
1 Introduction

Currently, the development of smart cities is a priority for most countries. The foundation of such development is the utilization of Internet of Things (IoT) technologies [1]. In this context, the deployment of IoT technologies helps to ensure the smart living style/standards of the citizens [2]. However, the increasing number of vehicles in smart cities has increased road accidents. According to the reports, road accidents will be the fifth leading cause of casualties by 2030 [3, 4]. Besides, road and weather conditions also increase the cost of transportation and thereby the cost of consumer items. Therefore, to ensure the smooth functioning of road traffic in smart cities, the intelligent traffic system (ITS) has evolved [5].

In ITS, unmanned aerial vehicles (UAVs) (also called drones) are deployed to record traffic-related information. These drones can communicate with each other and with the traffic control office (TCO). The communication between drones is called UAV-2-UAV communication, and the communication between drones and the TCO is called UAV-to-Ground Station (UAV-2-GS) communication. The communication system for UAV-2-UAV and UAV-2-GS communication utilizes the latest technologies and is called the Internet of drone (IoD) [6]. Based on the information received from UAVs, the TCO can update the functioning of the traffic management system. Thus, real-time feedback from UAVs leads to a real-time improvement in ITS [7].

In this IoD environment, UAVs work like moving nodes in ad hoc networks. However, due to limited storage and power capacity, UAVs are resource-constrained devices. To utilize their resources in an optimized manner, UAVs collect observations from their current locations and send them to the TCO through a local roadside unit (RSU). The RSU is considered to have more storage and energy than the UAVs. Thus, some part of the computation and storage is done by the RSU, which acts like an edge device. In this IoD-based communication, UAVs share information with the RSU over wireless channels. The RSU then sends the aggregated information to the TCO over wired or wireless links [8].

Most of the communication links in IoD are open channels. Therefore, an unauthorized attacker can easily target the shared information: it can capture, alter, or destroy sensitive information in UAV-2-GS communication. Sometimes, such an attack on shared information can pose a serious threat. For example, an attacker can modify the road condition information and send it to the TCO. This modified information can misguide the TCO, and the result may be traffic congestion [9]. Traffic congestion results in a high transportation cost; thus, the manufacturer, transport company, or consumer bears a loss. Therefore, the shared information/observations should be secured from such attacks. The security in this context can be achieved by authentication and confidentiality of the data.

1.1 Signcryption and Aggregated Signcryption

To achieve authentication and confidentiality simultaneously, the paradigm of signcryption was devised in [10]. This pioneering work by Yuliang Zheng reduces the cost of the encryption-and-then-signature approach by fusing these two operations. Thus, it is suitable for deployment in resource-constrained IoD-based UAV-2-GS communication. In UAV-2-GS communication, several UAVs lying in a certain region share information with a specified TCO. Therefore, the data received from various UAVs should be processed in an efficient manner; that is, the verification and decryption of received data should be performed in a single step, like batch verification. To achieve batch verification in signcryption, Selvi et al. [11] proposed the first identity-based aggregated version of signcryption. However, their scheme uses costly pairing operations and can be improved further by removing the use of pairing. In [12], Wang et al. devised a new aggregated signcryption scheme using the paradigm of multilinear maps. This scheme was the first to be secure in the standard model. However, it includes no discussion of efficiency. Further, to improve efficiency, Swapna and Reddy [13] proposed an efficient aggregated signcryption. However, the devised construction was still based on pairing, so further improvement is possible. The first pairing-less identity-based aggregated signcryption was devised in [14] by Abouelkheir and El-sherbiny. As the authors removed the use of pairing, the scheme is more efficient than the previous literature. Later, some more aggregated signcryption schemes with more features were devised in the literature [15,16,17,18].

1.2 Motivation and Contribution

According to the discussion, in a smart city environment, the utilization of ITS is imperative for smooth transportation. As the functioning of ITS depends on the data received from various UAVs, the security of the UAV-2-UAV and UAV-2-GS communication links is highly important. To secure the links, various key agreement and authentication protocols like [6,7,8,9, 19, 20] have been designed in the literature. However, in the case of the UAV-2-GS link, several UAVs share information with a single TCO. Thus, to save resources at the receiving end (i.e., TCO), the verification/recovery of the received information should be done using batch verification. Batch verification cannot be obtained from key agreement. Therefore, key agreement schemes are insufficient to secure UAV-2-GS links. To secure these links, an efficient and secure data aggregation scheme is required. Therefore, in this paper, an efficient identity-based secure data aggregation scheme for UAV-2-GS communication has been devised. According to our sources (i.e., Internet or literature), the proposed scheme is the first scheme to secure UAV-2-GS communication in the smart city ITS scenario.

The outline of the paper is as follows: Sect. 2 presents the basic definitions and related points. Section 3 introduces the proposed scheme and Sect. 4 discusses the security and efficiency analysis in brief. Section 5 concludes the paper along with future directions.

2 Preliminaries

This section introduces the basic concepts on mathematics and data aggregation in brief.

2.1 Mathematical Background

Let p and q be two primes selected randomly such that \(p|(q-1)\). Let E be the elliptic curve defined over the finite field \(F^*_p\) and P be the generator of E. Then the following problems are defined as the base of the construction.

  • Computational Diffie–Hellman Problem (CDHP): Given an instance \((P, aP, bP)\) of three elliptic points for random unknown \(a, b\in F^*_p\), it is computationally hard to find abP. The advantage of an algorithm \(\mathcal {A}\) to solve CDHP is the probability \(Pr[abP \leftarrow \mathcal {A}(P, aP, bP)]\).

  • Discrete Log Problem (DLP): Given an instance \((P, aP)\) of two elliptic points for random unknown \(a\in F^*_p\), it is computationally hard to find a. The advantage of an algorithm \(\mathcal {A}\) to solve DLP is the probability \(Pr[a \leftarrow \mathcal {A}(P, aP)]\).

The security of the proposed data aggregation relies on these computationally hard problems.

2.2 Security Attributes of the Proposed Scheme

For the proposed data aggregation between UAV-2-GS communication, the following security attributes should be considered:

  • Authentication and Integrity: In the UAV-2-GS communication, authentication of the sender UAV (i.e., source) and data integrity is important.

  • Confidentiality: Confidentiality of the information shared is another important attribute.

  • Man-in-the-middle (MITM) Attack: The consideration of MITM attack is also important.

A detailed discussion regarding definition and achieving the goals will be considered in Sect. 4.2.

2.3 Threat Model

To achieve the security attributes, the semantic security along with the unforgeability of the base signcryption should be considered [21,22,23]. In the current setting, two types of attackers are defined. The Type-I attacker is an honest-but-curious KGC. This attacker has access to the master secret but is not able to replace the key of a drone (user). The Type-II attacker is a malicious drone (user). It has no access to the master secret. The proposed scheme is said to be secure against these attackers if no attacker wins the attack games defined in [14] corresponding to provable security. These games are played between the attacker and the challenger. In the attack games, the two types of attackers are permitted to make requests to the Key-Gen, Signcryption, and Designcryption oracles. The challenger can access the oracles to respond to the requests. At last, the challenger can design an algorithm to solve the CDHP or DLP (for a challenged instance). For a detailed description of provable security and the various attack games, please refer to [14].

2.4 System Model

In the devised scheme, four entities, Key Generation Center (KGC), Traffic Control Office (TCO), UAVs, and Road Side Unit (RSU), are involved (Fig. 1). KGC generates the system parameters and keys of all the users. Generally, KGC is a UAV manufacturer company that stores the data in the UAV before installation. KGC and TCO can communicate with each other using secure links. TCO is responsible for the smooth functioning of ITS. For this purpose, TCO receives the data from all UAVs via RSU and uses it for ITS improvement. The links between RSU and TCO are wired (Internet-based) links. The work of RSU is to aggregate the data received from the various UAVs lying in its range. The links between UAVs and RSU are wireless open channels. Therefore, the communication over these links is the most insecure. Thus, the purpose of the proposed data aggregation is to secure this communication and to perform an efficient verification at the TCO end.

Fig. 1 System model

3 Proposed Data Aggregation for UAV-2-GS Communication

The proposal is a modified version of the signcryption devised in [14]. The detailed steps of the scheme are as follows:

  • Initialization: KGC runs it on input of a security parameter \(\lambda \) and obtains the following outputs:

    1. Two random primes p and q such that \(p|(q-1)\).

    2. An order p subgroup \(\mathcal {G}\) of the elliptic curve defined by \(y^2 = x^3+ax+b\) (where \(4a^3+27b^2 \ne 0\) mod p) over \(\mathbb {Z}^*_p\). Let P be a generator of G.

    3. Five hash functions \(H_0:\{0, 1\}^* \rightarrow \mathbb {Z}^*_q\), \(H_1:\{0, 1\}^* \times G \rightarrow \mathbb {Z}^*_q\), \(H_2: G \rightarrow \mathbb {Z}^*_q\), \(H_3:\{0, 1\}^* \times \{0, 1\}^* \times G \times G \times \{0, 1\}^* \times G \rightarrow \mathbb {Z}^*_q\), \(H_4:\{0, 1\}^* \times \{0, 1\}^* \times G \times G \times \{0, 1\}^* \times G \times \mathbb {Z}^*_q \rightarrow \mathbb {Z}^*_q\).

    4. A random \(s \in \mathbb {Z}^*_q\) as master secret key and \(P_\text {pub} = sP\) as master public key.

    Final output is \(params = (p, q, G, P, P_\text {pub}, H_0, H_1, H_2, H_3, H_4)\).

  • Key-Gen: Let \(ID_i\) be the identity of \(UAV_i\). KGC runs it on input of params, \(ID_i\) and s. The steps are as follows:

    1. For \(x_i\in _R \mathbb {Z}^*_q\), computes \(X_i=x_iP\), \(S_{ID_i}=sH_0(ID_i)\) mod q, \(q_i=H_1(ID_i, X_i)\) and \(d_i=(x_i+sq_i)\) mod q.

    2. Secret key of \(UAV_i\) is \((S_{ID_i}, d_i)\) and public key is \(X_i\).

    KGC sends secret keys to \(UAV_i\) via secure link.

  • Data-Aggregate: It is done in two steps.

    • Step 1: For the message \(m_i \in \{0, 1\}^*\), the following steps are done by \(UAV_i\):

      1. Selects \(r_i\in _R \mathbb {Z}^*_q\) and computes \(R_i=r_iP\) and \(W_i=r_iH_0(ID_\text {tco})P_\text {pub}\).

      2. Computes \(h_{2i}=H_2(W_i)\), \(h_{3i}=H_3(m_i,ID_i,X_i,W_i,ID_\text {tco},X_\text {tco})\) and \(h_{4i}=H_4(m_i,ID_i,X_i,W_i,ID_\text {tco},X_\text {tco}, h_{3i})\).

      3. Computes \(v_i=(r_ih_{3i}+d_ih_{4i})\) mod q and \(V_i=v_iP\).

      4. Computes \(C_i=(m_i\Vert v_i) \oplus h_{2i}\).

      After this, \(UAV_i\) sends \(\sigma _i=(C_i, R_i, V_i)\) to RSU.

    • Step 2: RSU receives data from n UAVs and computes \(V=\sum \nolimits _{i=1}^{n}V_i\).

    • RSU forwards \(\sigma _\text {agg}=((C_1, C_2, \ldots , C_n), (R_1, R_2, \ldots , R_n), V)\) to TCO as aggregated data.

  • Verify-Decryption: The following steps are done by TCO:

    1. For \(1 \le i \le n\), compute \(W_i=S_{ID_\text {tco}}R_i\) and recover \(m_i\Vert v_i=C_i \oplus H_1(W_i)\).

    2. Checks \(V=\sum \nolimits _{i=1}^{n}h_{3i}R_i+\sum \nolimits _{i=1}^{n}h_{4i}X_i+(\sum \nolimits _{i=1}^{n}h_{4i}q_i)P_\text {pub}\).

    If the equation holds, accept the ciphertexts as valid.
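The four phases above can be exercised end to end with the following sketch, which is an added example and not the authors' implementation. Assumptions: secp256k1 stands in for the unspecified curve, every "mod q" reduction is taken modulo the order n of P, the hashes \(H_0,\ldots,H_4\) are domain-separated SHA-256 with \(H_2\) stretched by SHAKE-256 to the message length, the TCO unmasks with the same \(H_2(W_i)\) the UAV used in Data-Aggregate, and all function names are hypothetical.

```python
import functools, hashlib, secrets
p = 2**256 - 2**32 - 977  # Assumption: secp256k1 stands in for the paper's curve
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of P
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None or B is None: return A or B
    if A[0] == B[0] and (A[1] + B[1]) % p == 0: return None
    l = (3*A[0]**2 * pow(2*A[1], -1, p) if A == B else (B[1]-A[1]) * pow(B[0]-A[0], -1, p)) % p
    x = (l * l - A[0] - B[0]) % p
    return x, (l * (A[0] - x) - A[1]) % p

def mul(k, A):  # recursive double-and-add; not constant time, illustration only
    if k == 0: return None
    half = mul(k >> 1, add(A, A))
    return add(half, A) if k & 1 else half

def H(i, *parts):  # H_0..H_4 as domain-separated SHA-256 into [1, n-1] (assumption)
    return int.from_bytes(hashlib.sha256(repr((i, parts)).encode()).digest(), "big") % (n - 1) + 1
def mask(data, W):  # XOR with H_2(W), stretched to len(data) by SHAKE-256 (assumption)
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(repr(W).encode()).digest(len(data))))

def keygen(s, ident):  # KGC: returns (S_ID, d_i, X_i)
    x = secrets.randbelow(n - 1) + 1
    X = mul(x, P)
    return s * H(0, ident) % n, (x + s * H(1, ident, X)) % n, X

def signcrypt(m, ident, d, X, tco, P_pub):  # UAV_i, Step 1; tco = (ID_tco, X_tco)
    r = secrets.randbelow(n - 1) + 1
    R, W = mul(r, P), mul(r * H(0, tco[0]) % n, P_pub)
    h3 = H(3, m, ident, X, W, *tco)
    v = (r * h3 + d * H(4, m, ident, X, W, *tco, h3)) % n
    return mask(m + v.to_bytes(32, "big"), W), R, mul(v, P)

def aggregate(sigmas):  # RSU, Step 2: V = sum of V_i
    Cs, Rs, Vs = zip(*sigmas)
    return Cs, Rs, functools.reduce(add, Vs)

def verify_decrypt(Cs, Rs, V, senders, S_tco, tco, P_pub):  # TCO; senders = [(ID_i, X_i)]
    rhs, msgs = None, []
    for C, R, (ident, X) in zip(Cs, Rs, senders):
        W = mul(S_tco, R)  # equals r_i * H_0(ID_tco) * P_pub
        m = mask(C, W)[:-32]  # drop the trailing 32-byte v_i
        h3 = H(3, m, ident, X, W, *tco)
        h4 = H(4, m, ident, X, W, *tco, h3)
        rhs = add(rhs, add(mul(h3, R), add(mul(h4, X), mul(h4 * H(1, ident, X) % n, P_pub))))
        msgs.append(m)
    return msgs if rhs == V else None  # one batch equation covers all n UAVs
```

The sketch omits validation that each received \(R_i\) lies on the curve, which a deployed TCO would need before using it in scalar multiplication.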

4 Security and Efficiency Discussion

4.1 Correctness

From the construction of the scheme, \(V=\sum \nolimits _{i=1}^{n}V_i\), where \(V_i=(r_ih_{3i}+d_ih_{4i})P\), \(h_{3i}=H_3(m_i,ID_i,X_i,W_i,ID_\text {tco},X_\text {tco})\) and \(h_{4i}=H_4(m_i,ID_i,X_i,W_i,ID_\text {tco},X_\text {tco}, h_{3i})\). Therefore, \(V=\sum \nolimits _{i=1}^{n}(r_ih_{3i}+d_ih_{4i})P\), i.e., \(V=\sum \nolimits _{i=1}^{n}h_{3i}R_i+\sum \nolimits _{i=1}^{n}h_{4i}X_i+(\sum \nolimits _{i=1}^{n}h_{4i}q_i)P_\text {pub}\) as \(d_i=(x_i+sq_i)\) mod q. Thus, the Verify-Decryption runs correctly.

4.2 Security Attributes Analysis

As per the discussion in Sect. 2.2, the proposed scheme satisfies the following attributes:

  • Authentication and Integrity: In the design of the protocol, during the Data-Aggregate phase, each \(\text {UAV}_i\) computes ciphertext \(C_i=(m_i\Vert v_i) \oplus h_{2i}\), where \(v_i=(r_ih_{3i}+d_ih_{4i})\) mod q. This computation is possible with secret key \(d_i\) of the \(UAV_i\). At the receiver end, i.e., TCO, verification needs to check \(V=\sum \nolimits _{i=1}^{n}h_{3i}R_i+\sum \nolimits _{i=1}^{n}h_{4i}X_i+(\sum \nolimits _{i=1}^{n}h_{4i}q_i)P_\text {pub}\). This step is possible only with public key \(X_i\) of \(\text {UAV}_i\) and secret key \(S_{ID_\text {tco}}\) of TCO. Thus, the generation of ciphertext can be done by the legitimate \(UAV_i\) only. From the discussion in [14], the base scheme is unforgeable, and therefore authentication is satisfied. For verification, the secret key of TCO is needed, so alteration of the message is not possible, i.e., integrity is also satisfied.

  • Confidentiality: As per the scheme [14], the encryption is semantically secure. Therefore, an adversary cannot obtain any observation from the ciphertext. Thus, confidentiality is also satisfied.

  • MITM Attack: The base scheme [14] is unforgeable against an adaptively chosen message attack. Besides, any alteration to the ciphertext will result in rejection during the verification/decryption process. Thus, no adversary can impersonate the signer or modify the content, and the scheme is secure against MITM attack.

Table 1 Computation costs of various cryptography operations [24]

4.3 Efficiency Analysis

The computational costs of various cryptographic operations are taken from [24] (shown in Table 1). In the literature, a resource-limited device with a single 798 MHz CPU and 256 MB of RAM has been utilized. Thus, it can be a good choice to emulate the capacity of a UAV. Based on the discussion, UAVs are resource-constrained devices: they have less storage capacity, less computation capacity, and limited power backup. Thus, the computation done by UAVs is analyzed. During the ciphertext generation phase, 3 scalar multiplications + 3 modular multiplications + 3 hash functions are computed. The total cost of these operations is \(3\times 14.83+3\times 21.63+ 3\times 0.025 = 109.455\) ms. Thus, it is not a very large computation time for a resource-constrained device like a UAV. If the computation overhead of RSU is considered, it is \(\approx (n-1)4.61\) ms. As RSU is stronger than a UAV, this computation is manageable. Similarly, the cost incurred by TCO is \(\approx (66.195n-6.8)\) ms. It is also not a large consumption time for TCO as it has infinite resources. Therefore, the proposed scheme is practically suitable for UAV-2-GS communication with respect to computational efficiency.

5 Conclusion

Based on the various reports, it is observed that road accidents and traffic congestion are big losses to the world economy. In a smart city environment, UAVs are utilized to get real-time traffic data. This data enhances the functioning of ITS through feedback analysis. However, the links between UAVs and TCO are wireless. Thus, a secure data aggregation based on a signcryption scheme has been proposed in this paper. The security and efficiency analysis shows the suitability of the proposal for UAV-2-GS communication.

As a future scope, data aggregation for multiple applications using UAV-2-GS communication should be devised.