},d_{i_{p}1})=(g_2^{t\left(i_p\right)}{H}_1{\left(i_p\right)}^{r_{i_p}},g^{r_{i_p}})$ for every $i_p\in {\omega }_p$.

The AA generates private keys for the UAV as follows.

(i)

It randomly selects $r_{i_v}\in {\mathbb{Z}}_q$.

(ii)

It computes the private key for UAV as $D_{i_v}=(d_{i_{v}0},d_{i_{v}1})=(g_2^{t\left(i_v\right)}{H}_1{\left(i_v\right)}^{r_{i_v}},g^{r_{i_v}})$ for every $i_v\in {\omega }_v$.

5.2.3. Delegation Generate

The command center generates delegation for the ground control station as follows.

(i)

It randomly generates $s_{i_o}\in {\mathbb{Z}}_q$ for $i_o\in {\omega }_o$.

(ii)

It generates the warrant w for the proxy signer.

(iii)

It computes the delegation $({\sigma }_{i_o,0},{\sigma }_{i_o,1},{\sigma }_{i_o,2})$ as ${\sigma }_{i_o,0}=d_{i_{o}0}{H}_2{\left(w\right)}^{s_{i_o}}$, ${\sigma }_{i_o,1}=d_{i_{o}1}$, ${\sigma }_{i_o,2}=g^{s_{i_o}}$, where $i_o\in {\omega }_o$.

(iv)

It sends $(w,{\omega }_o,{\sigma }_{i_o,0},{\sigma }_{i_o,1},{\sigma }_{i_o,2})$ to the ground control station.

5.2.4. Delegation Verify

The ground control station verifies the delegation as follows.

(i)

It chooses a set $S_o\subseteq {\omega }_o\cap {\omega }_p$, where $\left|S_o\right|=d$ and $S_o=\{i_{o,1},i_{o,2}\dots i_{o,j_o},\dots i_{o,d}\}$.

(ii)

It verifies the delegation by checking if the equation holds.

$$\prod _{i_{o,j_o}\in S_o}{({\displaystyle \frac{e({\sigma }_{i_{o,j_o},0},g)}{e(H_1\left(i_{o,j_o}\right),{\sigma }_{i_{o,j_o},1})e(H_2\left(w\right),{\sigma }_{i_{o,j_o},2})}})}^{{\Delta }_{i_{o,j_o},S_o}\left(0\right)}=Z$$

5.2.5. Sign

The ground control station computes the signature as follows.

(i)

It randomly generates $s_{i_p}\in {\mathbb{Z}}_q$ for $i_p\in {\omega }_p$.

(ii)

It computes the signature $({\sigma }_{i_p,0},{\sigma }_{i_p,1},{\sigma }_{i_p,2})$ as ${\sigma }_{i_p,0}={\sigma }_{i_o,0}^{{\displaystyle \frac{{\Delta }_{i_o,{\omega }_o}\left(0\right)}{{\Delta }_{i_p,{\omega }_p}\left(0\right)}}}{d}_{i_{p}0}{H}_3{\left(m\right)}^{s_{i_p}}$, ${\sigma }_{i_p,1}=d_{i_{p}1}$, ${\sigma }_{i_p,2}=g^{s_{i_p}}$, where $i_p\in {\omega }_p$.

(iii)

It sends $(w,{\omega }_p,{\sigma }_{i_p,0},{\sigma }_{i_p,1},{\sigma }_{i_p,2},{\sigma }_{i_o,1},{\sigma }_{i_o,2})$ to the UAV.

5.2.6. Verify

The UAV verifies the proxy signature as follows.

(i)

It chooses a set $S_p\subseteq {\omega }_p\cap {\omega }_v$, where $\left|S_p\right|=d$ and $S_p=\{S_{p,1},S_{p,2}\dots S_{p,j_p},\dots S_{p,d}\}$.

(ii)

It verifies the signature by checking if the equation holds.

$$\begin{array}{cc}\hfill \prod _{i_{o,j_o}\in S_o,i_{p,j_p}\in S_p,j_o=j_p}& [{({\displaystyle \frac{e({\sigma }_{i_{p,j_p},0},g)}{e(H_1(i_{p,j_p}),{\sigma }_{i_{p,j_p},1})e(H_3(m),{\sigma }_{i_{p,j_p},2})}})}^{{\Delta }_{i_{p,j_p},S_p}(0)}\hfill \\ & ·{({\displaystyle \frac{1}{e(H_1(i_{o,j_o}),{\sigma }_{i_{o,j_o},1})e(H_2(w),{\sigma }_{i_{o,j_o},2})}})}^{{\Delta }_{i_{o,j_o},S_o}(0)}]=Z^2\hfill \end{array}$$

(iii)

It outputs a boolean value $Accept$ if the equation holds. Otherwise, it outputs a boolean value $Reject$.

6. t-ABPS Scheme Analysis

6.1. Correctness

Firstly, we prove the correctness of the algorithms DelGen and DelVer.

$$\begin{array}{cc}& \prod _{i_{o,j_o}\in S_o}{({\displaystyle \frac{e({\sigma }_{i_{o,j_o},0},g)}{e(H_1(i_{o,j_o}),{\sigma }_{i_{o,j_o},1})e(H_2(w),{\sigma }_{i_{o,j_o},2})}})}^{{\Delta }_{i_{o,j_o},S_o}(0)}\hfill \\ \hfill =& \prod _{i_{o,j_o}\in S_o}{({\displaystyle \frac{e(g_2^{t(i_{o,j_o})}{H}_1{(i_{o,j_o})}^{r_{i_{o,j_o}}}{H}_2{(w)}^{s_{i_{o,j_o}}},g)}{e(H_1(i_{o,j_o}),g^{r_{i_{o,j_o}}})e(H_2(w),g^{s_{i_{o,j_o}}})}})}^{{\Delta }_{i_{o,j_o},S_o}(0)}\hfill \\ \hfill =& \prod _{i_{o,j_o}\in S_o}e{(g_2^{t(i_{o,j_o})},g)}^{{\Delta }_{i_{o,j_o},S_o}(0)}\hfill \\ \hfill =& e(g_2^{\alpha },g)\hfill \\ \hfill =& Z\hfill \end{array}$$

Secondly, we prove the correctness of the algorithms Sign and Verify.

$$\begin{array}{cc}\hfill \prod _{i_{o,j_o}\in S_o,i_{p,j_p}\in S_p,j_o=j_p}& [{({\displaystyle \frac{e({\sigma }_{i_{p,j_p},0},g)}{e(H_1(i_{p,j_p}),{\sigma }_{i_{p,j_p},1})e(H_3(m),{\sigma }_{i_{p,j_p},2})}})}^{{\Delta }_{i_{p,j_p},S_p}(0)}\hfill \\ & ·{({\displaystyle \frac{1}{e(H_1(i_{o,j_o}),{\sigma }_{i_{o,j_o},1})e(H_2(w),{\sigma }_{i_{o,j_o},2})}})}^{{\Delta }_{i_{o,j_o},S_o}(0)}]\hfill \\ \hfill =& \prod _{i_{o,j_o}\in S_o,i_{p,j_p}\in S_p,j_o=j_p}[{({\displaystyle \frac{e(g_2^{t(i_{p,j_p})}{H}_1{(i_{p,j_p})}^{r_{i_{p,j_p}}}{H}_3{(m)}^{s_{i_p}},g)}{e(H_1(i_{p,j_p}),{\sigma }_{i_{p,j_p},1})e(H_3(m),{\sigma }_{i_{p,j_p},2})}})}^{{\Delta }_{i_{p,j_p},S_p}(0)}\hfill \\ & ·{({\displaystyle \frac{e({\sigma }_{i_{o,j_o},0},g)}{e(H_1(i_{o,j_o}),{\sigma }_{i_{o,j_o},1})e(H_2(w),{\sigma }_{i_{o,j_o},2})}})}^{{\Delta }_{i_{o,j_o},S_o}(0)}]\hfill \\ \hfill =& (\prod _{i_{o,j_o}\in S_o,i_{p,j_p}\in S_p,j_o=j_p}e{(g_2^{t(i_{p,j_p})},g)}^{{\Delta }_{i_{p,j_p},S_p}(0)})·Z\hfill \\ \hfill =& Z^2\hfill \end{array}$$

Therefore, the t-ABPS scheme is correct.

6.2. Security Analysis

In this subsection, we prove that our t-ABPS scheme possesses unforgeability.

Theorem 1.

The proposed ABPS scheme achieves EUF-sA-CMA against ${\mathcal{A}}_{\mathcal{II}}$ in the random oracle model, provided that the CDH assumption holds in group $\mathbb{G}$.

Proof. 

${\mathcal{A}}_{\mathcal{II}}$ implements an attack on our t-ABPS scheme with a success probability of $\epsilon$. It issues $q_{H_1}$, $q_{H_2}$, $q_{H_3}$, $q_K$, $q_D$, and $q_S$ queries to the $H_1$ oracle (${\mathbb{HO}}_1$), $H_2$ oracle (${\mathbb{HO}}_2$), $H_3$ oracle (${\mathbb{HO}}_3$), $\mathbb{PKEO}$, $\mathbb{DGO}$, and $\mathbb{SO}$, respectively. We will construct an algorithm $\mathcal{B}$ that uses ${\mathcal{A}}_{\mathcal{II}}$ to solve the CDH problem with a probability ${\epsilon }^{\prime }$. This algorithm is provided with a random instance of the CDH problem, represented as $(g,X=g^x,Y=g^y)$, where x and y are randomly selected from ${\mathbb{Z}}_q$. Our goal is to construct $\mathcal{B}$ such that it can compute $g^{xy}$, therefore solving the CDH problem.

${\mathcal{A}}_{\mathcal{II}}$ outputs the challenge attribute set ${\omega }^{*}$. $\mathcal{B}$ randomly selects $\nu \in \{1,2,\dots ,q_{H_2}\}$, $\xi \in \{1,2,\dots ,q_{H_3}\}$ and sets $g_1=X$, $g_2=Y$. ${\mathcal{A}}_{\mathcal{II}}$ will query these oracles above as follows, where the random numbers $a_i,b_i,a_{i^{\prime }}^{\prime },c_{i^{\prime }}^{\prime },a_{i^{″}}^{″},c_{i^{″}}^{″}$, $f_i$, $r_i^{\prime }$ are selected from ${\mathbb{Z}}_q$.

${\mathbb{HO}}_1$: ${\mathcal{A}}_{\mathcal{II}}$ submits a query to ${\mathbb{HO}}_1$ with an input i. If $i\in {\omega }^{*}$, $\mathcal{B}$ will output $g^{b_i}$. Otherwise, $\mathcal{B}$ will output $g_1^{-b_i}{g}^{a_i}$. It adds the output to the $H_1$-List.

${\mathbb{HO}}_2$: ${\mathcal{A}}_{\mathcal{II}}$ submits a query to ${\mathbb{HO}}_2$ with an input $w_{i^{\prime }}$. If $i^{\prime }=\nu$, $\mathcal{B}$ will output $g^{a_{i^{\prime }}^{\prime }}$. Otherwise, $\mathcal{B}$ will output $g_1^{c_{i^{\prime }}^{\prime }}{g}^{a_{i^{\prime }}^{\prime }}$. It adds the output to the $H_2$-List.

${\mathbb{HO}}_3$: ${\mathcal{A}}_{\mathcal{II}}$ submits a query to ${\mathbb{HO}}_3$ with an input $m_{i^{″}}$. If $i^{″}=\xi$, $\mathcal{B}$ will output $g^{a_{i^{″}}^{″}}$. Otherwise, $\mathcal{B}$ will output $g_1^{c_{i^{″}}^{″}}{g}^{a_{i^{″}}^{″}}$. It adds the output to the $H_3$-List.

$\mathbb{PKEO}$: ${\mathcal{A}}_{\mathcal{II}}$ submits a query to $\mathbb{PKEO}$ with an input $\omega$ and $|\omega \cap {\omega }^{*}|<d$. $\mathcal{B}$ defines three sets $\Gamma =\omega \cap {\omega }^{*}$, $\Gamma \subseteq {\Gamma }^{\prime }\subseteq \omega$ and $\left|{\Gamma }^{\prime }\right|=d-1$, $S={\Gamma }^{\prime }\cup \left\{0\right\}$. For $i\in {\Gamma }^{\prime }$, $\mathcal{B}$ simulates the key as $D_i=(d_{i0},d_{i1})=(g_2^{f_i}{H}_1{\left(i\right)}^{r_i},g^{r_i})$. For $i\in \omega \setminus {\Gamma }^{\prime }$, $\mathcal{B}$ sets $r_i={\displaystyle \frac{{\Delta }_{0,S}\left(i\right)}{b_i}}y+r_i^{\prime }$, $t\left(i\right)={\Sigma }_{j\in {\Gamma }^{\prime }}{\Delta }_{j,S}\left(i\right)t\left(j\right)+{\Delta }_{0,S}\left(i\right)t\left(0\right)$, and $t\left(0\right)=x$. It simulates the key as $(d_{i0}=g_2^{{\displaystyle \frac{{\Delta }_{0,S}\left(i\right)a_i}{b_i}}+{\Sigma }_{j\in {\Gamma }^{\prime }}{\Delta }_{j,S}\left(i\right)t\left(j\right)}{\left(H_1\left(i\right)\right)}^{r_i^{\prime }}$, $d_{i1}=g_2^{{\displaystyle \frac{{\Delta }_{0,S}\left(i\right)}{b_i}}}{g}^{r_i^{\prime }})$.

$\mathbb{DGO}$: ${\mathcal{A}}_{\mathcal{II}}$ submits a query to $\mathbb{DGO}$ with an input (w, $\omega$). If $|\omega \cap {\omega }^{*}|<d$, $\mathcal{B}$ can obtain the simulated private key by querying the $\mathbb{PKEO}$, and then it can generate the delegation based on the key. If $|\omega \cap {\omega }^{*}|\ge d$ and $H_2\left(w_{i^{\prime }}\right)=g^{a_{i^{\prime }}^{\prime }}$, it is aborted. If $|\omega \cap {\omega }^{*}|\ge d$ and $H_2\left(w_{i^{\prime }}\right)\ne g^{a_{i^{\prime }}^{\prime }}$, $\mathcal{B}$ selects random number $s_i^{\prime },r_i\in {\mathbb{Z}}_q$ and sets $s_i=s_i^{\prime }-{\displaystyle \frac{y}{c_i^{\prime }}}$, where $i\in \omega$. It also selects a $d-1$ degree polynomial $t^{\prime }\left(i\right)$ such that $t^{\prime }\left(i\right)=t\left(i\right)-x$. It simulates the delegation as ${\sigma }_{i_o,0}=g_2^{t^{\prime }\left(i\right)-{\displaystyle \frac{a_i^{\prime }}{c_i^{\prime }}}}{H}_1{\left(i\right)}^{r_i}{\left(g_1^{c_i^{\prime }}{g}^{a_i^{\prime }}\right)}^{s_i^{\prime }}$, ${\sigma }_{i_o,1}=g^{r_i}$, ${\sigma }_{i_o,2}=g^{s_i^{\prime }}{g}_2^{{\displaystyle \frac{-1}{c_i^{\prime }}}}$.

$\mathbb{SO}$: ${\mathcal{A}}_{\mathcal{II}}$ submits a query to $\mathbb{SO}$ with an input $(m,w)$. If $H_2\left(w_{i^{\prime }}\right)=g^{a_{i^{\prime }}^{\prime }}$ and $H_3\left(m_{i^{″}}\right)=g^{a_{i^{″}}^{″}}$, it is aborted. Otherwise, $\mathcal{B}$ outputs the signature.

After these queries, ${\mathcal{A}}_{\mathcal{II}}$ outputs a forged signature ${\sigma }^{*}$ on ($m^{*}$, $w^{*}$, ${\omega }^{*}$). We can obtain the following equation.

$$\begin{array}{cc}\hfill \prod _{i_{o,j_o}\in S_o,i_{p,j_p}\in S_p,j_o=j_p}& [{({\displaystyle \frac{e({\sigma }_{i_{p,j_p},0}^{*},g)}{e(H_1(i_{p,j_p}),{\sigma }_{i_{p,j_p},1}^{*})e(H_3(m),{\sigma }_{i_{p,j_p},2}^{*})}})}^{{\Delta }_{i_{p,j_p},S_p}(0)}\hfill \\ & ·{({\displaystyle \frac{1}{e(H_1(i_{o,j_o}),{\sigma }_{i_{o,j_o},1}^{*})e(H_2(w),{\sigma }_{i_{o,j_o},2}^{*})}})}^{{\Delta }_{i_{o,j_o},S_o}(0)}]\hfill \\ & =\prod _{i_{o,j_o}\in S_o,i_{p,j_p}\in S_p,j_o=j_p}[{({\displaystyle \frac{e({\sigma }_{i_{p,j_p},0}^{*},g)}{e(g^{b_{i_{p,j_p}}},{\sigma }_{i_{p,j_p},1}^{*})e(g^{a_{\xi }^{″}},{\sigma }_{i_{p,j_p},2}^{*})}})}^{{\Delta }_{i_{p,j_p},S_p}(0)}\hfill \\ & ·{({\displaystyle \frac{1}{e(g^{b_{i_{o,j_o}}},{\sigma }_{i_{o,j_o},1}^{*})e(g^{a_{\nu }^{\prime }},{\sigma }_{i_{o,j_o},2}^{*})}})}^{{\Delta }_{i_{o,j_o},S_o}(0)}]\hfill \\ & =\prod _{i_{o,j_o}\in S_o,i_{p,j_p}\in S_p,j_o=j_p}[{({\displaystyle \frac{e({\sigma }_{i_{p,j_p},0}^{*},g)}{e(g,{({\sigma }_{i_{p,j_p},1}^{*})}^{b_{i_{p,j_p}}})e(g,{({\sigma }_{i_{p,j_p},2}^{*})}^{a_{\xi }^{″}})}})}^{{\Delta }_{i_{p,j_p},S_p}(0)}\hfill \\ & ·{({\displaystyle \frac{1}{e(g,{({\sigma }_{i_{o,j_o},1}^{*})}^{b_{i_{o,j_o}}})e(g,{({\sigma }_{i_{o,j_o},2}^{*})}^{a_{\nu }^{\prime }})}})}^{{\Delta }_{i_{o,j_o},S_o}(0)}]\hfill \\ & =e(g,g^{xy})\hfill \end{array}$$

Therefore, $\mathcal{B}$ can compute

$$g^{xy}=\prod _{i_{o,j_o}\in S_o,i_{p,j_p}\in S_p,j_o=j_p}[{({\displaystyle \frac{{\sigma }_{i_{p,j_p},0}^{*}}{{({\sigma }_{i_{p,j_p},1}^{*})}^{b_{i_{p,j_p}}}{({\sigma }_{i_{p,j_p},2}^{*})}^{a_{\xi }^{″}}}})}^{{\Delta }_{i_{p,j_p},S_p}(0)}·{({\displaystyle \frac{1}{{({\sigma }_{i_{o,j_o},1}^{*})}^{b_{i_{o,j_o}}}{({\sigma }_{i_{o,j_o},2}^{*})}^{a_{\nu }^{\prime }}}})}^{{\Delta }_{i_{o,j_o},S_o}(0)}]$$

According to the security model, we compute ${\epsilon }^{\prime }\approx {\displaystyle \frac{\epsilon }{q_{H_2}^2{q}_{H_3}{\left(\genfrac{}{}{0pt}{}{d-1}{n}\right)}^2}}$, where n is the number of attributes in the $\omega$. Therefore, this scheme has EUF-sA-CMA against ${\mathcal{A}}_{\mathcal{II}}$. □

Theorem 2.

The proposed ABPS scheme achieves EUF-sA-CMA against ${\mathcal{A}}_{\mathcal{III}}$ in the random oracle model, provided that the CDH assumption holds in the group $\mathbb{G}$.

Proof. 

The proof is similar to the proof Theorem 1. We compute ${\epsilon }^{\prime }\approx {\displaystyle \frac{\epsilon }{q_{H_2}{q}_{H_3}\left(\genfrac{}{}{0pt}{}{d-1}{n}\right)}}$. Therefore, this scheme has EUF-sA-CMA against ${\mathcal{A}}_{\mathcal{III}}$. □

In conclusion, this ABPS scheme has EUF-sA-CMA.

In the t-ABPS scheme, the original signer uses its own attributes rather than identity to compute the delegation. The proxy signer also uses its own attributes rather than identity to compute the signature. An adversary cannot obtain the identities of the signers. The original signer and the proxy signer do not obtain each other’s identity information. Therefore, the t-ABPS scheme protects the signer’s identity privacy.

6.3. Efficiency Analysis

In this subsection, we compare the efficiency of our t-ABPS scheme to some other schemes, which include the ABPS-HL1 [28] scheme and the ABPS-HL2 [29] scheme. Firstly, we compare their computational costs based on the computational time of different algorithms. Secondly, we compare their communication costs according to the length of the signature.

6.3.1. Computational Costs

Each of these ABPS schemes uses some basic operations, such as exponential operations, hash operations, and pairing operations. We theoretically analyze these schemes and obtain the amount of these operations in the algorithm Sign and algorithm Verify, respectively. The results are listed in

Table 4. Amount of some operations in Sign.

Signature Schemes	Exponential Operation	Hash Operation	Pairing Operation
t-ABPS	3n	1	0
ABPS-HL1	6d	d + 1	0
ABPS-HL2	2n + 4d − 2k + 2	n + d − k + 1	0

and

Table 5. Amount of some operations in Verify.

Signature Schemes	Exponential Operation	Hash Operation	Pairing Operation
t-ABPS	2d	2d + 2	5d
ABPS-HL1	2d	2d + 2	4d + 1
ABPS-HL2	0	2(n + d − k + 1)	2(n + d − k) + 3

, where n represents the number of attributes, and k represents the threshold value.

We obtain the computational time of these basic operations by using the Java pairing-based cryptography (jPBC) library [31]. The experimental environment is a PC with Intel i5-13400 CPU and 16 GB RAM. We use a $TypeA$ pairing. In this pairing, the variable $rBits$ is equal to 160, which refers to the bit length of the order of the group’s generator and the variable $qBits$ is equal to 512, which refers to the bit length of the finite field. The experiment results show that the exponential operation, hash operation, and pairing operation take $10.04$ ms, $21.27$ ms, and $9.18$ ms respectively.

According to the analysis and experiment results, we are able to estimate the computational time of algorithm Sign and algorithm Verify in these ABPS schemes. For the convenience of research and presentation, it is assumed the variables $n=1.5d,d=2k$. The results are illustrated in Figure 3 and Figure 4.

Figure 3 presents a comparative analysis of the computational time in milliseconds (ms) for computing signatures as a function of the variable d, which extends from 6 to 40. This metric is important for evaluating the efficiency of algorithm Sign in the t-ABPS scheme, the ABPS-HL1 scheme, and the ABPS-HL2 scheme.

The t-ABPS scheme shows a gradual increase in the computational time of algorithm Sign. It suggests that this scheme maintains a relatively stable performance increase. The ABPS-HL1 scheme shows a more pronounced increase in the computational time of algorithm Sign. The ABPS-HL2 scheme shows the most significant increase in the computational time of algorithm Sign. These steeper slopes may imply less efficient handling of a larger number of attributes. In summary, the t-ABPS scheme is the most efficient in terms of cost time of algorithm Sign, followed by ABPS-HL1, with ABPS-HL2 being the least efficient. Therefore, the ground control station, as the proxy signer, takes the least time to compute the proxy signature.

Figure 4 it shows the computational time of the algorithm Verify in different schemes. The computational time grows linearly with the value of the variable d. When the variable $d=6$, the computational times of the algorithm Verify are very close in the three schemes. However, as the value of the variable d increases, the differences in computational time among the three schemes become more obvious. The computational time of the t-ABPS scheme is longer than that of the ABPS-HL1 scheme and shorter than that of the ABPS-HL2 scheme. Therefore, the UAV, as the verifier, also takes less time to verify the proxy signature.

In order to better reflect the computational time by the different schemes as a whole, we calculated the sums of the computational times by the algorithm Sign and the algorithm Verify in different schemes. The results are illustrated as Figure 5. The sum also grows linearly with the value of the variable d. When the variable $d=6$, the sums are very close in the three schemes. However, as the value of the variable d increases, the differences become more obvious. Overall, the t-ABPS scheme needs less computational time. That is, the ground control station and verifier need less time to compute and verify the signature.

6.3.2. Communication Costs

A signer needs to send a digital signature to a verifier. Therefore, we consider the length of the signature to be the communication cost. We theoretically analyze the length of these signature schemes in

Table 6. Signature length of different ABPS schemes.

Signature Schemes	Signature Length
t-ABPS	$5n\left|G\right|$
ABPS-HL1	$(4d+1)\left|G\right|$
ABPS-HL2	$\left(2\right(n+d-k)+3)\left|G\right|$

. The communication cost of t-ABPS is at the same level as that of the ABPS-HL1 and ABPS-HL2 schemes.

For more accurate analyses, it is assumed the variables $n=1.5d,d=2k$, and $\left|G\right|=512$ bits. The results are illustrated in Figure 6.

This graph offers a detailed examination of the signature length in kilobytes (KB) for three distinct algorithms, t-ABPS, ABPS-HL1, and ABPS-HL2, across a variable d that spans from 6 to 40. Regardless of the value of the variable d taken between 6 and 40, the signature length of the t-ABPS scheme is longer than that of the other two schemes. The t-ABPS scheme shows an obvious upward trajectory, indicating an increase in signature length. This trend suggests that t-ABPS prioritizes lower computational costs, albeit at the expense of larger signature sizes. The ABPS-HL1 and ABPS-HL2 schemes demonstrate a more gradual ascent in signature length. It implies a more balanced approach to computational costs and signature length. Therefore, the t-ABPS scheme has larger communication costs than the other schemes.

6.3.3. Discussion

In this section, we analyzed the security and efficiency of the t-ABPS scheme and other ABPS schemes.

1. Security

We proved the t-ABPS scheme has EUF-sA-CMA in the random oracle model (ROM). It protects the original signer’s privacy and the proxy signer’s privacy because it uses attributes instead of identities to compute and verify the signature. No one can obtain the identities of the signers from the signatures.

The ABPS-HL1 scheme has been proven to have EUF-sA-CMA in the random oracle model. The ABPS-HL2 scheme has been proven to have existential unforgeability under selective-predicate and chosen-message attacks (EUF-sP-CMA). Both of the two schemes use attributes instead of identities to compute and verify the signatures, which protects the identity privacy of signers.We compare the security of the three ABPS schemes as shown in

Table 7. Security comparisons of t-ABPS, ABPS-HL1, and ABPS-HL2.

Signature Schemes	Unforgeability	Identity Privacy of OS	Identity Privacy of PS	Security Model
t-ABPS	√	√	√	ROM
ABPS-HL1	√	√	√	ROM
ABPS-HL2	√	√	√	ROM

. The symbol “√” indicates that the scheme meets the corresponding security.

2. Efficiency

We compared the t-ABPS scheme, ABPS-HL1 scheme, and ABPS-HL2 scheme in terms of computational costs and communication costs.

For the Sign algorithms in the different schemes, the t-ABPS scheme, the ABPS-HL1 scheme, and the ABPS-HL2 scheme have lower computational costs, medium computational costs, and higher computational costs, respectively. For the Verify algorithms in the different schemes, they have medium computational costs, lower computational costs, and higher computational costs respectively. We have summed the computational costs of the algorithms Sign and Verify to obtain the overall computational costs. The results show the t-ABPS scheme, ABPS-HL1 scheme, and ABPS-HL2 scheme have lower computational costs, medium computational costs, and higher computational costs respectively. The t-ABPS scheme has lower computational costs because it does not use the default attribute set, which simplifies this scheme.

The communication costs of the three schemes are at the same level. For more accurate analyses, the ABPS-HL1 scheme and ABPS-HL2 scheme have lower communication costs, while the t-ABPS scheme has higher communication costs. We compare the efficiency of the three ABPS schemes in

Table 8. Efficiency comparisons of t-ABPS, ABPS-HL1, and ABPS-HL2.

Signature Schemes	Overall Computational Costs	Communication Costs	Use Default Attribute Set
t-ABPS	lower	higher	No
ABPS-HL1	medium	lower	Yes
ABPS-HL2	higher	lower	Yes

.

7. Conclusions

With the rapid development of AI technology, more and more UAVs are capable of flying autonomously without requiring real-time control from an operator. In this case, it is crucial to ensure the security of the commands sent to the UAVs.

To address this problem, we propose an efficient t-ABPS scheme. This scheme protects the integrity and authentication of commands, reduces the propagation delay, and protects the privacy of the user’s identity. We prove that t-ABPS has EUF-sA-CMA. Furthermore, we analyze the efficiency of t-ABPS in terms of computational costs and communication costs. The results indicate that the t-ABPS scheme has lower computational costs and higher communication costs.

In the t-ABPS scheme, it does not use a default attribute set, which reduces the flexibility of the scheme. Moreover, the UAV as the verifier still has higher computational costs. Next, we will further research how to reduce the computational costs of the UAV.