A Privacy Protection Scheme of Certificateless Aggregate Ring Signcryption Based on SM2 Algorithm in Smart Grid

Abstract: With the rapid increase in smart grid users and the rising cost of user data transmission, proposing an encryption method that raises the user ceiling without increasing construction cost has become the focus of many scholars. At the same time, more users bring more security problems, and the privacy of users during information transmission must also be protected. To solve these problems, this paper proposes an aggregate ring signcryption scheme based on the SM2 algorithm, referred to as SM2-CLARSC, which builds on the certificateless ring signcryption mechanism and combines it with aggregate signcryption. SM2-CLARSC is designed to satisfy the basic needs of the smart grid; it resists replay attacks and provides forward and backward security, among other properties, and it offers better security and higher efficiency than existing solutions. Simulation comparisons of SM2-CLARSC with existing typical solutions show that it has more comprehensive functions, higher security and a significant improvement in computational efficiency.


Introduction
Intelligence is the theme of future development across all industries. The smart grid (SG) emerged from combining the traditional power grid with the Internet, because the traditional grid can no longer meet the development needs of today's society. In the SG, users interact with the power control center (CC) through smart meters. Users send their electricity consumption information to the CC in real time, and the CC can feed back information such as billing and predictive pricing, allowing users to plan their electricity consumption based on that feedback and thereby reduce electricity costs. The goal of the SG is to provide electricity to users more reliably and efficiently, which has attracted the attention of researchers [1].
However, there are still unresolved issues within the SG. One significant challenge is concealing the user's identity within the SG while still completing signcryption and unsigncryption efficiently and rapidly. Many scholars have proposed solutions to this problem, but there is still room for improvement. A user's private data are easily leaked or damaged during transmission to, and storage at, the service node, which carries a large security risk. For example, attackers can compromise service nodes, which is much easier than attacking users or the CC [2]. After hijacking edge service nodes, they can obtain the information sent by both users and the CC. This is a serious problem that was previously ignored.
At present, the mainstream encryption methods used in the SG besides conventional encryption are ring signcryption [3,4], homomorphic encryption [5,6], etc. These methods cannot protect user privacy and data confidentiality once a service node has been hijacked: although attackers cannot break the algorithm, they can still obtain the data. At the same time, the rapid increase in the number of SG users brings problems such as response delay, degraded service quality and increased computing pressure on control center resources. Ensuring the confidentiality and unforgeability of users' private data while addressing the response delays caused by growing user numbers is a significant challenge in SG applications, particularly when bidirectional information exchange between users and service nodes must be supported.
To address these problems, we propose deploying edge computing nodes (ECNs) in the SG, following the edge computing paradigm [7]. An ECN performs a simple re-computation on the data sent by users. Although the ECN receives the ciphertext in this process, it cannot fully decrypt it. The ECN can perform a simple verification of the ciphertext and can also aggregate ciphertexts, which improves the computing efficiency of the CC and reduces communication costs.
At present, the main methods for protecting user identity privacy are ring signatures, pseudonym systems and group signatures. Among them, pseudonyms place higher demands on the storage cost of the SG. The fairness of a group signature depends mainly on the group manager, which is highly subjective. If the system hides the user's identity completely, malicious users are likely to send malicious information through the SG without being found.
After a comprehensive study of the existing related schemes, we propose a conditional privacy-preserving ring signcryption scheme based on the SM2 algorithm for the smart grid to address their shortcomings, in particular the user identity privacy problem and the computational surge at the control center. The scheme not only outperforms existing related schemes in efficiency but also supports tracking malicious users, aggregating signatures and resisting replay attacks.

Our Contribution
In general, we propose a new solution. To address the above issues more effectively, our contributions are as follows:
1. Using the edge computing framework, we propose to alleviate the communication delay that may be caused by the surge of users in the SG. The ECN partially decrypts and aggregates the ciphertext and then sends the processed ciphertext to the control center. This both provides a first simple verification of the ciphertext and reduces communication costs and improves efficiency.
2. We propose a certificateless aggregate ring signcryption scheme (CLARSC) with conditional privacy protection. The scheme enables tracking of malicious users while safeguarding the privacy of user identities.
3. We introduce a key update algorithm that periodically updates the key, preventing greater damage when a user's key is lost.
4. We compare the proposed scheme with existing similar schemes. The results show that our scheme has more comprehensive functions and significantly improved computational efficiency. By introducing the edge computing structure, the communication pressure on the CC is relieved and the communication cost of the smart grid is reduced.

Organization
The remainder of this paper is organized as follows: Section 2 reviews the literature related to our approach. Section 3 outlines the foundational knowledge. The SM2 signature algorithm is reviewed in Section 4. The certificateless aggregate ring signcryption scheme is introduced in Section 5. Section 6 assesses the scheme's correctness and security. Performance analysis is detailed in Section 7. Finally, Section 8 summarizes the key points of this paper.

Related Work
The smart grid, as a combination of a traditional power grid and the Internet, began to take shape in the early 2000s. In the beginning, researchers mainly focused on the automation and communication aspects of power systems and paid less attention to privacy issues [8]. The main focus at that time was to enable remote monitoring, control and optimization of power systems [9]. With the introduction of smart meter technology [10], the collection and transmission of user electricity data have become more detailed and frequent. This raises concerns about user privacy [9], especially sensitive information about personal electricity usage behaviors and habits. User privacy issues in smart grids have begun to emerge [11]. Power usage data can reveal users' life patterns and behaviors, and users have expressed concerns that their power usage data and identity information may be abused or leaked. After 2010, many countries and regions began to formulate privacy regulations and policies, requiring power companies to adopt privacy protection measures to ensure the security and privacy of user data. However, there are still criminals who use various methods to obtain users' private data for illegal profit.
After 2010, researchers mainly used differential privacy algorithms to protect user privacy [12]. In [13], Tian et al. proposed using differential privacy to aggregate multiple data sources to protect users' data privacy. In [14], Zheng et al. proposed averaging differential privacy to improve the privacy protection performance of the algorithm. Although differential privacy offers strong privacy protection, wide applicability and good standardization, its performance is relatively poor, parameter selection is complicated, and, most importantly, it is not suitable for all situations. Moreover, the noise introduced by differential privacy may affect the accuracy of data analysis, especially when the privacy level is high.
In response to the problems of differential privacy, researchers have proposed using ring signatures to protect user identity privacy while improving the user experience. The concept of a ring signature, introduced by Rivest et al. in 2001, originated as a simplified form of group signature [15]. The main purpose of ring signatures is to hide the identity of the real signer during message transmission. In [16], Han et al. summarise the issues that have been solved and present approaches that may solve the remaining problems. In [17], Wang et al. presented a traceable ring signature scheme designed for batch processing in the SG context. In [18], Tang et al. proposed multi-authority traceable ring signatures for distributed settings in smart grids. Liu et al. proposed an efficient multi-layer linkable ring signature scheme with logarithmic size to address the problem of excessively large signatures [19].
Ring signcryption is one of the main development directions of ring signatures. In the SG, ring signcryption has attracted much attention because it encrypts messages while performing a ring signature. Liu et al. presented a traceable ring signcryption scheme based on the SM2 algorithm in [20]; however, this scheme is not suitable for aggregation in smart grid applications. Zhang et al. introduced a ring signcryption scheme in [21] specifically designed to safeguard the privacy of smart meters. In [3], a privacy protection solution for smart meters in decentralized smart homes based on a consortium blockchain is proposed. In [22], Wang et al. proposed a lightweight certificateless aggregate ring signcryption scheme. In [23], Zhang et al. proposed a ring signcryption scheme for point-to-point e-bidding users in microgrids.
The SM2 algorithm is a national cryptography standard [24] proposed by China's National Cryptography Administration (NSA) in 2010 to protect the confidentiality and integrity of information. SM2 is used in various fields because of its high efficiency. In [25], Teng et al. proposed a simple smart grid privacy-preserving traceable ring signature scheme based on SM2. However, this solution requires the message to be signcrypted again and cannot aggregate or batch-process signatures, which results in very low efficiency.
Existing ring signcryption schemes in smart grids all suffer from network congestion, or cannot simultaneously address low efficiency, replay attacks and man-in-the-middle attacks. Therefore, we propose an SM2-based ring signcryption scheme that solves all of the above problems at once.

(G, +) of order q consisting of points on an elliptic curve E(a, b). This computation cannot be efficiently performed in polynomial time.

Formal Definition
The scheme comprises eight algorithms, executed by the following four entities: the Key Generation Center (KGC), the Trusted Authority (TRA), and the parties ID_s, ID_r and ID_v.

1. Setup(1^k) → (params, msk, mpk, mtk): TRA and KGC cooperate to run this algorithm. It takes the security parameter k as input and returns the system parameters params, the master tracking key mtk and the master public key mpk.
2. Set-SV(ID_i) → (u_i, U_i): The user inputs their identity ID_i and obtains the corresponding secret value u_i and public value U_i.
3. Extract-PSK(params, U_i) → (d_i, V_i): KGC executes this algorithm. On input the system parameters params and U_i, KGC produces the partial private key d_i and the associated authentication key V_i for the user with identity ID_i.
4. Generate-PK(ID_i) → (sk_i, PK_i): After verifying d_i, the user ID_i generates a key pair from d_i and u_i, consisting of the private key sk_i and the public key PK_i.
5. Update-Key Pairs(t, ID_i, sk_i^{t-1}, PK_i^{t-1}) → (sk_i^t, PK_i^t): In the t-th cycle, the user ID_i computes a new key pair from their key pair of the (t-1)-th cycle. The updated private key is sk_i^t and the corresponding public key is PK_i^t.
6. Ring Signcryption(params, sk_s^t, PK_r^t, PK_v^t, L, M) → σ: The user ID_s runs the signcryption algorithm, using params, sk_s^t, PK_v^t and the ring list L to signcrypt the message M. The output is the signcryption σ.
7. Single Verification(params, σ, L, sk_r^t) → {0, 1}: The verifier runs the verification algorithm on params, σ and L, additionally holding the private key sk_r^t, and outputs whether the ciphertext is valid.
8. Aggregated Signcryption(σ_{j=1,2,...,m}, sk_r^t) → σ̂: The ECN ID_r combines m ciphertexts and transmits the aggregated ciphertext to the control center ID_v.
10. Unsigncryption(params, σ̂, L, sk_v^t) → (M_{j=1,2,...,m}): If the verification result is 1, the verifier uses L and sk_r to unsigncrypt σ̂ and obtain the messages M_{j=1,2,...,m}.
11. Tracking(params, σ, σ̂) → ID_s: When the identity of a malicious signer ID_s needs to be tracked, TRA can use the signcryption σ or σ̂ together with the ring list L to determine the real signer ID_s.

System Model
As shown in Figure 1, the scheme consists of five main entities: the KGC, the TRA, the Edge Computing Node (ECN), the Control Centre (CC) and the user.

1. KGC: responsible for generating partial keys for users, ECNs and the CC.
2. TRA: tasked with monitoring the entire power network. When a malicious user is detected, the tracking algorithm can be used to trace the real identity of the signer.
3. ECN: acts as the aggregator in the scheme. It is an edge computing server deployed in the SG, responsible for promptly processing the ring-signcrypted power request information sent by users. The returned ring signcryption ciphertexts are processed and then aggregated to reduce the computation load of the CC.
4. CC: tasked with receiving and verifying the aggregated ciphertext, processing it to obtain the plaintext, and controlling power allocation in the SG in real time according to the received information.
5. User: the signer in the scheme. Each user user_i sends power usage data to the control center via the ECN.

Threat Model
The scheme in this paper deals with two types of attacker. The first type, denoted A_I, is one of the ring members: A_I can tamper with any user's public key when generating the signcryption but does not know the system master private key. The second type, denoted A_II, is a malicious KGC: A_II cannot replace any user's public key but knows the system master private key. We set up seven oracles for A_I and A_II to query, as follows:

1. Query-H_i: on input a query value, outputs the corresponding hash value.
2. Query-PSK: on input ID_i, outputs the corresponding partial private key psk_i.
3. Query-SK: if the public key PK_i of the input ID_i has not been replaced, outputs the corresponding private key sk_i.
4. Query-PK: on input ID_i, outputs the corresponding public key PK_i.
5. Replace-PK: on input the tuple (ID_i, U′_i), the challenger C substitutes U_i with U′_i.
6.
Definition 1. If the winning advantage of the adversary in Game 1 and Game 2 is negligible in polynomial time, the scheme proposed in this paper is IND-CLRSC-CCA2 secure.
Proof. Game 1: Adversary A_I and challenger C take part in the following phases.
Setup: Challenger C runs the setup algorithm to obtain params and provides them to A_I.
Query: A_I may query the oracles, subject to the following restrictions:
1. A_I cannot perform Query-SK on ID_r or ID_v.
2. A_I cannot perform Query-PSK on ID_r or ID_v if its public key has been replaced.
3. A_I cannot perform Query-USC on the tuple (σ̂, ID_s, ID_r, ID_v).
Challenge: A_I outputs two distinct messages M_j0 and M_j1 of equal length, a signer ID_s, an ECN ID_r and a verifier ID_v, and forwards them to C. Challenger C randomly selects b ∈ {0, 1} and runs the signcryption algorithm on the tuple (M_jb, ID_s, ID_r, ID_v). Then C sends σ to A_I.
Guess: After the adaptive query phase, A_I outputs a guess b′ and wins the game if b′ = b. The advantage of A_I is defined as follows:
Game 2: Adversary A_II and challenger C take part in the following phases.
Setup: C runs the setup algorithm to obtain params and provides them to A_II.
Query: A_II may query the oracles, subject to the following restrictions:
1. A_II cannot perform Query-SK on ID_r or ID_v.
2. A_II cannot perform Query-USC on the tuple (σ̂, ID_s, ID_r, ID_v).
Challenge: A_II outputs two distinct messages M_j0 and M_j1 of equal length, a sender ID_s, an ECN ID_r and a verifier ID_v, and forwards them to C. C randomly selects b ∈ {0, 1} and runs the signcryption algorithm on the tuple (M_jb, ID_s, ID_r, ID_v). Subsequently, C sends σ back to A_II.
Guess: After the adaptive query phase, A_II outputs a guess b′ and wins the game if b′ = b. The advantage of A_II is defined as follows:
Definition 2. If the winning advantage of the adversary in Game 3 and Game 4 is negligible in polynomial time, the scheme proposed in this paper is EUF-CLRSC-CMA2 secure.

Proof. Game 3: Adversary A_I and challenger C take part in the following phases.
Setup: Same as Game 1.
Query: A_I may query the oracles, subject to the following restrictions:
1. A_I cannot obtain the tuple (σ̂, M_j) from Query-ARSC.
2. A_I cannot perform Query-SK on ID_s.
3. If the public key of ID_s has been replaced, A_I cannot perform Query-PSK on it.
Forgery: A_I forwards a new tuple (σ̂, M_j, ID_r, ID_v). The challenger C runs the unsigncryption algorithm on the tuple (σ̂, M_j, ID_r, ID_v). If the output of the algorithm is absent, A_I wins Game 3. The advantage of A_I is defined as follows:
Game 4: Adversary A_II and challenger C take part in the following phases.
Setup: Same as Game 2.
Query: A_II may query the oracles, subject to the following restrictions:
1. A_II cannot perform Query-ARSC on the tuple (σ̂, M_j).
2. A_II cannot perform Query-SK on ID_s.
Forgery: The challenger C runs the unsigncryption algorithm on the tuple (σ̂, M_j, ID_r, ID_v). If the output of the algorithm is absent, A_II wins Game 4. The advantage of A_II is defined as follows:

Security Performance
For better applicability in the SG, the scheme also has the following properties.
1. Message validation: the verifier examines the integrity and correctness of the received data to ensure it is a valid signcryption.
2. Traceability: in the event of malicious activity within the smart grid, the traceability mechanism can identify the origin of malicious messages and attribute them to their senders.
3. Unlinkability: apart from the traceability mechanism, no entity can tell whether two distinct ciphertexts originate from the same sender.
4. Confidentiality: to ensure that unauthorized entities cannot access the plaintext, only the designated recipients can successfully decrypt it.
5. Anonymity: except for the TRA, no one can trace the sender by analysing the transmitted message.
6. Replay attack resistance: if an attacker intercepts the ciphertext in transit, the receiver treats it as an attack once the specified time interval has elapsed.
7. Anti-malicious gateway: by introducing edge computing and aggregate signcryption at the ECN, malicious nodes cannot obtain the information even if they try.
8. Conditional anonymity: although the ECN and CC receive the ciphertext, they cannot learn who the signcrypter is unless that user is malicious.
9. User identity privacy protection: during message sending, the user conceals their identity with the ring signcryption algorithm, so neither the ECN nor the CC can determine the source of the information.
10. Forward security: by periodically updating the key, even if a user accidentally loses their private key, the security of previously sent messages remains intact.

Review of the SM2 Signature Algorithm
This section briefly introduces the general flow of the SM2 digital signature algorithm.

1. System parameter generation: the algorithm takes the security parameter k as input and outputs the public system parameters params = {p, F_p, a, b, P, G, q, H}, where p is a large number, F_p is a finite field, G is the additive cyclic group of order q formed by the points on E(F_p): y^2 = x^3 + ax + b mod p, P is the base point, and H: {0,1}* → Z_q^* is a secure hash function.
2. Key generation: User A generates a private key d_A ∈ Z_q^* and computes P_A = d_A·P as the public key.
3. Signature: A uses d_A to sign a message m. First, compute the message digest e = H(m); second, randomly select k ∈ Z_q^* and compute (x_1, y_1) = kP, r = (e + x_1) mod q, s = [(1 …]. Finally, output the signature (r, s).
4. Verification: On receiving the message m′ and the signature (r′, s′), the verifier first checks whether r′, s′ ∈ Z_q^*. If so, it computes e′ = H(m′) and t = (r′ + s′), then uses s′ and t to compute (x′_1, y′_1) = s′P + tP_A and R = (e′ + x′_1) mod q. Finally, it checks whether R = r′; if not, (r′, s′) is an invalid signature on m′, otherwise the signature is valid.

SM2-Based Certificateless Aggregate Ring Signcryption Scheme
In this section, we present the detailed design for the SG; the symbols used are listed in Table 1 for reference. The operation process of certificateless aggregate ring signcryption is shown in Figure 2. The implementation process of our proposed scheme is as follows:
1. Setup: On input the security parameter k, KGC and TRA execute the following steps:
(a) KGC chooses two large prime numbers p and q such that p, q > 2^k, and a finite field F_p. An elliptic curve E: y^2 = x^3 + ax + b mod p is defined over F_p; the points satisfying this equation form an abelian group G of order q with base point P.
(b) KGC randomly selects x ∈ Z_q^* as the master private key msk and computes P_pub = xP as the master public key mpk.
2. Set-SV: The user ID_i randomly selects u_i ∈ Z_q^*, computes U_i = u_i·P, and sends U_i to the key generation center (KGC).
3. Extract-PSK: On receiving U_i, KGC randomly selects v_i ∈ Z_q^* and computes V_i = v_i·P. It then computes e_i = H_1(ID_i, U_i, V_i, P_pub) and d_i = v_i + e_i·x, where d_i is the partial private key. KGC publishes V_i and sends
4. Generate-PK: The user ID_i obtains D_i and tests the validity of d_i using the formula: If it does not hold, the user recalculates the key. If the equation holds, ID_i accepts the partial private key d_i and computes the private key for the current period as sk_i^1 = u_i + d_i mod q. The corresponding public key is set as PK_i^1 = sk_i^1·P.
5. Update-Key Pairs: During the t-th cycle, the user ID_i randomly generates u_i^t ∈ Z_q^*. The updated private key is sk_i^t = sk_i^{t-1} + u_i^t, and the corresponding public key is PK_i^t = sk_i^t·P. The updated public key PK_i^t is then delivered.
6. Ring Signcryption: ID_s signcrypts the message M using the ring public key list L = {ID_1, ID_2, ..., ID_n}, the public key PK_r of the ECN ID_r and the public key PK_v of the CC ID_v, completing the steps below.
(a) ID_s randomly selects d ∈ Z_q^* and computes X = (x_1, … ID_s then performs the following calculations, where M is the message to be signed, I is the tracking tag and ⊕ is the XOR operator: A timestamp TS is added to σ, and σ = {C, {s_i}, X, L, I, W, TS} is sent to ID_r.
7. Single Verification: On receiving the ciphertext σ, the receiver ID_r verifies its validity as follows.
(a) ID_r checks the validity of TS using |TS − TS_cur| ≤ ΔTS, where ΔTS is the maximum acceptable time interval and TS_cur is the current timestamp.
(b) ID_r checks whether s_i ∈ Z_q^* for i = 1, 2, ..., n. If any s_i is not in Z_q^*, ID_r discards the message.
(c) ID_r computes the verification equation. If it holds, ID_r is assured that the ciphertext σ is genuine and accepts the message; if not, ID_r reports to the TRA and discards it.
8. Batch Verification: To batch-verify the messages σ_1, σ_2, ..., σ_m, the receiver ID_r computes the following values and checks whether W″ = Σ_{j=1}^{m} W_j. If they are equal, ID_r can be certain that the ciphertexts σ_1, σ_2, ..., σ_m are correct and accepts them.
9. Aggregated Signcryption: ID_r aggregates m signcryptions, whose encrypted information is: (a) The receiver ID_r performs the following computations, producing the aggregated signcryption σ̂ = {{c′_j}, {ŝ_i}, X, L, {I_j}, Ŵ, TS}.
10. Aggregated Verification: ID_r aggregates m signcryptions, where the encrypted information is: The receiver ID_v needs to check Ŵ′ = Ŵ.
(e) ID_v then recovers the encrypted message through the following calculation:
11. Tracking: When a message fails verification, ID_v may escalate the matter to the TRA. In addition, the TRA monitors the SG for malicious activity. When a malicious ciphertext is found, the TRA can use the equation k^{-1}·I = H_4(x_1||c||y_1)·PK_j^t to identify the malicious user ID_j from the ring set L = {ID_1, ID_2, ..., ID_n}.
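To make the SM2 signing equations reviewed in Section 4 and the Setup, Set-SV, Extract-PSK, Generate-PK and Update-Key steps above concrete, here is an added Python example; it is not the paper's code. It assumes a constructed 19-point toy curve in place of sm2p256v1, a SHA-256 stand-in for H and H_1, the standard SM2 value s = (1 + d_A)^{-1}(k − r·d_A) mod q where the page's formula is truncated, and a partial-key check d_i·P = V_i + e_i·P_pub derived from d_i = v_i + e_i·x, since the page omits the check itself.

```python
import hashlib
import secrets
# Toy curve y^2 = x^3 + 2x + 2 over F_17, base point P = (5, 1) of prime order
# q = 19 (constructed for readability; sm2p256v1 drops into CURVE unchanged).
CURVE = {"p": 17, "a": 2, "b": 2, "P": (5, 1), "q": 19}
INF = None  # point at infinity

def add(A, B):  # affine point addition and doubling on CURVE
    p, a = CURVE["p"], CURVE["a"]
    if A is INF:
        return B
    if B is INF:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF
    if A == B:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):  # double-and-add scalar multiplication k*A
    R = INF
    k %= CURVE["q"]
    while k:
        if k & 1:
            R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R

def H(*parts):  # hash to Z_q^*; stands in for the paper's H and H_1 (assumed)
    digest = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (CURVE["q"] - 1)

def rand_scalar(upper=None):  # uniform in [1, upper], default Z_q^* = [1, q-1]
    return 1 + secrets.randbelow(upper or CURVE["q"] - 1)

# SM2 signature as reviewed above, with e = H(m) as the page states (GB/T 32918
# actually prepends the signer's Z_A to m before hashing).
def sm2_keygen():
    d = rand_scalar(CURVE["q"] - 2)  # d in [1, q-2] keeps 1 + d invertible mod q
    return d, mul(d, CURVE["P"])     # (d_A, P_A = d_A P)

def sm2_sign(d, m):
    q, P = CURVE["q"], CURVE["P"]
    e = H(m)
    while True:
        k = rand_scalar()
        x1, _ = mul(k, P)
        r = (e + x1) % q
        if r == 0 or (r + k) % q == 0:  # SM2 rejects such k; common on a toy curve
            continue
        s = pow(1 + d, -1, q) * (k - r * d) % q  # s = (1+d)^-1 (k - r d) mod q
        if s:
            return (r, s)

def sm2_verify(PA, m, sig):
    q, P = CURVE["q"], CURVE["P"]
    r, s = sig
    if not (1 <= r < q and 1 <= s < q):
        return False
    t = (r + s) % q
    Q = add(mul(s, P), mul(t, PA))  # = (s + (r+s)d)P = kP for an honest signature
    return t != 0 and Q is not INF and (H(m) + Q[0]) % q == r

# Certificateless key steps of the scheme: Setup, Set-SV, Extract-PSK,
# Generate-PK and Update-Key Pairs.
def setup():
    x = rand_scalar()                 # master private key msk
    return x, mul(x, CURVE["P"])      # (msk, P_pub = xP)

def set_sv():
    u = rand_scalar()                 # secret value u_i
    return u, mul(u, CURVE["P"])      # (u_i, U_i = u_i P)

def extract_psk(msk, P_pub, ID, U):
    v = rand_scalar()
    V = mul(v, CURVE["P"])            # V_i = v_i P, published by KGC
    e = H(ID, U, V, P_pub)            # e_i = H_1(ID_i, U_i, V_i, P_pub)
    return (v + e * msk) % CURVE["q"], V  # d_i = v_i + e_i x

def generate_pk(ID, u, U, d, V, P_pub):
    q, P = CURVE["q"], CURVE["P"]
    e = H(ID, U, V, P_pub)
    # Check implied by d_i = v_i + e_i x (the page omits the formula itself):
    if mul(d, P) != add(V, mul(e, P_pub)):
        return None                   # corrupted or forged partial private key
    sk = (u + d) % q                  # sk_i^1 = u_i + d_i mod q
    return sk, mul(sk, P)             # PK_i^1 = sk_i^1 P

def update_key(sk_prev):  # cycle t: sk^t = sk^{t-1} + u^t, PK^t = sk^t P
    sk_t = (sk_prev + rand_scalar()) % CURVE["q"]
    return sk_t, mul(sk_t, CURVE["P"])

def public_key_of(ID, U, V, P_pub):
    # PK_i^1 = U_i + V_i + e_i P_pub is recomputable from public values alone (no certificate)
    return add(add(U, V), mul(H(ID, U, V, P_pub), P_pub))
```

On the toy curve a tampered message can only pass verification if its hash collides with the original modulo q, which is why a negative check must be phrased that way; on sm2p256v1 the collision probability is negligible.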

Proof of Correctness
In this section, we present a comprehensive analysis of the correctness of the scheme described above.
For i = 1, 2, ..., n,
Unsigncryption: For message M_j and its encrypted ciphertext
Based on the above verification, we conclude that the scheme proposed in this paper is correct and sound. In the following sections of this chapter, we provide proofs establishing the security and functionality of the scheme.

Confidentiality
Theorem 1. If a Type I adversary A_I achieves a non-negligible advantage ε in Game 1, breaking IND-CLRSC-CCA2, after q_Hi queries to Query-H_i (for i = 1, 2, 3, 4, 5), q_PSK queries to Query-PSK, q_SK queries to Query-SK, q_PK queries to Query-PK, q_RPK queries to Replace-PK, q_ARSC queries to Query-ARSC and q_USC queries to Query-USC, then the Elliptic Curve Computational Diffie-Hellman Problem (ECCDHP) can be solved with probability ε′ ≥ ε(1 − q_USC/2^l)/[e(q_PSK + q_SK + q_RPK)], where l is the length of the signcrypted message and e is the base of the natural logarithm.
Proof. Assume the challenger C is given the tuple (P, aP, bP) ∈ G^3 and is tasked with computing abP. In Game 1, C acts as the simulator and A_I as the adversary. We set Pr(ID_i = ID*) = δ, where ID* is the target identity.
Setup: C performs the setup, obtaining params and P_pub = aP, and transmits params to A_I.
Query: C simulates the oracles for A_I as follows, maintaining the initially empty lists L_1, L_2, L_3, L_4, L_5, L_U, L_PK, L_PSK and L_SK.
Query-H_1: When A_I provides the tuple (ID_i, U_i, V_i, P_pub), C checks the list L_1 for a related tuple.

1.
1. If (ID_i, U_i, V_i, P_pub, e_i) ∈ L_1, C obtains e_i from L_1 and returns it to A_I.
2. If (ID_i, U_i, V_i, P_pub, e_i) ∉ L_1, C randomly chooses e_i ∈ Z_q^*, returns e_i to A_I and stores (ID_i, U_i, V_i, P_pub, e_i) in the list L_1.
Query-H_2: When A_I provides the tuple (x_3, y_3), C searches the list L_2 for a related tuple.
If (x_3, y_3, h_2) ∉ L_2, C randomly chooses h_2 ∈ Z_q^*, returns h_2 to A_I and stores (x_3, y_3, h_2) in the list L_2.
Query-H_3: When A_I provides the tuple (x_2, y_2), C examines the list L_3 for a related tuple.

1.
1. If (x_2, y_2, h_3) ∈ L_3, C obtains h_3 from L_3 and returns it to A_I.
2.
Query-H_4: When A_I provides the tuple (x_1||c||y_1), C examines the list L_4 for a related tuple.

1.
1. If
Query-H_5: When A_I supplies the tuple (L, c_j, X, I_j), C examines the list L_5 for a related tuple.

1.
1. If (L, c_j, X, I_j, r_i) ∈ L_5, C obtains r_i from L_5 and returns it to A_I.
2. If (L, c_j, X, I_j, r_i) ∉ L_5, C randomly chooses r_i ∈ Z_q^*, returns r_i to A_I and stores (L, c_j, X, I_j, r_i) in the list L_5.
Query-PSK: When A_I requests the partial private key for identity ID_i, C checks the list L_PSK.

1.
1. If and computes e_i = H_1(ID_i, U_i, V_i, P_pub). C then sets PK* = PK_i = (u_i + v_i + e_i·a)P as the response to A_I and stores (ID_i, u_i) and (ID_i, U_i, V_i, P_pub, e_i) in the lists L_U and L_1, respectively. If ID_i ≠ ID*, C randomly selects v_i, d_i ∈ Z_q^*, computes PK_i = (u_i + d_i)P and returns PK_i to A_I. C then adds the tuple (ID_i, PK_i) to the list L_PK.
Replace-PK: When A_I relays the tuple (ID_i, PK_i^{t′}), C updates L_PK with the tuple (ID_i, PK_i^{t′}) in place of (ID_i, PK_i^t).
Query-ARSC: Assume it is the t-th cycle and A_I relays the tuple (ID_s, ID_r, ID_v, M_{j=1,...,m}). For each message M_j in this tuple, C performs the following operations.

1.
1. If ID_s = ID* and ID_r ≠ ID*:
(a) C randomly selects a point I_j ∈ G, queries Query-PK for ID_r and ID_v, and obtains PK_r^t and PK_v^t.
(b) C randomly selects d_j ∈ Z_q^* and computes X = (x_1, … C applies the Aggregated Signcryption algorithm and obtains a new timestamp TS.
(f) C sends the ciphertext σ̂ = {{c_j}, {ŝ_i}, X, L, {I_j}, Ŵ, TS} to A_I, stores the tuples (x_2||y_2, h_2) and (x_3||y_3, h_3) in the lists L_3 and L_2, and stores the tuples (L, c_j, X, I_j, r_ij) in the list L_5. For all message ciphertexts σ_j

3.
3. If ID_s ≠ ID* and ID_r ≠ ID*: C applies both the Ring Signcryption algorithm and the Aggregated Signcryption algorithm.
Query-USC: If ID_v = ID*, C searches for the related tuples (x_3||y_3, h_2) and (x_2||y_2, h_3) in the lists L_2 and L_3, and for the tuples (L, c_j, X, I_j, r_ij) in the list L_4. If these tuples are absent, C rejects σ̂. Otherwise, C runs the Verification algorithm and computes M_j = h_3j ⊕ c_j, then returns M_j to A_I for j = 1, ..., m.
Challenge: A_I selects two distinct messages M_0 and M_1 of equal length, a sender ID_s, the ECN ID_r and a recipient ID_v, and forwards them to C together with the identities of the ring members L = {ID_1, ID_2, ..., ID_n}.

1. If $ID_v = ID^*$, C randomly selects a bit $b \in \{0, 1\}$ and performs the following: (a) C randomly selects $\hat{s}_i \in Z_q^*$ for $i = 1, 2, \ldots, n$ and computes $\hat{W} = (\sum_{i=1}^{n} \hat{s}_i$ … C adds the timestamp $TS$ to the ciphertext $\sigma$ and returns $\sigma$ to …

Guess: $A_I$ continues adaptive querying and outputs a guess $b'$. If $A_I$ submits the tuple $(x_3, y_3, h_2)$ to Query-$H_2$, it learns that $\sigma$ is a flawed ciphertext; C can then compute $abP$ from this query and solve the ECCDHP.
We define two events: $\pi_1$: C passes the query stage; $\pi_2$: C passes the challenge stage. We can deduce that
$$\varepsilon' \ge \varepsilon\left(1 - \frac{q_{USC}}{2^l}\right) \Big/ \left[e\,(q_{PSK} + q_{SK} + q_{RPK})\right] \quad (21)$$
where $\delta = 1/(q_{PSK} + q_{SK} + q_{RPK} + 1)$. Thus C solves the ECCDHP with probability $\varepsilon' \ge \varepsilon(1 - q_{USC}/2^l)/[e(q_{PSK} + q_{SK} + q_{RPK})]$ if $A_I$'s advantage is $\varepsilon$.

Theorem 2. If a Type II adversary $A_{II}$ can successfully attack IND-CLRSC-CCA2 with a non-negligible advantage $\varepsilon$ in Game 2, then algorithm C can solve the ECCDHP with probability $\varepsilon' \ge \varepsilon(1 - q_{USC}/2^l)/(e\,q_{SK})$.
Proof. Assume the simulator C is given the tuple $(P, aP, bP) \in G^3$ and its task is to compute $abP$. C plays the simulator and $A_{II}$ the adversary in Game 2. Set $\Pr(ID_i = ID^*) = \delta$.
Setup: C executes the Setup in Section 3 and generates the system parameters $params = \{p, q, G, P, P_{pub}, T_{pub}, H_1, H_2, H_3, H_4, H_5\}$. C computes $P_{pub} = xP$ and sends $params$ to the adversary $A_{II}$.
Query: C maintains the lists $L_1, L_2, L_3, L_4, L_5, L_U, L_{PK}, L_{PSK}$ and $L_{SK}$, all initially empty.
Query-PSK: When $A_{II}$ submits an identity $ID_i$: if $(ID_i, d_i) \notin L_{PSK}$ and $ID_i \ne ID^*$, C randomly selects $v_i \in Z_q^*$, looks up $e_i$ in the tuple $(ID_i, U_i, V_i, P_{pub}, e_i)$ of the list $L_1$, computes $d_i = v_i + e_i x$, and sends $d_i$ to $A_{II}$. If $ID_i = ID^*$, C fails. Query-PK: At the $i$-th query, C sets the challenge identity $ID_i = ID^*$. When $A_{II}$ submits an identity $ID_i$: if $(ID_i, PK_i) \notin L_{PK}$ and $ID_i = ID^*$, C randomly selects $d_i \in Z_q^*$ and sets $PK^* = PK_i = (d_i + a)P$ as its response to $A_{II}$; otherwise, C randomly selects $u_i, d_i \in Z_q^*$, sets $PK_i = (u_i + d_i)P$, and responds with $PK_i$ to $A_{II}$. C then stores the tuples $(ID_i, PK_i)$ and $(ID_i, u_i)$ in the lists $L_{PK}$ and $L_U$, respectively. The other query types are the same as in Theorem 1. Challenge: Same as in Theorem 1. Guess: $A_{II}$ continues adaptive querying and outputs a guess $b'$. If $A_{II}$ submits the tuple $(x_3, y_3, h_2)$ to Query-$H_2$, it learns that $\sigma$ is a flawed ciphertext; C can then output $abP = Z - d_v X$ as the solution to the ECCDHP.
We define two events: $\pi_1$: C passes the query stage; $\pi_2$: C passes the challenge stage. We can deduce (22), where $\delta = 1/(q_{SK} + 1)$. Thus C solves the ECCDHP with probability $\varepsilon' \ge \varepsilon(1 - q_{USC}/2^l)/(e\,q_{SK})$ if $A_{II}$'s advantage is $\varepsilon$.

Unforgeability
Theorem 3. If a Type I adversary $A_I$ can successfully attack EUF-CLRSC-CMA2 with a non-negligible advantage $\varepsilon$ in Game 3, then the simulator C can solve the ECDLP with probability $\varepsilon' \ge \varepsilon/[e(q_{SK} + q_{PSK} + q_{RPK})]$.
Proof. Assume the simulator C receives the tuple $(P, aP) \in G^2$; its task is to compute $a$ in Game 3. Set $\Pr(ID_i = ID^*) = \delta$.
Setup: The setup is the same as described in Theorem 1.

Query:
The query phase follows the same rules as in Theorem 1. Forgery: $A_I$ returns a ciphertext $\sigma = \{C, \{s_i\}, X, L, I, W, TS\}$ that meets the requirements of Game 3. To forge another ciphertext $\sigma^*$, $A_I$ replays the queries Query-$H_4$ and Query-$H_5$ to obtain another signcryption $\sigma^* = \{C^*, \{s_i^*\}, X^*, L, I$ … in the correct order. Hence, for $i \in \{1, 2, \ldots, n\}$, the conditions $s_i \ne s_i^*$, $r_i \ne r_i^*$ and $e_i \ne e_i^*$ hold, so that with the following calculation … Then we define three events: $\pi_1$: C passes the query stage; $\pi_2$: $ID^* \in L$; $\pi_3$: $ID^*$ is the real signer. We have … where $\delta = 1/(q_{SK} + q_{PSK} + q_{RPK} + 1)$, and we can deduce that $\Pr[\text{C succeeds}] \ge 1/[e(q_{SK} + q_{PSK} + q_{RPK})]$.
Based on the forking lemma for ring signatures [26], C can solve the ECDLP with probability $\varepsilon' \ge \varepsilon/[e(q_{SK} + q_{PSK} + q_{RPK})]$ if $A_I$'s advantage is $\varepsilon$.
Theorem 4. If a Type II adversary $A_{II}$ can successfully attack EUF-CLRSC-CMA2 with a non-negligible advantage $\varepsilon$ in Game 3, then the simulator C can solve the Elliptic Curve Discrete Logarithm Problem (ECDLP) with probability $\varepsilon' \ge \varepsilon/(e\,q_{SK})$.
Proof. Suppose the simulator C is given the tuple $(P, aP) \in G^2$; its task is to compute $a$ in Game 3. To do so, C interacts with the adversary $A_{II}$. Let $ID^*$ be the target identity, with $\Pr(ID_i = ID^*) = \delta$.
Setup: The setup is the same as described in Theorem 2.

Query:
The query phase follows the same rules as in Theorem 2. Forgery: $A_{II}$ returns a ciphertext $\sigma = \{C, \{s_i\}, X, L, I, W, TS\}$ that meets the requirements of Game 3. To forge another ciphertext $\sigma^*$, $A_{II}$ replays the queries Query-$H_4$ and Query-$H_5$ to obtain another signcryption $\sigma^* = \{C^*, \{s_i^*\}, X^*, L, I$ … $sk_s = d_s + u_s$ (30). We define three events: $\pi_1$: C passes the query stage; $\pi_2$: $ID^* \in L$; $\pi_3$: $ID^*$ is the real signer. We have (32), where $\delta = 1/q_{SK}$. By the forking lemma for ring signatures [26], C can solve the ECDLP with probability $\varepsilon' \ge \varepsilon/(e\,q_{SK})$ if $A_{II}$'s advantage is $\varepsilon$.

Anonymity
The set $L$ contains the public keys of the legitimate senders in the ring. When verifying the signcryption, the verifier applies the same formula to every public key in $L$. Owing to the properties of ring signcryption, the verifier cannot tell which member produced it, so the anonymity of the real sender is preserved.

Traceability
When suspicious information is detected and the real signer must be identified, TRA determines the identity of the genuine signer from the value $I$ in the suspicious signcryption. Given $I$, TRA walks through the ring public key set $L$ and identifies the true signer $ID_i$ as the member for which $k^{-1} I = PK_i + H_3(C, A)T_i$ holds. Only TRA knows $k^{-1}$, so the proposed CLRSC scheme provides conditional anonymity.

Unlinkability
When generating the identifier $I$ during signcryption, the signer incorporates a value $\beta$ that depends on the message content, so each message yields a distinct $I$: for different messages the same signer computes different values of $I$. Revealing the real signer requires the equation $k^{-1} I = PK_i + H_3(C, A)T_i$, and only TRA knows $k^{-1}$, so only TRA can identify the actual signer and hence link signcryptions to the same signer.
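The tracing and unlinkability arguments above can be exercised end to end. The following Python is an added example, not code from the paper or its authors. It substitutes the secp256k1 curve for the SM2 curve (only the domain constants differ), and it assumes, since this part of the page does not define them, that each ring member $i$ publishes two points $PK_i = sk_i P$ and $T_i = t_i P$, that TRA keeps $k$ and publishes $T_{pub} = kP$, and that the signer forms $I = (sk_s + H_3(C, A)\,t_s)\,T_{pub}$, which equals $k(PK_s + H_3(C, A)T_s)$, so that only the holder of $k$ can strip the factor $k$ and compare against the ring. The byte encoding of $H_3$, the point $A$ and the ciphertexts are constructed for the demonstration.

```python
"""Toy tracing check k^{-1} I = PK_i + H3(C, A) T_i over a ring of signers.

Added illustration, not the paper's code. Assumptions (not from the paper):
secp256k1 replaces the SM2 curve; member i publishes PK_i = sk_i*P and
T_i = t_i*P; TRA holds k and publishes T_pub = k*P; the signer forms
I = (sk_s + h*t_s)*T_pub = k*(PK_s + h*T_s).
"""
import hashlib

# secp256k1 domain parameters (assumed substitute for the SM2 curve).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_P."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication; k is reduced mod the group order N."""
    k %= N
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def scalar(label):
    """Deterministic non-zero scalar derived from a label (stands in for a random choice)."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big") % (N - 1) + 1


def h3(ciphertext, A):
    """H3(C, A) -> Z_q^*; the byte encoding of the point A is an assumption."""
    enc = ciphertext + A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(enc).digest(), "big") % (N - 1) + 1


def make_ring(ids):
    """Member i holds (sk_i, t_i) and publishes (PK_i, T_i) = (sk_i*P, t_i*P)."""
    priv = {i: (scalar(b"sk:" + i), scalar(b"t:" + i)) for i in ids}
    pub = {i: (ec_mul(sk, G), ec_mul(t, G)) for i, (sk, t) in priv.items()}
    return priv, pub


def make_identifier(sk_s, t_s, h, T_pub):
    """Signer's side: I = (sk_s + h*t_s)*T_pub, which equals k*(PK_s + h*T_s)."""
    return ec_mul((sk_s + h * t_s) % N, T_pub)


def trace(k, I, h, ring_pub):
    """TRA's side: return the member i with k^{-1} I = PK_i + h*T_i, or None."""
    target = ec_mul(pow(k, -1, N), I)
    for ident, (PK, T) in ring_pub.items():
        if ec_add(PK, ec_mul(h, T)) == target:
            return ident
    return None


def demo():
    """Two constructed ciphertexts from the same signer: distinct I, same trace result."""
    priv, pub = make_ring([b"ID_1", b"ID_2", b"ID_3"])
    k = scalar(b"TRA")                      # TRA's tracing secret
    T_pub = ec_mul(k, G)
    sk_s, t_s = priv[b"ID_2"]               # the real signer
    A = ec_mul(scalar(b"ephemeral"), G)     # assumed: A is a point carried in sigma
    h1 = h3(b"constructed-ciphertext-one", A)
    h2 = h3(b"constructed-ciphertext-two", A)
    I1 = make_identifier(sk_s, t_s, h1, T_pub)
    I2 = make_identifier(sk_s, t_s, h2, T_pub)
    return {
        "distinct_identifiers": I1 != I2,                        # unlinkability: I depends on C
        "traced_1": trace(k, I1, h1, pub),                       # traceability with TRA's k
        "traced_2": trace(k, I2, h2, pub),
        "wrong_key": trace(scalar(b"not-TRA"), I1, h1, pub),     # without k, nobody matches
    }
```

Running `demo()` shows that the two identifiers differ even though the signer, ring and $T_{pub}$ are the same, that both trace to `ID_2` under TRA's $k$, and that a wrong $k$ matches no ring member, which is the conditional anonymity the section claims.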

Replay Attack Resistance
To prevent a captured ciphertext from being accepted again, we incorporate a timestamp into the ciphertext that records the time of transmission. Upon receiving a ciphertext, the verifier first checks whether the timestamp $TS$ it contains satisfies $|TS - TS_{cur}| \le \Delta TS$, where $TS_{cur}$ is the current time and $\Delta TS$ the maximum permissible interval. If the condition fails, $ID_r$ rejects the ciphertext $\sigma$, so a message that is intercepted and later resent cannot pass verification by $ID_r$. A ciphertext that fails validation is treated as a potential replay: it is discarded and the sender is asked to resend it.
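As an added illustration (not the paper's code), the verifier-side check below implements the window test $|TS - TS_{cur}| \le \Delta TS$ in Python and goes one step beyond the text: a ciphertext captured and resent within $\Delta TS$ still carries a valid timestamp, so the filter also remembers digests of the ciphertexts accepted during the window and rejects a repeat. The timestamps, window and ciphertext bytes are constructed, and signature verification of $\sigma$ is assumed to follow this check.

```python
"""Freshness check for a received ciphertext: the paper's timestamp window plus
an added memory of accepted ciphertexts. Added example, not the paper's code;
all traffic below is constructed."""
import hashlib


class ReplayFilter:
    """Verifier-side freshness check for a received ciphertext sigma."""

    def __init__(self, delta_ts):
        self.delta_ts = delta_ts   # maximum permissible interval, same unit as TS
        self.seen = {}             # digest of an accepted sigma -> its TS

    def _forget_expired(self, ts_cur):
        # An entry older than the window can no longer pass the timestamp test,
        # so there is no need to keep remembering it.
        self.seen = {d: ts for d, ts in self.seen.items()
                     if ts_cur - ts <= self.delta_ts}

    def check(self, sigma, ts, ts_cur):
        """Return (accepted, reason) for ciphertext bytes sigma carrying timestamp ts."""
        # 1. The paper's test |TS - TS_cur| <= delta_TS: rejects old and far-future TS.
        if abs(ts - ts_cur) > self.delta_ts:
            return False, "timestamp_outside_window"
        # 2. Added step: the same sigma presented again inside the window.
        self._forget_expired(ts_cur)
        digest = hashlib.sha256(sigma + ts.to_bytes(8, "big")).digest()
        if digest in self.seen:
            return False, "replay_within_window"
        self.seen[digest] = ts
        return True, "fresh"


def demo(delta_ts=30):
    """Constructed traffic against a 30-second window; returns every verdict."""
    f = ReplayFilter(delta_ts)
    sigma = b"constructed-ciphertext-with-TS"   # stands in for the real sigma bytes
    other = b"another-constructed-ciphertext"
    return {
        "fresh":        f.check(sigma, ts=1000, ts_cur=1005),  # first arrival
        "replay":       f.check(sigma, ts=1000, ts_cur=1010),  # resent 5 s later, TS still valid
        "stale":        f.check(other, ts=900,  ts_cur=1010),  # 110 s old
        "future":       f.check(other, ts=1100, ts_cur=1010),  # clock skew beyond the window
        "new_message":  f.check(other, ts=1008, ts_cur=1012),  # different sigma, accepted
        "after_window": f.check(sigma, ts=1000, ts_cur=1040),  # late replay: TS test alone catches it
    }
```

The `after_window` case is the one the paper's check handles on its own; the `replay` case is only caught because the filter keeps the digest of what it has already accepted, which is the memory a verifier needs for the window to be meaningful.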

Anti-Malicious Gateway
As an edge computing node, ECN is a likely target for attackers, and as a semi-trusted gateway it cannot be guaranteed to withstand every attack. Therefore, in our solution ECN is designed to have no access to plaintext: the information stays encrypted throughout transmission, which reduces the risk of leakage. After receiving a message, ECN only partially decrypts it. Without CC's private key $sk_v$, ECN can compute only $Y$ and therefore cannot recover the message $M$, which rules out leakage at the gateway.

Forward Security
When a key is compromised, measures are needed to keep the loss from spreading. We designed the Update-KeyPairs algorithm to refresh keys periodically. If a user accidentally loses a key, messages sent in earlier cycles remain secure. In each cycle, the user derives the key pair of the current period from the private key of the previous cycle and the random value $u_i^t$ of the current period. The keys of different cycles are therefore unrelated to one another, which limits the damage caused by a lost key.

Performance Analysis
In this chapter, a comprehensive comparison of the scheme with existing alternatives is presented. The main tasks are as follows:
1. Functional analysis: the functionality of this paper is compared with classical schemes similar to ours. The number of users in SGs is increasing rapidly, and the complexity of the environment demands more functionality; cryptographic schemes with more functions are better suited to developing SGs.
2. Computational efficiency analysis: the ring signcryption part is compared with existing ring signcryption papers [3,23,27,28] and the aggregation part with existing aggregate signcryption papers [29,30,31,32]. Suppose a ring has $n$ members and $m$ messages.
3. Communication cost analysis: the communication cost is compared in two places, the communication cost at ECN and the communication cost at CC. A phase-by-phase comparison shows how the scheme solves a wider range of problems at a lower cost.
To ensure a fair comparison, we measure the execution time of the most time-consuming operations with well-established cryptographic libraries, namely the pairing-based cryptography (PBC) library and MIRACL. The simulations run on a Lenovo ThinkPad laptop in China with an Intel Core i5-9300H CPU and 16 GB of RAM.
The schemes are compared at the same 80-bit security level. For schemes using a bilinear pairing $e: G_1 \times G_1 \to G_2$, let $P$ be the generator of the additive group $G_1$ of order $q$ on the elliptic curve $\ddot{E}: y^2 = x^3 + x \bmod p$, where $p$ and $q$ are 64-byte and 20-byte numbers, respectively. For the ECC-based schemes, we define the additive group $G$ of order $q$ on $\dot{E}: y^2 = x^3 + ax + b \bmod \dot{p}$, where $\dot{p}$ and $q$ are both 20 bytes and $a, b \in Z_{\dot{p}}^*$.

Compare Algorithm Functions
In this section, we select typical high-quality schemes [3,23,27,28,29,30,31,32] currently available and compare them, focusing on the functions of the schemes and the problems they solve. The results are shown in Table 2, from which it is clear that the scheme in this paper has more comprehensive functions and solves more problems at the same time. The main distinction is this paper's use of edge computing to handle user surges in SG while also preventing malicious ECNs, which no existing scheme provides. We also add a key update function that protects the security of previously sent information after a key is lost.
Table 2 also shows that the proposed scheme is more secure than the existing schemes: [3,23,29,31,32] lack tracing of malicious users, [23,27,28] do not protect data privacy, and apart from this scheme none of the typical schemes provides forward and backward security.
The edge computing introduced in this scheme not only addresses user proliferation but also resists attacks from malicious ECNs, a feature unavailable in existing schemes. In addition, the key update feature protects previously sent messages in case of key loss.

Computational Efficiency Analysis
In this experiment we consider only the more costly operations; operations that take less time are ignored, which does not affect the objectivity or fairness of the comparison. The notations for the computational operations and the corresponding measured times are listed in Table 3. Since all the compared schemes are certificateless, the computational cost of this scheme in the key generation phase differs little from theirs and is mostly $5T_m + T_a$. The computational costs in the ring signcryption phase, batch verification phase, aggregate signcryption phase, and aggre-
We divide the comparison into two parts: the ring signcryption part and the aggregate signcryption part. Tables 4 and 6 and Figure 3 show the ring signcryption part, and Tables 5 and 7 and Figure 4 show the aggregate signcryption part. The analysis shows that this scheme is more efficient than the existing schemes in both ring signcryption and aggregate signcryption.
In the ring signcryption phase, ref. [3] does not verify the signcryption, resulting in lower efficiency, and lacks verification, batch verification and ciphertext tracing algorithms. Ref. [27] has a complete set of algorithms but lower efficiency, taking twice the time of our approach. Ref. [23] shows slightly lower efficiency and lacks a batch signcryption phase. …
In terms of communication cost, the present scheme is cheaper than [23] and not much different from [29,31,32]. Taken together, this scheme is not the best in communication cost, but the increase over typical schemes is small, and sacrificing a small amount of communication cost for more security and higher efficiency is worthwhile.

Conclusions
Protecting user privacy in SG is critical to its development, yet existing solutions are either unsuited to SG or do not fully solve its problems, which hampers SG's development. In this paper, we propose a certificateless aggregate ring signcryption scheme with conditional privacy for SG. Security is enhanced by incorporating aggregate signcryption to improve computational efficiency, using timestamps to counter replay attacks, and employing multi-layer encryption to resist malicious gateways. The security analysis shows that the scheme resists external attacks and threats from an internal malicious KGC, and that it has more comprehensive functions. The efficiency experiments show that, compared with existing schemes with the same functions, our scheme needs no bilinear pairing and is faster. Ring signcryption and aggregate signcryption are performed under the same structure, improving computational efficiency and communication cost, which gives the scheme clear advantages over existing schemes.

Figure 1. The data transmission architecture of SG.

Figure 2. The process of running the scheme in this paper.
2. If $ID_r = ID^*$ and $ID_s \ne ID^*$: (a) C applies the Ring Signcryption algorithm. (b) …
… $= xP$, where $P$ and $Q$ are any two points on an additive group

Table 1. Symbols and their meanings.
… and $ID_i \ne ID^*$, C randomly selects $d_i \in Z_q^*$ and returns it to $A_I$; C then adds the tuple $(ID_i, d_i)$ to $L_{PSK}$. If $ID_i = ID^*$, C fails. Query-SK: When $A_I$ requests the private key of identity $ID_i$, C checks the list $L_{SK}$. 1. If $(ID_i, sk_i) \in L_{SK}$, C returns $sk_i$ to $A_I$. 2. If $(ID_i, sk_i) \notin L_{SK}$ and $ID_i \ne ID^*$, C looks up the tuples $(ID_i, u_i)$ and $(ID_i, d_i)$ in the lists $L_U$ and $L_{PSK}$ to obtain $u_i$ and $d_i$, computes $sk_i = d_i + u_i$, returns it to $A_I$, and adds the tuple $(ID_i, sk_i)$ to $L_{SK}$. If $ID_i = ID^*$, C fails. Query-PK: When $A_I$ requests the public key of identity $ID_i$, C checks the list $L_{PK}$. 1. If $(ID_i, PK_i) \in L_{PK}$, C returns $PK_i$ to $A_I$. 2. If $(ID_i, PK_i) \notin L_{PK}$, and … The intermediate values of the two signcryptions are $(k, r_1, r_2, \ldots, r_n, e_1, e_2, \ldots, e_n)$ and $(k^*, r^*$ … $^*, W^*, TS\}$.

Table 2. Comparison of scheme functions.

Table 3. Execution time of cryptographic operations.

Table 7. Comparison of the computational efficiency of the aggregate signcryption part.